White Hats Take NASDAQ Through MS IIS Hole
stomv writes: "A hacker found exploits in a NASDAQ server, could have changed market info and admin passwds. Server: IIS. Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17."
You can't trade on the Dow, DJIA is just an index. Microsoft is part of the Dow, but the stock is traded on NASDAQ.
As an aside, I believe MSFT was the first stock on the Dow not traded on the NYSE.
Devil Ducky
MY peers would get out of jury duty.
The original eye-eye exploit took almost 5 months for a patch. That's scary as it gave total control of the file system to any remote user. 5 months is too long for someone sitting in a production environment to wait for a solution.
Score one for the "ethical hackers", Score one for the anti MS side, Score 2 for those that DON'T run IIS.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Ok, I'm certainly a newbie to slashdot, at least from the posting standpoint, but this whole Karma thing has me dusted. With a little imagination I can kinda see where it was, and what's going on with it. But having read some of Sig11's rants I think he/she takes this all way too seriously.
I look to slashdot from an informational/entertainment perspective. If I see something that catches my interest I may wait around to see what other posters have to say, and some are truly excellent, but I'll often go dig for myself to satisfy my need for details.
Sig11 overlooks the fact that people are here because they choose to be, rather than forced to experience some utopia. Not perfect, as Taco says, but it has an audience. Seems a "good fit", as we say in the IT biz.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
This all has nothing to do with Microsoft's design. In fact quite the opposite. NT/2000, like most modern operating systems, have a pervasive operating system that imposes security everywhere. Every registry key, every file, every service, every mutex, every object. Everything has an ACL (Access Control List) that allows massive granularity of security configurations. Of course by default most objects are configured as "Everyone" but using some standard utilities and a good admin that's quickly fixed.
That pervasive security model carries through to lots of other applications as well. In SQL Server I define which of the NT users have rights to access the database server, then the databases individually, then the individual objects. Actually you can configure specific columns with ACLs. However that is all lost the moment a project is done in too tight of a timeline and security takes a backseat: in that case you end up with "Domain Users" configured as db_owners and sysadmins. That is rampant and it has absolutely nothing to do with the operating system.
Microsoft gets slammed a lot for things which are the exact opposite of their intent. There is nothing inherently wrong with the OS model, there's something wrong with the priorities of some developers and some organizations.
Ahem. It's "bugtraq".
Wow! Musta made some lucky trades, eh?
iPlanet administrative server must run on a different port from the user server. There is almost no access to Web app level configuration from this menu. (just servlet properties, which you'd have to restart the server to take effect, which requires a password)
iPlanet runs as an app in user space. When installing iPlanet, it warns you that the server should run under an id that has extremely limited permissions at the OS level. "nobody:nobody" is the default setting for this userid.
Because of this partition between Solaris and the Web server, it is nearly impossible for code attacking the webserver to root the box. Even getting a shell as nobody is not too useful.
On the web app side, servlets run in a security sandbox that can be custom tailored to limit access to outside resources. The default settings in iPlanet do not allow file or OS level access from servlets. In fact, the setting to turn this on isn't even in the default config file or admin interface. You have to look it up, know what it is and how and where to add the parameter by hand.
Automatic memory management and array bounds checking in Java prevent the most common form of attacks from being effective. (the app may crash, but it won't compromise your server)
There is still room (there's always room) for poor configuration and insecure apps to cause havoc, but in comparison to the Microsoft toolset, there is much more attention paid to security, segregation of control, and default settings that put security above ease of use.
While the average end user may prefer the ease of use to security, critical civilian sites like NASDAQ and other financial institutions just shouldn't be using products with that philosophy. To market and sell these products to these types of end users (even a company as huge as MS knows when somebody like NASDAQ is using their software) is irresponsible. To allow an application configuration like that is even more irresponsible. (You can bet that NASDAQ had MCSEs or an MSCSP build this, not somebody's 16 year old nephew.) Sun, in contrast, sends auditors/admins to important customer sites like eBay to make sure they're using the software correctly.
I agree that the folks who built this must shoulder a lot of responsibility, but I cannot absolve Microsoft of culpability. Security is an afterthought in their products, rather than a fundamental design principle, and it shows.
doh, no points left.
Really good point about the COM object. It seems a little "hacky" just to hide the passwords, and even then it would be clear text in the .DLL, but a whole shitload better than just having it in the global.asa file.
Anyone know that originally ASP was going to be called Active Server Scripts? Of course the .ASS extension made some PMs change their mind. But it's funny anyway.
-Jon
this is my sig.
Something like global.asa, which for you non-IIS types out there, is a file run on webserver startup, which contains all sorts of interesting information. It is a repository for most developers using IIS to put in information like database usernames and passwords, so the webserver can talk to it.
What I believe is a better solution than to leave usernames and PW in the global.asa file, is to instantiate a COM object from global.asa. Then, either put the usernames/PW in there, or have the COM object read them from somewhere like the registry. Then, even if someone gets at the global.asa file, they don't know the important stuff going on there, no matter what their intentions. If NASDAQ had done this, their information wouldn't have been exposed.
Artificial intelligence is no match for natural stupidity. --unknown
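The pattern argued for in the post above, as an added example that is not code from the thread or from any product it names: a constructed global.asa that embeds a connection string beside one that leaves the secret to a component, an audit that walks a web root for password-looking assignments in served files (what a source-disclosure bug or a stray .bak copy hands to an anonymous client), and a loader that refuses the credential unless its store sits outside the web root with owner-only permissions. The .asa contents, paths, the component ProgID Site.Config and the POSIX mode check are assumptions for the demo; a registry-backed store on NT would need an ACL check instead.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed sample: a global.asa that embeds the database connection
# string, the pattern criticised in the post above (all values made up).
LEAKY_GLOBAL_ASA = """<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
    Application("ConnStr") = "Provider=SQLOLEDB;Data Source=dbhost;" & _
        "User ID=webapp;Password=s3cret-example"
End Sub
</SCRIPT>
"""

# Same file after the secret is moved out: a component (hypothetical ProgID
# Site.Config) hands back the string it read from a protected store, so the
# served file carries nothing worth disclosing.
CLEAN_GLOBAL_ASA = """<SCRIPT LANGUAGE=VBScript RUNAT=Server>
Sub Application_OnStart
    Application("ConnStr") = Server.CreateObject("Site.Config").ConnStr
End Sub
</SCRIPT>
"""

# Assignments that look like a password inside a served text file.
SECRET_PATTERN = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;\"'\s]+")
# Extensions a web server will hand to a client or expose via source view,
# including the backup copies editors leave behind.
SERVED_SUFFIXES = {".asa", ".asp", ".inc", ".htm", ".html", ".txt", ".bak"}


def find_plaintext_secrets(webroot):
    """Audit a web root: return (relative path, keyword) for every served
    file containing a password-looking assignment. Each hit is what a
    source-disclosure bug would hand to an anonymous client."""
    webroot = Path(webroot)
    hits = []
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SERVED_SUFFIXES:
            continue
        for match in SECRET_PATTERN.finditer(path.read_text(errors="ignore")):
            hits.append((str(path.relative_to(webroot)), match.group(1).lower()))
    return hits


def load_connection_string(store_path, webroot):
    """Read the credential the way the hardened global.asa expects: from a
    file outside the served tree that only its owner can read (POSIX mode
    check; an NT deployment would inspect the ACL instead). A misplaced or
    over-permissive store fails at startup rather than leaking later."""
    store = Path(store_path).resolve()
    root = Path(webroot).resolve()
    if store == root or root in store.parents:
        raise PermissionError(f"{store} lies inside the served tree {root}")
    mode = stat.S_IMODE(store.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{store} is readable by group/other (mode {mode:o})")
    return store.read_text().strip()


def demo():
    """Build a throwaway layout and return (leaky hits, clean hits,
    good store loaded, over-permissive store rejected)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        leaky_root = base / "leaky_wwwroot"
        clean_root = base / "clean_wwwroot"
        private = base / "private"
        for d in (leaky_root, clean_root, private):
            d.mkdir()
        (leaky_root / "global.asa").write_text(LEAKY_GLOBAL_ASA)
        (clean_root / "global.asa").write_text(CLEAN_GLOBAL_ASA)

        conn = "Provider=SQLOLEDB;Data Source=dbhost;User ID=webapp;Password=s3cret-example\n"
        good_store = private / "connstr.txt"
        good_store.write_text(conn)
        os.chmod(good_store, 0o600)          # owner-only
        bad_store = private / "connstr_world.txt"
        bad_store.write_text(conn)
        os.chmod(bad_store, 0o644)           # readable by every local account

        leaky_hits = find_plaintext_secrets(leaky_root)
        clean_hits = find_plaintext_secrets(clean_root)
        loaded = load_connection_string(good_store, clean_root).startswith("Provider=")
        try:
            load_connection_string(bad_store, clean_root)
            rejected = False
        except PermissionError:
            rejected = True
        return leaky_hits, clean_hits, loaded, rejected


if __name__ == "__main__":
    print(demo())
```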
You make an excellent point about the file extensions, especially for a developer (that wasn't a dig, most developers get scared when I make changes to the system... they always think it will break their app...). I don't think that the comment about hotfixes was off base, it happens fairly often. This is, of course, a result of people being human again. Sorry I'm answering your comments randomly... I never said you should ASSUME that the patch doesn't work, I just said you shouldn't ASSUME that it does. I quote Paul Leach... "We deliberately and cynically make the smallest band-aid fixes we can, just enough to convince customers that the problem is fixed when it really isn't". - I admit that's taken out of context so he may have meant it as sarcasm, but Microsoft has many times shown this to be true in their actions. I agree about the global.asa file, but I'm so tired of fighting that war I finally just gave up. The last thing I'll say is that Microsoft should put those fixes (smart administration, such as removing the rogue file extensions) into the MCSE curriculum. Right now they have a bunch of worthless hacks running around with no idea, but who have a certificate from Microsoft saying they know their shit. (I tech review guys constantly... 99% of MCSEs don't know the difference between regedit.exe and regedt32.exe).
the other last thing I'll say is thanks for replying. That is much more important to me than being modded up or down. Sorry again for the random replies, I'm in a hurry.
Politics, Culture, Food?
Read the article!
It mentions (veracity aside) that the hacker did not use the July 17th exploit. Regardless of M$ or IIS, the hole was something the hacker had found and exploited.
The article also mentions that the hole was fixed and patched promptly; it never mentions if M$ fixed it, if M$ knew about it, or if M$ tried to hide it. All you are doing is spreading misinformation.
This is not about a crack reported in July. M$'s track record is not at issue, regardless of its purity or lack thereof, and M$'s press tactics are not the issue.
Hate M$, but this article is *not* about M$!
If you like the details... read the article.
The nick is a joke! Really!
GPL Deconstructed
Non-Dutch readers might be interested in the fact that the person Gerrie Mansur is not taken seriously in The Netherlands. He's a 'media hacker', despised both by hackers, crackers and security people.
-- unix is for people without a social life - Patrick van Eijk
It still doesn't make it acceptable to leave a security hole unfixed so long, though.
He's supposed to be a white hat, yet refuses to disclose this "other" hole... while there was already a known hole to exploit? Maybe it's just me but that doesn't sound quite right.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
The problem is *not* the July 17th hole, allegedly. It's a different one, that the hacker has thoughtfully chosen not to disclose. Of course, it's his word, but he says it isn't the +htr hole...
The nick is a joke! Really!
GPL Deconstructed
A followup article on Technology Evaluation at (Slash may mangle this URL) http://www.technologyevaluation.com/research/research highlights/security/2000/06/news_analysis/na_st_lpt_06_21_00_1.asp explains some of the implications of weaknesses in stock data services.
What is ignored are the secondary effects - when these weaknesses are exploited to manipulate the market, the long term result will be loss of trust in news feeds and stock information services.
It seems that all of the major financial news services have had serious security problems this year- Comstock, Bloomberg, etc.
Who can you trust to supply good data?
I do not deploy Linux. Ever.
I hope this is early enough to beat all the M$ bashers et al...
The hacker denies using a known security hole. It's still M$'s bad for not *fixing* said hole, but unless the hacker is lying, that problem is not the issue.
Nor is the fact that M$ has a vulnerability-any software of sufficient complexity will have issues, bugs, and vulnerabilities.
It doesn't truly matter that M$ was involved, nor that IIS was in use. In this case, NASDAQ has someone they can talk to, debug, and fix, ultimately, and it was M$. It could have been Sun, IBM, VALinux, whatever. It isn't a bash against M$ that their server had this problem.
The nick is a joke! Really!
GPL Deconstructed
I think the importance is that MS was notified of the hole in july but still have not produced a fix.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
Why is CNN (or the person they quoted) claiming it was the July 17 exploit when it apparently wasn't?
Because accuracy or quality in reporting is no longer what's most important. What is most important is being the first to report it.
This is supposed to be great art. So why does it look like a bunch of decapitated naked people? -- Calvin
Your logic follows that of "If everyone cleaned up their own yard, the world would be a much prettier place."
While this is true, some people just won't clean up their own yard without the intervention of external forces. That's why entities such as homeowners associations have proliferated.
I guess we can consider White Hat hackers as being the HOA's of the internet.
Steal this signature.
Possible answer one:
To give karma whores something to post about?
Possible answer two:
Because that's what their area expert thinks the guy used and they decided to post both explanations instead of launching a probably futile attempt to find out which it was by deadline time?
I'm sure they will have some PR twist or it just wouldn't be fun.
M$ can't devote any of their programming resources to security, or bugs. If they did, then they wouldn't have anyone to develop the latest Talking Barney. And that would be a tragedy.
Devil Ducky
MY peers would get out of jury duty.
I highly doubt that the computers which track trades are directly connected to the web servers. He might have been able to fool a few people into making bad trades because they think a stock is doing something it's not, but it didn't sound like he ever had the power to change a stock's price.
Not to mention this information is backed up just a few times I'm sure. I don't think it's as simple as changing one file to reflect the value you want the stock to have.
is that this is a prime, well exposed example of how hackers are beneficial to business and society, rather than the parasites media typically portrays them as.
If you're a sysadmin, you should know you're in trouble when developers act like this. It's an indication they have no idea how their application works, or what its security requirements are; the application will most likely not have been designed with security in mind.
I have made this mistake myself a few times (I develop and admin systems nowadays)
-- Buddy
Microsoft is at its 52-week low, as are Dell and @Home. Your point is?
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
You slept your way to a +5, so your last point is the only interesting one.
Signal11 came to /. at a time when there were few people. He did not grow as Slashdot did; he was immersed in the "great conversations." Great conversations do not scale.
Or at least not without a change in perspective. The new crop of us fools see moderation as tools to find the interesting points that lie in the sea of noise. Upon finding an interesting point, I personally drill down to read its responses at -1. That means I lose all the original, interesting posts that weren't responses to someone else? Certainly. I am assuming that the great majority of unmodded good posts were some impassioned response to someone else. Not perfect, but moderation is a tool to find as much good information as possible, as a computer is a tool to filter through noise to find the waveform underneath.
To tell the truth, I don't care for Signal11's posts or whatever else people are doing to prove that Slashdot is a system with entertaining flaws. I know that. Chris Johnson is one of the regulars with something interesting to say; so probably is Fascdot/Olympic Sponsor. The rest can write whatever they want; I just may not notice.
Insightful would perhaps talk about what the merits and demerits the M$ OS has, and the alternative OSes have. Or perhaps about their fitness for purpose, rather than vaguely commenting on their fitness.
My own comment is supposed to be insightful. It's supposed to engender insight in people reading on what an insightful comment is supposed to be. Moderate it up, if you moderators want people to read it and note "Gee, he's right. An insightful comment would make me stop and consider something I would not ordinarily consider. Bashing groupthink or M$ is not insightful, because everyone already does that... This is really overrated, or something."
Oh well. That's my rant ^^
The nick is a joke! Really!
GPL Deconstructed
I love you more than I love Hemos.
No, I didn't read the goddamned article.
It doesn't truly matter that M$ was involved, nor that IIS was in use. In this case, NASDAQ has someone they can talk to, debug, and fix, ultimately, and it was M$.
Beg pardon? Louis, are you implying here that Open Source people have nobody to talk to?
On Tuesday, I found a bug in Mandrake's recent compilation of a Linux kernel (which neutered ide-scsi CD burners). Within 15 minutes of telling them this, it was attended to, diagnosed, and fixed. Less than 15 minutes after seeing their email, the fix was on Mandrake's FTP server (which is impressive, given that we're dealing with four different kernel compiles here, plus modules).
Try getting any response out of Microsoft within 15 minutes, even by telephone, I dare you! Now try getting it for free. Finally, if the response starts with ``have you tried rebooting your computer?'', scream into the handset and hang up. (-:
I can't even get a straight answer about pricing out of Microsoft, never mind useful tech support. My experience with Sun and IBM is that their turnaround is likely to be a couple of days rather than minutes, but that their response is generally quite helpful. I haven't tried VALinux, but have heard good things about them.
I hope this is early enough to beat all the M$ bashers et al...
Forlorn hope, M$ is busy making more of them as we type. (-:
Got time? Spend some of it coding or testing
Does it make much of a difference that the server was IIS? It's still a crack.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
'You can't stop Lazy and inexperienced users from using your product.'
Where did I say you could? I said that if you make a point of marketing to such users you'll have more of them.
'Who is working to prevent lazy and inexperienced people from using Linux?'
Who needs to? You don't seem to get the point. Here it is. Microsoft sites are run by less experienced people because they are sold as being runnable by less experienced (and expensive) people. When Microsoft tells you Linux has a higher TCO because you need more expensive people to run it, this kind of story about the Nasdaq is the hidden cost of believing them.
It's amazing how powerful market speak is. If you call something easy to use and self-maintaining people smile. When you say that it was designed to be marketed to those who *need* easy and self-maintaining, tempers fly. But it's true. Microsoft sacrificed an awful lot of functionality and reliability so that it would be.
I never said that everyone who uses Microsoft was lazy and inexperienced, that is just as stupid and false as saying that everyone who uses Linux isn't. But saying that Microsoft has created their own problem userbase thru clever marketing not backed up by a sufficiently clever product is not a generalization and I believe it to be true.
Um, there is no online trading going on at the nasdaq.com website. It's a pure information source.
Right, but people go there to check their stocks. If they see inaccurate numbers, they will act on them, thus producing whatever effect the person who supplied the incorrect information wanted.
Remember the old saying, "Possession is nine tenths of the law"?
Well, here's a new one for you:
"Perception is nine tenths of reality."
Think about it... If a stock (or whatever) is seen as uncertain or shaky, then it really doesn't matter how well it actually is doing, it becomes uncertain and shaky...
NecroPuppy
---
Godot called. He said he'd be late.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Stuff like this cracks me up. TEN YEAR OLD SECURITY FLAW REDISCOVERED BY ME -- EVIL VENDOR WON'T FIX BECAUSE OF BACKWARD COMPATIBILITY.
I suppose it's good to remind people that NetBIOS is an ancient insecure system that was designed for isolated 30 computer LANs, but the fact that someone has written an 'exploit' is not news at all. (Though, it would be nice if MS/Vendors shipped this stuff disabled by default on machines targeted to home markets.)
When I hear the word 'innovation', I reach for my pistol.
I hope MS learns their lesson on this one
www.buymeaferrari.com
There is nothing inherently wrong with the OS model, there's something wrong with the priorities of some developers and some organizations.
One of those developers being Microsoft, of course. Look at any of their pre-2000 desktop software which did not work right in secured configurations. Or, the terrible "Exploit Air" sample site they shipped with IIS4.
When I hear the word 'innovation', I reach for my pistol.
Thankfully I'm not on his team; Hit2000 isn't really a team. Me and Nohican are with RooT66 (http://root66.student.utwente.nl). Hardbeat (with whom I did apache.org) isn't with Hit2000 either. Gerrie Mansur used a way to view server side scripts, meaning he knew the passwords the server used to LOCAL connect to the database. Well that was his great hack, let's spoof 127.0.0.1 from your home cable modem? (no way I work at his cablemodem company :)
Guess online trading is buggy.
Microsoft trades on the Dow, right?
There is no Light Side without a Dark Side.
Face it, people are stupid, and the internet is the place where they all meet.
The article left out the part about NASDAQ's lawyers. I'm sure that by now their lawyers have given this hacker that "helped" them so much hell already. NASDAQ Lawyer: "If we even catch your bits, two hops away from our closest server, your ass is going to jail." I'm sure they consider him a threat right now and they're wondering, "what else does he know about our systems." Really though, I wonder what heat he got from them.
It's just a matter of caring enough to make sure the moderation system works. If it works for me, it should work for everyone.
If it works well, then I'm happy. If it doesn't work, then it makes /. useless to me, and prolly useless to others.
The nick is a joke! Really!
GPL Deconstructed
Why doesn't anybody realize that for a Web application, the following things shouldn't be the case:
1) Database passwords, admin passwords, ANY passwords shouldn't be stored on the Web server in plaintext.
2) If an application management interface exists at all on the Web server (which I have some problems with), it should always run on a different port than the application itself and that port should be firewalled such that it can only be accessed from trusted (internal) IPs. The content directory structures for the application and application management should also be segregated.
An architecture that stores permissions and passwords and allows access to change these things and modify the application through the same channels that the application is provided is INHERENTLY INSECURE BY DESIGN.
Sorry if I'm ranting here, but as a professional developer working on a financial site this really tweaks my sense of professional ethics. Who designed this crap? Who audited it and said it was OK? Why do people think that Microsoft's architecture aimed at Joe Idiot who wants to put up a web page about his schnauzer fan club without having to learn anything is suitable for use by NASDAQ for cripes' sake!?!?
Wow.. is all that crap real?
Heh.. *shrugs*
Jeremy
...I think they use Compaq Tandem systems. When there's that much money at stake, you don't rely on Microsoft/Intel to make your software/processors.
So could this guy have altered graphs and quotes, triggering massive sell-offs or buying sprees?
:)
/me shudders while thinking of script kiddies sending Wall Street into a tailspin.
But I have to say that I wouldn't mind getting ahold of such an exploit--I could pay off my credit card and set up a nice retirement nest egg in a few minutes in all likelihood.
The point is that there are many people out there who take advantage of exploits like this for nefarious purposes.
If it weren't for 'good crackers' like this person, we would be much more vulnerable overall. Crackers and Hackers like this person are the people for discovering and fixing security holes in our software. I think they should be applauded for working towards good rather than evil.
Of course, I forgot that in the utopian society you describe, there would be no need for security...
So he must be a black hat because he didn't release the details of the exploit to the general public thereby allowing other hackers to do real damage before it's patched?
This is a bowel disruptor, and you are just full of shit. - Spider Jerusalem
As an aside, I believe MSFT was the first stock on the Dow not traded on the NYSE.
Yeah, that's it. My brain always assumes that anything on the Dow is traded on the NYSE.
Guess I'm Mynn the Clueless today.
Face it, people are stupid, and the internet is the place where they all meet.
The guy should get a payout from m$ for finding bugs like that, he's brave enough to give his ID and a fix for the security hole - but he'll probably get nothing but hassle or the cold-shoulder from 'the man'. Let's face it, because humans are fallible, software will always have flaws and bugs that will either be fixed, ignored or exploited. m$ more-often-than-not falls somewhere in the last 2.
A slashdotting - you get the stick first and then the carrot !
I'm almost getting tired of hearing about Microsoft's security flaws, and their inability to deal with them.
They will only learn when their customers start to feel the same way you do.
Admit nothing, deny everything and make counter-accusations.
No, I don't believe M$ is very good, either...
I wasn't implying that in the OS world there was no contacts or reps. I was implying that NASDAQ's vendor/software/implementor was M$, out of anyone that they could have used: IBM, Sun, VALinux, etc.
My point was that there was an exploit, in a system, that a hacker found. It wasn't really an issue that it was a M$ problem, other than the implicit acknowledgement that there is the image that M$ code is buggy and unreliable.
The nick is a joke! Really!
GPL Deconstructed
You'd think that the powers that be would voluntarily dish out a reward and publicize the hell out of this. Or at least pass out large chunks of intellectual kudos.
It's the coverage of sleaze and the lack of "New"s that I quit paying attention to the networks in the first place.
Hell.. truth be known.. I don't even watch tv..
Friends don't let friends buy Compaq's. (Dell/Gateway... same same) You want a good computer? Build it yourself.
Read the article. The bug mentioned in the blurb had a patch released on July 17. The bug mentioned in the blurb was not the one that was exploited.
Mine for several weeks have been showing almost nothing but port 137, 138, 139 shit
That is whacky. I'm talking about my personal machine sitting on the @Home network and my BSD firewall box has not seen a single attempt on any of the NetBIOS ports. Not one. I don't know where you are but are you perhaps on a corporate network and all your coworkers run Windows? ;-). Seriously though I find it odd that I haven't seen a single NetBIOS attempt and you say you are inundated with them.
Watching what that h4x3r5 are looking at is always quite interesting. Several attempts tonight have been to port 23 (telnet), and from a diverse crowd. I have a completely locked down firewall so it's not like they're hitting me as a known target, but rather this is network scanning. Why the sudden interest in telnet tonight?
On the topic of scans I will admit that scanning for SubSeven and BackOrifice has gone up MASSIVELY in the past 24 hours. Either someone has a distributed-scan going or some warez or software has gone out with one of these trojans and the kiddies are looking for the infected. Fascinating stuff though.
Cheers!
Wow, CmdrTaco is the most mature and good natured person I've ever heard of: *NOT!*
Jesus, now I know why so many people become trolls. Somebody that hung up on themselves just deserves to have problems.
Trolls, in the past two weeks I've started to understand your plight. I believe my turning will soon be complete. Forgive me for my past transgressions. I will soon be one of you!
Bite my yammer.
You're quite right, it is not easily measured, but it is widely accepted that security holes are often discovered through the act of careless exploits.
It is infinitely more difficult to reverse engineer a product than it is to look at the source and study it for weaknesses. At the very least, the source code acts as a guide to explore potential vulnerabilities.
While both IIS and Apache provide people with ample kudos for finding security holes, the attitudes are different. You can't even own a copy of IIS without shelling out for NT server, and then when you do, reverse-engineering puts you in violation of your license agreement. If you were to approach MS with a hole, and somehow convince them that it is a serious issue, you'll be lucky if you're not arrested. If not for piracy, for violation of your License... or you could report it, just give MS a short time to act on the bug, exploit it, make a name for yourself in the news and maybe let a few tools slip.
Hidden developers, lack of source, and potential legal consequences are all disincentive. The only reason to do them the favour when you just spent weeks hacking through a bug, is in fear of their applications failing.
Apache is so much easier. Just post the bug to the developers and be laughed at or be thanked. It's like debugging code written by your own company.
Finding the hole is nowhere near as easy as exploiting it. Not having the source is a major inhibitor to studying the security of an application. Reverse-engineering bugs is a pain in the butt...
Erm, the bug (in IIS4 and IIS5) was patched on July 17th, and if I interpret the text correctly, that's THE SAME...
Yes. You did interpret the text correctly. Your failing, however, is to assume that MSPatch==ProblemFixed. I am an MCSE and a security consultant. I have been doing this since 1997. Right now I'm managing the security on about 200 NT 4 servers. My experience would lead me to guess that either one of two things happened: A) The fix was a "band-aid" that defeated the given exploit code but ignored root cause B) The patch was merged into the wrong source tree and was subsequently broken by the next patch.
Both of these are very common occurrences. I have had to back many hot fixes out because of regression errors. I have also seen many cases (especially in the last few months) where Microsoft has released a patch only to release a second patch a few days later because the first one was inadequate. I'm not saying that the Nasdaq admins didn't drop the ball, I don't know the specifics of their environment. Making OS updates that often is a pain, even Microsoft has trouble keeping up. I find this whole thing funny simply because Microsoft has spent the last two years holding the Nasdaq up as one of their big success stories. I hope lots of CIOs see that article so that we can start to bring sanity to the server room and shed the Microsoft shackles.
Politics, Culture, Food?
The company uses all Microsoft applications. I used to work at the above company that hosts nasdaq/amex/nasdaq-amex/americanstocks/etc... Financial Insight Systems. They were a Microsoft Certified Solutions Provider, and trying hard to become an MS Partner. Nasdaq had a good dozen-plus IIS Webservers, and we were discouraged from using anything BUT Microsoft software, because of the company's position with MS.
Had it not been for the fact that we were trying so hard to become an MS Partner (by getting all employees certified at least to MCP, and getting sponsors), maybe there would have been some choice as to what software to install on what boxes. But there wasn't, so it was Microsoft all the way.
Right before I left the company, they had just hired on a security specialist, at an exorbitant salary, who had no clue how to install NT, or how to install patches. But the fact that the IT team was less than 10 people, we were all overworked, and any extra person was a working person. That plus the fact that the company hired many low-salary low-experience techies to replace high-salary high-experience techies didn't help, but that is too much of a common business practice now to complain.
The two guys in charge of the servers, getting the big bucks, were being worked to the bone, and I admire them for that. But there's only so far you can go before the IT staff has no say in the matter, and the company pushes them into roll-outs and upgrades that are beyond common sense. Then you end up with a lot of burn-outs, stuck in a job they hate, but have some unknown loyalty to.
You wrote:
Of course, I also use the moderation system because this is better than having no filtering at all, given the current traffic (FYI, I browse at +2 and I expand some of the comments that could be interesting, that's how I saw yours).
However, Signal11 was pointing out several flaws of this system: the most annoying one is that it encourages people to think and behave like sheep. Any comment that criticizes Microsoft and claims that Linux or open source software will solve most problems is almost guaranteed to get moderated up. On the other hand, an insightful comment that praises commercial software has a much lower chance of being moderated up. Also, the moderation is often done on the first 100 or so comments, and the following ones are ignored unless they are attached to a comment that is already moderated up.
Think about how Slashdot would be with the following changes (I am not suggesting that all of them should be implemented, but this is some food for thought):
Anyway, as you wrote, Slashdot is a system with entertaining flaws. There will always be some way to abuse it...
-Raphaël
I place the blame on the administrators. IIS can be made secure if the proper steps are taken. Apache.org was defaced because of a misconfiguration. People just need to be more careful and take steps to secure and maintain security on their site.
Microsoft aggravates my Tourette's syndrome.
I think my point was clear and concise-- but probably evidence that I need to cut down on the caffeine and lighten up once in a while.
I do not have a signature
See, your statement carries as much weight as his does, since neither his nor your claims can be verified through public information.
Knowing Gerrie Mansur, though, I'll believe neither of you for now.
-- Buddy
Gotta watch out for the medical waste.
>> < Signal_11 > So what, stats are like bikinis.. they're just suggestive.
Is that a great line or what?
NT/2000 users : Stupid.
Yes, but Microsoft's marketing for NT/2000 over the years has constantly told PHBs that they don't need expensive smart admins, only Unix/Linux does. And there are in fact PHBs that believe it - I worked for a company where management tried to set up and admin a NT file/print server themselves. They made it nearly 3 months before the whole thing imploded and we had to hire actual admins. At least with Linux nobody's (yet?) making that claim.
The dilemma is that if the law goes soft on crackers, then black-hat crackers caught while attempting to crack a system can just say "I'm a white hat! I was going to tell them!". Law makers and enforcers tend to err on the side of caution.
Redhat (RHAT) posted a new stock high today. Geeks
throughout the world celebrated. Meanwhile,
Microsoft stocks today were mysteriously slumping.
One company spokeswoman was overheard saying "we
just don't know what happened"..
(sneakers anyone?)
I would try to be funnier but don't have the time..
LAI
:eof
So that's why MS stock has been so "over valued" lately.... (j/k)
Actually, who's to say he didn't? Especially over a period of time, a series of small adjustments wouldn't show up... (but _would_ add up...)
Just my $0.02...
I am dyslexia of borg - your ass will be laminated.
"I did not use the Source Fragment Disclosure Vulnerability, but used an exploit I wrote myself," he said. The exploit is a software tool that Mansur developed and then used to gain access to the servers.
and
Dan Schindler, director of technical client service at CBSMarketWatch.com, responded, "Many thanks for bringing this to our attention. We have installed a patch and deployed it to all our data centers.
yup, typical IIS users.
Will you stop with the damn zealotry and fud already? Go back to crying about how there are no bugs in RedHat.
Sorry for that Apple fault on Friday; I was just curious what this index.split_secondstage function does.
---
Every secretary using MSWord wastes enough resources
The United Loan Gunmen first did it over a year ago: http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com/
-digitialboi
People who frown on White Hat Hacking would have you believe that keeping people blissfully ignorant of problems like this is a good thing. He allowed his target to get stuff fixed before releasing what he knew. How ethical is it to sit on this information if it can benefit other sites? What is good about having this around for someone with far less scruples to come along and exploit? What is good about having Microsoft not fixing bugs that they may not know about? What is good about customers believing the software they bought is properly configured or as secure as they believe it to be?
A simple proverb goes something like this...
"A man isn't foolish if one admits there is a problem. Instead a man is foolish when they refuse to."
From what I gather, he rooted the box via the Source Fragment Disclosure vulnerability, but made his own exploit app. Or perhaps I am wrong.
That example is like saying "Who was cooler, Vader or C3P0"
----
ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
The biggest mistake made here is that the manufacturer of the product used is not always to blame for misusage by the customer and results of that misusage. I'm pretty sure the Nasdaq site admins have overlooked 1 issue, like slashdot had overlooked 1 issue last week when they were hacked. Can happen, we're all human. What I find disturbing is that the global.asa file contained database information. Every normal site should build a simple COM object that provides you the connection string for the database at runtime, so no static info is stored in ascii files, readable for every intruder. Such a COM object is written in 10 lines of code in VB. Little effort, great pleasure. :)
Oh, and I'm an MCSE too (but programming is a nicer job). :)
--
Never underestimate the relief of true separation of Religion and State.
is to give it to those who can best use it.
Now, whether or not the best group to give it to is corporate america is debatable, but simply by doing the right thing he demonstrated power.
Jacco /var/log
---
# cd
-------
Warning: Slashdot may contain traces of nuts.
It's just not as cool if they can't show clips of a defaced website with a "NASSDAQ" logo, etc.
And how long will it take the Barney v.2 autopsy to be posted on the web?
I don't want knowledge. I want certainty. - Law, David Bowie
The problem with that is that traders, day traders and most on-line stock quote web sites don't get their data from the nasdaq.com web site, they get it from the NASDAQ data feed. So even if you put phoney stock quotes on nasdaq.com, people would see the real quotes once they logged into etrade or ameritrade or dljdirect to do the trade.
And like I said before, you're not going to get to the source of the quotes (the NASDAQ feed) through the internet - you're going to have to tap into a leased line to one of the Service Delivery Points and impersonate a Market Maker trader.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
whether IBM's Charles Palmer would have showed it to Nasdaq or told them about it and charged a huge fee...
--
Peace,
Lord Omlette
ICQ# 77863057
[o]_O
Reference to hackers in the media that doesn't involve the law, or any further stirring of the collective fears of the mainstream populace that everyone who knows how to use a computer is trying to steal their money, kidnap their children, or blow up buildings.
And a chance to poke Microsoft with a stick is always appreciated!
- I settled down long enough to write this and have now collected far too much dust. Damn Dust.
This /. story and the corresponding CNN article contain some vague or incorrect statements...
-Raphaël
The "nashaq" thing in the link to the CNN story... is it meant as a secret joke? :P
"I did not use the Source Fragment Disclosure Vulnerability, but used an exploit I wrote myself," he said. The exploit is a software tool that Mansur developed and then used to gain access to the servers.
... Apple stock took such a sharp hit.
http://www.microsoft.com/NTWorkstation/downloads/Critical/q267559/default.asp
or bugtraq's page on this bug and the solutions:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1488
Now.. slashdot.. tell me... do you have a problem with a certain company or something? because the 'news' seem to get a little shaky in the 'correctness' area. :)
--
Never underestimate the relief of true separation of Religion and State.
Well, in their defense, Microsoft is the largest and most successful software company in the world. If they can't get excellent support and the best web server money can buy from the largest software company in the world, who can they get it from? Sure, we all know IIS is crap but try convincing some PHB that their billion dollar trading network should use an open source webserver like Apache instead of Microsoft. You can't do it. They refuse to believe you. They say "Microsoft didn't get where it is today by selling bad products!" They're like mentally handicapped children who are unable to learn that touching that hot stove is going to burn their hand again and again and again.
So post on the web that IBM or Sun are going to tank, then cut their prices on the web site by half. The ensuing panic selling would allow you to clean up.
Of course, the FTC seems to be damn good at spotting this sort of thing and nailing people to the wall for it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
and they are still late dammit! Talking Barney 2.0 was supposed to be out 2 weeks ago!!! and where is it!! dammit, Microsoft needs to get its act together and get the final rev of talking Barney to market.
Um for my little brother's birthday, yeah, that is the ticket, it is for my brother, not me. He is 9 err 6 years old.
I love slashdot, cause slashdot loves me!
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Having been responsible for the creation of a number of websites using IIS I can say that I have NEVER put a password in any web page or asa's source. I either use an account with proper authentication for anonymous access (i.e. configuring the database to allow access from IWEB_), or I use a database guest account. These are absolute no-brainers. If using a database system that doesn't integrate with NT Authentication I use the appropriate database guest account for anonymous access (and we are talking about anonymous access here).
Additionally security, as it always should be, should be very pervasive and built in many layers of the system. There should be a firewall eliminating anything but the appropriate access (obviously) so even if someone did have the database passwords there would be nothing they can do without getting past the firewall (note that this also requires locking down or removing RDS : Look in IIS for the virtual directory "msadc". If you don't need or use RDS get rid of it. It's potentially a backdoor into your DB). However the database should be running on a completely separate machine/domain trusting only the appropriate account from the IIS machine for severely restricted "public viewing" access. The database should be configured with appropriate permissions on every table (usually zero access for anyone), stored procedure, etc. Anonymous web access doesn't need to see the whole DB, and they definitely should never have write access, etc.
It's sad seeing so many house-of-cards systems being put up where security is a one-layer design: if you get past that one layer you own the system.
BTW: If you run an IIS system go into Application Mappings and remove anything that you don't need. In the vast majority of cases all you need are ASP and ASA (and also enable "Check that File Exists" for these). There are lots of "opt-out" esoteric parsers that IIS bundles that 99.999% of the population never ever needs, and the problem is that because they're not scrutinized they often harbour gross security holes. If you don't need it, it shouldn't be in there. If a website reads from a database it should be using an account that has appropriate permissions, etc. These are all basics and they are true regardless of the operating system or web serving software.
Anyways have a good day all.
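One way to check the two mapping-related recommendations in this post (keep only the ASP/ASA application mappings, with "Check that File Exists" set, and drop the msadc RDS virtual directory) against an exported list. This is an added example, not code from the post or from IIS; it assumes the IIS 4/5 metabase ScriptMaps entry format (".ext,handler-dll,flags,VERB,VERB,...", with flag bit 4 meaning "check that file exists"), and the sample entries below are constructed.

```python
"""Audit IIS 4/5-style application mappings and virtual directories.

Added example: flags handler mappings beyond an allowlist (.asp/.asa),
mappings that lack the "Check that file exists" flag, and the msadc (RDS)
virtual directory the post above says to remove when unused.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed metabase ScriptMaps layout: ".ext,handler,flags,VERB1,VERB2,...".
# Flag bit 1 = script engine, bit 4 = "Check that file exists" (assumption;
# verify against the metabase documentation for your IIS version).
FLAG_SCRIPT_ENGINE = 1
FLAG_CHECK_FILE_EXISTS = 4

DEFAULT_ALLOWED_EXTENSIONS = (".asp", ".asa")


@dataclass(frozen=True)
class ScriptMap:
    ext: str
    handler: str
    flags: int
    verbs: Tuple[str, ...]


def parse_script_map(entry: str) -> ScriptMap:
    """Parse one ScriptMaps entry; raises ValueError on a malformed line."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3 or not parts[0].startswith("."):
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    try:
        flags = int(parts[2])
    except ValueError as exc:
        raise ValueError(f"bad flags in entry: {entry!r}") from exc
    verbs = tuple(v.upper() for v in parts[3:] if v)
    return ScriptMap(parts[0].lower(), parts[1], flags, verbs)


def audit_script_maps(entries: Iterable[str],
                      allowed: Tuple[str, ...] = DEFAULT_ALLOWED_EXTENSIONS
                      ) -> List[Tuple[str, str]]:
    """Return (extension, finding) pairs in the order the entries appear."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        m = parse_script_map(entry)
        if m.ext not in allowed:
            # An "opt-out" parser nobody uses is attack surface nobody reviews.
            findings.append((m.ext, "unneeded handler mapped; remove it"))
            continue
        if not m.flags & FLAG_CHECK_FILE_EXISTS:
            findings.append((m.ext, "'Check that file exists' not set"))
    return findings


def audit_virtual_dirs(vdirs: Iterable[str]) -> List[str]:
    """Return virtual directories named msadc (the RDS entry point)."""
    return [v for v in vdirs if v.strip().strip("/").lower() == "msadc"]


# Constructed sample export: handler paths are illustrative only.
SAMPLE_SCRIPT_MAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]
SAMPLE_VDIRS = ["/", "/scripts", "/msadc", "/images"]

if __name__ == "__main__":
    for ext, finding in audit_script_maps(SAMPLE_SCRIPT_MAPS):
        print(f"{ext:10s} {finding}")
    for vdir in audit_virtual_dirs(SAMPLE_VDIRS):
        print(f"{vdir:10s} RDS virtual directory present; remove if unused")
```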
I like how he was just clarifying information, and you had to spew this mindless drivel about how great linux is. Yes. We all know that. Moderators, can't you notice this karma whoring when you see it? You're getting played!
Uh are you being serious? My posting was a sarcastic play on the standard Slashdot-esque "open source is the solution to all mankind's ills" claims (i.e. read it again : I was actually saying quite the opposite of claiming the greatness of Linux). I think you have an ISAPI filter (;-p) that is parsing postings in a rather nasty way, totally obliterating the original intent.
In any case I find your comment that I am karma whoring interesting. To be honest I expected quite the opposite (i.e. to find that baby at a -1). I am getting to really respect the moderation of Slashdot because it is no longer "anything-pro-Linux=+++++++", "anything-not-pro-Linux=---------".
Will you stop with the damn zealotry and fud already? Go back to crying about how there are no bugs in RedHat.
Linux is not RedHat.
Lars -
where is the first one?
I'm wondering how hard it would be (or how much free time one would need) to hack the Barney into doing "unintended" things.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
After reading those logs and Signal 11's Farewell Speech, I would just like to say. /. devotion is scary.
/. all day?
1) Goodbye you idiot, your
2) Moderation works for me, I hardly ever see your posts.
3) Going to k5 is not your answer, therapy is.
4) check yoself
Where do you work that you can refresh
Never screw around with large corporations who have millions to blow on lawyers. You could end up like Mitnick rotting in jail for years. Although few people realize that it was HIS defense lawyers that asked for the trial date to be pushed so far back, the government had nothing to do with it.
Only the State obtains its revenue by coercion. - Murray Rothbard
1) According to the cracker himself, he did NOT use the July 17 exploit. This indicates that another problem exists with IIS. It also makes him a non-white hat since he still has the power to crack other servers.
I'd like to give him the benefit of the doubt and assume that he's not releasing it before a patch is finished, to prevent all the kiddiez from going to town with their new 'leet trick before people can plug the holes.
Speaking as somebody who works for a company that writes software that connects to the NASDAQ servers, I can state categorically that the NASDAQ servers don't connect to the Internet. Period. Market Makers get their data feeds through a leased line from NASDAQ to a Service Delivery Point (SDP) which they lease from NASD.
I don't rule out the possibility that some of the market makers might have their NWII (Nasdaq Workstation II) or similar systems running on Internet connected boxen, but they're not supposed to.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
Because accuracy or quality in reporting is no longer what's most important. What is most important is being the first to report it.
So the mentality of the major news sources can be summed down to that of the slashdot "first post" troll?
Makes sense to me.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
That's not a "vaguely worded clause"; it's just a bog standard codification of the common law principle that aiding and abetting an act is potentially an equal crime to committing the act. If you know of cases in which authors of tools have been prosecuted for hacks, then that's a problem with your local courts' interpretation, not that boiler-plate piece of statute.
-- the most controversial site on the Web
Accuracy or quality in posting is no longer what's most important. What is most important is being the first to post so you can be moderated up.
--
You appear to have discovered an entirely new Troll, was it intentional or not?
Special Relativity: The person in the other queue thinks yours is moving faster.
The term "white hat" refers to the fact that he alerted the web site rather than posting horrible stories about a stock then buying loads of the artificially deflated stock.
Lots of people can crack servers if they wanted to. That doesn't make them black-hats.
They will only learn when their customers start to feel the same way you do.
How true. Unfortunately their real target customer is large businesses. It's easy for them to convince some dweeby IT purchasing manager to buy into the M$ propaganda by simply passing out free lunches and cheesy swag. I know, I've been there... I've seen some very devoted anti-Microsoft types come back from Redmond with a leather jacket and a frontal lobotomy. It's scary, I tell you.
-This sig intentionally left blank
Better question is when are all the third party software manufacturers going to support Linux. I work for a law firm that has special needs and will probably never go over unless some of their apps work in Linux, and VMware is not an alternative, since why run an OS in a window if you can just put the OS on the machine. Trust me, I bet MS would prefer VMware succeeding rather than Wine.
People who refuse to take simple precautions deserve what they get. People who find holes are doing us a great favor. Doubly so if they report them and get them fixed, like this person did, instead of exploiting them. It is sad that sometimes releasing an exploit is the only way to motivate lazy executives.
A world where people fix problems instead of whining about the people exposing them is a much stronger and safer place. Those people are not scum, they are saviours of the whiners (like you?).
I mean when you have *that* much money riding on something why possibly have the potential of screwing it all up.
PejVHF8LRIgynjB0dqjTuH4/8A-Z9#sSQV74sR>S4983w0cSM
If NASDAQ were using Apache, there would likely have been a fix (realize that MS knew about this exploit for months now and hasn't even bothered to fix it...) and if their admins were worth their salt, they'd have certified the fixes against their system and would have already deployed. IIS people are still waiting for a fix and many wouldn't bother with updating until the next SP was released.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I'm sure MICROS~1 will have some PR twist on this, blah blah blah. Although I think this story was VERY worthwhile of inclusion on /., I'm almost getting tired of hearing about Microsoft's security flaws, and their inability to deal with them. Microsoft has more hardware, software and programmer resources than probably any other company today. They have NO excuse (IMO) to not address something like this immediately,
-This sig intentionally left blank
BTW why would you use IIS to power something as important as the stock market anyways?
Because they don't. IIS is used only to power the web front end... so if it crashes, you only lose the ability to use Nasdaq.com.
The real NASDAQ is in another world, using non-Microsoft databases. I'd hope that NASDAQ assigns separate privileges to the web page than to regular administrators, so that gleaning a password from global.asa isn't enough to change stock prices. Then again...
Is there a chance that people have been secretly exploiting this for some time? Can it be used to gain unfair advantage in trading?
If the good guys gain as much notoriety as the bad guys... you get the idea.
This was exactly my first reaction to the article.
I think this is a unique sicha-ashun because as a white hat there is more of an opportunity to be recognized (black hats, BH'ers, have to stay underground lest they be Mitnickized).
WH'ers can strut around with their real names and show how smart they are. I think this lends itself to more competition to be declared as the top dog WH.
However, BH'ers are driven by different goals. They want to screw things up for personal gratification, and are content to drop the bomb and fly away to watch the damage from afar, silently. That element will never go away.
Chicken-Egg: will there always be more holes to exploit maliciously, or more holes to fix virtuously?
---
Unto the land of the dead shalt thou be sent at last.
Surely thou shalt repent of thy cunning.
#1) The hacker, by his own admission, did NOT use the IIS 4.0/5.0 Source Fragment Disclosure Vulnerability. HE says he didn't. Who knows WHY CNN chose to quote some misc. "security expert" who GUESSED at what was done when they KNOW (they wrote the quote one paragraph later) that this was untrue! How irresponsible and misleading this is!
:)
#2) The Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability has already been fixed for both IIS4 and IIS5!!! HELLO PEOPLE! Visit http://www.securityfocus.com/bid/1488 and see for yourself - fixed 2 days after it was discovered!
#3) What hack this guy used we do not know but it does not automatically mean that all IIS servers are vulnerable. Does one crack on one Apache server mean all Apache servers are vulnerable? Until we know exactly how he did what he did, we don't know where the weak link was. Maybe someone forgot to change the blank password for SA - who knows
ALL I'm saying is - Wait for details and stop spreading FUD.
It seems to me that there might be a systematic method of finding security related holes in various OS's or applications. Is there some formal process that is more than just hit and miss?
PejVHF8LRIgynjB0dqjTuH4/8A-Z9#sSQV74sR>S4983w0cSM
I don't understand. You say that you agree that Linux has its share of bugs, but people should keep using it? And you're surprised that people continue to use Windows even though bugs are found? That doesn't make sense.
Also, NSA_KEY was pretty conclusively determined to be something harmless, unrelated to the NSA we know and love but with the same acronym.
I'm certainly not a fan of Microsoft, and I definitely prefer to use Linux, but your reasoning here just doesn't make sense...
Gumbo
It doesn't really matter. People keep assuming that administration wants to know or cares if their pet server OS is secure. They don't decide on technical merits or fitness for purpose; they decide on what the salesmen tell them and what everyone is doing. They're just going to think, 'well, everyone gets hacked', and forget about it. This doesn't change any thought process at all because everyone in the server rooms knows whats going on and everyone out of it doesn't care.
A society that will trade a little liberty for a little order will lose both and deserve neither. - Thomas Jefferson
They fixed the bug 2 days after it was announced - check http://www.securityfocus.com/bid/1488 AND this was NOT the method used to break in - did you actually read the article or just stop as soon as a random "security expert" attacked IIS?
ALSO - the July 17th exploit was FIXED July 19th!!
So, how are all those compromised zombie servers in unix land doing these days? Compromised for ages and more continue to be compromised daily.
Open Source didn't help prevent RedHat from releasing a distrib with 2500+ bugs in it eh?
actually, they seem to be on the same team! thankfully.
.sig --
--
Don't forget apache.org
3-0
true, but who was kewler, Darth Maul or young Obi Wan?
I have a feeling that they sold more Darth Maul Halloween costumes than Obi-Wan costumes.
Not to say that ms is always on time with patches, but a couple of clicks through the links above lead to a patch released on 14th of July - in response to an earlier exploit using the same basic method.
This exploit allows someone to view files that would otherwise be run natively on the server, without being preprocessed. In their entirety.
Something like global.asa, which for you non-IIS types out there, is a file run on webserver startup, which contains all sorts of interesting information. It is a repository for most developers using IIS to put in information like database usernames and passwords, so the webserver can talk to it.
_This_ is where the problem is. I'm not sure that exploit as reported on Bugtraq gives write-access to anything (except by revealing another port of entry), but it does allow someone to get access to databases and any sort of thing they choose to store anywhere within the webserver space, in any file.
Evil. And credit to the white-hat for reporting that. It builds more media coverage, with the hackers looking good, the sites looking good (for patching it quickly), the only ones who look bad are Microsoft for not fixing the bug in the first place.
Fross
It sounds like they didn't even rebuild the server after it was cracked. They just installed patches and took the hacker's word for it that he didn't do anything else (install backdoors or whatever). Very trusting of them.
Most hackers who are hacking into a box for the purpose of providing Admins with the exploit details and how to fix it will most likely not be caught red-handed at the keyboard. The reason black hats are often caught is through months (sometimes years) of systematic research and tracking their activities. It is a long and arduous process to get to the point where the FBI is breaking down some guy's door and ripping his RJ45 out of the wall. (Read Cliff Stoll's The Cuckoo's Egg to see what he had to go through for this to happen)
I suspect a white hat would exploit a system and then go to work on a fix. He would not repeatedly go back and exploit the same box over and over. That is evidence of a black hat. Black hats keep their exploits secret and repeatedly exploit the same hole over and over. A white hat is also not angling for an account on that box from where he'd set up a base of operations. He just exploits and leaves, leaving little trace of even being there.
I would be less concerned with a white hat getting caught, and more concerned with black hats post-facto claiming they were planning to go public all along. (Apparently the legal system takes this view as well)
Regards...
Sorry, but you gave a bad example. When you are REQUIRED to do something by any EXTERNAL force, you lose freedom.
Sure in your example, you lose a small amount of freedom for the cleanliness of your neighborhood, but is it worth it? Maybe in this example, but it WILL go beyond this, if you let them FORCE you to clean up your yard.
Please use a different example.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
While I understand your point, I'm not a big fan of your example. Of all the things unnecessary for the smooth functioning of civilization, clean yards and homeowners associations are near the top.
___
__
Do ya feel happy-go-lucky, punk?
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
will a move like this make the dow go up or down?
"If you think education is expensive, try ignorance" - Derek Bok
The media jumps all over the "Bad Guys" on the Internet. Defaced websites (especially high-profile ones) get plenty of coverage. I'm curious how the media is going to treat this one. If more public praise is given to these White Hats, maybe the trend can be reversed. A disobedient kid is often looking for attention. If the good guys gain as much notoriety as the bad guys... you get the idea.
Whoa! That's another quality hack by a Dutchman. First slashdot, now Nasdaq. Holland Hackers vs Site Admins: 2-0 :-)
Bram
http://www.stolk.org/tlctc
If he did that he would be rooming with John Gotti in supermax at Levenworth
PejVHF8LRIgynjB0dqjTuH4/8A-Z9#sSQV74sR>S4983w0cSM
You are talking about Application architecture issues.
I could make the same exact mistakes with a Unix solution... they wouldn't be the fault of Unix, they would be the fault of my mistakes.
> Realizing this makes understanding the media a lot easier.
See, now you can start assigning karma mods to the stories you read, and pretty soon certain news sources will drop below your viewing threshold.
--
Sheesh, evil *and* a jerk. -- Jade
I'm not trying to imply that Linux is bug-free by any means, however I think it's rather interesting that despite the bugs, holes (everybody remember NSA_KEY ?), etc., it doesn't really stop anybody from using IIS.
_____________________________________________________
rooooar
A number of replacements based on the acronym IIS could include:
It Is Sh*TTY
I Is Smart! (Referring to the people who chose to use MS/IIS)
It Isn't Seaworthy
I Imagined Stability
It Isn't Stable
Impression? It SUCKS!
Impotent Internet Server
Invokes I.T. Shame
Imbecile Inside Server
Anymore that I missed?
In God we trust...all others must submit a valid X.509 certificate.
Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
When's the last time you read the SAGE Code of Ethics?
I never brought those points into play; I don't disagree with them, but I don't think they are relevant either...
Black Hats vs White Hats: Why is it relevant to the issue? How is it measurable or documented?
About the number of security holes: No one can know about security holes that 'no one' knows about. This is true of all OS/webserver combos. I guess it's relevant that M$ isn't disclosing its source-but that only means that we cannot fix holes we find.
As fer incentive: Apache provides no incentive to investigate the holes. It is only the case that hackers, white or black, tend to investigate holes for their own reasons, independent of the vendor. NASDAQ is a big enough site that people will try to hack it even if it's running an Open Source package.
Open Source projects don't inhibit people from *fixing* security holes. Finding the hole is as easy as exploiting it, and people are always trying to find holes to exploit.
The nick is a joke! Really!
GPL Deconstructed
Damn...I forgot to tag my text. Sorry all.
A number of replacements based on the acronym IIS could include:
It Is Sh*TTY
I Is Smart! (Referring to the people who chose to use MS/IIS)
It Isn't Seaworthy
I Imagined Stability
It Isn't Stable
Impression? It SUCKS!
Impotent Internet Server
Invokes I.T. Shame
Imbecile Inside Server
Anymore that I missed?
In God we trust...all others must submit a valid X.509 certificate.
Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
If everybody would just leave everybody else alone, the 'net would be a better place. Instead, scum like this have to go out and hunt for holes on the NASDAQ web server. Why, back in the day, nobody would ever look for holes like that. People peacefully on the mainframes. And, for the record, I did not shoot that person who was using up CPU time playing trek. Not me.
MSFT is on NASDAQ.
Admit nothing, deny everything and make counter-accusations.
The next thing you know he'll be arrested for violating some law regarding vaguely worded "breaking and entering" clauses into computer equipment.
Such as this Michigan State statute: MCL 767.39; MSA 28.979 reads:
Every person concerned in the commission of an offense, whether he directly commits the act constituting the offense or procures, counsels, aids, or abets in its commission may hereafter be prosecuted, indicted, tried and on conviction shall be punished as if he had directly committed such offense.