Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Slashback

Slashback: Gopherectomy, Portacinema, Disunity 210

Slashback tonight with a quartet of updates. So, read on for more information on portable video viewing (and instant recording!), United Linux and one analysts view of What it All Means, Microsoft's answer to a Gopher hole, and why easily guessed passwords sometimes save the day.

Throwing the gopher out with the bathwater. An Anonymous Coward writes: "As reported on News.com and discussed on Slashdot, MSIE's gopher support had a serious security vulnerability that allowed your machine to get ROOT'ed.

Well, it seems that Microsoft is unwilling or unable to make the fix, so it is removing support for the gopher protocol from IE. Not that MSIE's gopher support isn't very poorly implemented anyways."

Kept out of the U.S. by the secret conspiracy, no doubt. Buggalo writes "When I saw the article about the Pogo Flipster I thought I'd mention this too. Of course, it's not available in the US (not yet at least), but it sounds cool anyway. It plays MP4 video as well as MP3 audio. One thing that differentiates it from the Flipster is that this one includes video inputs so you don't even need a computer to get anything onto it. It also seems to have a larger screen. From what I can tell it has 64 megs of flash memory built in, and has an SD memory card slot as well. Sorry the website is in Japanese, but you can use Babelfish to translate it."

Not betting on a United front. dgb2n writes "Smart Money Magazine published an excellent article covering the business implications of the United Linux consortium. It provides some good insight into Red Hat's business model, stock price, and future prospects and names a potential winner in the Linux market."

At least this one aspect is happy. Hellkitten writes "The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards This previous Slashdot article explains the problem they had.

Aasentunet posted this notice, telling the password and thanking everyone that helped"

ZDNet has the story here as well."

This discussion has been archived. No new comments can be posted.

Slashback: Gopherectomy, Portacinema, Disunity

Comments Filter:
  • by King of the World ( 212739 ) on Monday June 10, 2002 @07:02PM (#3676266) Journal
    Not that MSIE's gopher support isn't very poorly implemented anyways.
    Er, wot?
    • by sholden ( 12227 )
      Not that MSIE's gopher support isn't very poorly implemented anyways.

      Er, wot?


      You have trouble parsing sentences of the form:

      Not that A isn't B.

      ???

      For the english impaired, it means that A isn't B is false. And in a lot of cases, thus A is B.

      So the quoted sentence means:

      MSIE's gopher support is very poorly implemented.

      But stated in a more diplomatic style, which I guess is not so common for slashdot :)
      • Except that in your example, B is also a negative, cause the confusion by using a triple negative.
  • Now if only my employer would agree to let me fix all the security holes in W2K by UNINSTALLING. I can dream, can't I?
  • by Anonymous Coward on Monday June 10, 2002 @07:05PM (#3676280)
    Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!
    • by thesolo ( 131008 ) <slap@fighttheriaa.org> on Monday June 10, 2002 @08:28PM (#3676671) Homepage
      Next thing you know, they'll drop support for 75 baud cradle modems. Damn Microsoft! Damn them all to hell!!!!

      The sarcasm and humor in the parent post aside, this is a very serious issue.

      I think most of us know that Gopher is not used very much anymore, so MS supporters are definitely downplaying this hole. However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!

      Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support. Not everyone runs WinXP, and can install the latest service pack that turns off Gopher support. People are going to keep their system the way it is, but because a patch is not available, they will be vulnerable to arbitrary code being executed at system-level just by clicking a link. And god forbid someone DOES actually want to use Gopher under IE, I guess they can't upgrade to the next version of IE. (Hey, they can always use Mozilla though!)

      This could have a major spiral effect too; think of the Code Red worms. When worm writers realized that people were not patching their system, they released variants of the same worm, to do even more damage. If malicious people now hear that MS is not planning on patching this vulnerability, they might very well have a field day with it.

      I guess all that talk from MS about their "trustworthy computing initiative" was exactly what we all thought; complete and utter hogwash. This type of behavior is simply unacceptable, but especially from a company that claims to be on a company-wide security audit.
      • However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!

        Not everyone who uses IE is going to upgrade to the next version of IE which will have no Gopher support.


        Yeah, but those are the same people who wouldn't install the patch, so what difference does it make?

        Actually, it's much more likely that people will install the new version of MSIE than that they will install a patch.

        I agree that it's a cop-out, and probably indicative of MS' security future, despite all their lip-service to the contrary, but lets be honest here; people are stupid, so there will be millions left vulnerable no matter what MS does because those millions are too ignorant to protect themselves.

        The only thing they could do that would actually make a difference is release the patch as a worm that would patch it's own exploit after emailing itself to your whole address book.

        • Or they could spend a few of those billions making secure code in the first place.

          Pleeeeeze - it can't be that hard scanning your code for unchecked buffers! So I don't think that fixing the thing even after the fact would be that insanely difficult...

          Lastly how about software liability?

          The only time that MS really fixes things (or anyone else for that matter) will be when it costs them. When they have to go before a jury, and explain how they didn't use any due dilligence, and that that total system crash that took down the First Interstate Loan Center (Portland Oregon) in the early-mid 90's for hours and hours every week was their own fault. (As I recall it was an undocumented switch in the TCP stack that fixed the SNA session dying thing...) [I know, I had friends that worked there then - NT 3.1, 3.5? dunno]

          When companies no longer can shield themselves from liability by claiming that software is _SO_ different than the rest of the known world, they'll actually do somthing - till then, just get ready to take it like a good consumer!

          Cheers!
        • ... but lets be honest here; people are stupid, so there will be millions left vulnerable no matter what MS does because those millions are too ignorant to protect themselves.
          Interesting (and depressing) thing occured last week here at work. Couple of us "linux" nuts were talking to a "windows" nut about the need to at least keep up on system patches, etc. Now, he's a very brilliant engineer and can get around in a computer system more so than you'd otherwise think when you heard his reply: "I don't care. I really don't." This even after we explained it wasn't about someone taking stuff from his system as much as it was about someone using his system to attack others. He is smart enough to do it, understands the repurcussions of not doing it, and still doesn't care. It was at this point that the couple pro-linux nuts in the discussion realized that there was honestly nothing we could say to move his opinion.

          In other words, you have to figure that, as many clueless people are not patching their systems, our co-worker represents a large number of quite saavy people that are completely apathetic to wanting to be bothered. They don't have the interest to want to take the time; we can't reach these people using fear or logic. How, then, do we protect ourselves?
      • I think most of us know that Gopher is not used very much anymore, so MS supporters are definitely downplaying this hole. However, by not releasing a patch and instead just removing Gopher support, MS is leaving millions of people still open to vulnerabilities!

        They ought to just hire Bill Murray and be done with the problem. (Hey, it wouldn't be any worse than anything else they've done...)

      • This vulnerability is so easy to exploit (javascript popup to a gopher) its driven me and a couple of other people I know to use mozilla almost exclusively on win boxes. Unfortunately Mozilla doesn't render everything MSIE does (apparently checking your page in netscape hasnt been a priority for many web developers anymore).
  • Portmacinema? (Score:1, Interesting)

    by ObviousGuy ( 578567 )
    It's nice to see how quickly the password was hacked into. Now maybe people will realize how encryption and password protection is simply a smokescreen for system infiltration by hackers.

    Did the data need to be encrypted? Nope.
    • Now maybe people will realize how encryption and password protection is simply a smokescreen

      Ummm... AFAIK it wasn't cracked it was guessed. Just b/c the administrator chose one of the crappiest passwords ever you can't fault the system.
      That's like when someone kills themselves drunk driving you say 'see, roads are dangerous.'

    • Overlooking the fact that his password was his name spelled sdrawkcab. Which is VERY bad password security
  • by rufusdufus ( 450462 ) on Monday June 10, 2002 @07:06PM (#3676292)
    If I were the manager of IE, I'd just rip out support for gopher too. Why support this protocol which nobody uses (in IE) but has at least one major known security breach? The testing and validation of the bug fix's security, as well as the the rest of the code, would cost way more than its worth.
  • by GoatPigSheep ( 525460 ) on Monday June 10, 2002 @07:11PM (#3676321) Homepage Journal
    The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards

    thats not a very smart choice of password, using your name.

    at least it wasn't 'god' or 'sex'
  • Backwards? (Score:2, Funny)

    by Nept ( 21497 )
    The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards


    are you sure that's the name spelled backwards? spelling it 'djupedal' looks more backwards to me ... :)

    • It's probably something more like D. Jupedal.
    • Re:Backwards? (Score:4, Interesting)

      by hta ( 7593 ) on Tuesday June 11, 2002 @03:58AM (#3678073) Homepage Journal
      are you sure that's the name spelled backwards? spelling it 'djupedal' looks more backwards to me ... :)

      Americans......
      "djupedal" means "deep valley" in Norwegian, and is a reasonably common surname.
      American cultural imperialism is already imperiling the Norwegian heritage with given names like "Roger" and "Angela", but the surnames are still holding on against the flood.
      Where is Ivar Aasen when you need him.....?
      • the thing about "cultural imperialism" is that it is fought by the "victims." if people don't give up money to the invading culture, it cannot spread. the problem is that people don't always realize that they are buying the entire package and not just the entertainment or the convenience they want.

        and on a lighter note...

        i'm an american, but i do my part to preserve things norwegian. i buy jarlsberg cheese and apoptygma berzerk cds. actually i just buy those things because i like them.
  • by dirk ( 87083 ) <dirk@one.net> on Monday June 10, 2002 @07:14PM (#3676341) Homepage
    Why should IE continue to support Gopher? It is a protocol that is rarely used. It is outdated, and there is no need for it in IE. It's what is commonly refered to as program bloat. It's not needed and should be removed. For the .001% of IE users who do use Gopher, they can use a seperate Gopher utility, which will probably support it better than an all-in-one option like IE. Isn't program bloat one of the things everyone has against MS? Shouldn't this decision be applauded?
    • Because the RIAA isn't looking for MP3 sites, the BSA isn't looking for warez sites, and the IDSA isn't looking for ROM sites on the gopher:// protocol. Oh well, the clued already aren't using IE anyway, so no loss.
    • Why should IE continue to support Gopher?

      "Welcome to Internet Explorer. With this you can easily go everywhere on the Internet. Except for sites which have protocols that we have problems with implementing(*). Have a nice day.

      (*) This is everything except FTP and HTTP. Even if there are problems with the implementation of FTP and/or HTTP, we will not remove them(**).

      (**) This will happen after we've implemented the MS-PPTP(***) into our IIS servers and have replaced TCP/IP with the MS-PITY(****).

      (***) Microsoft Private Propriatary[sp] Transfer Protocol is a trademark of ...

      (****) Microsft Protocol for Internet TechnologY is a trademark of ...."
    • Why should IE continue to support Gopher?
      Because IE is supposed to be a web browser. The original concept of a web browser was to provide a unified interface to Internet resources.

      Naturally, this is an invitation to software bloat, although if the browser is modularised it needn't be so bad. But arguably the user interface benefits are so compelling as to compensate for the conceptual ugliness.

      By removing Gopher, Microsoft are moving away from the concept of a web browser and towards the concept of a proprietary content viewer.

  • by kzinti ( 9651 ) on Monday June 10, 2002 @07:17PM (#3676357) Homepage Journal
    According to a report and interview on NPR All Things Considered this afternoon, it only took about an hour to discover the password. The hard part was finding a copy of the old DOS-based database software that was capable of opening the database.

    The institute now keeps copies of all its passwords locked in a safe. Of course, if all its passwords are as bad as the lost password, then what's the point?

    --Jim
    • "The institute now keeps copies of all its passwords locked in a safe."

      And where do they keep the code or key to the safe?
      • "And where do they keep the code or key to the safe?"

        If it's the main safe, there would presumably be several trusted individuals with the key or combination. That's quite different compared to the password used on a project done by a single person.

        But it doesn't really matter. Cracking a safe is relatively easy compared to attempting to recover the password from a proprietary application.

      • Not an issue, a good locksmith (who knows safes, which isn't all good locksmiths) can get into any safe in less than a day, but the effort will leave physical evidence.

    • Actually, this is not quite correct. The NPR interview said it took an hour to discover the password *and* determine the correct version of the software. Furthermore, the majority of the hour was used up in determining the version. Apparently the password existed in plain-text within the data file, and it only took a few minutes to discover it.
  • How many /. reader's use their name spelt backwards as passwords ;)
  • ...But we should all take it as a lesson. Use strong pass phrases!
    • by agentZ ( 210674 ) on Monday June 10, 2002 @07:37PM (#3676458)
      I disagree. The lesson we should take away is that there should be a password recovery mechanism.

      If this person had used a strong password and strong crypto, all of their work could be lost! The password recovery mechanism has to be difficult enough to deter an attacker (e.g. require physical presence of company CIO, etc), but easy enough to do in an emergency. This could be necessary for untimely deaths, disgruntled employees leaving without turning over the access devices to their accounts, etc.
      • I heard recently about a software package (no reference, sorry) for managing company resources based on a security model of aggregate permissions. Suppose the administrator for a system dies (as in this Norway case), two non-administrator employees might together be given permission to access the database as admin.

        The software is based on a point system where a person at a particular organizational level would possess N points to contribute toward a group effort requiring security clearance.

        Guess that's not too good if you're an abusive employer though... "Mutiny on the LAN!" ;)

        • That's already in PGP [pgpi.org]. You can make split keys easily. And it is easy to program your own: to make an m-of-n system, where you need m of the n pieces to recover the password, let r_1 through r_m-1 be lists of random integers 0 to 256, with lengths equal to that of the password.

          Then share number s of the password, part i is r_1[i]+s*r_2[i]+s^2*r_3[i]+...+s^(m-2)*r_m-1[i]+s^ (m-1)*password[i] all mod 257. If you have m of the shares, say keys numbered s_1...s_m, you reconstruct (leaving out the [i]'s this time) as password=key_s_1/((s_1-s_2)(s_1-s_3)...)+key_s_2/( (s_2-s_1)(s_2-s_3)...)+...+key_s_m/((s_m-s_1)...).

          I hope that isn't patented, it's just a back-of-the-envelope calculation with VanderMonde matrices. All you have to do then is have everyone encrypt their share(s) with a different password, and integrate the key-rejoining routine with the password-entry system so that the employees don't get to see it after reconstructing it, and you're done. The cool thing about the system is that m-1 of the shares give no information about the password, assuming the random number generator you used is good enough.
      • And then what are you going to tell your shareholders when the news comes out that your database was cracked in a couple of minutes by a script kiddy? And then it happens again, and again, and again?

        If you follow good computing practices this problem would never happen.

        1. Every application or system should have an administrative userid with the ability to change all passwords.

        2. This userid should be guarded like fort knox.

        3. The password for this userid should be changed on a regular basis.

        4. At least two people should be involved in the password change, and preferably each one should only know half of the password.

        5. Each time the password is changed it should be recorded in twice. One record should be stored locally in a secure place such as a safe. The other copy should be stored in an easily accessible secure offsite storage facility.

        6. A third party should be responsible for verifying the process has been completed and report to management any deviation from the procedures.

        7. Management approval should be required for retrieval of the password and the password should be immediately changed after usage.

        This may sound a little extreme, but it is very easy to implement. If these or similar procedures are followed you will never lose the password and you won't have to resort to using week passwords.
        • An interesting idea, but how do you cope for users forgetting their passwords on a daily basis? If we assume that the administrator(s) can change the passwords for users, there has to be more than one administrative user. (Somebody has to man the tech support desk every day!) How can you guard the admin password like Fort Knox if it has to be given to several people?
  • by Anonymous Coward on Monday June 10, 2002 @07:24PM (#3676390)
    Bill Gates wearing full Viking armor and singing "Kill the GO-PHER, Kill the GO-PHER, Kill the GO-PHER!!!" to the tune of "Ride of the Valkyries." ;-)
  • "djupedal" has proved inspirational. I've been looking for a new Slashdot ID....
  • It's not clear whether backward last name was the actual password. Both the thank you notice and the news article say that was a password submitted by users.
  • So Microsoft is stepping up the removal of old code from Windows?

    Hrm, so this means that Internet Explorer will be gone from the OS completely in a few months? Cool!
    • by rufusdufus ( 450462 ) on Monday June 10, 2002 @07:34PM (#3676443)
      Removing gopher will effect a very very small number of people, and probably no 3rd party software vendors.
      Removing HTML rendering AND HTTP support (which is what removing IE equals) would screw many many users and thousands of 3rd party software vendors who rely on this support from the OS, in in fact render the system unusable as too many components rely on this support, 3rd party and otherwise.

      When MS says Windows is not modular, they are using a legal, not technical, argument. This is based on past cases where, for example, Ford was banned from buidling pick-up trucks with covers (ie snugtop) because it was an optional module.
      • Removing gopher will effect a very very small number of people, and probably no 3rd party software vendors.
        Removing HTML rendering AND HTTP support (which is what removing IE equals) would screw many many users and thousands of 3rd party software vendors who rely on this support from the OS, in in fact render the system unusable as too many components rely on this support, 3rd party and otherwise

        Nope, try again. M$ could care less about other software, as you can tell by their conatantly changing print methods. The reason M$ claims that IE can't be removed is because they put it in EXACTLY the way they were forbiden to by the federal government: spagetti coded into the OS itself through innumerable DLLs with multiple undocumented and unrelated interfaces. This kind of code mixing, like passing disk access through the GUI, is one of the reasons M$ is so unstable. IE is always on because it recieves many unecessary function calls. What you get when you try to remove IE is a box that won't boot. I doubt even Bill Gates knows what you get when you leave it in, besides poorer.

      • When MS says Windows is not modular, they are using a legal, not technical, argument. This is based on past cases where, for example, Ford was banned from buidling pick-up trucks with covers (ie snugtop) because it was an optional module.

        Well then, by thunder Microsoft should be banned from producing an OS with a browser included, because it's an optional module!

        Microsoft should be banned from including a Microsoft-branded browser, and if they want to keep IE they'll have to spin it off to a child company. This would be legal under that precedent (though the interaction would have to be watched) - it's the same as Ford including another company's cover with their trucks, which is perfectly legal. The court case only bans Ford from including a Ford-made cover.

        Instead they could take Apple's standpoint on the issue: HTML rendering services and APIs are provided, some kind of simplistic HTTP is provided, but a browser (i.e., complete application using those tools) is not part of the OS. Until recently, Internet Explorer and Netscape were both included with the OS (though IE was the default, grr...). This changed with OS X because until very recently there was no OS X-native version of Netscape. With the next version of OS X, due out in late summer, Apple probably will once again include both.

  • Protocol manager (Score:4, Interesting)

    by hackwrench ( 573697 ) <hackwrench@hotmail.com> on Monday June 10, 2002 @07:31PM (#3676427) Homepage Journal
    What Microsoft should add is a protocol manager that shows all the protocols your system can access, whether it be through Microsoft or other 3rd party vendors like Real's prn protocol
  • This is yet another reason Microsoft should open the source for IE.
  • Fortunately for Microsoft, the Gopher implementation in IE was inextricably integrated with Windows. I guess only the HTTP part of IE can not be removed without breaking the whole operating system.
  • This reminds me of an old joke by George Carlin (or at least I think it was Carlin).

    Newscaster:
    A man got on to an eastbound bus and killed three people. He then took a transfer, got onto a westbound bus and killed two more people.

    As a result, bus authorities say they will eliminate the transfer system.

  • ...the password was selected as to be easy enough to discern in the event of death.... After all, these are not state secrets we are talking about, now are they. A password was obliged and enabled, that's the simple driver. Beyond that, not much was to be gained by making it cryptic.
  • fool. (Score:5, Funny)

    by jcsehak ( 559709 ) on Monday June 10, 2002 @08:09PM (#3676601) Homepage
    it was as simple as 'ladepujd', the name of the database's creator spelt backwards

    What an idiot. I, an 31337 hax0r, am much smarter. My password, "78sne4ml;w" is composed of random characters, which nobody would ever guess. Lam3r.
    • Dear jcsehak,
      I apologize for disturbing you, but you seem to have omitted your slashdot password in the parent post. This could also just be a typo in the password you gave.

      Would you please reply with the correct password?

  • the japanese zaurus has a video adaptor so you can download movies to your zaurus. unfortunately, i don't think it's available for the us version (we have the ARM processor, they have the SH processor, i think) you can still view movies on your zaurus without a problem. smoother than the palm 505, i think

  • If worse turns to worst, Red Hat could always become a bond fund for fixed-income retirees.


    Funny, but then stacked up against the MS 40bn catastrophe fund even as bond funds MS still rules. The analysis was sound, and, sadly resonantes with the big questions Red Hat has yet to answer. IBM's brilliant play of the Linux market was worthy of note. Bill Gates stole the OS market from IBM when MS dumped OS/2, maybe IBM is looking to steal that market back. Mmmmmm a real fight between the Big Dawgs would be a spectacle to behold.

  • Back what? (Score:3, Funny)

    by TheFlu ( 213162 ) on Monday June 10, 2002 @08:20PM (#3676640) Homepage
    Good thing my name's not Bob.
  • "The problem is that you are dealing with 50 million lines of code and everything depends on everything else,"

    I'm prety sure that was established as bad form, oh, about 20 years before MS's birth.

    They never cease to amaze me with thier forward thinking 'inovation' though... Apparently spagetti code must be 'the wave of the future'. I guess I must not be hip enough, my boss better hirry up and fire me!

  • I remember using gopher back when search engines were just getting started. If you couldn't find it on the search engine, you could always try gopher.

    I kinda miss it... sniff. Poor lil guy.
    • I remember using gopher when that was the only available option. It was never a choice - it's a pants interface.
      If I wanted to find something, then I always used _archie_ (because there were no search engines as such).

      FP.

  • ...sounds similar to a procedure Richard Gere might need.
  • ...for a second, I thought that was some kind of sick synonym for gerbilling.
  • gopher://not.in.the.garden
  • by tulare ( 244053 ) on Monday June 10, 2002 @10:10PM (#3677129) Journal
    Be able to videotape the program which you cannot abandon and the image et cetera which always would like to carry about with simplicity operation, always carrying about, little being less crowded time and in et cetera the streetcar, freely it can view.
    Reminds me of the time I sent an email to someone in Italy whose knowlege of English was unknown to me. As a (attempted) courtesy, I bablefished the email first. The reply came back: "Dear Microphone,
    Please resend the message in English without the online translation. I'm very sure I will understand you better that way." 'Nuff said.
  • The password for the database has been found, it was as simple as 'ladepujd', the name of the database's creator spelt backwards

    So it took them what, maybe an hour to figure this out? but the plea has been circulating for several days...

    It's been true since I can remember: the larger the audience from which you beg a clue, the sooner you'll find it yourself, and the dumber you'll look because of it!

    How much ya wanna bet the folks who panicked wish they had just asked one or two buddies to help them out? :-D

  • by billcopc ( 196330 )
    As quoted from the M$ Gopher article:

    Marc Maiffret, 21-year-old security prodigy and chief hacking officer for eEye Digital Security, doesn't fault old code for security problems. He said that programmers who don't review the code before using it are at fault. Old code may have more security holes in it, but those holes should be caught, he said

    Okay, so they're interviewing a 21-year old who thinks he knows more about Microsoft's code than Microsoft itself. Yes it's true, in a perfect world we would all have infinite time to review legacy code and peek into shared libraries, but the matter of the fact is that fundamental reason we reuse code is to save time and effort. If we all spent our time rereading and retesting code whenever we glue it into something else, we'd be better off starting from scratch every time.

    This kid is a fast-talking idiot, nothing more.

The only difference between a car salesman and a computer salesman is that the car salesman knows he's lying.

Working...