White Hats Take NASDAQ Through MS IIS Hole
stomv writes: "A hacker found exploits in NASDAQ server, could have changed market info and admin passwds. Server: IIS. Hacker did ethical job of providing info to fix. Also, mentions BugTraq and how MS didn't fix the hole when it was posted July 17."
You can't trade on the Dow, DJIA is just an index. Microsoft is part of the Dow, but the stock is traded on NASDAQ.
As an aside, I believe MSFT was the first stock on the Dow not traded on the NYSE.
Devil Ducky
MY peers would get out of jury duty.
Ok, I'm certainly a newbie to slashdot, at least from the posting standpoint, but this whole Karma thing has me dusted. With a little imagination I can kinda see where it was, and what's going on with it. But having read some of Sig11's rants I think he/she takes this all way too seriously.
I look to slashdot from an informational/entertainment perspective. If I see something that catches my interest I may wait around to see what other posters have to say, and some are truly excellent, but I'll often go dig for myself to satisfy my need for details.
Sig11 overlooks the fact that people are here because they choose to be, rather than forced to experience some utopia. Not perfect, as Taco says, but it has an audience. Seems a "good fit", as we say in the IT biz.
--
Chief Frog Inspector
A feeling of having made the same mistake before: Deja Foobar
This all has nothing to do with Microsoft's design. In fact quite the opposite. NT/2000, like most modern operating systems, has a pervasive security model that imposes security everywhere. Every registry key, every file, every service, every mutex, every object. Everything has an ACL (Access Control List) that allows massive granularity of security configurations. Of course by default most objects are configured as "Everyone", but using some standard utilities and a good admin that's quickly fixed.
That pervasive security model carries through to lots of other applications as well. In SQL Server I define which of the NT users have rights to access the database server, then the databases individually, then the individual objects. Actually you can configure specific columns with ACLs. However that is all lost the moment a project is done in too tight of a timeline and security takes a backseat: in that case you end up with "Domain Users" configured as db_owners and sysadmins. That is rampant and it has absolutely nothing to do with the operating system.
Microsoft gets slammed a lot for things which are the exact opposite of their intent. There is nothing inherently wrong with the OS model, there's something wrong with the priorities of some developers and some organizations.
iPlanet administrative server must run on a different port from the user server. There is almost no access to Web app level configuration from this menu. (just servlet properties, which you'd have to restart the server to take effect, which requires a password)
iPlanet runs as an app in user space. When installing iPlanet, it warns you that the server should run under an id that has extremely limited permissions at the OS level. "nobody:nobody" is the default setting for this userid.
Because of this partition between Solaris and the Web server, it is nearly impossible for code attacking the webserver to root the box. Even getting a shell as nobody is not too useful.
On the web app side, servlets run in a security sandbox that can be custom tailored to limit access to outside resources. The default settings in iPlanet do not allow file or OS level access from servlets. In fact, the setting to turn this on isn't even in the default config file or admin interface. You have to look it up, know what it is and how and where to add the parameter by hand.
Automatic memory management and array bounds checking in Java prevent the most common form of attacks from being effective. (the app may crash, but it won't compromise your server)
There is still room (there's always room) for poor configuration and insecure apps to cause havoc, but in comparison to the Microsoft toolset, there is much more attention paid to security, segregation of control, and default settings that put security above ease of use.
While the average end user may prefer the ease of use to security, critical civilian sites like NASDAQ and other financial institutions just shouldn't be using products with that philosophy. To market and sell these products to these types of end users (even a company as huge as MS knows when somebody like NASDAQ is using their software) is irresponsible. To allow an application configuration like that is even more irresponsible. (you can bet that NASDAQ had MSCE's or an MSCSP build this, not somebody's 16 year old nephew) Sun, in contrast, sends auditors/admins to important customer sites like eBay to make sure they're using the software correctly.
I agree that the folks who built this must shoulder a lot of responsibility, but I cannot absolve Microsoft of culpability. Security is an afterthought in their products, rather than a fundamental design principle, and it shows.
Read the article!
It mentions (veracity aside) that the hacker did not use the July 17th exploit. Regardless of M$ or IIS, the hole was something the hacker had found and exploited.
The article also mentions that the hole was fixed and patched promptly; it never mentions if M$ fixed it, if M$ knew about it, or if M$ tried to hide it. All you are doing is spreading misinformation.
This is not about a crack reported in July. M$'s track record is not at issue, regardless of its purity or lack thereof, and M$'s press tactics are not the issue.
Hate M$, but this article is *not* about M$!
If you like the details... read the article.
The nick is a joke! Really!
GPL Deconstructed
Non-Dutch readers might be interested in the fact that the person Gerrie Mansur is not taken seriously in The Netherlands. He's a 'media hacker', despised by hackers, crackers and security people alike.
-- unix is for people without a social life - Patrick van Eijk
The problem is *not* the July 17th hole, allegedly. It's a different one, that the hacker has thoughtfully chosen not to disclose. Of course, it's his word, but he says it isn't the +htr hole...
The nick is a joke! Really!
GPL Deconstructed
A follow-up article on Technology Evaluation at (Slash may mangle this URL) http://www.technologyevaluation.com/research/research highlights/security/2000/06/news_analysis/na_st_lpt_06_21_00_1.asp explains some of the implications of weaknesses in stock data services.
What is ignored are the secondary effects: when these weaknesses are exploited to manipulate the market, the long term result will be loss of trust in news feeds and stock information services.
It seems that all of the major financial news services have had serious security problems this year: Comstock, Bloomberg, etc.
Who can you trust to supply good data?
I do not deploy Linux. Ever.
I hope this is early enough to beat all the M$ bashers et al...
The hacker denies using a known security hole. It's still M$'s bad for not *fixing* said hole, but unless the hacker is lying, that problem is not the issue.
Nor is the fact that M$ has a vulnerability-any software of sufficient complexity will have issues, bugs, and vulnerabilities.
It doesn't truly matter that M$ was involved, nor that IIS was in use. In this case, NASDAQ has someone they can talk to, debug, and fix, ultimately, and it was M$. It could have been Sun, IBM, VALinux, whatever. It isn't a bash against M$ that their server had this problem.
The nick is a joke! Really!
GPL Deconstructed
Why is CNN (or the person they quoted) claiming it was the July 17 exploit when it apparently wasn't?
Because accuracy or quality in reporting is no longer what's most important. What is most important is being the first to report it.
This is supposed to be great art. So why does it look like a bunch of decapitated naked people? -- Calvin
Possible answer one:
To give karma whores something to post about?
Possible answer two:
Because that's what their area expert thinks the guy used and they decided to post both explanations instead of launching a probably futile attempt to find out which it was by deadline time?
I'm sure they will have some PR twist or it just wouldn't be fun.
M$ can't devote any of their programming resources to security, or bugs. If they did, then they wouldn't have anyone to develop the latest Talking Barney. And that would be a tragedy.
Devil Ducky
MY peers would get out of jury duty.
I highly doubt that the computers which track trades are directly connected to the web servers. He might have been able to fool a few people into making bad trades because they think a stock is doing something it's not, but it didn't sound like he ever had the power to change a stock's price.
Not to mention this information is backed up just a few times I'm sure. I don't think it's as simple as changing one file to reflect the value you want the stock to have.
Microsoft is at its 52-week low, as are Dell and @Home. Your point is?
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Insightful would perhaps talk about what merits and demerits the M$ OS has, and the alternative OSes have. Or perhaps about their fitness for purpose, rather than vaguely commenting on their fitness.
My own comment is supposed to be insightful. It's supposed to engender insight in people reading on what an insightful comment is supposed to be. Moderate it up, if you moderators want people to read it and note "Gee, he's right. An insightful comment would make me stop and consider something I would not ordinarily consider. Bashing groupthink or M$ is not insightful, because everyone already does that... This is really overrated, or something."
Oh well. That's my rant ^^
The nick is a joke! Really!
GPL Deconstructed
Does it make much of a difference that the server was IIS? It's still a crack.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Guess online trading is buggy.
Microsoft trades on the Dow, right?
There is no Light Side without a Dark Side.
Face it, people are stupid, and the internet is the place where they all meet.
Why doesn't anybody realize that for a Web application, the following things shouldn't be the case:
1) Database passwords, admin passwords, ANY passwords shouldn't be stored on the Web server in plaintext.
2) If an application management interface exists at all on the Web server (which I have some problems with), it should always run on a different port than the application itself and that port should be firewalled such that it can only be accessed from trusted (internal) IPs. The content directory structures for the application and application management should also be segregated.
An architecture that stores permissions and passwords and allows access to change these things and modify the application through the same channels that the application is provided is INHERENTLY INSECURE BY DESIGN.
Sorry if I'm ranting here, but as a professional developer working on a financial site this really tweaks my sense of professional ethics. Who designed this crap? Who audited it and said it was OK? Why do people think that Microsoft's architecture aimed at Joe Idiot who wants to put up a web page about his schnauzer fan club without having to learn anything is suitable for use by NASDAQ for cripessake!?!?
The point is that there are many people out there who take advantage of exploits like this for nefarious purposes.
If it weren't for 'good crackers' like this person, we would be much more vulnerable overall. Crackers and Hackers like this person are the people responsible for discovering and fixing security holes in our software. I think they should be applauded for working towards good rather than evil.
Of course, I forgot that in the utopian society you describe, there would be no need for security...
No, I don't believe M$ is very good, either...
I wasn't implying that in the OS world there was no contacts or reps. I was implying that NASDAQ's vendor/software/implementor was M$, out of anyone that they could have used: IBM, Sun, VALinux, etc.
My point was that there was an exploit, in a system, that a hacker found. It wasn't really an issue that it was a M$ problem, other than the implicit acknowledgement that there is the image that M$ code is buggy and unreliable.
The nick is a joke! Really!
GPL Deconstructed
Read the article. The bug mentioned in the blurb had a patch released on July 17. The bug mentioned in the blurb was not the one that was exploited.
You're quite right, it is not easily measured, but it is widely accepted that security holes are often discovered through the act of careless exploits.
It is infinitely more difficult to reverse engineer a product than it is to look at the source and study it for weaknesses. At the very least, the source code acts as a guide to explore potential vulnerabilities.
While both IIS and Apache provide people with ample kudos for finding security holes, the attitudes are different. You can't even own a copy of IIS without shelling out for NT server, and then when you do, reverse-engineering puts you in violation of your license agreement. If you were to approach MS with a hole, and somehow convince them that it is a serious issue, you'll be lucky if you're not arrested. If not for piracy, for violation of your License... or you could report it, just give MS a short time to act on the bug, exploit it, make a name for yourself in the news and maybe let a few tools slip.
Hidden developers, lack of source, and potential legal consequences are all disincentives. The only reason to do them the favour when you just spent weeks hacking through a bug is fear of their applications failing.
Apache is so much easier. Just post the bug to the developers and be laughed at or be thanked. It's like debugging code written by your own company.
Finding the hole is nowhere near as easy as exploiting it. Not having the source is a major inhibitor to studying the security of an application. Reverse-engineering bugs is a pain in the butt...
Erm, the bug (in IIS4 and IIS5) was patched on July 17th, and if I interpret the text correctly, that's THE SAME...
Yes. You did interpret the text correctly. Your failing, however, is to assume that MSPatch==ProblemFixed. I am an MCSE and a security consultant. I have been doing this since 1997. Right now I'm managing the security on about 200 NT 4 servers. My experience would lead me to guess that one of two things happened: A) the fix was a "band-aid" that defeated the given exploit code but ignored root cause, or B) the patch was merged into the wrong source tree and was subsequently broken by the next patch.
Both of these are very common occurrences. I have had to back many hot fixes out because of regression errors. I have also seen many cases (especially in the last few months) where Microsoft has released a patch only to release a second patch a few days later because the first one was inadequate. I'm not saying that the Nasdaq admins didn't drop the ball; I don't know the specifics of their environment. Making OS updates that often is a pain, even Microsoft has trouble keeping up. I find this whole thing funny simply because Microsoft has spent the last two years holding the Nasdaq up as one of their big success stories. I hope lots of CIOs see that article so that we can start to bring sanity to the server room and shed the Microsoft shackles.
Politics, Culture, Food?
The company uses all Microsoft applications. I used to work at the above company that hosts nasdaq/amex/nasdaq-amex/americanstocks/etc... Financial Insight Systems. They were a Microsoft Certified Solutions Provider, and trying hard to become an MS Partner. Nasdaq had a good dozen-plus IIS Webservers, and we were discouraged from using anything BUT Microsoft software, because of the company's position with MS.
Had it not been for the fact that we were trying so hard to become an MS Partner (by getting all employees certified at least to MCP, and getting sponsors), maybe there would have been some choice as to what software to install on what boxes. But there wasn't, so it was Microsoft all the way.
Right before I left the company, they had just hired on a security specialist, at an exorbitant salary, who had no clue how to install NT, or how to install patches. But the fact that the IT team was less than 10 people meant we were all overworked, and any extra person was a working person. That plus the fact that the company hired many low-salary low-experience techies to replace high-salary high-experience techies didn't help, but that is too much of a common business practice now to complain.
The two guys in charge of the servers, getting the big bucks, were being worked to the bone, and I admire them for that. But there's only so far you can go before the IT staff has no say in the matter, and the company pushes them into roll-outs and upgrades that are beyond common sense. Then you end up with a lot of burn-outs, stuck in a job they hate, but have some unknown loyalty to.
You wrote:
Of course, I also use the moderation system because this is better than having no filtering at all, given the current traffic (FYI, I browse at +2 and I expand some of the comments that could be interesting, that's how I saw yours).
However, Signal11 was pointing out several flaws of this system: the most annoying one is that it encourages people to think and behave like sheep. Any comment that criticizes Microsoft and claims that Linux or open source software will solve most problems is almost guaranteed to get moderated up. On the other hand, an insightful comment that praises commercial software has a much lower chance of being moderated up. Also, the moderation is often done on the first 100 or so comments, and the following ones are ignored unless they are attached to a comment that is already moderated up.
Think about how Slashdot would be with the following changes (I am not suggesting that all of them should be implemented, but this is some food for thought):
Anyway, as you wrote, Slashdot is a system with entertaining flaws. There will always be some way to abuse it...
-Raphaël
NT/2000 users : Stupid.
Yes, but Microsoft's marketing for NT/2000 over the years has constantly told PHBs that they don't need expensive smart admins, only Unix/Linux does. And there are in fact PHBs that believe it - I worked for a company where management tried to set up and admin a NT file/print server themselves. They made it nearly 3 months before the whole thing imploded and we had to hire actual admins. At least with Linux nobody's (yet?) making that claim.
Redhat (RHAT) posted a new stock high today. Geeks throughout the world celebrated. Meanwhile, Microsoft stocks today were mysteriously slumping. One company spokeswoman was overheard saying "we just don't know what happened"..
(sneakers anyone?)
I would try to be funnier but don't have the time..
LAI
:eof
"I did not use the Source Fragment Disclosure Vulnerability, but used an exploit I wrote myself," he said. The exploit is software tool that Mansur developed and then used to gain access to the servers.
and
Dan Schindler, director of technical client service at CBSMarketWatch.com, responded, "Many thanks for bringing this to our attention. We have installed a patch and deployed it to all our data centers.
yup, typical IIS users.
Will you stop with the damn zealotry and fud already? Go back to crying about how there are no bugs in RedHat.
the United Loan Gunmen first did it over a year ago: http://www.attrition.org/mirror/attrition/1999/09/15/www.nasdaq-amex.com/
-digitialboi
People who frown on White Hat Hacking would have you believe that keeping people blissfully ignorant of problems like this is a good thing. He allowed his target to get stuff fixed before releasing what he knew. How ethical is it to sit on this information if it can benefit other sites? What is good about having this around for someone with far less scruples to come along and exploit? What is good about having Microsoft not fixing bugs that they may not know about? What is good about customers believing the software they bought is properly configured or as secure as they believe it to be?
A simple proverb goes something like this...
"A man isn't foolish if one admits there is a problem. Instead a man is foolish when they refuse to."
The problem with that is that traders, day traders and most on-line stock quote web sites don't get their data from the nasdaq.com web site, they get it from the NASDAQ data feed. So even if you put phoney stock quotes on nasdaq.com, people would see the real quotes once they logged into etrade or ameritrade or dljdirect to do the trade.
And like I said before, you're not going to get to the source of the quotes (the NASDAQ feed) through the internet - you're going to have to tap into a leased line to one of the Service Delivery Points and impersonate a Market Maker trader.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
This /. story and the corresponding CNN article contain some vague or incorrect statements...
-Raphaël
http://www.microsoft.com/NTWorkstation/downloads/Critical/q267559/default.asp
or bugtraq's page on this bug and the solutions:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1488
Now.. slashdot.. tell me... do you have a problem with a certain company or something? Because the 'news' seems to get a little shaky in the 'correctness' area. :)
--
Never underestimate the relief of true separation of Religion and State.
So post on the web that IBM or Sun are going to tank, then cut their prices on the web site by half. The ensuing panic selling would allow you to clean up.
Of course, the FTC seems to be damn good at spotting this sort of thing and nailing people to the wall for it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
And they are still late dammit! Talking Barney 2.0 was supposed to be out 2 weeks ago!!! And where is it!! Dammit, Microsoft needs to get its act together and get the final rev of Talking Barney to market.
Um, for my little brother's birthday, yeah, that is the ticket, it is for my brother, not me. He is 9, err, 6 years old.
I love slashdot, cause slashdot loves me!
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
Having been responsible for the creation of a number of websites using IIS I can say that I have NEVER put a password in any web page or asa's source. I either use an account with proper authentication for anonymous access (i.e. configuring the database to allow access from IWEB_), or I use a database guest account. These are absolute no brainers. If using a database system that doesn't integrate with NT Authentication I use the appropriate database guest account for anonymous access (and we are talking about anonymous access here).
Additionally security, as it always should be, should be very pervasive and built in many layers of the system. There should be a firewall eliminating anything but the appropriate access (obviously) so even if someone did have the database passwords there would be nothing they can do without getting past the firewall (note that this also requires locking down or removing RDS: look in IIS for the virtual directory "msadc". If you don't need or use RDS get rid of it. It's potentially a backdoor into your DB). However the database should be running on a completely separate machine/domain trusting only the appropriate account from the IIS machine for severely restricted "public viewing" access. The database should be configured with appropriate permissions on every table (usually zero access for anyone), stored procedure, etc. Anonymous web access doesn't need to see the whole DB, and they definitely should never have write access, etc.
It's sad seeing so many house-of-cards systems being put up where security is a one-layer design: if you get past that one layer you own the system.
BTW: If you run an IIS system go into Application Mappings and remove anything that you don't need. In the vast majority of cases all you need are ASP and ASA (and also enable "Check that File Exists" for these). There are lots of "opt-out" esoteric parsers that IIS bundles that 99.999% of the population never ever needs, and the problem is that because they're not scrutinized they often harbour gross security holes. If you don't need it, it shouldn't be in there. If a website reads from a database it should be using an account that has appropriate permissions, etc. These are all basics and they are true regardless of the operating system or web serving software.
Anyways have a good day all.
I like how he was just clarifying information, and you had to spew this mindless drivel about how great linux is. Yes. We all know that. Moderators, can't you notice this karma whoring when you see it? You're getting played!
Uh, are you being serious? My posting was a sarcastic play on the standard Slashdot-esque "open source is the solution to all mankind's ills" claims (i.e. read it again: I was actually saying quite the opposite of claiming the greatness of Linux). I think you have an ISAPI filter (;-p) that is parsing postings in a rather nasty way, totally obliterating the original intent.
In any case I find your comment that I am karma whoring interesting. To be honest I expected quite the opposite (i.e. to find that baby at a -1). I am getting to really respect the moderation of Slashdot because it is no longer "anything-pro-Linux=+++++++", "anything-not-pro-Linux=---------".
1) According to the cracker himself, he did NOT use the July 17 exploit. This indicates that another problem exists with IIS. It also makes him a non-white hat since he still has the power to crack other servers.
I'd like to give him the benefit of the doubt and assume that he's not releasing it before a patch is finished, to prevent all the kiddiez from going to town with their new 'leet trick before people can plug the holes.
Speaking as somebody who works for a company that writes software that connects to the NASDAQ servers, I can state categorically that the NASDAQ servers don't connect to the Internet. Period. Market Makers get their data feeds through a leased line from NASDAQ to a Service Delivery Point (SDP) which they lease from NASD.
I don't rule out the possibility that some of the market makers might have their NWII (Nasdaq Workstation II) or similar systems running on Internet connected boxen, but they're not supposed to.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
They will only learn when their customers start to feel the same way you do.
How true. Unfortunately their real target customer is large businesses. It's easy for them to convince some dweeby IT purchasing manager to buy into the M$ propaganda by simply passing out free lunches and cheesy swag. I know, I've been there... I've seen some very devoted anti-microsoft types come back from Redmond with a leather jacket and a frontal lobotomy. It's scary, I tell you.
-This sig intentionally left blank
If NASDAQ were using Apache, there would likely have been a fix (realize that MS knew about this exploit for months now and hasn't even bothered to fix it...) and if their admins were worth their salt, they'd have certified the fixes against their system and would have already deployed. IIS people are still waiting for a fix and many wouldn't bother with updating until the next SP was released.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I'm sure MICROS~1 will have some PR twist on this, blah blah blah. Although I think this story was VERY worthwhile of inclusion on /., I'm almost getting tired of hearing about Microsoft's security flaws, and their inability to deal with them. Microsoft has more hardware, software and programmer resources than probably any other company today. They have NO excuse (IMO) to not address something like this immediately,
-This sig intentionally left blank
Is there a chance that people have been secretly exploiting this for some time? Can it be used to gain unfair advantage in trading?
It doesn't really matter. People keep assuming that administration wants to know or cares if their pet server OS is secure. They don't decide on technical merits or fitness for purpose; they decide on what the salesmen tell them and what everyone is doing. They're just going to think, 'well, everyone gets hacked', and forget about it. This doesn't change any thought process at all because everyone in the server rooms knows whats going on and everyone out of it doesn't care.
A society that will trade a little liberty for a little order will lose both and deserve neither. - Thomas Jefferson
Not to say that ms is always on time with patches, but a couple of clicks through the links above lead to a patch released on 14th of July - in response to an earlier exploit using the same basic method.
This exploit allows someone to view files that would otherwise be run natively on the server, without being preprocessed. In their entirety.
Something like global.asa, which for you non-IIS types out there, is a file run on webserver startup, which contains all sorts of interesting information. It is a repository for most developers using IIS to put in information like database usernames and passwords, so the webserver can talk to it.
_This_ is where the problem is. I'm not sure that exploit as reported on Bugtraq gives write-access to anything (except by revealing another port of entry), but it does allow someone to get access to databases and any sort of thing they choose to store anywhere within the webserver space, in any file.
Evil. And credit to the white-hat for reporting that. It builds more media coverage, with the hackers looking good, the sites looking good (for patching it quickly); the only ones who look bad are Microsoft for not fixing the bug in the first place.
Fross
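The hardening post above (remove unused application mappings and the "msadc" RDS directory) and Fross's explanation of the +.htr source fragment disclosure against global.asa both describe request patterns an IIS admin could look for after the fact. The following is an added example, not code from the thread or from any of the posters: it parses IIS W3C extended log lines (the sample log, client IPs and paths are constructed, not a real NASDAQ log) and reports requests matching those patterns so the admin can see whether the server actually served them.

```python
"""Audit IIS W3C extended log lines for the request patterns discussed in the thread.

Added example; not code from the thread. It flags:
  * URIs ending in "+.htr" (the ISM.DLL source fragment disclosure trick)
  * any direct request for a .asa application file (global.asa must never be served)
  * anything under /msadc/ (RDS, which the hardening post says to remove if unused)
  * requests that hit a script mapping other than .asp (the "opt-out" ISAPI parsers)
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log (W3C extended format); the IPs are documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-17 10:01:02 192.0.2.10 GET /default.asp - 200
2000-08-17 10:01:05 192.0.2.10 GET /images/logo.gif - 200
2000-08-17 10:02:11 198.51.100.7 GET /global.asa+.htr - 200
2000-08-17 10:02:15 198.51.100.7 GET /global.asa - 403
2000-08-17 10:03:40 198.51.100.7 GET /msadc/msadcs.dll - 200
2000-08-17 10:04:01 203.0.113.5 GET /admin/login.asp - 200
2000-08-17 10:05:22 198.51.100.7 GET /quotes/data.idc - 200
"""

# Static content plus .asp is all a typical IIS site needs; any other extension
# is handled by an ISAPI mapping the hardening post suggests removing.
ALLOWED_EXTENSIONS = {"", "asp", "htm", "html", "gif", "jpg", "jpeg", "css", "js", "txt"}
RDS_PREFIX = "/msadc/"
HTR_SUFFIX = "+.htr"
FIELD_LINE = "#Fields:"


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    status: int
    reason: str


def _extension(path: str) -> str:
    """Extension of the last path segment, lower-cased; '' if it has none."""
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def classify(uri_stem: str) -> List[str]:
    """Return the reasons a request URI is suspicious (empty list if clean)."""
    path = unquote(uri_stem).lower()  # normalise %2B etc. before matching
    reasons: List[str] = []
    if path.endswith(HTR_SUFFIX):
        reasons.append("'+.htr' suffix: ISM.DLL source fragment disclosure attempt")
        path = path[: -len(HTR_SUFFIX)]  # inspect the file actually targeted
    if path.startswith(RDS_PREFIX):
        reasons.append("RDS (/msadc) access; remove the virtual directory if unused")
    else:
        ext = _extension(path)
        if ext == "asa":
            reasons.append("direct request for a .asa application file")
        elif ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"request hits the .{ext} script mapping; unmap it if unused")
    return reasons


def parse_log(text: str) -> List[Finding]:
    """Parse W3C extended log text using its #Fields header and return findings."""
    fields: List[str] = []
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith(FIELD_LINE):
                fields = line[len(FIELD_LINE):].split()
            continue
        if not fields:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misparse
        rec = dict(zip(fields, values))
        for reason in classify(rec["cs-uri-stem"]):
            findings.append(Finding(line_no, rec["c-ip"], rec["cs-uri-stem"],
                                    int(rec["sc-status"]), reason))
    return findings


def suspicious_clients(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per client IP, most active first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    results = parse_log(SAMPLE_LOG)
    for f in results:
        served = "SERVED" if f.status == 200 else f"status {f.status}"
        print(f"line {f.line_no}: {f.client_ip} {f.uri} ({served}) -> {f.reason}")
    print(suspicious_clients(results))
```

A 200 on a flagged line means the server handed the content over, which is the case the thread's posters describe; a 403 or 404 shows the mapping or directory was already locked down.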
It sounds like they didn't even rebuild the server after it was cracked. They just installed patches and took the hacker's word for it that he didn't do anything else (install backdoors or whatever). Very trusting of them.
Most hackers who are hacking into a box for the purpose of providing Admins with the exploit details and how to fix it will most likely not be caught red-handed at the keyboard. The reason black hats are often caught is through months (sometimes years) of systematic research and tracking their activities. It is a long and arduous process to get to the point where the FBI is breaking down some guy's door and ripping his RJ45 out of the wall. (Read Cliff Stoll's Cuckoo's Egg to see what he had to go through for this to happen)
I suspect a white hat would exploit a system and then go to work on a fix. He would not repeatedly go back and exploit the same box over and over. That is evidence of a black hat. Black hats keep their exploits secret and repeatedly exploit the same hole over and over. A white hat is also not angling for an account on that box from where he'd set up a base of operations. He just exploits and leaves, leaving little trace of even being there.
I would be less concerned with a white hat getting caught, and more concerned with black hats post-facto claiming they were planning to go public all along. (Apparently the legal system takes this view as well)
Regards...
> try convincing some PHB... They're like mentally handicapped children...
Please - a bit more respect for the mentally handicapped!
--
Sheesh, evil *and* a jerk. -- Jade
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
The media jumps all over the "Bad Guys" on the Internet. Defaced websites (especially high-profile ones) get plenty of coverage. I'm curious how the media is going to treat this one. If more public praise is given to these White Hats, maybe the trend can be reversed. A disobedient kid is often looking for attention. If the good guys gain as much notoriety as the bad guys... you get the idea.
Whoa! That's another quality hack by a Dutchman. First slashdot, now Nasdaq. Holland Hackers vs Site Admins: 2-0 :-)
Bram
http://www.stolk.org/tlctc
If he did that he would be rooming with John Gotti in supermax at Leavenworth
You are talking about Application architecture issues.
I could make the same exact mistakes with a Unix solution... they wouldn't be the fault of Unix, they would be the fault of my mistakes.
I never brought those points into play; I don't disagree with them, but I don't think they are relevant either...
Black Hats vs White Hats: Why is it relevant to the issue? How is it measurable or documented?
About the number of security holes: No one can know about security holes that 'no one' knows about. This is true of all OS/webserver combos. I guess it's relevant that M$ isn't disclosing its source, but that only means that we cannot fix holes we find.
As for incentive: Apache provides no incentive to investigate the holes. It is only the case that hackers, white or black, tend to investigate holes for their own reasons, independent of the vendor. NASDAQ is a big enough site that people will try to hack it even if it's running an Open Source package.
Open Source projects don't inhibit people from *fixing* security holes. Finding the hole is as easy as exploiting it, and people are always trying to find holes to exploit.
The nick is a joke! Really!
GPL Deconstructed
Damn...I forgot to tag my text. Sorry all.
A number of replacements based on the acronym IIS could include:
It Is Sh*TTY
I Is Smart! (Referring to the people who chose to use MS/IIS)
It Isn't Seaworthy
I Imagined Stability
It Isn't Stable
Impression? It SUCKS!
Impotent Internet Server
Invokes I.T. Shame
Imbecile Inside Server
Any more that I missed?
In God we trust...all others must submit a valid X.509 certificate.
Do not meddle in the affairs of dragons, for you are crunchy, and taste good with ketchup.
If everybody would just leave everybody else alone, the 'net would be a better place. Instead, scum like this have to go out and hunt for holes on the NASDAQ web server. Why, back in the day, nobody would ever look for holes like that. People peacefully on the mainframes. And, for the record, I did not shoot that person who was using up CPU time playing trek. Not me.
The next thing you know he'll be arrested for violating some law regarding vaguely worded "breaking and entering" clauses into computer equipment.
Such as this Michigan State statute: MCL 767.39; MSA 28.979 reads:
Every person concerned in the commission of an offense, whether he directly commits the act constituting the offense or procures, counsels, aids, or abets in its commission may hereafter be prosecuted, indicted, tried and on conviction shall be punished as if he had directly committed such offense.