Microsoft Cracked 712
Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete. What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.
Umm... HELLO!!! (Score:2)
Do you think that maybe that's because there are more Linux than NT webservers and that it's been rising because the amount of Linux webservers is rising (in fact has overtaken NT)? I dunno, just a guess.
Time is Change.
Yep, you missed 'em (Score:2)
You sure did. I'd venture to guess you didn't even read it. Go read the MSNBC article where it states what "experts" think happened. (In short: QAZ).
And while it doesn't mention a mail client, how much you wanna bet everyone at MS uses Outlook?
--
Re:No Security on a Windows Network (Score:2)
As far as I can tell, defining and enforcing a policy for what is acceptable as email content is a very, very rare practice. I contend that it shouldn't be, no matter what OS you are running.
Which is why I hang around on slashdot telling people to click on my signature - I wrote an open source filter which allows admins to do just this. :-)
My program doesn't solve the problem. But it helps - it allows the admin to make his internal network immune to whole classes of attacks. That can really make a difference.
--
This is really getting to be too much (Score:2)
But I expected the arguments to at least be plausible.
What we have instead, is an argument that Microsoft's software is not at fault; the problem is faulty administration.
This is being claimed despite the fact that Microsoft wrote the freaking software!
If they can't admin it properly, how is it reasonable to expect anyone else to do so?
SHEESH!
--
Re:Not A Good Thing (Score:3)
While I agree with you that this is going to look bad in just about any light, a few things need to be kept firmly in view.
Yes, this hack was probably a very, VERY unwise decision by the culprits. Yes, there will be a truly astounding storm of shit over the matter. But, if Microsoft's opponents play their cards correctly and with a bit of savvy, there can be a world of good which comes out of it, too.
But first, maybe we should all sit back and try to figure out exactly what happened, how it happened, who caused it to happen, and most importantly, why it happened.
If nothing else, that approach will choke off some of these tiresome, pointless accusations and counteraccusations.
Chris Tembreull
Web Developer, NEC Systems, Inc.
Re:Reichstag Fire (Score:2)
Reuters at Yahoo [yahoo.com].
Interesting thought (Score:2)
It is known for quite long that there is some "secret code" that allows such apps like Excel or Explorer to work more tightly with the core of the system. Even Microsoft, back in the middle of the 90's, recognized that their Excel got a boost in performance due to such hacks. Now, imagine what will happen if the code gets well known. First Microsoft loses its warhorse. Second, these hacks can be exploited to take control over the system. Note: I am not stating a hypothesis but a fact that I saw with this "all-in-one" mess, two years ago. It's a pity I didn't have that source code back then.
OSS brats, hippies & Microsoft, oh my! (Score:2)
First let me say I agree the message was in very bad taste. I don't think M$ will win in the long run. Why? History repeats itself. Causes that are championed by the youth of today inevitably win tomorrow when the youth of today becomes the decision makers of tomorrow (scary, I know).
Historic examples: green movement, peace movement, and probably a lot of other movements I'm forgetting about.
M$ might win the day, but I seriously doubt they'll win the war.
----
Remove the rocks from my head to send email
So where's the source? (Score:2)
I'd love to see Microsoft source code. We could all benefit from looking at their source. In the very least we could learn what kind of code *not* to write.
Potentially Serious Consequences (Score:2)
So little is necessary to create a back door, or even an exploitable "bug," how would it be possible for Microsoft ever to say that the codes are uncompromised?
The problem is that MS operating systems are ubiquitous. If a hacker can build-in, directly or indirectly, the equivalent of Back Orifice in EVERY system, what then? Suddenly MS itself becomes the Trojan horse.
This is the fundamental difficulty of closed source solutions -- there is no way for third parties to assure themselves of the absence of surreptitious code. Of course, such code can find itself into open source code as well, but at least there are means to independently verify the work.
Microsoft just says, "trust me." And some of us do. But the more frequent hacker visits occur, the less it matters whether we trust Microsoft -- we have to ask ourselves, "do we also trust Microsoft to effectively defend itself (and thus us) against Microsoft's hackers?"
Info also at the Washington Post (Score:2)
Inside job? (Score:2)
Really, this isn't a good thing for MS in any way. If it can be proven to be an inside job (to hold off the legal issues maybe?) and is found out to be, then they're screwed.
If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.
On the bright side, it's a win-win for us.
Oh what a great day.
Open source in danger (Score:4)
Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts, I think it's important to discuss just how bad it would be if they have actually had the source code for their operating systems stolen by these hackers. And not for Microsoft, no, but for people engaged in open source projects like Wine, or people building Windows compatible operating systems.
What are Microsoft going to end up doing? They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits, and that these products have improved as a direct result of this crime. Then, all they need to do is take the creators of Wine to court over this, and hey presto, there goes a project which was making Linux look good against Windows.
Unfortunately, because of the hacker ethos about security and the fact that the ranks of open source programmers already include criminals (Randall Schwartz), judges without any real clue are quite likely to buy this.
Yahoo Coverage (Score:2)
Re:Sealand (Score:2)
Re:The "Truth" about who Microsoft really is (Score:2)
Haven't even gotten to SUBTLE Win-security holes.. (Score:3)
But so far, crackers haven't had to look for holes or real problems in the code, because *THE PUBLISHED API, ITSELF CAUSES HOLES*. Windows is still back at the "Morris Worm" days of security, if even that far along. How long ago was that?
Re:Maybe this is what sunk the Kursk (Score:2)
You jump to conclusions pretty quickly. You saw someone who wrote a post that offended you, and thus you assume that this person, and most others frequenting this place to be "brats... lacking any amount of maturity and decency", ending your display by declaring death penalty to the person not sharing your taste of humour.
I must admit that I wonder who is at error here. The post you're replying to is in no way an indication of this person's maturity or decency, nor does it reflect his affiliation with the Open Source movement.
Even so, as has already been stated in another post (redundant here I come:), people make jokes about anything, all the time! This includes war, death, fatal accidents, betrayal heart aches and slapping each other in the face with dead fish :)
NO topic is too touchy to joke about. Some people may on some occasions be offended by certain jokes (obviously), but in that case I'd make a bet that it's usually the people offended that's the problem, and not the joke.
We need to turn the tables... (Score:2)
That is to their detriment, and what they have refused to learn from the white-hat community has contributed to this break-in.
That's the story we need to put forward, now!
Re:Open source in danger (Score:2)
A judge's job is to interpret the law. (in case you forgot this.) These are VERY smart people and I will bet you money they are not clueless in any sense of the imagination. The judge may philosophically agree with you but it is more than likely he is tied down by arcane laws that no longer work.
Yes if Microsoft can prove linkage between source code theft and Wine, the Linux kernel (god forbid!!) or any other piece of software they WOULD win (not could). It doesn't matter if the judge has been using Linux for years and can compile his own kernel he would have to agree with Microsoft. If he didn't he would be disbarred (fired) for not following the law and the case would bounce to another court until Microsoft got an agreeing judge.
Any theft of intellectual property is extremely risky. Even if it's intended to help a group or embarrass another group it can come back and bite you in the ass.
Re:Inside job? (Score:2)
Read: not only can you not trust the next release of windoze, you won't be able to trust it for "years and years." ;o)
Only ROGUE companies, eh.... (Score:3)
--
Americans are bred for stupidity.
Re:See what happens when you rely on NT (Score:2)
"When I was a little kid my mother told me not to stare into the sun...
Re:Inside job? (Score:2)
Conspiracy theories and Urban Legend (Score:2)
I love it.
Unfortunately, even if investigators catch the crackers "red handed" with the MS password files and Windows source code, there is no way anyone can be absolutely sure that the code has not been distributed.
Conspiracy theories and legends of rogue cracker terrorists, foreign power "Echelon" projects, and talented grade-schoolers will emerge.
As other readers have pointed out, this is a perfect way for MS to attack all projects aimed at MS compatibility. They will always be able to point at how it is impossible for others to get their programs to work with Windows without having access to the source code. Wow.... all this is an incredible conspiracy on MS's part!
Don't cloud the issues with the facts.
Everyone is out to get YOU. Have a nice day.
What I want to know is... (Score:2)
Re:s/NT/stupidly trojan-enabled software/ (Score:2)
I think not.. and I just tried it to confirm this.
And outlook is not part of windows... it's part of office.
And the icon for
That's not what I said. (Score:2)
Outlook Express does come with windows, but they are *not at all* the same piece of code. Outlook Express is *not* simply a 'light' version of outlook.. it is mostly a completely different mail package.
All these 'outlook' worms *ONLY* work in OUTLOOK, not in outlook express. Everyone just assumes that when you say outlook, you mean 'outlook express'.
Re:/. edit box (Was: See what happens when you...) (Score:2)
Or if you are truly sick, you can simply use Emacs+Gnus to read Slashdot. Some crazy hacker has actually added a Slashdot backend to Gnus so that you can read Slashdot as if it were just another news group.
That includes Gnus' incredibly powerful scoring system (so your problems with slashdot moderation disappear). If you want you can just read the posts from known trolls.
Re:See what happens when you rely on NT (Score:2)
So basically, the choices are:
1) Develop a feature which allows Outlook to run executable code - so administrators can email software updates to their employees, etc. By default, leave it wide open, so support of this feature is ubiquitous, and so that people actually USE it, and it's touted as a great reason to use Outlook instead of Eudora, etc.
2) Develop this feature, add it to Outlook, but effectively hobble it by setting the security defaults high enough to eliminate the threat of email viruses. If anyone wants to actually USE this feature, designed to aid complicated administration tasks, they'll be required to train all endusers in how to set the security settings so that this feature can be used (has anyone here actually tried to tweak these settings in Outlook? Talk about obscurity!)
3) Leave the feature out, and give consumers NO features that appeal in Outlook over Eudora.
Re:Reichstag Fire (Score:2)
http://www.nytimes.com/aponline/technology/27MICROSOFT.html [nytimes.com]
The Reichstag Fire analogy is relevant in my view.
Why Bill G paid them to do it (Conspiracy 101) (Score:2)
Picture this - a dark, shadowy lair on the shores of Lake Washington, in a futuristic (circa 1990s) mansion that has a trout stream meandering through it and ads for Froot Loops appearing on every wall. Bill G, Dark Overlord, sits in his space age chair, rocking back and forth, as his minions sit uncomfortably, waiting to hear his latest dark plan for world domination.
"Profits!" he screams suddenly. "No one is buying my Windows 2000 TM R Patent Pending!" he shouts to the cowering lackeys, many recently hired from failed dot-coms that litter the wasteland of King County. They jump in their chairs, and settle back down nervously, awaiting their orders.
"You must crack our servers, in a way that will bring disrepute upon those who oppose us - make it appear to be Open Source Hackers, Russians would be best; everyone knows the Russians are still mad at us over the cold war. Release all the code to our failed OS - they will assume it was functional. And then - you must go into hiding in Aruba."
They leave, shuddering at the import of his task, knowing that their lives and those of much of the rest of the world shall never be the same after this.
Re:Simply Bad System Administration (Score:2)
Yes, you can lock down any key in the registry.
Re:Russians (Score:2)
Wouldn't it just suck to be a WINE developer and wake up one morning with a copy of pilfered source in your inbox, and the FBI knocking to ask questions because they tracked it down from the sender's Russian address?
Fist Prost
"We're talking about a planet of helpdesks."
Re:s/NT/stupidly trojan-enabled software/ (Score:2)
For instance, stages virus was actually Stages.txt.vbs. In Outlook, it looks like Stages.txt. If you save it, in explorer, it looks like Stages.txt (even if you told explorer to show all extensions - this is a hidden exception, even Windows Power Users are fooled by this, ironically, your only saving grace is erp! DOS!).
So you see this innocent looking
No other mail client will hide the
Now, you CAN tell Outlook to warn you when it runs executable content from an untrusted source, but the problem is, it SHARES these security settings with Explorer, so if you do this to secure Outlook, you hobble Explorer, which will no longer run javascript from untrusted sources, which amount to like 90% of the websites you're likely to visit.
This is complete horseshit, and there's no excuse for a feature like this.
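The hidden-extension problem described in the comment above (Stages.txt.vbs displayed as Stages.txt) is something a mail gateway can check for before a message reaches the client. The following is an added example, not part of the original thread; the function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
"""Flag mail attachments whose real extension sits behind a decoy one.

Added example: the extension lists and names below are assumed policy
choices, not taken from the thread or from any product.
"""
from email import message_from_string, policy

# Extensions the Windows shell executes or interprets when opened (assumed list).
ACTIVE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "shs", "shb",
               "exe", "com", "scr", "pif", "bat", "cmd", "lnk", "hta"}
# Extensions users read as harmless documents or media (assumed list).
DECOY_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "pdf", "bmp", "mp3", "zip"}


def classify_filename(name):
    """Return 'hidden-extension', 'active-content' or 'ok' for one filename."""
    parts = [p.strip() for p in name.strip().lower().split(".")]
    if len(parts) < 2 or parts[-1] not in ACTIVE_EXTS:
        return "ok"
    # name.txt.vbs: a client that hides the last extension shows "name.txt".
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "hidden-extension"
    return "active-content"


def scan_message(raw):
    """Return (filename, declared content type, verdict) for every flagged part."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if fname is None:
            continue
        verdict = classify_filename(fname)
        if verdict != "ok":
            findings.append((fname, part.get_content_type(), verdict))
    return findings


# Constructed sample message; bodies are placeholders, not real attachments.
SAMPLE = """\
From: sender@example.com
To: staff@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: text/plain; name="Stages.txt.vbs"
Content-Disposition: attachment; filename="Stages.txt.vbs"

placeholder body
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.txt"

plain notes
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="update.exe"

placeholder body
--b1--
"""

if __name__ == "__main__":
    for fname, ctype, verdict in scan_message(SAMPLE):
        print(f"{verdict:17} {fname} (declared as {ctype})")
```

A gateway would quarantine or rename anything returned by scan_message; the declared content type is kept in the result because a script attachment labelled text/plain is itself worth logging.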
Re:Russians (Score:2)
Fist Prost
"We're talking about a planet of helpdesks."
How'd they get username/passwords? (Score:2)
Simply sniffing keystrokes in usermode wouldn't have allowed the login keys to be captured (because the logon process runs under a different session), however passwords used for "net use" connections (i.e. connecting to file shares) could be visible (I'm not sure, though)
Sniffing the network requires admin rights (like Unix) and would only give you access to encrypted Kerberos tickets...
Any other ideas on how they did it ?
Never mind the source code (Score:2)
Re:See what happens when you rely on NT (Score:2)
This stuff is enabled by default. that, along with the shell scrap crap (that hides the executable code inside what looks, to the user, as a plain text file), is an inexcusable lack of conscientious software design.
Re:Only ROGUE companies, eh.... (Score:2)
Military entities would grab this sort of thing in a heartbeat, a nanosecond. There's no way this was some curious geek or 'rogue Russian company' trying to be more compatible with windows! That's utterly absurd.
This was a military exploit. Everything from military IT to battleships runs off Windows. In addition to that, lots of other countries' militaries run off Windows as well. We will not be seeing script kiddies putting up funny defaced web pages.
The purpose of this espionage is this: when the missiles come over, the target country's military IT will be DOWN.
I simply hope my country (the US) isn't actually the target that somebody has in mind. Just about any country would be as vulnerable, this isn't about the US only. It's not strictly military IT either- consider a war with the shipping and industry of the target country crippled through IT attacks.
I've felt for a long time that people should be nervous of Microsoft waking up and realising their control of IT was a military weapon. It seems I was wrong- they never smartened up enough to understand this. Somebody in Russia, however, did- and struck first, gaining access to the proprietary information that would reveal every point of weakness for later attack. Whether Microsoft figures out it possesses the capacity for denial of IT services as a military weapon, at this point, is meaningless. It's too late as they no longer control the information- they lost the first-strike capability.
It might be a good idea for the US military to seize control of the very same code so at least they can have equal capacity to attack, or to know what will be attacked and how. If MS tries to resist that it would be a matter of, "No- you can pay money to run our products, and the Russians have total information on all their weaknesses, but YOU have to trust us that your IT is not compromised. Trust us, we're Very Smart!"
Frankly, the political applications of this are staggering.
BSOD Colour Changing (Score:2)
I agree, let's get off this rock. (Score:2)
There is nowhere left on Earth to run to. The tyrants are subtle in rich countries, and boldly open in poor countries; it's merely a question of whether you're a well-managed resource or a poorly managed one. Even the sea floor has been shared out between the great military powers in treaties, and they have the navies to enforce them.
You can't beat 'em, most can't join 'em, the only option left is to run away, and the only direction left is up.
--------
Let's remember the real victim here. (Score:2)
Poor bastard.
--------
Re:So where's the source? (Score:2)
Wake up, this was a military action, not geek subculture. If you want to see the source you'll have to crack into MS yourself. The Russian spies are not going to share.
Neal Stephenson sez... (Score:2)
But there is no point to messing with something he doesn't understand. He might waste hours fooling around with some piece of code only to find out that it was the software to control the automatic toilet flushers at Rife Bible College...
I wonder what they found, those probing hackers. If it were merely bare source, Neal above suggests, nothing. Now if it were marketing documents, that would be something; and if it were legal documents relating to all that Federal fuss, well, this would be one interesting crack!
Why did Microsoft tell, and what didn't they tell?
Yours WDK - WKiernan@concentric.net
The heart of the problem... (Score:5)
"The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"
Who is 'unscrupulous'? The company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.
I think this quote basically sums up the whole open source/closed source debate.....
Guy
Re:Inside job? (Score:3)
This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-privilege data _legally_ available to any program running in that user's context.
IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?
-- Writing a Haiku
in seventeen syllables
is very diffic
Integrity (Score:3)
Remains? Since when has there been any integrity to MS code?
Re:See what happens when you rely on NT (Score:5)
It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.
Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.
Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).
Re:Open source in danger (Score:3)
Would be hard to prove. I can imagine, in such a trial, the defence demoing a 1997 version of wine running Excel 95. (It was unstable, but you could get it to run which is visually important). I.e. "this project has been making an earnest attempt to do a legit clone of the windows functionality for many years now".
I'm sure there are examples of closed-source programmers who are criminals, which you could list in a trial.
(In case anyone doesn't know, Randall's only crime was to get on the wrong side of Intel in Oregon, where the government basically does anything Intel wants. See here [lightlink.com] for details. Please boycott Intel and write to them to tell them you are doing so).
Here's Windows source code (Score:3)
void main()
{
    while(!CRASHED)
    {
        display_windows_logo();
        display_copyright_message();
        display_bill_rules_message();
        do_nothing_loop();
        look_for_new_hardware();
        sleep(10);
        look_again_for_new_hardware();
        scandisk();
        if(detect_cache())
            disable_cache();
        if(first_time_installation)
        {
            make_50_megabyte_swapfile();
            do_nothing_loop();
            totally_screw_up_HPFS_file_system();
            search_and_destroy_the_rest_of_OS/2();
            hang_system();
        }
        write_something(anything);
        display_copyright_message();
        do_nothing_loop();
        do_some_stuff();
        if(still_not_crashed)
        {
            display_copyright_message();
            do_nothing_loop();
            basically_run_windows_3.1();
            do_nothing_loop();
            do_nothing_loop();
        }
    }
    if(detect_cache())
        disable_cache_again(); /*just to be sure*/
    if(fast_cpu())
    {
        set_wait_states(lots);
        set_mouse(speed,very_slow);
        set_mouse(action,jumpy);
        set_mouse(reaction,sometimes);
    }
    printf("Welcome to Windows 98");
    if(system_ok())
        crash(to_dos_prompt);
    else
        system_memory=open("a:\swp0001.swp",O_CREATE);
    while(something)
    {
        sleep(5);
        get_user_input();
        sleep(5);
        act_on_user_input();
        sleep(5);
    }
    create_general_protection_fault();
}
Re:No Security on a Windows Network (Score:4)
Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility". And one reason (among many others!) why Linux/BSD was considered secure is that (1) users were much more sophisticated, and (2) the OS often compromised on security over 'ease-of-use'.
Today, with Linux (not BSD though (thankfully!)) reaching more and more into the newbie space (I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind)), how long before something like this happens on a Linux box? Remember, there are a lot of newbies out there running Linux (and also Win2k/NT, for that matter) on their PCs with exactly one user account -- "root"! (or "administrator".)
Re:Inside job? (Score:4)
Looking beyond the fan-boy name calling, there is a serious point behind this.
Microsoft has made a massive virtue of "making hard stuff easy"; underlying a lot of the products coming out of Redmond is the core value of "Trust us to do the hard stuff for you".
In that context, it's commercially damaging to have revealed to the world-at-large that even Microsoft can't rely on Microsoft to do the hard-stuff (security) for it.. And if Microsoft can't rely on themselves why should anyone else?
Not, I hasten to add, that I believe that this incident will have any long-term consequences of this action. I'm waaay too cynical to believe that any good can come of this.
Re:See what happens when you rely on NT (Score:4)
The exact same type of crack could happen on ANY Unix machine, not properly safeguarded. Get an e-mail with a binary attachment, chmod 744 attachment, it runs, displays a really cool screen hack or small game of some type. It also spawns a child process, but you're probably unaware of this.
This child process sniffs out passwords, because hey, any user account can sniff packets, not just root. People log into other computers, all the while this program gets user acct & password after user acct & password. It then sends out an e-mail to a remote address, listing all these new shiny user names & passwords, what machine they were connecting to, and voila, this cracker suddenly has user accounts. Now he's free to move onto higher level attacks.
Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect its local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet.
Re:Well, Ho Ho Ho (Score:4)
Well, y'd have to be running some program as stupid as Outlook, which runs arbitrary executable attachments, inside your supposedly "clean environment". I can't imagine a competent UNIX sysadmin would set things up this way.
Re:DNS entry also cracked (Score:3)
All those are is host entries under, say, terrorists.net or hackerjack.com.
If you have a DNS that is acting on behalf of registered domains, its IP address is registered to the registrar so their root servers can point to it.
So if you say you have a DNS server called "microsoft.com.is.secretly.run.by.illuminati.terrorists.net" it will show up there.
So can we agree that there's no "cracking" going on? Sure, it's a neat hack, but I've seen this thing in e-mails, on 4 different web "portals", and now in comments as well. Please, for the love of god, make it stop! :)
Re:See what happens when you rely on NT (Score:3)
Would you care to explain how?
Re:Banks don't use Microsoft (Score:3)
Gates said "Blame Linux developers!" (Score:3)
In other news, a new build of Wine was released today boasting 100% emulation of the Windows environment at native speeds. When asked to comment, the dev team replied "We could tell you how we did it, but then we'd have to kill you".
(note to morons : go check on freshmeat just in case!)
News Flash from Russia! (Score:4)
"Our police experts stated that they were those who broke into Microsoft's servers and stole large amounts of code", says a police agent via translator. "Experts were able to tell from lengthy headers, pointless libraries, and pointers to nowhere-in-particular that this must be actual code for Windows 2000's successor."
After a preliminary exam, forensic pathologists state that their deaths were all caused by ruptured lungs.
"If I didn't know better, I would think that they would have died laughing", said the pathologist.
One of the police experts who determined that the code was in fact Microsoft's also began laughing uncontrollably, and was rushed to a nearby hospital. He remains in serious condition and on heavy sedatives.
"...we invented Software Theft?" Hear me out... (Score:4)
Al Gore has the quote "I invented the Internet" fused to his name. It's been used time and again to demonstrate Gore's penchant for hyperbole, his untrustworthiness as a leader. Many of you probably already know, though, that Gore never actually said that he created the Internet, but rather that he was the key political figure in the early days of funding the Internet (still an inflated claim, but nowhere near as sensational as the other.) Does the fact that he never actually said what countless media outlets attribute to him, often as a direct quote, make any difference whatsoever to his image and reputation? Nope. The media and his opponents decided to nail him to the wall with a hyperbole of their own, and with a bit of hard work and luck, it has become Truth. Truth, in that wonderful Orwellian fashion of 'if all official sources report the lie as the Truth, then the lie becomes the Truth, and the truth a lie.'
It wouldn't matter how much you or I knew the truth, much like it doesn't matter that Al Gore never actually said that he invented the Internet. The Sheep and PHBs everywhere will swallow whatever pill they're given, and you can bet dollars to donuts that the story line wouldn't play out in favor of Open Source. If you think it's hard to convince your superiors to utilize an Open Source model now, try and imagine the brick wall you'd hit with your boss' brain automatically substituting "what happened to that stolen MS code" for "Open Source".
For the moderators out there, I'm not saying that I think Open Source is theft, just so that's sufficiently clear. I'm just saying that it's worth considering the damage that the mass media PR monster could do to the Open Source movement, especially in light of the fact that most major media outlets are heavily invested in (and guided by) large, mean corporations. Think about it.
lame media (Score:3)
Perhaps this is a UK-only phenomenon. Eventually the BBC etc might stop assuming that their audience thinks of computers as huge semi-sentient boxes with spinning tape drives and flashing lights that talk to their operators. Or that Microsoft are the best and only software source in the world. ("How could this happen to Microsoft of all companies?" asked the same interviewer.)
And the use of "hacker"...
/me goes up in a puff of unsmoke.
Re:Inside job? (Score:3)
Why is it that a *nix box getting compromised = 'Excellent, now we can patch the hole', but an NT machine = their security "sucks"?
My personal opinion is that unix variants are more secure, stable, and so on, but NT is NOT a gaping hole into a given network, just not my 1st choice as a server.
Before the flames abound, my personal server is a linux box, I just didn't agree with this particular statement.
Re:Childish attacks unnecessary (Score:3)
I'm not even trying to say "Linux is better than Windows" with this post. I'm just pointing out that your arguments are comparing apples to oranges (network security to local machine security, and published exploits to theoretical problems).
If I were Ballmer I'd... (Score:3)
If I were a hostile cracker, I wouldn't go the "data hostage" route -- too risky. The police will follow the money.
Instead, posing as an engineer, I'd slip a few buffer overrun vulnerabilities, just where I could use it. Knowing the cruftiness of MS operating systems I'd have my own private back door into any system shipped with Windows for years to come.
Give a man a fish, and he'll eat for a day. Hand a fisherman a crate of hand grenades and he'll catch all the fish in the river.
Childish attacks unnecessary (Score:4)
For those that believe *nix is somehow more inherently secure than Windows here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm [zonelabs.com] is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites [attrition.org]. CERT regularly has more Linux and Unix security advisories [cert.org] than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes [sans.org] has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine [rootshell.com] comes up with 84 downloadable exploits for Linux versus 39 for Windows.
The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.
Second Law of Blissful Ignorance
Bad Day for Bill (Score:4)
Re:See what happens when you rely on NT (Score:3)
Once again this proves the weakest link in any security is the human factor.
"When I was a little kid my mother told me not to stare into the sun...
Re:Open source in danger (Score:5)
Well, I'm just grateful that no one broke in to www.redhat.com and stole the source for Linux.
Pulleth The Other One, it hath Bells On (Score:3)
Any project started within the last 3 months may be potentially vulnerable to a legal Denial of Service attack, yes.
I refuse, however, to believe that there's a Court of Law in the world that's bone-headed enough to believe that project X, running for Y years and fully documented in that time as an open project (cf WINE [winehq.com]), has benefited from the unrelated, unadvertised and recent breaking out of MS source code.
Come on.. Doom-saying is all fun and games, but please do try and stay within the bounds of reality...
Reichstag Fire (Score:5)
Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occurred doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.
I don't think the possibility that this is a way for Microsoft to rein in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$? Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.
I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.
Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this in such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.
By the way, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here [lightlink.com] for more information.
Redhat Cracked (Score:5)
According to the report, unknown hackers managed to procure a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.
One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.
Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.
The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"
Open Sourcing Windows... (Score:4)
Re:Open Sourcing Windows... (Score:5)
This is obvious but... (Score:3)
...what in the hell would hackers want with Microsoft's plans? Script kiddies, sure. Crackers, of course. But actual hackers? No self-respecting hacker would want or need to crib from Microsoft's notes. That would be like copying off the paper of the class idiot.
Re:Inside job? (Score:3)
Also, a quote from their spokesdroid, "We are confident that the integrity of Microsoft source code remains secure." (MSNBC article [msnbc.com]). I'm not so sure I believe them. Can they prove it? Is there any consulting firm in the world not on the Microsoft payroll who will be allowed to study their source to determine that it hasn't been trojaned by Russian subversives (or Steve Jobs or whoever cracked them)? I humbly suggest that from this day forward, there is no guarantee that any newly compiled software or patch hasn't been corrupted. While there's no need for gloating and "moronic childish chants", the fact remains that their source may be compromised and their security through obscurity model does not satisfy even the weakest security policies. This is not a problem we have with Linux or BSD-- which certainly have had holes in them, no denying it. But when you have someone telling you that you should trust them, and please pay mightily for our product, and, yes, you'll just have to trust us that it works the way we say it does (even though we can't seem to keep ourselves secure)-- oh and that Free software that you can obtain for a fraction of the cost and that you are able to review, modify, and share as you will? It sucks.
They do not deserve any leniency whatsoever. Their model is the one that is broken. It is based on trust. They can't buy that with any amount of marketing or legal shenanigans. Trust must be earned. And right now, they get none from me.
More linkages (and details) (Score:3)
Richy C. [beebware.com]
--
Not A Good Thing (Score:5)
In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.
Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.
Even more worrisome is the opinion of the everyday, ordinary citizen. Some of whom have made money off MS stock. Many of whom use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will support it, because it makes, at least in their mind, the online world a safer place.
So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.
Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.
Disclaimer: MY computer runs Linux/BeOS.
Re:Childish attacks unnecessary (Score:4)
The point is this.
1) Microsoft has complete unrestricted access to their own source
2) Microsoft is a billion dollar company and A LOT (at least in their eyes) is at stake
3) They have enough money to hire decent security officers
4) These well-paid security officers should have secured the system and network
5) With people hired for the sole purpose of securing the network, the network should be somewhat more secure, no matter what OS they are running.
6) Why are their development/source code computers even available on the Internet? Anyone ever hear of a firewall or internal network? Anyone think about just unplugging the T1 from the internal network? Anyone think about requiring the security admins to read "Intro to network security"??
I am sorry to say, but this crack looks "so seventh grade or something"
7) Should Microsoft employees know how to use what software they are required to for their job (i.e. Outlook)? Shouldn't Microsoft employees be educated about basic security?
8) Where is any monitoring? "Hey Network Admin Bob, some IP in Russia has been downloading megs of stuff from one of our internal machines. Is that normal?"
Microsoft views the security of their source code as "high value", they see the closedness of their source as their cash cow, yet they let someone 0wnZ them so easy.
I am not saying NT or W2k is more secure than Unix, etc, that is a broad and misleading statement. I am not saying Unix is more secure than NT, that is also too broad and misleading.
What I am saying is that any decent OS (this includes NT, W2K) should not have even had the chance to be owned like this. If their network was set up right, you could have had the most insecure OS running with default uid/pass for admin access and it should not be exploitable like this (at least from the internet).
It boggles the mind.
It's not even like a 31337 crack, it is "hey I downloaded all these programs off the internet, you want to 0wnZ M$?"
The problem isn't with what OS it is running, the problem is that 1) the network admins know nothing about security 2) the system admins know nothing about security 3) the users know nothing about security.
Even if they were running an "Ultra Secure" *cough*OpenBSD*cough* OS, if they hook their "important machines with highly classified information" up to the internet, they are just ASKING for trouble...
And someone please explain to me why the SYSTEM ADMIN was checking his email with the ADMIN account on a SECURE MACHINE. Then running an unknown program as ADMIN user!
That is like a unix admin, going to a secure unix box, logging in as root, checking his email with root, then running an unknown program as root, this mind boggles.
Do the people in Redmond even know how to use their own damn OS? Maybe they should require all employees to get MCSE or something...
Re:See what happens when you rely on NT (Score:3)
Take a PC, install a default copy of RH 6.2, hook it up to a static IP DSL modem. Come back in a month or two, and you'll find that you have at least 1 or 2 "volunteer" sysadmins!
The difference between NT and Linux is that you are given the control to make Linux VERY secure. You just aren't given the low-level control needed to make NT anywhere NEAR as secure.
It takes time, and extreme attention to detail - but it CAN be done.
-Ben
Re:See what happens when you rely on NT (Score:4)
It could have been in the attached MS Word .DOC file as well. And anyone who goes to their MSDN site for various tech info, having to use IE with full ActiveX enabled to make the sites work right, is potentially infected. Or anyone using the MSDN Libraries, including MSVC Help, of recent couple years (which also don't work well without internet connection enabled).
Their whole "vision thing" of hypertext documents which seamlessly integrate your computer (via the MSDN Libraries, including compiler help files) into the Microsoft servers, reporting (if they wish so) anything you look up, any articles you read and for how long, anything you search for, which code samples you extract, ... even without coupling with ActiveX, is a virus/trojan handcrafted for industrial espionage, all by itself.
I wish only Bill Gates' machines and those of the other brains behind the Microsoft all-is-one (or is it one-is-all) "vision" got some of their own medicine.
BTW, I just typed in my first message in here, and this luxuriously spacious /. edit box with its eye pleasing courier font makes Microsoft Notepad seem like an ultra-ergonomic editor from the future. (The only cure for this is to make the web designer here use this exact edit box for three days for all of her editing work; by the second day the edit box would be twice as wide and three times as tall and users could set their own non-fixed pitch fonts. By the third day she would suggest dumping it altogether and using something like Userland's Manila editor [userland.com].)
The "Truth" about who Microsoft really is (Score:5)
whois microsoft.com
also whois aol.com ; whois apple.com ; whois whitehouse.gov
How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.
Re:This isn't good. (Score:3)
//rdj
it's *NOT* a very good point (Score:3)
Relying solely on a firewall is the single biggest mistake a company can make.
True, a properly configured firewall can make a huge difference, but _real_ security involves securing every machine on the network. A firewall won't fix a problem with a bad client (such as Outlook) executing code it's not supposed to. A firewall won't fix a problem with a web/mail/whatever server running behind it.
The bottom line is that if a machine needs to talk to the internet, it _needs_ to be secured, because an improperly written app can make any firewall completely useless.
Update (Score:5)
"These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."
Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
"Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."
St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
"When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."
Open source.. assisted? (well, gpl perhaps..) (Score:3)
just a thought...
Re:Open Sourcing Windows... (Score:5)
We as a company are not in favor of software piracy, so we certainly wouldn't help, but if a customer wanted to host stuff like this, we can't really say it's against our AUP.
(I personally think MS source code would be a waste of space, a thousand monkeys and all that...)
Read the (full) Wall Street Journal Article (Score:3)
Richy C. [beebware.com]
--
No Security on a Windows Network (Score:5)
frequently made to a friend of mine about the security of his network.
He had claimed that he didn't need to worry about security because his networking folks had provided a very secure firewall.
"Really," I said, "Do you have any Windows boxes on your network?"
"Yes," he replied.
"Do they run Outlook?" I inquired.
"Yes," he replied.
"Then why do you bother to run a firewall at all?"
I went on to explain that anyone could infect Windows boxes behind his firewall via email (which almost every firewall in the world is configured to pass). Once infected this Windows box could subvert his whole network and tunnel anything it needed back out via SMTP (we do after all, have examples of tunnelling IP via SMTP).
My friend thought I was nuts. Seems that something similar happened to Microsoft itself.
Guess I'm not nuts. There is no network security on a network which has Windows present.
Win-Win? Not so sure...(Kevin Mitnick) (Score:3)
From all the articles, it looks like this was a Trojan that may have been secreted during the execution of some email attachment. Knowing MSFT, they'll probably spin this as a virus similar to Melissa or ILOVEYOU and the general public will stop blaming them.
After all, no one is calling for their heads after Melissa and ILOVEYOU even though the main reason they caused so much damage is the lack of security built into Outlook and the ease of using Virus Building Script. Instead we'll probably get a lot of hacker crackdowns with this breakin, perhaps another Kevin Mitnick type case where he got reamed for seeing Sun's Solaris source [zdnet.com]. It's very possible to see the culprits doing massive jail time for supposedly causing MSFT zillions of dollars in lost revenue by merely looking at the source like Sun did with Kevin Mitnick. This is especially possible in the current climate of UCITA and the DMCA. I wouldn't consider that a win, would you?
Second Law of Blissful Ignorance
Re:Maybe this is what sunk the Kursk (Score:4)
This ranks up there with the jokes that came out after the Challenger accident and after Oklahoma City. The Kursk was a tragedy. It may not seem that way to an American, but it shattered the emotions of the Russian people. To further imply that Microsoft had any part in that tragedy is simply childish.
I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.
Just sickening. Whoever moderated this up for being funny should be shot. Mark me down for flamebait or what have you, but the fact remains, many open-source zealots and programmers are simply brats.
Initial breakin was via email trojan (Score:3)
From what the MSNBC article said, the crackers initially got access because some poor MS employee inadvertently ran a trojan email attachment, then did some sort of password sniffing.
It should now be completely clear that attachment-running programs such as Outlook are dangerous and should not be used by any business which has sensitive data, i.e. any business at all. Any business which jeopardises my personal privacy by using such software is acting negligently, just as if they left their locks unlocked and their safe open at night.
I wish I could say that this marks the beginning of the end of such "back-door enabled" software. However I fear that this will not be the case.
All of a sudden (Score:4)
Re:This is obvious but... (Score:5)
It's Not too serious ... (Score:3)
Re:Inside job? (Score:3)
If there are so many exploits for Unixes and not NT, why is it that despite an apparent minority [netcraft.co.uk] of servers, there are more defacements [attrition.org] of NT sites?
Besides, as another poster pointed out, if we hear about a vulnerability in an open source OS, whether or not it's Unix-like, we can fix it a lot more easily than with closed-source NT.
Re:Open Sourcing Windows... (Score:5)
How the hell am I going to get all that bloatware on the back of a t-shirt?!
Sounds like a great idea! (Score:5)
Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.
"And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"
"We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"
"Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"
s/NT/stupidly trojan-enabled software/ (Score:4)
No. It's just about the software which comes with NT and Microsoft sells for NT and everybody uses on NT. An equally stupidly-designed UNIX mail reader would be equally bad. But most UNIX systems don't use such software.
This could be VERY bad (Score:5)
And this on the heels of the story below about pushing for more UCITA support. crap.