Microsoft Admits To Backdoor In IIS [updated]
Ninkasi writes: "Here is a rather alarming article from Yahoo which claims that Microsoft has a backdoor password into IIS web servers running FrontPage 98 server extensions. Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet." The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site." This is really just too perfect. Update: 05/14 07:48 PM by T : Actually, it is too perfect -- guess this particular possibility for built-in backdoors is old news. Sorry.
I disapprove of this. (Score:1)
Apache, on the Internet's World-Wide-Web network at hypertext transfer protocol site www.apache.org, is the world's most popular Internet server for World-Wide Web services. Internet Information Services, on the other hand, is not. I have published additional guides on the subject, which can be purchased for $19.95 each.
Re:What is this password? (Score:1)
It's the admission (Score:1)
Frontpage is for internal developers only (Score:1)
Microsofties make better lovers (Score:3)
Re:code review (Score:2)
Backdoors which have been specifically placed there *by design*, as an implementation of corporate policy regarding control and access to 'fielded products', is another thing entirely.
Your company - Microsoft - has a particularly bad habit when it comes to shifty, underhanded policies such as this backdoor situation, and therefore it's not unreasonable to expect that the community at large raise alarm torches when holes such as this are discovered.
I don't disagree with you that security by peer review has its flaws.
But then, so does Microsoft's aggressive predatory business practices.
Re:What is this password? (Score:2)
That's amazing! I've got the same combination on my luggage.
Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, DEATH, SubGenius, mhm21x16
Okay... (Score:1)
So they gave us the DLL with the offending code. I've not looked to see how big the DLL is but wouldn't it be pretty straightforward to locate the backdoor password now?
Re:code review (Score:2)
The fact of the matter is that, short of releasing source code, there is no way that your customers can be sure that there aren't any backdoors. For example, it would be much easier for your Dev team to insert a method called PayEntireDevTeam() than for one member to insert the mythical PayTim() method. For Tim to get away with the insertion of his method he would have to be more clever than all of the reviewers. But if all of the auditors were in on the backdoor then there is no defense.
I would like to think that Microsoft would be trustworthy on this account. But this is the same company that released a spreadsheet that doubled as a flight simulator. Quite frankly, I doubt that a whole lot of auditing actually occurs. And if you can convince a group of Microsoft employees that a flight simulator is an important feature of a spreadsheet, then inserting a backdoor should be child's play.
Re:oh please (Score:2)
Neither Linux nor Apache has ever had a security problem that was intentional. This particular problem wasn't a bug, it was a backdoor. Some clever coder at Microsoft even used a joke password.
At least with Linux or Apache there is some chance that someone else is going to catch something this idiotic. With Microsoft the problem apparently can remain unreported to the general public for years. Clearly there is a difference between some random buffer exploit and a backdoor that was specifically placed there by an employee and that was somehow "missed" in the code review.
Re:code review (Score:2)
Commercial software on the other hand frequently has frequent code reviews done internally. Other staff looking at code to fix it, or sometimes group code review sessions.
Re:code review (Score:2)
Wow, I think maybe your tin foil hat needs some adjustment today.
Re:code review (Score:2)
The problem with conspiracies is they fall apart the larger the group is who knows about it. Why just this week before Congress they are talking about Ted Olson's involvement in the vast right-wing conspiracy to discredit President Clinton.
Everybody pretty much even knew that existed, but couldn't pin down who was involved. Well now the evidence is leaking out because of one disgruntled former magazine editor.
And that was a conspiracy involving only a couple of dozen people.
Microsoft has thousands of developers, on the other hand...
Re:code review (Score:2)
I think you need a replacement.
Re:Does illustrate the advantage of Open Source (Score:2)
Re:Does Open Source do Better? (Score:2)
With free software you get whatever you want. You want access to the source? You got it. You want to pay someone else to be held accountable? You got it. Anything is possible.
Re: (Score:2)
No. It is NOT perfect! (Score:1)
Okay, as much as I hate MS products and their lack of options, the revelation of this back door is NOT perfect.
It means that there's a bunch of poor bastards out there who're going to get their systems trashed because they believed in Microsoft.
Yes. This may be a wicked little ego boost to the mindless OSS boosters. But to everyone else, it's a pain in the ass and potentially VERY damaging to some people's sites/businesses.
So gloating to the point of calling this "perfect" is WAY off-base. And, frankly, I'd expected a little more from you guys.
Chas - The one, the only.
THANK GOD!!!
Re:uV-ajeD (Score:2)
Well, unemployed weenies I guess...
Re:Does illustrate the advantage of Open Source (Score:2)
All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:
Security.
While I can see the theoretical, practically this is not true [earthweb.com]. In practical terms almost no one actually analyzes the source with any intensity apart from the people who are the primary programmers (hence the ones who would likely be planting the backdoors). I do CVSups on my FreeBSD [freebsd.org] fairly frequently and I'm basically entrusting that machine absolutely and entirely to the FreeBSD CVS controllers (which of course means if they were compromised I'd be ownzed). I'd wager >99.5% of open source users are exactly the same way: You presume that because the source is available there are tonnes of selfless individuals busily auditing it, but the reality is quite different.
The simple reality is that most current software projects are HUGE and there simply isn't enough time in a lifetime for each of us to analyze all of the code we run with anything more than a cursory glance. And if anyone thinks they'll scan through and see
// Embed backdoor
if (strcmp(password,"REDHAT")==0) {
      iPriority=1000;
}
then they have an enormously naive impression of how a backdoor would be embedded in code subtly. For all you know a number of the software products you are running might be waiting for a magic byte string to come along when it bows to its real master.
Re:open source can have back doors as well (Score:2)
Question: How long do you think that Microsoft REALLY knew about this back door?
Question: How many systems have they accessed or could they have had access to because of this?
While I agree that no one may have looked at all the source, I think it is a little more difficult for things like this to happen with open source.
As far as kernel patches go I think Linus does look at the patches; as well, they are usually reviewed by other developers and it is not a matter of "here, take my word". Besides you don't usually put usernames and passwords in the kernel, you put them in other software.
Apache probably watches out for back doors pretty closely I'd imagine or at least hope.
I don't want a lot, I just want it all!
Flame away, I have a hose!
Re:Back Door? (Score:2)
On the contrary, that's the first time that link's been on-topic in quite a while.
Caution: contents may be quarrelsome and meticulous!
Re:What I find alarming... (Score:2)
Perhaps many of their coders were under 18, and wouldn't be allowed to look at the code?
Caution: Now approaching the (technological) singularity.
Re:M$ Easter Eggs (Score:2)
--
Re:Does illustrate the advantage of Open Source (Score:2)
MS selling you the OS, the compiler, the web server, the mail server, the database, the office applications...it's a very dangerous situation if your company takes its privacy seriously. Combine that with Microsoft Passport and Hailstorm and you'd have to be either psychotic or stupid (possibly both) to use .NET.
-jon
Re:Does illustrate the advantage of Open Source (Score:2)
The problem with using Passport and Hailstorm on top of using IIS, NT/2000, SQL Server, Exchange, Word/Excel, MSC++, etc. is that you don't know what back doors there are in these apps. They are all getting more and more integrated together. Do you packet-sniff your lines? Are you sure what data is being sent where? Do you know what extra code is being placed in your code by MS' C++ compiler?
I'm not saying there are back doors, or even that MS _as a company_ wants to do that. But there are 30,000+ Microsoft employees. All it takes is a couple of programmers in a couple of different departments, working together to put in a set of related trojans. With millions of lines of code, they'll probably slip through code reviews. Heck, with some misleading comments in the code, they'd pass through a code review pretty easily.
How much effort would it be for someone to add code to Excel to automatically email any document which has the words "Payroll Report" in it? Cross-reference the names with people who have Microsoft Passport accounts. Maybe we can find some direct deposit records and have those automagically sent off. I could probably get a fairly complete picture of all information about you, to use as I see fit.
Paranoid? Maybe. But it only takes a couple of rogue programmers.
-jon
Proper Q&A (Score:2)
A lot of people see open source as being so great because you can fix the bugs when the software breaks.
The objective of Q&A is to fix the bugs so when you get the product it is already working.
If the code is written correctly Q&A can do its job.
A point was made (in a very crude way) that poorly written open source isn't going to be easier to fix under "many eyes". Weak fradual code is going to break no matter what system you use to fix it. Making ANY changes breaks the code.
I should now mention one of the OTHER advantages of open source...
In reality there is only one thing you CAN do with poorly written code... toss it...
But when you invest $100 to $1,000 into software you are stuck with it.
Having spent no money on the software you downloaded and installed you can throw it away.
I'm sure a lot of open source developers would prefer you didn't consider this option but it is valuable to know that you are not stuck with it before you get a chance to try it out.
(This is the whole guiding idea behind shareware.. Try before you buy. Freeware has this same advantage. Actually you have this advantage with video games in some cases if the store carries a console with the games running)
So in short bad products that are beyond repair can be disposed of in open source.
Now it would be much nicer if coders would just not make crap code to start with. Open source doesn't prevent it any more than closed. It's just easier to dispose of.
Oh, very true, however . . . (Score:2)
Not a perfect deterrent to potential abusers, but at least one that is there. Hey, I'll take what I can get.
Does illustrate the advantage of Open Source (Score:4)
Security.
Don't like the security? Change it. Don't trust a program? Check it then recompile it. Found a flaw in security? There's a good chance someone else did and has a fix.
Now I'll be first to admit that I feel MS products are not as bad as portrayed. I feel people bash them for the sake of bashing them. But Microsoft's policies and attitudes, and now this debacle . . . that's highly bashable, that's indefensible.
Let's hope this story gets smeared all over the world news - and especially in those countries looking at Open Source as an alternative to Microsoft.
I'm a fanatic (Score:2)
Please say "Proprietary Software" as it should be....
Hugo
Because we went through this last year (Score:3)
The only date in the article or within the HTML is "Last Thursday", the same phrasing in the 2000/04/14 WSJ article. Microsoft's information is within this modified security bulletin [microsoft.com].
Re:New or Old? (Score:2)
I tried not to act like a zealot when I posted the message. I'll admit to being rather distrustful of MS, but I also included a link to their take on the issue, as well as a comment that they'd already provided both a workaround and a patch.
Okay, I'll admit I probably don't understand the idea of Directories and Group policies that well. I am mostly a normal user. I've been forced to do some system administration (NT/Unix) for my group due to both budget constraints and available personnel.
What I got out of the MS announcement was that Group policies overrode system configuration settings. To me this seems like a bad idea since it doesn't allow a system level granularity to shut things off (unless I misunderstood).
Please, instead of just brushing off my comment as "You must know nothing", enlighten me. I'm actually curious and will readily accept both new knowledge, and new insight to old knowledge.
Re:I gotta ask (Score:2)
Rethink on the question. (Score:2)
Although one could define installing Linux unasked malicious (I would even though I use Linux), and generating SPAM, or portscanning systems could be construed as malicious, I suppose the virus doesn't have to be.
Okay. I'll take the challenge (of design if not implementation
For a virus to be non-malicious and still raise public awareness enough it would have to propagate itself (unchanged), but instead of wiping the target's hard-drive, or removing files, etc. it could generate a list of known vulnerabilities (as best as it can), that the target's system is vulnerable to, and e-mails it (or sets it up to run on reboot in the autoexec.bat and then after reading that doc, you can continue to standard bootup). This would 1) show people they are vulnerable, 2) detail (to some extent) they are vulnerable, 3) its non-malicious nature might allow it to propagate by "benign" distribution (as a security tool). I could see one person saying, "Hey, let me send you this file, it lists all the problems on your system". Avoiding the need to work on anything more.
Hmmm you make me wonder if instead of a virus the answer might lie in a Free/OSS P.H.D. Windows Security Audit Tool (phd = Push Here Dummy).
I'm not aware of one but I'm going to start looking. If it was "Cool" enough people would distribute it like they do other "Flash Programs" (not suggesting writing it in flash, just an example).
What it will take. (Score:3)
Imagine a virus on this scale that does the following:
1) replicate itself through either e-mail attachment, or by forwarding a random encoded name (cut/paste algorithm from mailbox? past message with a "I'm not sure I sent you this" + Subject, replacing a link within the message for a poisoned website/ftp site.
2) wipe all network attached drives
3) enter commands in the registry's "RunOnce" section to remove the system files on the next reboot (these can only be done prior to their being loaded, otherwise the system tends to be persnickety about it). Don't forget things like the CMD/COMMAND shell.
4) (optional) attempt a remote access/infect of all machines within a given IP range (defined by SubnetMask?).
5) If you are using step 4 then move step 1 to here so recently hacked/poisoned web/ftp sites can be inserted into mail message preventing stagnation of link. For extra credit have the virus self-modify to include a running list of where it's been (or what sites it's tried to help cut down on duplicated effort. Short run log might also help trace back to source so the IP addresses should be normalized/sorted, not appended to the end. This will also help in updating the list as the worm moves).
6) You've done all the mischief you can. Now reboot the system to truly FSCK the end user.
This is just a broad outline, but seriously.
If this sort of thing happened, the results would be two-fold.
1) Definite: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not their fault.
2) Less Likely: (but wishful) People might realize how security is iterative and valuable. It is much more tangible than the social contract most of us assume it to be. We figure, "we're not worth it", or, "who would bother me?" and joke about security, but your average end user doesn't really care (ask the same person about 'air-bags' and see how much they do care if they feel vulnerable).
With the days of standard, high speed access in the homes, the scenario I outlined above is all too real and all too close to happening.
I guess this probably won't make much of a difference in MSFT server sales... unless the payloads are consistently delivered via an MSFT server (or else the virus specifically targets MSFT servers by using some central warehouse of net accessible MSFT servers, like say netcraft).
P.S. I do not encourage AT ALL making the above virus. I think it would be a malicious piece of garbage and would be the first in line to string the writer up by their anatomy. On the other hand I doubt I'm the first to think of this sort of thing so I have only slight qualms about writing it down (the more who are concerned about it, the less likely it will come to pass), and there would (still) be major technical obstacles to be overcome, for a virus of this type to be created and released.
New or Old? (Score:5)
While it's nice to see MS finally admitting to this, unless this is a new vulnerability, it seems almost like someone is trolling either Yahoo and/or Slashdot (and succeeding).
On the other hand I did find out about a wonderful and relatively new (Posted May 02, 2001 to CIAC [ciac.org]) bug involving IIS 5.0, Windows 2000, and a buffer overflow (what else
In Microsoft's defense, more information (in easy bite size portions that were a tad too sickening for me) is available here [microsoft.com]. They also have a patch to fix the issue (assuming you wish to maintain the service and not remove it). The patch will supposedly be rolled into Win2K SP2.
One last thing, an interesting side note is that they recommend modifying group permissions instead of just unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Their reason?
Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.
Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.
Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implementation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.
Funny (Score:2)
How much of closed source is never looked at again?
Because we went through this last month (Score:2)
http://slashdot.org/articles/00/04/14/0619206.sht
The end result was that there was no backdoor.
Re:Back Door? (Score:2)
With an unknown number of "back doors" in. There might also be some rotten "easter eggs" in there too...
Re:code review (Score:2)
yeh...
and i've got some wonderful swamp land in florida. Act now, and i'll throw in a bridge in Brooklyn...
tagline
Re:Predicted comment breakdown for this article: (Score:2)
Oh, there are no masters in the field of psychology, only students. Study neurobiology and start reverse engineering the brain, you'll get there faster than an infinite army of Freudian navel-gazers.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re:Cisco (Score:4)
The Right Thing To Do with forgotten passwords is to make the person who forgets them suffer. System must be brought down, set a new password, bring it back up. What happens if you lose all keys to the toolshed? You have to rip out the lock, which can and should be a lot of trouble, and then install a new one. Don't lose the keys, dumbass.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Re:code review (Score:2)
Re:April 2000 (Score:2)
The only other reasonable assumption is that M$ has finally admitted, 13 months after the shitstorm, that they did indeed have an exploitable backdoor in IIS. The last statements I heard, during the shitstorm of April 2000, were that the string existed but couldn't lead to any compromise. Perhaps M$ has now tortured a confession out of the engineers and realised there is a backdoor. But the mention of dvwssr.dll ties this into last year's fiasco.
Most likely is that this is a glitch story accidentally reposted by a yahoo editor. Only time, and maybe a slashback, will tell.
the AC
Re:code review (Score:2)
I wonder how to solve this. Perhaps make a "game" of code reviews...people who contribute get "points"...or other people can "vote up" contributions. Perhaps something like this. This way, ego sort of gets put on the shelf, because you're not really attacking the person sitting opposite of you, you're just "gaining points". I don't know if this would work in reality...but code reviews are almost universally dreaded, even though they should probably be practiced much more often.
Re:Predicted comment breakdown for this article: (Score:2)
I calculate about another 2 years until slashdot degrades to the point where an empty story will be posted stating "Microsoft Sucks". CmdrTaco will implement a filter which uses advanced neural net filtering to decide if a post is pro Microsoft, and the post will immediately get rated at the new (-5, idiot) level. Any pro-Linux post will get +5. Truly insightful posters will move onto some new forum. Of course, the trolls will split into two groups, both somehow equally as annoying as before. Shortly thereafter, a singularity will form above RedHat's HQ and suck in all things open-source, as Bob Young rips off his face mask (a-la MI:2) to reveal... Bill Gates.
To quote the book of Sith, passage 30:23, "And the dark lord sayeth, Strike out at me, and become me, for truly I am thyself, with a more menacing outfit."
Too Late for Some (Score:2)
JOhn
code review (Score:5)
Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.
Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.
-konstant
Yes! We are all individuals! I'm not!
Let us not forget the NSA backdoor theory (Score:4)
from: sci.crypt
subject: NSA and MS windows
A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suites that go into its operating system. The point is that only approved crypto suites can be used, which makes things like export control easier. Annoying as it is, this is the current marketplace.
Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd expect out of Microsoft.
Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.
I don't buy it.
First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.
Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to compromise security.
Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.
I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.
Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.
But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.
Last Thursday? (Score:3)
Re:April 2000 (Score:4)
I couldn't find a link to it on the main story index though.
--
DLL naming convention (Score:5)
MEMORANDUM
TO: BILL GATES
FR: SECRET SERVICE COMPUTER CRIME TASKFORCE,
OPERATING SYSTEM REMOTE CONTROL TEAM
Pursuant to our back door access agreement with Microsoft, please include the following dvwssr.dll (device for virtual web secret service remote-control) in your web server system distribution.
DIR. SECRET SERVICE
p.s. Could you also have one of your database people call the folks over at the FBI? Apparently they've got a whole bunch of pages of some Oklahoma City court trial related stuff in that SQL database and can't make heads or tails out of the darn thing. They had some Chinese workers looking into it, but apparently they got reassigned to a firewall project over at Defense.
and thanks to FOII... (Score:5)
MEMORANDUM
TO: BRIAN STAFFORD
FR: STEVE
Brian - Got your note. No problemo on the request. BTW, please tell your folks that I'm the big man on campus now. I've got an office almost as big as Bill's was, and even have one of those really cool leather chairs. So please tell them they can stop sending all that stuff to Bill. It just sits on his desk while he's out doing that foundation crap.
Speaking of Bill, tho, we talked about the little SQL problem over at the FBI and he wanted me to assure you all that he's absolutely positive there's no relation between database problems and that pesky antitrust matter.
Bill said he was sure that since Janet's long gone, we'd be glad to take a look into the problem. In fact, we'd be happy to archive all the antitrust stuff at the same time just as a way of saying thanks for the business.
Give me a call sometime!
The Big Ball
Re:April 2000 (Score:2)
Code Reviews (Score:2)
Call me naive, but I don't think that Microsoft is stupid enough to purposely put in a back door. Even if "security experts" outside the company never find it, secrets like backdoors have a way of coming out. This is likely the act of one or two very foolish MS employees who, if they still worked there when this came out, got fired over it.
Code reviews are especially important with closed source, but all projects need them. We got behind schedule on the last project I was in charge of, and I put off the code reviews to try and get the software done. It was a BIG MISTAKE on my part. Now some of those people have left the company, and I'm left supporting poorly designed, hastily written code. What's worse is the one person who left had great confidence in himself, so he tested very little of his code. Needless to say, the product ended up being later and of lower quality because the time wasn't spent doing it right the first time.
Re:Back Door? (Score:3)
This news does not surprise me... (Score:3)
...but the reaction to it will surprise me. I expect it, and it will still surprise me: I predict this makes absolutely no dent in MSFT server sales.
You see, I think that most of the people who could learn from this sort of thing have already learned several times over.
I don't know what sort of catastrophe it will take for the rest of these people to learn...
Re:Back Door? (Score:2)
--
Re:Back Door? (Score:2)
--
Re:Back Door? Off-Topic (Score:2)
He (You?) linked to goatsex, therefore he is (you are?) a slimeball. Only one post needed for that. Simple enough for you?
--
Re:New or Old? (Score:2)
If you understood directories and group policies, you would understand why this is so. Of course, most people "happy to run Linux" don't get the purpose of directories (NDS, ADS or otherwise) to control and organize information within a company.
Re:Too Late for Some (Score:4)
God I'd like to put a bullet in the head of that particular piece of FUD once and for all...
Re:Too Late for Some (Score:4)
What's Amazing about this and what's not... (Score:3)
"Better security out of the box than Linux" (Score:5)
U$oft spin doctors (Score:2)
How do Microsoft's PR people pull this off? The article attempts to shift the blame by pointing out that the code was "written during the dispute between Netscape and Microsoft over their versions of Internet-browser software." When other companies have software holes found, the media holds the manufacturer firmly and ultimately responsible, even if it was a disgruntled employee. But when talking about this Microsoft hole, the article goes way out of its way to make subtle hints at this dubious detail in an apparent attempt to shift the blame. Sure, it COULD have had something to do with the browser wars. But it could have just as easily been general anti-Microsoft sentiment. Or someone putting it in for their own personal gain. Or someone just being a smart ass. Again, when other companies have security breaches, no one goes "Awww, poor foobar.com, your bugs are okay because people are picking on you". No, they rip the company a new ass hole and their stock takes a dive.
Re: (Score:2)
Re:code review (Score:2)
M$ would prefer you to attribute to lack of malice what is obviously explainable through incompetence.
There are no more backdoors, but only because M$'s backdoor routines are buggy.
April 2000 (Score:5)
--
Back Door? (Score:2)
What is this password? (Score:2)
Re:Holding Microsoft Accountable (good luck) (Score:2)
I'm very tired of hearing this argument. It is the same argument as "no one ever got fired over buying IBM". If you feel good over the ability to sue, fine, it'll make you sleep better. But I've learned to sleep well by shrugging off the repeated experience of getting screwed over by vendors who just had a better lawyer than I did when the contracts were reviewed.
And that's with vendors where you can actually negotiate a contract. Microsoft's market dominance means it will get away with not negotiating a contract. Take the EULA or leave it.
Besides, for a successful suit you'd need to prove something like gross negligence or criminal intent. I think the chance of proving that is slim in the case of this backdoor, and that they would probably walk away with a court order mandating half off upgrades to all affected users.
Re:What is everyone spewing about? (Score:2)
The message you quoted is in fact from the NTBugtraq moderator (who IMO deserves considerably less credibility). The two lists are entirely independent.
But why? (Score:2)
So they put the code in there to...what? Check up on servers to see if they were running non-M$ extensions or packages? It just sounds a little odd to put a back door into a webserver for reasons of a dispute.
Re:What I find alarming... (Score:2)
The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc.
I don't know. I'd like to think that if this particular piece of code really was peer-reviewed, then it would have been caught before release.
But I agree that it is not isolated to M$. I have yet to work at a place that really understands how code reviews are supposed to work. Too often, managers say "do a code review", without understanding that it takes more manpower than the overworked coder one cube over to do a proper code review.
IMO, the release of the backdoor wasn't a defect -- it was a foul-up, and a stupid one at that. While I'm sure that there was a good reason to have a back door during development and testing, the coder should have ensured that this wouldn't get put into a release build of the product, and therefore put the appropriate compiler/linker flags in the build so that it didn't. But, when you're talking about a large company where developers are rushing half-baked stuff out the door to meet whatever deadlines the resident PHBs dream up, these kinds of mistakes are going to happen.
Re:Back Door? (Score:2)
It's not like I was trying to disguise it as something else... and if you read the parent comment, anyone who's been on Slashdot for a fairly long time should know what it will lead to. So lighten up.
Who are the "security experts"? (Score:5)
I looked in the usual-suspect places but didn't turn up anything. I mean, you can't really "search" for this.
The song remains the same (Score:2)
Re:Should be fined (Score:2)
This is what passes for secure these days?
Trust (Score:2)
Except, of course, when they make a mistake, or mis-speak, or omit certain details, or just out right lie.
Doesn't that seem to be happening uncomfortably often?
It is one thing to get control of a market by various hardball marketing tactics.
It is another to gain a market because of trust.
Check out the Vinny the Vampire [eplugz.com] comic strip
Let's be fair (Score:3)
Now, let's be fair. If you don't care about the open/free software philosophy (and just for the record, I do), and security is really the only thing we're arguing here, then the real questions are: when was this backdoor introduced, when was it discovered, and how soon will there be a patch?
The article mentions nothing in this regard, and doesn't warrant the comment, "Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet."
I can't see how this incident favours one side of the argument over the other, until we have more information about the circumstances.
What I find alarming... (Score:3)
Is not the security hole... we all know M$ considers security matters a complete joke. People are at their mercy as to when to release fixes, if at all.
What raises a red flag with me is that the wording of the article indicates the password backdoor was put there intentionally... and we're supposed to trust M$ with our valuable and oftentimes, priceless data?
"Against our policy"... right. To hell with them.
Ethics and Computing (Score:2)
Deven Phillips, CISSP
Network Architect
Viata Online, Inc.
"Microsoft" "backdoor" (Score:3)
What is everyone spewing about? (Score:4)
Take a look at what Bugtraq's owner had to say at the time (Bugtraq originally reported this issue.)
It seems that someone testing the box entered the string and got into the Frontpage web w/ no password.... as it is pointed out below, that is because the security on the box wasn't set properly.... they could have typed in "MicrosoftSucks!" and gotten in.
======= BEGIN MESSAGE =========
Ok, here's a breaking update.
Latest reports say that there is
NO VULNERABILITY IN DVWSSR.DLL
Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.
Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).
MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).
Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...
In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.
That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the
From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).
I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.
This info may change again before it's finalized. It may well be that there is some way to use this
Finally, to my point about the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that it's not a password. Whatever it is, it appears to be meaningless junk text used as data.
===== END MESSAGE ======
-- russ
"You want people to think logically? ACK! Turn in your UID, you traitor!"
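The distinction the quoted Bugtraq update draws (a shared framing "key" that both DLLs must know, versus the file permissions that actually decide who gets the source) is easier to see in code. The following is an added example, not code from the page, from the quoted message, or from Microsoft; it assumes a repeating-key XOR as the obfuscation (the message only says the client and server share a "key" and that traffic must be obfuscated with it), and the key string, site paths and ACLs below are constructed for illustration.

```python
"""
Toy model of the situation described above: a constant both sides must know
in order to talk, and a separate permission check that does the real gating.
Added example; XOR obfuscation, key string and ACLs are assumptions.
"""
from itertools import cycle

# Constructed: the shared string both endpoints must know. Knowing it is not
# authentication; it only lets you produce a request the server can parse.
SHARED_KEY = b"not-a-password-just-a-framing-constant"


def obfuscate(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# Constructed virtual sites: path -> set of user IDs allowed to read it.
# An empty set models a file with no permissions applied at all, which is the
# misconfiguration the message attributes to the test servers.
SITE_ACLS = {
    "/site1/secret.asp": {"site1admin"},
    "/site1/public.asp": {"site1admin", "anonymous"},
    "/site2/secret.asp": set(),  # permissions "non-existent"
}


def server_handle(user: str, wire_request: bytes, key: bytes = SHARED_KEY) -> str:
    """
    Server side: de-obfuscate the request, then check permissions.
    Returns "OK <path>", "ERROR garbled" (wrong key, request unintelligible)
    or "ERROR forbidden" (right key, but no permission on the file).
    """
    path = obfuscate(wire_request, key).decode("ascii", errors="replace")
    if path not in SITE_ACLS:
        return "ERROR garbled"
    allowed = SITE_ACLS[path]
    # Empty ACL means nothing is enforced: any user ID gets the file.
    if not allowed or user in allowed:
        return f"OK {path}"
    return "ERROR forbidden"


def client_request(user: str, path: str, key: bytes = SHARED_KEY) -> str:
    """Client side: obfuscate the path with whatever key the caller believes in."""
    return server_handle(user, obfuscate(path.encode("ascii"), key), SHARED_KEY)


def demo() -> dict:
    """Four cases that separate 'knows the key' from 'has permission'."""
    return {
        # Wrong key: the server cannot even parse the request.
        "wrong_key": client_request("anonymous", "/site1/secret.asp", b"guess"),
        # Right key, no permission: still an error, so the key is not a password.
        "right_key_no_perm": client_request("anonymous", "/site1/secret.asp"),
        # Right key and permission: works as designed.
        "right_key_perm": client_request("site1admin", "/site1/secret.asp"),
        # No ACL on the file: any user ID with the key gets the source.
        "no_acl": client_request("TomDickandHarry", "/site2/secret.asp"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The case to look at is the last one: the user ID is arbitrary, just as the message says of "TomDickandHarry", and the request succeeds because the file carries no permissions, not because of anything the key does.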
Re:What it will take. (Score:2)
EULA sez no. (Score:2)
-Kasreyn
The fact remains... (Score:2)
Bill Gates' Network Neighborhood (Score:4)
I bet Microsoft's websites are probably running on a "Modified" version that doesn't include this backdoor.
Does Open Source do Better? (Score:4)
With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?
Re:April 2000 (Score:3)
V.
Re:code review (Score:5)
# FIXME: can't test on dev server, assume works for now
return 1; # cc validation goes here...
The site was less than a week from going live when we found that.
M$ Easter Eggs (Score:3)
.kb
Re:What I find alarming... (Score:2)
Re:What I find alarming... (Score:4)
The backdoor was slipped in by a coder who managed to get it through a code review, etc, etc. This is not isolated to Microsoft. That's why OSS is so nice - anyone can look for and find backdoors to fix them.
When you are talking about tens of millions of lines of code, it's impossible to find stuff like this unless you spend a LOT of time looking for it. In my previous life I worked for a company whose flagship software was about 25 million lines of code. I'll never forget when they decided to give the source to select customers who signed NDAs. They spent MONTHS looking for backdoors and inappropriate comments like:
It was amazing how much stuff they found (mostly in the comment category) and how long it took to find it all in a code base that large.
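The stub in the "Re:code review (Score:5)" comment above (a FIXME followed by an unconditional return where the validation should be) and the months-long comment sweep described in this one are both things a small review helper can flag before a human reads the code. The following is an added example, not code from the page or from either poster: a scanner that reports comment lines containing marker words and placeholder returns sitting within a few lines of such a comment. The keyword list, the comment syntaxes and the two sample sources are constructed assumptions; a reviewer would tune the lists per codebase.

```python
"""
Added example: flag "not finished" comment markers and the constant returns
that tend to sit next to them. Keyword list and samples are assumptions.
"""
import re
from dataclasses import dataclass

# Comment markers that often mean "not finished" or "not meant to ship" (assumed list).
SUSPECT_WORDS = re.compile(
    r"\b(FIXME|TODO|XXX|HACK|backdoor|back door|remove before (release|ship)|"
    r"assume[sd]? works|goes here|magic (string|password))\b",
    re.IGNORECASE,
)

# Comment starts for the languages in this thread (Perl '#', C '//' and '/*').
COMMENT = re.compile(r"(#|//|/\*)\s*(.*)$")

# A return of a constant success value, optionally followed by a trailing comment.
PLACEHOLDER_RETURN = re.compile(
    r"^\s*return\s+(1|0|true|TRUE|True)\s*;?\s*(#.*|//.*|/\*.*)?$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str  # "comment" (marker word) or "stub" (placeholder return near a marker)
    text: str


def scan_source(path: str, source: str, window: int = 2) -> list[Finding]:
    """
    Report (a) comment lines containing a suspect word and (b) placeholder
    returns within `window` lines of such a comment. A constant return on its
    own is common and noisy; the nearby marker is what makes it worth a look.
    """
    lines = source.splitlines()
    findings: list[Finding] = []
    suspect_lines: set[int] = set()
    for no, line in enumerate(lines, 1):
        m = COMMENT.search(line)
        if m and SUSPECT_WORDS.search(m.group(2)):
            suspect_lines.add(no)
            findings.append(Finding(path, no, "comment", line.strip()))
    for no, line in enumerate(lines, 1):
        if PLACEHOLDER_RETURN.match(line) and any(
            abs(no - s) <= window for s in suspect_lines
        ):
            findings.append(Finding(path, no, "stub", line.strip()))
    return sorted(findings, key=lambda f: (f.path, f.line))


# Constructed sample inputs, modelled on the stub quoted in the thread.
SAMPLE_PERL = """\
sub validate_card {
    my ($number) = @_;
    # FIXME: can't test on dev server, assume works for now
    return 1; # cc validation goes here...
}
sub lookup_user {
    my ($id) = @_;
    return $users{$id};
}
"""

SAMPLE_C = """\
int check_token(const char *tok) {
    /* TODO remove before release */
    return 1;
}
int add(int a, int b) { return a + b; }
"""

if __name__ == "__main__":
    for name, src in (("site.pl", SAMPLE_PERL), ("auth.c", SAMPLE_C)):
        for f in scan_source(name, src):
            print(f"{f.path}:{f.line}: [{f.kind}] {f.text}")
```

The "stub" finding is the one worth routing to a second reviewer: a marker comment by itself is usually just a note, but a marker beside a function that always returns success is exactly the shape of the credit-card stub quoted above.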
DVWSSR.DLL (Score:2)
Slashdot... (Score:3)
I didn't even have to read past the Yahoo article to realize what it was. The dynamic link library mentioned plus FrontPage 98 clicked in even my head.
Since the editors of Slashdot love bashing MS, can't they at least learn of NT's vulnerabilities before posting them? Anyone who knew something about NT would have spotted that was old before reposting it.
No offense to Slashdot and I'm not a troll. I just can't believe this.
Re:code review (Score:2)
Re:What it will take. (Score:2)
Re:code review (Score:2)