Slashdot Mirror


MSNBC: Stealing Credit Card Numbers Online is Easy

tiny69 writes "This is the reason why I don't use my credit card on the internet. The people I give it to may not be as responsible as I would like them to be. It's easy to point the finger at Microsoft and the MCSE's running the systems on this one." [Irony alert!] Yes, MSNBC says all the servers they cracked were running MS SQL. [/irony alert]

330 comments

  1. Re:Windows 2000 by Anonymous Coward · · Score: 0

    oh come on- transparent windows isn't over-bloat...
    :o)

  2. Re:first German post (offtopic) by Anonymous Coward · · Score: 0

    Did you use babelfish to come up with this ?
    German articles:
    der = male
    die = female
    das = neutral
    You basically said that you are an inanimate object instead of a human being. Then again, you are probably right :-)

  3. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Well, to be fair to it, it's actually not as bloated as NT4 after SP6. It's lean for Windows, and for what they could have done to it. It does however, install pinball by default?! And, shock horror!!! It *doesn't* require a restart every 10 minutes. Office installed without a restart! What will MS think of next? They did also include a telnet server, but for some reason it doesn't need authentication to give you full access! (by default, anyway at least)

  4. Re:But do you use a cordless phone, or a cell phon by Anonymous Coward · · Score: 0
    Bah, even home shredders leave documents in a state where they can be put back together. Do you burn the shreddings afterwards?

    Feh. If I wanted credit card numbers, I'd go dumpster diving at Sears. :p Maybe I'd get lucky and find some discarded 'damaged' computer merchandise to rip the ram out of.

  5. Why does the media overlook the bigger point here? by Anonymous Coward · · Score: 0

    Why, when sites like CDUniverse or ebay have some major problem, does none of the mainstream press report that their servers are M$ boxes and that is where the real problem lies? Admins that use M$ boxes rarely have much technical savvy. This along with defective technology from Redmond makes for these huge problems.

  6. Re:Windows 2000 by Anonymous Coward · · Score: 0

    hehe. that's why it's not yet on the market. that's also why it's called "vapour". it IS the best thing to come out of micro$hit, yes. but then only crap comes outta there anyway.

  7. Re:Typical misinformation... by Anonymous Coward · · Score: 0

    What the poster says is only untrue if the admin and designers are morons. Unfortunately, that can be said of any database and/or web server configuration. After all, wasn't it just on /. that people recently defended linux in one of the server challenges because a "well" known security hole had been left open?

  8. Re:Typical misinformation... by Anonymous Coward · · Score: 0

    Perhaps MS's "you can train a monkey to admin NT" advertising campaign needs to be re-examined.

    Saving money by hiring idiots to administer your servers is not a good long term plan, no matter how easy your OS vendor claims their OS is to run.

  9. Re:Why Not Use Credit Cards over the Net? by Anonymous Coward · · Score: 0

    "Still, you have to notice the theft, and complain--not always trouble-free. And how quickly can you have your money back?"

    I know, I got cheated out of a weeks car rental by one of the large companies that by 'mistake' charged me the weeks rental plus insurance, even though I had a fully prepaid voucher for that.

    And this _wasn't_ on the Internet...

    It took me two months just to get a confirmation from the rental company that they've credited it back. Now I must contact my credit card company to confirm that the money was credited.

    But where is the interest, the cost in letters and phone calls? What about the stress it caused? Not even a "we're sorry, it was our mistake".

    I don't think I will retaliate here by mentioning that it was ****** ********. Because it wouldn't be a relief, and that isn't the point, others may screw up as often as these @!*# did...

  10. Re:NOT Microsoft's fault (for a change) by Anonymous Coward · · Score: 0

    Microsoft's advertising (in non-technical business oriented magazines) is that you can save money by hiring cheap MS-Chimps (tm) instead of expensive unix gurus. Stupidly configured servers is the result. MS is to blame for misleading advertising, and the MIS directors are to be blamed for believing Microsoft when they tell you why you should give them money.

    Hire idiots to run your server, and you get servers that run like they were configured by idiots. I am amazed that otherwise "smart" business people fall for this scam.

  11. Flamebait? Moderators are Morons by Anonymous Coward · · Score: 0

    Since when has a valid, proven, and ontopic opinion been flamebait?

    Only on slashdot could moderators have a negative IQ.

    1. Re:Flamebait? Moderators are Morons by Anonymous Coward · · Score: 0

      Ontopic reply (not ontopic to the story, but the original post) - The reply was to a post stating:

      >Well, Windows 2000 will surely fix all these network security problems.

      Now that validates it being ontopic.

      Proven - ok, which has more problems: MS-DOS edit, or Word for Windows? Which has more features? This applies to UNIX as well - which has more bugs - Emacs or Vi? Staroffice or Emacs? less or more?

      Why, the less featureful (less crap added on) versions of all these programs do. While less is stable - and probably is just as stable as more, less breaks more terminals, because it uses more features. That is, to me, a bug.

      Win2k therefore will have more problems (bugs) than WinNT 4 or Windows '98 because it has more crap (features). Especially new features that haven't had the problems ironed out.

      Valid - The original poster (i suppose as a joke) suggested Win2000 is going to fix the world's network problems. So I guess since there are no more problems to solve there will be no need for any service packs to it, or a Win2001?

      The reply suggests that there will be more problems with Win2000 than ever before because it is full of crap (features). Sounds like a reasonable argument to solving the world's problems to me (in fact, ANYthing is more reasonable than what the original poster suggested).

      Now, just because Win2k isn't mentioned in the article means nothing. If I suggest I like Klein bottles, and nothing else in my post, does that mean that comment should be totally ignored? No, it means that any responses to that post that comment on Klein Bottles are FULLY on topic to the post, just maybe not the article.

      If I were to take your stance to the extremes, it would mean that the STORY is offtopic too. What does stealing credit cards have to do with using geek software/hardware (news for nerds. stuff that matters)? Only a very little bit really...

      And I must say, credit cards don't matter to the true geek. The true geek doesn't use 'em (IMHO). They are donated whatever they want by other companies from their outstanding appreciation for their efforts.

      So there. :-)

    2. Re:Flamebait? Moderators are Morons by Anonymous Coward · · Score: 0

      >You're a f***ing moron. Go f*** yourself.

      Ahhh, that proves my theory - That the reason we all have a hard time understanding moderation is all the hormones that get in the way of normal feelings and ideas - That's what you get when you let a bunch of zit faced 15 year old male nuts in on the rabble. (I say that only because only a very immature person would find that phrase at all insightful. I would personally find it inciteful ;-).

    3. Re:Flamebait? Moderators are Morons by Robert+S+Gormley · · Score: 2
      I'm wasting my energy, but:

      valid - how so?

      proven - by whom?

      ontopic - where is Win2000 mentioned in the article?

      --

      Open Source. Closed Minds. We are Slashdot.

    4. Re:Flamebait? Moderators are Morons by Kaiwen · · Score: 1
      I've given up trying to understand Slashdot moderation.

      Recently, I spent an hour or so composing a detailed and -- if I may be so bold -- rather informative post in reply to an inquiry from an AC who was obviously clueless on the subject we were discussing. No flamage, no name-calling, no baiting. I got a 1 for my efforts, and that, presumably, was simply because I didn't post as an AC.

      The reply, which read in its entirety, "You're a f***ing moron. Go f*** yourself." was moderated up to 3 and labeled "Insightful."

      I've decided the best way to deal with the moderators here is to set my threshold back down to 0 and decide for myself what's valuable and what's not.

    5. Re:Flamebait? Moderators are Morons by nlamsben · · Score: 1

      Maybe it's time for some moderators who have passed puberty?

      --
      -------------------------------------------------- ---------- This program has performed an illegal o
  12. Re:And then we accuse MS of FUD ? by Anonymous Coward · · Score: 0
    In addition, they allowed the database to be accessed directly from the internet. The secure way to do it is to put a firewall between the website and database. Nobody besides your website is allowed to hit the database from outside the firewall. This would be rather difficult if you're not hosting the site on your own servers, of course.

    If you don't have a firewall, you can at least configure the website with a database login that only allows stored procedure access. Then even if a hacker does see your script, he can only run stored procedures. If you keep the username/passwords in a session variable (i.e. in RAM on the web server) and pass them in to be checked in your critical stored procedures, you can be fairly secure that way, if your sa password is strong.

  13. Re:Windows 2000 by Anonymous Coward · · Score: 0

    I don't know. It still has graphic operations in kernel space. Normal browsing for an hour makes around 400-500 buffer overruns in the serial port, and 100 crc errors. It has no proper shell, rendering it useless. Thats it. A useless OS :)

  14. Re:It *was* fixed by Anonymous Coward · · Score: 0

    Not to mention fighting a corporate bureaucracy where it takes a year of testing before Service Pack 6 can be installed -- Like some of us have to deal with.

  15. Re:Good tactic by Anonymous Coward · · Score: 0

    Seriously, those sound like good suggestions.

    Much less seriously, Anonymouscard does the "prepaid credit card" thing for porn. I have no idea if they're reputable or not, but in theory it seems like a good idea.

  16. Re:Why Not Use Credit Cards over the Net? by Anonymous Coward · · Score: 0

    a disputed charge (ie you don't think it is a valid charge) should be credited to your account as soon as you report it to your credit card company.

    The charge is then bounced back to the merchant in question, and they have to provide proof that the charge is valid.

    Only if they can prove the charge is valid will it be put back onto your account (plus interest).

  17. Re:2 questions about CC's by Anonymous Coward · · Score: 0

    I'll add one more: for periodic customers. I have worked on several systems where the customers are billed monthly. These systems need the cc number to process the recurring charges.

  18. Re:Suggestion by Anonymous Coward · · Score: 0

    There already is such a service: netcraft
    Simply enter the URL of an online merchant and see what software he is using before submitting your credit card info.

  19. Re:Typical misinformation... by Anonymous Coward · · Score: 0

    Starting with yours, jackass. Go drool on your Britney Spears poster and call us when you know what you're talking about.

  20. Re:Typical misinformation... by Anonymous Coward · · Score: 0

    That's bullshit. If you RTFM for SQL Server, the manuals tell you to change the fucking SA PW. Second of all, you can use domain security (authenticated by NT domain security), SQL Server authentication, or mixed between the two. Third, you can limit database access by login and assign a login to a particular user. If the sysadmins don't read the manuals and leave a gaping hole, off with their heads. They are liable, not M$. This is no different than if someone ran Linux and didn't take similar basic security procedures. And speaking of W2K, if there are any wannabe/paper MCSE's out there, good luck implementing basic w2k features without really knowing what you are doing! The product is not as easy to use as NT4 by any means.
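    The configuration that comment 12 (firewall plus a stored-procedure-only database login) and comment 20 (change the sa password, use a dedicated login, limit what that login can reach) both describe, written out as an added example. This is not code from the MSNBC article or from any poster in this thread. It uses SQL Server 2005+ syntax (CREATE LOGIN / ALTER LOGIN / EXECUTE AS); on the SQL Server 6.5 and 7 boxes of the period the equivalents were sp_password and sp_addlogin. The database name shop, the login app_login, the user app_user, the table and the procedure are all hypothetical, and the passwords are placeholders.

```sql
-- Added example, not from the article or any commenter. Assumes a database
-- named shop already exists; all object names below are hypothetical.

-- 1. The sa account. A blank or default sa password is the hole the article
--    describes. Set a long random one, or disable sa entirely when the
--    server only needs Windows authentication.
ALTER LOGIN sa WITH PASSWORD = N'REPLACE-WITH-LONG-RANDOM-PASSPHRASE';
-- ALTER LOGIN sa DISABLE;   -- preferred when mixed-mode auth is not needed
GO

-- 2. A separate login for the web application. The site never connects as sa.
CREATE LOGIN app_login
    WITH PASSWORD = N'REPLACE-WITH-ANOTHER-RANDOM-PASSPHRASE',
         CHECK_POLICY = ON;
GO

USE shop;
GO

-- 3. Map the login to a database user. A new user has no rights on any table.
CREATE USER app_user FOR LOGIN app_login;
GO

-- 4. The table holding customer data. Nothing below grants app_user access to it.
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY(1,1) PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,
    CardLast4   CHAR(4)       NOT NULL   -- store only what the site must show
);
GO

-- 5. The only way in: a stored procedure that returns the fields the page needs.
--    dbo owns both the procedure and the table, so ownership chaining lets the
--    procedure read the table without app_user holding SELECT on it.
CREATE PROCEDURE dbo.GetCustomerDisplay
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Name, CardLast4
    FROM dbo.Customers
    WHERE CustomerId = @CustomerId;
END;
GO

GRANT EXECUTE ON dbo.GetCustomerDisplay TO app_user;
GO

-- 6. Check the result by impersonating the web user in this session.
--    The impersonation context persists across GO until REVERT.
EXECUTE AS USER = 'app_user';
GO
SELECT Name, CardLast4 FROM dbo.Customers;    -- fails: SELECT permission denied
GO
EXEC dbo.GetCustomerDisplay @CustomerId = 1;  -- allowed: EXECUTE was granted
GO
REVERT;
GO
```

    With this in place, someone who reads the web site's connection string (or reaches the database port through an unfirewalled network) gets only the procedures app_user has EXECUTE on, not the tables. The firewall from comment 12 is still wanted on top of it, since it stops the listener on port 1433 from being reachable by anyone but the web server at all.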

  21. Re:::$DATA by Anonymous Coward · · Score: 0

    How do you know no one has penetrated the security of the Microsoft.com data centers? It's not like they would tell you if someone had...

    In fact, I'd say it's almost a certainty!

    AC - I'll take my zero now...

  22. Linux can be insecure too... by Anonymous Coward · · Score: 0

    A poor installation of Linux can be VERY insecure as well. NT by default leaves the system as open as possible so that even newbies can get a system up and running. We all know that is fine for a small office LAN, but is horrible for a live Internet system. As Linux installs become more "user friendly" this may become a Linux issue as well.

  23. Re:Windows 2000 by Anonymous Coward · · Score: 0

    A score of 0, flamebait no.
    Score 0, sure, but that was 'flamebait'?

  24. Re:Typical misinformation... by Anonymous Coward · · Score: 0

    hehehe, is someone feeling defensive because someone is stupid? :)

    You can go back to fellating your father now.

  25. Re:Administration by Anonymous Coward · · Score: 0

    Well, yeah, I've read that essay too, but avoiding the idiotic mistakes those people made is easy. Step one, apply recent security patches/service packs. Step two, don't leave a freakin' null admin password on your database. If someone is too clueless to take at least those steps, no software will help them.

  26. Re:Windows 2000 by Anonymous Coward · · Score: 0

    actually, it's "vapor."

    your intelligence sums up the Linux community pretty well as dumbasses,

  27. Re:::$DATA by Anonymous Coward · · Score: 0

    Slashdot has gotten terrible. Anyone who read the fucking article would have read that this was patched nearly 2 years ago. Instead, some idiot posts the obvious and gets 2 karma points.

  28. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Windows 2000 bloated? ROFL seems to me that a workstation install of most of the linux distros out there is about 600MB, about the same as a win2k pro installation. Guess that means linux is bloated too.

  29. Re:Suggestion by Anonymous Coward · · Score: 0

    Thanks, that's good to know. However, 90% of the problems aren't caused by using the wrong software.

  30. Re:Windows 2000 by Anonymous Coward · · Score: 0

    not all people and countries agree with your spelling, dumbass.

  31. ebay uses Sun servers you idiot by Anonymous Coward · · Score: 0

    do some research before you blame.

  32. ebay uses Sun servers you idiot! by Anonymous Coward · · Score: 0

    Excuse me. Do some research before you blame.

  33. Genius or bonehead advertising? by Anonymous Coward · · Score: 0

    I read the MSNBC article and found an ad entitled "Point, Click, Shop @ MSN Shopping!".

    Is this a good ad for the article ("Our competitors are not secure! Shop with us!"), or a bad ad for the article ("Shop online and get ripped off! Shop with us!")? You make the call!

  34. Re:Typical misinformation... by Anonymous Coward · · Score: 0

    Don't forget thats: MicrosoftNBC.

  35. Better to have thousands taken than one credit car by Anonymous Coward · · Score: 0

    What do you think gets noticed first, the guy who steals one credit card number a week for 5 years, or the guy who steals 2000 in one night? At least when a lot of card numbers get stolen, it is easily noticeable. What can somebody do with your number anyway? Almost all places check to see if the shipping address is the address listed with the credit card company. I guess if the guy wants to sit at your front door waiting for the package, he can do that, but I'll take my chances anyway. Sure beats driving 2 hours to get to a computer store

  36. Better to have thousands taken than one credit car by Anonymous Coward · · Score: 0
    What do you think gets noticed first, the guy who steals one credit card number a week for 5 years, or the guy who steals 2000 in one night? At least when a lot of card numbers get stolen, it is easily noticeable.

    What can somebody do with your number anyway? Almost all places check to see if the shipping address is the address listed with the credit card company. I guess if the guy wants to sit at your front door waiting for the package, he can do that, but I'll take my chances anyway. Sure beats driving 2 hours to get to a computer store

  37. Re:Windows 2000 by Anonymous Coward · · Score: 0
    Most Linux distros give you an option for a minimal install, which are normally under 100 MB. The base install of Debian 2.2 is 43850K. Does Win2K have a minimal or custom install option? I know you can't install Win98 without IE (I remember trying to do this, since I had IE5 when I installed it and didn't want to get downgraded to IE4 - I didn't succeed).

    The Win2K system requirements seem to indicate bloat:
    - 133 MHz or higher Pentium-compatible CPU.
    - 64 megabytes (MB) of RAM recommended minimum; more memory generally improves responsiveness.
    - 2GB hard disk with a minimum of 650MB of free space.

    Keep in mind that those are the *minimum* requirements. The minimum requirements for Win95 were, IIRC, around a 386/16 with 4MB of RAM. It was quite sluggish running on my 486/33 with 8MB of RAM, and not much better with 24MB of RAM (~3 minutes to boot Windows, after booting DOS).

  38. Re:For people who would egg Bill's grandmother by Anonymous Coward · · Score: 0

    It does seem that MSNBC's coverage of MS is fair. It really really annoys when news reports report on bugs and security problems and don't even mention the name of the affected software! That's a basic fact of the story.

  39. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Name one software product that installs itself with a secure password. A default password, whether it be blank, "password", or "d@3d1_+fGd" is not secure since it has to appear in the installation manual. The OS you're running to post your idiotic response was installed without a secure password. If it has one, you created it. This was a wetware issue...plain and simple.

  40. Better yet, make it an "Ask Slashdot"... by Anonymous Coward · · Score: 0

    nt.

  41. Re:Your own Win2K problems by Anonymous Coward · · Score: 0

    Another thing about Linux: Linux backup software can handle file names longer than eight characters. I guess in Micros~1 land, that is too advanced to do.

    What the heck are you talking about? Windows NT backup has handled long file names since version 3.1
    Time to get some new FUD to throw.

  42. Re:For people who would egg Bill's grandmother by Anonymous Coward · · Score: 0

    But it makes such a great acronym: MicroSoft: Nothing But Crap :-).

  43. Re:Don't be a moron.. by Anonymous Coward · · Score: 0

    So, then, you are advocating security through the obscurity of setup rather than by the obscurity of closed source code? The former is, if anything, even less valid than the latter. There are a multitude of books and websites that can "help" you get apache and MySQL running on Linux, even if you barely know the shell commands. Either cut & paste into your telnet on a windows machine or just click on the script in X.

  44. Re:Security Models by Anonymous Coward · · Score: 0

    That site works as a minimum for *nix as well.

    Try downloading a copy of nessus and running that against the machine in question.

    Would be cool if there was a site that scanned *nix machines for the common problems for each OS... Of course, it would likely be abused by the script kiddies just as much as it was of use to people for legitimate security testing, but isn't that always the case?

  45. Re:Typical excuses. by Anonymous Coward · · Score: 0

    " You haven't tried. Configuring Microsoft - any flavor - is simple - define your IP, Gateway, and netmask. If those are correct, then there won't be a problem."

    Hmm..could I have that in writing. Ooops, nevermind.

  46. Re:::$DATA by Anonymous Coward · · Score: 0

    How do you know no one has penetrated the security of the Microsoft.com data centers? Whoever did it would have posted it here...

  47. A Couple of Points by Anonymous Coward · · Score: 0
    UNIX is stuck with the all-or-nothing model of security, ...

    IMO, this is not a problem where e-commerce servers are concerned. The "all-or-nothing" model is primarily an issue when 'nixes are used as general computing platforms. 'Nix used for e-commerce is relatively easily properly secured these days. If you know what you're about.

    ...while Windows actually has a good model that is horribly implemented.

    Agreed. In some respects: Ms-WinNT has a better security model than does 'nix. But, and this is a big but: Ms-WinNT suffers from a plethora of problems. The biggest one is perhaps the impression fostered by Microsoft and its allies that "Windows makes it easy." (As I noted in another comment I made.) Where e-commerce is the issue, or even just being exposed to the 'net, there is no such thing as "easy." Another problem is that many products, including Microsoft's own, execute end-runs around the system's security model or force the Admin to compromise it so they'll run. So much for a good security model.

    Secondly, there's really only one really big difference between NT's security model and that of Unix: Administrator access. There's some serious misunderstanding about this security model. Management, and even some Admins, read about how NT does not allow the Administrator to access user data without the user being made aware. Fine. True. But how many end-users really understand the implications of this? Who do you think they turn to for an explanation when they see an indication that their data may have been raided? That's right: the Admin. So how much good does that security model really do from a practical standpoint?

    Until there is a concentrated demand from the public for security...

    Not likely.

  48. Re:NOT Microsoft's fault (for a change) by Anonymous Coward · · Score: 0

    You are full of shit.

    An inexperienced admin on ANY platform would make this kind of a mistake.

    I can't think of one NT/SQL Server admin who would be such a dumb ass, but I know one unix admin who thinks it can't happen to them because the path from the internet to their unsecured box is obscure to casual probing.

    Stupidity is an equal platform opportunity for disaster.

  49. Re:secure by default by Anonymous Coward · · Score: 0
    openbsd is far closer to secure by default than w2k. not that by default should matter, but if you have to go through hoops to lock something down, it's easy to make a mistake. (not that it seems to be the case here) judging by the track record of windows, i still think it's silly to use windows for such things. if w2k can prove itself, so be it, but it's too early to tell.

    can you really trust the security of any software for which you do not have the source? does not get the potential peer review of all its users? no, not every user is going to do a full audit, but dont underestimate the paranoid who will.

    i look forward to a future where people no longer trust what they cannot get the source to and coding is common knowledge (not that im certain this will happen, but it could make some parts of our lives easier)

    -- pixel fairy (just not logged in at the moment)

  50. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Best OS on the market? hm.. well actually, since the distribution of Linux does not follow supply and demand, technically it's not ON the market, right?

  51. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Well if it's not bloated then I don't even want to guess why it takes four TIMES longer to install than NT4 on the same machine, takes three times longer to boot, and twice as long to shut down. I'm also wondering why it runs 2d games (mainly SubSpace) with 30% less framerate on a Pentium _PRO_ than on windows98 (remember that pentiumpro runs 16-bit code ~15% slower than 32-bit code & windows9x has 16-bit code).

  52. This may not be news to *us*, BUT... by Anonymous Coward · · Score: 0

    I'll bet it is for a lot of people who made their first online purchases last month!

    I'm referring to the people who use the internet as another method of mail order and *DON'T* read Bugtraq, Security Focus, or Slashdot. Although these folks may be aware that it's possible to extract credit card info from websites, past general-media coverage has probably led them to assume that such extraction involves a high level of technical skill on the part of the extractor. Well, now we have a bunch of reporters (!) obtaining large amounts of data NOT through some arcane crack, but because many site administrators are too lazy/clueless/busy/underfunded to bother locking the doors. IMO, this report is a Good Thing because (1) it's in relatively plain language (no technical MEGOs), and (2) it may make the PHBs (and the credit card companies) more aware of the technical issue of i-net available databases, and encourage them to worry about it.

    Another important point, obvious to Slashdot readers but probably not so obvious to the general public, is the sheer amount of information that can be obtained through a single break-in. While there are many ways to obtain a card number or two (and if we didn't already know some, we do NOW, thanks to several of the above posts :-)), there aren't *THAT* many ways for some outsider to obtain multiple card numbers from a business, especially with the card information linked to useful things like customer addresses. Now that this has been demonstrated, we should expect the card companies to add some data security requirements to their merchant agreements. (Perhaps something on the order of: "Failure to properly secure this information is gross negligence on the order of leaving months worth of filled-out manual slips on your front counter for casual passers-by to dig through.") This will also be a Good Thing, because it will mean fewer customers will have to go through the hassle of canceling compromised cards, fewer businesses will lose money because of bogus transactions (maybe they'll drop prices), and fewer techies will have to beat their heads against walls of management ignorance of the importance of proper security.

    Sounds like a win for everybody except the criminals!

  53. Pay Attention, doof. by Anonymous Coward · · Score: 0

    The guy said that Microsoft was to blame because their advertising encourages companies to hire idiot admins. He was not denying that idiot admins exist on every platform. The point was that Microsoft's emphasis on making things "easy" lends itself too easily to PHB's deciding that if it's easy, any moron can do it.

  54. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Umm, Microsoft doesn't make MySQL.

  55. Poor Microsoft by Anonymous Coward · · Score: 0

    I have here in my hand a list of about 15 different exploits for the latest versions of Microsoft NT and Windows 2000. These exploits are only known to a few people and they are very very nasty. In every case using any one of these 15 exploits will gain access to the entire system. I have personally tried these and know them to all be functional.

    The question then becomes should I report these exploits to Microsoft? My answer is no. Why on earth should I help an illegal monopoly in its quest for world domination by flooding the market with half baked immature, insecure junk? I think I will try to sell these exploits to Microsoft for a sum of $250 Million. After all, it will cost them about this much money for their dim wit programmer staff to find the problems if ever.

    I find it utterly amazing why anyone would even bother to deploy a known insecure mess like Windows*. There was a time when being a computer professional was an honorable job, but unfortunately stupidity has taken over because Microsoft has created a generation of jack in the box administrators who have no business even being behind a console.

    As for me, I'll continue to deploy BSD and Linux. BSD is the most secure os out of the box period. You have a problem with this, try to get over it. As for Microsoft and these 15 unpublished exploits, I will think about what is to be done. Whatever does happen, it will *NOT* be favorable to Microsoft.

  56. Re:Is this really a new problem...? by Anonymous Coward · · Score: 0

    What I like about credit cards is that if someone grabs your number and starts buying stuff with it, it'll show up on your next bill, and you can call the credit card company. This happened to me on my Visa once, and I complained. They handled it and took the charges off my bill and fixed everything. So it's not quite as bad as carrying cash and having some thief steal it.

  57. POLYESTER.NET HUMOR POSTCARDS!!@# by Anonymous Coward · · Score: 0

    VISIT POLYESTER.NET FOR VIRTUAL HUMOR POSTCARDS AND ANTI-LINUX IMAGES!!@!@#$

  58. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Funny how you CAN run an enterprise on something that is useless. Wow, imagine what Linux can do, since it's not useless.

  59. Re:Better to have thousands taken than one credit by Anonymous Coward · · Score: 0

    What you do is take a blank credit card and use the stolen number to create a new one. Walk into any store and buy what you want. I very rarely see clerks taking even a small look at the credit card. If you think fake cards are a joke think again. The moral? Check your bill. If you see something you don't remember complain. OTOH don't think non-internet stuff is safe either. If you wanted to get CC #'s from normal retail store fronts it isn't impossible.

  60. Re:Windows 2000 by Anonymous Coward · · Score: 0

    And what are the realistic requirements for a Linux + X Windows System install -- prolly around P-133, 64MB.

    (Microsoft's 64MB, however, is a baldfaced lie. NT4 barely runs with that amount of memory, NT5 certainly won't be that much better.)

  61. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Yup, MS-SQL sucks in this respect just as hard as Oracle. The theory is idiots aren't setting up these boxes.

  62. what worries me by Anonymous Coward · · Score: 0

    I'm not too concerned about credit cards getting hacked - liability is limited there.

    What *is* a worry is investment firms.

    My last job was at one of the 'top' investing firms, and part of my responsibilities was managing some of their firewalls. As a result, I had a pretty good idea of the security measures taken, from the Internet access points all the way up to the client databases.

    Looking back on this, it would be simple for someone to work their way in. Internal security was *extremely* soft; there were modems on people's desktops with no security, telnet was used for access to sensitive databases, and encryption was used sloppily at best. Security was an afterthought in the design process for both systems and applications.

    As a result, once anyone got inside, it would be trivial to sniff some access to about everything. Since 'inside' is a worldwide network with no partitioning and tens of thousands of hosts, this isn't exactly rocket science.

    Most of this was because of internal politics; the group controlling security had advisory powers at best.

    I'm currently at a startup, and with any luck will have a reasonable amount of money to manage in a year or two.

    Based on what I know, I'd be very, very wary of investing any substantial money in that or any other firm without a very complete and carefully worded, written down understanding of the liability of each party. After that, I would demand to see the results of regular system-wide security audits by external organisations, and ask for increased identification requirements for access to my accounts.

    Anyone who has a substantial amount of money in one place should do likewise. This company was not stupid, and certainly didn't lack for money, but they were short on clue, and you get a certain level of mediocrity in any large corporation.

  63. Debit cards protection by Anonymous Coward · · Score: 0

    My debit card number was stolen and USED at an online shop. Since I didn't use the number online, it goes without saying it was stolen in meatspace.

    When I disputed the charges, the bank issued a temporary credit to the account and after they did their little background checking, made the credit permanent.

    The exact wording in my user agreement isn't near me now, but as far as I recall, debit cards are NOT as protected as credit cards, but they don't leave you completely liable either. Now whether that's law or bank policy? That's a question for someone else. :)

  64. Re:Windows 2000 by Anonymous Coward · · Score: 0

    Why are all you people thinking of win2k... and really using it and trusting it.. I need to know what I'm installing if I install something; this isn't changed in win2k I guess? (someone tell me) For me.. if somebody tells me that he is using windows that person doesn't know much about his pc.. and most linux(unix) users DO!!! that's the difference....

  65. Re:Windows 2000 by Anonymous Coward · · Score: 0

    > Normal browsing for an hour makes around 400-500 buffer overruns in the serial port, and 100 crc errors.

    Really? I use the Professional (RC2) version and it never crashed so far. By the way, are you a MORON?

  66. Lipstick on the Pig by Anonymous Coward · · Score: 0

    -- Windows 2000 Server needs 256 MB RAM. That's what it says on the box. (P.S. MS tried to get away with saying 128 MB until beta-users started shouting at them). No, W2000 is bloated beyond belief. Not efficient. The best design is not reached when you have nothing more to add but '.. when there is nothing more to take away'. MS have never understood this, and probably cannot fiscally. Why? well no new features = no ability to market = No sales = No money ... you get the overall picture yet? (Ans :- To stay in business MS HAS to bloat)

  67. Small curiosity - SQL server 6.5 or 7? by Anonymous Coward · · Score: 0

    -- which version are you referring to?

    1. Re:Small curiosity - SQL server 6.5 or 7? by chazR · · Score: 1

      Alright, to be honest almost all my production experience is with 6.5. It is measurably slower than Oracle 7.3.4 and 8.0.5 on the same hardware. I haven't done enough with SQL Server 7 to comment about performance. I have done some work with Oracle 8i, and all I have to say is "Buy another bucket of memory". It is a complete hog, particularly doing imports. Way cool, though.

  68. Big deal. by Anonymous Coward · · Score: 0

    This is not amazing at all .. a couple of months back I noticed that a website I was going to order from was storing all of its form data in a file in /_private/orders.txt .. it was a well documented problem for IIS .. written about in a phrack article over a year before ..

    I wrote a little script which looked at cached orderform pages off google and parsed them for the same problem and ended up bagging around 3000 credit card numbers myself.

    You must trust the vendor to be competent; unfortunately, with the increase in internet shopping, the technically competent among us are going to have to keep a vigil for those who cannot check this themselves.

    1. Re:Big deal. by blowdart · · Score: 1

      That's not IIS though, that's Front Page extensions; you can set it up to do the same thing under any of the other web servers Front Page mangles. I know it may be snobby, but would you trust your credit card numbers to a site written in Front Page?

  69. Re:Is this really a new problem...? by Anonymous Coward · · Score: 0

    Hey, covering your own ass IS protecting the consumer. That's how capitalism works, right? You screw up, nobody buys from you. You be nice to the consumer, people buy from you.

  70. Re:Windows 2000 by Anonymous Coward · · Score: 0

    because it won't let you into outlook on a nt4 network unless you have domain-admin privileges.

  71. Re:Windows 2000 by Anonymous Coward · · Score: 0

    actually, it's "vapor."

    actually it's 'English', not 'American'.

    your affectionate friend

    AC

  72. Re:Windows 2000 by Anonymous Coward · · Score: 0

    I have been using W2000 since the RC1 and so on. I do not agree with you that it is better than WinNT4.0 server; it can do the same things but requires more hardware to give the same performance. And if you need security, both of them have huge weaknesses (apologies for my bad English) Magnus L MCSE

  73. Re:first German post (offtopic) by Anonymous Coward · · Score: 0

    > As far as I'm concerned though, we're all inanimate sql entries to each other. :)

    Or /really/ well coded eggdrop bots =)

  74. Re:Windows 2000 by Anonymous Coward · · Score: 0

    > it's the best OS currently on the market

    It is not publicly available at the present time. It is not even on the market yet, so how can it be the best on the market when it is not currently available on the market?

  75. Not just technical holes... by Anonymous Coward · · Score: 0

    The inadvertent code errors are just part of the problem, and not even the most serious part, in my view. I work for a large e-commerce company, and our clients frequently require us not to encrypt credit card numbers - either in the database or in e-mail - either to save development time or because they don't want to learn how to decrypt them. Sysadmins can read them at will, and they're e-mailed in bulk to fulfillment houses where God knows how long they lie around in printouts or on hard drives.

  76. Re:Windows 2000 by Anonymous Coward · · Score: 0

    at our company we use nt4 sp5 on 32meg mem p100's and they run fine, they run quicker than win95 does on the same machine actually

  77. Re:Why Not Use Credit Cards over the Net? by Anonymous Coward · · Score: 0

    What city (just to avoid naming a company) did this bogus insurance charge show up on your rental? I travel a lot and use a few different voucher-taking rental companies... I'd like to know what cities to avoid.

    Private email can be sent to john_and_ken@hotmail.com.

  78. Re:kernel graphics by Anonymous Coward · · Score: 0

    Ummm... actually, the purpose behind the Frame Buffer was to allow Linux to run natively on proprietary hardware that didn't have a "text mode". (i.e. Apple Macintosh)

    I have yet to see any user-space applications that require you to have the frame buffer running, and I suspect (and hope) that I never will.

    --

    "The only reason I keep my MS-DOS partition around is so I can mount it like the bitch it is"

    Ethan Baldridge

  79. Reported this hacking attempt to the FBI by Anonymous Coward · · Score: 0

    I sent the FBI an alert that MSNBC has twice now hacked into sites and potentially stolen over 6,500 credit cards. I encourage everyone else to do the same.

  80. Re:OPEN SOURCE CREDIT CARD by Anonymous Coward · · Score: 0

    .

  81. But do you use a cordless phone, or a cell phone? by Anonymous Coward · · Score: 1

    Anyone with a scanner can intercept credit card numbers using these methods. Any transaction made without using cash is susceptible to fraud or theft.

    Do you shred all your personal documents? Do you review the security procedures of your bank? I'll bet not.

    The only reason this is noteworthy is because this abuse happened over the 'net. It's hardly a novel threat.

    I'm patiently awaiting the calls for regulation of online businesses to "protect consumers" from this kind of thing. The better to tax them with.

  82. No firewall? by Anonymous Coward · · Score: 1

    I would hope that a database server like that would have been set up behind a firewall which blocked all access to the database admin ports, Microsoft RPCs, etc. and only allowed HTTP and HTTPS access.

    OK, a hosting service might allow an IP they know is the client's to administer the server, but not the whole internet!

    If a firewall isn't blocking database admin, it might not be blocking NT file sharing either, and that opens a whole new can of worms.

    And no, this isn't an NT problem. If I had a MySQL system and allowed the whole internet to access port 3306 on the server, then I'd be in trouble, too.

  83. Re:Windows 2000 by Anonymous Coward · · Score: 1

    By default the Win2K telnet client logs you on to the server with the login credentials you supplied to your workstation. This is the username/password you typed in at the Ctrl-Alt-Del logon prompt.

    In other words, if you're logged into your workstation as JoeUser, you will be automatically authenticated as that user to the telnet server on the machine you're trying to connect to.

    This is done via NTLM or Kerberos, depending on how your domain is set up, so it is pretty secure. It works just like how you don't have to type in a password to connect to a file share if you've already authenticated to the machine.

    I would note that the default Win2K telnet server config is actually much more secure than a regular telnet server, since passwords are not sent over the wire in plaintext.

    Turn on IPsec, and the session traffic will be encrypted as well.

  84. Fer Cryin' Out Loud by Anonymous Coward · · Score: 1

    What kind of idiot would expose an unsecured server running a database manager (Ms-SQL Server or otherwise) directly to the 'net?

    This only proves a point that I've long been trying to make to those who have been of the opinion that "once Microsoft enters the server market, the Bad Old Days of needing arrogant computer gurus will be over." Frequently heard in pre-WinNT days and apparently still believed by many.

    The point is this: sophisticated and powerful computing problems need sophisticated solutions, implemented by knowledgeable and talented computer engineering professionals.

    Make no mistake: this kind of thing is not Microsoft's fault. It was just an amusing irony that MS server products were the ones that were discovered/investigated. And lest anybody think that non-MS platforms/software are unlikely to suffer the same kind of fate: witness the Serious Bug in MySQL password handling recently reported on bugtraq. How many E-Commerce site admins running MySQL do you suppose don't even know about that one, much less have it plugged?

    Where Microsoft is to blame, IMO, is in promulgating the myth that their products take the complexity out of complex problems. Sorry, but it just ain't so. What they do accomplish is burying details so effectively that the solutions appear simple. (And, ironically, even if you know they're not: making it hard to "get to the root of things." [No pun intended.])

    Real computing problems require real solutions implemented by real computer-savvy, intelligent and, perhaps most of all, focused and responsible engineers. Not some liberal arts or business marketing graduate that took one-or-another vendor course and got his or her "certificate." Regardless of the chosen solution. (Tho I, personally, do not recommend MS-based solutions.)

    1. Re:Fer Cryin' Out Loud by dieMSdie · · Score: 1

      Well said! I tried to say this earlier in the thread, but much less eloquently than yourself.

      --
      Don't throw your computer out the window, throw the Windows out of your computer!

    2. Re:Fer Cryin' Out Loud by wanrat · · Score: 1

      I agree with you, except to note that many of the smaller e-commerce sites have opted to integrate their processes on a single box to save money. This is noble and all, except, as you noted, when it gets carried too far (in the direction of miserliness). Actually, in some respects, the argument towards running multiple processes on a single server could be validated for security reasons themselves. I mean, past a certain point where you have the server into a current-patch/known good state, my first instinct is to reduce the number of necessary connections of any kind to try to keep it as safe as possible. An ODBC call to another server is just another link to hack at.

  85. Suggestion by Anonymous Coward · · Score: 2

    It would be nice if somebody decided to maintain a "black list" of sorts that contained the names of all companies & web sites that are found to be using inadequate security measures for e-commerce. There are several self-proclaimed hacker groups who keep telling us how their cracking antics are really doing the rest of us a favor. I wonder if any would be willing to prove it by creating and/or maintaining such a list. Its benefits for the average consumer should be obvious.

  86. Look! Up in the sky! by Anonymous Coward · · Score: 3

    This looks like a job for...

    WHOOSH!

    Bill Gates, Chief Software Architect! (Dah-da-da-DAH!)

  87. Gaping holes, clueless management : help ! by Anonymous Coward · · Score: 4

    OK, the second security related story in two hours, it has to be a SIGN .. ;)

    Posted via Anonymizer as an AC for reasons which will become obvious ...

    This is off-topic as far as this story is concerned, but I'm posting because there are (I think) lots of people in a similar position & I really would like to hear some fresh thinking about how to wake my employers up.

    I'm employed as an intranet developer by AMegaCorp.,Inc., a business services firm. With the thrill of anonymity I can name a client to give you an idea of how big they are : Ford Motor Co.

    Our people have daily access to insanely sensitive stuff. Stock prices moves would be the tip of the iceberg. There's a fair amount of, um, politically sensitive stuff in there, too; let's just say defense, nuclear ... that kind of thing.

    • We have no corporate IT policy.
    • We issue staff with Win 95 laptops; it's also on all the desktops. (Yes folks, even NT would be safer than 95 :) )
    • We have no IDS.
    • We have 'a firewall'.
    • We have a reasonable virus protection package.
    • We have fast desktop net access; I'm no expert, but I can see a LOT of ports on external boxes.
    • I actually had a support call from a user who's "internet is broken, yeah, since I disconnected this modem I was using to access hotmail, could that be it ?"
    • We are about to embark on a major rollout of RAS ...

    I've tried raising these issues in various ways, with no effect. Should I just run away ASAP ? Or am I morally obliged to do something about this ?

    Seriously, any suggestions ?? This is doing my head in !

    --

    healing bex

    1. Re:Gaping holes, clueless management : help ! by tregoweth · · Score: 1

      Send anonymous, detailed descriptions to major media outlets, and look for another job? I doubt that working amongst all of that cluelessness can be pleasant.

      -j

  88. CC# security - 40-bit SSL is common in UK. by dwmw2 · · Score: 2

    Many companies in the UK are only using 40-bit SSL, which is blatantly insufficient. Offenders include Dabs Direct, who actually told me that they're happy with 40-bit SSL and don't intend to upgrade.

    I've spoken to NatWest Streamline, who perform CC clearing for many online retailers, and they don't intend to increase their minimum security guidelines to 128-bit SSL. I know know which of the two is being more negligent.

    Even the Which? Web Trader Scheme doesn't mandate 128-bit SSL, which is insane.

    1. Re:CC# security - 40-bit SSL is common in UK. by Awel · · Score: 2

      On the other hand, even sites with 128-bit SSL don't always have a clue. Lloyds Bank, for example, has online transaction facilities, and requires that passwords be between six and eight characters long, and alphabetic characters only. The idea that a password should not be easily guessable doesn't seem to have occurred to them.

  89. Re:Good tactic by Tony+Shepps · · Score: 2

    Good idea. Have you gotten any unexpected results from this?

  90. Re:Why Not Use Credit Cards over the Net? by Trepidity · · Score: 2

    Not necessarily. Recently there was a guy that got caught in New York who had been scanning people's cards twice - once on the cash register for the purchase, once through a reader attached to his Palm Pilot which saved the numbers. Apparently he did this for several months (and got several thousand credit card numbers) before somebody noticed he was scanning their card twice and not providing a good enough explanation.

    Sure, this is an isolated incident, but so is the CDUniverse crack.

  91. Re:Typical misinformation... by Simon · · Score: 1

    > Yet again, Slashdot spews out anti-Microsoft FUD with as much fervor and skill as Microsoft spews out anti-Linux FUD.

    I don't know who or what you are responding to, but I've read almost all of this discussion and I haven't seen anyone 'spewing' anti-MS FUD or claiming that these servers were 'cracked'.

    The article also said that the ::$DATA problem had been patched ages ago.

    --
    Simon

  92. Obvious solution: by pb · · Score: 3

    This isn't a problem, it's a solution:

    Let's sue MS-NBC for stealing 2,500 credit card numbers!

    These sorts of lawsuits are brought against [cr|h]ackers all the time. The defense? "Um... I wasn't going to use them, I was just... just wanted to see if I could get them! Yeah, that's it!" Yeah, right. And that's what MS-NBC wants you to believe too. So either we'll have a precedent for being able to collect information on the grounds that it's cool, or we'll get to sue MS-NBC back into the dark ages. Sounds good to me.

    (all you have to find is one of these companies who actually knew they got hacked... um... never mind. :)
    ---
    pb Reply or e-mail; don't vaguely moderate.

  93. Re:This Is Probably A Good Thing... by sjames · · Score: 2

    > 1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.

    EXACTLY!! My first thought was why are they even allowing access from outside their own domain. It's easy to set up and can protect you from a multitude of mistakes in other areas. I wonder what those companies would do if someone issued 'delete from orders;' or some such?

    All of the things you mentioned are important, but that one thing would go miles in the right direction.

    I would add one more thing: NEVER allow a cgi script to pass in unchecked SQL. That's begging for trouble!

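The "unchecked SQL from a cgi script" point above, as an added example that is not code from the original thread: the same lookup written the way the comment warns against and the way it should be written, run against a constructed `orders` table in sqlite3 (standing in for whatever database the sites used).

```python
"""Unchecked vs parameterised SQL from a web script.

Added example for the "NEVER allow a cgi script to pass in unchecked SQL"
point; not code from the original thread.  The orders table, its rows and
the test inputs are constructed for the demo, and sqlite3 stands in for the
site's real database engine.
"""
import sqlite3

# Constructed sample data: a small orders table like the one the thread
# refers to with its 'delete from orders;' worry.
SAMPLE_ORDERS = [
    ("alice", "order-1001"),
    ("bob", "order-1002"),
    ("o'brien", "order-1003"),
]


def make_db():
    """Build an in-memory database holding the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, order_ref TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return conn


def orders_unchecked(conn, customer):
    """The pattern the comment warns against: user input spliced into SQL.

    Once the string is built the database cannot tell data from code, so a
    quote character in `customer` changes what the query means.
    """
    sql = "SELECT customer, order_ref FROM orders WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def orders_parameterised(conn, customer):
    """The fix: the SQL text is fixed and the input travels as a bound value."""
    sql = "SELECT customer, order_ref FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def compare(customer):
    """Run both variants on the same input.

    Returns (unchecked_result, parameterised_result); an unchecked result of
    None means the spliced string was not even valid SQL any more.
    """
    conn = make_db()
    try:
        unchecked = orders_unchecked(conn, customer)
    except sqlite3.OperationalError:
        unchecked = None
    checked = orders_parameterised(conn, customer)
    conn.close()
    return unchecked, checked


if __name__ == "__main__":
    # A normal name, a name with an apostrophe, and the classic tautology.
    for name in ("alice", "o'brien", "' OR '1'='1"):
        u, p = compare(name)
        print(f"{name!r:16} unchecked -> {u}  parameterised -> {p}")
```

The apostrophe case shows the problem is not only malice: a legitimate customer name breaks the unchecked query, while the parameterised one returns exactly that customer's rows.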
  94. Re:Why Not Use Credit Cards over the Net? by C.Lee · · Score: 0

    >I can't understand why people refuse to buy things over the internet.

    Give *ONE* good reason to buy something over the Net.

    Cheaper? Not really.
    Faster? Again, not really.
    Easier? Try buying something that's actually useful over the Net, and then compare it to buying it at a Wal-mart department store....

  95. MS servers get cracked more because there are more by heroine · · Score: 5

    If you haven't already noticed, most of the servers which are used by businesses are Win NT. Maybe if businesses used UNIX instead you'd see UNIX SQL installations getting cracked. UNIX owns the college and hobbyist world for 50% of the internet, but Win NT clearly owns the part of the internet that deals with business. Just read Alan Cox's diary. Every business server he deals with is running Win NT whether it's catalog orders or metro stations. Not a single business server he mentions is running UNIX. Not a one. Just because colleges and hobbyists account for over 50% of the internet doesn't mean that businesses are flocking to UNIX, which they obviously aren't.

  96. Re:MS servers get cracked more because there are m by Frodo · · Score: 1

    Maybe that's why they are getting cracked? They read PC Magazine, buy NT, hire some freshly-out-of-college MCSE wannabe-admin that knows exactly one thing - to click "OK" buttons, and then they wonder why their systems are wide open and bent... The only reason we don't have 10 times more such cracks is because 99% of crackers are plain stupid - even too stupid to correctly run a ready-made exploit, not to say make one themselves.

    --
    -- If you can read this, you have too much learning.

  97. Re:Windows 2000 by jafac · · Score: 1

    I used beta 2.

    And I wholeheartedly disagree with you.

    the term "bloated" refers to a lot of things, but mainly, to the fact that the bar is raised with each release with regard to minimum hardware requirements. W2K's minimum hardware requirements are fairly astronomical. When you run it on low-end hardware, it is slow as hell. And in the Microsoft-run training class I took, we couldn't get half the machines to install DNS, and therefore couldn't get ActiveDirectory to run on those machines, and therefore couldn't install most of the nifty new cool spiffy features Win2K supposedly has.

    It's a big bloated piece of POO, unless you can buy shiny new very expensive Intel hardware to run it on.

    I wish I had a nickel for every time someone said "Information wants to be free".

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.

  98. Re:You work for Microsoft, don't you? by jafac · · Score: 1

    "IE technology & IIS etc are important to windows 2000 cause they provide objects and libraries that are used as
    other parts of the OS."

    A **RESPONSIBLE** OS vendor would ship the libraries and objects SEPARATELY from the application, allowing people to install the libraries and objects, and use whatever web browser and web server applications they want.

    Applications != Objects and Libraries.

    I wish I had a nickel for every time someone said "Information wants to be free".

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.

  99. Re:Windows 2000 by jafac · · Score: 1

    Your $700 machine is obsolete, because you're not going to be running W2K on it. Not effectively anyways.

    PS. I brought in over $100k last year, and I just bought a $4500 Sun Ultra 10, so don't go talking about things you have no idea about. I'd just prefer an OS that lets you spend money on hardware for performance improvement, not spend more money for the same or worse performance, and I'd like hardware to be useful past a 2-year horizon. In an NT network, if you go W2K, if you want to take advantage of most of the new features, you need to run CaptiveDirectory, so you have to be homogeneous with respect to OS, which means the Pentium 200 you used to run NT 4 on gets shitcanned. With Linux, when you buy your shiny new dual Xeon 500, you can keep your Pentium 200 around as a DNS server or something.
    There's a difference between demanding cheap, rock-bottom priced systems, and demanding value for your hardware dollar.

    I wish I had a nickel for every time someone said "Information wants to be free".

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.

  100. I find it odd ... by Frater+219 · · Score: 3

    ... that Bob Sullivan and Anatoliy Prokhorov would admit, in a news article published worldwide, to having committed several counts (possibly 2500 counts, to judge by the example of Kevin Mitnick) of a few major felonies. Plus, of course, listing the names of the sites from which they stole the credit card numbers ... is this reportage, or script-kiddie-age? "Gimm3 y3r k0d3z, d00d!!!!"

    MSNBC may be a touch more honest than Microsoft proper, but that doesn't mean they entirely have their clue on straight. Yes, tell the world that MS SQL has security holes in its defaults ... Yes, tell the world that hiring a Microsoft Certified-Clueless Database Administrator is a bad idea ... but no, don't publicly admit committing felonies like that. At least, not under your real name, Bob and Anatoliy.

    Clues?

  101. They should ask before storing the number by Malc · · Score: 2

    I wish that web sites would give us a choice about storing our credit card numbers. The last time I used Amazon.com (long ago, before the recent boycott due to B&N) was right before my credit card expired. I'm happy to use my credit card online, but not somewhere where they store the number (I don't mind typing it in every time). It's two years before my current cards expire. Who's to say if/when an online DB gets compromised: two years is a long time in computing circles.

  102. Re:It *was* fixed by longspur · · Score: 1

    Nah, I'd say the problems lie in those companies that can't afford wetware and expect an "easy to use" gui-based OS to compensate for their decision to hire "air"ware.
    --
    keep acting shocked and move slowly towards the cake.

  103. Re:Typical misinformation... by alexsh · · Score: 2

    Gosh... Why don't you just calm down a bit? This isn't an anti-Microsoft article, this is an article about the current state of security in e-commerce, which contained an amusing note that Roblimo highlighted (with a prominent irony alert) for our entertainment. Slashdot doesn't spew out anti-Microsoft FUD, this article doesn't contain anti-Microsoft propaganda, and you should just chill down and stop wasting your nerves on such nonsense.

  104. Designed for and used by morons. by Colin+Smith · · Score: 1

    Why are we at all surprised?

    The software is specifically designed to make it easy for *anyone* to set up a database. Even an "Internet Database". No thought required, just point and drool.

    Why are we surprised that any moron who thinks they know what they are doing can set themselves up as "Internet Consultancies" and sell "Web Solutions" to Credulous Customers? Or that the resulting systems are criminally insecure?

    Security is difficult. It has to be thought about. That's expensive, it takes experience and the Credulous Customer wants to save £5,000 so they look at the shiny new MCSE's and get a warm fuzzy feeling inside.

    I wouldn't blame the sysadmins too much either. They probably had absolutely no say in the design or implementation or continual running of the systems. Of course any attempts to improve the security and add patches, break the application horribly and the wrath of the CIO comes from on high to put it back the way it was.

    --
    Deleted

  105. Experience tells us M$ usually is to blame. by Colin+Smith · · Score: 1

    Think of it as a response cache. You'll get a hit 99% of the time.

    --
    Deleted

  106. It *was* fixed by Matt+Lee · · Score: 2

    It was fixed over a year ago, and the patch was distributed.

    These examples show that the problems don't lie in the software - it's in the wetware. Any system, OS, or combination of the two can be insecure with a stupid enough person at the wheel.

    1. Re:It *was* fixed by Cassandra · · Score: 1

      > These examples show that the problems don't lie in the software - it's in the wetware.

      I'd say it's in the software as well. All humans make errors now and then. Thus, it would be reasonable to desire software that makes human errors (such as overlooking a config option) less likely. Stupid defaults in server software do the opposite.

  107. Someone's missing a big point here... by PiMan · · Score: 1

    MSNBC cracked 7 servers and got 2,500 credit card numbers. This is a blatantly illegal act. WHY THE HELL ISN'T SOMEONE SUING??!

    --
    Windows 2000: Designed for the Internet. The Internet: Designed for UNIX.

  108. Rubbish by Zemran · · Score: 1

    The fact that M$ leaves the site open to attack by default is part of the whole stupidity of the M$ model. The default share on NT is open to everyone. The default should be secure, that is the stupidity of M$, and idiots saying it is not the fault of M$ that anytime something gets overlooked the site is open to anyone is just as dumb.

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.

    1. Re:Rubbish by Jeremi · · Score: 1

      > The fact that M$ leaves the site open to attack by default is part of the whole stupidity of the M$ model.

      As much as I hate to say it, Microsoft is only giving the people what they want.

      Imagine Scenario 1: Microsoft ships a truly secure product, where you have to set up permissions for everything on install. Result: Lots of reviews about how the product is "hard to set up and use", and lazy sysadmins/managers go to the competition. Microsoft loses.

      Scenario 2 (what actually happened): Microsoft ships a product with useful defaults that are also big security holes. With the defaults, you don't have to know how to do much, you can just install and presto, your web site "works". True, if you read the documentation, it warns you about the security holes, but you and I both know that most people only read docs when something isn't working. Result: The reviews talk about how the Microsoft product is easy to configure and get working, and the public buys it. Maybe six months or a year later a story like this comes out, which is embarrassing, but by then it doesn't matter: Most sites using M$ software aren't likely to switch now!

      Scenario 3: Microsoft manages to figure out a way to have the defaults, and a way to make sure even Joe Clueless is forced to set them, so that his ignorance doesn't lead to an insecure site. I'm sure they have either done this or will soon...

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.

    2. Re:Rubbish by Wonko42 · · Score: 2

      If that's the case, then Linus Torvalds and all his minions are just as evil and stupid as Microsoft. Do you really think Linux is secure by default? If so, then the only one here who's an idiot is you. Linux is most certainly not secure by default. In fact, no operating system is. Just because SQL Server has a built-in account (which, by the way, the setup program gives you the option to disable from the very beginning, genius) doesn't mean Microsoft did anything wrong.

      --

  109. Is credit card theft really that great a threat? by Skim123 · · Score: 1

    How big of a problem is credit card theft? I know that there are those out there who have their numbers stolen, and have items purchased with their card, but it seems to be an isolated case.

    Stop and ask yourself how many people you personally know that have had their credit card #'s stolen. I know of no one. No one in my immediate or extended family; none of my friends or coworkers. And, like good Americans, the people I know, including myself, have readily used credit cards: at restaurants, on the Net, over the phone, at brick and mortar stores...

    Granted, with the Net, credit cards become a lot easier to steal. If your credit card #'s are stolen, and you can list the last five places you've charged at, that gives the credit card company a place to start their investigation. If your #'s were stolen when used at a restaurant, chances are someone at the restaurant is responsible. With the Net, finding who, exactly, stole your #'s may be a bit more difficult, if not impossible.

    Regardless, though, is this that big of a problem, or is the media latched onto the next "big thing" here? Granted, no one feels comfortable when you inform them that their credit card #'s are accessible over the Web, but just because they are accessible, does that mean that people are accessing them?

    Notice that the holes come not from large, trusting sites, like Amazon.com, BN.com, eBay.com, or other powerhouse sites. These are tiny, crappy-looking sites. Have you visited some of these sites listed in the article? THEY ALL LOOK ALIKE! They seem to be part of that "Get an eCommerce store for only $30 a month!" kind of thing.

    When shopping on the Internet, use common sense, just like you would use when shopping in the non-virtual world. Imagine walking into a sleazy-looking store, an unkempt, shoddily arranged and managed store. Would you buy anything from here with a credit card? Just use your common sense, it's what separates us from the monkeys. :)

    Finally, it is important to remember that shopping on the Net is no more dangerous than using your credit card at a department store. These sites that were vulnerable were vulnerable because they were hosted by a shoddy web host who didn't know or care about security issues. Having worked with IIS/NT/ASP/data-driven web sites using Microsoft products/technologies, I would wager the problem was from a number of things:

    • The ::$DATA error not being fixed. With ASP pages, you can view the server-side code by appending ::$DATA to the querystring. However, this bug was identified a long time ago and a very simple patch has been around just as long...
    • If you are going to use an Access database (which is what I would assume this cruddy web host uses), do not place it in the Web root or subdirectories. If you place it in the Web root, anyone can download it through a web browser!
    • Do not hard code usernames or passwords into your server-side scripts, or do not place them in text files in your web root directory! Again, anyone can simply view these files using a web browser!

    OK, enough ranting... In closing, let me say that I hope the media doesn't go crazy on issues like this. Yes, these crappy eCommerce sites are unsafe to shop at, but that doesn't mean you can feel confident shopping at Buy.com.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.
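
The three mistakes listed in the post above can be checked for from the server's own filesystem. The following audit is an added example, not code from the post or from any product it mentions: it walks a web root, flags Access database and workgroup files that IIS would hand out as plain downloads, greps server-side source and text files for connection-string credentials, and builds the source-disclosure probe URL, which the IIS 4 ::$DATA bug (MS98-003) took as a suffix on the path. The directory layout, file names, credential pattern and the constructed sample tree are assumptions for illustration.

```go
// Added example, not code from the original post: audit an IIS web root for
// the three mistakes the post lists. Layout, file names and the credential
// pattern are assumptions for illustration.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Finding is one problem located under the web root.
type Finding struct {
	Path   string // relative to the web root, forward slashes
	Reason string
}

// Files IIS serves as plain downloads when they sit under the web root:
// Access databases and Access workgroup (account/password) files.
var downloadable = map[string]string{
	".mdb": "Access database downloadable by URL",
	".mdw": "Access workgroup file downloadable by URL",
}

// Server-side source and text/config files worth grepping for secrets.
var sourceExt = map[string]bool{".asp": true, ".inc": true, ".txt": true, ".ini": true, ".udl": true}

// OLE DB / ODBC connection-string keywords that carry credentials.
var credPattern = regexp.MustCompile(`(?i)\b(pwd|password|uid|user id)\s*=\s*[^;"']+`)

// AuditWebRoot walks root and reports findings in lexical path order.
func AuditWebRoot(root string) ([]Finding, error) {
	var findings []Finding
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		rel = filepath.ToSlash(rel)
		ext := strings.ToLower(filepath.Ext(p))
		if why, ok := downloadable[ext]; ok {
			findings = append(findings, Finding{rel, why})
		}
		if sourceExt[ext] {
			data, rerr := os.ReadFile(p)
			if rerr != nil {
				return rerr
			}
			if m := credPattern.Find(data); m != nil {
				findings = append(findings, Finding{rel, "hard-coded credential: " + string(m)})
			}
		}
		return nil
	})
	return findings, err
}

// ProbeURL builds the request that returns ASP source from an IIS 4 server
// missing the MS98-003 fix: the ::$DATA NTFS stream suffix on the path.
func ProbeURL(base, path string) string {
	return strings.TrimRight(base, "/") + "/" + strings.TrimLeft(path, "/") + "::$DATA"
}

// BuildSampleRoot creates a constructed web root in a temp dir for the demo:
// one clean page, one include with a hard-coded password, one exposed .mdb.
func BuildSampleRoot() (string, error) {
	root, err := os.MkdirTemp("", "wwwroot")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"default.asp":     `<% Response.Write "welcome" %>`,
		"images/logo.gif": "GIF89a",
		"inc/db.inc":      `conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=orders.mdb;Password=s3cret"`,
		"orders.mdb":      "Standard Jet DB",
	}
	for name, body := range files {
		full := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSampleRoot()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	findings, err := AuditWebRoot(root)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %s\n", f.Path, f.Reason)
	}
	fmt.Println("source-disclosure probe:", ProbeURL("http://shop.example", "/new_account.asp"))
}
```

Run against a real web root, the credential pattern will also catch `UID=`/`PWD=` pairs in `.udl` and `.ini` files, which are served as text by default just like the `.txt` case the post describes; moving the database and the connection string outside the web root is the fix for both findings.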

  110. Re:Thus, NT is not "easy to use" by Skim123 · · Score: 1
    One of the interesting things about Windows2000 is that it has complete command-line functionality; at least, that's what the Microsoft brainwashed drone told me. In other words, anything you can do from the GUI you can do from the command line. And here I thought Microsoft's claim was that the command line was "archaic" and "going away." Microsoft lies lead to Microsoft failures and backpedaling. It's a shame that they are so good at marketing and politics.

    Don't forget that the developers that work on NT are computer programmers. They like command-line functionality. Just because the Microsoft execs think all end-users should use a GUI tool, the developers are still going to create a command-line tool for their own use.

    Did you know that there is tab completion in the command-line tool for NT 4.0, much like there is tab completion in tshell for *NIX? Something that is not enabled by default on NT, but can be turned on with the switch of a registry setting. I doubt an NT project manager speced such a feature. I would assume a developer, who liked UNIX, said, "Hey, tab completion would be neat," and so he implemented it. I would wager a similar bet that the developers said to themselves, "Hey, let's make sure everything can be done via the command-line."

    Remember, the developers at MS are just as nerdy as the rest of us, and like computers just as much, and would prefer a command-line over a GUI tool any day of the week...

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtedly, yes.

  111. Sneakernet by Mawbid · · Score: 2
    The article used the term "sneakernet". In case there are others as unenlightened as I myself was a moment ago, let me share the definition with them:

    sneakernet /snee'ker-net/ n.

    Term used (generally with ironic intent) for transfer of electronic information by physically carrying tape, disks, or some other media from one machine to another. "Never underestimate the bandwidth of a station wagon filled with magtape, or a 747 filled with CD-ROMs." Also called `Tennis-Net', `Armpit-Net', `Floppy-Net' or `Shoenet'; in the 1990s, `Nike network' after a well-known sneaker brand.

    (from the jargon file)

    --
    Fuck the system? Nah, you might catch something.
  112. Thus, NT is not "easy to use" by Loundry · · Score: 1

    One of my favorite NT lies is that NT is "easy to use" while *IX is "obscure," "archaic," and "1960's technology."

    If NT is "easy to use," then shouldn't it also be easy to make secure as well? The fact that it takes time and skill to "properly" configure an NT server to be secure undermines the claim that NT is "easier" than *IX.

    One of the interesting things about Windows2000 is that it has complete command-line functionality; at least, that's what the Microsoft brainwashed drone told me. In other words, anything you can do from the GUI you can do from the command line. And here I thought Microsoft's claim was that the command line was "archaic" and "going away." Microsoft lies lead to Microsoft failures and backpedaling. It's a shame that they are so good at marketing and politics.

    --
    I don't make the rules. I just make fun of them.
  113. Administration by laertes · · Score: 1

    Reading this article, I got a very anti-programmer feeling. The author seemed to be saying that any moderately decent coder should be able to make secure code. Anyone who writes on internet security should be forced, at gunpoint, to read this essay, lest they take the same attitude. The fact is, writing code that works is hard, and writing code that is secure is an order of magnitude more difficult. However, there are reasonably secure packages out there, so if anyone is to blame for these lost credit card numbers, it is the administrators' and managers' responsibility. It just seems clear to me that the fault lies not even with MS SQL, but the administrators.

    --

    Yes, I'm still a junky. Are you still a bitch?
    1. Re:Administration by ZenShadow · · Score: 1

      Writing code that works is not hard. I've been doing it for the last 7 years. It's actually fairly easy -- *IF* you have the knowledge required to write the code you've sold yourself as being able to write.

      The problem here is that a fairly large segment of the professional programmer population is fairly ignorant. They don't understand basic issues in performance, security, scalability, and other areas. If they did, I'd venture to say (and even without being totally anti-MS) that fewer people would use NT, since it's a far less Real Programmer friendly OS. But the latter is beside the point, and MHO.

      The point is that the real issue isn't "true security," it's "common sense." A goodly percentage of programmers out there don't do the common sense things that a -real- programmer, someone who truly understands the things they're writing, does.

      Cryptography and its uses should be something people think about -after- the common-sense security issues have been dealt with.

      --ZS

      --
      -- sigs cause cancer.
  114. Bull shit by RelliK · · Score: 2

    I guess you have not heard of ebay, amazon.com, (gasp!) IBM, etc.

    --
    ___
    If you think big enough, you'll never have to do it.
  115. Re:Good tactic by datazone · · Score: 1

    damn, i think the site has been slashdotted
    i can't sign up. check the errors i get:
    error 'ASP 0113'

    Script timed out

    /new_account.asp

    The maximum amount of time for a script to execute was exceeded. You can change this limit by specifying a new value for the property Server.ScriptTimeOut or by changing the value in the IIS administration tools.

    --
    It's spelt "L-I-N-U-X", but pronounced as "Free Beer"
  116. Re:Windows 2000 by myconid · · Score: 1

    I just installed MSSQL 7.0 a few days ago, it came with two default accounts:

    Both are controlled by NT authentication, both are based on the Administrator password/login. You can't remotely login, because it's NT auth [gotta login to the box, domain first]

    Oh.. then there's SA, which has a password set.. hrrm.. word. [changes password]

    --

    SB.
  117. Moderate this up by ewhac · · Score: 2

    ...And then get someone to "surreptitiously" point it out to Ford's PHBs.

    My suggestion: Fake up an email and run it through a bunch of anonymous remailers. Claim to be a cracker who has access to information that would be available to someone who penetrated only the outermost security layer. Mail it to yourself at Ford. Forward to supervisors with the heading, "We got a problem!" When the emergency meeting is convened, drop on the table your prepared action plan for creating reasonable security and say, "We're going to do this."

    Make sure the first thing you do is install RCS/CVS/whatever version control on all security measures, and log everything. This way, they can't later claim your fake email was a ruse to install trojans, since all checkins were logged and can be reviewed.

    Hey, might work...

    Schwab

  118. Is this really a new problem...? by Booker · · Score: 5

    I mean - people are willing to call a complete stranger on the phone, and give them their credit card number. Same goes with a waiter in a restaurant, for example. I guess there's more potential for abuse online, since a list of 1000's of numbers might be available... but using a credit card in almost *any* fashion has the potential for abuse or theft.
    ----

    1. Re:Is this really a new problem...? by Robotech_Master · · Score: 3

      At my K-Mart, the cash register prints out two receipts: one for the customer to keep (with full number printed thereupon) and one for the customer to sign (also with full number & other data printed thereupon) which then goes into our till. I am led to believe that we need that copy in order to be able to charge the customer for the merchandise. I don't think we could have the number blacked out and still process the charge.

      The fact of the matter is, there are lots of people who could steal your card number...and not just in the places you use it. People at the bank who issued it could get ahold of it, too...people could (and have in times past) take rubbings through the envelope in which it is delivered to you. The only way to keep your number a complete secret is not to use it at all...and what would be the point of that? :)

      Thankfully, many of the places where one could potentially use a stolen credit card number are becoming more watchful about getting verification of details, such as billing address. It won't stop fraud completely, but will help cut it down.

      --
      Editor Emeritus and Senior Writer, TeleRead.org
    2. Re:Is this really a new problem...? by Cassandra · · Score: 1

      Using a credit card PERIOD is a potential for theft.

      If you say so, but that is also the case for the mere use of money :-)

      What actually matters IMHO is whether the advantages outweigh the risks...

    3. Re:Is this really a new problem...? by Surak · · Score: 2

      I mean - people are willing to call a complete stranger on the phone, and give them their credit card number. Same goes with a waiter in a restaurant, for example. I guess there's more potential for abuse online, since a list of 1000's of numbers might be available... but using a credit card in almost *any* fashion has the potential for abuse or theft.

      I used to work for RadioShack, and believe me there was a LARGE potential for abuse there. I would assume this potential exists anywhere in retail, but....

      It was a small matter to rip off HUNDREDS of credit card numbers per week. (Not that I did this...but I'm sure some people who worked for RS did...). This may have changed since they converted to a new register system a couple of years back, but...

      RadioShack would keep the yellow carbon copies of all receipts printed out. The ones for credit cards would go into a separate bin. The bin was not secured in any way: it was sitting on a shelf, in plain sight to someone behind the counter. All one would have to do is wait till the manager went on break, and start copying credit card numbers down (yes the receipts listed the FULL credit card number right on them, not simply the first four or last four digits as is now common place). At that time, most stores were not even videotaped, so the potential for abuse was QUITE great.

      RadioShack no longer prints the full credit card number on the receipt, so this is no longer an issue with them. Most stores are now videotaped (since in the 90s many managers started setting up videocameras taken from stock to tape the store, it became common practice).

      So think twice next time you use your credit card -- ANYWHERE, not just online. Make sure your CC# is not printed on the receipt in full....if it is, demand to see the "carbon copy" and black it out with a magic marker.


    4. Re:Is this really a new problem...? by mindstrm · · Score: 2

      Yes.. you are correct. They were, of course, covering their own asses.
      And I bet you are right about the merchant agreements forbidding things too.

      After some thought, the consumer doesn't have a lot to worry about, really... it's the credit card companies that will bear the burden.. and they will just hand it off to the merchant.

    5. Re:Is this really a new problem...? by mindstrm · · Score: 3

      Yes.. and the CC companies have standards of conduct for merchants. What to do with receipts, etc.... There is a code of conduct with regards to dealing with plastic.

      On the online front, at one point, Visa said 'We will not give you a merchant account for online work unless you meet certain requirements.'
      These requirements included providing information about your firewall, your security policies, who has the passwords, etc... which made perfect sense. They were protecting the consumer.

      The problem is.. this gets abstracted. One company gets a merchant account, and then sells transaction 'services' to others, and at that point, security is questionable.

    6. Re:Is this really a new problem...? by agravaine · · Score: 1

      Yeah, the 'list of 1000s' part is somewhat new.

      People call strangers up and give them their credit card numbers all the time. What's new is, now they can [metaphorically speaking] call that phone number up, say "Hey! Do you have a listing for Billy Bob? What's his credit card number, billing address, and expiration date? And while you're at it, why not just read me your whole customer list..."

      ...that's kind of new... :^)

    7. Re:Is this really a new problem...? by Paolo · · Score: 1

      The next time you're at an honest to goodness brick n mortar store, take a look at the bottom of your receipt. I'd put it that 66-75% of the time your credit card number in its entirety and sometimes even your expiration date is on it. Suddenly you feel a lot worse about losing the receipt or leaving it in the bag. Oops. No one seems to care about this however, and few companies (but to those that do I applaud you) xxx out the remaining 12 digits of your card for privacy.

      Nothing new at all.

      --
      "In individuals, insanity is rare, but in groups, parties, nations, and epochs it is the rule." -Nietzsche
    8. Re:Is this really a new problem...? by Mister+Attack · · Score: 1
      They were protecting the consumer.

      Oh, come on. Do you really think they care about the consumer? They were covering their own tails. They, not the consumer, have to pay for fraudulent use of credit cards. Visa was doing, plain and simple, exactly what was in their best interest. As for the abstraction problem, I'd be willing to bet that the merchant agreements specifically prohibit reselling the transaction services. Of course, I could be wrong...

      bottom line: Visa cares about Visa.
      --

    9. Re:Is this really a new problem...? by jallen02 · · Score: 1

      Using a credit card PERIOD is a potential for theft.

    10. Re:Is this really a new problem...? by deep_magic · · Score: 2

      As someone who's done work in the financial services area I'd like to point out a few things:

      1. Customer is only liable for $50 *if* it's after 30 days from the time a fake charge was made. If the consumer notices the charge before, then the credit card company eats the bill (and consequently puts more requirements on existing laws (see # 2) and merchants for greater security)

      2. A lot of these problems could be corrected with strong encryption - but since it's not feasible to run a global web site with strong encryption for US users and weaker encryption for non-US...this is a moot point...But once credit card companies start losing $$$ because of this, congress will suddenly have a new outlook on the whole issue.

      3. Fixed credit card numbers will be a thing of the past within the next 5 years or so.. A much better approach is to have valid session id's. That is, dynamic credit card "numbers" that are good for one transaction and one transaction only..that way if the merchant you did business with has crappy security and that information gets released to the world at large...doesn't matter because the number is no longer valid...

      4. and finally, #1 was *really* put into effect by the govt (it is called Reg D) to make consumers comfortable using credit cards period. The reason for this is it makes the IRS's job much easier come audit time. Umm...you had $30k of credit card bills that all got paid last year, so now we know you made at least $30k...

      -deep_magic
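
Point 3 above describes numbers that are good for one transaction only. The following is an added example of the issuer side of such a scheme, not code from the comment or from any card network: a one-time number is Luhn-valid so it passes merchant-side checks, is bound to the amount it was issued for, and is consumed on first authorization, so a copy leaked from the merchant's database is rejected as a replay. The BIN, the account on file, the amounts and the 16-digit format are assumptions; a real scheme would also bind the merchant and an expiry.

```go
// Added example, not from the original comment: issuer-side single-use card
// numbers. BIN, account, amounts and the 16-digit format are assumptions.
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"sync"
)

// luhnSum adds digits right to left, doubling every second one; doubleFirst
// is true when num still lacks its check digit.
func luhnSum(num string, doubleFirst bool) int {
	sum, double := 0, doubleFirst
	for i := len(num) - 1; i >= 0; i-- {
		d := int(num[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum
}

// LuhnValid reports whether a complete number passes the Luhn check.
func LuhnValid(num string) bool { return luhnSum(num, false)%10 == 0 }

// luhnCheckDigit returns the digit that makes base+digit Luhn-valid.
func luhnCheckDigit(base string) string {
	return strconv.Itoa((10 - luhnSum(base, true)%10) % 10)
}

var (
	ErrUnknown = errors.New("number was never issued")
	ErrReplay  = errors.New("number already used")
	ErrAmount  = errors.New("amount differs from the one the number was issued for")
)

type ticket struct {
	account string // the real account on file at the issuer
	amount  int    // cents the number is good for
	used    bool
}

// Issuer hands out one-time numbers and consumes them on authorization.
type Issuer struct {
	mu      sync.Mutex
	bin     string
	tickets map[string]*ticket
}

func NewIssuer(bin string) *Issuer {
	return &Issuer{bin: bin, tickets: make(map[string]*ticket)}
}

// IssueOneTime returns a Luhn-valid 16-digit number good for exactly one
// authorization of amount cents against account.
func (is *Issuer) IssueOneTime(account string, amount int) (string, error) {
	is.mu.Lock()
	defer is.mu.Unlock()
	for attempt := 0; attempt < 64; attempt++ {
		base := is.bin
		for len(base) < 15 { // fill the free digits from a CSPRNG, unbiased
			d, err := rand.Int(rand.Reader, big.NewInt(10))
			if err != nil {
				return "", err
			}
			base += d.String()
		}
		num := base + luhnCheckDigit(base)
		if _, taken := is.tickets[num]; taken {
			continue // collision with an outstanding number: draw again
		}
		is.tickets[num] = &ticket{account: account, amount: amount}
		return num, nil
	}
	return "", errors.New("could not find an unused number")
}

// Authorize consumes the number. Only the first call with the right amount
// succeeds; a replayed number or a changed amount is rejected.
func (is *Issuer) Authorize(num string, amount int) (string, error) {
	is.mu.Lock()
	defer is.mu.Unlock()
	t, ok := is.tickets[num]
	switch {
	case !ok:
		return "", ErrUnknown
	case t.used:
		return "", ErrReplay
	case t.amount != amount:
		return "", ErrAmount
	}
	t.used = true
	return t.account, nil
}

func main() {
	is := NewIssuer("411111")
	num, _ := is.IssueOneTime("4111111111111111", 2999) // constructed account
	fmt.Println("one-time number:", num, "luhn ok:", LuhnValid(num))
	_, err := is.Authorize(num, 2999)
	fmt.Println("first charge:", err)
	_, err = is.Authorize(num, 2999)
	fmt.Println("replay:", err) // the number leaked from the merchant is worthless now
}
```

The amount check matters as much as the single-use flag: without it a merchant with shoddy security leaks a number that is still good for one charge of any size until the real customer's purchase clears.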

  119. Re:Your own Win2K problems by Jerry · · Score: 1

    "Uh, you could always get 3rd party backup software (or did Linux write all of GNU himself)."

    You really know a lot about 'Linux' Torvalds, don't you! I'll bet you've met him in person. rofl....

    We know the real reason why you are lurking on /. and posting M$ FUD....
    YOU ARE PLANNING TO SWITCH, and trying to work up your courage. Go ahead, make the jump to hyperspace! All you have to lose is the BSOD and you will also SAVE a ton of cash unless, of course, you enjoy adding to His Lowness's billion dollar kitty.
    BTW, Linux was begun by Linus Torvalds and many very fine hackers have contributed to it since 1992. That's one more clue you never had before...

    --

    Running with Linux for over 20 years!

  120. Flames on the Operating System used are completely by trog · · Score: 1

    The fact is that ANY server running on ANY OS without the proper cryptographic processing of the data before it is stored is the most important component of data security. If the data is stored in an SQL database unencrypted, if the server is compromised, the data belongs to the cracker.

    An "e-commerce" server should have a two tier model for security. The first tier is Server security, which is what most of the uninformed are flaming about. The second tier, and MOST IMPORTANT, is data security. The data needs to be cryptographically processed in such a way that if the server is completely compromised, the data is completely useless to the cracker.

    This takes a GREAT deal of skill and craft to successfully implement. Herein lies the problem: companies are so motivated to get the e-commerce thing going NOW that they leave themselves wide open.
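
The post's second tier only works if the key that opens the data is not on the compromised machine; a web server that decrypts card numbers for itself has the key on disk for the cracker too. The following is an added example of the split the post calls for, not code from the post or from any product: the web tier is given only an RSA public key and seals each card number with RSA-OAEP at checkout, while the private key lives on a separate settlement host that the web tier cannot reach. The names, the 2048-bit key, the OAEP label and the sample card number are assumptions.

```go
// Added example, not from the original comment: stored card data that is
// useless on a compromised web server, because the web tier holds only a
// public key. Names, key size, label and sample PAN are assumptions.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// oaepLabel binds the ciphertext to its purpose; both sides must use it.
var oaepLabel = []byte("card-pan-v1")

// StoredCard is the only thing the web/database tier keeps.
type StoredCard struct {
	Last4      string // for display on receipts
	Ciphertext string // base64 RSA-OAEP ciphertext of the full PAN
}

// WebTier holds the public key only: it can seal a PAN but never open one.
type WebTier struct{ pub *rsa.PublicKey }

// SettlementHost holds the private key and is the only place a PAN is in
// the clear after checkout.
type SettlementHost struct{ priv *rsa.PrivateKey }

// NewTiers generates the key pair and hands each side its half.
func NewTiers() (WebTier, SettlementHost, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return WebTier{}, SettlementHost{}, err
	}
	return WebTier{pub: &priv.PublicKey}, SettlementHost{priv: priv}, nil
}

// Seal encrypts the PAN at checkout. OAEP is randomized, so two customers
// with the same card do not get equal ciphertexts (no equality leak).
func (w WebTier) Seal(pan string) (StoredCard, error) {
	if len(pan) < 4 {
		return StoredCard{}, errors.New("pan too short")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.pub, []byte(pan), oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{
		Last4:      pan[len(pan)-4:],
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// Open recovers the PAN for settlement; a wrong key or a tampered
// ciphertext fails closed with an error.
func (s SettlementHost) Open(c StoredCard) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(c.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	web, settle, err := NewTiers()
	if err != nil {
		panic(err)
	}
	rec, _ := web.Seal("4111111111111111") // constructed sample PAN
	fmt.Println("stored:", rec.Last4, rec.Ciphertext[:24]+"...")
	pan, err := settle.Open(rec)
	fmt.Println("settlement sees:", pan, err)
	_, other, _ := NewTiers() // a cracker's own key pair
	_, err = other.Open(rec)
	fmt.Println("wrong private key:", err)
}
```

The design choice is that a dump of the web server, its database and its configuration yields last-4 digits and ciphertext only; the charge itself happens on the settlement host, which need not accept any inbound connection from the web tier.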

  121. Linux based companies have been guilty as well by somnambule · · Score: 2

    Not to smear Loki's name or anything, but they have been less than careful with credit card numbers in the past. My girlfriend purchased Quake III for me (what was she thinking ?) from Loki using their secure form. There was a small problem with the information, so the person handling the order saw fit to transmit the output from their ordering script in its entirety via email IN CLEAR TEXT.

    It's true that submitting private information such as a CC number online is really no different than signing a receipt in a store, but a certain trust relationship is assumed when carrying out a secure online transaction. I think people using "the Internet" for transactions tend to rush about with their business without thinking. Maybe it's the "time dilation" that occurs on "the Internet", or maybe not.
    --
    -somnambule
  122. For people who would egg Bill's grandmother by Ashen · · Score: 1

    [Irony alert!] Yes, MSNBC says all the servers they cracked were running MS SQL. [/irony alert]

    That is not ironic! They are a news site who are supposed to report the news as it is, just like any other news site. I'm so fucking tired of people shitting on MSNBC just because they are co-sponsored by Microsoft.

    Irony would have been if Microsoft had reported this on their web site.

    I'm no fucking Buddhist, but this is enlightenment. - Bjork

  123. Re:Why Not Use Credit Cards over the Net? by Thrakkerzog · · Score: 1

    It is a little different. Now one person can steal thousands of credit card numbers instead of a clerk copying down one number.

  124. Real risk and an idea by Da+VinMan · · Score: 1

    What bugs me about incidents like this is that consumers are STILL liable for the first $50 of the fraudulent charges (at least in the US). But what if the card is actually a debit card? I could be wrong, but I think you're just out the money, because the account leads to real money and not just a billable account.

    I'm of the mind that credit cards are NOT secure enough to use on the Internet. They don't even require any special knowledge (like a password), to use. We should at least have the option of securing all of our cards with a password, that way a ripped off card wouldn't be a substantial risk unless the thief also managed to rip the passwords from the card companies too (which could happen)!

    (Of course, most of this would be moot with standardized biometrics, but that probably won't happen for a while.)

    Yeah, I got issues. ;+)

    --
    Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
    1. Re:Real risk and an idea by Detritus · · Score: 1
      "Furthermore cardholders are protected by the Canadian Code of Practice for Debit Card Services that assures that confirmed victims of proven fraudulent activity will not suffer losses."

      Maybe I'm just being paranoid, but that sounds weak to me. It could be read as "You are screwed unless someone proves that fraud was committed." In my dealings with banks I've found that they have a poor record of investigating errors that cost the customer, not the bank, money.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Real risk and an idea by robhancock · · Score: 1

      I don't know about American debit cards (Visa Check Card, etc.) but with the Interac system in Canada,

      "Furthermore cardholders are protected by the Canadian Code of Practice for Debit Card Services that assures that confirmed victims of proven fraudulent activity will not suffer losses."

      That's off www.interac.ca

  125. Re: It was fixed (as in NEUTERED) by leonbrooks · · Score: 1

    it takes a year of testing before Service Pack 6 can be installed

    ...only to discover the near-silent release of SP6a over TechNet a little later to fix up some of the faux pas in SP6.

    --
    Got time? Spend some of it coding or testing
  126. Re:Typical misinformation... by fidros · · Score: 1

    The point here is NOT any bugs in the code but the famous Microsoft "ease of use" and "low TCO through hiring less experienced admins".
    In the MS world you can get an ecommerce site and never understand (some aspects of) what you're doing. Now, the same IS true for any other OS/Software as well, including, say, Linux+Apache BUT (and it's a big but) we don't advertise that as a feature!
    A lot of PHBs are falling (or used to fall) into this trap - "I'll get MS products and then I can save on the staff I need because MS products are simple."
    Guess what? The article describes the result. You need to know what you're doing or you're going to screw it up, so all that "ease of use" and "lower TCO" are a phantom (menace? ;-) when it comes to (semi) big servers - you're better off getting a UNIX system that needs an experienced admin, but at least has less chance of leaving your customers' credit cards open to anyone on the Net...

    --
    Gilad.
  127. Re:Windows 2000 by Noke · · Score: 2

    Yeah! Just look at Enlightenment!

  128. Re:Windows 2000: A solution to a non-existing prob by Noke · · Score: 2

    Right-click on task bar.
    Select "Properties".
    Select "none" for menu effect.

    No more fade-in menus to bitch about.

  129. Win2k Install Times by Noke · · Score: 2

    This is a repost of a comment from the story,
    http://slashdot.org/articles/99/09/29/119245.shtml

    ------------------------------------------------
    Was he installing from the CD? Was he installing directly from his HD under windows? Was he installing from the CD in DOS? If he was installing from DOS, he probably didn't have the foresight to load smartdrv and sat there for 4 hours while it copied all 2,000 files from the i386 dir to the HD. Anyone who has any experience installing Win2k doesn't install this way as it is like Chinese water torture. DOS copies files very, very slowly. The better method is to either boot from the Win2k CD directly, install from Windows (if you already have it installed), or if you MUST install from DOS - make SURE you run smartdrv to speed up the file copy process.

    I can't speak for beta2 since it is almost 9 months old, but Release Candidate 2 that was released a couple of weeks ago doesn't take more than an hour to install. I am speaking on behalf of 40 or so people in #Win2000 on efnet who all install Win2k at various times. As long as they aren't installing from DOS without running smartdrv, and they don't have shitty hardware, they install within an hour consistently.
    ------------------------------------------------

    To add to that, Win2k RTM (final) has been quicker to install than RC2 that is mentioned in the quoted text.

  130. Re:Typical misinformation... by chicken · · Score: 1

    This is a very old setting, and unless you are a complete dumbass you put a password on the sa account. The problem was not caused by microsoft (they had to default it to something to let you set up the database, and leaving it blank should prompt someone to fill it in).

    The bad press should go to the particular web sites who apparently don't see this as an obvious hole.

  131. Why give the CC# to the merchant ? by styxlord · · Score: 2

    I'd really like to know why they need to store Credit Card numbers in the first place let alone all of the details. If I buy a TV from Best Buy they don't need my Name/Address/E-mail Address/Date of Birth/Magazine Interests etc. Sure the online merchant needs your address to send you the goods, but after that, they don't.

    Unless I explicitly agree (hence the default being that I don't agree [that one's for all you sites which made me search for that darn check box which was inconveniently ticked for me]) to have my e-mail Inbox or snail mail box filled with wads of trash they don't need squat.

    How 'bout this. VISA (or AMEX/Diners/etc) goes into the instantaneous online transaction business.

    I've filled my shopping cart with goodies and I'm heading for the checkout. At this point, I give them my name and the billing address of my VISA card (the public key). The merchant then contacts VISA and indicates that I want to make a purchase for the given amount. VISA then issues a challenge to get the credit card number correct (the private key). This can be easly done without ever transmitting the credit card number itself or anything which can be easily converted into my credit card number.

    For example, VISA sends the merchant some random garbage who then passes it on to me. I enter my credit card number which is combined with the random garbage and spits out, for sake of argument, a 128 bit MD5. I send the MD5 back to the merchant who then sends it to VISA who can easily verify that the card number is correct, and then make sure I'm not over my limit etc.

    VISA then indicates to the merchant if you succeeded or not and the transaction is completed. As an added bonus the transaction could require that you combine the amount of the transaction with you credit card number to prevent the merchant from being able to fiddle the books (not that a merchant would want to do this anyhow, I can't imagine that pissing VISA off is good for business).

    So the net result is the merchant (who has been identified as a weak link in the chain) never sees your credit card number.

    1. Re:Why give the CC# to the merchant ? by alecto · · Score: 1
      What you speak of has already been envisioned. It's called SET, for Secure Electronic Transactions. It uses cryptography (both public key and symmetric) and X.509 certificates to allow a merchant to accept a credit card and get paid without ever knowing the credit card number. The bank can also pay the charge without ever knowing what the customer ordered (say, a Beowulf cluster of VIC-20's running FreeBSD, a Natalie Portman statuette, and a dozen packets of instant grits), but retains a one way hash of that order information in case of a customer dispute.

      An overview and links to more detail are available at SETCo's site. (SETCo is an organization promoting the standard.)

      This standards effort started in 1996 at the behest of MasterCard and Visa, apparently sometime shortly after someone there first made the observation that anyone handling a credit card has access to the number.

    2. Re:Why give the CC# to the merchant ? by TCook · · Score: 1

      Gee, where have we seen this process before!?
      Are shoppers too impatient to wait the extra 2 minutes or so? In the US, probably. But it's a great post anyway.
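
The exchange styxlord sketches, with the amount folded into the hash as his last paragraph suggests, is written out below as an added example; it is not code from the post, from SET, or from any card network. The cardholder lookup key (billing name and address, the post's "public key"), the 16-byte nonce and the sample card are assumptions. MD5 is used because the post names it, but the check a practitioner would run is the `Recover` function at the end: the merchant sees the nonce, the amount and the response, and the only secret in the computation is a 16-digit number whose first six digits (the BIN) are public and whose last digit is a Luhn check, so about a billion candidates remain for an offline search. That holds for any hash, keyed or not, as long as the card number is the only secret the customer contributes; it is why the SET design alecto mentions gives the cardholder a real key pair and a certificate instead.

```go
// Added example, not from the original post: the challenge/response the
// post describes (nonce from the issuer, MD5 over nonce|amount|PAN from the
// customer, verified by the issuer), and the offline search a merchant can
// run against it. Lookup key, nonce size and sample card are assumptions.
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// Response is what the cardholder computes and the merchant relays; the PAN
// itself never leaves the customer's machine.
func Response(nonce []byte, amountCents int, pan string) string {
	h := md5.New()
	h.Write(nonce)
	h.Write([]byte("|" + strconv.Itoa(amountCents) + "|"))
	h.Write([]byte(pan))
	return hex.EncodeToString(h.Sum(nil))
}

type challenge struct {
	holder string
	amount int
}

// CardIssuer plays VISA: it knows the PAN on file for each billing identity
// and remembers which nonce it issued for which amount.
type CardIssuer struct {
	onFile  map[string]string    // billing name+address -> PAN
	pending map[string]challenge // hex nonce -> what it was issued for
}

func NewCardIssuer(onFile map[string]string) *CardIssuer {
	return &CardIssuer{onFile: onFile, pending: make(map[string]challenge)}
}

// Challenge goes to the merchant, who forwards it to the customer.
func (ci *CardIssuer) Challenge(holder string, amountCents int) ([]byte, error) {
	if _, ok := ci.onFile[holder]; !ok {
		return nil, errors.New("no card on file for " + holder)
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ci.pending[hex.EncodeToString(nonce)] = challenge{holder, amountCents}
	return nonce, nil
}

// Verify checks the relayed response. A nonce is consumed on first use, so a
// captured response cannot be replayed, and the amount is fixed by the
// challenge, so the merchant cannot raise it after the fact.
func (ci *CardIssuer) Verify(nonce []byte, response string) bool {
	key := hex.EncodeToString(nonce)
	c, ok := ci.pending[key]
	if !ok {
		return false
	}
	delete(ci.pending, key)
	want := Response(nonce, c.amount, ci.onFile[c.holder])
	return subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1
}

// Recover is the attack: with nonce, amount and response in hand (all of
// which the merchant sees), enumerate the unknown digits of the card.
func Recover(nonce []byte, amountCents int, response, known string, unknown int) (string, bool) {
	limit := 1
	for i := 0; i < unknown; i++ {
		limit *= 10
	}
	for n := 0; n < limit; n++ {
		cand := known + fmt.Sprintf("%0*d", unknown, n)
		if Response(nonce, amountCents, cand) == response {
			return cand, true
		}
	}
	return "", false
}

func main() {
	pan := "4111111111111111" // constructed sample card
	issuer := NewCardIssuer(map[string]string{"Billy Bob, 1 Main St": pan})
	nonce, _ := issuer.Challenge("Billy Bob, 1 Main St", 2999)
	resp := Response(nonce, 2999, pan) // computed on the customer's side
	fmt.Println("authorized:", issuer.Verify(nonce, resp))
	fmt.Println("replayed:  ", issuer.Verify(nonce, resp))
	found, _ := Recover(nonce, 2999, resp, pan[:12], 4) // merchant guessing the last 4
	fmt.Println("merchant recovered:", found)
}
```

The demo searches only the last four digits so it finishes instantly; the full nine free digits are the same loop with a larger bound, well within reach of one machine, which is the point of the caveat.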

  132. Shooting the Messenger? by trims · · Score: 5

    I've read through a lot of these posts, and there seem to be two common threads to most of them:

    1. It's the product's fault for shipping with stupid defaults.
    2. It's the admin's fault for not fixing things tightly.

    I think both of these need to be addressed to see the underlying reasons for the problem, of which neither of the above are.

    First off, I'm a professional SysAdmin, and have spent most of the last 4 years doing System Architect and Security stuff. The last two at E-commerce places.

    People, the problem is threefold, none of which is easy to fix:

    Virtually nothing is designed with security in mind. That includes all our favorite UNIX OSes, Windows, and virtually all applications. The few apps that seem to have some reasonable security setup often sacrifice this by using stupid defaults to aid "ease-of-use". The sad fact here is that nothing we are using these days is decently secure (no, not even OpenBSD). UNIX is stuck with the all-or-nothing model of security, while Windows actually has a good model that is horribly implemented. Apps tend to be the same. Given that the systems are poor to begin with, hardening them is more than difficult. And compromises tend to do massive damage.

    Business is not taking security seriously. Right now, time-to-market is king, and everything else is sacrificed to that great Idol. This is primarily the public's fault, as people seem to reward cheap and first rather than more expensive and well-designed. The miserable state of software quality is a prime example of this mentality. And bugs are a leading cause of security problems.

    Also, companies have limited resources. Right now, spending the extra money to shore up security (or maybe even - gasp - do it Right) is about as likely as giving the entire staff a free vacation to Tahiti. They simply have no reason to do it - there isn't much real PR problem, the public doesn't seem to reward companies that spend the extra on security, and there aren't really any legal liabilities yet for failing to do so. So why spend money on something that doesn't have any real returns?

    Security is an ongoing battle. This is related to both the previous problems (lack of proper resources, and poor security to begin with). In order to keep a site even basically secure, it's far more complex than simply keeping an eye on BugTraq and watching for vendor security updates. A typical mid-size e-commerce site probably has at least 100 different products (remember, each script is a different product) to keep an eye on, covering at least a dozen (nowadays, with ASPs, likely several score) machines. Just keeping up to date is a daunting task, and like fighting a real war, the opponent isn't stupid, and adapts rapidly. You will suffer defeats. Security is a massively complex and difficult job. Don't let anyone kid you otherwise.

    The knee-jerk reaction to fire the admin is merely a Management-covering-their-ass mentality. Blaming the product overlooks the reasons why the product is that way, and also doesn't say anything about the state of the market as a whole.

    Until there is a concentrated demand from the public for security, things will continue to be as they are. If the public can stand it, well, then that's the shape of the world we live in. If they don't like it, give business the incentives to buckle down - make them legally responsible for breakins, buy only properly-designed software, etc. Until that happens, blaming the admins and the software is stupid.

    --
    There are always four sides to every story: your side, their side, the truth, and what really happened.
    1. Re:Shooting the Messenger? by mindstrm · · Score: 2

      The thing is... who cares? Is the merchant responsible for the frauds? I mean, are they held financially liable (by visa) if the numbers get stolen and used? If so. .that is their incentive.
      If they aren't.. that's VISA's problem.
      In any rate, it is not the consumer's problem..

    2. Re:Shooting the Messenger? by dolphineus · · Score: 1

      Until there is a concentrated demand from the public for security ...

      Well, there won't be. The public in America is notoriously apathetic towards anything that does not directly affect them. While credit card fraud of any kind does have an impact on them, it's not one they can see or feel for themselves. They won't care till it's their credit card/identity that gets swiped and it is their life/credit that is all screwed up.

      So maybe the best thing would be for someone to swipe a huge Visa database and start doing credit card fraud on a massive basis...

    3. Re:Shooting the Messenger? by topham · · Score: 1

      The other mistake...

      Never, EVER leave security up to the individuals designing/programming/installing the application.

      Security is a very different mindset, and someone testing a site's security should not know how or why the software was designed the way it is. While it should be secure even if they know all the details, it may prevent them from finding the holes, since they may make assumptions that certain holes do not exist.

      If a security audit could not easily determine the software and the configuration it is in, I would be surprised anyway. But, assuming it couldn't, that would be good as well. It would mean a hacker would have a difficult time trying to find a quick hole, but that would just slow them down.

      Security experts don't write applications, application experts don't write operating systems, etc.


      I worked for a company which wanted to get its database online. The project died because I was unwilling to assert that it was secure. I was very vocal about the fact I had no reason to believe it was secure. The company the server was purchased from never got around to running its own audit on the server. (I wouldn't have trusted their opinion anyway; a third party would have been a better choice.)

    4. Re:Shooting the Messenger? by jkorty · · Score: 2

      You are making things too complicated. The article's main complaint is that too many admins have not set up password protection on their SQL servers. This is negligence of the first order. Your long series of second-order security precautions comes into play only after the competence of these admins rises to the point where they see the need and can do password assignment. And that won't happen universally, across the board, until corporations become liable for this sort of negligence [IANAL, so they may already be liable for this and we are only waiting for a test case to prove it].

    5. Re:Shooting the Messenger? by Toothpic · · Score: 1

      The thing is... who cares? Is the merchant responsible for the frauds? I mean, are they held financially liable (by Visa) if the numbers get stolen and used? If so, that is their incentive.
      If they aren't... that's VISA's problem.
      In any rate, it is not the consumer's problem...

      But it IS the consumer's problem!!
      Sure, VISA initially foots the bill, but they will quickly force that cost onto the consumer. Don't be fooled into thinking that VISA etc. will just soak up these losses.

  133. Gee, its pretty bad when the reporters can 'hack' by RAruler · · Score: 1

    Christ, it must be pretty bad when reporters can hack into a site.. I use the term hack loosely... very.. but these are no ordinary reporters.... why they work for MSNBC..

    --
    Insert Witty Sig Here
  134. Stolen without using the net by opse · · Score: 1

    I had $600+ stolen before I even received my card. If I am not mistaken, every card at my branch was victim to this attack.

  135. Re:Typical misinformation... by cjs · · Score: 2

    PS - I actually quite like SQL Server. Every time a client specifies a really slow, memory intensive RDBMS, I specify SQL Server. It hasn't happened yet.
    So you really find MS SQL server to be that much worse than Oracle, or any of the other products out there? What were you using it for? Or have you even used it?

    This looks to me like a prime example of someone from the Linux community happily spreading FUD or just generally spouting ignorance. I've had a fair amount of experience with MS SQL Server recently, and, being a long-time MS-hater, I certainly didn't come to it with an open mind. But I have to say that MS SQL Server is a damn good database; I'm very, very impressed with it. It's certainly as solid and as featureful as anything else out there.

    Unfortunately, it is somewhat crippled by running only under NT. This limits its reliability and security, in that the OS underneath it is not terribly reliable or secure. It also limits its scalability in that NT simply doesn't run on big machines. And, of course, I find NT system administration a complete PITA.

    But there are a lot of database systems out there that can get by just fine on a 4 x 500 MHz PIII system with a gig of RAM, and under many circumstances the MS SQL Server system will be rather cheaper than the Unix options. If you've got an NT admin handy to keep the server running, it can be a worthwhile choice.

    cjs

    --
    The world's most portable OS: http://www.netbsd.org.
  136. Re:Windows 2000 by Cassandra · · Score: 1

    He he...

    There actually was a facial expression there-- a smiley ;)

  137. Re:Why Not Use Credit Cards over the Net? by Cassandra · · Score: 1

    First of all, if someone makes a purchase with your credit card, but you haven't actually lost the card, then you are liable for nothing. You have nothing to lose!

    Still, you have to notice the theft, and complain--not always trouble-free. And how quickly can you have your money back?

    Credit card theft and fraud occur without the internet. Your wallet/purse can get stolen. In that case, you are liable for up to 50 dollars. A waiter or clerk can copy down your numbers.

    A clerk could copy your number, while a cracker could copy thousands with the same effort. To make a profit out of it, the clerk would have to withdraw a noticeable amount, while the cracker could simply withdraw, say, $5 from each account, and get away with it...

  138. Re:::$DATA by jelle · · Score: 1

    Geesh, I wonder what went wrong...

    I always thought that hiring (cheap) half-knowledgeable system (security) administrators and compensating by using an expensive point-and-click server operating system was a guarantee to result in secure Internet servers. That basic rule would be the reason for NT to replace Unix, wasn't it? Low cost of ownership resulting from low cost of the people administering and securing the system?

    Suppose something is wrong with that?

    (irony present)

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.
  139. ::$DATA by jelle · · Score: 2

    Isn't the ::$DATA bug one that was found over a year ago and was supposed to be fixed by MS ages ago as well?

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.
    1. Re:::$DATA by delmoi · · Score: 1

      In fact, I'd say it's almost a certainty!

      Well then, that would make you pretty stupid...

      "Subtle Mind control? Why do html buttons say submit?",

      --

      ReadThe ReflectionEngine, a cyberpunk style n
    2. Re:::$DATA by SEWilco · · Score: 2

      Okay, okay already. I'll install the service pack as soon as I get this batch of burgers flipped over.

    3. Re:::$DATA by Ekapshi · · Score: 1

      Yep, ::$DATA was patched *ages* ago. It was just that the sysadmins of those servers were too lame/lazy to apply the hotfixes/service packs.

      An NT server staffed by a competent admin can be just as secure as a Linux server, ya know.

      Has anybody penetrated the security of any of the Microsoft.com datacenters? Nope! The admins there have actually properly configured their servers.

      -Ekapshi.

    4. Re:::$DATA by LocalYokel · · Score: 1
      Yes, it is.

      --
      E2 IN2 IE?

  140. Re:Typical misinformation... by jelle · · Score: 3

    I don't think it's about quality of the software.

    I think the basic problem here is what you mentioned yourself, that system administrators forget to remove (unnecessary) default accounts, or forget to patch for security bugs.

    What has always been part of the equation used for why the MS solution would be best (beating Unix) was the ease of use, and the resulting lower cost of ownership, because you could hire cheaper people for administering your systems, and those cheaper people would require less time per server to administer, because the OS was so user-friendly.

    That part of the equation has now, repeatedly, been proven to be faulty.

    --
    --- Hindsight is 20/20, but walking backwards is not the answer.
  141. Re:I used to worry about my CC info ... by Tech · · Score: 1

    I'm glad to see I'm not the only one who believes that. Credit cards are amazingly insecure, and inherently so. I find it hard to believe that in this age of paranoia, people still use credit cards at all.

    If I buy something from the local shop, there's nothing stopping the person behind the counter remembering my CC details and using them later for a mail order purchase. Even easier, he waits for me to leave, whips out the receipt, and copies off the details from there. We don't need plaintext email to make this an insecure system, it already is!

    I was thinking that there ought to be some sort of authentication system that would enable mail order transactions to be verified by the vendor before processing. For example, you might be issued with a list of authentication codes along with your card, then with each transaction you would use one of the codes and cross it off the list. The bank would allow each code to be used only once. This would also make telephonic orders more secure, since you could quote the authentication code quite easily (rather than trying to spell out a PGP encrypted CC number in binary). (I didn't put a lot of thought into this - just an example of a possible means of getting around the inherent risk of CCs.)
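
    As an added worked example (not from the post or Slashdot), here is what the issuer's side of the proposal above could look like: a sheet of single-use codes is printed once, the issuer keeps only keyed digests, and every code is accepted exactly once, so a copied number plus a reused code shows up as a replay. Class and function names, the code length and the card ids are assumptions made for the demo.

```python
# Issuer-side store for single-use transaction codes, as sketched in the post.
# Added example; names, code length and sample card ids are constructed.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 8  # length of each printed code (assumption)


def _digest(pepper: bytes, card_id: str, code: str) -> str:
    # Keyed hash binds the code to the card, so a leaked issuer table
    # (the scenario the thread is about) yields nothing a thief can quote.
    msg = f"{card_id}:{code}".encode()
    return hmac.new(pepper, msg, hashlib.sha256).hexdigest()


@dataclass
class CodeSheet:
    card_id: str
    unused: set = field(default_factory=set)  # digests not yet spent
    used: set = field(default_factory=set)    # digests already spent


class Issuer:
    def __init__(self) -> None:
        self._pepper = secrets.token_bytes(32)  # constructed per-issuer secret
        self._sheets: dict = {}

    def issue_sheet(self, card_id: str, count: int = 10) -> list:
        """Generate `count` distinct codes. The plaintext is returned once
        (to print for the cardholder); only keyed digests are retained."""
        codes = []
        while len(codes) < count:
            c = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if c not in codes:
                codes.append(c)
        sheet = CodeSheet(card_id)
        sheet.unused = {_digest(self._pepper, card_id, c) for c in codes}
        self._sheets[card_id] = sheet
        return codes

    def authorize(self, card_id: str, code: str) -> str:
        """Merchant submits the code the customer quoted. Each code is good
        exactly once; a second use is a REPLAY, the signal that number and
        code were copied (receipt bin, clerk, or an open database)."""
        sheet = self._sheets.get(card_id)
        if sheet is None:
            return "UNKNOWN_CARD"
        d = _digest(self._pepper, card_id, code)
        if d in sheet.used:
            return "REPLAY"
        if d not in sheet.unused:
            return "INVALID"
        sheet.unused.remove(d)
        sheet.used.add(d)
        return "OK"

    def remaining(self, card_id: str) -> int:
        """Codes left on the sheet; the issuer would mail a new one when low."""
        return len(self._sheets[card_id].unused)


if __name__ == "__main__":
    issuer = Issuer()
    card = "4111-demo-0001"  # constructed card id, not a real number
    sheet = issuer.issue_sheet(card, count=5)
    print(issuer.authorize(card, sheet[0]))        # OK
    print(issuer.authorize(card, sheet[0]))        # REPLAY
    print(issuer.authorize("other-card", sheet[1]))  # UNKNOWN_CARD
    print(issuer.remaining(card))                  # 4
```

    The same check covers the telephone case the post mentions, since the merchant only relays the digits the customer reads out.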

  142. Re:MS servers get cracked more because there are m by Tim+C · · Score: 1

    I work for a web design/hosting company in the UK, and the majority of the sites we host are hosted on Solaris boxes, with the database (if any) being Oracle Enterprise Edition.

    Yes, NT is pretty prevalent in the business world, but by no means is it the only server platform used for commercial websites.

    Tim

  143. Re:Windows 2000 by sherms · · Score: 0

    I disagree. The more crap they add on, the more can go wrong. Windows 2000 is too bloated.

    Sherm

  144. Re:Windows 2000 by sherms · · Score: 1

    Too big of a hurry

    0 0
    I
    \_/

    Sherm

  145. Re:Why Not Use Credit Cards over the Net? by eyeball · · Score: 1

    Actually, IIRC, it was actually a woman who was doing this.

    That's sort-of like the scam that occurred in a mall (in Connecticut I believe), where some guys rolled in a fake ATM machine. You would swipe your card, enter your pin, and it would say "Sorry, out of order. Please try somewhere else." Talk about a need for server authentication!

    --

    _______
    2B1ASK1
  146. Instructions for being Paranoid by wavelet · · Score: 1


    ... or obsessive compulsive.

    I agree that you should be cautious when using your credit card anywhere and check your statements etc. However, every day seems a bit much. I have several credit/debit cards. Checking all of them every day would mean I spend more time in overhead than any "savings" of having a credit card in the first place.

    Do you check your checking account every day? Do you check the stash of money under your bed every day too?

    1. Re:Instructions for being Paranoid by grantdh · · Score: 2

      .. or obsessive compulsive.

      True - could be said of that. Mind you, the card is used in my company, so yeah, I do check it daily (mostly 'cos it's almost always close to limit lately :)

      Do you check your checking account every day?

      The business ones, yes. My personal one? Shit no (mostly 'cos it's close to empty all the time :)

      You see, it takes about 5 - 10 minutes per day to check transactions against my accounts (two checking accounts, a transfer account, a cash management account and the credit card). Maybe it's paranoid or obsessive/compulsive, but then again, maybe it's 'cos I'm running a company? (My other company has an accounts person - he does the checking for me on those accounts and I just take a peek at the current balances, etc :)

      Do you check the stash of money under your bed every day too?

      Shit no - I ditched that ages ago. Too insecure - the cockroaches were robbing me blind. As to the uncut diamonds in the fish tank - now that's a different matter :)

      --

      I left my body to science, but I'm afraid they've turned it down...
  147. credit cards easily availible by Pyromage · · Score: 1

    I work at a local computer store and sometimes cashier. Essentially, it is much easier to steal it from there on paper than it is to do a crack online.

    Look at this: I have a big red bin sitting up on the counter where every receipt goes, organized by card provider (Visa, etc.). Sitting right out on the counter. Hundreds of receipts with the complete info: the number, the expiration date and the customer's name. Anyone can come and rip off a ton, if they want, and no one would suspect for a LONG while. Also, the cameras were recently added: that is, there have been years where there was no kind of security whatsoever. And no one actually monitors the cameras now, either.

    It is far less difficult to rip it off the old fashioned way than to crack. Worry about the REAL world, the digital one is safe.

    Now, leaving out the password is insane; this does not make it any easier than stealing it from the store. Caution is pointless when both are equally vulnerable.

    Just another perspective.

  148. Re:Trust Based Method Open to Abuse by mindstrm · · Score: 2

    Yes.
    My primary complaint is that there is no other easy way for me to buy stuff online...

    And.. as for merchants earning my trust.. I firmly feel it is the responsibility of the CARD ISSUER to trust the merchant, and it is not my problem. If someone tells me I can pay with my card, and we agree on a transaction, then that is the only transaction I am responsible for. If the merchant steals my number and uses it fraudulently, it's not my problem whatsoever, it's Visa's.

  149. Re:Why Not Use Credit Cards over the Net? by mindstrm · · Score: 2

    1) You get your money back instantly.. or rather, if you actually READ your bill before paying, you never even pay anything.

    Yes.. a clerk could do it, and a kiddie could do thousands... but so what? This doesn't hurt the consumer, it hurts the card issuer, and by contract, the merchant.

    Also.. they don't 'withdraw' money from your account.. they 'charge' $5 in credit.. which you can just refuse to pay.

  150. Re:Why Not Use Credit Cards over the Net? by mindstrm · · Score: 2

    Okay...
    But did you call the card issuer instead? If bogus charges appear on your card (which, I believe, includes any incorrect charges) the issuer will immediately revoke them and put the onus on the merchant to sort it out. It is the merchant that should be put out by this.. not you.

  151. Re:What we really need... by mindstrm · · Score: 3

    Why?
    It's not the consumer's problem. The whole reason for using a credit card is BECAUSE Of fraud protection.

    The merchant is held responsible. The consumer does not have to pay unless the merchant can PROVE that it was them who initiated the transaction. If the consumer says 'I didn't do this' and the merchant can't prove it, VISA doesn't pay the merchant...
    So.. VISA is protected.. and the consumer is protected.
    And it's up to the merchants to protect themselves.


    So if someone steals the AOL customer database.. who gives a hoot? It won't put any customers out any..

  152. Re:Card Companies need to get wise. by mindstrm · · Score: 3

    Actually, many already do.. the problem is, they are too easy to circumvent.
    ie: if you already have a storefront, and a merchant account, and then decide to do things online.. you don't need to tell visa.
    That, or some third party farms out transactions.. making it so you don't have to deal directly with visa.

    And all that aside.. VISA is not responsible... they clearly state that they do not have to honor any statement unless the MERCHANT can prove that the customer used the card legitimately (signature, basically). If a cardholder says 'I didn't do this' and Visa says to the merchant 'can you prove they DID?' and the merchant says 'no', then the merchant doesn't get paid. Period.

  153. Let's get a few things straight. by mindstrm · · Score: 4

    Not to cloud the issue.. but I think there is a simple cause and effect here that we need to remember.

    1) You are not responsible for fraudulent use of your credit card. Technically, and I forget the exact terms, you can be held liable for up to $50 of debt.. but this is never enforced. It may only apply if you know about the theft but do not inform the card issuer immediately (kind of makes it your fault then anyway..)

    2) The Credit card companies are the ones who bear the brunt of the financial burden for fraudulent use of cards. If their merchants are irresponsible, and cause them to lose money, it is up to them to deal with it. They are fairly lax about it, though, as if it was difficult to get a merchant account, then nobody would accept credit cards, and they would be out of business.

    3) It is between the Credit issuer and the authorized Merchants to deal with this issue, it is not up to the consumer/cardholder. Yes, the cardholder should behave responsibly, but at the same time, who tells us this? The CARD COMPANIES tell us this.. why? Because it lessens the burden on them.

    Remember.. one of the things card issuers use to get you to use their card instead of good old cash is FRAUD PROTECTION.. and that is the very beauty of credit (if there is such a thing..). You can buy online, and not get ripped off. If you buy with cash... ha.. you have no recourse.

  154. Re:Typical misinformation... by CerebusUS · · Score: 1

    You will notice that when you install most software these days that needs such facilities that it asks for a password during the install.

    This is the way it should be. If a user chooses a dumb password, that's different, but having a default is a good way to get bad PR, and companies that succeed in getting bad PR for that will earn no sympathy from me.

    SQL 6.5 _does_ ask for an SA password during install. These people obviously ignored it. The site admins are to blame, not Microsoft.

  155. My mistake -- you're a troll by DragonHawk · · Score: 1

    A browser may not be part of an operating system in some sense, but it's part of the Windows OS.

    Exactly my point. Linux follows a nice, modular design. Different parts of the system are nicely separated from other parts of the system. They work together, but are not forced together, as they are with Windows. So, if my browser goes bonkers on Linux, I can just kill it and restart it. But when MSIE goes south, half the time you have to blow away your whole login session just to kill the browser, because it is also the OS shell.

    Who said Win2K's backup couldn't understand its own filesystem. Am I missing something here?

    Quite a bit, apparently. Go back and read the web site I linked to. Which you obviously did not, which means you've been talking out of your nether regions this whole time. You're worse than an MS employee -- you're a troll. Go away.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:My mistake -- you're a troll by TummyX · · Score: 1

      ROFLMAO. You had me rolling around on the floor.

      Linux follows a nice modular design? Coming from someone who uses an OS based on a monolithic kernel.

      Windows has a much, much more modular design than Linux (COM+ etc).
      The point wasn't that you _couldn't_ separate IE, the point is that separating IE would ruin Windows.

      Just like vi isn't part of the Unix OS, but without vi it would make many things useless (like the man pages)...same with Windows, removing IE (a highly componentized product) would render the help pages useless.

      It's not a matter of technically not being able to remove it, it's a matter of removing it would make windows 2000 not windows 2000 anymore. It would be windows 2000 without .

      You're so ignorant.

  156. Backups by DragonHawk · · Score: 1

    I said I did an emergency restore of my wonko.com backup. NOT my hard drive backup.

    I figured a backup of your website would actually include your website. My mistake.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  157. Your own Win2K problems by DragonHawk · · Score: 2

    I think it's [Win2K] the best thing ever to come out of Microsoft.

    Could well be. That really isn't saying much. There is plenty of room for improvement in Windows. (Most would say that is an understatement.)

    For that matter, it's the best OS currently on the market.

    Really? You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers. SVCHOST.EXE started eating up all your RAM and CPU. Very interesting, that.

    You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager". So if you see something sucking up CPU time, you kill it. And if you need to find out what is wrong, you open up the source in the debugger and trace it. With Microsoft, when SVCHOST.EXE goes wonky, you do not and cannot determine what is wrong by examining the problem directly. You have to jump through hoops, like reinstalling the OS, for example.

    Another thing about Linux: Linux backup software can handle file names longer than eight characters. I guess in Micros~1 land, that is too advanced to do.

    I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:Your own Win2K problems by delmoi · · Score: 1

      Another thing about Linux: Linux backup software can handle file names longer than eight characters. I guess in Micros~1 land, that is too advanced to do.

      What the hell does that have to do with the OS? anyway, as far as I know, NT and 2k don't even need to use the whatev~1 style filenames at all.

      "Subtle Mind control? Why do html buttons say submit?",

      --

      ReadThe ReflectionEngine, a cyberpunk style n
    2. Re:Your own Win2K problems by Wonko42 · · Score: 2

      Really? You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers. SVCHOST.EXE started eating up all your RAM and CPU. Very interesting, that.

      That particular issue occurred while I was running Win2K RC2...a beta release. The issue was reported to Microsoft, and is fixed in the final release. As for running different OSes...despite my age, I've managed to use DOS, OS/2, OS/2 Warp, UNIX, Linux, FreeBSD, MacOS, GEOS, QNX, Win 3.0, Win 3.1, Win95, WinNT 3.51, Win98, WinNT 4.0, Win CE, and Win2K. So to answer your question, yes, I have used many different OSes.

      You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager".

      Funny you should mention that. In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.

      Another thing about Linux: Linux backup software can handle file names longer than eight characters. I guess in Micros~1 land, that is too advanced to do.

      Hmm. I guess you didn't read my article too well. I didn't use backup software to back up my files. I stuck the hard drives in a DOS machine and copied them that way...thus the reason for the lost long file names, since DOS doesn't support them.

      I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.

      When I made that statement, I was referring to the final release of Windows 2000, which I am now using. My previous problems, as I've stated before, were with a beta version of the OS. Bugs are to be expected in betas, just as bugs are to be expected in Linux's unstable development releases.

      --

    3. Re:Your own Win2K problems by x0 · · Score: 1

      Funny you should mention that. In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.

      Huge? To paraphrase another post: 'You haven't used Linux before, have you?' Unless, of course, you consider ~700k huge. Nor are there 'zillions' of other things in the kernel.

      --
      In the immortal words of Socrates, who said; 'I drank what?'
    4. Re:Your own Win2K problems by TummyX · · Score: 1
      Really? You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers. SVCHOST.EXE started eating up all your RAM and CPU. Very interesting, that.
      I find it very interesting that you assert Win2K is the best OS on the market, when you yourself have encountered problems Linux has never had, and never will.

      Uh, you've never used Netscape, have you?

      Another thing about Linux: Linux backup software can handle file names longer than eight characters. I guess in Micros~1 land, that is too advanced to do.

      Uh, you could always get 3rd party backup software (or did Linux write all of GNU himself?).

    5. Re:Your own Win2K problems by mattACK · · Score: 1

      Umm... Have you ever used the backup in W2k? It doesn't suck.

      --


      "My God, this must be a truly remarkable corn chip, to be so widely and confidently touted."
  158. You work for Microsoft, don't you? by DragonHawk · · Score: 2

    Me: You don't use many OSes, do you? According to your own website, you've had Windows 2000 go bonkers. SVCHOST.EXE started eating up all your RAM and CPU.

    You: Uh, you've never used Netscape, have you?

    You work for Microsoft, don't you? Well, in my book, the browser isn't part of the OS!

    You: Uh, you could always get 3rd party backup software (or did Linux write all of GNU himself).

    You miss the point. This guy goes around claiming Win2K is the best OS available, but its own backup program cannot understand its own filesystem? Yeah, I really want to trust my data to software of that quality.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:You work for Microsoft, don't you? by TummyX · · Score: 1

      What's the difference between having an exe and not having an exe.

      If I were Microsoft I'd go to hell with it and include the EXE and appropriate apps so my customers can use IIS technology to its fullest.

      Removing functionality purposely like that for no reason is RUDE.

    2. Re:You work for Microsoft, don't you? by TummyX · · Score: 2


      You work for Microsoft, don't you? Well, in my book, the browser isn't part of the OS!


      A browser may not be part of an operating system in some sense, but it's part of the Windows OS. It's as much a part of Windows 2000, as Windows Explorer was part of Windows 95. In Microsoft's mind, it's as essential as bash/tsh etc would be to redhat.
      So while it's not part of the kernel (what you would probably consider part of the OS) it's a major part of Windows, and is hugely important - windows would be useless without a shell for most people.
      Who cares if the shell just happens to be able to render HTML (just like most shells of yesteryear can render ASCII).

      IE technology & IIS etc. are important to Windows 2000 because they provide objects and libraries that are used by other parts of the OS: IE for HTML Help, its XML DOM, etc. IIS comes with MTS, which is becoming essential for load balancing and stabilizing COM+.

      This guy goes around claiming Win2K is the best OS available, but its own backup program cannot understand its own filesystem?

      Who said Win2K's backup couldn't understand its own filesystem. Am I missing something here? Since when was Windows 2000's backup program restricted to 8.3?

  159. The Linux kernel and monolithic programs; more by DragonHawk · · Score: 2

    Me: You see, there are no mystery processes under Linux. There are no huge, monolithic programs that are part of the system. No single, huge "System Services Manager".

    You: In fact, my friend, that is exactly what the Linux kernel is. Yes, the Linux kernel is a huge, monolithic program (thus the term "monolithic kernel") that contains a good deal of Linux's device support as well as a zillion other things.

    Not quite the same thing.

    Yes, the kernel is a monolithic kernel. That refers to the design of the memory management and scheduling of the kernel. All parts of the kernel share the same memory space and are scheduled together. This is one of the reasons Linux performs so well -- the kernel isn't preemptable, so there is no overhead of task switching in the kernel.

    However, the kernel is still nicely modularized into separate components for software maintenance, and compiles to a small binary that performs one task -- low-level device abstraction -- well. True, all of your low-level device abstraction is happening in the same program, but there really isn't a way around that. Device drivers have to have kernel privileges.

    Comparing that to what I was referring to -- the many "monolithic" userland programs in Windows -- is an error. I was referring to the fact that there are a great many "do it all" processes in Windows which are essentially opaque, such as SVCHOST.EXE. You have no idea what they really do. You cannot get inside them to diagnose problems. They are a magic black box, which you are forced to trust. Hence the term "monolithic". Sorry if my usage confused you.

    Now, there are various projects to include userland functionality -- knfsd, for NFS service, and khttpd, for web service -- in the Linux kernel, but I consider them the wrong solution to a problem. Fortunately, I don't have to include them in my kernel -- I can easily exclude them at compile-time, or not load them if I'm using pre-compiled modules.

    That is another thing you cannot do with Windows -- you have to accept Microsoft's choices for what is and is not in the kernel. Such as the graphics layer. Originally, NT 3.x did not include the graphics subsystem in the NT kernel. This is one of the reasons NT 3.x was so slow, but it did mean better stability. However, MS decided to move parts of the GUI into the kernel itself with NT 4. This made things faster, but means there is a lot more that can go wrong in the critical kernel code.

    Hmm. I guess you didn't read my article too well. I didn't use backup software to back up my files.

    Hmmm. I guess you didn't write your article too well. I quote, "...installed Win2K, did an emergency restore of my wonko.com backup (which, luckily, was totally up to date)." Sure sounds like a Win2K backup program to me! How was I supposed to know that a totally up-to-date "backup" really meant you did a file copy after the problem happened? To me, a backup is something you do before problems occur.

    (And before you start jumping up and down about your usage of "DOS" in the next sentence, realize that: MS still uses DOS today in some of its products. MS supports DOS programs under NT. MS has system recovery procedures that work with NT using DOS. Using a DOS-based program to run a system restore program is something they've done in the past. I didn't know you meant the actual MS-DOS(TM) product running instead of NT. I didn't think anybody still used stand-alone DOS.)

    When I made that statement, I was referring to the final release of Windows 2000, which I am now using. My previous problems, as I've stated before, were with a beta version of the OS.

    That is very true, but I believe the problems I describe are flaws in the design of MS-Windows, of which your problems are only examples. Windows still follows the same design approach, and I believe it will still cause problems.

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
    1. Re:The Linux kernel and monolithic programs; more by Wonko42 · · Score: 2
      Hmmm. I guess you didn't write your article too well. I quote, "...installed Win2K, did an emergency restore of my wonko.com backup (which, luckily, was totally up to date)." Sure sounds like a Win2K backup program to me! How was I supposed to know that a totally up-to-date "backup" really meant you did a file copy after the problem happened? To me, a backup is something you do before problems occur.

      Yet again, the problem here is you not reading things correctly. I said I did an emergency restore of my wonko.com backup. NOT my hard drive backup. The wonko.com backup was a backup file made by IIS that contains all the settings for the web site. It contains NO files. Just settings. THAT is what I restored. Try to actually read the sentence before you start jumping down my throat.

      --

  160. Re:You need to have standing by Mr.+White · · Score: 1


    It looks like it would not be difficult to prove that MS-NBC took part in the intrusion of remote systems. That is illegal. But to bring a suit you need to have legal standing to do so. The companies mentioned in the story have that standing but I'm sure MS-NBC got around that by getting an agreement with the given companies, for example.

  161. Security Models by dieMSdie · · Score: 2

    I was very amused by this article. I warned (and warned, and warned...) my former employers of such possibilities, yet they went the MS SQL route anyway.

    I think at the heart of this is the age-old debate: Open-Source/UNIX vs. Closed Source/NT/WinX. Before everyone starts flaming, or yelling "MS basher!", let me explain...
    I've noticed that most *nix software ships with a very tight setup by default. You have to specifically enable things. You have to open those ports that you want opened. And your admin needs to have a clue.
    Now, with an MS solution, things are a bit different. Turn it on, click here, type in some info - and HEY! you've got an E-Commerce site up! And if you are not well-versed in security, and/or pretty clueless about the internet - you could be in big trouble, as the MSNBC article points out.

    My point is, you don't have to know much about IT stuff to set up an E-Commerce site using this software. You don't have to know anything about security. And this leads to the sort of things we are seeing now. "Ease of use" on the desktop is just fine... but I think they have carried it a little too far on the server end.


    I agree with many of the other posters though, this is not entirely Microsoft's fault. I think the blame should mostly fall on the PHB's hiring clueless admins.

    --
    Don't throw your computer out the window, throw the Windows out of your computer!
    1. Re:Security Models by jesser · · Score: 1
      I've noticed that most *nix software ships with a very tight setup by default. You have to specifically enable things. You have to open those ports that you want opened. And your admin needs to have a clue.

      Is there a website that will automatically test your security setup for you? I've heard other people say that default Linux setups aren't terribly secure, and I'd like to know how secure my Linux setup is (once that 17" monitor I ordered for my P120 finally comes). There is a site that does this for Windows setups (it was able to get my ethernet card number, my Windows login name, and my network name).

      --

      --
      The shareholder is always right.
  162. Re:Don't be a moron.. by dieMSdie · · Score: 2

    And you totally missed my point...

    Any moron can set up an E-Commerce site with IIS, whereas to set up PHP/MySQL/Apache takes a little bit more understanding and working knowledge of the Internet.
    You tend to pay more attention to security when you have to learn HOW it all works, rather than point-and-click your way online.

    --
    Don't throw your computer out the window, throw the Windows out of your computer!
  163. Re:Don't be a moron.. by dieMSdie · · Score: 2

    I wouldn't say "obscurity of setup" perhaps. Would be much better if even ONE, yes just 1, PHB learned from this incident, and hired an admin who knew what he/she/it was doing.
    I have seen a lot of "admins" passing themselves off as professionals in the IT field, when they knew next to nothing about how any of it worked. And most of them were NT admins. I am not bashing NT admins as a whole, but it is much easier to pass yourself off as a Professional with NT than with Linux, IMHO.


    Compare and contrast Rob Malda to such. If he had not taken the time to learn how it all works, would we not see "Y0u are 0wn3D!" on the /. homepage quite frequently? :)

    --
    Don't throw your computer out the window, throw the Windows out of your computer!
  164. MS Bashing by tomreagan · · Score: 2

    RedHat 6.1 has rsh, rlogin, and rcp turned on. As well as an lpr package with holes, and numerous other security problems. MacOS 9 shipped with a bug in the TCP/IP stack that brought the machine down with one UDP packet to a high-numbered port. And when you compile MySQL, it doesn't make you put a password on the root account by default.

    CowboyNeal calls it an irony alert that the servers were running SQL server. That's not ironic, it's stupid. Not putting the database servers on the other side of a firewall or inside a private IP network is dumb. SQL server, while perhaps difficult to configure, is not dumb. It might not be the best database server; that doesn't make it stupid. It is easier to develop for because there are a great number of high quality development tools.

    This is just poor security. Stupid mistakes. RedHat, Apple, and people like you and me make them all the time, doing things that most of us would consider stupid out of context. It's not evidence of MS stupidity or inadequacy. It's just plain dumb.

    If you don't trust other people to be perfect, then don't give them your credit card. Develop secure payment algorithms that don't require card number transmission. But don't bitch about MS. It sounds so fscking stupid when you do, and it makes people like us (you know, "Open Source", "Free Software", "Linuxheads", "BSDers", "Technophiles", "Abused High-Schoolers" or whatever is our Label of the Day) sound like crybabies.

    Just put your shoulder to the wheel, your nose to the grindstone, and build something. When you're done, start over. That's how we will make the world a better place.

  165. and don't even start me... by Robert+S+Gormley · · Score: 1

    ... on the moderator who marked this troll.

    --

    Open Source. Closed Minds. We are Slashdot.

  166. kernel graphics by delmoi · · Score: 1

    Linux has graphics in the kernel now too, dumbass. (yes yes, you can turn it off...)

    "Subtle Mind control? why do html buttons say submit?",

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  167. Re:cause it is by delmoi · · Score: 1

    How easy is it to setup a share, setup permissions and allow user X to have access in Linux?

    Um... try typing 'adduser' at the command line? Doesn't sound too hard to me...

    Well, I really don't know that much about security anyway. I'd probably go with OpenBSD if I was going to give people user accounts, I mean if you have compile access I would think you'd probably be able to crash the computer at least.

    "Subtle Mind control? why do html buttons say submit?",

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  168. Re:Why Not Use Credit Cards over the Net? by delmoi · · Score: 1

    A clerk could copy your number, while a cracker could copy thousands with the same effort

    I think you have a pretty warped idea of "same effort". Although I do know you can get CC#'s off IRC just like MP3's and warez (cardz).

    "Subtle Mind control? why do html buttons say submit?",

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  169. Linus and his minions by delmoi · · Score: 1

    The Linux kernel has no defaults. It's all a matter of distribution defaults. If I wanted a no-hassle, but possibly insecure setup for home use I could go Red Hat. Or I could get Caldera or something with better built-in security, but more hassles.

    With MS there is only one option.

    "Subtle Mind control? why do html buttons say submit?",

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  170. Rather funny (possibly redundant :) by kubrick · · Score: 1

    One of the images on this article has the ALT tag "Point, Click and Shop @ MSN Shopping"....

    Now surely that's the *last* thing you'd want to be doing on an MS server after reading this article :)

    kubrick

    --
    deus does not exist but if he does
  171. Re:Windows 2000 by SEWilco · · Score: 1

    Actually, if you read the article and know a little about networking it is obvious that the problem is a combination of web site design, application configuration, network configuration, and MS-SQL configuration. The operating system is only an issue in how it can or cannot be used for the network configuration issues.

  172. Windows 2000 by SEWilco · · Score: 3
    Well, Windows 2000 will surely fix all these network security problems.

    :-)

    1. Re:Windows 2000 by Wonko42 · · Score: 2
      Have you ever used Windows 2000? Eh? What's that? No? Then what's all this "too bloated" crap you're spouting? Go use the thing first, silly. Then you can spout your misinformed opinions. I've used Windows 2000 as a server for almost a year now (yes, starting with the early betas) and I think it's the best thing ever to come out of Microsoft. For that matter, it's the best OS currently on the market.

      --

    2. Re:Windows 2000 by Wonko42 · · Score: 2
      Complete and utter bull. I run wonko.com on a Windows 2000 Server, and the machine it's on is a Pentium 166 with only 64 megs of RAM. It runs fine. That machine serves up web pages as well as running Microsoft SQL Server 7.0, and it's speedy as all get-out. If you had problems, they were most likely caused by not configuring things correctly.

      --

    3. Re:Windows 2000 by Wonko42 · · Score: 2
      By your logic, everyone should buy one computer at an early age and then never upgrade it again, and all software companies should write software that will run on that old piece of crap computer even though technology has advanced considerably. Yeah, right. Doing things that way will only bog down technological advancement.

      By developing software that runs best on newer equipment, software-makers cause more demand for the new equipment, which then prompts hardware-makers to put more money into developing even newer equipment, which is the only way technology ever gets anywhere. I, for one, like this course of events. If you're too poor to be able to save up for a little while and buy a new processor, well, what are you doing playing with computers?

      I bought my current machine for less than $700: a Celeron 300A OC'ed to 450mhz, running on an ABIT BH6 motherboard, with 128 megs of RAM and 37 gigs worth of 7200rpm IDE hard drive, SoundBlaster Live!, and a Riva TNT AGP video card. Yes, less than $700, and it runs all the latest software without flinching. And I'm a high school student with a low-paying part-time job. If you can't afford that, then perhaps you need to think about getting a better job.

      --

    4. Re:Windows 2000 by blowdart · · Score: 1

      Can't remember if it's SQL 7, or 7.5 (in beta) but it specifically asks you if you want to leave the sa password blank.

    5. Re:Windows 2000 by TheTomcat · · Score: 1

      I can attest that it IS bloated.
      I WAS trying to run windows2000 SERVER on my Cel.333/64MB ram. X runs GREAT on this box. Windows2000 swaps every time I type. Apparently, it wasn't designed to work on anything less than 128MB RAM.

    6. Re:Windows 2000 by SpaceCadet · · Score: 2
      Actually, it does and it doesn't. By default, unless you change the options during install, Telnet doesn't even run. If you run it, then by default localhost and Windows 2000 machines in the same domain don't need to authenticate, but any other machine won't be able to connect. Or, you can set a lower security option to use password authentication. It's not too bad, actually; I've been running the various versions from RC1 through 2195 (RTM final) for months now, and it actually kicks ass. Beats NT hands down, 98 no question, and even Linux on some tasks.

      Of course, that just got this comment labeled a troll because it doesn't proclaim it to suck, but hey - the truth hurts. Deal.

      --
      -- The meek shall inherit the Earth. In very small plots, about 6 feet by 3.
    7. Re:Windows 2000 by nicodmus · · Score: 1

      Umm, no. Most serious applications require you to enter your own superuser passwords. A quick example is a vanilla install of an Informix database. One of the first things the install does is ask you for an admin password. If you don't specify one, it sets a default, but if you accept this, it will throw an obvious warning screen informing you of your decision and asking you if you would like to proceed with this password. It is that simple. I've never installed SQL Server before, so I cannot comment on its install procedure.

    8. Re:Windows 2000 by blakestah · · Score: 1

      Actually, if you read the article, it is obvious the problem is the install program leaves a gaping hole in the database to the outside world. This enormous gaping hole must then be removed by a sys admin who should have noticed the security update two years ago.

      How can ANYONE not blame this one on Microsoft ? It is just totally unconscionable to have your enterprise-ready e-commerce
      database package install in this way.

    9. Re:Windows 2000 by blakestah · · Score: 1

      The OS I am running to make this post was installed with my choice of a password. And besides, I was given the choice of exactly which services to place on the net BEFORE they were started.

      ANY software package that is going to serve to the net HAS to install with user chosen passwords, or HAS to install without outside access capable. To think otherwise is quite foolish.

      MySQL from Microsoft installs with an account with NO password. This is apparently not publicized very well, or else some 2500 people wouldn't have had their credit card info revealed by MSNBC, and anyone else who cares.

    10. Re:Windows 2000 by Sadfsdaf · · Score: 1

      I think the original post was sarcastic. hard to tell on the internet without facial expressions...

    11. Re:Windows 2000 by Poppa+Squirl · · Score: 1

      What was this article about again? Oh who cares... I hate Microsoft!

      --
      - -- ---Poppa Squirl--- -- -
      "If the hole is too small, the hamsters won't fit."
      -Anonymous
    12. Re:Windows 2000 by thetbone · · Score: 1

      Vaporware refers to pre-marketing of software that doesn't exist. Windows 2000 does exist and it has already been released to manufacturing.

    13. Re:Windows 2000 by unDees · · Score: 1

      Actually, I run Red Hat 5.1 with X Windows on a 486 DX133 and 16MB RAM. Runs fine. Hell, it was even (barely) runnable on my old 33 MHz machine, though the 8 MB of RAM was a little snug. Ha!

      --
      "I call a baby goat a 'goatse.'" -- my non-Internet-savvy 6-year-old stepdaughter
    14. Re:Windows 2000 by fsck · · Score: 1

      Ha Ha, see what you posted is off their web site; it's a mix of what they like to call "minimum requirements" and "recommended requirements". Check this out off my pirated copy of win2k "pro" final (no, I'm not running it as an OS):

      ----------------------------------------------------------------------
      Meeting Hardware Requirements
      ----------------------------------------------------------------------

      Before you install Windows 2000, make sure your computer meets the
      following minimum hardware requirements:

      * 133 MHz Pentium or higher microprocessor (or equivalent).
      Windows 2000 Professional supports up to two processors
      on a single computer.
      * 64 megabytes (MB) of RAM recommended minimum.
      32 MB of RAM is the minimum supported. 4 gigabytes (GB) of
      RAM is the maximum.
      * A 2 GB hard disk with 650 MB of free space.
      If you're installing over a network, more free hard disk
      space is required.
      * VGA or higher resolution monitor.
      * Keyboard.
      * Microsoft Mouse or compatible pointing device (optional).


      See the part about minimum ram amount supported! hahahahahaha

      --

      Lars - ...I could always phone Linus when I had a problem.
    15. Re:Windows 2000 by aliebrah · · Score: 1

      What the hell were you doing installing W2K server on 64 megs of RAM. Had you actually bothered to READ the system requirements you'd have noticed that you should be installing it on minimum 256 megs of RAM.

    16. Re:Windows 2000 by VoodooBird · · Score: 1

      I think you'll find that 2D graphics suck by default on PPros. Remember the big bitchfest that happened when ppl tried to run Quake on their Pentium Pro machines, only to find that Pentiums of the same CPU speed produced better graphics? There are workarounds. The big question is, why are you running games on an operating system that cannot, in our wildest fantasies, be called a desktop OS?

      --
      VoodooBïrd
  173. Re:Typical misinformation... by Nodatadj · · Score: 2

    Funny that,
    I always wonder that same thing myself.

  174. Typical misinformation... by Wonko42 · · Score: 5
    Yet again, Slashdot spews out anti-Microsoft FUD with as much fervor and skill as Microsoft spews out anti-Linux FUD.

    People, the credit card numbers that MSNBC stole were not stolen through a "cracked" database. MSNBC did no cracking of any kind, and therefore the security of MS SQL Server is not the issue. The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active. The "sa" account is included in SQL Server merely to allow the software to be set up. It is not meant to be left active on a server connected to the web.

    Try cracking a Microsoft SQL Server that's been configured correctly, by someone who actually has half an idea what they're doing. It's just as impossible as cracking any other database solution...in fact, I'd venture to say MS SQL Server is even more secure than most other database servers.

    Furthermore, the "::$DATA" vulnerability was only in IIS4. Microsoft patched that bug over two years ago, and anyone stupid enough to still be running an unpatched IIS4 server is just asking for trouble.

    --

    1. Re:Typical misinformation... by ajs · · Score: 2

      Yes, they can be held to blame.

      VMS learned the hard way, back in the 80s that you just don't leave default passwords lying around, even if you think your users might be smart enough to change them.

      You will notice that when you install most software these days that needs such facilities that it asks for a password during the install.

      This is the way it should be. If a user chooses a dumb password, that's different, but having a default is a good way to get bad PR, and companies that succeed in getting bad PR for that will earn no sympathy from me.

    2. Re:Typical misinformation... by ajs · · Score: 3

      Every product on the market gets this kind of PR hit when it ships with a glaringly stupid default (like an sa account that you don't have to go out of your way to leave open). People break in, and the product is blamed. This can be said for many FTP servers under UNIX/Linux, MS SQL and a gob of others.

      MS deserves bad press for such a stupid blunder as would any other company or development effort.

    3. Re:Typical misinformation... by chazR · · Score: 3

      I agree entirely. Particularly...

      The issue is, once more, the people who stupidly set the sites up and left the default "sa" account active.

      I usually work with Oracle databases. I am still astonished every time I find I can log in to an Oracle database as either SYS or SYSTEM. Given that the default SYS password is ChangeOnInstall, you have to wonder about the people running the systems. I guess that more than 10% of Oracle databases are misconfigured like this.

      Don't even get me started about the DB2 database I found on a net-facing S/390 that still had the default admin password.

      Is this Oracle's (or Microsoft's, or IBM's) fault? NO - it is the fault of the halfwit DBAs who bullshit their way into jobs that are way beyond their ability. The 'differently intelligent' managers who hire these people should also be held to account, except their mental age relieves them of criminal culpability.

      PS - I actually quite like SQL Server. Every time a client specifies a really slow, memory intensive RDBMS, I specify SQL Server. It hasn't happened yet.
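The blank sa password discussed in the parent post and the SYS/SYSTEM logins in this one are the same failure: a default credential that survives installation. The audit below is an added example for this thread, not code from either poster or from any vendor. It walks a table of known default logins through a caller-supplied try_login callback, so it can sit on top of whichever client library you have; the fake connector and the account tables it is run against are constructed for offline use. The sa/blank and SYS/CHANGE_ON_INSTALL pairs come from the thread; the SYSTEM/MANAGER pair is an assumption added here.

```python
import hmac
from typing import Callable, Dict, List, Tuple

# Default logins to test. sa with a blank password and Oracle's
# SYS/CHANGE_ON_INSTALL are named in the thread; SYSTEM/MANAGER is an
# added assumption. Extend the table for the engines you actually run.
DEFAULT_CREDENTIALS: Dict[str, List[Tuple[str, str]]] = {
    "mssql": [("sa", "")],
    "oracle": [("SYS", "CHANGE_ON_INSTALL"), ("SYSTEM", "MANAGER")],
}

# Callback contract: (user, password) -> True if a connection succeeded.
TryLogin = Callable[[str, str], bool]


def audit_default_logins(engine: str, try_login: TryLogin) -> List[Tuple[str, str]]:
    """Return every default (user, password) pair the server still accepts.

    try_login wraps whatever client you have. An empty result means none of
    the known defaults work; it proves the password was changed, not that
    the replacement is strong.
    """
    accepted = []
    for user, password in DEFAULT_CREDENTIALS.get(engine, []):
        if try_login(user, password):
            accepted.append((user, password))
    return accepted


def fake_login(accounts: Dict[str, str]) -> TryLogin:
    """Constructed stand-in for a database client.

    accounts maps user -> password for the pretend server, so the audit can
    be exercised without a network. A real callback would attempt a connect
    and return True only when it succeeds.
    """
    def try_login(user: str, password: str) -> bool:
        stored = accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)
    return try_login


if __name__ == "__main__":
    # A server whose installer left sa blank, as in the MSNBC story.
    print(audit_default_logins("mssql", fake_login({"sa": ""})))
    # An Oracle instance where SYS was never changed but SYSTEM was.
    print(audit_default_logins(
        "oracle", fake_login({"SYS": "CHANGE_ON_INSTALL", "SYSTEM": "changed"})))
```

For a real SQL Server target the callback is a connect attempt (for example a pyodbc.connect call with UID and PWD set, returning True if it does not raise); run it only against systems you are responsible for, and keep in mind that a few failed attempts can trip lockout policies on hardened accounts.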

    4. Re:Typical misinformation... by SpaceCadet · · Score: 1
      IIS gets hacked a new way twice a month. And Microsoft releases a "hot fix" and says that the software is now bug-free... Only to be proven wrong.

      Wrong. Reviewing the Microsoft Security list, there's an average of two to three "Bulletins" a week. Those usually consist of an error report, an update, and then a fix. That's for ALL Microsoft web software, be it old versions of IE, IIS, SQL, whatever. And nowhere does it say the software is now "bug-free," it just says the current known vulnerabilities are fixed. Which is true.

      Outlook Express runs ActiveX Components in emails ! Why the f*** is html being used in emails anyway ? And why put windows only stuff in html ?

      Because not everyone shares your views. I prefer plain text email. My boss prefers HTML. That's his right. I also prefer pseudo-HTML "humor" tags to smileys. He prefers smileys. They're both incorrect grammar, but who cares. If your mail program can't handle it, don't complain to the user. It's *YOUR* problem. Not theirs.

      IE has some of the same ActiveX and other security related problems. And it is so damn annoying.
      IE: "Now we are going to setup an internet account"
      USER: "But i have already setup my dial-up connection"
      IE: "I DONT FUCKING CARE. ITS MY WAY OR THE HIGH WAY"

      Proving you're talking out of the side of your face and have no idea what you're talking about.
      Option 1; Sign up for new Internet Account.
      Option 2; Modify existing dial-up networking.
      Option 3; Use Existing Settings

      IE: "Now we are going to dial up to your internet connection. 'cuz you clicked on the Internet icon on your desktop"
      USER: clicks cancel, as he is wanting to access his lan
      IE: "Operation aborted, Offline"
      USER: types http://192.168.0.53 in his browser
      IE: "Now we are going to dial up to your internet connection."
      USER: Clicks cancel once again
      IE: "Operation aborted, offline"
      USER: "Grr"

      Wait just a minute. You can (as you seem to be claiming) configure Linux to do all this, but you can't figure out Microsoft Networking? Get real. You haven't tried. Configuring Microsoft - any flavor - is simple - define your IP, Gateway, and netmask. If those are correct, then there won't be a problem.

      --
      -- The meek shall inherit the Earth. In very small plots, about 6 feet by 3.
    5. Re:Typical misinformation... by god_of_the_machine · · Score: 1

      Can MS really be held responsible for bluntly stupid users? It's no different from setting the root account password to blank or the company name.

      What else can a company do (be it Red Hat or MS)? You need a password to set everything up and testing... I suppose there could be an alert or something that warns that the sa/root accounts are open... but that would be a threat in itself.

      --

      -rt-
      ** Evil Canadians are taking over the world. Learn about the conspiracy
    6. Re:Typical misinformation... by Erchie · · Score: 1

      Yet again, Slashdot spews out anti-Microsoft FUD with as much fervor and skill as Microsoft spews out anti-Linux
      FUD.


      So what? Isn't that ironic? Killing Microsoft with its own sword is another nuance of "an eye for an eye." It is interesting to note that Microsoft didn't even "innovate" the evil art of FUD. They just took it to new heights after IBM invented it. Now it is being turned on them, in spades. I believe that is what is called "poetic justice."

      --
      Erchie
    7. Re:Typical misinformation... by e7 · · Score: 1

      I work with one of the "halfwit DBAs" you mentioned. It's a real shame ...

      I'm a junior programmer, so if I don't know how to do something, I tell the interviewer honestly up front that I don't know but can "probably figure something out." Given the current tech labor shortage in Silicon Valley, sometimes I get the contract anyway. Then whatever happens becomes entirely the manager's fault. ehhehe heh heh ...

      --
      Corollary to Moore's Law: The IQ of new computer owners is declining.
    8. Re:Typical misinformation... by VelvetHammer · · Score: 1

      Exactly. However, two misfortunes occurred here.

      1) The administrators of the system(s) affected are incompetent/lazy/stupid/etc, and did not take any time to configure security on their SQL Server. They also neglected to patch IIS for a security bug that is years old. No excuses for any of this. These individuals should be fired for blatant incompetence. (My guess is that these individuals had (no?) supervisors with any technical experience.)

      2) The manner in which MSNBC phrased the fact that MS SQL Server was being used seemed to place blame on the product itself. (Furthermore, I am guessing that many people will stop reading the article right there, and go spewing MS SQL Server FUD.) I think that MSNBC should have placed more emphasis on the sloppy sys admin work that was done than on the product being used.

      Additionally, the industry needs better guidelines for consumers of our [consulting/development] services to judge us by. When we can be ranked on similar scales, then the consumers of our services will get more bang for the buck. It is unfortunate that unscrupulous/incompetent individuals pass themselves off as otherwise...

    9. Re:Typical misinformation... by dillinger44 · · Score: 1

      is there something intelligent that you forgot to post? i'm not sure how successfully you are demonstrating someone else's ignorance when you are betraying a rather mundane intellect yourself...dicksmack

  175. Re:2 questions about CC's by JatTDB · · Score: 1

    There's a number of reasons why the server would store the credit card number:

    -If a customer calls to confirm the order and the credit card number used
    -For repeat shoppers so they don't have to enter the information every time
    -For "just in case" stuff, so there is a complete audit trail of everything that happened if they ever need to know
    -Plus a lot more that I don't feel like thinking up right now.

    As far as the number on the card...at least once a month I go into some gas station and find that their reader is malfunctioning and won't read the strip properly, and they have to punch in the digits manually. Of course, you could counter this with having the cardholder remember the omitted sequence of numbers, but most people in the world are stupid and lazy and don't like to remember things, especially when it's an assigned number and not a number they chose themselves.

    --
    "That's Tron. He fights for the Users."
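Most of the reasons JatTDB lists do not need the full card number on the web server: the last four digits are enough to confirm an order over the phone, and a keyed hash lets the site recognise a returning card or match an audit record without being able to reproduce the number. (Charging a stored card again is the one case that does need the number somewhere; that belongs with the payment processor, not the shop's database, and is not shown here.) The code below is an added example, not part of the post; the key and the card number in it are constructed test values, and a real deployment would load the key from a secrets store rather than a literal.

```python
import hashlib
import hmac

# Constructed demo key. In production this comes from a secrets store or
# HSM; its secrecy is what makes the lookup tag unguessable, because the
# space of 16-digit card numbers is small enough to enumerate otherwise.
DEMO_LOOKUP_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check on a primary account number given as a digit string."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_lookup_tag(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN, used to recognise a card without storing it."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def card_reference(pan: str, key: bytes) -> dict:
    """What the order record keeps instead of the card number itself."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return {
        "last4": pan[-4:],                              # for phone confirmation
        "masked": "*" * (len(pan) - 4) + pan[-4:],      # for receipts and screens
        "lookup": pan_lookup_tag(pan, key),             # for "same card?" matching
    }


def same_card(record: dict, pan: str, key: bytes) -> bool:
    """Constant-time comparison of a presented PAN against a stored reference."""
    return hmac.compare_digest(record["lookup"], pan_lookup_tag(pan, key))


if __name__ == "__main__":
    # 4111111111111111 is a well-known constructed test number, not a real card.
    ref = card_reference("4111111111111111", DEMO_LOOKUP_KEY)
    print(ref)
    print(same_card(ref, "4111111111111111", DEMO_LOOKUP_KEY))
```

If the database is dumped, as in the MSNBC story, the attacker gets masked numbers and HMAC tags; without the key the tags cannot be turned back into card numbers, which is the whole point of keeping the key on a different system from the order data.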
  176. Right on. by Tony-A · · Score: 1

    I think my main gripe about Microsoft is that they seem to raise mediocrity to an aspiration. This somehow makes technophobes (PHBs and MIS directors) feel more comfortable.

  177. What we really need... by seibed · · Score: 1


    There should be an outside agency that conducts audits of security systems and then gives it their public stamp of approval, not so much to say "this web site uses good software for your transactions" but more of a "This web site has been put through a base test of common methods for hacking/cracking and has passed."

    The agency is neutral and allows a little icon in the corner of the web page to show that the server has been checked. This would give confidence to the consumer and the companies selling over the internet could use it as a selling point, e.g. our servers have been audited by the "Guardian" security services.

    Probably a good business opportunity for someone.

    Edward

    1. Re:What we really need... by seibed · · Score: 1

      If this is the case, then why don't we just publish credit card numbers freely?
      I don't have a problem shopping on line, but I would feel a lot better about buying from a store that won't get hacked/cracked the next day as then I would have to deal with the credit card company

      If they steal my card:
      probably many hours on hold with the credit card company
      then a couple of hours explaining to ten different people that I didn't have a DVD player shipped to Honduras
      then a 2 week wait for a new Credit card

      I just don't want to deal with all that.



      Edward

  178. Re:And then we accuse MS of FUD ? by blowdart · · Score: 1

    And additionally use Trusted Connections. Trusted connections use the NT login that the user/IIS process is running under. No passwords need to be stored. This is just a config option.

    The worst ones I've seen are sites using Frontpage *shudder* to store credit cards in clear text files in a sub directory off the web root. Mind you they were spammer sites, so tough noggies :)

  179. Re:Good tactic by Breace · · Score: 1

    My method to detect e-mail spam is to give companies companyname@mydomain.com as my email address

    I do exactly that too! What was really funny was when I needed to call Bank of America tech support because I couldn't get access to my account: they were REALLY friendly, like to an absurd level.

    I couldn't figure it out until the guy asks, like, 'you ARE with BoA rite???'. I'm, of course, answering 'no'. And he says, Ohhh, I thought from your email address (bankofamerica.com@mydomain.com) you were with our company!

    Must have been their 'internet-guru'... ;)

    Breace.

  180. Re:Online checks are still worse by Breace · · Score: 2

    As others have pointed out in different responses, it's *worse* since credit cards have fraud limits - and that limit applies to all fraudulent charges.

    I don't know about that. We have a credit card of which the number must have been taken by someone in Florida when we were at a trade-show.

    They started ordering stuff from one of these TV shows (jewelry or something) but only for small amounts. Since the card has a lot of charges on it and we travel a lot it took three months before we noticed it.

    Well, the fine print reads that you have to notify them within a month or you are screwed. Fraud protection my ass. Yes, they will give you the information of the company that charged it. Then you have to try to find out from that company where the goods were delivered (and why would they want to cooperate?). If you are lucky enough that you'll get that information out of them, then what? Call in the cops? We did, they laughed...

    In other words, you spend hours and hours on the phone and the bottom line is: you lost your money.

    I know now that you have to keep a very close eye on every statement for a credit card. This may sound obvious or stupid but when you have company cards with a hundred or more transactions per statement...

    Breace.

  181. Online checks are still worse by coyote-san · · Score: 4

    Some sites are now offering "online checks" for people who aren't willing to trust their credit card to the net.

    As others have pointed out in different responses, it's *worse* since credit cards have fraud limits - and that limit applies to all fraudulent charges. Checks, in theory, will be fully refunded if you file the paperwork to claim fraud. In practice, most banks have quietly changed their fine print to say that if someone has your account number the presumption is that you have authorized *any* access, and it is damn hard to get them to stop honoring debits. In practice you must close the account, something that's far more disruptive with checks than with a credit card.

    I can understand why the banks did this - they probably got tired of being caught in the middle between customers and health club finance companies - but the practical effect is that checks are now far less secure than credit cards.

    I mention this only because I've already seen some sites advertising that they offer "online checks" as a "secure" alternative to credit cards, and stories like this will only make things worse.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  182. Re:cause it is by SquierStrat · · Score: 1

    Like eating pie when one uses the GUI utilities to do it.

    --
    Derek Greene
  183. Re:Why Not Use Credit Cards over the Net? by AME · · Score: 1
    The short reason is that if you can find a loophole in a credit card database, you can steal thousands of numbers in one night, possibly undetected. In the physical world, it takes longer, so you are likely to get less numbers.

    This doesn't necessarily mean that it is more risky to buy online. It would only if the number of stolen card numbers per purchase is greater in the case of online transactions than in real-world transactions.

    For the individual consumer, it doesn't make any difference how the number is stolen, or the scale of the crime. The only concern for the consumer is the chance that this one transaction will result in his/her number being compromised.

    There is also the factor that, online, making multiple purchases from the same vendor probably does not expose the consumer to greater risk. Not true in the real world.

    --
    "I have a good idea why it's hard to verify programs. They're usually wrong." --Manuel Blum, FOCS 94
  184. Windows 2000: A solution to a non-existing problem by iserlohn · · Score: 1

    Hi Mr despite-my-age-i-have-used-many-oses, I would like to use a recent personal example to illustrate how crap Windows 2000 is.

    Recently I had the chance to take on a rather odd task. I work for a telecommunications provider which has its customer service database written as a DOS program. I believe the work was contracted out and for some reason the source was not available to us. Currently we have to run the program from different Novell servers at different locations, connected with slow ISDN links, with synchronization only happening every night. Clearly, this posed a lot of problems for the CS department with different locations getting outdated information to different degrees.

    My task was to provide a quick fix to the problem. I believe the best and cheapest way to do this was to set up a telnet server which served this program. I found the goodtech telnet server for Win9X and tried it out. It crashed the first few hours. Then I got into a w2k machine and tried the telnet server there. As I suspected, the telnet behaved exactly like my NT4 distribution did. It did not trap ANSI screen updates and escape sequences correctly. Consequently the application looked like a big mess with any terminal emulator, even the default WinNT one.

    What's my point? Well, you see my final solution was to run a dosemu session in a telnet session in Linux. It's stable and provided all the features that I need. Most important of all, it's free, in the sense that I can know what's going on under the hood, and that it's gratis.

    This is something that WTS was supposed to solve. However, my old DOS apps that are still in use in the organization aren't supported to the same extent Win apps are. You know something? I don't need fancy menus that fade in in my OS. I need an OS that can provide reliable solutions to everyday problems. I don't want to, or have the time and resources to, shop around for the best commercial solutions, because commercial solutions are coded by people that do not face the problems they solve; however, most free software *is* coded by hackers who are faced with those very problems.

    Don't get me wrong. I have nothing against w2k. I only think it is a waste of resources that I can spend much more effectively using free solutions. It is most ironic that the best solution to serving legacy DOS programs is not a MS W2k/WTS or commercial solution, but one that depends almost entirely on free software.

    If your standards on judging how good an OS is is by looking if the OS has alpha-blended fade-in menus, then YES W2K is the BEST OS ON EARTH.

    But I don't think it solved any more problems than NT4 did. My Linux boxens do much more and cost much less. Yes NT4 supports com+, active directory and all that shit, but I have heard that every time a new version of XXX comes out. We are not a big company that can afford a horde of developers working on big projects using the new "standards" that MS is promoting. Our staff is a bunch of hard working geeks that try to fix what's not working, and trying to make what's working work more smoothly.

  185. Re:Windows 2000: A solution to a non-existing prob by iserlohn · · Score: 1

    Oops... you just took away the 4 years of improvements that went into NT5 :)

  186. 40bit RSA encryption. by jlcooke · · Score: 1

    Useless. It seems only banks enforce 128bit web transactions. Anyone want a program to break RSA-40bit? Just let me know.

    JLC

  187. Re:But do you use a cordless phone, or a cell phon by Betcour · · Score: 1

    Anyone with a scanner can intercept credit card numbers using these methods. Any transaction made without using cash is susceptible to fraud or theft.

    True... in US ! In the rest of the world, people use GSM which by default has encryption enabled.

  188. This problem is easy to fix.. by Weezul · · Score: 3

    From our point of view this is just unprofessionalism in a very high degree that's not explainable

    They hit the nail on the head and this problem should be easy to fix, but there are more programmer oriented problems that are not so easy to fix:

    With these script languages which deposit form variables in the global namespace (like PHP and VBScript) there is a good chance of programmer created problems which are not so easy to track or fix. Example: programmer keeps a copy of the web site's PHP code at home.. Programmer gets fired.. Programmer paws through the code and finds a weakness since the code was in PHP and allowed form submits to mess with the global namespace.

    Also, VBScript has the problem that most people using it do not know how to protect the strings that are going into an SQL query.

    I know these problems seem milder because the exploits may need to be different for different web sites, but I would expect to see tools (maybe even AIs) which manage to automate some of the process of exploiting these holes. Government funded hackers (like in China) may have access to professors and people who could do the research to find statistically probable weaknesses in custom software.

    I'm not really trying to slam PHP and VBScript, but I do see a lot more potential for PHP and VBScript programmers making the same mistake over and over than with other languages.

    Jeff

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
    1. Re:This problem is easy to fix.. by rtaylor · · Score: 1

      This is why I put all my stuff into functions, where variables are passed in. Not to mention the fact that the code actually handles things like passwords in an encrypted manner within the code.

      I'm sure I've missed other stuff though.

      --
      Rod Taylor
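
A Python stand-in for the two programmer-side mistakes Weezul describes (form fields landing in the script's namespace, and strings concatenated into an SQL query) next to the explicit-parameter style rtaylor mentions. This is an added example, not code from the thread; the orders table, the test card numbers and ADMIN_PASSWORD are constructed placeholders.

```python
import sqlite3

# Constructed sample data: industry test card numbers, not real cards.
SAMPLE_ORDERS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]
ADMIN_PASSWORD = "placeholder-admin-password"  # placeholder, not a real secret


def make_db():
    """Build an in-memory orders table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, card TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return conn


# --- Mistake 1: request strings pasted into the SQL text -----------------
def cards_for_customer_unsafe(conn, customer):
    """Concatenates the request value into the SQL, so a quote inside the
    value changes the shape of the query instead of being compared as data."""
    sql = "SELECT card FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


def cards_for_customer_safe(conn, customer):
    """Bound parameter: the driver receives the value separately from the SQL
    text, so it is always compared as data whatever characters it contains."""
    sql = "SELECT card FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


# --- Mistake 2: form fields dropped into the script's own namespace -------
def admin_check_unsafe(form):
    """Models register_globals-style behaviour: every request field becomes a
    variable, so a field named 'authenticated' pre-sets the flag the code
    meant to set only after the password check succeeded."""
    namespace = dict(form)            # request fields become variables
    if namespace.get("password") == ADMIN_PASSWORD:
        namespace["authenticated"] = True
    return bool(namespace.get("authenticated"))


def admin_check_safe(form):
    """Same logic with the flag owned by the code: the request can only supply
    the password, never the result of checking it."""
    authenticated = False             # initialised by the code, not the request
    if form.get("password") == ADMIN_PASSWORD:
        authenticated = True
    return authenticated


if __name__ == "__main__":
    db = make_db()
    odd_name = "nobody' OR '1'='1"    # a customer name containing a quote
    print(cards_for_customer_unsafe(db, odd_name))     # every card in the table
    print(cards_for_customer_safe(db, odd_name))       # []
    print(admin_check_unsafe({"authenticated": "1"}))  # True, no password given
    print(admin_check_safe({"authenticated": "1"}))    # False
```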
  189. Re:Is there really a problem? by gewalker · · Score: 1

    I can assure you that people do buy cars using a single credit card. Expensive cars.

    A friend purchased a new Jag on his American Express one day, just because he liked it.

    (Unfortunately, not a good enough friend, cause he did not get one for me)

  190. Here's Some Real Irony by mochaone · · Score: 3

    Stories exactly like this will spur PHB's to run out and purchase Win2000 and all the 2000 certified software in the hopes that it will absolve them from security problems. Microsoft should be excoriated for releasing insecure systems and keeping them closed, yet Microsoft is in a win win situation. The people running these sites are probably married to the idea of a Microsoft platform and will no doubt move up to its latest incarnation.

    --
    Hates people who have stupid little sigs
  191. Re:MS servers get cracked more because there are m by phidipides · · Score: 1

    If this posting is redundant I'm sorry, I was reading earlier postings with a threshold of 3...

    A couple of points:

    1. The reason NT is so prevalent is that it is easy to learn and cheap. Why would a company with 10 employees pay hundreds of thousands of dollars for Oracle, Solaris, and training for an IT staff when they can get a site up on NT for $10,000 - $30,000 and a minimal investment in training? Large companies with dedicated IT staffs use UNIX. Small companies with inexperienced IT use NT.

    2. SQL server is by no means a great product, but having a default account and password is not a security hole -- every database has to have some way to make an initial login, and this includes Oracle, DB2, whatever. After setup, it's the first job of the DBA to change that password. If it isn't done it's not a problem with the database, it's a problem with some brain-dead DBA who was too lazy to modify the administrative account.

    Just my two cents. Game on...

  192. Re:Why does the media overlook the bigger point he by phidipides · · Score: 1

    >But, anyways, if the situation was reversed, and eBay was running Microsoft, and experienced a
    >crash (due to not installing a patch), I am certain that 99.44% of Slashdot readers would
    >blame Microsoft, and Microsoft only [*]

    Among IT professionals Windows NT has a reputation as being a much less robust OS than a UNIX OS. This reputation is well deserved due to problems which can not be patched, such as memory leaks (Microsoft recommends a regular reboot of NT servers to solve this problem) and the ability of individual applications to bring down the server -- with UNIX you simply kill the guilty process while the rest of the server chugs merrily along.

    The point to make is that often problems with NT servers are not patchable, while problems with UNIX almost invariably are. The resulting thinking among IT folk is that if a UNIX system goes down it's because someone forgot to install the patch, while if an NT system goes down reboot and hope it doesn't happen again.

    As to the anti-Microsoft sentiment among Slashdot users, of the 0.56% who wouldn't blame Microsoft, how many do you think are employed somewhere in the Redmond area ;)

  193. Oracle security measures are routinely ignored by Get+Behind+the+Mule · · Score: 3

    To support the argument that this is not just a Microsoft problem, let me point out that the security measures built into Oracle databases are ignored at very many sites I have encountered. The problem is that many administrators do nothing -- and I mean nothing whatsoever -- to change the default state of the database installation. Oracle is a popular choice for e-commerce, and I'm sure that someone, someday, will manage to steal data because of this.

    Over the past year or so I have done DBA consultancy for some of our customers, going into sites and helping with their database administration. Very often, I find that the default passwords of privileged database users have never been changed. Try it sometime: the user system, who can read and change any data in the database, has the default password manager, and the user sys, who can start up and shut down the database, has the default password change_on_install. (Some people apparently don't notice that the latter password is a hint.)

    Oracle installs a default "listener" that is open on port 1521. Many e-commerce sites have their web and DB servers on the same machine, and don't need any external TCP/IP connections to the database. Even those that do can be set up so that connections are only permitted from a limited number of IP addresses. But this, too, is almost never done. So there's your opening: get an Oracle client to connect to port 1521 on your target machine, log in as system/manager, and in many cases you'll own the whole database.

    Another thing: many people routinely do their Oracle admin work by logging as the "oracle" user, the owner of the Oracle software. Few seem to understand that this user is like root: you don't log in under that name unless you absolutely have to, because any mistake you make can be disastrous. What you do is make users with DBA responsibilities members of the group "dba", so they can run the admin software but can't delete anything critical. In fact, you need to be "oracle" far less often than you need to be root -- after installation, you should never log in as "oracle" again. And yet there are admins who work as "oracle" all day long. Even worse: it seems that the most common password chosen for the "oracle" user is, you guessed it, "oracle"!

    We could accuse the administrators of laziness and cluelessness. But the real blame lies with management, who want to set up a cheap e-commerce site without paying the price for DBA's who know what they're doing, or for the training that their current admins need. Many of the admins I've worked with have told me that the boss stuck the Oracle CD's in their hand one day and told them to go run a database. That's a surefire formula for an insecure site.
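
A check for the listener point above, written as an added example rather than anything from the thread: it parses a sqlnet.ora and reports whether Oracle Net valid node checking restricts which hosts may reach the listener. The two sqlnet.ora texts and the addresses in them are constructed samples; TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES and TCP.EXCLUDED_NODES are the Oracle Net parameters that implement the restriction.

```python
# Constructed sample: a default-style sqlnet.ora that restricts nothing,
# so any host that can reach port 1521 may attempt a login.
WEAK_SQLNET_ORA = """
# nothing here says who may connect
SQLNET.AUTHENTICATION_SERVICES = (NTS)
"""

# Constructed sample: only the local web tier and one DBA workstation are
# allowed to connect; every other source address is refused by the listener.
HARDENED_SQLNET_ORA = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (127.0.0.1, 10.0.0.5)
"""


def parse_sqlnet_ora(text):
    """Parse the KEY = VALUE lines of a sqlnet.ora into a dict with upper-cased
    keys.  '#' starts a comment; the keys checked here fit on one line."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.upper()] = value
    return params


def parse_node_list(value):
    """Turn '(a, b)' or 'a' into ['a', 'b']; an empty value gives []."""
    return [node.strip() for node in value.strip("()").split(",") if node.strip()]


def listener_exposure(text):
    """Report who a sqlnet.ora lets connect, as (status, nodes):
    'open'        - no valid node checking, any reachable host may try
    'open-except' - checking on, only an exclusion list is configured
    'restricted'  - checking on, an invited list limits the sources
    Invited nodes take precedence over excluded nodes when both are set."""
    params = parse_sqlnet_ora(text)
    if params.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        return ("open", [])
    invited = parse_node_list(params.get("TCP.INVITED_NODES", ""))
    excluded = parse_node_list(params.get("TCP.EXCLUDED_NODES", ""))
    if invited:
        return ("restricted", invited)
    if excluded:
        return ("open-except", excluded)
    return ("open", [])


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        status, nodes = listener_exposure(text)
        print(f"{label}: {status} {nodes}")
```

For a site with the web and DB servers on the same machine, as the post describes, the invited list reduces to the loopback address alone.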

  194. And then we accuse MS of FUD ? by hernick · · Score: 2

    When slashdot constantly accuses Microsoft of generating FUD, what is this ? Can anybody debate the fact that the topic is strongly anti-MS biased ? I hope that the posters will know better than to say "that's what happens when you don't go with linux". Sure, MS has a lot of security flaws.

    In this very situation, you are combining two things.

    First, the database administrators (who might not be MCSEs... Without praising the MCSE program, one thing it does put emphasis on is long, hard to guess passwords with short expiration times) made the stupid mistake of using the default username for their database and putting no password, or a stupid password. That's like leaving the root password blank, and allowing root to log in via telnet ! It's a stupid mistake made by people who probably didn't get any kind of training. Probably not the kind of people you'd normally hire to run your server... Such a person running your linux server would give you a very vulnerable server, as vulnerable as those.

    Second thing is, they were using a version of IIS that had not been patched for the last two years. Okay, it shouldn't have been defective in the first place. But look at 2 year old linux distributions ! Anybody with a good root package is able to crack a linux box that's been left alone for the past 2 years ! Use one of the buffer overflows in one of the various flawed daemons, if it's 2 years old, it's probably vulnerable... If you don't patch your system, no matter what OS it runs, it will be vulnerable.

    Who should be blamed here, the OS or the administrators ? I think the answer is obvious. A bad administrator will cause similar problems in any old OS.

    1. Re:And then we accuse MS of FUD ? by mdb31 · · Score: 1
      Who should be blamed here, the OS or the administrators ? I think the answer is obvious. A bad administrator will cause similar problems in any old OS.

      Yup, any administrator capable of reading would have followed the security guidelines available from Microsoft (http://www.microsoft.com/security/products/iis/CheckList.asp). Then again, most admins are not interested in reading. Blame the schools, not Microsoft...

  195. Re:Good tactic by hernick · · Score: 3

    My method to detect e-mail spam is to give companies companyname@mydomain.com as my email address. Of course, that only works if you have your own domain and a catchall account. But it allows you to know who put you on a spam list, and to ignore them easily by forwarding their spam to /dev/null.

    Your middle name method is pretty clever...

    One of the things that one can do to limit the value of the credit card he uses, and therefore defend against most fraud, is to use a card without any more money than you wish to spend.

    Three possibilities I can think of.

    First, an Incentive Card if you can find any. Those come with fixed values, they're not credit cards, but you can spend up to their fixed value anywhere that takes credit cards. www.aies.com sells them, I believe. That way, you keep changing CC# very often.

    www.webcertificate.com offers a similar product, and you can add money with your real credit card (processing fee of 1.50$ by 50$ you add). You don't get a physical card, but only a mastercard number you can use to make purchases. It works great for me.

    The third method is to use a Visa Debit Card and deposit the amount you wish to use before every transaction... That's a bit of trouble, but combined with online banking it can be made easy. I use www.x.com to do that. You open an account with them, and they send you a visa debit card you can use like a credit card. But the balance available is only what you deposit in it. You can deposit up to 500$/6 months with another credit card, and as much as you want by check.

    Any of those ways, you have a "credit card" without credit. It only has as much money as you want. I'm sure you can understand the implication of that.. Even if somebody steals it from you, you don't lose anything more than the value that you put on it, which is probably only the value of the item that was there in the first place. And as they're issued by banks, they will let you contest charges as well as with a real credit card.

    Hope this has been helpful.

    ---
    P.S. If you sign up for x.com, you have the option of referring somebody. If you feel generous, refer francois@bradet.com . You don't lose anything if you don't refer me. If you feel this whole thing sounds like a commercial endorsement and you don't like such things, please let me know by moderating me down. If you really think what I just wrote is bad, let me know at francois@bradet.com and I'll apologize. I'm just trying to share my knowledge.

  196. Good tactic by konstant · · Score: 5

    I won't go quite as far as the poster about abstaining from online credit card purchases, but I do have a method by which I can at least identify the culprit company if anything goes wrong.

    Whenever I make an online purchase, I use the name (or first initial) of the company as my own middle name. That way, if someone steals my personal info, emails me spam, or any number of invasions, I will know instantly from the name on the billing which company I should never use again.

    Of course, this does nothing to prevent your information from actually being stolen in the first place...

    -konstant
    Yes! We are all individuals! I'm not!

    1. Re:Good tactic by Super_Frosty · · Score: 1

      That's a good one. You can do it in the internet world, too, if you have your own mail server. I have every piece of mail sent to mydomain.com forwarded to another address. If I enter a contest for a free router at Cisco, I tell them my address is Cisco@mydomain.com (I can do these on the fly, without setting anything up). Then, when I get spam that's addressed to Cisco@mydomain.com, I know who sold me out!

      --
      No comment at this time
    2. Re:Good tactic by Super_Frosty · · Score: 1

      Actually, I just started doing it (cuz I just got my mail server, WOO HOO!), so I haven't caught anyone so far.

      Another thing I do to make the internet a better place is use SpamCop. Try it, it feels good to take spammers' accounts away!

      --
      No comment at this time
  197. Re:Why Not Use Credit Cards over the Net? by Convergence · · Score: 2

    As I've always felt and always said.. I trust the internet completely.. While it may be possible that encryption can be broken, the amount of effort needed would be too high for the gain of a mere credit card number. So, the internet itself is safe.... But that's not enough.

    The CC number has to be cleartext when it's sitting on MY computer when I type it in. It also has to be cleartext on THEIR computer when they submit it to the CC company. I trust my system is fairly well set up and secure. I don't trust the peons on the other end to have done the same. THAT is why I dislike ordering online.

    There are also the issues of extent. A waiter can only copy so many CC numbers a day; a thief can only steal so many purses a day. But, an online site can store thousands of CC numbers in an insecure database.

    But you are right.. The biggest danger isn't monetary loss (because of the $50 limitation of liability), but rather hassle and annoyance.

  198. Re:first German post (offtopic) by cdlu · · Score: 1

    Yeah. First posts can be funny if they are original. But someone else will do this tomorrow, and the next day. It will have been funny this time.

    As far as I'm concerned though, we're all inanimate sql entries to each other. :)
    #include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}

  199. slashdot? by cdlu · · Score: 3

    Can I use CODs to buy slashdot hats and tshirts now? :)

    But more seriously, what this shows us is that people don't pay attention to what they are doing before they do things. If you don't do something as simple as set a password on your database, it should come down to the same thing as leaving the key in the ignition, the car running, and no one in the car, in the third lane of a four lane highway in rush hour. Insurance won't cover it. People have to be careful when they start up a business that they are doing everything right.

    If you are thinking of starting an ecommerce site, then hire a security professional to come in and take a look at it. They are out there, they are there for a reason. Credit card numbers are a very personal thing, and having them publicly available is just plain bad, even if it's not on purpose.

    In legal terms, if you kill someone and didn't mean to, it's called 'involuntary manslaughter' and you still go to jail.
    #include <signal.h> \ #include <stdlib.h> \ int main(void){signal(SIGABRT,SIG_IGN);while(1){abort();}return(0);}

    1. Re:slashdot? by jedrek · · Score: 1

      In legal terms, if you kill someone and didn't mean to, it's called 'involuntary manslaughter' and you still go to jail.

      IANAMANHIEPOOTV (I am not an American lawyer, nor have i ever played one on TV) but I think that this is covered, in this case, by law under 'negligence'. The person who was to secure the cards didn't do their job. IMO it's the credit card companies that should be seriously pissed. They're covering for everything over $50 or whatnot.

      jay

    2. Re:slashdot? by Punto · · Score: 1
      then hire a security professional to come in and take a look

      Yes.. but doesn't this sound like "then hire a Y2K expert to take a look"? Part of the problem is that developers say "I don't need a security expert" (ok, so some didn't need a Y2K expert..)

      Anyway, I wonder what our friend DotComGuy has to say..

      --
      Stay tuned for some shock and awe coming right up after these messages!

  200. Database == Web ??? by Brecker · · Score: 1

    I guess that I never stopped to think that every time you use your credit card on the phone, they have to use a pencil and paper to process your order.

    Otherwise, they would still need to use one of those dangerous databases!

  201. Card Companies need to get wise. by cgarrity · · Score: 1

    I won't be surprised when we start seeing the major credit-card companies come out with a set of standards saying "you have to use these security features, or we won't do business with you." After all, they are the ones that will get screwed in the long run if they don't ($50 dollar deductible for unauthorized charges) ...

    I just worry about using a check-card online, all my cash is in that account ... i know, i know

  202. Instructions for Using Your Credit Card by grantdh · · Score: 3

    OK - so maybe the credit card companies need to send out a bunch of instructions for people who are too dumb to figure it out for themselves (sort of like those "Objects in mirror are closer than they appear" messages - like, DUH!!!!! :)

    Here we go with some simple instructions for how to use your credit card and not get burnt:

    1. Make sure you can check your credit card statement on-line as required.

    2. Record all purchases in a database (Quicken, MYOB, MS-Money, text file, spreadsheet, whatever!)

    3. Check your credit card statement on-line as often as you can (once per day is good :)

    4. If you find anything you didn't write down, start screaming to your card issuer!

    Even if you never travel overseas, purchase from catalogs or purchase from the 'net, you should be doing this. If you don't, you're just asking for trouble. At the least, you should check your monthly statements - doing it daily makes it quicker to get the dispute resolution process started :)

    I frequently travel to "worrying" places, use my card at cafes/restaurants, purchase over the 'net and so on. I check things and (touch-wood :) haven't had any problems. I did find a couple of entries that were charged incorrectly and was able to resolve them by contacting the vendor directly. No problems, everyone happy.

    Stop whining, stop expecting the government/corporations/mommy & daddy/whatever to protect you. Get off your ass and take responsibility for your actions.

    Same goes for those setting up e-commerce sites. One of my companies does it and we get third-party security reviews (we charge more, but we don't want penny-pinchers as clients - they always come back to haunt you :)

    --

    I left my body to science, but I'm afraid they've turned it down...
  203. Re:Roblimo Paranoia by Duxup · · Score: 1

    Good point!
    My mistake and apologies.

  204. Roblimo Paranoia by Duxup · · Score: 3

    I use my CC online all the time. I've never been burnt but a friend of mine was. He just called the CC company and they refunded his $. It is that simple.
    It's good to be careful like Roblimo and careful to whom you give it. However it's more important to know your rights and that you're not responsible for such charges.

    1. Re:Roblimo Paranoia by cotopaxi · · Score: 1

      Not to nitpick, but Roblimo never said anything about not using his credit card; it was the cat who reported the article.

  205. Re:This Is Probably A Good Thing... by jesser · · Score: 1
    I'm not sure why everyone is suddenly so excited about the fact that you can easily steal credit card numbers "over the Internet" -- heck, you can easily steal credit card numbers anywhere.

    But because of computers, you can access 1000 credit card numbers at once and charge $20 to each one. Only a few people will notice, because you took such a small amount from each person.

    Also, if you work as a temp employee and write down several customers' credit card numbers (this happened to a member of my family, who had to get a new credit card), you can be tracked down because the customers will remember doing business at that company the day before. The business then realizes that the employee left shortly before charging each of the credit cards, and helps the credit card company and law enforcement to track down the criminal.

    --
    The shareholder is always right.
  206. Isn't this really the site operators' fault? by Hieronymous · · Score: 1


    Granted that Microsloth could make it more difficult to set up a site without proper security in place, but it is still ultimately the fault of the site operators that such a hole exists. It's also their responsibility to make sure they are operating on the latest patches of the OS and their applications that deal with security in any way.

    In any other industry the companies could easily be sued for negligence because it is their responsibility to ensure that user security is taken care of. You can't just say later, "we didn't know!"...it doesn't work that way in the real world. But oh yeah, this is the Internet, not the real world.

  207. Why Not Use Credit Cards over the Net? by Super_Frosty · · Score: 5

    I can't understand why people refuse to buy things over the internet.

    First of all, if someone makes a purchase with your credit card, but you haven't actually lost the card, then you are liable for nothing. You have nothing to use!

    Credit card theft and fraud occur without the internet. Your wallet/purse can get stolen. In that case, you are liable for up to 50 dollars. A waiter or clerk can copy down your numbers.

    The risk isn't any greater at all, but fear tactics from the media like this MSNBC story don't give a sense of proportion.

    --
    No comment at this time
    1. Re:Why Not Use Credit Cards over the Net? by nerdguy0 · · Score: 1

      if you ask me it's just all media hype

      --
      "In /dev/null no one can hear you stream."
    2. Re:Why Not Use Credit Cards over the Net? by destrago · · Score: 1

      It's a relatively unknown fact that more credit card theft occurs when you use the plastic in a store than it does when you ship the number over the internet. As far as the CDUniverse crack is concerned, that's the fault of CDUniverse for not protecting themselves enough, and it looks like that problem isn't going away. INTERNET IS AN UNSAFE PLACE TO BUY! THE GREAT SCANDAL TO FOLLOW Y2K! NEXT, ON THE MEDIA SENSATIONALISM CHANNEL!

      --
      Destrago Z. Scudiero -Noize Incorporated -Void42
    3. Re:Why Not Use Credit Cards over the Net? by 348 · · Score: 1
      The risk is bigger. It's simple. Most DB to DB transactions are done on a "Trusted" source relationship. The key is to spoof yourself as the trusted source. The fact is that in the examples given, the article states that the numbers were stored in plain text and connected directly to the web site. Granted this is pretty dumb, but the risk remains even if it's not directly connected. If the DB is in the enterprise all you need is some form of enterprise access. This isn't generally hard to get, with stuff like BO2K readily available.

      Once you're in, just use some basic DBA tools that are inherent to almost any commercially available DB, like Access etc. Some minor mods, and then you're a trusted source.

      The real problem is that most web based transaction hosts DO NOT implement nearly enough security. ANY enterprise DB with sensitive data should have a DB scanner implemented just like you would implement a scanner on your firewall. ISS and other companies offer them and price per DB is really not all that bad.

      With simple proxy, lift and drop and best practice DBA administration, this should never have happened. One thing that always gets overlooked though is if the sites used a secure transaction firm like Cybercash, they would never have had the sensitive data to begin with, all they would have had would have been an order number, a cost amount and a receipt from Cybercash, not card numbers.

      It always amazes me that on line retailers think that they can do it better, faster and cheaper than firms that do this stuff for a living. Hope they outsource next time.

      --

      More race stuff in one place,
      than any one place on the net.

    4. Re:Why Not Use Credit Cards over the Net? by Toothpic · · Score: 1
      First of all, if someone makes a purchase with your credit card, but you haven't actually lost the card, then you are liable for nothing. You have nothing to use! (lose?)

      This is not a victimless crime. The credit card companies are going to foot the bill and that cost is ultimately going to be passed onto you.

    5. Re:Why Not Use Credit Cards over the Net? by type2 · · Score: 1

      The question boils down to this: is using a CC on the net any less safe than buying in person?

      I think the answer is yes, although not drastically so. The short reason is that if you can find a loophole in a credit card database, you can steal thousands of numbers in one night, possibly undetected. In the physical world, it takes longer, so you are likely to get fewer numbers.

      More people are fiddling real-world card numbers at the moment, which is why internet card abuse is less of a problem than physical card(/number) theft. This may change.

      -type2

  208. cause it is by TummyX · · Score: 1

    NT IS _EASIER_ to use. And why do you assume that means everything is supposed to be easier (like security). But anyway, your assumption is correct anyway, NT is _EASY_ to secure. But you have to do it!

    By default NT is left open so that things work. It's easier to start with a working system, and close off things.

    Anyway, it's easy to secure, you've just got to make sure you (*&(%# do it.

    How easy is it to set up a share, set up permissions and allow user X to have access in Linux?
    In NT it's a breeze.

    1. Re:cause it is by RoninM · · Score: 1
      NT IS _EASIER_ to use.

      For you. There's no quantifiable evidence one way or another. That mis-administration on NT is so rampant would lead one to believe that NT is not easier to use or more intuitive for a great majority of people. Which isn't to say they'd have an easier time of things with Linux, just that it'd be no worse and no better.

      It's easier to start with a working system, and close off things.

      Precisely the approach many Linux distributions take, and precisely the same thing that they get faulted for.

      How easy is it to set up a share, set up permissions, and allow user X to have access in Linux?

      Well, I don't find anything difficult or counter-intuitive in it. The file is /etc/exports and I can use "man exports" for information on the file's options and example formats. Is typing counter-intuitive? Is reading counter-intuitive? Neither can be classified as unfriendly, since NT's Share configuration requires one to do both. With both NT and Linux, you have to know what you want to do and where to look to do it. I fail to see how one is better or easier in this instance. Perhaps you should have thought of a better example? Or actually done some sort of even introductory administration on a UNIX OS before you try to fault it for your deficiencies?

      --
      If a corporation is a personhood, is owning stock slavery?
  209. NOT Microsoft's fault (for a change) by LocalYokel · · Score: 2

    I won't assault Robin this time :), because this time I'm alert to the fact that these aren't his own words -- he just happens to bite on sensationalist articles...

    If all other security issues having to do with administration vs. the OS itself could be considered muddy, this one isn't. I don't see how others' bad coding and administration is Microsoft's fault, does anyone else?

    Even though the language ultimately corrupts itself, should Larry Wall be the person to blame for shoddy Perl scripts? Should we blame Linus Torvalds if the root password to Slashdot's SQL box is successfully guessed? I don't think so.

    --
    E2 IN2 IE?

  210. Card Issuers or Visa/MC Holding The Numbers...? by slykens · · Score: 1

    There are so many ways that fraud could be combated, but are we willing to pay the price in time? For example:

    Visa sets up a system which you authorize yourself to Visa, using some sort of information that only you should know, and they provide you a hash that you then use for the next 30 minutes or so at a particular online merchant.

    I dunno, but if merchants can't be trusted with holding your ccnums, Visa and the issuing banks won't let them have them. How Visa implements that system will be interesting.

    sl

  211. This is not just an ONLINE problem... by _blueboy · · Score: 2

    About 5 years ago, I was working at a gas station in a small town. When we took credit cards, we swiped them through the POS machine (same as debit). However if, for some reason, the card didn't go through, we did the old manual imprint method, and put the retailer's copy in the top drawer behind the cash. When I worked there, there were literally hundreds or thousands of these numbers, sitting unprotected in a drawer. Most nights, I was the only one in the station, and would often be in the back sweeping. Anyone could have taken these numbers! And that is assuming I hadn't already auctioned them off to the highest bidder.

    The point is, whenever you use your credit card, there is a risk involved. That does not mean, however, that we should not address this particular problem.

    --
    pdubroy AT yahoo DOT com
  212. Re:Why does the media overlook the bigger point he by bigdogs · · Score: 1

    All of the problems which eBay has had are bugs in Solaris. When eBay had problems there were SUN engineers on site to fix the problems.

    True, however yet again the issue comes down to whether or not the SA/DBA had decided to install the patch(es) which would have fixed a known problem.

    The eBay outage you refer to was the result of a known problem that Sun had a patch for, but eBay didn't/wouldn't install the patch. So whose fault was the outage? Sun's?? Considering the fix was available but not implemented, I don't think so. eBay was clearly at fault on that one.

  213. Re:Why does the media overlook the bigger point he by bigdogs · · Score: 1

    Personally, if I were Sun, I would make pretty damn sure that one of my highest profile customers had installed the patch, if it had even the slightest chance of causing a problem.

    While that's great in theory, it's not feasible, for a couple of reasons:

    1. Like you said, there are hundreds of patches for Solaris available, especially for the older OS's such as 2.5.1, but not all of them are "recommended" (i.e. you damn well better install them). Most of them fall under the category of "if you experience problem X, install patch Y."

    2. Sun can pressure and posture as much as they want, but they can't force a customer to install a particular patch, regardless of how important it may be. The best they can do is say, "Hey, we've seen this problem before, and it's serious. You'd better install this patch." But that still doesn't mean the customer will install it.

    But, anyways, if the situation was reversed, and eBay was running Microsoft, and experienced a crash (due to not installing a patch), I am certain that 99.44% of Slashdot readers would blame Microsoft, and Microsoft only

    I'm not disputing that point, nor did I in my previous post. In fact, I would agree with you that Sun has gotten off easier than M$ in the security/patch/PR war. My main point in both of these posts (and I think you'd agree with me on this) is that the vendor can only do so much to enable a customer to set up a secure/stable site.

  214. So you don't use SSL then? by Codex+The+Sloth · · Score: 1

    There are several problems with this argument.

    First, credit card abuses are far more common on the net than in the real world because it's easier to minimize the risk of using the card. Software.net, which sold software electronically over the Web, claimed that 50% of the purchases they sold were later disputed. Especially in cases where the fulfillment side is all electronic (and now that most merchants will ship to addresses other than the billing address) the risk for the thief is much lower.

    Now, is this any less secure than catalog shopping? No. But certain economies of scale make it a better value proposition. Instead of maxing out one card, you can charge $30 to a thousand cards.

    The other (more serious) problem was that these idiots had their entire customer databases available (don't these people know what a firewall is?) so identity fraud is a real issue.

    In cases where the charge is disputed either the credit card company pays or the merchant does. So sooner or later, Visa is going to lean on merchants to get their act together. But really, credit card #'s are just a symptom of a much larger problem.

    --
    I am not a number! I am a man! And don't you ... oh wait, I'm #93427. Ha ha! In your face #93428!
  215. Another Good tactic-- preventative, even by Savage+Henry+Matisse · · Score: 2
    Before you make a purchase at a site, take a look at what kind of server they're running. Here is a nice little CGI that easily lets anyone fetch header info. Among the many bits and pieces in the header is the type of server being used. Although this is by no means fool-proof-- pretty much any system can be set up lazily/ineptly/insecurely, good news-- we all know that some servers (I recognize that this SQL thang isn't exactly a server problem) are more easily accidentally left insecure than others. Additionally, the header info can give you an idea of the OS the folks are running (if you want to be rabid about only supporting Linux based e-tailers, or some such hogwash **grin**.)

    In a way, checking on a site's html-headers is the same as glancing at the fry-cook's hands to see if they're dirty-- a guy with clean hands can still sneeze on your burger, but it's still a little peace-of-mind.

    --
    Much Love,
    "S"HM
    *****
    (I refuse to spellcheck out of contempt for your belief system)
  216. Re:Why does the media overlook the bigger point he by VAXman · · Score: 1

    I am not interested in whose fault it is - Sun's or eBay's. Personally, if I were Sun, I would make pretty damn sure that one of my highest profile customers had installed the patch, if it had even the slightest chance of causing a problem. It is not clear to me that Sun had made it known that the patch was important (and I understand there are hundreds of patches available for Solaris - how to decide which one is needed?)

    But, anyways, if the situation was reversed, and eBay was running Microsoft, and experienced a crash (due to not installing a patch), I am certain that 99.44% of Slashdot readers would blame Microsoft, and Microsoft only [*]. (Even if it was only remotely related to Microsoft such as a non-Microsoft application which crashed when running on a Microsoft system - c.f. the Naval ship). However, if it is a non-Microsoft company, ESPECIALLY if it is a Unix related company, Slashdot readers are quick to do research and figure out why it happened. What I am interested in, is why there is this double standard. It is probably simply because most Slashdot readers have an anti-Microsoft agenda, though it might possibly be a bit deeper.

    [*] You need proof of this? Look at all of the posts in THIS ARTICLE which are blaming Microsoft for a bug in IIS 4.0, which has had a patch available for over TWO YEARS.

  217. Re:Why does the media overlook the bigger point he by VAXman · · Score: 3

    eBay's servers are NOT Microsoft. Their front end web servers are Microsoft, but the back end databases are Solaris. All of the problems which eBay has had are bugs in Solaris. When eBay had problems there were SUN engineers on site to fix the problems.

    Of course, since Microsoft is the scapegoat of the computer industry, people will blame the company if any of their software is involved in any way. eBay is a prime example; when the people who blame eBay find out that it was Sun's and not Microsoft's fault for the problems, they do not shift the blame to Sun, but rather shrug off the problems, and pretend to play down the incident. eBay's outage in the summer, which cost well over one and a half BILLION dollars in market capitalization, is one of the biggest industrial blunders in history, and was 100% to blame on a bug in the Solaris operating system. Yet Microsoft continues to receive the blame for it.

    It is really getting out of control. There are people who really think Microsoft is to blame for the Year 2000 problem, the Year 2038 problem, the Internet worm, et cetera, ad nauseam. It is so incredibly trendy to blame Microsoft that any industrial problem whatsoever is blamed on them if they had any involvement whatsoever - without even GLANCING at what the real problem was or who really was to blame.

  218. The real problem by guran · · Score: 2
    Do I walk around with a note with username and password for my network in my wallet? NO!
    Do I tag my home address to my keys? NO!
    Do I walk around with a card in my wallet, containing in plain text form all information required to purchase stuff online? YES!

    If our computers were cracked because I had a post-it with UID/PW I would be in serious trouble with my boss.
    If a pick pocket would break in because I told him where my keys went, I would probably get nothing from my insurance.
    But the plain text information on a plastic card is enough to spend my money! Hello!

    Of course I might be able to prove that a transaction was not valid and eventually get my money back, but that would take lots of work.

    Where I live, a CC purchase must be validated with either a PIN-code or a signature. Get my number if you want to. You still don't have access to my money without forging my signature or getting my code.

    Enter the net. Thousands of opportunities to buy stuff online in my name. Once my number is out, I just have to trash my card.

    That's the problem with CC numbers on the net.

    --

    All opinions are my own - until criticized

  219. 2 questions about CC's by tomson · · Score: 1

    First of all, why would any server store them.. They don't need them after they used to get your money. If you pay in a restaurant, do they also keep a copy of the number? (I never use a CC)..

    Is it sane to put the complete number on the card.. In the Netherlands (and other countries in Europe) we have a different system, and have to remember a pin code. The card is worthless without that pin.. I never really understood why they didn't do that with CC's..

    --
    I read slashdot for the articles.
    1. Re:2 questions about CC's by p-k4 · · Score: 1
      First of all, why would any server store them.. They don't need them after they used to get your money.

      Refund processing. The alternative is having the user re-enter their CC number, but then you have to make sure that it matches the previously used number. This can be solved by storing only the last 5 digits of the card for comparison.

      Besides refund processing, I've seen all types of lunacy with CC information. For one company I've done work for, one of their workers wrote a script to process all outstanding CC transactions in one fell swoop. The script was run, but the user didn't notice that the authorization results were not being stored in the database.

      Months later someone had to go back with the CC report from the bank and match everything up and try and figure out who didn't get charged. It was a disaster. Imagine being hit up for $3000 (their average customer bill) 6 months after the fact because your credit card was declined and they never bothered to tell you.

      --
      Dean's Rule #45. The truth hurts for a moment. A lie hurts for a long time.
  220. M$ releases hot new cracking tool - SQL Server by MrBlack · · Score: 2

    Not changing your passwords and account names from the defaults (or not even having a password) on a live customer database connected to the internet! Lunacy. Seems like some e-commerce companies have never heard of security, aren't able to implement it at the most basic level, or simply think it's too hard. To all those who have posted saying that "even when you use your credit card at a restaurant you run a risk because the waiter could memorise your number and use it" think about this. a) the "waiter" couldn't rip 2500 people's card #'s in a matter of minutes. b) each time the "waiter" rips a card there is a tangible link between himself and the card - he is an employee at a place that the card was used, making the chances of catching him reasonably high. When you get 2500 people's card details all that links you to them is a few TCP/IP packets that flew across the internet. c) AFAIK your argument originally appeared in a Dilbert cartoon (you know, the one where the waitress comes back wearing the fur coat).

  221. Shortsight of the e-generation. by Sarin · · Score: 1

    Let's be on the e-train seems to be the motto these days. A one-way ticket to the cash-station.
    Most are ignorant and others just seem to forget it, there's no such thing as a m$ cash-station, the train is driving but the windows are falling out. Be sure to wear your m$ seatbelt otherwise you might not survive the destined crash.
    So-called e-commerce experts seem to focus on the cash and the cash only - security of their customers' credit card IDs and other data is neglected because of the costs, a lesson MS taught them. Well I hope there's going to be a test trial to sort out some sort of law protecting the people from them.


    Regards,
    Sarin

  222. I used to worry about my CC info ... by p-k4 · · Score: 2
    Why is it important for you to keep your CC info private?

    At worst case, you are only liable for $50.00, regardless of the actual fraud.

    The media made all of us think that Y2K would be a big deal, and I have the same opinion when it comes to credit card information.

    Since the beginning of e-commerce on the web, the media has been talking about how people could steal your credit card information. Be careful, someone could steal your credit card info. In addition, even if you deal with a reputable site, someone could use a packet sniffer and steal your credit card that way.

    Please. My credit card number is not the kind of information that I worry about people getting. I'm more worried about disturbed individuals getting my home address and mistaking me for an abortion doctor. Or someone stealing my social security number, getting a job under my SS number, and not paying taxes.

    Have you ever known anyone who had their life ruined because someone stole their credit card? IMHO, people have more to fear from the debt that can be caused by credit cards that the $50.00 limit on fraud purchases. People's lives have been ruined when they had their SS number stolen, not their CC info.

    So who is pushing the media to push the masses to care so much about their CC info. The CC companies, as they are the ones who have to pay the fraudulent charges after $50.00. And we, as a whole, are falling for it in the same way that we fell for Y2K and Pauly Shore.

    I have used a credit card on numerous web sites and have sent it in plain-text e-mails to pay for merchandise. If sending your plain text CC information was so sensitive, it wouldn't be printed on every receipt.

    Wouldn't it be more effective in eliminating CC fraud to only print the last 5 digits on the receipt and omit the expiration date, making sure that someone can't just dumpster dive for my info?

    As for the story, at least SQL Server can be configured to be secure. One of the companies I did work for was using FileMaker Pro 4.* as their web server. However, all you have to do is guess the username and leave the password field blank, and FileMaker (when doing the query) will assume the blank password field is a wildcard. Hence security is only as far away as the username. This "feature" is even present in the e-commerce example web site that ships with FileMaker Pro 4.*.

    We laughed. And then went to Apache.

    --
    Dean's Rule #45. The truth hurts for a moment. A lie hurts for a long time.
  223. Re:Let's get a few things straight. - correction by wilcoxon · · Score: 1

    2) The Credit card companies are the ones who bear the brunt of the financial burden for fraudulent use of cards. If their merchants are irresponsible, and cause them to lose money, it is up to them to deal with it. They are fairly lax about it, though, as if it was difficult to get a merchant account, then nobody would accept credit cards, and they would be out of business.

    Actually, this is incorrect. The merchants almost always get stuck with the loss for fraudulent charges. I've worked at several different places that have taken credit cards (retail stores and hotels mostly) and all of them have had to eat fraudulent charges. There is a slight chance this has changed as it has been a while (7+ years), but I doubt it.
    After all, why should the credit card company take the loss when they can pass it on?

  224. Not really about the DB server.... by mckyj57 · · Score: 3
    The problem here is not so much the database server as the database design.

    Any time you can get a credit card number via a normal database query it is a security hole.

    I will say it again -- anytime you can query your database and get a credit card number it is a security hole. If you are not saving the information to a non-internet connected system, or encrypting with strong encryption before writing it to disk, you are playing fast and loose with customer information.

    The simple rule should be this -- an unencrypted credit card number should never be written to disk, not even for a moment.
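The rule in the post above (never write a card number to disk unencrypted) and p-k4's refund-matching point earlier in the thread (keep only the last five digits for comparison) fit together in one design. The following is an added example in Python, not code from any poster: it assumes a hypothetical in-memory `OrderStore` standing in for the shop's order table, a constructed secret key held outside the database, and that the full number is handed only to the payment processor, whose reference is all the shop keeps.

```python
import hashlib
import hmac


def luhn_valid(pan: str) -> bool:
    """Luhn check on a card number; rejects obvious typos before we go further."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes so the same card always yields the same digits."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


def mask_pan(pan: str, keep: int = 5) -> str:
    """The only form of the number that is safe to show on receipts or in reports."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - keep) + digits[-keep:]


def match_token(pan: str, key: bytes) -> str:
    """Keyed digest used to recognise the same card later (e.g. for a refund).

    A plain SHA-256 would not do: the card-number space is small enough that an
    unkeyed hash can be reversed by brute force once the table leaks.  HMAC with a
    key that lives outside the database keeps a leaked table useless on its own.
    """
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


class OrderStore:
    """Constructed stand-in for an order table.  Note what is absent: the PAN."""

    def __init__(self, match_key: bytes):
        self._key = match_key
        self.orders: dict[str, dict[str, str]] = {}

    def record_order(self, order_id: str, pan: str, processor_ref: str) -> None:
        # processor_ref is the receipt/reference returned by the payment processor;
        # the full card number is not retained once the charge has been submitted.
        self.orders[order_id] = {
            "masked": mask_pan(pan),
            "token": match_token(pan, self._key),
            "processor_ref": processor_ref,
        }

    def card_matches_order(self, order_id: str, pan_entered: str) -> bool:
        """Refund check: does the re-entered card match the one used to pay?"""
        rec = self.orders[order_id]
        try:
            candidate = match_token(pan_entered, self._key)
        except ValueError:
            return False
        return hmac.compare_digest(rec["token"], candidate)  # constant-time compare


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-outside-the-db"  # constructed sample key
    store = OrderStore(key)
    store.record_order("A1", "4111 1111 1111 1111", "proc-ref-001")  # standard test PAN
    print(store.orders["A1"])
    print(store.card_matches_order("A1", "4111-1111-1111-1111"))  # True
    print(store.card_matches_order("A1", "5555555555554444"))     # False
```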

  225. Hey you pessimists... by TangoChaz · · Score: 1

    I'm as sick of Microsoft as the next guy, but I have something positive to say...

    It seems to me that MSNBC is at least attempting to act like a legitimate news agency. Perhaps it isn't just irony but perhaps a shade of genuine journalistic integrity that is driving their conduct?

    (Bombs away)

    TC

    --

    TangoChaz

    --------------------
    Wise men talk because they have something to say, fools because the
  226. This is less likely to happen under Linux. by bnolan · · Score: 1
    Because I think the majority of people who got far enough into a unix to be able to set up an e-commerce site wouldn't be slack enough / dumb enough / so-lacking-in-self-respect so as to allow their vital databases to run with a default password.

    My two cents. And I hope that it wasn't a college student that set up that service, because that'd be really bad PR for those of us that have half a clue.

    Ben

    --

    :wq

  227. RBL for E-Commerce sites... by SsC · · Score: 1

    What I would find interesting would be an RBL (realtime blackhole list) sort of solution for e-commerce sites. I don't know exactly how it would be done, but I could imagine that the majority of dialup users could point their machines at some sort of proxy to do it. An interesting idea anyway, IMHO. -Steve
    --
    Windows: Boring and mundane, even at 3am with little sleep.
    Linux: A rewarding challenge.. even at high noon!

    --
    *kerchunk* *beep* "...Operator."
  228. Saying this once. by jallen02 · · Score: 2

    I have a credit card. I use it a lot in place of cash and just pay the bill off at the end of the month. Anywhere you use that bad oscar it can be stolen. I got my CC bill one month. This was before I made it a 500 dollar limit. Bam 15,000 Dollars my damn card was maxed out. I shit a wooden nickel. I did only pay 50 bucks but good lord. I had shopped online for like 2 and a half years at that point. You know where it was stolen from? Macy's of all fargen places. One of the Cashiers there took like 15 or so CC nums and just went hog wild buying cars and whatever else. The point is IT'S all insecure. So there just has to be a little trust between you and where ever or whoever you are buying with..

  229. Geez what a lot of trash by wanrat · · Score: 3

    Someone above posted the correct answer which is: these guys just stripped the info out of 1) MS SQL's enterprise manager using either the default login, 2) by exploiting an extended stored proc., or 3) by stripping login info out of the .asp page or from the global.asa file at the root of the asp distribution directory. ALL of these holes are patchable, and were required fixes by MS. ANY site who has a DBA on staff should be aware of these things and should already have them patched. MSNBC likely used the extended url hack on IIS to read the global.asa file which has the u/p embedded in it. This is not really MS's fault, as hacks will be created on every platform... this is the fault of the folks who hired second rate, underqualified DBA's and network engineers. Even given a local login and straight access to the site, the SQL Server can be made inaccessible simply by implementing application specific security (under 7). This is, once again, a foresight and planning problem and is not necessarily the fault of the technology. My Redhat/Oracle box winds up with many many security patches as well, so we in the Linux community are not immune to this kind of stuff. Actually, I'm surprised that the people who skimped on their network weren't hacked up until now. (the frightening thing is... maybe they have been muhahahahaha)

    -Wanrat

    hehe it's 10pm, do you know where your credit card is?

  230. Re:Shooting the Messenger? The consumer pays... by dcd · · Score: 1

    I've seen this said several times now
    "it is not the consumer's problem"

    The consumer always pays...

    Any cost the merchant incurs is passed on to
    the consumer. So you pay for my losses, and
    I pay for yours :-) It's just averaged out.

  231. This Is Probably A Good Thing... by mdb31 · · Score: 5
    I'm not sure why everyone is suddenly so excited about the fact that you can easily steal credit card numbers "over the Internet" -- heck, you can easily steal credit card numbers anywhere. Guess someone feels they have to make up for their Y2K media fiasco...

    But anyway, all the attention to this issue is probably a Good Thing. Popular Internet e-commerce servers are bound to have quite a bit of credit card numbers, along with other goodies such as the name of the owner and the expiration date, floating around, and it's time that people became more clueful about how to handle this situation.

    Face it: any setup where both your webserver and database server are available from the Internet is a major security risk. The way most e-commerce shops, especially those running at hosting companies, are set up today (webserver and database server on the same machine, or at least the same network without any access controls) is simply asking for trouble.

    Here are a few reasons why:
    Software bugs - and no, not running any Microsoft products won't get you off the hook. In fact, I guess the cozy little MySQL password security exploit that was discovered recently is way worse than the ::$DATA issue, although most clueful providers will fix it quickly.
    Untrusted staff - how easy is it for a rogue operator at your provider, or a lowly-paid temp working for the shop itself, to run a complete copy of the credit card file?
    General data security - in other words: hey, do you know who else has access to your shared database server, or where the backups go at night?

    All of the above leads to a few conclusions:
    1. Partitioning - Web and database server functionality should be separated as much as possible: having your database on a separate machine and fitted with proper access controls (i.e. only accepting connections from trusted hosts and using proper authentication in addition to that) is pretty much a requirement.
    2. Encryption and access controls - Even with proper partitioning in place, most of your customer details need to be encrypted using a non-trivial scheme, and proper access controls need to be put in place. Make sure only the right people have access to your data, and log every access. Disable bulk commands, except during the backup window, if possible.

    Now, what percentage of sites is operating as described above today? My guess would be less than 10%, leaving enough room for on- and off-line crackers to steal whatever information they want. It's not a consumer problem per se (since credit card companies have pretty extensive consumer protection from fraud...), but still a lot needs to be done before the general public will truly get a warm fuzzy feeling about on-line shopping...

  232. secure transactions by BhodiLi · · Score: 1

    There already is a way.. but its expensive... and probably will not be accepted by all.... There is an electronic card called a "Fortezza" card that is in use by the US DOD to sign and authorize electronic documents.... You set up a key and authenticate it. You then assign your "Signature" to it and pop it into your PCMCIA slot... you then "Sign" your requests... This would fix the fraud or others posing as you but its a hassle....

    --
    ------------ DR Watson - " Your Program Performed an Illegal Procedure.."
  233. Trust Based Method Open to Abuse by RuntimeError · · Score: 2
    Using Credit Cards to make on-line payments is essentially a trust based method. Although we won't trust J Random Merchant with our cash, we will trust him with our credit card.

    Trust, unfortunately, is one of the easiest things to abuse. After all, most of the merchants have not earned our trust. We just take their word for it, i.e., the only reason we trust them is because they ask us to trust them.

    Although I am a sentimental old fool who believes in trust, I think it is about time that we moved out of this trust based method of transaction and entered a much more secure form of on-line funds transfers.

    E-cash and e-cheques sound promising. For example, if someone mugs you and gets 10 quid (pounds sterling) off you, your damage is only that 10 quid. However if someone steals a credit card from you, the damage can be quite considerable. Of course, you, the user, may not bear the brunt of the damage - the merchant and the bank most probably will - but the mugger's earning potential is only limited by your credit ceiling.

    In the same way, if someone steals 100 dollars of e-cash or e-cheques, the potential loss is only that amount.

    I hope some of the e-commerce companies and banks give this a serious thought.

  234. MS created this problem in the first place. by Etam · · Score: 1
    In the name of ease of use, they create software that clueless people can install. And they also created a certification program that allows clueless people to pass.

    This appears to be their plan all along... dumb down the customer so that they have no alternative but to stay with them. Therefore, it is wrong for the article not to put part of the blame on their partner company.

    --

    - Etam

  235. Not always quite that simple by augurist · · Score: 1
    While we might not be responsible for more than the first $50.00 (if that) there still is the issue of getting the charges off the card.

    I've had bogus charges on credit cards twice. The first time was on an Amex card and it was taken care of with absolutely no problems, but the second time was another matter. Over two years of phone calls, letters, faxes, etc. and it was finally resolved. Until this other card company finally complied with the Federal regs, over $700.00 worth of charges (and possibly the interest for the entire 2+ years it was on the card) hung over my head.

    What this made clear was how difficult it can be to enforce your rights. Whether instances like this are due to poor procedures and/or incompetence, or deliberate policies of a card company is unclear. It still is a consideration, when using credit cards.

    I haven't, and won't, stop using credit cards, but have switched to using wired phones and shredding anything with a card # on it before it gets into the trash.

  236. A simple, elegant solution.. by Ogerman · · Score: 1

    It's quite simple.. and it requires no encryption, no digital signatures, and no expensive hardware to implement: just use a rotating PIN for each credit card transaction.

    Each month with your credit card bill, you get a list of say.. 10 randomly generated (http://lavarand.sgi.com anyone? :-) 4-digit pins printed on a cheap laminated card. Each time you make a transaction, you go to the next number, then cycle back to the top at the end of the list.
    This way, even if someone steals your credit card number and pin (such as from an online database), it is completely useless to them since the next transaction will require a different, random pin and only you and the credit card company know the list.

    The only case in which this would not work is if you made enough consecutive transactions with the same party to go all the way through the list. But thieves are looking for a quick steal. They would not likely go through this much hassle.

    In summary, this method would eliminate, first of all, the most common type of credit card theft: the casual, unscrupulous store/hotel clerk. And secondly, it would drastically reduce the potential of online theft by making credit card number databases, in themselves, nearly worthless to crackers.

    ..a sidethought: the system could be made more secure by appending a single rotating digit to the number from a list of say.. 6 random digits. (or any other number such that the modulus of it and the number of 4-digit #'s is non-zero) This digit would also be printed on the card rotated with each transaction, but it might add enough extra complexity to confuse idiots..

  237. A simple, elegant solution.. by Ogerman · · Score: 2

    It's quite simple.. and it requires no encryption, no digital signatures, and no expensive hardware to implement: just use a rotating PIN for each credit card transaction.

    Each month with your credit card bill, you get a list of say.. 10 randomly generated (http://lavarand.sgi.com anyone? :-) 4-digit pins printed on a cheap laminated card. Each time you make a transaction, you go to the next number, then cycle back to the top at the end of the list. This way, even if someone steals your credit card number and pin (such as from an online database), it is completely useless to them since the next transaction will require a different, random pin and only you and the credit card company know the list.

    The only case in which this would not work is if you made enough consecutive transactions with the same party to go all the way through the list. But thieves are looking for a quick steal. They would not likely go through this much hassle.

    In summary, this method would eliminate, first of all, the most common type of credit card theft: the casual, unscrupulous store/hotel clerk. And secondly, it would drastically reduce the potential of online theft by making credit card number databases, in themselves, nearly worthless to crackers.

    ..a sidethought: the system could be made more secure by appending a single rotating digit to the number from a list of say.. 6 random digits. (or any other number such that the modulus of it and the number of 4-digit #'s is non-zero) This digit would also be printed on the card rotated with each transaction, but it might add enough extra complexity to confuse idiots..
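    The rotating-PIN list proposed in comments 236 and 237, as an added simulation that is not part of either post: it shows a replayed (card number, PIN) pair being refused, and also the two edge cases a practitioner would want to see, the thief who observes a whole cycle of purchases, and the cardholder who then falls out of step with the issuer. The names (Issuer, Cardholder, authorize, demo), the test card number and the PIN lists are all constructed for illustration.

```python
# Added example, not code from the original posts: a small simulation of the
# rotating-PIN list. Class and function names are invented for illustration;
# the card number and PIN lists used below are constructed test data.
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

LIST_LENGTH = 10  # PINs printed on the laminated card each month


def generate_pin_list(n: int = LIST_LENGTH) -> list[str]:
    """Issuer side: n independent, zero-padded 4-digit PINs from a CSPRNG."""
    return [f"{secrets.randbelow(10_000):04d}" for _ in range(n)]


@dataclass
class Issuer:
    """Keeps each card's PIN list and the index of the next PIN it expects."""
    pins: dict[str, list[str]] = field(default_factory=dict)
    position: dict[str, int] = field(default_factory=dict)

    def issue(self, card: str, pin_list: list[str] | None = None) -> list[str]:
        self.pins[card] = list(pin_list) if pin_list else generate_pin_list()
        self.position[card] = 0
        return list(self.pins[card])  # the copy printed for the cardholder

    def authorize(self, card: str, pin: str) -> bool:
        """Accept only the PIN at the current position, then advance (cycling)."""
        pin_list = self.pins.get(card)
        if pin_list is None:
            return False
        idx = self.position[card]
        if not secrets.compare_digest(pin, pin_list[idx]):
            return False  # wrong PIN: do not advance, so a typo cannot desync
        self.position[card] = (idx + 1) % len(pin_list)  # back to the top at the end
        return True


@dataclass
class Cardholder:
    """The customer reads PINs off the card in order and cycles back at the end."""
    card: str
    pin_list: list[str]
    next_index: int = 0

    def next_pin(self) -> str:
        pin = self.pin_list[self.next_index]
        self.next_index = (self.next_index + 1) % len(self.pin_list)
        return pin


def demo(pin_list: list[str] | None = None) -> dict[str, bool]:
    """Walks through the scheme and returns each outcome by name."""
    issuer = Issuer()
    card = "4111111111111111"  # constructed test card number
    holder = Cardholder(card, issuer.issue(card, pin_list))
    results: dict[str, bool] = {}

    # 1. A normal purchase: card number plus the next PIN is accepted.
    first_pin = holder.next_pin()
    results["legit_purchase"] = issuer.authorize(card, first_pin)

    # 2. A thief copies (card number, PIN) from the merchant's database and
    #    replays it: the issuer now expects the next PIN, so it is refused.
    results["replayed_pair_refused"] = not issuer.authorize(card, first_pin)

    # 3. The cardholder's own next purchase still works after that attempt.
    results["next_purchase_ok"] = issuer.authorize(card, holder.next_pin())

    # 4. The weakness the comment concedes: a party that sees a whole cycle
    #    of purchases learns the list in order, and the PIN after the last
    #    one it saw is exactly what the issuer expects next.
    seen = [holder.next_pin() for _ in range(len(holder.pin_list))]
    for pin in seen:
        issuer.authorize(card, pin)
    results["full_cycle_lets_thief_in"] = issuer.authorize(card, seen[0])

    # 5. Side effect of 4: the real cardholder is now one step behind the
    #    issuer, and their next PIN is refused until they notice and skip one.
    results["holder_desynced"] = not issuer.authorize(card, holder.next_pin())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    Step 5 is the operational cost the posts do not mention: any transaction the issuer never sees (a lost authorisation, a merchant that batches offline) leaves the customer's pointer and the issuer's pointer out of step, so a real system would need a resynchronisation rule, such as accepting any of the next few PINs in the list.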

  238. Re:neophytes by A.Gideon · · Score: 1

    > What this all comes down to is that companies are trying to save a buck and are using so called 'web developers' that don't know what they are doing

    That, plus "going cheap" by not hiring a network administrator that can pronounce "firewall", not running DB and web on separate machines, etc.

    Certainly not all companies are this cheap, but many are. However, an important point is that they get away with it. Why?

    Too many "e-commerce" clients want As Cheap As Possible. They want their web/db server costs at "the usual $20/month". So the vendors which spend more on security and infrastructure are out of luck for being overpriced.

    Looking at this from a different perspective, I have to cite an ex-client. They decided - for security reasons - to host a machine at a "secure" location (i.e. Exodus). However, they run the web server on the same machine as the Sybase server. The Sybase server is listening on a port that is completely open to the Internet. They have finally put an SA password in place, but the server itself is still wide open.

    The dataserver is also configured so that all devices are on file systems. This is an invitation to corruption.

    How did these occur? Because the technical staff at this company has no idea what it is doing. Why does the management of the company permit this? Because they've no idea what they're missing. Since Internet Businesses are "for the young", the owners of the company decided that a young senior techie was a normal thing.

    And perhaps it is. This is not the first time I've seen this sort of thing.

    Note: this company is using Solaris, Stronghold, and Sybase. These are all products that I very much respect. So it may be a mistake to look too closely at *any* product, if you're looking to place blame. No product is good enough - at least today - to survive improper administration.

    Perhaps that is the next level to which we must take our products: secured against administrative abuse.

  239. Is there really a problem? by type2 · · Score: 1

    It is clear that obtaining credit card numbers (and the other required information such as expiry etc) is not the problem. As has been well pointed out, this has been do-able for some time, by a variety of means.

    Even as it stands, it's not a disaster if some criminal finds my card number. If he isn't careful when using it, he will get caught. You can't use them to get cash out of ATMs without a PIN (at least, not in this country) so you have to buy something. You can only really buy in person with it - and forge a signature - because otherwise it has to be shipped to an address and you will get caught that way, unless you are a resourceful criminal. I don't think you can just walk away from a dealership with a car, having paid by card.

    And even buying something in person has a risk associated, if only shops would be more rigorous in pursuing fraudulent customers via closed circuit camera pictures or whatever.

    Certainly the credit card companies are unhappy at the amount of fraud which goes on, and they don't even pursue the low-value transactions. To answer my own question, there must be some problem otherwise they wouldn't be so worried, but I must admit that I don't understand why more people aren't caught. If shops were more willing to identify fraud, the possession of a credit card number would buy you very little without a high risk.

    But in any case, the problem isn't that the credit card numbers get out - it is, and always has been, a sort of security through obscurity, and we know what to think of that!

    type2

  240. Database Design for E-Commerce/Client-Server Apps by Tassach · · Score: 1

    I would add one more thing: NEVER allow a cgi script to pass in unchecked SQL. That's begging for trouble! Actually, (speaking as a veteran Client/Server systems architect) you should never let ANY front-end program pass arbitrary SQL to your database. All the front-end should be allowed to do is execute Stored Procedures. In the systems I design, I never grant user accounts ANY permissions to the tables directly -- every database transaction is done via a call to a stored procedure. This is more secure, results in better performance on the database, and simplifies the DBA's job. Sadly, many otherwise very clueful programmers do not really grok databases; especially from a security and performance standpoint.

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
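    The failure Tassach warns about in comment 240, a front end passing unchecked SQL, next to two safer patterns, as an added example that is not part of the comment: a bound parameter, and an approximation of the stored-procedure-only discipline in which the front end may only name an entry from a fixed catalogue and supply arguments. It uses an in-memory sqlite3 database with constructed sample rows; the table, column and procedure names are invented for illustration.

```python
# Added example, not code from the original comment: unchecked SQL from a
# request parameter versus a bound parameter versus a fixed procedure catalogue.
# The schema, rows, card numbers and procedure names below are constructed.
import sqlite3


def setup_demo_db() -> sqlite3.Connection:
    """Builds a throwaway shop database with two constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (
            id          INTEGER PRIMARY KEY,
            customer    TEXT NOT NULL,
            card_number TEXT NOT NULL
        );
        INSERT INTO orders (customer, card_number) VALUES
            ('alice', '4111111111111111'),
            ('bob',   '5500000000000004');
        """
    )
    return conn


def lookup_unchecked(conn: sqlite3.Connection, customer: str) -> list[tuple]:
    """VULNERABLE: the request parameter is spliced into the SQL text, so the
    caller controls the statement itself, not just the compared value."""
    sql = f"SELECT customer, card_number FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list[tuple]:
    """Bound parameter: the value can never alter the statement's structure."""
    return conn.execute(
        "SELECT customer, card_number FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


# Stand-in for "the front end may only execute stored procedures": the only
# thing a caller can send is a procedure name plus bound arguments. Each entry
# is (SQL text, number of arguments).
PROCEDURES = {
    "orders_for_customer": (
        "SELECT customer, card_number FROM orders WHERE customer = ?", 1),
    "count_orders": ("SELECT COUNT(*) FROM orders", 0),
}


def call_procedure(conn: sqlite3.Connection, name: str, args: tuple = ()) -> list[tuple]:
    """Refuses anything that is not in the catalogue; never executes caller SQL."""
    if name not in PROCEDURES:
        raise PermissionError(f"unknown procedure: {name!r}")
    sql, arity = PROCEDURES[name]
    if len(args) != arity:
        raise ValueError(f"{name} expects {arity} argument(s), got {len(args)}")
    return conn.execute(sql, args).fetchall()


def demo() -> dict:
    """Runs one classic tautology payload through all three paths."""
    conn = setup_demo_db()
    payload = "' OR '1'='1"  # what a form field might carry
    return {
        # the whole card file comes back: WHERE customer = '' OR '1'='1'
        "unchecked_rows": len(lookup_unchecked(conn, payload)),
        # no customer is literally named "' OR '1'='1", so nothing comes back
        "parameterized_rows": len(lookup_parameterized(conn, payload)),
        # the only way in is by procedure name with a bound argument
        "procedure_rows": call_procedure(conn, "orders_for_customer", ("alice",)),
        "order_count": call_procedure(conn, "count_orders")[0][0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The catalogue is only a stand-in: on a real server the same effect comes from granting the application account EXECUTE on the procedures and nothing on the tables, so that even a compromised front end cannot SELECT the card column directly.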
  241. neophytes by ereoc · · Score: 1

    What this all comes down to is that companies are trying to save a buck and are using so called 'web developers' that don't know what they are doing. Changing the default password on SQL server, and sticking it behind your firewall is not a difficult thing to do... if you know that it needs to be done.