Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Microsoft

Microsoft IIS4 Backdoor Claim Retracted 176

maniack writes: "According to NTBugtraq, the latest reports say that there is no back door in IIS 4.0. As ArsTechnica points out, the story has apparently been blown out of proportion by the press and no security hole exists. " So - anyone know what's /really/ the case? We've got reports from both sides, but it sounds like it's not true now.
This discussion has been archived. No new comments can be posted.

Microsoft IIS4 Backdoor Claim Retracted

Comments Filter:
  • by HerrNewton ( 39310 ) < ... <sneakemail.com>> on Saturday April 15, 2000 @06:32PM (#1130370) Homepage
    Oooh hey---it's the first Microsoft "vaporbug". Lots of press releases spinning the story, but MS doesn't deliver. Jeez. Typical ;-)

    ----
  • Dang, a vaporbug.. they can't even deliver on BUGS, wow, what next? Bugfixes.. oh wait, hum, is there anything Microsoft is good at? ...well, I seem to recall a certain hack in the Win9x source kernel, some three pages of just making Lotus 123 work. The comments on that page, well, are rather funny.. stuff about the idiotic programmers that couldn't program worth a damn, so they have to go in and fix it themselves.. - I! Finally! Figured! Out! How! To! Punctuate! Kirk's! Sentences! Dinner not ready: (A)bort, (R)etry, (P)izza?
  • Heh, maybe "no security hole exists" in this certain case, but Frontpage is riddled with insecurity like a block of swiss cheese.

    Mike Roberto (roberto@soul.apk.net [mailto]) - AOL IM: MicroBerto
  • by yarmond ( 114187 ) on Saturday April 15, 2000 @06:36PM (#1130373)
    Time for a new advertising campaign by Microsoft?

    Don't try to fix the bug, for that is impossible. You must realize the truth: there is no bug.

  • by roswell ( 12849 ) on Saturday April 15, 2000 @06:36PM (#1130374) Homepage
    We should try to make Linux and opensource look better instead of try to make its competitors worse. I'm getting sick of all the Microsoft crap on /.

    I likes the techie stuff. Gimme!
  • A plot by the Redmond Cabal (tm) (now with ActiveHex) to discredit Eric Raymond!

    Eh, who knows/cares, really.
    It doesn't affect me either way.
  • Well, you have to admit bashing Microsoft is almost a national pastime around Linux users.. Sometimes, you just have to think though.. What OS did you start on, when you first touched a PC? For me, it was DOS, of course.. which was made by Microsoft.. not saying that actually bears relation to it, but that they DO make good software at times. Although, come to think of it, who the heck uses Win2000 anyway? Win98 is more stable.. but that's like comparing the two crappiest bands in the place; which one's better? Who cares? C'mon, let MS have a SMALL break. I'm sure they were just having fun.. and in reference to a post about replacing the 404 error with a Netscape-bashing item, that would probably cause even more uproar. (Then again, it could be INCREDIBLY funny.) -- Daddy, what does FORMATTING DRIVE C mean?
  • My theory is that one of the lower managers recognized the backdoor/bug and did the right thing by reporting it so it can be dealt with. Then upper management decided they didn't like the bad publicity and decided to cover it all up. All of a sudden it wasn't REALLY a back door, just a little problem for a few people. uh huh. I'm convinced. Then again, it's just a theory and I can't back it up.

    /*--Why can't I find the QNX OS on any warez sites?
    * (above comment useless as of 4-26-2000)
    */
  • Why is the string is there? It's been found in more than one file. There's gota be a reason it was placed there. Unless if MS hired someone who was going insane.
  • Do we get an ESR apology as the next story?
    Be thankful you are not my student. You would not get a high grade for such a design :-)
  • by Zico ( 14255 ) on Saturday April 15, 2000 @06:45PM (#1130380)

    Restores a lot of faith after the ESR article. And no, I don't mean any of this in a snotty way. Thanks.

    As to the real deal, I was under the impression that there really is a hole, just no backdoor, and way less serious than originally thought.

    My own quick summary: If multiple web sites are hosted on a NT4/IIS4 server with FrontPage 98 extensions installed, then webmaster A with web authoring permissions on his own site could potentially inappropriately read the .asp (and possibly the global.asa, but no others) files of webmaster B's web site if he knew where they existed on the same server. Note that to be able to do this, user B would have had to have granted user A read permissions (explicitly, or by giving read access to "Everyone") on those files -- otherwise, user A would be unable to read the files.

    There's also the buffer overrun, although I don't know if anyone has successfully been able to exploit yet.

    Bottom line: Just delete the dang dvwssr.dll. Do not pass GO, just delete it. I don't know a single person still using Visual Interdev 1.0, and even then you'll just lose the "Link View" feature. I could care less if they ever release a fixed version of this nasty DLL.

    Cheers,
    ZicoKnows@hotmail.com

  • Maybe "no security hole exists" in the article above should be rephrased "this particular security hole is phony." It's Microsoft, afterall.
  • released perl explot for it that works, so i guess that bug (backdoor) IS there.
    i know linux geeks sometimes get into hype too much, but that is no reaso to use *bad* words in posts (see VA pos above:)
  • by z4ce ( 67861 ) on Saturday April 15, 2000 @06:52PM (#1130383)
    Read this [securityfocus.com] This is the actual security alert from bugtraq. I've learned not to trust slashdot's security reporting. It tends to be rather uh biased. ESR does security news. Oh yay.

    Ian
  • Wonder how that link from the word contact [eros-os.org] got in there ;-)
  • What OS did you start on,when you first touched a PC? For me, it was DOS, of course..

    for me it was Apple DOS 3.3. What's your point? Does that make it a good OS? Get a clue!

    Although, come to think of it, who the heck uses Win2000 anyway? Win98 is more stable.. but that's like comparing the two crappiest bands in the place; which one's better?

    I do. And being "based on NT technology", Windows 2000 is FAR superior to Windows 98 in terms of stability. Again, you have NO IDEA what you are talking about. (Of course, Linux is far more stable than both of them, and I use that, too.)

  • by roman_mir ( 125474 ) on Saturday April 15, 2000 @06:59PM (#1130386) Homepage Journal
    How often does it happen that the press actually gets their facts straight? Does it feel weird that in this case the story has changed so quickly? First it's a BACKDOOR MAMAAAA help. Then, it's a bad BUG. Then it's nothing at all:

    -There is nothing to see here, folks, just go on with your business, there is nothing going on here, nothing at all! Can't we all just get alone!

    Micro$oft has lots of money (BTW. WTF. Why Isn't /. talking about the latest HIT on TECHSTOCKS? Is it because Linux suffered alot?) so Microsoft has the money to make everyone go on with their business and shut their mouths.

    I wonder how much (intangeable costs) will MS pay for this blunder?

  • Tell me: if someone had made the same claim (hidden backdoor) about Apache, would you have been as quick to believe it? The fundamental answer (which is the point Eric was making) is "No."
    -russ
  • Anyone else getting a little annoyed that slashdot has no posted !3! articles pertaining to this? Its getting old REAL fast. Who cares, IIS has tons of bugs, so why post this. You don't post LINUX bugs, you dont post NT bugs. NO ONE CARES. Next Catz' is gunna do a From IIS's Mouth series about teens and how IIS destroyed their lives.


  • ..so it may not be a backdoor. 2 questions remain:

    #1, WTF is that string doing in this dll?

    #2, Can Netscape sue for libel?
  • Since you appear to be the only person doing this work, I suggest you give up the futile effort.

    You're getting out what is now *NON-INFORMATION*, which could have been real information, and might have had an effect if you:

    A) hadn't broadcasted it with an unnecessarily hateful and spiteful tone and

    B) hadn't spammed the article.

    Now you'll get moderated down as redundant in all of your posts, instead of getting rated up as insightful. Conflicting viewpoints are not always moderated down. Rarely in fact, and those that do are brought back up and meta moderation takes care of the moderator. Except when you take your role of "town asshole" and everyone gladly takes a shit on you.

    Next time, think your "comment" out a bit better, and make sure you leave the unnecessary "fuck the moderators", "this will be moderated down", preaching to the "Trolls of the world", and calling everyone "linux losers" out and maybe people won't be so quickly repulsed.

    Someone who immediately comes off as hostile who rants and raves with only a MINIMALLY apparent reason isn't likely to be taken seriously. You are one of those people. Enjoy, as you may have had a message, but screwed yourself.
  • by DanaL ( 66515 ) on Saturday April 15, 2000 @07:07PM (#1130391)
    But that is the annoying thing about Microsoft. Whenever there is even a fake report, they've had such a bad history of denying bugs for days, weeks or even months (I'm still bitter about DOS 6.0....) that when stuff like this happens, you have to take it seriously if you are using their products. It gets awfully frustrating.

    Sure, *now* we can say it was probably nothing, but for a while, folks running IIS had to be worried, and waste time and money fixing the problem. The problem didn't exist, but because of Microsoft's unreliable history, people couldn't give them the benefit of the doubt.

    Dana
  • Nowadays, it's pretty hard to be sure about the facts on issues such as these. After I submitted this story, I read in different places that a back door exists, a backdoor doesn't exist, a buffer overrun exists, nothing exists, etc. Who can we believe? Much as I love the open source community, I find it hard to trust it more than I trust Microsoft. Both have a stake in news such as this, so it's hard to find an impartial judge on this issue (considering I spend most of my time on sites favorable to linux).

    Another issue I have with the bug report: one of the previous stories on slashdot claimed that this was a good example of closed source's shortcomings. Why is it that whenever Microsoft's products are found to have bugs in them, everyone in the Open Source community cries out, "See, we told you"? I think some of our credibility is lost when this happens, especially when the backdoor is found to not exist. Another issue is that of fair journalistic reporting. Instead of immediately reporting this "news" like a tabloid, Cnet and whatever other sites that first came out with this report should have actually checked to see if it had any merit before scaring all the webmasters around who are unlucky enough to still use NT. While a respectable site such as slashdot posted the retraction, other sites may not do this and this can harm many consumers.

  • See what Microsoft has to say [microsoft.com] for questions about the vulnerability. They have found (or been informed of) another vulnerability with the same file and the same remedy (delete the file). The link says that there isn't a backdoor, but it doesn't proclaim the whole security issue as bunk. Obviously, there *are* security issues involved here.
  • by DeepDarkSky ( 111382 ) on Saturday April 15, 2000 @07:11PM (#1130394)
    Look, this Anti-Microsoft bashing is discrediting Slashdot and Open Source community. Simple as that.

    I like Slashdot, let me say this first. I find it informative, insightful, interesting and very often, funny (hey, that's +4!). However I find many things disturbing. From time to time I see the term 'serious journalism' bandied about on Slashdot. I have to state: I don't consider Slashdot serious journalism. I find it a great place to find new and interesting information. I find it a good place to get some really insightful perspectives. But that's really from the Slashdot community. Not from the Slashdot editorial staff. The editorial staff, I think have their own agenda.

    Slashdot = Pro-Linux, pro-Open Source, right? Slashdot = Anti-Microsoft. Though it seems to be anti-corporatism, I find that to be less evident.

    Many of Slashdot's "celebrities" are Open Source community's big names. It's no secret that Linux and Open Source are the "darlings" of the technology world right now, to some extent. It's also no secret that many of these people have vested interest in companies that base its business on Linux and/or Open Source Software based products.

    What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.

    What this means to me, in a twisted way (I'll admit it's twisted) is that the Community (I'm lumping Slashdot, Linux and Open Source together, rather unfairly too, I know, but I'm doing it anyway) has become an Open Source Microsoft corporations. Think about it. Here are the parallels:
    1. Linux = Windows whatever.
    2. Open Source Community = Microsoft Developers.
    3. Slashdot (and other places) = Microsoft marketing machine.

    I'm sure that are many others. But this is what I could think of.

    So in a sense, it is distributed (don't we love that word!) corporatism, to some extent. It's a bit of a stretch there, but I think you may see my point. Just because the vested interest is in a bunch of companies doesn't mean that it's not corporatism. The point of corporatism is bottom-line. I don't think that it's so different in the companies that have products based on open-source.

    In all fairness, I believe that Open Source has its roots in for-honest-goodness, but I think that the term has now been used for many self-serving people and companies with an agenda to use it as a marketing term.

    And in this respect, the largest target for the Community has always been Microsoft. The Community is competing against Microsoft for market share. The Community hides behind "Open Source" as a Good Thing(tm). I find it extremely distasteful the feeding frenzy of every misstep and mishap of Microsoft. I don't love Microsoft, but I find this kind of behavior turns me off to the Community. And I absolutely believe that many are jumping on this bandwagon to bash Microsoft so that the best alternative to Microsoft, Linux and Open Source based products, will win out so that their own vested interest will make them rich. How disillusioning.

  • That's right, a TI-99/4, the one with the chiclet keyboard and the space bar that always bounced off its hinges making double-spaces on the screen (thank goodness it had a "Space" key), not the more advanced TI-99/4a.

    That was my first computer. After that, I had an Apple //e with Apple ][ DOS 3.3, and later ProDOS.

    Hey, I was nerd before nerd was cool. :)

    The point is the same...DOS wasn't the first computer for many of us. Even in the cases where it was, is that a sign of it not sucking ass? My first computer was a piece of crap in most ways! I have no allegiance to TI because of that computer, nor will I cut them any slack. I'm an engineer. I rave over the best technology. All else is vanity.

  • by Anonymous Coward on Saturday April 15, 2000 @07:16PM (#1130396)
    Info about the list here:

    Vuln-dev FAQ [securityfocus.com]

    We've been discussing this on the the vuln-dev mailing list. Here are the relevent threads:

    Has anyone verified whether is is valid? [securityfocus.com]

    Re: dvwssr.dll (Has anyone verified whether is is valid?) [securityfocus.com]

    So far, concensus is that the hole, as first published by RFP, is a little misleading. It looks like a number of Frontpage servers out there may be misconfigured permission-wise, so that using his code will allow grabbing of .asp files and such off the server. Some folks think that under the same circumstances, the same could be done with a copy of Frontpage.

    Now, there is a worse hole that the CoreSDI guys have found:

    DVWSSR.dll Buffer Overflow Vulnerability in Microsoft IIS 4.0 Web Servers [securityfocus.com]

    It's an unrelated hole, that was inspired by RFP's post.

    RFP is a pretty sharp guy, so it's very likely he's onto something. It's possible that he overstated things a bit due to default permissions (which means 90% of the sites ARE vulnerable) but I wouldn't write off his work entirely. There will be more to this story Real Soon Now.

    In either case, with two major problems related to the same .dll, and a huge embarassement for MS, you WILL see this file patched. :)

    And let's not forget MS's word on the subject:

    http://www.microsof t.com/technet/security/bulletin/fq00-025.asp [microsoft.com]

    BB

  • by Zico ( 14255 ) on Saturday April 15, 2000 @07:16PM (#1130397)

    WTF is that string doing in this dll?

    It's just a string used for encryption. It could've been anything, but the programmers decided to make it a jab at Netscape.

    #2, Can Netscape sue for libel?

    Only if they can prove that their engineers are not indeed weenies. In other words, not bloody likely!! ;-)

    Cheers,
    ZicoKnows@hotmail.com

  • Simple. They didn't intend to. Some programmer could have decided to add one in of their own free will. If they did add one, would you know? How? If they TOLD you would you buy it? No. You stated that yourself. But what if they didn't? Let's hope UCITA isn't passed in your state...

    Most all Microsoft products do not include their source code. Had they inserted a backdoor no one would know, or been able to find out with any relative ease. With opensource, said backdoor would never have been allowed into 90% of *nix systems. (the last 10% are suckers who installed untrustworthy binaries from some punk and run 24/7 as root).

    There are some corporations that don't intend to make the best product they can and sell it. They compete viciously, sometimes illegally, to crush competition to the point that they don't have to make the best to make money because they can make lots of money selling something that is far from the best they could do (whew!), since there is (or, has been) no option to turn to. Linux/*BSD, quite simply, is going to be near impossible for them to crush, if it can be crushed at all. Lets hope this forces changes.

    Slashdot must be right! Microsoft is an evil corporation which only exists to let people break into your computer and see your pr0n!
    Acting like an ass doesn't help you.

  • why would anyone moderate this up? it's a troll. there are real reasons for IPOs, particularly Linux IPOs, to yo-yo, and none of those reasons have to do with VA Linux, ESR, or Linux itself.

    The whole market just took a plunge -- after years of clockwork growth. Tech stocks were hit hardest -- particularly recent IPOs, dot-coms, and other computer/IT related stocks. Clearly, interest rates are going to skyrocket, just as all indicators show inflation on the rise. The party's over, folks. It's going to take something earth-shaking (fundamental Fusion/Physics/Science breakthrough) to pull this one out.

    Even worse, the recent tech IPOs of RedHat, VA, Caldera, MP3 were started off with unsophisticated "geek" buyers. People who are basically ignorant of anything except the net investing all they had for a quick buck. The institutions quickly followed suit, and everyone bailed out once they saw the peak.

    This chump should give it a rest with the Linux bashing, ESR should do his homework before making BS posts, and moderators, KINDLY PULL YOUR HEAD OUT OF YOUR ASS. This guy is either a troll or pathetically ignorant of the stock market, or (most likely) both.

  • people keep asking why the phrase "Netscape engineers are weenies!" was in the affected DLL if it wasn't the pass phrase for a back door of some kind.

    from this note [microsoft.com] on Microsoft's site, it seems that the phrase was being used as an "obfuscation key" for filenames in HTTP requests involving this component (probably using an XOR scheme, or else they would have called it encryption).


    But wasn't a password of some kind needed to exploit the original vulnerability?

    Press reports originally claimed that Dvwssr.dll used a password to bypass access controls, but this was not correct. The component uses an obfuscation key to obscure the names of files being requested by the client from the server. The obfuscation key and its use did not influence the operation of the access controls on the server in any way.

  • by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Saturday April 15, 2000 @07:30PM (#1130401) Homepage
    No, because his point remains true: that if you cannot audit the source, the executables are less trustworthy. Perhaps the incident that prompted his observation is a non-incident. So what? His point is valid, and worth making, again and again (that's how you sell ideas, by the way, by repeating them).
    -russ
  • What's happened to Slashdot?

    I'm not talking about the error; the correction was prompt and quick. I'm talking about the Trolls.

    We've always had trolls. But now it is just crazy.

    What prompts people to behave like this on web forums? Do those of us who don't want trolls, do we need to go elsewhere?

    How much fun would it be to Troll a forum no one reads?

    Sorry for posting off-topic, Slashdot used to be a much nicer place to visit. I think the threshold has been breached; AC posting must go. Perhaps temporarily.

    And I used to be a strong supporter for AC posting too. But the rewards no longer outweigh the problems, not when it is like this.

    Whatever will we do?
  • #2 - No. If you remember the article about Source Code being ruled by a judge as being Free Speecch, compiled binaries are NOT considered speech, therefore, the string in the .dll cannot be construed as speech. Ergo, no libel.
  • So? Insert "prominent vendor of proprietary software." If you like Microsoft, insert Adobe, or Apple. Microsoft is an easy target because they're so big.

    But if you limit yourself to not saying why the current regime sucks, you have a hard time explaining why you don't suck.
    -russ
  • No, because ESR's point still stands. It's not the fact whether there was a backdoor or not, what is important is the fact that that dll had been around for 4 years and Microsoft didn't even know what the hell was going on inside it. (And they have the source code!) It demonstrates just how easy it is for backdoors to live in closed source software. ESR's point was that that can't happen with OSS.

    --
    Simon.
  • The sad thing is that most people would believe anything about microsoft products when it comes to bugs or backdoors... why? well, they do have a record for having them. Maybe Microsoft should really take a look at the public perception of their software. People use their software, but don't trust the company they buy it from.

    Such is the order of things today...

  • you take the time out to bash slashdot, but you never mention all the major news services carried it first.

    remember, slashdot DOES NOT VERIFY news to any great extent. it only reports it.

    by the way, even MSHAFT recommended the dll be deleted as soon as possible.

    whether you like it or not, it was news, news for nerds. incorrect news, but that was hardly slashdot's fault, considering the above.
  • We all thought it was true because we wouldn't put it past Microsoft for having such a flaw. We can't inspect the code to their software, so who knows what they might plug in.

    The point could be made (I did not read ESR, I had no urge to read the SAME drivel over again) that with opensource, especially Apache, such flaws are hard to get past the thousands who use/code for it. If programmers A, B, C, D, E, F, G, H, I, and J find programmer K's backdoor, they'll all remove it before it gets major distribution, and if it somehow, by some freak accident makes it out in a release, we'll all be shocked as hell (some Ms trolls will parade it as the fall of opensource), then we'll promptly download the 2k or so of code to patch it (that came with the announcemnet), recompile, and be done with it. Thus the fundamental answer of "No."
  • What OS did you start on, when you first touched a PC?

    First "home" computer: UCSD P-System on a Sage II hardware. I then moved up to UNIX System V.2 on a Stride 440. I didn't have an IBM compatible PC till the 90's and then only because I could install Linux on it. With the exception of work I don't use MS Windows and even then it's only because they make me. I'm much happier with any UNIX workstation on my desk than I am with a Windows PC.

  • Ok .. so maybe there is a hole, maybe there isn't .. but the fact still remains that the words "Netscape programmers are weanies!" backwards in the .dll file that somehow becomes a password and lets people in under certain circumstances.

    Being that said, it's still a point against Microsoft and the "security by obscurity" model. A VERY large point it is also..

    NOW I see more clearly why Microsoft is trying their DAMNEDEST to not get their source code opened for the whole world to read. Wouldn't you? =)

    Ryan Wyler
  • remember, slashdot DOES NOT VERIFY news to any great extent. it only reports it

    What bothered me was not that slashdot got it wrong but that they had an entire article by ESR about how this proves closed source is totally insecure and open source is the cure.

    Other news sources reported this but did not hav extensive articles bashing microsoft and imply that microsoft designed the backdoor and placed it in the program.

    What slashdot did is sort of like a paper writing an extensive article explaining how the cuban community in miami is evil because they killed Elian rather than give him to his father then writing another article saying that they were wrong and Elian wasn't dead after all.

  • as always, just set you threshhold to above 1, and all is good.

    If you don't want to do that, ask Rob et. al to have a switch to turn off ACs for you, and maybe have a way to not see posts based on a regular expression that you set up on your prefs page.
    Of course the harder everyone tries to get rid of Trolls, the more they will appear. That is their nature, they want to annoy and pester you until you can't stand it anymore. I believe the AMA will be recognizing it as a disease soon, and will hopefully a pill to counter act its affects by 2005. Until then, the AMA are asking that if you see a Troll, to put it out of its (and our) misery, go to any clinic and they will give you a small bat that should do the job, in a crunch, a shovel will do. (no plastic ones though) Detailed instructions accompany the bat.
    The unfortunate thing is that we can't just ignore them either, they will simply try harder to get our attention.
  • Deep Dark Sky has a valid point. Ever heard of 'there's no such thing as a free lunch'. Think about it. Everyone has an agenda!

    Please engage brain before putting mouth in gear.

  • No, because ESR's point still stands. It's not the fact whether there was a backdoor or not, what is important is the fact that that dll had been around for 4 years and Microsoft didn't even know what the hell was going on inside it

    There are also bugs/races in open source program that were sitting around for several years. I believe a few months ago there was a exploit for redhat/debian systems that slackware that fixed 2 years before. Right now Lynx has a bunch of races in file creation that won't be fixed because the code is so bad and the authors aren't addressing it. So opensource is not the cure that ESR makes it out to be since not many people with the knowledge of whats happening look at the code they're compiling

  • BTW, have any of you guys tried this command on the linux kernel tree before??

    # cd /usr/src/linux
    # egrep -i "fuck|shit|damn" `find . -name '*.c'` 2>/dev/null

    It's quite amusing.. It's there.. but I can guarentee that you will not find an INTENTIONAL security hole in the linux kernel.

    Ryan Wyler
  • The parent to this post is the one post on this entire article that is ACTUALLY RELEVANT and has a lot of meaty, relevant links .

    --Joe
    --
  • Reminds me of the XOR encryption Micros~1 used with synchronization between Windows CE and NT. In that case, the obfuscation key was susageP [google.com], Pegasus backward. (Pegasus was the code name for the project that became CE and is not connected with Pegasus Mail [usa.com].)
  • Linux didn't suffer at all. Now Linux based companies on the other hand...

    "Free your mind and your ass will follow"

  • I believe the AMA will be recognizing it as a disease soon, and will hopefully a pill to counter act its affects by 2005.

    Get your troll pills here [rose-hulman.edu]. If trolls are playing Vitamins on their boxen, they can't be trolling /. at the same time.

    The unfortunate thing is that we can't just ignore them either, they will simply try harder to get our attention.

    There is a limit as to how hard they will try. Ignore them hard enough (build enough karma to get the +1 bonus, then browse at 2) and they'll stop trying.

  • As far as I can tell, slashtroll is an evening (us time) and weekend phenomenom. I wish I could spare the time to post to Slash during the weekdays but I have a job that prevents that and thus I post when the trolls are out.

    Trolls kill the readability of this site. Perhaps we should limit the number of posts by any given IP address to 1/10 minutes, the length of time it takes to post something serious. This would not stop the maniacal trolls but slow new trolls and lessen the tendency of people to overreact to (real) trolls starting flamewars.

    I wish the sex/grits trolls would leave. The political (VA) trolls are annoying but at least have a real message. 1 post/10 minutes would cut much of that crap out and probably increase the quality of posts in the threads generally.

    To the real trolls, keep going! Sometimes you are the only ones presenting the other point of view even if I occasionally get suckered.

  • It's cracked:
    JASON SAYS HI TO ALL THE IDIOTS THAT DONT BELIEVE HIM
    But how long will goats e.cx [goatse.cx] stay cracked?
  • one theory i heard...

    is that microsoft has a lot of their serfs (directly and indirectly) flailing at slashdot to disorganize things, try to keep us apart, try to fragment the core believers in openess.

    it sounds crazy at first, but back in 1998 or so MS *did fund* a fake grassroots ("astroturf") campaign to try and drop support for the DOJ in the legislative and executive branches of the US government -- that is, they paid people to send letters in support of MSHAFT to the government, people claiming to be independent of MSHAFT, just another lie in the string...

    it's not that far of a stretch to have the serfs come pollute slashdot. the most obvious ones start with "...hey, i don't like MSHAFT either, but..." personally, that when I recognize them :-)

    i also read a thoughtful article by someone here about this being an ancient japanese technique when your adversary has an open forum -- send in your clowns to spread hate and misery, to discredit the opponent.

    overall, i've come to believe this is the case. this open forum has simply become infested by the opposition, who will post anything to discredit the truth. an oppostion that consists of thousands of programmers and users that are simply "less than" -- that is, unable to see past their own desire to retain dominance and see the necessity to restore sanity to the software industry.

    perhaps most ironically, it is microsoft programmers who stand to gain the most from government intervention. they would obtain a wider field of possible employers. why they don't see that...oops, i forgot :-)

    anyway, if linux goes down, it won't be the first time brawn beat brains, or wrong beat right, or evil beat good, or the general public chose poorly. there are many instances in history where governments/societies chose *extremely poorly*, even though it seemed right at the time.

    personally, i don't think censorship applies to grossly offtopic posts. the "va linux" whiner is pathetic. okay, if there is anyone out there who doesn't realize that the stock market had a major reversal, and va linux/andover/redhat/mp3/SGI all cratered, please....go read the news.

    besides, ESR still has 150,000 shares, even if va drops to like $0.50 it's still $75K he didn't have before all this. i fell sorry for the people who really lost out this week -- people depending on 401K distributions, etc. that's really painful.
  • No, you're wrong. "Netscape programmers are weenies!" is simply used to encrypt certain data travelling back and forth between two Microsoft components. Clearly, Microsoft did not intend for this security method to be full proof; they simply wanted to keep the casual observer from seeing certain data. Here's what Russ cooper said:

    While reports focused on a phrase -- "!seineew era sreenigne epacsteN" or the backwards spelling of "Netscape engineers are weenies!" -- which was present in the DLL, that's a red herring, said Cooper, adding that the phrase is not a password, but a cypher key used to scramble the address of Web pages requested by users..
  • by Alex Belits ( 437 ) on Saturday April 15, 2000 @08:15PM (#1130424) Homepage
    From http://www .securityfocus.com/vdb/bottom.html?section=discuss ion&vid=1108 [securityfocus.com]:

    Two dlls (dvwssr.dll and mtd2lv.dll) included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack include an obfuscation string that manipulates the name of requested files. Knowing this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download any .asp or .asa source on the system. This includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to potentially gain access to the source of another company's website if hosted on the same physical machine.

    If this is true, this is a vulnerability in the environment with multiple users sharing a hosting service (but not with single user as someone probably thought originally).

    Anyone disproven this? Or now only vulnerabilities that don't require a local account on the system count as real?

  • Did anyone try this exploit [securityfocus.com]? I don't have my own IIS server and don't want to steal data from other servers, but if this program is proved to work than the security hole really exists.
  • As a Microsoft shareholder, I'm outraged. The irresponsible press, like the awful San Jose Mercury "News" (which is practically owned by Fry's Electronics), gleefully reported this story.

    It was very easy to verify. As soon as I heard the story, I tried to verify it, by installing IIS, etc, and was unable to.

    Looks like the press got suckered in to reporting an urban legend! I hope Bill Gates puts these so-called newspapers out of business for this slanderous coverage.

    --- Speaking only for myself,

  • Can Netscape sue for libel?

    Can they prove they're not weenies?
    Does that mean that a judge would have to establish a legal definition of what constitutes being a weenie?
    I say the MS engineers should challenge the NS engineers to a Nerf battle. Winner take all.

  • Not a vapor bug, but a real slick marketing tool. How many servers have not yet upgraded to FP2000 extensions? This is forced retirement of FP98.
  • There are also bugs/races in open source program that were sitting around for several years.

    True, but ESR's main point w.r.t the Weenie issue is that it is very very hard for someone to sneek a backdoor into OSS.

    --
    Simon

  • Small Dick is right -- this bug was reported by none other than Russ Cooper, who runs the "NTBugTraq" list. That makes it "news". (However, notice how Slashdot fails to report root holes in popular Unix software like Bind and WUFTP....)

    Cooper shot off his mouth to none other than the Wall Street Journal, before posting to his own list. Slashdot even had the story several hours before I got it in the mail. Once the folks on NTBugTraq looked at it, they determined that "netscapeengineersareweenies" was not a password, but did find another exploit concerning this DLL.

    While Cooper's list is an important source for NT admins, right now Russ is definately wearing a boob on his head.

    As for the facts of the matter, the DLL in question is only needed to support Visual InterDev 1.0 (obsolete), so by all means it should be deleted. Shame on Microsoft for including it in the base IIS product to begin with.
  • by Zico ( 14255 )

    What if they decided to use for their string something like the following: "I've seen a report compiled by private detectives that detail a very sordid private life by Sun CEO Scott McNealy. It appears that various times within the last 24 months, he has forced subordinates, both female and male -- one a 16-year old high school exchange program coder -- into engaging in sexual acts with him under the threat of losing their jobs. Our source indicates that all employees -- some current employees and some who have departed -- were paid off with a secret discretionary fund controlled by Sun's board of directors."

    Now, any reporter making something like that up would get their testes sued off, but what if a company purposesly put it into a common library, knowing that it'd be found, just biding time until someone looked at it with a hex editor? Yeah, it's pretty far out there on the realm of possibilities, but I have a hard time believing that a new judge would keep the precedent set by the one you mentioned in such a case.

    Cheers,
    ZicoKnows@hotmail.com

  • by Anonymous Coward
    No, the incredible Lunacy can be read here [slashdot.org]

    Eric - what have you to say now. All your 'insights' and 'inspirations' are proven wrong Yeah, facts, unlike your posts. When VA Linux hit $300 on opening day, you all blabbed about how important it was for the linux community. You said "it's nice to see that investors get it!". Well, now that VA Linux is a loser to anyone who still owns shares, what does that say? You said investors 'Got It', and I think you are right, they still get it. Linux is nothing. It's not important. It's insignificant. It's 28 and plummeting fast. You guys get all high and mighty whenever there is pro-linux or anti MS news, where is all your comments about this news? Why the silence? Surely it rates as a story since VA Linux was a story whenever there was any other news about it. Go ahead linux losers, moderate me down. Trolls of the world, copy this message, and make sure it's posted 100 times in each article. We'll get the message out regardless of what the moderator queer linux lovers think

  • Oh wait... lemme guess. You lost money in stocks and now you need a scapegoat.

    Stocks are not a lot different from gambling. You win some you lose some. Get over it and stop whining you ninny.

    "Free your mind and your ass will follow"

  • The only thing that's weird is that the NT community is so willing to believe that Microsoft backdoored their software. Even to the point of making hay about the whole matter before it was verified.
  • First of all, are there any real Netscape engineers left? I suspect all the qualified engineers have long gone.

    Netscape software sucks. Even Netscape's parent company AOL admits IE is better. After all, when you subscribe to AOL, you get Internet Explorer.

    --- Speaking only for myself,

  • Why don't we worship the guy that wrote ls instead.

    Hmm or better yet how about we all agree to go back to having our own thoughts. Then get back to posting interesting stuff.
  • by VividU ( 175339 ) on Saturday April 15, 2000 @08:32PM (#1130440)
    All of you MS Bashers remind of Mac users from a few years back. So in love with your precious OS, so blinded by your hate of MS, so much so that your own shortcomings are invisible to you.

    I drive a Honda, and I love my Honda. I do not spend most of my waking hours evangalizing about why Toyotas are inferior cars. I'm content to drive the car I want to drive.

    You all have lost sight of the fact that a computer is only a tool. And if your wise, you will put your biases and prejedices aside and use the best tool for the given application!.

    Linux [ and open source ]. Is not always the best solution to a given problem.

    The hypocrisy of your animosity is enormous. Would you have a PIII650 with 256MB if it wasnt for Windows being directly responsible for expanding the user base of PC's and thereby lowering the prices for everyone ( that includes you Linux user ).

    If you do not like it, do not use it. Your energies would be better spent taking care of the problems in your house instead of sweeping them under the rug.

    And, in case your curious what my tools of choice are: Win2000 ( which works great ) and BeOS ( which works even better! ).

  • by reptilian ( 75755 ) on Saturday April 15, 2000 @10:20PM (#1130452)
    Please allow me to rant.

    It seems whenever anyone starts calling their little group a community everything starts falling apart. Everyone now feels justified in making demans upon everyone else; everyone starts to think in the "mass mind" and it's only a matter of time until the tyrrany of the majority destroys everything. There is no community. There's a slashdot community, I'll give you that, but if slashdot is the primary representative of Free Software, all hope in civilization is lost. Free Software, Open Source, whatever you want to call it, I don't see a community. I see everyone as an individual, all with equal rights, specifically the right to use their software however they god damn want to. So we all share something. Isn't that nice? It doesn't make it a community. It MUSTN'T be a community, or it will destroy itself over the petty demands of "the community."

    Now, rant over I think. You can't blame slashdot for this backdoor mishap. They got the story from WSJ and C|Net and whatever other websites published it. We've all complained before that slashdot editors should do some fact checking before posting stories that don't sound credible, but really, if you believe everything you read... things like this really aren't worth complaining about. Relax and shrug it off. No one is infallible.


    Man's unique agony as a species consists in his perpetual conflict between the desire to stand out and the need to blend in.

  • by Wah ( 30840 ) on Saturday April 15, 2000 @10:54PM (#1130453) Homepage Journal
    I would have thought that most of the Microsoft apologists would have lost their fervor after said company was found guilty of fucking everyone over in a Federal court of law. I guess some people just get used to it. I got sick of it, so there ya go. Here's to another 20 years of expensive easter eggs!!

    Microsoft has millions of dollars and a lot of easily convinced people to push their agenda. Linux has people who love it. There is a fundamental difference, some people embrace it, some people ignore it, some just go about their merry lives, hoping things will get better but never doing anything about it.

    There was a recent store closing in my town. A bookstore that could no longer compete and was forced to close its doors. Since then, a small awareness has arisen in people that the votes they make with their dollars and their actions help shape the world around them. If the only thing they look at is their own convenience, and their own bottomline, well, then that's how the community crumbles.

    If you stick your head in the ground and ignore or dismiss the negaive actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old.

    Just the tip of the iceberg of a counter rant, and MHO.


    --
  • Even "Free" software can be exploited for economic gain. Corporate systems are brutally efficient at "maximizing shareholder value" in all economic environments.

    Free software and open source just changed the playing field which puts "old-style" (if you can call two decades old) corporations on unstable footing. But they'll adapt; they have to. Meanwhile, the net is wide open and free software corporations have the ball.

  • Well, I think the first sign that this was something bad was from the original article on ZDNet [zdnet.com]:

    The headline subtext: Microsoft engineers placed a password in server software that could be used to gain illicit access to hundreds of thousands of Internet sites worldwine.

    Microsoft Corp. acknowledged Thursday that its engineers included in some of its Internet software a secret password...

    The manager of Microsoft's security-response center, Steve Lipner, acknowledged the online-security risk in an interview...

    By using the so-called back door, a hacker may be able to gain access to key Web-site management files, which could in turn provide a road map to such things as customer credit-card numbers, said security experts who discovered the password.

    When you have Microsoft calling it a secret password and an online security risk, I guess people figured it was just that. They assume at least Microsoft did look into it before letting their security-response center manager go to the presses. Then ZD and the experts who discovered it were the ones that stretched it to "hundreds of thousands" of servers and that whole credit-card scheme. Everything with these folks has to end in credit card fraud.

    This is how I figure people (including ESR) went to calling it a backdoor. But many of the arguments of closed vs open source regarding security/privacy still stand. We have seen things like Blizzard secretly sending [slashdot.org] your email and stuff from the registry when you mis-type the CD key. These sort of things can very easily be put into programs, and there's little way to find out except to sniff and the like (not to mention you'll get sued for disassembling it and other freakin' EULA/reverse-engineering crimes). It could happen in the Linux kernel, GCC, Apache, etc., but of all the thousands of eyes looking at the code, someone will find it quicker than someone will find it in closed programs. Someone will become curious about how a specific piece works, gcc will become more strict and error out, etc. Eventually someone will fall into the malicious code. Then it's snip-snip and it's all good again. Not to mention with many projects using CVS and the like, it's not hard to go back and see just who it was that submitted the code, unlike Microsoft's "as-yet-unidentified person."
  • What I find, then, is that Slashdot's agenda is: 1. Praise Linux, praise Open Source. 2. Get the Linux and Open Source community to all pat each other in the back for being defenders of the free software world. 3. Get rich off of the companies that they have vested interest in.

    Ah, but the encouraging thing is-- if Slashdot readers consist entirely of backslapping open-source bigots, why was your comment moderated to a +4? Why was the top-rated comment about the `Geek Pride' festival one that said, I think, that meeting Eric Raymond would be `about as enticing as a headwound'? Certainly among the Slashdot Illuminati, there's a strong voice of dissent to the party line.

    I get the impression that the majority of the comments you read on Slashdot represent the views of a group of kneejerk reactionary teenagers who, like you do when you're a teenager, are trying to find their niche to fit in. The sometimes heady political atmosphere of Linux advocacy is ideal for this sort of self-definition, gives you something to talk about at parties etc. (but does not, repeat not impress girls, take note. Skateboarding is still good for something. )

    Anyhow, I think the guys that run this site do a smashing job of keeping us posted. I don't think they have an agenda, but their attitude, like that of most balanced Linux users, is parallel to Linus' when he said jokingly that the purpose of Linux was to `conquer the world'. Slashdot's stories need to be taken with this sort of tongue-in-cheek comment in mind-- yeah, so MS has a dodgy DLL, big deal we will now inherit the earth bwahahaha... you're hardly meant to take it as serious political commentary. But I think the teeny contingent take it seriously and flood the comments boards with Borg-like efficiency because, well, they're just following a crowd like teenagers do.

    Hmmm, bit of a ramble. But you get my drift. I don't think Slashdot is going to be descending into back-slapping hell for a long while, and there are some really incisive, decent comments being moderated up. And let's not let ESR do security reports in future, because although he's written some good essays and software, he does have an annoying habit of posting complete tripe here.
  • > of all the thousands of eyes looking at the code, someone will find it quicker than someone will find it in closed programs

    An interesting experiment would be to put a comment in some obscure piece of Linux kernel or utility code, saying "This is a survey. If you find this comment, send a message to whoever@wherever, and don't mention it to anyone. In a year I'll report on how many pairs of eyes have spotted it. (P.S. - Let me know if you only have one eye.)"

    --
  • you don't know how much of those ESR (or anyone) sold off

    FWIW, Everyone knows how much ESR has sold off: exactly zero shares. He's not allowed to sell any until 6 months after the IPO, which will be in June. At the current rate, VA Linux could be a penny stock by that point, especially after that recent report showing how they were trounced by the competition in the sale of Linux computers. Honestly, by the way that they're dwarfed by the other hardware vendors, companies which are already profitable, what does VA Linux have going for it which would keep this stock from going even lower? They're not looking to turn a profit anytime soon, and today's Wall Street has very little patience for stocks like that.

    Cheers,
    ZicoKnows@hotmail.com

  • send in your clowns to spread hate and misery, to discredit the opponent.

    As long as Slashdot continues to post garbage and lies like the ESR article, neither Microsoft nor anyone else needs to send people here to discredit Slashdot -- it's doing a heckuva job on its own.

    Cheers,
    ZicoKnows@hotmail.com

  • by ebcdic ( 39948 ) on Sunday April 16, 2000 @01:59AM (#1130467)
    If someone had made this claim about Apache, we'd have looked at the source and known the answer in five minutes.

    And if there *had* been such a backdoor in Apache, whoever found it could have posted the code rather than just asserting it, so we'd be *right* not to be quick to believe an unsupported assertion.

  • Unfortunately, the bottom line still stands. While it might be hard to exploit this hole, the fact that it exists continues to raise serious doubts about the Microsoft QC, and other, perhaps more intentional, inclusions.
  • by Black Parrot ( 19622 ) on Sunday April 16, 2000 @02:36AM (#1130473)
    > We all thought it was true because we wouldn't put it past Microsoft for having such a flaw.

    And the perception is sometimes more important than the reality.

    However much this turned out to be a false alarm, the fact that it was taken so seriously by so many people (and not just us drooling anti-MS types) is going to be read by the non-technical crowd as a sign that this kind of thing really is possible.

    I think the next time a non-US parliment* discusses the issue, you'll find that the discussion has moved from last year's Could this kind of thing be happening? to this year's How do we protect ourselves from this kind of thing?

    I suspect this overblown flap will prove to be the last nail in the coffin of closed source software exports. People have just seen the proverbial writing on the wall, and would be fools to wait until they really do get stung before doing something about it. And conveniently, Open Source Software was just on the verge of public acceptance when all this happened.

    Rather than saying that this is something that was overblown in a way that never should have happened, the wise should be grateful that it happened and was overblown enough to reach their attention.

    I find myself increasingly unwilling to run non-OSS software on my Linux system at home, even though I don't have anything to hide or anything worth stealing. I wouldn't dream of running anything I hadn't compiled myself on a commercial site. And it's not hard to imagine how paranoid the directors of government agencies around the world must be getting about this kind of thing right now.

    Someday the alarm will be for real, and serious damage will be done. On that day the users of OSS will be patting themselves on the back for more than just the money they have saved.

    ~~~~~
    * I explicitly exclude the US, not because we don't have a parliment, but because we're way too stupid to let something like basic security stand in the way of supporting American businesses with our purchases.

    In fairness I should also note that although OSS seems to be the kind of source code that's getting attention right now, it might also suffice to have "closed" code under a non-disclosure agreement, so long as it was complete enough for you to compile it yourself. (Though even then the non-disclosure would presumably limit the number of pairs of eyes viewing it. Indeed, you would not even know whether you were actually getting the same code that the NDND got, with the result that you would need to scrutinize the whole thing yourself.)

    --
  • > Microsoft already have something like that. SETUP.EXE, I believe it's called.

    I should have known that. I killed a Windows95 system one time by using the Windows uninstall utility to remove a frickin' $5 game.

    --
  • These are not the backdoors you are looking for.
  • (wave hand) These are not the backdoors you are looking for.
  • Most users like Explorer because it does a good job of surfing the web for the user.

    As a web developer I HATE IT. Explorer does NOT correctly support HTML standards, and contains a lot of code that imposes it's own view of how flawed code should be shown, often making up tags as it goes along. I cannot use IE as a development tool because it just flat out does not display HTML correctly! It also is extrodinarily crappy for Javascript debugging.

    IE has had the affect of encouraging sloppy HTML coding habits - something that is going to bite the web in the ass when smaller web devices without the horsepower to run large browsers like IE become common.

  • It wasn't Slashdot that was feeding the frenzy over the "back door". The mainline press did not interview the Taco. They interviewed NTBugTraq's big kahona.

    I will state that most Open Source programmers had nothing to do with the feeding frenzy on Slashdot. A few "luminaries" did, but in general they acted upon what information was reported by Microsoft and NTBugTraq. Given that Microsoft itself was calling it a "back door", I can hardly fault ESR for putting out a long essay about the problem.

    Finally: To accuse Open Source people of "corporatism" is silly. People who release code under the GPL do so that others *can't* take ownership and hide it from view, which is what corporatism is all about. Yes we get excited when we see our beliefs vindicated, but this has nothing to do with money. It is interesting that many former Microsoft employees, albeit working in other places hundreds of miles away from Redmond, will still defend their former employer, for the exact same reason: pride of ownership. It is "their" product, and they want to tell the world that it's good stuff and that those who criticize it are weenies. No Borg mind-washing required.

    About the only lesson we can learn here is that there would have been no story if it were OSS. The Wall Street Journal would have contacted a local security guru, who would have looked at the source code of the module in question, and said "There's no back door there." No story. The only reason there was a story was because only one company had the source code to this module -- Microsoft -- and the Wall Street Journal had to rely on Microsoft's word. And Microsoft was saying it was a back door.

    -E

  • Slashdot is not journalism, Slashdot links to others stories that may be ov interest to Slashdot's community and allows us to discuss it.
    Yes Slashdot has an agenda, just like every other news source out there, difference is, we aren't subtle about it.

    Finkployd
  • I use Windows 2000 on my PC and two laptops and it works quite well. How about getting your head out of your ass for a minute?
  • So, in case you haven't red the bug report, the specific password in question is "Netscape engineers are weenies!"

    Oh, I love Microsoft's well-developed sense of responsibility and mature approach to the market :-)

    So I guess people are backing off because you have to have publishing rights, but the ugly part is that you only have to have publishing rights to one of the virutual hosts on a server to get all of the .asp(s) from it.

    I'll have to peruse the Ars Technica comments to see why they don't consider this a back-door.
  • Look, a lot of people were announcing an NT security hole. Slashdot reported it too. Now, I agree that Slashdot should have a team of investigative reporters who have the tecnical credits to figure out if this is true or not, but that's because I have a very different vision of what Slashdot should be than, say, CmdrTaco. I don't begrude him his site as it is, but feel it would be much more useful as a validating filter on the poor high-tech reporting that goes on in other outlets.

    The story is still up in the air as far as I'm concerned. One guy (who, BTW was not the original discoverer of the exploit) is reporting that Microsoft doesn't think there's an exploit.

    I want to see some people grab the exploit script (it's on the real bugtraq) and run it against some test servers with valid permissions. Does it work? How invalid do the permissions have to be? Does the Microsoft documentation lead you down the road of "invalid permissions" for settting up virtual hosts?

    Many questions need to be answered before this case is closed....
  • If I didn't already agree with Eric, I wouldn't bother being the VP of OSI. Isn't that obvious *enough*?
    -russ
  • The Ken Thompson cc story is just a story. And guess what? Real software needs to be rewritten from scratch every five years, because the assumptions you make about trade-offs become invalidated. Both sendmail [cr.yp.to] and bind [cr.yp.to] are *long* overdue for a rewrite.
    -russ
  • What OS did you start on, when you first touched a PC?

    Apple DOS 3.3. Unless you want to count the AppleBASIC in the ][e's ROM as an OS =)

  • Why all talk WITHOUT checking?

    Facts:

    1. IIS w/ option pack HAS a "backdoor" with "netscapeengeniersareweenies" (or something like that).
      • It allows every user with access to read all other user's .asp files. This seems not to be a bug!
      • I HAVE SEEN IT WORK.
      • So as it is would affect mostly web-hosting companies
    2. BUT, Core-SDI [core-sdi.com]'s Gera and Beto have found a buffer overflow vulnerability.
      • It lets ANYBODY on the internet to crash a IIS with mentioned option pack (called a DOS).
      • It is demonstrated using a perl script posted on BUGTRAQ [securityfocus.com].
      • It seems HIGLY POSSIBLE to use THIS buffer overflow for arbitrary remote code execution.
      • I HAVE SEEN IT WORK.
      • So as it is affect ALL IIS w/ option pack4 on the net!!!
    Notes:
    • I work too at Core-SDI.
    • I hate lewsers talking without even trying it.
    • I hate how SLASHDOT just becomes vaporware-information.
    • This are the same guys who spotted RSALIB's overflows last year!
    • For god's sake, even M$ admitted it!!!!
  • Microsoft sent out TWO security notices regarding this DLL to their security mailing list in the last couple of days.

    I guess they are part of the irresponsible press and should sue themselves, huh?

    .


    Torrey Hoffman (Azog)
  • 1. Release a sploit for the "backdoor" that actually works, when you run it, and without having to turn shit on or off on the server (like ACLs!)

    2. Release a sploit that DOS's or executes arbitary code with the buffer overflow that actually works, first time, without having to turn shit off on the server.

    If after you do this you see that people don't care. Don't be suprised, they have lived with insecurity for years. But if you pulled this shit in the unix community there would be the same response. "You got a sploit?" "err.. no" "Then we'll get around to looking at the code later" .. that's the way it's always been, no-one does anything until you release a sploit.

  • I can't even access the dll because I don't allow anonymous interaction with my IIS box. Hack the sploit so you can use a username and pass so I can test this thing already.
  • Because we don't have the source to IIS, we couldn't check for ourselves, so when people who we trust more then MS (for good reason - they are somewhat unbiased) made an allergation we believed them.

    That's the reason Open Source is better - the security expects (or us) could have checked the source, seen no real hole, retested the scenerio, and seen what was really going on.

  • And if your[sic] wise, you will put your biases and prejedices[sic] aside and use the best tool for the given application!

    Precisely. That's why I use *nix -- winbloze has neither grep nor cron.

  • Why the hell is the above rant "insightfull"? It didnt' make me appreciate anything, i didn't get any vision or hopes from it? Infact it was just one pissed off opinion from another person expressing his blatant choice in OS's.

    Moderate it down, moderate correctly. I have to agreee with the other posts about moderation.. What the hell is going on here. enlighten me on what "If you stick your head in the ground and ignore or dismiss the negaive actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old. " means. So it means now if you bust your ass working on linux stuff and some coroporation is still making millions life is good because your not an 8 year old? Gimme a break people. Microsoft is Microsoft, you people BOUGHT there software or COMPUTERS with it on there. You could have bought OS/2, Apples, or even kept the faith in very advanced for its day NeXT Boxes or BeBoxes. The consumer was the one putting there faith in Microsoft. Should we sue mcdonalds because it makes people fat and really taists like shit but the commercials make me buy it or because its the only joint on my bock its now unfair competition and they have to be sued until someone else with another shitty ass hamburger can come back in? My god. CHOICE PEOPLE! you chose a FUCKEN LAWYER to win your battle. Now think about that. You didn't choose NOT to run a Microsoft Product, you chose to waiste money on supporting a government that is just as unruely and unjust as any corporation that exists. Fear the capitalism? them move somewhere else or leave it be. DON'T take my choice! I still run Windows, I still run OS/2, i still use Linux. MY Choice. I didn't support nor write my legislature/senators to sue microsoft, that is BS. I didn't buy a distro because THAT is BS. Buying something that *IS* free for the sake of Support? If the INFORMATION is free, why would you NEED support? If it was intuitive enough, what would be so hard that you need support????? Why should redhat get my money moreso then microsoft? Atleast with microsoft i see Innovative features such as the highly popular portals/email/mapping systems, kick as gaming, ease of use, quick adaptation, forward looking and forward thinking design and gui concepts? I mean for the first time in computer la la land there is consistancy and a huge market.

    And we want to distroy that because people are naive and want to accept freedoms and not be forced to choose? Microsoft didnt FORCE windows. Microsoft didn't FORCE anyting. They played the game and the lil boys lost.. wooopideee dooo. They aquired when nescape could have aquired. Why didn't netscape team up with IBM to compete with microsoft? I won't even go any further, as its pointless reall..

  • For an OS that was supposed to END the two different Windows OS's, Win2000 is extremely bad at compatibility, etc.

    Who said Windows 2000 was supposed to do that? I mean, at one time that was Microsoft's story, but no longer. That's why it's called Windows 2000 Professional and Windows 2000 Server. Their will always be WindowsMe and Windows 2000 Consumer...

    I use the command-line in Windows for almost everything but dinking with specific file operations

    Same here.

    And yes, I do know what I'm talking about, I've used Win2000, hardware support? We obviously don't NEED hardware support in this OS, after all we're cool! (Now, on the other hand, Linux is good.. that's actually my main OS..)

    Win2k detected every piece of hardware I had, both on my PII 450 desktop (mostly new hardware) and on my old laptop (P133). Of course, I don't have every wiz-bang programmable Speaker/Joystick/Modem/TurboKeyboard/Ethernet/Prin ter/Scanner
    combo device on the planet, but still...

    And Win2k has better hardware support than Linux (sad, but true). Linux rule of hardware: if it just came out yesterday, or if it came out 10 years ago and almost nobody uses it, then there is no support for it.

  • one pissed off opinion from another person expressing his blatant choice in OS's.

    Yes, choice. My choice. The fact that I've used computers extensively for 10 years, all but the last one extensively on the Microsoff platform. Recently is has been proven (beyond a shadow of a doubt) that this wasn't because they produced the best software, well, maybe it was the best software, but they cheated to keep it that way. Or should I say the platform upon which it is run. Microsoft stumbled, thanks to IBM's ego, upon the true power over the home PC, it's operating system. Apple had a chance, but kept the shortsighted view and tried to control the hardware too. Hardware is commodity stuff, as it turned out. I believe if fairly obvious now that Operating Systems are the same. Unfortunately the company with a stranglehold on the home PC doesn't think so, AND HAS BROKEN LAWS TO HOLD THEIR POSITION. And in doing so has hurt the consumer. So that's why I'm pissed.

    "If you stick your head in the ground and ignore or dismiss the negaive actions of powerful entities, they will have no recourse but to continue with that course of action, because it's obvious nobody cares. It's the same with your average eight-year old. "

    Basically it means that if you don't respond to the actions of someone, be they an eight-year old or a billion dollar corportation, they will continue doing the same thing. If someone hurts you, and you want them to stop, the simplest thing is to tell them. If that doesn't work, you tell other people too. Unfortunately in this situation M$ has been able to squeeze so much money out of the market, that they can state their position whenever and wherever they want. I don't have that option, so I rant here.

    You could have bought OS/2, Apples, or even kept the faith in very advanced for its day NeXT Boxes or BeBoxes.

    Yes, I could have, unfortunately every program that comes out has a cute little Window on the package. The OS is just the foundation, a foundation with no buildings is a useless. Microsoft used every tactic it could to keep people from building on other's foundation, because they know the only real money comes from owning the land. (lot's o'metaphors phor you.)

    You didn't choose NOT to run a Microsoft Product, you chose to waiste money on supporting a government that is just as unruely and unjust as any corporation that exists. Fear the capitalism? them move somewhere else or leave it be. DON'T take my choice!

    Capitalism needs a free market to function properly, when a company, say in a Monopoly position, abuses that power, if fscks up the market. Study the history of capitalism if you don't believe that.

    If the INFORMATION is free, why would you NEED support?

    Because knowledge and information are two different things.

    --

    Say hi to the folks on k22320inchfan for me!


    --

A successful [software] tool is one that was used to do something undreamed of by its author. -- S. C. Johnson

Working...