Microsoft

Microsoft Cracked 712

Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete. What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.
  • "Defacements of Linux sites has been rising at a steady rate and now there are more defacements of Linux sites than NT sites."

    Do you think that maybe that's because there are more Linux than NT webservers and that it's been rising because the amount of Linux webservers is rising (in fact has overtaken NT). I dunno just a guess.

    Time is Change.
  • Did I miss some facts in the article...

    You sure did. I'd venture to guess you didn't even read it. Go read the MSNBC article where it states what "experts" think happened. (In short: QAZ).

    And while it doesn't mention a mail client, how much you wanna bet everyone at MS uses Outlook?

    --

  • In short, I agree with you. But it's not limited to Windows, even though that is currently the riskiest platform by far.

    As far as I can tell, defining and enforcing a policy for what is acceptable as email content is a very, very rare practice. I contend that it shouldn't be, no matter what OS you are running.

    Which is why I hang around on slashdot telling people to click on my signature - I wrote an open source filter which allows admins to do just this. :-)

    My program doesn't solve the problem. But it helps - it allows the admin to make his internal network immune to whole classes of attacks. That can really make a difference.
    --

  • You know, I was expecting some level of Microsoft apologism in the posts in this thread.

    But I expected the arguments to at least be plausible.

    What we have instead, is an argument that Microsoft's software is not at fault; the problem is faulty administration.

    This is being claimed despite the fact that Microsoft wrote the freaking software!

    If they can't admin it properly, how is it reasonable to expect anyone else to do so?

    SHEESH!

    --

  • by ctembreull ( 120894 ) on Friday October 27, 2000 @07:40AM (#670981)
    Maybe, maybe not.

    While I agree with you that this is going to look bad in just about any light, a few things need to be kept firmly in view.

    • We do *not* at this point know if the crackers in fact took source code. We know, according to Ballmer, that they did indeed *view* the code. But did they actually get hold of a copy? Without knowing this answer, we can't accurately predict if and how that source code will be distributed to the net.
    • Yes, it's true, Microsoft will in all likelihood attempt to spin this as being all the fault of those nasty, evil, commie Open Source people. But is it? The best defense against FUD is the truth, and finding out just who did this, and why, will go a long, long way towards blunting the flood of bullshit that's even now beginning to emit from the general direction of the Pacific Northwest.
    • What will Microsoft be able to claim as protection in the event the source *does* get out to the internet? Trade secret status? One of the most important things to come out of all that DeCSS litigation was, if I remember correctly, the statement from the judge that once a trade secret is publicized, no matter how, it's not a secret anymore. What, if anything, can MS use? Copyright violations? Won't hold water if any GNU or other public code is discovered in *their* code. Sure, they might try to invoke the DMCA or something like that, but honestly, what will they be able to prove or accomplish? Once the secret's out of the bag, it's *out* - whether or not that's a good thing.
    Yeah, it's for almost damn sure that there's going to be a very, very ugly war of ideologies, rhetoric, and politics resulting from this little stunt. But the key for anyone who opposes Microsoft and its slipshod methodologies which produce, in my not-so-humble opinion, second-rate software, is to keep the debate focused upon the facts and the truth. This exploit was the result of a well-known security issue, one that's been around for months, and one which Microsoft *should* have been able to guard against. This exploit was more than likely the result of a rotten-to-the-core policy decision that allows Outlook to execute arbitrary code with nigh-unfettered access to the operating system internals.

    Yes, this hack was probably a very, VERY unwise decision by the culprits. Yes, there will be a truly astounding storm of shit over the matter. But, if Microsoft's opponents play their cards correctly and with a bit of savvy, there can be a world of good which comes out of it, too.

    But first, maybe we should all sit back and try to figure out exactly what happened, how it happened, who caused it to happen, and most importantly, why it happened.

    If nothing else, that approach will choke off some of these tiresome, pointless accusations and counteraccusations.

    Chris Tembreull
    Web Developer, NEC Systems, Inc.

  • Updated:

    Reuters at Yahoo [yahoo.com].

  • If these guys managed to sneak at least a section of all that embedded all-integrated code then Microsoft is in deep trouble.

    It is known for quite long that there is some "secret code" that allows such apps like Excel or Explorer to work more tightly with the core of the system. Even Microsoft, back in the middle of the 90's, recognized that their Excel got a boost in performance due to such hacks. Now, imagine what will happen if the code gets well known. First Microsoft loses its warhorse. Second, these hacks can be exploited to take control over the system. Note: I am not stating a hypothesis but a fact that I saw with this "all-in-one" mess, two years ago. It's a pity I didn't have that source code back then :)
  • I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.


    First let me say I agree the message was in very bad taste. I don't think M$ will win in the long run. Why? History repeats itself. Causes that are championed by the youth of today inevitably win tomorrow when the youth of today becomes the decision makers of tomorrow (scary, I know).

    Historic examples: green movement, peace movement, and probably a lot of other movements I'm forgetting about.

    M$ might win the day, but I seriously doubt they'll win the war.

    ----
    Remove the rocks from my head to send email
  • Somebody wanna put up a location to the source?

    I'd love to see Microsoft source code. We could all benefit from looking at their source. In the very least we could learn what kind of code *not* to write.

  • Hackers have had access of some sort to Microsoft source codes for perhaps as long as three months. Microsoft can only say they presently have "no evidence" that codes have been changed.

    So little is necessary to create a back door, or even an exploitable "bug," how would it be possible for Microsoft ever to say that the codes are uncompromised?

    The problem is that MS operating systems are ubiquitous. If a hacker can build-in, directly or indirectly, the equivalent of Back Orifice in EVERY system, what then? Suddenly MS itself becomes the Trojan horse.

    This is the fundamental difficulty of closed source solutions -- there is no way for third parties to assure themselves of the absence of surreptitious code. Of course, such code can find itself into open source code as well, but at least there are means to independently verify the work.

    Microsoft just says, "trust me." And some of us do. But the more frequent hacker visits occur, the less it matters whether we trust Microsoft -- we have to ask ourselves, "do we also trust Microsoft to effectively defend itself (and thus us) against Microsoft's hackers?"
  • Info on this is also available at the Washington Post [washingtonpost.com]
  • Or was it Steve Jobs? :-)
    Really, this isn't a good thing for MS in any way. If it can be proven to be an inside job (to hold off the legal issues maybe?) and is found out to be, then they're screwed.
    If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.
    On the bright side, it's a win-win for us.

    Oh what a great day.

  • by Anonymous Coward on Friday October 27, 2000 @01:56AM (#671006)

    Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts, I think it's important to discuss just how bad it would be if they have actually had the source code for their operating systems stolen by these hackers. And not for Microsoft, no, but for people engaged in open source projects like Wine, or people building Windows compatible operating systems.

    What are Microsoft going to end up doing? They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits, and that these products have improved as a direct result of this crime. Then, all they need to do is take the creators of Wine to court over this, and hey presto, there goes a project which was making Linux look good against Windows.

    Unfortunately, because of the hacker ethos about security and the fact that the ranks of open source programmers already include criminals (Randall Schwartz), judges without any real clue are quite likely to buy this.

  • What is it Slashdot? Microsoft Cracked or Crackers Crack Microsoft? Either way, there's good coverage on Yahoo [yahoo.com], as always. Diskore
  • what do they need laser guidance for?
  • .. because there have been so many blatant ones. How can anyone say that there isn't a Win32 equivalent of buffer overflows, or string format errors? One of those things they did somewhere down the line for performance was to yank some of the API parameter checking.

    But so far, crackers haven't had to look for holes or real problems in the code, because *THE PUBLISHED API, ITSELF CAUSES HOLES*. Windows is still back at the "Morris Worm" days of security, if even that far along. How long ago was that?
  • You jump to conclusions pretty quickly. You saw someone who wrote a post that offended you, and thus you assume that this person, and most other frequenting this place to be "brats... lacking any amount of maturity and decency", ending your display by declaring death penalty to the person not sharing your taste of humour.

    I must admit that I wonder who is at error here. The post you're replying to is in no way an indication of this person's maturity or decency, nor does it reflect his affiliation with the Open Source movement.

    Even so, as has already been stated in another post (redundant here I come:), people make jokes about anything, all the time! This includes war, death, fatal accidents, betrayal heart aches and slapping each other in the face with dead fish :)
    NO topic is too touchy to joke about. Some people may on some occasions be offended by certain jokes (obviously), but in that case I'd make a bet that it's usually the people offended that's the problem, and not the joke.

  • and outline that this happened precisely because Microsoft does not truly participate in 'white hat cracking' efforts. They finally have some levels of acknowledgment of Bugtraq, but they haven't fully embraced it. (let alone extend or extinguish, but perhaps that's the legal focus yet to come.)

    That is to their detriment, and what they have refused to learn from the white-hat community has contributed to this break-in.

    That's the story we need to put forward, now!
  • It doesn't matter if the judge has no clue. You can still have a judge that has a clue and it's likely he would agree if Microsoft could prove a linkage.

    A judge's job is to interpret the law. (in case you forgot this.) These are VERY smart people and I will bet you money they are not clueless in any sense of the imagination. The judge may philosophically agree with you but it is more than likely he is tied down by arcane laws that no longer work.

    Yes if Microsoft can prove linkage between source code theft and Wine, the Linux kernel (god forbid!!) or any other piece of software they WOULD win (not could). It doesn't matter if the judge has been using Linux for years and can compile his own kernel he would have to agree with Microsoft. If he didn't he would be disbarred (fired) for not following the law and the case would bounce to another court until Microsoft got an agreeing judge.

    Any theft of intellectual property is extremely risky. Even if it's intended to help a group or embarrass another group it can come back and bite you in the ass.
  • From CNN's article: What they appear to have had access to is the source code for products in development "years and years away," the spokesman said.

    Read: not only can you not trust the next release of windoze, you won't be able to trust it for "years and years." ;o)

  • by Pig Hogger ( 10379 ) <pig.hogger@gm a i l.com> on Friday October 27, 2000 @08:01AM (#671033) Journal
    Other possible motives include economic espionage, though experts said only a rogue company might knowingly buy stolen software, using it either to improve its own products or make those products more compatible with Microsoft's best-selling operating systems.
    Well, the article said it all: only BAD companies would want to make products MORE COMPATIBLE with Windoze...

    --
    Americans are bred for stupidity.

  • Those things were supposedly made more secure with Outlook patches after the I Love You problems. Now if Microsoft themselves didn't apply their own patch to their softwares and are paying the price of it I can't help but smile and shake my head at how ridiculous this is.


    "When I was a little kid my mother told me not to stare into the sun...
  • You are absolutely correct. However, from all indications in the press, this crack was open for three months-- which is plenty of time to quietly make changes that get into the backup sequence and into the master source tree (there can be many copies, but sooner or later source must be merged unless each MS developer is working on a completely forked piece of software). And if this crack exists, are there others? Also, this is a company well-known for easter eggs [demon.co.uk]. Not that I didn't think the Excel flight simulator wasn't fun, but think about what the whole idea of easter egg means in terms of security policy. I'm not saying they can't clean their software up or that there is even a reason to believe it was corrupted (trojan code still has to compile and not cause bugs during testing in order to make it back out of the corporation). But how would we know? And do you really trust them to be as careful or as truthful about it as you'd like?
  • Now that news of a penetration at microsoft has been reported, whether or not any facts emerge, there will always be conspiracy theories and urban legends of people who hacked MS or own the code.

    I love it.

    Unfortunately, even if investigators catch the crackers "red handed" with the MS password files and Windows source code, there is no way anyone can be absolutely sure that the code has not been distributed.

    Conspiracy theories and legends of rogue cracker terrorists, foreign power "Echelon" projects, and talented grade-schoolers will emerge.

    As other readers have pointed out, this is a perfect way for MS to attack all projects aimed at MS compatibility. They will always be able to point at how it is impossible for others to get their programs to work with Windows without having access to the source code. Wow.... all this is an incredible conspiracy on MS's part!

    Don't cloud the issues with the facts.

    Everyone is out to get YOU. Have a nice day.
  • will I get sued for posting a link to the Windows source code? And how the hell am I going to get it to fit on a T-shirt??
  • Sorry? If explorer is set to show hidden extensions, it still hides .vbs?
    I think not.. and I just tried it to confirm this.

    And outlook is not part of windows... it's part of office.

    And the icon for .vbs is different than for .txt, so those 'power users' sure aren't.
  • I said 'outlook' does not come with windows.

    Outlook Express does come with windows, but they are *not at all* the same piece of code. Outlook Express is *not* simply a 'light' version of outlook.. it is mostly a completely different mail package.

    All these 'outlook' worms *ONLY* work in OUTLOOK, not in outlook express. Everyone just assumes that when you say outlook, you mean 'outlook express'.

  • Or if you are truly sick, you can simply use Emacs+Gnus to read Slashdot. Some crazy hacker has actually added a Slashdot backend to Gnus so that you can read Slashdot as if it were just another news group.

    That includes Gnus incredibly powerful scoring system (so your problems with slashdot moderation disappear). If you want you can just read the posts from known trolls.

  • actually, it's not Outlook's fault at all. It is the fault of the architect who decided what Outlook's default security settings are. By default, they're wide open. (stages.vbs proved that), but if the security settings are tweaked a bit, this kind of exploit is impossible. But then again, if they enable those settings, widespread use of this so-called "feature" is DISabled. And if widespread use of this so-called "feature" is threatened, it threatens the feature's usefulness, and hence, the feature itself may as well not exist (yay!).

    So basically, the choices are;
    1) Develop a feature which allows Outlook to run executable code - so administrators can email software updates to their employees, etc. By default, leave it wide open, so support of this feature is ubiquitous, and so that people actually USE it, and it's touted as a great reason to use Outlook instead of Eudora, etc.
    2) Develop this feature, add it to Outlook, but effectively hobble it by setting the security defaults high enough to eliminate the threat of email viruses. If anyone wants to actually USE this feature, designed to aid complicated administration tasks, they'll be required to train all endusers in how to set the security settings so that this feature can be used (has anyone here actually tried to tweak these settings in Outlook? Talk about obscurity!)
    3) Leave the feature out, and give consumers NO features that appeal in Outlook over Eudora.
  • They have acknowledged that Windows source code was taken:

    http://www.nytimes.com/aponline/technology/27MICRO SOFT.html [nytimes.com]

    The Reichstag Fire analogy is relevant in my view.

  • OK, now that you've all had your fun at the expense of MSFT, it's time to tell about what really happened. I mean, it didn't even get the banner headline in Seattle, it was so lame. We were all paying attention to I-695 being overturned and how Eyman is a dweeb.

    Picture this - a dark, shadowy lair on the shores of Lake Washington, in a futuristic (circa 1990s) mansion that has a trout stream meandering through it and ads for Froot Loops appearing on every wall. Bill G, Dark Overlord, sits in his space age chair, rocking back and forth, as his minions sit uncomfortably, waiting to hear his latest dark plan for world domination.

    "Profits!" he screams suddenly. "No one is buying my Windows 2000 TM R Patent Pending!" he shouts to the cowering lackeys, many recently hired from failed dot-coms that litter the wasteland of King County. They jump in their chairs, and settle back down nervously, awaiting their orders.

    "You must crack our servers, in a way that will bring disrepute upon those who oppose us - make it appear to be Open Source Hackers, Russians would be best; everyone knows the Russians are still mad at us over the cold war. Release all the code to our failed OS - they will assume it was functional. And then - you must go into hiding in Aruba."

    They leave, shuddering at the import of his task, knowing that their lives and those of much of the rest of the world shall never be the same after this.

  • Are there any security controls to keep unauthorized access from happening to the registry? Can you lock down individual hives or even the whole thing with specific access?

    Yes, you can lock down any key in the registry.

  • What kills me is the way C|Net blackened WINE developers after all the "Deplorable Acts of Corporate..." bleating from Ballmer, and the obligatory reference to Linux. Safe to say that while there are probably hundreds of thousands of people who would love their copy of Whistler source, anyone doing any serious development of a project involving, say, reimplementing the Microsoft API wouldn't want to be in the same building as a stolen copy of code, let alone look at it. Especially after the whole thing with Kerberos.

    Wouldn't it just suck to be a WINE developer and wake up one morning with a copy of pilfered source in your inbox, and the FBI knocking to ask questions because they tracked it down from the sender's Russian address?

    Fist Prost

    "We're talking about a planet of helpdesks."
  • um not so simple. Windows Shell Scrap allows an author to "hide" executable code in a file that looks like a text file -

    For instance, stages virus was actually Stages.txt.vbs. In Outlook, it looks like Stages.txt. If you save it, in explorer, it looks like Stages.txt (even if you told explorer to show all extensions - this is a hidden exception, even Windows Power Users are fooled by this, ironically, your only saving grace is erp! DOS!).

    So you see this innocent looking .txt file, you know better than to view .doc files, because you know they have Macros that can be viral. But you open this .txt file, in Notepad, no less, and it executes. You see a little system activity for a few moments, and nothing else, you're infected, and you've just emailed 150 of your closest colleagues the same garbage.

    No other mail client will hide the .vbs extension.

    Now, you CAN tell Outlook to warn you when it runs executable content from an untrusted source, but the problem is, it SHARES these security settings with Explorer, so if you do this to secure Outlook, you hobble Explorer, which will no longer run javascript from untrusted sources, which amount to like 90% of the websites you're likely to visit.

    This is complete horseshit, and there's no excuse for a feature like this.
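Both the earlier comment about enforcing a policy on e-mail content and the Stages.txt.vbs description above come down to checking attachment names before the mail reaches a client that hides the last extension. The following Python check is an added example, not part of the thread and not any commenter's filter; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy lists (not from the thread): extensions the Windows shell
# runs when opened, and extensions a reader takes for a harmless document.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".shs",
                   ".shb", ".scr", ".pif", ".exe", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html"}


def check_filename(name):
    """Return the policy findings for one attachment file name."""
    findings = []
    # Keep only the last path component, whichever separator was used.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots and spaces are dropped by Windows when the file is saved,
    # so "x.vbs. " ends up on disk as "x.vbs".
    cleaned = name.rstrip(". \t")
    if cleaned != name:
        findings.append("trailing-padding")
    stem, ext = os.path.splitext(cleaned.lower())
    if ext not in EXECUTABLE_EXTS:
        return findings
    findings.append("executable-extension")
    # Spaces before the real extension push it out of the visible column.
    if stem != stem.rstrip():
        findings.append("padded-extension")
    # The Stages.txt.vbs pattern: a document-looking extension in front of
    # the one that actually decides what happens on open.
    if os.path.splitext(stem.rstrip())[1] in DECOY_EXTS:
        findings.append("double-extension")
    return findings


def scan_message(raw):
    """Parse a raw RFC 5322 message; map flagged file names to findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.walk():
        # get_filename() also decodes RFC 2231 encoded (filename*=) names.
        filename = part.get_filename()
        if filename is None:
            continue
        findings = check_filename(filename)
        if findings:
            report[filename] = findings
    return report


def verdict(report):
    """Quarantine when any attachment would execute on open."""
    for findings in report.values():
        if "executable-extension" in findings:
            return "quarantine"
    return "deliver"


def build_sample():
    """Constructed sample message; addresses and contents are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("minutes.txt", "Stages.txt.vbs", "r\u00e9sum\u00e9.doc.vbs"):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    result = scan_message(build_sample())
    for fname, found in result.items():
        print(fname, found)
    print(verdict(result))
```

The check works on the declared name only; a gateway policy would normally pair it with content-type and content inspection.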
  • And you would do what exactly with that steaming pile of crap that it is? Have you heard the expression tar'baby before? Once you've even glanced at something like Whistler source, every thing you code involving Windows (think WINE or plex86 here) would be suspect. The worst thing you could possibly do to hurt the OSS movement would be to wantonly distribute something like that. Better to just burn it and pass it around on unmarked CD's if that's your plan.

    Fist Prost

    "We're talking about a planet of helpdesks."
  • I'm interested to hear how the trojan got access to the usernames/passwords - these were sent back to the crackers periodically via email.

    Simply sniffing keystrokes in usermode wouldn't have allowed the login keys to be captured (because the logon process runs under a different session), however passwords used for "net use" connections (i.e. connecting to file shares) could be visible (I'm not sure, though)

    Sniffing the network requires admin rights (like Unix) and would only give you access to encrypted Kerberos tickets...

    Any other ideas on how they did it ?
  • It's probably wise to check the source code for changes, but what they REALLY need to check is their compilers!!
  • Outlook's preview-mode and auto-running of attached code takes the human link out of the chain.

    This stuff is enabled by default. That, along with the shell scrap crap (that hides the executable code inside what looks, to the user, as a plain text file), is an inexcusable lack of conscientious software design.
  • The article is being very stupid.

    Military entities would grab this sort of thing in a heartbeat, a nanosecond. There's no way this was some curious geek or 'rogue Russian company' trying to be more compatible with windows! That's utterly absurd.

    This was a military exploit. Everything from military IT to battleships runs off Windows. In addition to that, lots of other countries' militaries run off Windows as well. We will not be seeing script kiddies putting up funny defaced web pages.

    The purpose of this espionage is this: when the missiles come over, the target country's military IT will be DOWN.

    I simply hope my country (the US) isn't actually the target that somebody has in mind. Just about any country would be as vulnerable, this isn't about the US only. It's not strictly military IT either- consider a war with the shipping and industry of the target country crippled through IT attacks.

    I've felt for a long time that people should be nervous of Microsoft waking up and realising their control of IT was a military weapon. It seems I was wrong- they never smartened up enough to understand this. Somebody in Russia, however, did- and struck first, gaining access to the proprietary information that would reveal every point of weakness for later attack. Whether Microsoft figures out it possesses the capacity for denial of IT services as a military weapon, at this point, is meaningless. It's too late as they no longer control the information- they lost the first-strike capability.

    It might be a good idea for the US military to seize control of the very same code so at least they can have equal capacity to attack, or to know what will be attacked and how. If MS tries to resist that it would be a matter of, "No- you can pay money to run our products, and the Russians have total information on all their weaknesses, but YOU have to trust us that your IT is not compromised. Trust us, we're Very Smart!"

    Frankly, the political applications of this are staggering.

  • In system.ini, under the [386Enh] heading, type:
    MessageBackColor=(Hex colour of choice)
    MessageTextColor=(Hex colour of choice)
    Have fun.
  • Slaves do not overthrow their masters. Occupied countries are never freed by resistance organizations, only by foreign armies or voluntary abandonment.

    There is nowhere left on Earth to run to. The tyrants are subtle in rich countries, and boldly open in poor countries; it's merely a question of whether you're a well-managed resource or a poorly managed one. Even the sea floor has been shared out between the great military powers in treaties, and they have the navies to enforce them.

    You can't beat 'em, most can't join 'em, the only option left is to run away, and the only direction left is up.

    --------
  • Somewhere, possibly in Russia, some poor, misled hacker now has to read MS source code.

    Poor bastard.

    --------
  • Um, foreign intelligence computer espionage agents don't post to Slashdot. _Good_ hackers post to slashdot. Military spies may be good _at_ hacking but they really suck rocks at 'information sharing' :P

    Wake up, this was a military action, not geek subculture. If you want to see the source you'll have to crack into MS yourself. The Russian spies are not going to share.

  • ...By clambering over this structure and going into these bright shapes, Hiro could probably uncover some of the code that makes Rife's network operate. He could, perhaps, try to hack it up, as Juanita suggested.

    But there is no point to messing with something he doesn't understand. He might waste hours fooling around with some piece of code only to find out that it was the software to control the automatic toilet flushers at Rife Bible College...

    I wonder what they found, those probing hackers. If it were merely bare source, Neal above suggests, nothing. Now if it were marketing documents, that would be something; and if it were legal documents relating to all that Federal fuss, well, this would be one interesting crack!

    Why did Microsoft tell, and what didn't they tell?

    Yours WDK - WKiernan@concentric.net

  • by guynorton ( 149974 ) on Friday October 27, 2000 @02:22AM (#671187)
    This quote taken from the Yahoo coverage..

    "The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"

    Who is 'unscrupulous'? The company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.

    I think this quote basically sums up the whole open source/closed source debate.....

    Guy
  • by x0n ( 120596 ) <oising@ i o l.ie> on Friday October 27, 2000 @02:24AM (#671199) Homepage Journal
    Does anyone at all think before they post stuff like this? Just for once can we please not be subjected to the usual moronic childish chants of "microsoft sucks" and "see what happens when you don't run linux" ?

    This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-privilege data _legally_ available to any program running in that user's context.

    IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?


    -- Writing a Haiku
    in seventeen syllables
    is very diffic
  • by Brett Viren ( 296 ) <brett.viren@gmail.com> on Friday October 27, 2000 @02:24AM (#671201) Homepage
    From the MSNBC/WSJ article: ``We are confident that the integrity of Microsoft source code remains secure'', a Microsoft spokesman.

    Remains? Since when has there been any integrity to MS code?

  • by Jason Earl ( 1894 ) on Friday October 27, 2000 @02:26AM (#671209) Homepage Journal

    It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.

    Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.

    Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

  • by divec ( 48748 ) on Friday October 27, 2000 @02:44AM (#671222) Homepage
    They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits

    Would be hard to prove. I can imagine, in such a trial, the defence demoing a 1997 version of wine running Excel 95. (It was unstable, but you could get it to run which is visually important). I.e. "this project has been making an earnest attempt to do a legit clone of the windows functionality for many years now".
    open source programmers already include criminals (Randall Schwartz)

    I'm sure there are examples of closed-source programmers who are criminals, which you could list in a trial.
    (In case anyone doesn't know, Randall's only crime was to get on the wrong side of Intel in Oregon, where the government basically does anything Intel wants. See here [lightlink.com] for details. Please boycott Intel and write to them to tell them you are doing so).
  • by Molina the Bofh ( 99621 ) on Friday October 27, 2000 @02:46AM (#671232) Homepage
    Indeed, Windows source code leaked. Here's a fragment.

    voidmain()
    {
    while(!CRASHED)
    {
    display_windows_logo();
    display_copyright_message();
    display_bill_rules_message();
    do_nothing_loop();
    look_for_new_hardware();
    sleep(10);
    look_again_for_new_hardware();
    scandisk();
    if(detect_cache())
    disable_cache();
    if(first_time_installation)
    {
    make_50_megabyte_swapfile();
    do_nothing_loop();
    totally_screw_up_HPFS_file_system();
    search_and_destroy_the_rest_of_OS/2();
    hang_system();
    }
    write_something(anything);
    display_copyright_message();
    do_nothing_loop();
    do_some_stuff();
    if(still_not_crashed)
    {
    display_copyright_message();
    do_nothing_loop();
    basically_run_windows_3.1();
    do_nothing_loop();
    do_nothing_loop();
    }
    }
    if(detect_cache())
    disable_cache_again();/*just to be sure*/

    if(fast_cpu())
    {
    set_wait_states(lots);
    set_mouse(speed,very_slow);
    set_mouse(action,jumpy);
    set_mouse(reaction,sometimes);
    }

    /*printf("WelcometoWindows3.11");*/
    /*printf("WelcometoWindows95");*/
    printf("WelcometoWindows98");
    if(system_ok())
    crash(to_dos_prompt);
    else
    system_memory=open("a:\swp0001.swp",O_CREATE);
    while(something)
    {
    sleep(5);
    get_user_input();
    sleep(5);
    act_on_user_input();
    sleep(5);
    }
    create_general_protection_fault();
    }
  • by cygnusx ( 193092 ) on Friday October 27, 2000 @02:47AM (#671238) Homepage
    There is no security on ANY network (though Windows is slightly more susceptible to cracks, that's all :-)). If cracking fails, there's always social engineering. You want security, go get a standalone computer. (and don't forget the Tempest shielding -- and the intrusion early-warning system and the leadlined safe.)

    Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility". And one reason (among many others!) why Linux/BSD was considered secure is that (1) users were much more sophisticated, and (2) the OS often compromised on security over 'ease-of-use'.

    Today, with Linux (not BSD though (thankfully!)) reaching more and more into the newbie space (I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind)), how long before something like this happens on a Linux box? Remember, there are a lot of newbies out there running Linux (and also Win2k/NT, for that matter) on their PCs with exactly one user account -- "root"! (or "administrator".)

  • by henley ( 29988 ) on Friday October 27, 2000 @02:47AM (#671239) Homepage

    Looking beyond the fan-boy name calling, there is a serious point behind this.

    Microsoft has made a massive virtue of "making hard stuff easy"; underlying a lot of the products coming out of Redmond is the core value of "Trust us to do the hard stuff for you".

    In that context, it's commercially damaging to have revealed to the world-at-large that even Microsoft can't rely on Microsoft to do the hard-stuff (security) for it.. And if Microsoft can't rely on themselves why should anyone else?

    Not, I hasten to add, that I believe that this incident will have any long-term consequences of this action. I'm waaay too cynical to believe that any good can come of this.

  • by Anonymous Coward on Friday October 27, 2000 @02:33AM (#671253)
    Your naiveté makes me hope you never administer any network I use.

    The exact same type of crack could happen on ANY Unix machine, not properly safeguarded. Get an e-mail with a binary attachment, chmod 744 attachment, it runs, displays a really cool screen hack or small game of some type. It also spawns a child process, but you're probably unaware of this.

    This child process sniffs out passwords, because hey, any user account can sniff packets, not just root. People log into other computers, all the while this program gets user acct & password after user acct & password. It then sends out an e-mail to a remote address, listing all these new shiny user names & passwords, what machine they were connecting to, and voila, this cracker suddenly has user accounts. Now he's free to move onto higher level attacks.

    Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect its local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet.
  • by divec ( 48748 ) on Friday October 27, 2000 @02:34AM (#671259) Homepage
    This would have happened if they were using Linux, BSD or anything else.

    Well, y'd have to be running some program as stupid as Outlook, which runs arbitrary executable attachments, inside your supposedly "clean environment". I can't imagine a competent UNIX sysadmin would set things up this way.
  • Jesus christ already, that's not cracking, I'm sick of seeing this "story"!

    All those are is host entries under, say, terrorists.net or hackerjack.com.

    If you have a DNS that is acting on behalf of registered domains, its IP address is registered to the registrar so their root servers can point to it.

    So if you say you have a DNS server called "microsoft.com.is.secretly.run.by.illuminati.terrorists.net" it will show up there.

    So can we agree that there's no "cracking" going on? Sure, it's a neat hack, but I've seen this thing in e-mails, on 4 different web "portals", and now in comments as well. Please, for the love of god, make it stop! :)

  • by hanwen ( 8589 ) on Friday October 27, 2000 @02:37AM (#671277) Homepage Journal
    This child process sniffs out passwords, because hey, any user account can sniff packets, not just root

    Would you care to explain how?

  • by Salsaman ( 141471 ) on Friday October 27, 2000 @03:12AM (#671286) Homepage
    Actually quite a few banks use unix for their core systems. I worked at places which use RS/6000's running AIX.
  • "the company couldn't say one way or the other whether source code had been stolen."

    In other news, a new build of Wine was released today boasting 100% emulation of the Windows environment at native speeds. When asked to comment, the dev team replied "We could tell you how we did it, but then we'd have to kill you".

    (note to morons : go check on freshmeat just in case!)
  • by DrQu+xum ( 218745 ) on Friday October 27, 2000 @02:38AM (#671297) Homepage Journal
    St. Petersburg (!AP) -- St. Petersburg police have found the bodies of three young computer experts. The three were found in one of their apartments, lying on the floor in front of their 486 running SuSE Linux.
    "Our police experts stated that they were those who broke into Microsoft's servers and stole large amounts of code", says a police agent via translator. "Experts were able to tell from lengthy headers, pointless libraries, and pointers to nowhere-in-particular that this must be actual code for Windows 2000's successor."
    After a preliminary exam, forensic pathologists state that their deaths were all caused by ruptured lungs.
    "If I didn't know better, I would think that they would have died laughing", said the pathologist.
    One of the police experts who determined that the code was in fact Microsoft's also began laughing uncontrollably, and was rushed to a nearby hospital. He remains in serious condition and on heavy sedatives.
  • Y'know, it may not be in the Open Source community's best interests if the source code for MS' OSes gets stolen and released into the wild. Regardless of how sweet the irony looks from here, what kind of influence would it have on the Open Source movement if the first thing people associated with "Open Source" was "Oh, like those guys who broke into Microsoft and stole their code, right?"

    Al Gore has the quote "I invented the Internet" fused to his name. It's been used time and again to demonstrate Gore's penchant for hyperbole, his untrustworthiness as a leader. Many of you probably already know, though, that Gore never actually said that he created the Internet, but rather that he was the key political figure in the early days of funding the Internet (still an inflated claim, but nowhere near as sensational as the other.) Does the fact that he never actually said what countless media outlets attribute to him, often as a direct quote, make any difference whatsoever to his image and reputation? Nope. The media and his opponents decided to nail him to the wall with a hyperbole of their own, and with a bit of hard work and luck, it has become Truth. Truth, in that wonderful Orwellian fashion of 'if all official sources report the lie as the Truth, then the lie becomes the Truth, and the truth a lie.'

    It wouldn't matter how much you or I knew the truth, much like it doesn't matter that Al Gore never actually said that he invented the Internet. The Sheep and PHBs everywhere will swallow whatever pill they're given, and you can bet dollars to donuts that the story line wouldn't play out in favor of Open Source. If you think it's hard to convince your superiors to utilize an Open Source model now, try and imagine the brick wall you'd hit with your boss' brain automatically substituting "what happened to that stolen MS code" for "Open Source".

    For the moderators out there, I'm not saying that I think Open Source is theft, just so that's sufficiently clear. I'm just saying that it's worth considering the damage that the mass media PR monster could do to the Open Source movement, especially in light of the fact that most major media outlets are heavily invested in (and guided by) large, mean corporations. Think about it.

  • by Cally ( 10873 ) on Friday October 27, 2000 @02:55AM (#671307) Homepage
    As always on the occasions when some tech story is big enough to make it into the mainstream media, we get to cringe at their awful attempts to explain things to the general public which they don't understand themselves. I woke up this morning to hear a BBC radio interviewer asking "so what are these source codes? are they like blueprints?"... discussion then proceeded to the topic of could the 'hackers' have planted "a virus or bug"[sic] in Windows? "Yes", said their expert, "and that could be included in every copy of Windows shipped from today!" ARRRRGGGHHHH.

    Perhaps this is a UK-only phenomenon. Eventually the BBC etc might stop assuming that their audience thinks of computers as huge semi-sentient boxes with spinning tape drives and flashing lights that talk to their operators. Or that Microsoft are the best and only software source in the world. ("How could this happen to Microsoft of all companies?" asked the same interviewer.)

    And the use of "hacker"...
    /me goes up in a puff of unsmoke.

  • by Ser\/o ( 105187 ) on Friday October 27, 2000 @03:18AM (#671309) Journal
    Think about how many attempts to do this go unrewarded....in any given day. I think about how many scripts and 'sploits I see for *nix machines, and I don't see these kinds of numbers for NT boxes.

    Why is it that a *nix box getting compromised = 'Excellent, now we can patch the hole', but an NT machine = their security "sucks"?

    My personal opinion is that unix variants are more secure, stable, and so on, but NT is NOT a gaping hole into a given network, just not my 1st choice as a server.

    Before the flames abound, my personal server is a linux box, I just didn't agree with this particular statement.

  • You really need to think before posting. Most of the security compromises you list for Linux are _local_ compromises. That means, you must already have a shell to do them. If you have a shell on Windows, getting root is even easier, unless you have all of the security updates. When NT4 was first released, almost every kernel call did not do proper checking, and you could compromise security with _any_ kernel call. As far as _network_ security goes, securing Linux is just like securing any other OS - you check the network programs. The way you secure the console is by simply removing unwanted SUID programs. With Windows, you can assume that if someone is at the console or telnetted in (which you _can_ do with the proper software), you should assume they have administrator privileges. As far as security advisories, most Linux security advisories come from the people developing the code, not from being cracked. This means you get to secure your machine _before_ script kiddies get their hands on things. With NT, the advisories are normally based on someone actually being cracked. Please think before posting, and make sure you understand the topic at hand.

    I'm not even trying to say "Linux is better than Windows" with this post. I'm just pointing out that your arguments are comparing apples to oranges (network security to local machine security, and published exploits to theoretical problems).
  • by hey! ( 33014 ) on Friday October 27, 2000 @02:57AM (#671337) Homepage Journal
    order the biggest freakin' code review in history.

    If I were a hostile cracker, I wouldn't go the "data hostage" route -- too risky. The police will follow the money.

    Instead, posing as an engineer, I'd slip a few buffer overrun vulnerabilities, just where I could use it. Knowing the cruftiness of MS operating systems I'd have my own private back door into any system shipped with Windows for years to come.

    Give a man a fish, and he'll eat for a day. Hand a fisherman a crate of hand grenades and he'll catch all the fish in the river.

  • by Carnage4Life ( 106069 ) on Friday October 27, 2000 @03:23AM (#671338) Homepage Journal
    I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.

    For those that believe *nix is somehow more inherently secure than Windows here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm [zonelabs.com] is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites has been rising at a steady rate and now there are more defacements of Linux sites than NT sites [attrition.org]. CERT regularly has more Linux and Unix security advisories [cert.org] than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes [sans.org] has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine [rootshell.com] come up with 84 downloadable exploits for Linux versus 39 for Windows.

    The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.



    Second Law of Blissful Ignorance
  • by Chitlenz ( 184283 ) <chitlenz@chit l e n z . com> on Friday October 27, 2000 @01:58AM (#671340) Homepage
    AVAILABLE - Slightly frazzled security Admin seeks Immediate Position after undertaking impossible task at unnamed Redmond, WA. employer. Canned due to circumstances beyond control. Will take any offer not relating to windows. Added Plus - Able to interpret arcane source code for popular and possible unintentionally Open Source Operating System (you hear that Larry E.?). Used to long hours and sleepless nights, anything's a change for the better. Looking for stock options (in a company that's still gonna be worth something in a month).
  • by Alternity ( 16492 ) on Friday October 27, 2000 @03:28AM (#671351)
    This has nothing to do with the OS used. It's an employee who introduced the Trojan by opening an attachment.

    Once again this proves the weakest link in any security is the human factor.


    "When I was a little kid my mother told me not to stare into the sun...
  • by Black Parrot ( 19622 ) on Friday October 27, 2000 @02:43AM (#671353)
    > Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts...

    Well, I'm just grateful that no one broke in to www.redhat.com and stole the source for Linux.
  • by henley ( 29988 ) on Friday October 27, 2000 @02:43AM (#671357) Homepage

    Any project started within the last 3 months may be potentially vulnerable to a legal Denial of Service attack, yes.

    I refuse, however, to believe that there's a Court of Law in the world that's bone-headed enough to believe that project X, running for Y years and fully documented in that time as an open project (cf WINE [winehq.com]), has benefited from the unrelated, unadvertised and recent breaking out of MS source code.

    Come on.. Doom-saying is all fun and games, but please do try and stay within the bounds of reality...

  • by Deskpoet ( 215561 ) on Friday October 27, 2000 @02:43AM (#671360) Homepage Journal
    This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.

    Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occurred doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.

    I don't think the possibility that this is a way for Microsoft to rein in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.

    I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.

    Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this in such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.

    By the way, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here [lightlink.com] for more information.

  • by ahaile ( 147873 ) on Friday October 27, 2000 @03:59AM (#671365)
    Durham, Oct 27 -- The linux world is in a tumult today after a report claiming hackers broke into the corporate network of industry leader Redhat. The report, published on the internet by a pseudonymous "BG", purports that "lots and lots" of hackers outside the Durham-based organization have been "stealing intellectual property" from the company for "a whole lot longer than three months." Redhat officials appear to be stonewalling on the issue, responding to questions with a baffled look and the reply, "What the hell are you talking about?"

    According to the report, unknown hackers managed to procure a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.

    One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.

    Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.

    The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"

  • by The Dodger ( 10689 ) on Friday October 27, 2000 @02:02AM (#671381) Homepage

    If the hackers release the source into the "wild", we're likely to see a similar situation to DeCSS - anyone who hosts or links to the source code for Windows or any other Microsoft software will have the full force of Microsoft's legal vultures brought to bear upon them.

    Wonder if HavenCo [havenco.com] would host it. That would mean a real, live-fire test of SeaLand's sovereignty - if Microsoft can't beat them, then no one has a chance! :-)

    D.

  • by bilgebag ( 102479 ) on Friday October 27, 2000 @03:33AM (#671382) Journal
    First one to submit a patch gets to pick a new default colour for the Screen Of Death...
  • by K8Fan ( 37875 ) on Friday October 27, 2000 @02:02AM (#671384) Journal

    ...what in the hell would hackers want with Microsoft's plans? Script kiddies, sure. Crackers, of course. But actual hackers? No self-respecting hacker would want or need to crib from Microsoft's notes. That would be like copying off the paper of the class idiot.

  • by ichimunki ( 194887 ) on Friday October 27, 2000 @04:08AM (#671406)
    This may be a case of social engineering, but please don't gloss over the fact that it is Microsoft themselves who have repeatedly and loudly condemned Linux and who still, at this page on their site [microsoft.com] claim the Linux security model is weak. They spend a lot of time, money, and effort to put Linux in an extremely bad light. If they can't secure their own network using their own software, then I seriously question how their user base is to be expected to do the same. This points up how incredibly difficult it is to secure their software, yet they claim it is superior to other models out there.

    Also, a quote from their spokesdroid, "We are confident that the integrity of Microsoft source code remains secure." (MSNBC article [msnbc.com]). I'm not so sure I believe them. Can they prove it? Is there any consulting firm in the world not on the Microsoft payroll who will be allowed to study their source to determine that it hasn't been trojaned by Russian subversives (or Steve Jobs or whoever cracked them)? I humbly suggest that from this day forward, there is no guarantee that any newly compiled software or patch hasn't been corrupted. While there's no need for gloating and "moronic childish chants", the fact remains that their source may be compromised and their security through obscurity model does not satisfy even the weakest security policies. This is not a problem we have with Linux or BSD-- which certainly have had holes in them, no denying it. But when you have someone telling you that you should trust them, and please pay mightily for our product, and, yes, you'll just have to trust us that it works the way we say it does (even though we can't seem to keep ourselves secure)-- oh and that Free software that you can obtain for a fraction of the cost and that you are able to review, modify, and share as you will? It sucks.

    They do not deserve any leniency whatsoever. Their model is the one that is broken. It is based on trust. They can't buy that with any amount of marketing or legal shenanigans. Trust must be earned. And right now, they get none from me.
  • by beebware ( 149208 ) on Friday October 27, 2000 @02:03AM (#671409) Homepage
    More details are available from:

    Richy C. [beebware.com]
    --
  • by pokrefke ( 146856 ) on Friday October 27, 2000 @03:05AM (#671429)
    No matter how much you think Bill Gates is the anti-christ or hate Windows, this is most assuredly NOT good news. The judges, the lawyers, and the law enforcement that will certainly become involved in this case will look at one point, and one point only: someone broke the law. Know what else? They don't understand you, and they don't care that you want Wine to work better or an Open Source Windows.

    In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.

    Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.

    Even more worrisome is the opinion of the everyday, ordinary citizen. Some of which have made money off MS stock. Many of which use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will support it, because it makes, at least in their mind, the online world a safer place.

    So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.

    Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.

    Disclaimer: MY computer runs Linux/BeOS.
  • by jbarnett ( 127033 ) on Friday October 27, 2000 @04:12AM (#671440) Homepage

    The point is this.

    1) Microsoft has complete unrestricted access to their own source

    2) Microsoft is a billion dollar company and A LOT (at least in their eyes) is at stake

    3) They have enough money to hire decent security officers

    4) These well-paid security officers should have secured the system and network

    5) With people hired for the sole purpose of securing the network, the network should be somewhat more secure, no matter what OS they are running.

    6) Why are their development/source code computers even available on the Internet? Anyone ever hear of a firewall or internal network? Anyone think about just unplugging the T1 from the internal network? Anyone think about requiring the security admins to read "Intro to network security"??

    I am sorry to say, but this crack looks "so seventh grade or something"

    7) Should Microsoft employees know how to use what software they are required to for their job (i.e. Outlook)? Shouldn't Microsoft employees be educated about basic security?

    8) Where is any monitoring? "Hey Network Admin Bob, some IP in Russia has been downloading megs of stuff from one of our internal machines? Is that normal?"

    Microsoft views the security of their source code as "high value", they see the closedness of their source as their cash cow, yet they let someone 0wnZ them so easy.

    I am not saying NT or W2k is more secure than Unix, etc, that is a broad and misleading statement. I am not saying Unix is more secure than NT, that is also too broad and misleading.

    What I am saying is that any decent OS (this includes NT, W2K) should not have even had the chance to be owned like this. If their network was set up right, you could have had the most insecure OS running with default uid/pass for admin access and it should not be exploitable like this (at least from the internet).

    It boggles the mind.

    It's not even like a 31337 crack, it is "hey I downloaded all these programs off the internet, you want to 0wnZ M$?"

    The problem isn't with what OS it is running, the problem is that 1) the network admins know nothing about security 2) the system admins know nothing about security 3) the users know nothing about security.

    Even if they were running an "Ultra Secure" *cough*OpenBSD*cough* OS, if they hook their "important machines with highly classified information" up to the internet, they are just ASKING for trouble...

    And someone please explain to me why the SYSTEM ADMIN was checking his email with the ADMIN account on a SECURE MACHINE. Then running an unknown program as ADMIN user!

    That is like a unix admin, going to a secure unix box, logging in as root, checking his email with root, then running an unknown program as root, this mind boggles.

    Do the people in Redmond even know how to use their own damn OS? Maybe they should require all employees to get MSCE or something...


  • by mcrbids ( 148650 ) on Friday October 27, 2000 @04:44AM (#671446) Journal
    Gee, somebody who GETS IT!

    Take a PC, install a default copy of RH 6.2, hook it up to a static IP DSL modem. Come back in a month or two, and you'll find that you have at least 1 or 2 "volunteer" sysadmins!

    The difference between NT and Linux is that you are given the control to make Linux VERY secure. You just aren't given the low-level control needed to make NT anywhere NEAR as secure.

    It takes time, and extreme attention to detail - but it CAN be done.

    -Ben
  • by Nightlight3 ( 248096 ) on Friday October 27, 2000 @03:40AM (#671456)
    They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

    It could have been in the attached MS Word .DOC file as well. And anyone who goes to the MSDN site for various tech info, having to use IE with full ActiveX enabled to make the sites work right, is potentially infected. Or anyone using the MSDN Libraries, including MSVC Help, of recent couple years (which also don't work well without internet connection enabled).

    Their whole "vision thing" of hypertext documents which seamlessly integrate your computer (via the MSDN Libraries, including compiler help files) into the Microsoft servers, reporting (if they wish so) anything you look up, any articles you read and for how long, anything you search for, which code samples you extract, ... even without coupling with ActiveX, is a virus/trojan handcrafted for industrial espionage, all by itself.

    I wish only Bill Gates' machines and those of the other brains behind the Microsoft all-is-one (or is it one-is-all) "vision" got some of their own medicine.

    BTW, I just typed in my first message in here, and this luxuriously spacious /. edit box with its eye pleasing courier font makes Microsoft Notepad seem like an ultra-ergonomic editor from the future. (The only cure for this is to make the web designer here use this exact edit box for three days for all of her editing work; by the second day the edit box would be twice as wide and three times as tall and user could set their own non-fixed pitch fonts. By the third day she would suggest dumping it altogether and using something like Userland's Manila editor [userland.com].)

  • by b1t r0t ( 216468 ) on Friday October 27, 2000 @02:05AM (#671457)
    Any of you with Unix shell access should try:

    whois microsoft.com

    also whois aol.com ; whois apple.com ; whois whitehouse.gov

    How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.

  • by radja ( 58949 ) on Friday October 27, 2000 @03:06AM (#671465) Homepage
    I don't care how M$ falls. They've made it clear that they'll stoop to any level to get more cash, but now the shoe is on the other foot. But I would not insert any windows code into a linux app. linux is not the OS of thieves. And that would make linux just as bad as M$.

    //rdj
  • by schon ( 31600 ) on Friday October 27, 2000 @03:41AM (#671469)
    In fact, it's probably the biggest misconception he made.

    Relying solely on a firewall is the single biggest mistake a company can make.

    True, a properly configured firewall can make a huge difference, but _real_ security involves securing every machine on the network. A firewall won't fix a problem with a bad client (such as Outlook) executing code it's not supposed to. A firewall won't fix a problem with a web/mail/whatever server running behind it.

    The bottom line is that if a machine needs to talk to the internet, it _needs_ to be secured, because an improperly written app can make any firewall completely useless.
  • by mav[LAG] ( 31387 ) on Friday October 27, 2000 @02:06AM (#671477)
    ST PETERSBURG, Russia: 2000-10-27: In a joint sting operation, Russian police and the FBI made a raid on a downtown apartment today, netting four teenagers they suspect of being behind the Microsoft breakin. Microsoft spokesman Rick Miller applauded the operation, saying that neighbours tipped off the police after noticing strange behaviour from them.

    "These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."

    Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
    "Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."

    St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
    "When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."

  • What about the claims by some that M$ uses portions of GPL'd code? If that was revealed in any sources absconded with, could this not work in open source's favor? Granted, M$ will still take the position the material was illegally obtained (probably rightfully so) and try to suppress it (fat fscking chance). This could give the free software movement some justification for its model and some teeth for any legal wrangling they felt they should do.

    just a thought...
  • by rdl ( 4744 ) <ryan&venona,com> on Friday October 27, 2000 @04:48AM (#671485) Homepage
    It's not against our AUP.

    We as a company are not in favor of software
    piracy, so we certainly wouldn't help, but if
    a customer wanted to host stuff like this, we can't really say it's against our AUP.

    (I personally think MS source code would be a
    waste of space, a thousand monkeys and all that...)
  • by beebware ( 149208 ) on Friday October 27, 2000 @02:10AM (#671516) Homepage
    It seems michael has forgotten to include the link to the original article on the Wall Street Journal - it's here - login 'slashdot123' passwd 'slashdot123' [wsj.com]. Very long, comprehensive and insightful.
    Richy C. [beebware.com]
  • by hagbard5235 ( 152810 ) on Friday October 27, 2000 @02:10AM (#671518)
    This reminds me very much of a point I have
    frequently made to a friend of mine about
    the security of his network.

    He had claimed that he didn't need to worry about
    security because his networking folks had
    provided a very secure firewall.

    "Really," I said, "Do you have any Windows
    boxes on your network?"

    "Yes," he replied.

    "Do they run Outlook?" I inquired.

    "Yes," he replied.

    "Then why do you bother to run a firewall at all?"

    I went on to explain that anyone could infect
    Windows boxes behind his firewall via email
    (which almost every firewall in the world
    is configured to pass). Once infected this
    Windows box could subvert his whole network
    and tunnel anything it needed back out via
    SMTP (we do after all, have examples of
    tunnelling IP via SMTP).

    My friend thought I was nuts. Seems that something similar happened to Microsoft itself.

    Guess I'm not nuts. There is no network
    security on a network which has Windows
    present.
  • If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.

    From all the articles, it looks like this was a Trojan that may have been secreted during the execution of some email attachment. Knowing MSFT, they'll probably spin this as a virus similar to Melissa or ILOVEYOU and the general public will stop blaming them.

    After all, no one is calling for their heads after Melissa and ILOVEYOU even though the main reason they caused so much damage is the lack of security built into Outlook and the ease of using Virus Building Script. Instead we'll probably get a lot of hacker crackdowns with this breakin, perhaps another Kevin Mitnick type case where he got reamed for seeing Sun's Solaris source [zdnet.com]. It's very possible to see the culprits doing massive jail time for supposedly causing MSFT zillions of dollars in lost revenue by merely looking at the source like Sun did with Kevin Mitnick. This is especially possible in the current climate of UCITA and the DMCA. I wouldn't consider that a win, would you?

    Second Law of Blissful Ignorance
  • by Hrunting ( 2191 ) on Friday October 27, 2000 @03:47AM (#671545) Homepage
    I've seen some pretty dumb things on Slashdot and I've seen some pretty offensive things on Slashdot, but never a post like this.

    This ranks up there with the jokes that came out after the Challenger accident and after Oklahoma City. The Kursk was a tragedy. It may not seem that way to an American, but it shattered the emotions of the Russian people. To further imply that Microsoft had any part in that tragedy is simply childish.

    I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.

    Just sickening. Whoever moderated this up for being funny should be shot. Mark me down for flamebait or what have you, but the fact remains, many open-source zealots and programmers are simply brats.
  • by divec ( 48748 ) on Friday October 27, 2000 @02:13AM (#671549) Homepage

    From what the MSNBC article said, the crackers initially got access because some poor MS employee inadvertently ran a trojan email attachment, then did some sort of password sniffing.


    It should now be completely clear that attachment-running programs such as Outlook are dangerous and should not be used by any business which has sensitive data, i.e. any business at all. Any business which jeopardises my personal privacy by using such software is acting negligently, just as if they left their locks unlocked and their safe open at night.


    I wish I could say that this marks the beginning of the end of such "back-door enabled" software. However I fear that this will not be the case.

  • by overshoot ( 39700 ) on Friday October 27, 2000 @05:02AM (#671564)
    the earlier story about Wine running Excel and Word [slashdot.org] takes on new meaning.
  • by jrumney ( 197329 ) on Friday October 27, 2000 @02:14AM (#671573) Homepage
    Hackers huh? Hopefully they'll fix some bugs before they give it back.
  • by PhilHibbs ( 4537 ) <snarks@gmail.com> on Friday October 27, 2000 @03:52AM (#671582) Homepage Journal
    It's not as if they stole anything valuable, is it?
  • by Eck ( 2901 ) on Friday October 27, 2000 @05:49AM (#671587)

    If there are so many exploits for Unixes and not NT, why is it that despite an apparent minority [netcraft.co.uk] of servers, there are more defacements [attrition.org] of NT sites?

    Besides, as another poster pointed out, if we hear about a vulnerability in an open source OS, whether or not it's Unix-like, we can fix it a lot more easily than with closed-source NT.

  • by nick_davison ( 217681 ) on Friday October 27, 2000 @04:27AM (#671599)
    we're likely to see a similar situation to DeCSS

    How the hell am I going to get all that bloatware on the back of a t-shirt?!

  • by Chelloveck ( 14643 ) on Friday October 27, 2000 @02:17AM (#671610) Homepage

    Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.

    "And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"

    "We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"

    "Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"

  • by divec ( 48748 ) on Friday October 27, 2000 @02:19AM (#671635) Homepage
    Um it was not about NT you fool.

    No. It's just about the software which comes with NT and Microsoft sells for NT and everybody uses on NT. An equally stupidly-designed UNIX mail reader would be equally bad. But most UNIX systems don't use such software.
  • by Kyaphas ( 30519 ) on Friday October 27, 2000 @02:19AM (#671637)
    Just what we need. A high-profile company that has decent lobbying skills getting hacked just as we face more and more legislation against hacking.

    And this on the heels of the story below about pushing for more UCITA support. crap.
