Slashdot Mirror


Microsoft Cracked

Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete. What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.

206 of 712 comments

  1. Umm... HELLO!!! by state*less · · Score: 2

    "Defacements of Linux sites has been rising at a steady rate and now there are more defacements of Linux sites than NT sites."

    Do you think that maybe that's because there are more Linux than NT webservers and that it's been rising because the amount of Linux webservers is rising (in fact has overtaken NT). I dunno just a guess.

    Time is Change.

  2. Yep, you missed 'em by CrayDrygu · · Score: 2
    Did I miss some facts in the article...

    You sure did. I'd venture to guess you didn't even read it. Go read the MSNBC article where it states what "experts" think happened. (In short: QAZ).

    And while it doesn't mention a mail client, how much you wanna bet everyone at MS uses Outlook?

    --
    "I personal[ly] think Unix is "superior" because on LSD it tastes like Blue." -- jbarnett

  3. Re:No Security on a Windows Network by Juggler · · Score: 2
    In short, I agree with you. But it's not limited to Windows, even though that is currently the riskiest platform by far.

    As far as I can tell, defining and enforcing a policy for what is acceptable as email content is a very, very rare practice. I contend that it shouldn't be, no matter what OS you are running.

    Which is why I hang around on slashdot telling people to click on my signature - I wrote an open source filter which allows admins to do just this. :-)

    My program doesn't solve the problem. But it helps - it allows the admin to make his internal network immune to whole classes of attacks. That can really make a difference.

  4. This is really getting to be too much by Brian+Knotts · · Score: 2
    You know, I was expecting some level of Microsoft apologism in the posts in this thread.

    But I expected the arguments to at least be plausible.

    What we have instead, is an argument that Microsoft's software is not at fault; the problem is faulty administration.

    This is being claimed despite the fact that Microsoft wrote the freaking software!

    If they can't admin it properly, how is it reasonable to expect anyone else to do so?

    SHEESH!

  5. Re:Not A Good Thing by ctembreull · · Score: 3
    Maybe, maybe not.

    While I agree with you that this is going to look bad in just about any light, a few things need to be kept firmly in view.

    • We do *not* at this point know if the crackers in fact took source code. We know, according to Ballmer, that they did indeed *view* the code. But did they actually get hold of a copy? Without knowing this answer, we can't accurately predict if and how that source code will be distributed to the net.
    • Yes, it's true, Microsoft will in all likelihood attempt to spin this as being all the fault of those nasty, evil, commie Open Source people. But is it? The best defense against FUD is the truth, and finding out just who did this, and why, will go a long, long way towards blunting the flood of bullshit that's even now beginning to emit from the general direction of the Pacific Northwest.
    • What will Microsoft be able to claim as protection in the event the source *does* get out to the internet? Trade secret status? One of the most important things to come out of all that DeCSS litigation was, if I remember correctly, the statement from the judge that once a trade secret is publicized, no matter how, it's not a secret anymore. What, if anything, can MS use? Copyright violations? Won't hold water if any GNU or other public code is discovered in *their* code. Sure, they might try to invoke the DMCA or something like that, but honestly, what will they be able to prove or accomplish? Once the secret's out of the bag, it's *out* - whether or not that's a good thing.
    Yeah, it's for almost damn sure that there's going to be a very, very ugly war of ideologies, rhetoric, and politics resulting from this little stunt. But the key for anyone who opposes Microsoft and its slipshod methodologies which produce, in my not-so-humble opinion, second-rate software, is to keep the debate focused upon the facts and the truth. This exploit was the result of a well-known security issue, one that's been around for months, and one which Microsoft *should* have been able to guard against. This exploit was more than likely the result of a rotten-to-the-core policy decision that allows Outlook to execute arbitrary code with nigh-unfettered access to the operating system internals.

    Yes, this hack was probably a very, VERY unwise decision by the culprits. Yes, there will be a truly astounding storm of shit over the matter. But, if Microsoft's opponents play their cards correctly and with a bit of savvy, there can be a world of good which comes out of it, too.

    But first, maybe we should all sit back and try to figure out exactly what happened, how it happened, who caused it to happen, and most importantly, why it happened.

    If nothing else, that approach will choke off some of these tiresome, pointless accusations and counteraccusations.

    Chris Tembreull
    Web Developer, NEC Systems, Inc.

    --

    Chris Tembreull
    "My karma just ran over your dogma."
  6. Re:Reichstag Fire by sulli · · Score: 2
    Updated:

    Reuters at Yahoo.

    --

    sulli
    RTFJ.
  7. Interesting thought by Ektanoor · · Score: 2

    If these guys managed to sneak at least a section of all that embedded all-integrated code then Microsoft is in deep trouble.

    It is known for quite long that there is some "secret code" that allows such apps like Excel or Explorer to work more tightly with the core of the system. Even Microsoft, back in the middle of the 90's, recognized that their Excel got a boost in performance due to such hacks. Now, imagine what will happen if the code gets well known. First Microsoft loses its warhorse. Second, these hacks can be exploited to take control over the system. Note: I am not stating an hypothesis but a fact that I saw with this "all-in-one" mess, two years ago. It's a pity I didn't have that source code back then :)

  8. OSS brats, hippies & Microsoft, oh my! by Minupla · · Score: 2

    I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.


    First let me say I agree the message was in very bad taste. I don't think M$ will win in the long run. Why? History repeats itself. Causes that are championed by the youth of today inevitably win tomorrow when the youth of today becomes the decision makers of tomorrow (scary, I know).

    Historic examples: green movement, peace movement, and probably a lot of other movements I'm forgetting about.

    M$ might win the day, but I seriously doubt they'll win the war.

    ----
    Remove the rocks from my head to send email

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
  9. So where's the source? by shutdown+-h+now · · Score: 2

    Somebody wanna put up a location to the source?

    I'd love to see Microsoft source code. We could all benefit from looking at their source. In the very least we could learn what kind of code *not* to write.

    1. Re:So where's the source? by Chris+Johnson · · Score: 2
      Um, foreign intelligence computer espionage agents don't post to Slashdot. _Good_ hackers post to slashdot. Military spies may be good _at_ hacking but they really suck rocks at 'information sharing' :P

      Wake up, this was a military action, not geek subculture. If you want to see the source you'll have to crack into MS yourself. The Russian spies are not going to share.

  10. Potentially Serious Consequences by werdna · · Score: 2

    Hackers have had access of some sort to Microsoft source codes for perhaps as long as three months. Microsoft can only say they presently have "no evidence" that codes have been changed.

    So little is necessary to create a back door, or even an exploitable "bug," how would it be possible for Microsoft ever to say that the codes are uncompromised?

    The problem is that MS operating systems are ubiquitous. If a hacker can build-in, directly or indirectly, the equivalent of Back Orifice in EVERY system, what then? Suddenly MS itself becomes the Trojan horse.

    This is the fundamental difficulty of closed source solutions -- there is no way for third parties to assure themselves of the absence of surreptitious code. Of course, such code can find itself into open source code as well, but at least there are means to independently verify the work.

    Microsoft just says, "trust me." And some of us do. But the more frequent hacker visits occur, the less it matters whether we trust Microsoft -- we have to ask ourselves, "do we also trust Microsoft to effectively defend itself (and thus us) against Microsoft's hackers?"

  11. Info also at the Washington Post by Rasvar · · Score: 2

    Info on this is also available at the Washington Post

  12. Inside job? by hrieke · · Score: 2
    Or was it Steve Jobs? :-)
    Really, this isn't a good thing for MS in any way. If it can be proven to be an inside job (to hold off the legal issues maybe?) and is found out to be, then they're screwed.
    If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.
    On the bright side, it's a win-win for us.

    Oh what a great day.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
    1. Re:Inside job? by AnoniMoose+Cowherd · · Score: 2
      From CNN's article: What they appear to have had access to is the source code for products in development "years and years away," the spokesman said.

      Read: not only can you not trust the next release of windoze, you won't be able to trust it for "years and years." ;o)

      --
      - AnoniMoose Cowherd
    2. Re:Inside job? by ichimunki · · Score: 2

      You are absolutely correct. However, from all indications in the press, this crack was open for three months-- which is plenty of time to quietly make changes that get into the backup sequence and into the master source tree (there can be many copies, but sooner or later source must be merged unless each MS developer is working on a completely forked piece of software). And if this crack exists, are there others? Also, this is a company well-known for easter eggs. Not that I didn't think the Excel flight simulator wasn't fun, but think about what the whole idea of easter egg means in terms of security policy. I'm not saying they can't clean their software up or that there is even a reason to believe it was corrupted (trojan code still has to compile and not cause bugs during testing in order to make it back out of the corporation). But how would we know? And do you really trust them to be as careful or as truthful about it as you'd like?

      --
      I do not have a signature
    3. Re:Inside job? by x0n · · Score: 3

      Does anyone at all think before they post stuff like this? Just for once can we please not be subjected to the usual moronic childish chants of "microsoft sucks" and "see what happens when you don't run linux" ?

      This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-privilege data _legally_ available to any program running in that user's context.

      IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?


      -- Writing a Haiku
      in seventeen syllables
      is very diffic

      --

      PGP KeyId: 0x08D63965
    4. Re:Inside job? by henley · · Score: 4

      Looking beyond the fan-boy name calling, there is a serious point behind this.

      Microsoft has made a massive virtue of "making hard stuff easy"; underlying a lot of the products coming out of Redmond is the core value of "Trust us to do the hard stuff for you".

      In that context, it's commercially damaging to have revealed to the world-at-large that even Microsoft can't rely on Microsoft to do the hard-stuff (security) for it. And if Microsoft can't rely on themselves why should anyone else?

      Not, I hasten to add, that I believe that this incident will have any long-term consequences of this action. I'm waaay too cynical to believe that any good can come of this.

      --
      I'd rather have a bottle in front of me than a frontal lobotomy
    5. Re:Inside job? by Ser\/o · · Score: 3

      Think about how many attempts to do this go unrewarded....in any given day. I think about how many scripts and 'sploits I see for *nix machines, and I don't see these kinds of numbers for NT boxes.

      Why is it that a *nix box getting compromised = 'Excellent, now we can patch the hole', but an NT machine = their security "sucks"?

      My personal opinion is that unix variants are more secure, stable, and so on, but NT is NOT a gaping hole into a given network, just not my 1st choice as a server.

      Before the flames abound, my personal server is a linux box, I just didn't agree with this particular statement.

      --
      -Just because you're not paranoid doesn't mean they're not out to get you.
    6. Re:Inside job? by McMuffin+Man · · Score: 2

      What the story in the WSJ didn't say which would explain whether this was social engineering or not was how the trojan was run from the e-mail. If it was in an attachment which needed to be extracted and run by conscious choice of the user, then x0n is right that this is just an education issue for Microsoft employees.

      But another likely scenario is that one of the numerous design flaws in Outlook that make it possible to execute foreign code on a machine without user action was used here. In this case blame for the incident rests firmly on Microsoft's consistently careless security design of their products, and all of this "Microsoft sucks" chanting has some specific backing here.

      Which is to say that, yes, I thought before I posted this, and microsoft sucks.

    7. Re:Inside job? by ichimunki · · Score: 3

      This may be a case of social engineering, but please don't gloss over the fact that it is Microsoft themselves who have repeatedly and loudly condemned Linux and who still, at this page on their site claim the Linux security model is weak. They spend a lot of time, money, and effort to put Linux in an extremely bad light. If they can't secure their own network using their own software, then I seriously question how their user base is to be expected to do the same. This points up how incredibly difficult it is to secure their software, yet they claim it is superior to other models out there.

      Also, a quote from their spokesdroid, "We are confident that the integrity of Microsoft source code remains secure." (MSNBC article). I'm not so sure I believe them. Can they prove it? Is there any consulting firm in the world not on the Microsoft payroll who will be allowed to study their source to determine that it hasn't been trojaned by Russian subversives (or Steve Jobs or whoever cracked them)? I humbly suggest that from this day forward, there is no guarantee that any newly compiled software or patch hasn't been corrupted. While there's no need for gloating and "moronic childish chants", the fact remains that their source may be compromised and their security through obscurity model does not satisfy even the weakest security policies. This is not a problem we have with Linux or BSD-- which certainly have had holes in them, no denying it. But when you have someone telling you that you should trust them, and please pay mightily for our product, and, yes, you'll just have to trust us that it works the way we say it does (even though we can't seem to keep ourselves secure)-- oh and that Free software that you can obtain for a fraction of the cost and that you are able to review, modify, and share as you will? It sucks.

      They do not deserve any leniency whatsoever. Their model is the one that is broken. It is based on trust. They can't buy that with any amount of marketing or legal shenanigans. Trust must be earned. And right now, they get none from me.

      --
      I do not have a signature
    8. Re:Inside job? by Hooptie · · Score: 2
      Why is it that a *nix box getting compromised = 'Excellent, now we can patch the hole', but an NT machine = their security "sucks"?

      Please explain, in detail, to us how you would patch the Windows NT source code to fix a security hole.

      Hooptie

      --
      "Heavens, it appears that my weewee has been stricken with rigor mortis!" -- Stewie Griffin
    9. Re:Inside job? by joshuaos · · Score: 2

      If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.

      If only this could be the case, but I have this sneaking suspicion that M$ and the media will use this incident to talk about how bad all those "hackers" are and attempt to totally gloss over the fact that it is simply lack of security in their OS that is the problem.

      Joshua

      --

      When in danger or in doubt, run in circles, scream and shout!

    10. Re:Inside job? by Eck · · Score: 3

      If there are so many exploits for Unixes and not NT, why is it that despite an apparent minority of servers, there are more defacements of NT sites?

      Besides, as another poster pointed out, if we hear about a vulnerability in an open source OS, whether or not it's Unix-like, we can fix it a lot more easily than with closed-source NT.

  13. Open source in danger by Anonymous Coward · · Score: 4

    Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts, I think it's important to discuss just how bad it would be if they have actually had the source code for their operating systems stolen by these hackers. And not for Microsoft, no, but for people engaged in open source projects like Wine, or people building Windows compatible operating systems.

    What are Microsoft going to end up doing? They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits, and that these products have improved as a direct result of this crime. Then, all they need to do is take the creators of Wine to court over this, and hey presto, there goes a project which was making Linux look good against Windows.

    Unfortunately, because of the hacker ethos about security and the fact that the ranks of open source programmers already include criminals (Randall Schwartz), judges without any real clue are quite likely to buy this.

    1. Re:Open source in danger by Chokai · · Score: 2

      It doesn't matter if the judge has no clue. You can still have a judge that has a clue and it's likely he would agree if Microsoft could prove a linkage.

      A judge's job is to interpret the law. (in case you forgot this.) These are VERY smart people and I will bet you money they are not clueless in any sense of the imagination. The judge may philosophically agree with you but it is more than likely he is tied down by arcane laws that no longer work.

      Yes if Microsoft can prove linkage between source code theft and Wine, the Linux kernel (god forbid!!) or any other piece of software they WOULD win (not could). It doesn't matter if the judge has been using Linux for years and can compile his own kernel he would have to agree with Microsoft. If he didn't he would be disbarred (fired) for not following the law and the case would bounce to another court until Microsoft got an agreeing judge.

      Any theft of intellectual property is extremely risky. Even if it's intended to help a group or embarrass another group it can come back and bite you in the ass.

    2. Re:Open source in danger by jetson123 · · Score: 2
      I think that danger doesn't exist. Microsoft was negligent in protecting their source code, and that likely means that it isn't protected as a trade secret or confidential information anymore.

      Let's just hope that the Microsoft source code doesn't infect open source projects with its lack of style or lack of attention to design.

    3. Re:Open source in danger by divec · · Score: 3
      They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal pursuits

      Would be hard to prove. I can imagine, in such a trial, the defence demoing a 1997 version of wine running Excel 95. (It was unstable, but you could get it to run which is visually important). I.e. "this project has been making an earnest attempt to do a legit clone of the windows functionality for many years now".
      open source programmers already include criminals (Randall Schwartz)

      I'm sure there are examples of closed-source programmers who are criminals, which you could list in a trial.
      (In case anyone doesn't know, Randall's only crime was to get on the wrong side of Intel in Oregon, where the government basically does anything Intel wants. See here for details. Please boycott Intel and write to them to tell them you are doing so).
      --

      perl -e 'fork||print for split//,"hahahaha"'

    4. Re:Open source in danger by MartinG · · Score: 2

      > all they need to do is take the creators of
      > Wine to court over this

      Fortunately, they have to do a lot more than that. Proving that the wine project actually used or even saw their source for a start.

      If what you are saying were true, wine could just as easily take MS to court now claiming that MS _must_ have stolen their code just because they might have read it.

      It's not a matter of the judges "buying it" unless they are a corrupt judge. It's a matter of assumed innocence until proof otherwise can be established. Proving that somebody read something is not necessarily all that easy.

      --
      -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
    5. Re:Open source in danger by kinkie · · Score: 2

      First they have to _prove_ that there has been leakage of unlawfully-obtained code (assuming that the act of cracking a computer _is_ unlawful in Russia or wherever else the perpetrators have committed the act) into clean projects like Wine etc.
      In the end, if the worst-case scenario comes true (that is, if there has actually been IP theft), all it takes is that the developers of Wine (etc.) refuse to get in touch with the stolen code.

      I can imagine the scene: a dark alley, a Wine developer passing by and from a dark corner a hushed voice saying: "You look down. Problems compiling? I have something good for you... you know it won't hurt, in fact it will make you feel all right..." :-)

      --
      /kinkie
    6. Re:Open source in danger by Bazman · · Score: 2

      The source code for Windows is already available outside of Redmond, or at least parts of it are. MS make it available to certain researchers under non-disclosure agreements. I know people in the Comp Sci dept here that have some of it.

      So it could already be a problem, but it isn't.

      I'm just hoping the source code gets posted so that we can start fixing the bugs in it.

      Baz

    7. Re:Open source in danger by Black+Parrot · · Score: 5

      > Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts...

      Well, I'm just grateful that no one broke in to www.redhat.com and stole the source for Linux.

      --
      Sheesh, evil *and* a jerk. -- Jade
    8. Re:Open source in danger by jafac · · Score: 2

      It's worse than that, what if they not only stole the Windows source code; what if they MODIFIED it? What if they put a back door into it? Who knows? What if Microsoft doesn't locate the back door? What if products have already shipped with back doors?

      What if the hackers find MORE exploits in their stolen source code, and instead of publishing them to NTBugTraq or 2600 (who will make them public - so everyone can know about the dangers, and take precautions, and so that Microsoft might fix them), they pass them around to terrorists or other "black-hat" hackers, and they are used nefariously?

      There is no stronger argument for Open Source software.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  14. Yahoo Coverage by Diskore · · Score: 2

    What is it Slashdot? Microsoft Cracked or Crackers Crack Microsoft? Either way, there's good coverage on Yahoo, as always. Diskore

    1. Re:Yahoo Coverage by jpatokal · · Score: 2
      Either way, there's good coverage on Yahoo, as always.

      Err... yeah. How's this for good coverage?

      A worm is a distinct type of computer virus that makes copies of itself across multiple systems. This particular virus is believed to have entered Microsoft's headquarters on the back of an inconspicuous looking document, which would also make it a so-called Trojan virus.

      I don't think I've ever seen so many concepts incorrectly defined in such a short space before:

      • All viruses (and worms) replicate
      • Worms are not viruses
      • Trojans are executables, not documents
      • Trojans are not viruses
      • Trojans are not worms
      • Trojans don't replicate
      Cheers,
      -j.
    2. Re:Yahoo Coverage by lizrd · · Score: 2
      I don't think I've ever seen so many concepts incorrectly defined in such a short space before:

      Ok, I'm left a little confused as to how you classify these kind of things then. Let's take something like Melissa or I Love You as an example:

      • All viruses (and worms) replicate Melissa and I Love You make copies of themselves (like a virus) and send them across a network (like a worm).
      • Worms are not viruses Well I'm a little confused here. My understanding of a worm is that it's simply a virus that uses a network as its primary means of propagation. I will however concede that a virus could be more strictly defined as only including those programs which embed themselves in other binary executables.
      • Trojans are executables, not documents Well, how then do you classify VB scripts then? They are pretty much like a document, being plaintext and all. They are even more like a document when they come embedded in a Word or Excel document.
      • Trojans are not viruses This is true, but the difference is pretty subtle. OTOH, I'm not sure that you could always say that viruses are not trojans.
      • Trojans are not worms This is true, but the difference is pretty subtle. OTOH, I'm not sure that you could always say that worms aren't trojans.
      • Trojans don't replicate No, but worms and viruses do. A trojan is just a means of social engineering, what the trojan does after being activated by the user may well take the form of viral or wormlike activity.
      Overall I'd say that it's getting harder and harder to define the terms trojan, virus and worm. Their differences in meaning aren't all that great, especially in a time when nearly every computer was connected to a network. Now it's very possible for a cracker to draw on attributes of all three forms of malicious programs and produce something that's a little hard for computergeeks to accurately pigeonhole, let alone expect some clueless reporter to be able to do accurately.
      _____________________
      --
      I don't want free as in beer. I just want free beer.
  15. Re:Sealand by jafac · · Score: 2

    what do they need laser guidance for?

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  16. Re:The "Truth" about who Microsoft really is by jafac · · Score: 2

    I like your .sig.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  17. Haven't even gotten to SUBTLE Win-security holes.. by dpilot · · Score: 3

    .. because there have been so many blatant ones. How can anyone say that there isn't a Win32 equivalent of buffer overflows, or string format errors? One of those things they did somewhere down the line for performance was to yank some of the API parameter checking.

    But so far, crackers haven't had to look for holes or real problems in the code, because *THE PUBLISHED API, ITSELF CAUSES HOLES*. Windows is still back at the "Morris Worm" days of security, if even that far along. How long ago was that?

    --
    The living have better things to do than to continue hating the dead.
  18. Re:Maybe this is what sunk the Kursk by Kidbro · · Score: 2

    You jump to conclusions pretty quickly. You saw someone who wrote a post that offended you, and thus you assume that this person, and most other frequenting this place to be "brats... lacking any amount of maturity and decency", ending your display by declaring death penalty to the person not sharing your taste of humour.

    I must admit that I wonder who is at error here. The post you're replying to is in no way an indication of this person's maturity or decency, nor does it reflect his affiliation with the Open Source movement.

    Even so, as has already been stated in another post (redundant here I come:), people make jokes about anything, all the time! This includes war, death, fatal accidents, betrayal heart aches and slapping each other in the face with dead fish :)
    NO topic is too touchy to joke about. Some people may on some occasions be offended by certain jokes (obviously), but in that case I'd make a bet that it's usually the people offended that's the problem, and not the joke.

  19. We need to turn the tables... by dpilot · · Score: 2

    and outline that this happened precisely because Microsoft does not truly participate in 'white hat cracking' efforts. They finally have some levels of acknowledgment of Bugtraq, but they haven't fully embraced it. (let alone extend or extinguish, but perhaps that's the legal focus yet to come.)

    That is to their detriment, and what they have refused to learn from the white-hat community has contributed to this break-in.

    That's the story we need to put forward, now!

    --
    The living have better things to do than to continue hating the dead.
  20. Only ROGUE companies, eh.... by Pig+Hogger · · Score: 3
    Other possible motives include economic espionage, though experts said only a rogue company might knowingly buy stolen software, using it either to improve its own products or make those products more compatible with Microsoft's best-selling operating systems.
    Well, the article said it all: only BAD companies would want to make products MORE COMPATIBLE with Windoze...

    --
    Americans are bred for stupidity.

    1. Re:Only ROGUE companies, eh.... by Chris+Johnson · · Score: 2
      The article is being very stupid.

      Military entities would grab this sort of thing in a heartbeat, a nanosecond. There's no way this was some curious geek or 'rogue Russian company' trying to be more compatible with windows! That's utterly absurd.

      This was a military exploit. Everything from military IT to battleships runs off Windows. In addition to that, lots of other countries' militaries run off Windows as well. We will not be seeing script kiddies putting up funny defaced web pages.

      The purpose of this espionage is this: when the missiles come over, the target country's military IT will be DOWN.

      I simply hope my country (the US) isn't actually the target that somebody has in mind. Just about any country would be as vulnerable, this isn't about the US only. It's not strictly military IT either- consider a war with the shipping and industry of the target country crippled through IT attacks.

      I've felt for a long time that people should be nervous of Microsoft waking up and realising their control of IT was a military weapon. It seems I was wrong- they never smartened up enough to understand this. Somebody in Russia, however, did- and struck first, gaining access to the proprietary information that would reveal every point of weakness for later attack. Whether Microsoft figures out it possesses the capacity for denial of IT services as a military weapon, at this point, is meaningless. It's too late as they no longer control the information- they lost the first-strike capability.

      It might be a good idea for the US military to seize control of the very same code so at least they can have equal capacity to attack, or to know what will be attacked and how. If MS tries to resist that it would be a matter of, "No- you can pay money to run our products, and the Russians have total information on all their weaknesses, but YOU have to trust us that your IT is not compromised. Trust us, we're Very Smart!"

      Frankly, the political applications of this are staggering.

  21. Re:See what happens when you rely on NT by Alternity · · Score: 2

    Those things were supposedly made more secure with Outlook patches after the I Love You problems. Now if Microsoft themselves didn't apply their own patch to their software and are paying the price for it I can't help but smile and shake my head at how ridiculous this is.


    "When I was a little kid my mother told me not to stare into the sun...

    --


    "If liberty means anything at all, it means the right to tell people what they do not want to hear"
  22. Conspiracy theories and Urban Legend by wen · · Score: 2

    Now that news of a penetration at microsoft has been reported, whether or not any facts emerge, there will always be conspiracy theories and urban legends of people who hacked MS or own the code.

    I love it.

    Unfortunately, even if investigators catch the crackers "red handed" with the MS password files and Windows source code, there is no way anyone can be absolutely sure that the code has not been distributed.

    Conspiracy theories and legends of rogue cracker terrorists, foreign power "Echelon" projects, and talented grade-schoolers will emerge.

    As other readers have pointed out, this is a perfect way for MS to attack all projects aimed at MS compatibility. They will always be able to point at how it is impossible for others to get their programs to work with Windows without having access to the source code. Wow.... all this is an incredible conspiracy on MS's part!

    Don't cloud the issues with the facts.

    Everyone is out to get YOU. Have a nice day.

  23. What I want to know is... by Tank+Abbott · · Score: 2

    will I get sued for posting a link to the Windows source code? And how the hell am I going to get it to fit on a T-shirt??

    --
    I used to have a sig, but I traded it in for a glock!
  24. Re:s/NT/stupidly trojan-enabled software/ by mindstrm · · Score: 2

    Sorry? If explorer is set to show hidden extensions, it still hides .vbs?
    I think not.. and I just tried it to confirm this.

    And outlook is not part of windows... it's part of office.

    And the icon for .vbs is different than for .txt, so those 'power users' sure aren't.

  25. That's not what I said. by mindstrm · · Score: 2

    I said 'outlook' does not come with windows.

    Outlook Express does come with windows, but they are *not at all* the same piece of code. Outlook Express is *not* simply a 'light' version of outlook.. it is mostly a completely different mail package.

    All these 'outlook' worms *ONLY* work in OUTLOOK, not in outlook express. Everyone just assumes that when you say outlook, you mean 'outlook express'.

  26. Re:/. edit box (Was: See what happens when you...) by Jason+Earl · · Score: 2

    Or if you are truly sick, you can simply use Emacs+Gnus to read Slashdot. Some crazy hacker has actually added a Slashdot backend to Gnus so that you can read Slashdot as if it were just another news group.

    That includes Gnus' incredibly powerful scoring system (so your problems with slashdot moderation disappear). If you want you can just read the posts from known trolls.

  27. Re:See what happens when you rely on NT by jafac · · Score: 2

    actually, it's not Outlook's fault at all. It is the fault of the architect who decided what Outlook's default security settings are. By default, they're wide open. (stages.vbs proved that), but if the security settings are tweaked a bit, this kind of exploit is impossible. But then again, if they enable those settings, widespread use of this so-called "feature" is DISabled. And if widespread use of this so-called "feature" is threatened, it threatens the feature's usefulness, and hence, the feature itself may as well not exist (yay!).

    So basically, the choices are;
    1) Develop a feature which allows Outlook to run executable code - so administrators can email software updates to their employees, etc. By default, leave it wide open, so support of this feature is ubiquitous, and so that people actually USE it, and it's touted as a great reason to use Outlook instead of Eudora, etc.
    2) Develop this feature, add it to Outlook, but effectively hobble it by setting the security defaults high enough to eliminate the threat of email viruses. If anyone wants to actually USE this feature, designed to aid complicated administration tasks, they'll be required to train all endusers in how to set the security settings so that this feature can be used (has anyone here actually tried to tweak these settings in Outlook? Talk about obscurity!)
    3) Leave the feature out, and give consumers NO features that appeal in Outlook over Eudora.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  28. Re:Reichstag Fire by sulli · · Score: 2
    They have acknowledged that Windows source code was taken:

    http://www.nytimes.com/aponline/technology/27MICROSOFT.html

    The Reichstag Fire analogy is relevant in my view.

    --

    sulli
    RTFJ.
  29. Why Bill G paid them to do it (Conspiracy 101) by WillSeattle · · Score: 2

    OK, now that you've all had your fun at the expense of MSFT, it's time to tell about what really happened. I mean, it didn't even get the banner headline in Seattle, it was so lame. We were all paying attention to I-695 being overturned and how Eyman is a dweeb.

    Picture this - a dark, shadowy lair on the shores of Lake Washington, in a futuristic (circa 1990s) mansion that has a trout stream meandering through it and ads for Froot Loops appearing on every wall. Bill G, Dark Overlord, sits in his space age chair, rocking back and forth, as his minions sit uncomfortably, waiting to hear his latest dark plan for world domination.

    "Profits!" he screams suddenly. "No one is buying my Windows 2000 TM R Patent Pending!" he shouts to the cowering lackeys, many recently hired from failed dot-coms that litter the wasteland of King County. They jump in their chairs, and settle back down nervously, awaiting their orders.

    "You must crack our servers, in a way that will bring disrepute upon those who oppose us - make it appear to be Open Source Hackers, Russians would be best; everyone knows the Russians are still mad at us over the cold war. Release all the code to our failed OS - they will assume it was functional. And then - you must go into hiding in Aruba."

    They leave, shuddering at the import of his task, knowing that their lives and those of much of the rest of the world shall never be the same after this.

    --
    --- Will in Seattle - What are you doing to fight the War?
  30. Re:Simply Bad System Administration by pmc · · Score: 2
    Are there any security controls to keep unauthorized access from happening to the registry? Can you lock down individual hives or even the whole thing with specific access?

    Yes, you can lock down any key in the registry.

  31. Re:Russians by Fist+Prost · · Score: 2

    What kills me is the way C|Net blackened WINE developers after all the "Deplorable Acts of Corporate..." bleating from Ballmer, and the obligatory reference to Linux. Safe to say that while there are probably hundreds of thousands of people who would love their copy of Whistler source, anyone doing any serious development of a project involving, say, reimplementing the Microsoft API wouldn't want to be in the same building as a stolen copy of code, let alone look at it. Especially after the whole thing with Kerberos.

    Wouldn't it just suck to be a WINE developer and wake up one morning with a copy of pilfered source in your inbox, and the FBI knocking to ask questions because they tracked it down from the sender's Russian address?

    --

    Fist Prost

    "We're talking about a planet of helpdesks."
    -Jaron Lanier
  32. Re:s/NT/stupidly trojan-enabled software/ by jafac · · Score: 2

    um not so simple. Windows Shell Scrap allows an author to "hide" executable code in a file that looks like a text file -

    For instance, stages virus was actually Stages.txt.vbs. In Outlook, it looks like Stages.txt. If you save it, in explorer, it looks like Stages.txt (even if you told explorer to show all extensions - this is a hidden exception, even Windows Power Users are fooled by this, ironically, your only saving grace is erp! DOS!).

    So you see this innocent looking .txt file, you know better than to view .doc files, because you know they have Macros that can be viral. But you open this .txt file, in Notepad, no less, and it executes. You see a little system activity for a few moments, and nothing else, you're infected, and you've just emailed 150 of your closest colleagues the same garbage.

    No other mail client will hide the .vbs extension.

    Now, you CAN tell Outlook to warn you when it runs executable content from an untrusted source, but the problem is, it SHARES these security settings with Explorer, so if you do this to secure Outlook, you hobble Explorer, which will no longer run javascript from untrusted sources, which amount to like 90% of the websites you're likely to visit.

    This is complete horseshit, and there's no excuse for a feature like this.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  33. Re:Russians by Fist+Prost · · Score: 2

    And you would do what exactly with that steaming pile of crap that it is? Have you heard the expression tar baby before? Once you've even glanced at something like Whistler source, everything you code involving Windows (think WINE or plex86 here) would be suspect. The worst thing you could possibly do to hurt the OSS movement would be to wantonly distribute something like that. Better to just burn it and pass it around on unmarked CD's if that's your plan.

    --

    Fist Prost

    "We're talking about a planet of helpdesks."
    -Jaron Lanier
  34. How'd they get username/passwords? by Molesworth · · Score: 2

    I'm interested to hear how the trojan got access to the usernames/passwords - these were sent back to the crackers periodically via email.

    Simply sniffing keystrokes in usermode wouldn't have allowed the login keys to be captured (because the logon process runs under a different session), however passwords used for "net use" connections (i.e. connecting to file shares) could be visible (I'm not sure, though)

    Sniffing the network requires admin rights (like Unix) and would only give you access to encrypted Kerberos tickets...

    Any other ideas on how they did it ?

    --
    Yesterday I woke up sucking a lemon...
  35. Never mind the source code by mOdQuArK! · · Score: 2

    It's probably wise to check the source code for changes, but what they REALLY need to check is their compilers!!

  36. Re:See what happens when you rely on NT by jafac · · Score: 2

    Outlook's preview-mode and auto-running of attached code takes the human link out of the chain.

    This stuff is enabled by default. That, along with the shell scrap crap (that hides the executable code inside what looks, to the user, as a plain text file), is an inexcusable lack of conscientious software design.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  37. BSOD Colour Changing by highschool-bert · · Score: 2

    In system.ini, under the [386Enh] heading, type:
    MessageBackColor=(Hex colour of choice)
    MessageTextColor=(Hex colour of choice)
    Have fun.

    --
    WWLUG: Feed the penguin.
  38. I agree, let's get off this rock. by TheDullBlade · · Score: 2

    Slaves do not overthrow their masters. Occupied countries are never freed by resistance organizations, only by foreign armies or voluntary abandonment.

    There is nowhere left on Earth to run to. The tyrants are subtle in rich countries, and boldly open in poor countries; it's merely a question of whether you're a well-managed resource or a poorly managed one. Even the sea floor has been shared out between the great military powers in treaties, and they have the navies to enforce them.

    You can't beat 'em, most can't join 'em, the only option left is to run away, and the only direction left is up.

    --------

    --
    /.
  39. Let's remember the real victim here. by TheDullBlade · · Score: 2

    Somewhere, possibly in Russia, some poor, misled hacker now has to read MS source code.

    Poor bastard.

    --------

    --
    /.
  40. Neal Stephenson sez... by anonymous+cowerd · · Score: 2

    ...By clambering over this structure and going into these bright shapes, Hiro could probably uncover some of the code that makes Rife's network operate. He could, perhaps, try to hack it up, as Juanita suggested.

    But there is no point to messing with something he doesn't understand. He might waste hours fooling around with some piece of code only to find out that it was the software to control the automatic toilet flushers at Rife Bible College...

    I wonder what they found, those probing hackers. If it were merely bare source, Neal above suggests, nothing. Now if it were marketing documents, that would be something; and if it were legal documents relating to all that Federal fuss, well, this would be one interesting crack!

    Why did Microsoft tell, and what didn't they tell?

    Yours WDK - WKiernan@concentric.net

  41. Re:s/NT/stupidly trojan-enabled software/ by jafac · · Score: 2

    y'all better try again. Here is the registry hack to DISABLE this oh so useful (to virus spreaders) feature:

    delete the key HKEY_CLASSES_ROOT\ShellScrap\NeverShowExt

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
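The concern raised in the two jafac comments above (an attachment shown as Stages.txt whose real last extension is executable, and the NeverShowExt value that keeps some extensions hidden) is the kind of thing a mail gateway can check by name before delivery. This is an added Python example, not code from the thread or from any product named in it; the extension lists, function names and sample filenames are assumptions constructed for illustration, and it goes beyond the thread by also flagging whitespace padding and invisible control characters.

```python
import re
import unicodedata

# Assumption: extensions this example treats as directly runnable on Windows.
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "exe",
                   "com", "scr", "bat", "cmd", "pif", "lnk", "shs", "shb"}
# Assumption: file classes that carry a NeverShowExt registry value, so the
# shell hides the extension even when "show extensions" is switched on.
NEVER_SHOW_EXTS = {"shs", "shb", "lnk", "pif", "url"}
# Assumption: extensions a reader takes for harmless data.
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html", "mp3"}
RISKY_EXTS = EXECUTABLE_EXTS | NEVER_SHOW_EXTS


def _normalise(filename):
    """Return (name without control/format chars, same minus trailing dots/spaces)."""
    visible = "".join(c for c in filename
                      if unicodedata.category(c) not in ("Cc", "Cf"))
    # Windows ignores trailing dots and spaces when it resolves a file name.
    return visible, visible.rstrip(" .")


def extensions(filename):
    """All dot-separated suffixes, lower-cased; the last one decides the handler."""
    _, name = _normalise(filename)
    return [part.strip().lower() for part in name.split(".")[1:]]


def name_as_shown(filename, hide_known_types=True):
    """Approximate what the user sees: the final extension is dropped when
    known types are hidden (the default) or when the type is always hidden."""
    _, name = _normalise(filename)
    exts = extensions(filename)
    if exts and (hide_known_types or exts[-1] in NEVER_SHOW_EXTS):
        return name.rsplit(".", 1)[0].rstrip()
    return name


def inspect_attachment(filename):
    """Classify one attachment name as allow / quarantine / block, with reasons."""
    visible, name = _normalise(filename)
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    reasons = []
    if visible != filename:
        reasons.append("control-or-bidi-characters")
    if name != visible:
        reasons.append("trailing-dots-or-spaces")
    if re.search(r"\s{3,}", name):
        reasons.append("whitespace-padding")
    if final in EXECUTABLE_EXTS:
        reasons.append("executable-type")
    if final in NEVER_SHOW_EXTS:
        reasons.append("extension-always-hidden")
    if final in RISKY_EXTS and any(e in DECOY_EXTS for e in exts[:-1]):
        reasons.append("decoy-double-extension")
    if final in RISKY_EXTS:
        verdict = "block"
    elif reasons:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"shown_as": name_as_shown(filename), "verdict": verdict,
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample names; only the first appears in the thread.
    for sample in ["Stages.txt.vbs", "notes.txt.shs", "report.txt",
                   "invoice.doc        .exe", "photo\u202egpj.exe", "readme.txt."]:
        print(repr(sample), inspect_attachment(sample))
```

Calling `name_as_shown(name, hide_known_types=False)` models a desktop with "show extensions" switched on: a `.vbs` suffix is then displayed, while the always-hidden types are still dropped.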
  42. Re:Maybe this is what sunk the Kursk by Mike+Buddha · · Score: 2

    I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win.

    1) How do you know that the majority of Slashdot READERS are brats if they are in fact reading and not posting? If you'd said the majority of /. posters were brats.. then I'd tend to agree with you.

    Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.

    2) How do you know that people like the tasteless, lame poster make up and support the open source movement?

    I think you're basing your opinions of a fairly large and diverse group of people on the actions of a few morons, who may or may not in fact be in support of Open source. I don't recall anything in that first offensive post that said anything about open-source software. I do recall some insensitive (and, quite frankly, LAME) humor about Microsoft's stability impaired operating system being responsible for the Kursk tragedy.

    You make these vast over-generalizations and your own prejudices shine through, overshadowing the original message: the original poster is a jerk.

    Please consider the targets of your message before you go off flaming good, undeserving people.

    --
    by Mike Buddha -- Someday the mountain might get him, but the law never will.
  43. do *not* ask for the source by criticalrealist · · Score: 2
    Do not post to this thread. Asking for that source is like asking for stolen goods. Under American law, that is a crime. You might not be prosecuted, but why take the chance? This is probably going to end up being the highest profile security crack for many years. The FBI is probably already swarming through slashdot and other hacker hangouts. I repeat. Do *not* ask for the source code. Also, do *not* encourage copycat hacks. That could also be a crime under American law.

    Just for the record, although I hate Microsoft Corporation and I support open source, a crime like this is still wrong. Crime does not pay.

    --
    I am not a lawyer.
  44. Re:security through obscurity by mattdm · · Score: 2
    Exactly. This is the reasoning behind the adage "security through obscurity is no security at all". It gives a false sense that no one could ever find the weaknesses, when in truth, it just means that only the bad guys know.

    --

  45. Re:Pulleth The Other One, it hath Bells On by Chops · · Score: 2
    Doom-saying is all fun and games, but please do try and stay within the bounds of reality...
    I agree with you and I hope that you're right, but remember that reality has very little to do with what happens inside a courtroom that has a technology case on its hands.
  46. Don't get Cocky by Forge · · Score: 2

    Don't get too cocky now. Remember that Microsoft's isn't the 1st "flagship" site to be cracked. In fact, I think Sun Microsystems and possibly IBM are the only ones that haven't.

    Slashdot was owned. Apache was defaced. Credit cards were stolen from some e-commerce places.

    Just be thankful the source code for Windows didn't leak out. It would be so horrible if it fragmented into various incompatible versions.

    Huh... What's that? It's happening already?

    Well, at least we don't have to suffer through the pain of reading that code.

    --
    --= Isn't it surprising how badly I spell ?
  47. Lots of sites get compromised... by jetson123 · · Score: 2
    Lots of sites get compromised. Most people just don't put important information on visible computers and they don't blame hackers when it happens--they fix it.

    Microsoft, on the other hand, inflates the importance of what happened. I mean, after all, who gives a damn about their source code? And then they are crying out for the FBI to help them track down the evil criminals, costing tax payers lots of money, rather than admitting that they did something stupid, fixing their processes, and moving on.

  48. The heart of the problem... by guynorton · · Score: 5

    This quote taken from the Yahoo coverage..

    "The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"

    Who is 'unscrupulous'? The company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.

    I think this quote basically sums up the whole open source/closed source debate.....

    Guy

  49. "If It can happen to Microsoft" by Felinoid · · Score: 2

    I work nights so I woke up to the radio news about this and an expert saying "If this can happen to Microsoft it can happen to anyone"

    I step back and think.. isn't this sort of the way Microsoft responds to everything?
    If it's a problem on Linux or Unix its unique to Unix or Linux.
    But if it's a problem on Windows it can happen to anyone.

    E-mail viruses.. ANYONE can have e-mail viruses (Note in the 1980s Unix experts were saying Unix was immune to viruses.. This is far from a unique claim.. Mac users made the mistake of razzing Dos for viruses... forgetting that everything that made dos viruses possible was present in MacOs.. however absent from anything else)

    Back doors are supposedly unique to open source yet back doors usually happen as a result of an employee not the result of an unknown coder submitting code.

    Anyway... look for the spin.. any time Bill Gates gets hit with a pie in the face we are told we are all hit with a pie in the face..
    When Linus locks his keys in his car it's unique to Linus...

    Side Note: Anyone notice Bill Gates didn't throw a fit but USA, California, San Francisco Mayor Willie Brown did...

    On the other hand we do have a point to make...
    If Microsoft can't secure its own network should you trust them with yours?

    --
    I don't actually exist.
  50. You MUST BE WRONG by jetson123 · · Score: 2

    Microsoft explicitly stated that E-mail attachments are not dangerous because, after all, you don't have to open them. In fact, of course, it's common practice to delete all E-mail from people you don't know sight unseen. So, you must be wrong: Microsoft said so when the Melissa virus came around.

  51. Why? Because Microsoft said so. by jetson123 · · Score: 2
    It's not that there is some evil conspiracy to smear Microsoft. Microsoft does themselves in. After all, they claim near perfect security yet don't meet their own standards. They run off to the FBI to waste tax dollars on tracking down some teenager in Russia, and they are the ones that state that someone looking at Windows source code is the end of the world (as if anybody really cared).

    The attitude more commonly found among UNIX sysadmins seems healthier. Yes, we know it's buggy. Yes, we aren't perfect. And if it's broken, it's our fault, and we'll try to fix it. And let's try to keep important stuff somewhere nice and isolated.

  52. Can the Russian crackers tell us... by mwillis · · Score: 2

    What NSAKEY is all about anyway? Did MS lie, and leave a big fat backdoor for spooks? This is the only thing in the w2k source that even vaguely interests me.

  53. Integrity by Brett+Viren · · Score: 3
    From the MSNBC/WSJ article: ``We are confident that the integrity of Microsoft source code remains secure'', a Microsoft spokesman.

    Remains? Since when has there been any integrity to MS code?

  54. DNS entry also cracked by beebware · · Score: 2
    According to this article on The Register, Microsoft, Apple and AOL's DNS entry has also been cracked.
    Its DNS entry currently reads:
    MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
    MICROSOFT.COM.IS.RULED.BY.HACKERJACK.COM
    MICROSOFT.COM.INSPIRES.COPYCAT.WANNABE.SUBVERSIVES.NET
    MICROSOFT.COM.HAS.NO.LINUXCLUE.COM
    MICROSOFT.COM
    Apple's says:
    APPLE.COM.IS.THE.CHOICE.OF.ALL.SELF.RESPECTING.TERRORISTS.NET
    APPLE.COM
    and AOL's says:
    AOL.COM.KCAUTOWEB.COM
    AOL.COM.IS.REGULARLY.HAX0RED.BY.INSIDE-AOL.COM
    AOL.COM.EATMYSHIT.ORG
    AOL.COM.AMSLIQUIDATORS.COM
    AOL.COM
    Somebody has been busy...
    Richy C.
    --
    1. Re:DNS entry also cracked by Ranger+Rick · · Score: 3
      Jesus christ already, that's not cracking, I'm sick of seeing this "story"!

      All those are is host entries under, say, terrorists.net or hackerjack.com.

      If you have a DNS that is acting on behalf of registered domains, its IP address is registered to the registrar so their root servers can point to it.

      So if you say you have a DNS server called "microsoft.com.is.secretly.run.by.illuminati.terrorists.net" it will show up there.

      So can we agree that there's no "cracking" going on? Sure, it's a neat hack, but I've seen this thing in e-mails, on 4 different web "portals", and now in comments as well. Please, for the love of god, make it stop! :)

      --

      WWJD? JWRTFM!!!

  55. Re:See what happens when you rely on NT by Jason+Earl · · Score: 5

    It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.

    Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.

    Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

  56. Why MS Windows is a special case by Sloppy · · Score: 2

    Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility".

    That gullibility is manifested not just by the users' poor choices while using the applications, but in their poor choice of the applications themselves.

    how long before something like this happens on a Linux box?

    A long time.

    It's not so much due to any specific virtue of Linux, as it is due to selection pressure. On any non-MS platform, there is competition among applications. That means if some incredibly irresponsible app developer releases applications that treat data as code, they will be subject to market forces and backlash and their apps will not become popular among the users of that platform. Go ahead, write an email reader for Linux that executes scripts that are embedded in the emails that it displays, and see if anyone still bothers to use your program once this "feature" has become known.

    Whereas among MS Windows users, it's pretty much a given that you'll use Outlook, IE, Word, Excel, etc. regardless of whatever virtues or faults those apps happen to have. The flaws in the overall design philosophy (not just bugs) have been known for years, and yet people still use these apps.

    Every single application market other than MS Windows has selection pressure in the direction of increased security, and MS Windows does not. Until the market changes (i.e. Microsoft is hurt), Windows will have significant security disadvantages compared to every other platform.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  57. Re:What people are worried about by CharlieG · · Score: 2

    5) Or people hack on the source code, put in a nasty virus or trojan, and then distribute it as part of a shareware/freeware program, or hack the Microsoft site, and put it in as part of "Windows Update"

    A few weeks later, 50% of the world's PCs are wide open

    --
    -- 73 de KG2V For the Children - RKBA! "You are what you do when it counts" - the Masso
  58. Re:Source shenannigans. by divec · · Score: 2
    Surely the source code couldn't be used for anything other than blackmail?

    And making samba work with the secret protocols used by PDCs, and doing the same for Wine, and ...
    --

    perl -e 'fork||print for split//,"hahahaha"'

  59. Here's Windows source code by Molina+the+Bofh · · Score: 3

    Indeed, Windows source code leaked. Here's a fragment.

    void main()
    {
      while(!CRASHED)
      {
        display_windows_logo();
        display_copyright_message();
        display_bill_rules_message();
        do_nothing_loop();
        look_for_new_hardware();
        sleep(10);
        look_again_for_new_hardware();
        scandisk();
        if(detect_cache())
          disable_cache();
        if(first_time_installation)
        {
          make_50_megabyte_swapfile();
          do_nothing_loop();
          totally_screw_up_HPFS_file_system();
          search_and_destroy_the_rest_of_OS/2();
          hang_system();
        }
        write_something(anything);
        display_copyright_message();
        do_nothing_loop();
        do_some_stuff();
        if(still_not_crashed)
        {
          display_copyright_message();
          do_nothing_loop();
          basically_run_windows_3.1();
          do_nothing_loop();
          do_nothing_loop();
        }
      }
      if(detect_cache())
        disable_cache_again(); /*just to be sure*/

      if(fast_cpu())
      {
        set_wait_states(lots);
        set_mouse(speed,very_slow);
        set_mouse(action,jumpy);
        set_mouse(reaction,sometimes);
      }

      /*printf("Welcome to Windows 3.11");*/
      /*printf("Welcome to Windows 95");*/
      printf("Welcome to Windows 98");
      if(system_ok())
        crash(to_dos_prompt);
      else
        system_memory=open("a:\swp0001.swp",O_CREATE);
      while(something)
      {
        sleep(5);
        get_user_input();
        sleep(5);
        act_on_user_input();
        sleep(5);
      }
      create_general_protection_fault();
    }

    --

    -
    Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    1. Re:Here's Windows source code by Anders · · Score: 2

      Indeed, Windows source code leaked. Here's a fragment.

      Come on, that is getting to be a very old joke. It is about time that the syntax got correct.

      search_and_destroy_the_rest_of_OS/2();

      That would be search_and_destroy_the_rest_of_OS_2(); since a slash is clearly not allowed as part of a function name.

      basically_run_windows_3.1();

      Same deal, this time with a dot instead of a slash.

      system_memory = open("a:\swp0001.swp", O_CREATE);

      I do believe that the backslash would have to be escaped, making it "..a:\\swp...".

      There might be a few more syntax errors that I did not notice this time around. void main() is illegal C, but I believe Microsoft compilers accept it, so no need to correct that one.

      Making fun of Microsoft is great and all, but being binary only, Microsoft will have to make sure that Windows does at least compile. I think Linux is one of the only kernels that has a record of shipping with syntax errors ;-).
      --

  60. One more mark against proprietary software. by Brett+Viren · · Score: 2
    This development is a bad thing considering how much mission critical stuff, for good or ill, depends on MS software. Just think of all those stock market, insurance company, bank, and government computers running MS software. Now think of all that data under the control of an outside untrusted agent. It's enough to cause a bank run!

    However, as bad as this is, it is good for free software as it highlights the benefit of having access to the source and the drawback of proprietary software. It should be strongly stressed that this break in and possible insertion of back doors in literally millions of computers via MS software just underlines things we all already know: When the source is not open, the consumer has *no* way to prove its level of security.

    In the past MS and others have used the ``argument'' that having the source available to black hat hackers makes free / open source less secure. This (false) argument rested on the assumption that Uncle Bill kept MS source under lock and key. Today this argument is now doubly false.

  61. Re:See what happens when you rely on NT by jedwards · · Score: 2
    Outlook isn't a fault. Outlook just makes it easier to run attachments than other mail programs, that's all.

    If a bunch of Microsoft employees receive something which looks like notepad.exe in a vaguely plausible sounding message "This is the new version of notepad for Whistler, please test it" then someone is going to run it, whether they just click the link or have to manually extract and uudecode and unzip it. The hackers only needed one gullible person...

    Any e-mail software can receive executables, any person can run the executable without checking it. That's why there is software around to check for malicious code, and it didn't work.

  62. Re:The end of email-attachments? by image · · Score: 2

    This is obviously bait, but I'll bite.

    Do you have first-hand personal knowledge that Microsoft employees would do something "moronic" like downloading a trojan?

    As I've mentioned before, I used to be a program manager at Microsoft. As a whole, I found my co-workers there to be some of the most computer-literate, intelligent, and most capable people I've ever worked with (rivalled perhaps by my new company, Avacet). I can not think of a single one who was not educated about the dangers associated with blindly running executables that come in email.

    Also, Microsoft's network security was rather strong, especially considering that they have something like 25,000 employees worldwide and hundreds of thousands of machines to deal with.

    Seriously, feel free to critique MS technologies -- I do it myself all the time. But an uninformed criticism of everybody who works there is just inappropriate.

  63. Re:No Security on a Windows Network by cygnusx · · Score: 4
    There is no security on ANY network (though Windows is slightly more susceptible to cracks, that's all :-)). If cracking fails, there's always social engineering. You want security, go get a standalone computer. (and don't forget the Tempest shielding -- and the intrusion early-warning system and the leadlined safe.)

    Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility". And one reason (among many others!) why Linux/BSD was considered secure is that (1) users were much more sophisticated, and (2) the OS often compromised on security over 'ease-of-use'.

    Today, with Linux (not BSD though (thankfully!)) reaching more and more into the newbie space (I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind)), how long before something like this happens on a Linux box? Remember, there are a lot of newbies out there running Linux (and also Win2k/NT, for that matter) on their PCs with exactly one user account -- "root"! (or "administrator".)

  64. Re:This is obvious but... by clyons · · Score: 2
    But actual hackers? No self-respecting hacker would want or need to crib from Microsoft's notes. That would be like copying off the paper of the class idiot.

    Most class idiots aren't pulling down A's. Microsoft software is almost standard (as in, it's there and used) in business environment.

    As some people have pointed out, if someone makes the source to Microsoft software available, a whole pandora's box could open:

    • 3rd party programmers may be able to increase the stability and speed of their software under Windows.
    • By examining the source to say, Windows ME, Windows 2000, etc, we may have proof that Microsoft does or doesn't code their OS's to break specific pieces of software.
    • As others have pointed out, this break-in proves just how insecure NT is. However, if the source is published, it may be possible to make NT more secure.
    Of course, this makes it impossible for Microsoft to ignore obvious problems with Outlook running vbs scripts from an e-mail.
    --

    --
    Intelligence is definitely a recessive trait.

  65. What people are worried about by marnanel · · Score: 2

    It seems from reading the news articles that the writers don't agree on what's worrying about this. Is it worrying because...

    1. ...the crackers could have modified Microsoft source code? No. Look, does anyone believe MS don't use version control and offsite backups?
    2. ...the code could be used in other people's products without permission? Perhaps, but not much-- that's what Easter eggs are there to get in the way of.
    3. ...everyone will read the code and discover defects? That's a good thing-- after an initial phase of instability, Microsoft will have to bring out patches. It's the opensource idea of the collective benefit of having millions of eyeballs read your source (what ESR calls "Linus's law").
    4. ...people might discover that the source is flaky in places, badly designed and so on? That might be more of an embarrassment to MS, but there's little opensource software which doesn't have flaky parts, is there? And better that people know about it than not.
    --
    GROGGS: alive and well and living in
  66. Re:The spy in your Software by divec · · Score: 2
    you've checked every line of your linux kernel for back doors then, correct?

    Someone has. Well, not quite to the OpenBSD level, but each patch has been read by someone. And there is an unbroken patch link from linux 1.0 to current versions, so I guess the chances of those patches having been looked at are pretty high.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  67. Re:See what happens when you rely on NT by Anonymous Coward · · Score: 4

    Your naiveté makes me hope you never administer any network I use.

    The exact same type of crack could happen on ANY Unix machine, not properly safeguarded. Get an e-mail with a binary attachment, chmod 744 attachment, it runs, displays a really cool screen hack or small game of some type. It also spawns a child process, but you're probably unaware of this.

    This child process sniffs out passwords, because hey, any user account can sniff packets, not just root. People log into other computers, all the while this program gets user acct & password after user acct & password. It then sends out an e-mail to a remote address, listing all these new shiny user names & passwords, what machine they were connecting to, and voila, this cracker suddenly has user accounts. Now he's free to move onto higher level attacks.

    Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect its local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet.

  68. www.windows2000test.com finally hacked? ;-) by Jacco+de+Leeuw · · Score: 2
    So, was www.windows2000test.com (website now offline, mirror here) finally hacked? ;-)

    The award for the "hackme" LinuxPPC contest was that you could get the hardware, but I didn't know that with the www.windows2000test.com you would get the whole Windows source code! ;-)

    Jacco
    ---
    # cd /var/log

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  69. Re:Well, Ho Ho Ho by divec · · Score: 4
    This would have happened if they were using Linux, BSD or anything else.

    Well, y'd have to be running some program as stupid as Outlook, which runs arbitrary executable attachments, inside your supposedly "clean environment". I can't imagine a competent UNIX sysadmin would set things up this way.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  70. Re:See what happens when you rely on NT by log0n · · Score: 2

    "Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect its local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet."

    Very good point.

    I had the fortune of visiting the Microsoft Campus last year, and while there got a chance to go to the Museum they have. All of the computers in the lobby had internet access, yet they also had access to non-museum MS machines located around the campus. I know at least a few of them were probably not intended for public "consumption" due to the contents of some of the shared folders - nothing too fancy, but probably important stuff for MS.

  71. Re:This isn't good. by PigleT · · Score: 2

    > I'm a Linux user in all, but if MS fall I want
    > them to fall the right way and no other

    Precisely, couldn't agree more. Let them hang themselves, rather than someone coming along assassinating them.
    (Mind you, if it can be shown to have been an M$ product that was cracked, I'd feel justified in saying they had hung themselves :)

    > It's Illegal all I have to say about it...

    Well, there might be that.
    I think it's more to the point that you'd be breaking the license agreement by so doing, myself; laws come and go and we've got a shed-load of stupid ones doing the rounds just to prove the point, but settle for "right" and "wrong" instead. If you're doing what the license at the top of the source file says you shouldn't, you're doing the Wrong Thing(TM).
    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  72. some assumptions made here by twitter · · Score: 2
    1) People who know criminals are criminals. Sorry, wrong, we all know criminals and most of us want them in jail.

    2) The people who broke into MS are criminals. I'm not sure about this either. OK, they did break in and they did copy information, but we don't know much more than that.

    3)Judges are stupid. Nope, not always true. I doubt the fact that MS code was "stolen" will make all other programming illegal.

    4)MS code is worth copying. I don't need it, or Wine for that matter, do you?

    So, does this make MS open source?

    --

    Friends don't help friends install M$ junk.

  73. Re:See what happens when you rely on NT by hanwen · · Score: 3
    This child process sniffs out passwords, because hey, any user account can sniff packets, not just root

    Would you care to explain how?

    --

    Han-Wen Nienhuys -- LilyPond

  74. An orchestration to reinforce Anti-Hack Treaty? by ksan · · Score: 2

    The break seems too weak to believe. Doesn't it seem like orchestration with the government to reinforce the Anti-Hack Treaty? Showing such a case to Europeans and other signatories may be a good reason. You cannot forget that the government of the USA entered World War II alleging that a ship was sunk by a German sub and it was not true.

  75. Re:Should I release the code? by fredrik70 · · Score: 2

    sourceforge purrhaps???

    --
    if (!signature) { throw std::runtime_error("No sig!"); }
  76. Re:Banks don't use Microsoft by Salsaman · · Score: 3

    Actually quite a few banks use unix for their core systems. I worked at places which use RS/6000's running AIX.

  77. Re:Could it be a source of problems for Wine & Co. by divec · · Score: 2
    I can't believe that Microsoft would ever admit it has been cracked and their sources were stolen unless there is some advantage in doing so. Do you?

    If their shareholders found out they'd been keeping it secret, then the directors could go to jail.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  78. Gates said "Blame Linux developers!" by billcopc · · Score: 3

    "the company couldn't say one way or the other whether source code had been stolen."

    In other news, a new build of Wine was released today boasting 100% emulation of the Windows environment at native speeds. When asked to comment, the dev team replied "We could tell you how we did it, but then we'd have to kill you".

    (note to morons : go check on freshmeat just in case!)

    --
    -Billco, Fnarg.com
  79. News Flash from Russia! by DrQu+xum · · Score: 4

    St. Petersburg (!AP) -- St. Petersburg police have found the bodies of three young computer experts. The three were found in one of their apartments, lying on the floor in front of their 486 running SuSE Linux.
    "Our police experts stated that they were those who broke into Microsoft's servers and stole large amounts of code", says a police agent via translator. "Experts were able to tell from lengthy headers, pointless libraries, and pointers to nowhere-in-particular that this must be actual code for Windows 2000's successor."
    After a preliminary exam, forensic pathologists state that their deaths were all caused by ruptured lungs.
    "If I didn't know better, I would think that they would have died laughing", said the pathologist.
    One of the police experts who determined that the code was in fact Microsoft's also began laughing uncontrollably, and was rushed to a nearby hospital. He remains in serious condition and on heavy sedatives.

    --
    DrQu+xum: Proof that the lameness filter doesn't work.
    1. Re:News Flash from Russia! by DrQu+xum · · Score: 2

      Was ist das nurnstuck git und slotermeyer?

      "It was a fantastic success, over 500 Microsoft employees were released, and one that Bill Gates could not match."

      "Paul Allen has no nose"
      "How does he smell?"
      "Awful"

      --
      DrQu+xum: Proof that the lameness filter doesn't work.
  80. "...we invented Software Theft?" Hear me out... by American+AC+in+Paris · · Score: 4
    Y'know, it may not be in the Open Source community's best interests if the source code for MS' OSes gets stolen and released into the wild. Regardless of how sweet the irony looks from here, what kind of influence would it have on the Open Source movement if the first thing people associated with "Open Source" was "Oh, like those guys who broke into Microsoft and stole their code, right?"

    Al Gore has the quote "I invented the Internet" fused to his name. It's been used time and again to demonstrate Gore's penchant for hyperbole, his untrustworthiness as a leader. Many of you probably already know, though, that Gore never actually said that he created the Internet, but rather that he was the key political figure in the early days of funding the Internet (still an inflated claim, but nowhere near as sensational as the other.) Does the fact that he never actually said what countless media outlets attribute to him, often as a direct quote, make any difference whatsoever to his image and reputation? Nope. The media and his opponents decided to nail him to the wall with a hyperbole of their own, and with a bit of hard work and luck, it has become Truth. Truth, in that wonderful Orwellian fashion of 'if all official sources report the lie as the Truth, then the lie becomes the Truth, and the truth a lie.'

    It wouldn't matter how much you or I knew the truth, much like it doesn't matter that Al Gore never actually said that he invented the Internet. The Sheep and PHBs everywhere will swallow whatever pill they're given, and you can bet dollars to donuts that the story line wouldn't play out in favor of Open Source. If you think it's hard to convince your superiors to utilize an Open Source model now, try and imagine the brick wall you'd hit with your boss' brain automatically substituting "what happened to that stolen MS code" for "Open Source".

    For the moderators out there, I'm not saying that I think Open Source is theft, just so that's sufficiently clear. I'm just saying that it's worth considering the damage that the mass media PR monster could do to the Open Source movement, especially in light of the fact that most major media outlets are heavily invested in (and guided by) large, mean corporations. Think about it.

    --

    Obliteracy: Words with explosions

  81. lame media by Cally · · Score: 3
    As always on the occasions when some tech story is big enough to make it into the mainstream media, we get to cringe at their awful attempts to explain things to the general public which they don't understand themselves. I woke up this morning to hear a BBC radio interviewer asking "so what are these source codes? are they like blueprints?"... discussion then proceeded to the topic of could the 'hackers' have planted "a virus or bug"[sic] in Windows? "Yes", said their expert, "and that could be included in every copy of Windows shipped from today!" ARRRRGGGHHHH.

    Perhaps this is a UK-only phenomenon. Eventually the BBC etc might stop assuming that their audience thinks of computers as huge semi-sentient boxes with spinning tape drives and flashing lights that talk to their operators. Or that Microsoft are the best and only software source in the world. ("How could this happen to Microsoft of all companies?" asked the same interviewer.)

    And the use of "hacker"...
    /me goes up in a puff of unsmoke.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  82. yooo - hooo! by twitter · · Score: 2
    You and your peers may be very bright, but can you vouch for everyone? Don't you know anyone dumb enough to have a downloaded screen saver, pointer cartoon program, or any of these other stupid things people pass around and execute without worry? Come on.

    I work with bright people too who don't know any better. On an MS box that screen saver runs as root, but most don't know what that means. Someone who does not program and has never been exposed to *nix would not. They have been assured that their data is safe and trust that it is. That's the way it goes.

    MS employees might better know their software than people who listen to the MS sales department but, again, can you vouch for everyone? From Bill down to secretaries and janitors on the night shift? I don't think so.

    --

    Friends don't help friends install M$ junk.

  83. Re:The end of email-attachments? by Pfhreakaz0id · · Score: 2

    WOW! Have you been on slashdot very long? It's very appropriate here.
    ---

  84. That's absolutely crazy thinking. by drsoran · · Score: 2

    Now that you mention it though.. it is kind of odd that only a couple of days ago we read that Wine can now run Microsoft Word 2000 and Excel 2000. Coincidence? :-)

    1. Re:That's absolutely crazy thinking. by logicTrAp · · Score: 2

      Wine's running Diablo II perfectly as well, without any Windows DLLs for me whatsoever. I tend to think that looking at the history of Wine it would be hard for Microsoft to be able to claim any sort of collusion. It's really a tribute to the Wine team that they've been plugging at it for 5 years and it's now bearing some real fruit.

  85. Re:This could be VERY bad by Our+Man+In+Redmond · · Score: 2

    I'm certain a group of 31337 h4x0r2 in St. Petersburg will be deterred by an American law against breaking into computers.

    I know, I know, you can't expect to make sense of laws related to computers or efforts by the clue-challenged to pass them.
    --

    --
    Someone you trust is one of us.
  86. Re:Childish attacks unnecessary by johnnyb · · Score: 3

    You really need to think before posting. Most of the security compromises you list for Linux are _local_ compromises. That means, you must already have a shell to do them. If you have a shell on Windows, getting root is even easier, unless you have all of the security updates. When NT4 was first released, almost every kernel call did not do proper checking, and you could compromise security with _any_ kernel call. As far as _network_ security goes, securing Linux is just like securing any other OS - you check the network programs. The way you secure the console is by simply removing unwanted SUID programs. With Windows, you can assume that if someone is at the console or telnetted in (which you _can_ do with the proper software), you should assume they have administrator privileges. As far as security advisories, most Linux security advisories come from the people developing the code, not from being cracked. This means you get to secure your machine _before_ script kiddies get their hands on things. With NT, the advisories are normally based on someone actually being cracked. Please think before posting, and make sure you understand the topic at hand.

    I'm not even trying to say "Linux is better than Windows" with this post. I'm just pointing out that your arguments are comparing apples to oranges (network security to local machine security, and published exploits to theoretical problems).

  87. Re:Open Sourcing Windows... by StarFace · · Score: 2

    Not even close. We figured it out, if you take all 60 million lines of code and shrink it small enough to print onto (let's be generous) 15 feet of cloth, the font size would be about 13 atoms tall. Given the nature of cloth, hardly any of the "paint" would actually end up on the threads. Most would fall through the holes. You would in fact get a tshirt that was kinda stiff, and solid white.

    --
    V
  88. If I were Ballmer I'd... by hey! · · Score: 3

    order the biggest freakin' code review in history.

    If I were a hostile cracker, I wouldn't go the "data hostage" route -- too risky. The police will follow the money.

    Instead, posing as an engineer, I'd slip a few buffer overrun vulnerabilities, just where I could use it. Knowing the cruftiness of MS operating systems I'd have my own private back door into any system shipped with Windows for years to come.

    Give a man a fish, and he'll eat for a day. Hand a fisherman a crate of hand grenades and he'll catch all the fish in the river.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  89. Childish attacks unnecessary by Carnage4Life · · Score: 4

    I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.

    For those that believe *nix is somehow more inherently secure than Windows here are a few sources that may refute that claim. The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites have been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's search engine comes up with 84 downloadable exploits for Linux versus 39 for Windows.

    The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.



    Second Law of Blissful Ignorance

    1. Re:Childish attacks unnecessary by jbarnett · · Score: 4


      The point is this.

      1) Microsoft has complete unrestricted access to their own source

      2) Microsoft is a billion dollar company and A LOT (at least in their eyes) is at stake

      3) They have enough money to hire decent security officers

      4) These well-paid security officers should have secured the system and network

      5) With people hired for the sole purpose of securing the network, the network should be somewhat more secure, no matter what OS they are running.

      6) Why are their development/source code computers even available on the Internet? Anyone ever hear of firewall or internal network? Anyone think about just unplugging the T1 from the internal network? Anyone think about requiring the security admins to read "Intro to network security"??

      I am sorry to say, but this crack looks "so seventh grade or something"

      7) Should Microsoft employees know how to use what software they are required to for their job (i.e. Outlook)? Shouldn't Microsoft employees be educated about basic security?

      8) Where is any monitoring? "Hey Network Admin Bob, some IP in Russia has been downloading megs of stuff from one of our internal machines? Is that normal?"

      Microsoft views the security of their source code as "high value", they see the closedness of their source as their cash cow, yet they let someone 0wnZ them so easy.

      I am not saying NT or W2k is more secure than Unix, etc, that is a broad and misleading statement. I am not saying Unix is more secure than NT, that is also too broad and misleading.

      What I am saying is that any decent OS (this includes NT, W2K) should not even have had the chance to be owned like this. If their network was setup right, you could have had the most insecure OS running with default uid/pass for admin access and should not be exploitable like this (at least from the internet).

      It boggles the mind.

      It's not even like a 31337 crack, it is "hey I downloaded all these programs off the internet, you want to 0wnZ M$?"

      The problem isn't with what OS it is running, the problem is that 1) the network admins know nothing about security 2) the system admins know nothing about security 3) the users know nothing about security.

      Even if they were running an "Ultra Secure" *cough*OpenBSD*cough* OS, if they hook their "important machines with highly classified information" up to the internet, they are just ASKING for trouble...

      And someone please explain to me why the SYSTEM ADMIN was checking his email with the ADMIN account on a SECURE MACHINE. Then running an unknown program as ADMIN user!

      That is like a unix admin, going to a secure unix box, logging in as root, checking his email with root, then running an unknown program as root, this mind boggles.

      Do the people in Redmond even know how to use their own damn OS? Maybe they should require all employees to get MCSE or something...


      --

      "`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
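
The monitoring question in point 8 of the comment above, as an added example that is not part of the original post: Python that totals the bytes leaving a restricted subnet per external destination and flags totals over a threshold, so several modest transfers to one outside address still add up to an alert. The flow-record format, the subnets and the 5 MiB threshold are assumptions, and the records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: timestamp, source IP, destination IP, bytes sent.
# The format is an assumption; external addresses use documentation ranges.
SAMPLE_FLOWS = """\
2000-10-20T02:10:58 10.1.5.23 10.1.9.8 52428800
2000-10-20T02:11:09 10.1.5.23 198.51.100.77 2097152
2000-10-20T02:14:31 10.1.5.40 203.0.113.9 1024
2000-10-20T02:19:45 10.1.5.23 198.51.100.77 2097152
2000-10-20T02:20:02 10.1.7.2 198.51.100.77 52428800
this line is malformed and must be skipped
2000-10-20T02:25:00 10.1.5.23 not-an-ip 999
2000-10-20T02:31:17 10.1.5.23 198.51.100.77 2097152
"""

# Hypothetical address plan: everything in 10/8 is internal, and
# 10.1.5.0/24 holds the machines that should never talk to the outside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RESTRICTED_NETS = [ipaddress.ip_network("10.1.5.0/24")]


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping unparsable lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)
        except ValueError:
            continue


def egress_alerts(text, threshold_bytes=5 * 1024 * 1024):
    """Return restricted-host -> external-destination pairs whose summed
    outbound volume meets the threshold, largest first."""
    totals = defaultdict(int)
    counts = defaultdict(int)
    first_seen = {}
    for ts, src, dst, nbytes in parse_flows(text):
        if not in_any(src, RESTRICTED_NETS):
            continue  # only restricted machines are in scope here
        if in_any(dst, INTERNAL_NETS):
            continue  # internal transfers are expected
        key = (str(src), str(dst))
        totals[key] += nbytes
        counts[key] += 1
        first_seen.setdefault(key, ts)
    alerts = [
        {"src": src, "dst": dst, "bytes": total,
         "flows": counts[(src, dst)], "first_seen": first_seen[(src, dst)]}
        for (src, dst), total in totals.items()
        if total >= threshold_bytes
    ]
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in egress_alerts(SAMPLE_FLOWS):
        print(alert)
```
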
    2. Re:Childish attacks unnecessary by Carnage4Life · · Score: 2

      You really need to think before posting. Most of the security compromises you list for Linux are _local_ compromises. That means, you must already have a shell to do them.

      And your point? The Microsoft crack was most likely a Trojan (i.e. local compromise) as opposed to a deliberate network hack into the system. Secondly you are incorrect in stating that I listed mainly local compromises, there is a liberal smattering of both types of compromises in my links (defaced web page count, SANS top ten list, rootshell exploits, etc).

      Frankly resorting to personal attacks when it is clear that you didn't bother checking the links in my post, shows who indeed is the person who doesn't think before posting.

      Second Law of Blissful Ignorance

    3. Re:Childish attacks unnecessary by Znork · · Score: 2

      As unreliable as the defacement statistics are, you should actually look at the page. NT has a good solid upward trend again, and linux sinking.

      Factor in the number of sites running either and it's not a very pretty statistic for NT.

  90. Bad Day for Bill by Chitlenz · · Score: 4

    AVAILABLE - Slightly frazzled security Admin seeks Immediate Position after undertaking impossible task at unnamed Redmond, WA. employer. Canned due to circumstances beyond control. Will take any offer not relating to windows. Added Plus - Able to interpret arcane source code for popular and possibly unintentionally Open Source Operating System (you hear that Larry E.?). Used to long hours and sleepless nights, anything's a change for the better. Looking for stock options (in a company that's still gonna be worth something in a month).

    --
    Imagination is the silver lining of Intelligence.
  91. Re:See what happens when you rely on NT by jedwards · · Score: 2

    See what happens when you rely on InoculateIT / Innoculan AntiVirus software. It missed a common trojan for 3 months. Oops.

  92. "Why they stayed for 3 months?" explained by Boomer3000 · · Score: 2

    Apparently the hackers were looking for some good or brilliant source code, and they weren't able to find it. This explains also why Microsoft persons are sure that source code wasn't compromised: "It's impossible to make it worse than that" one spokesperson said.

  93. Re:See what happens when you rely on NT by Alternity · · Score: 3

    This has nothing to do with the OS used. It's an employee who introduced the Trojan by opening an attachment.

    Once again this proves the weakest link in any security is the human factor.


    "When I was a little kid my mother told me not to stare into the sun...

    --


    "If liberty means anything at all, it means the right to tell people what they do not want to hear"
  94. Security 101 (or rather, RFC 2196) by juliao · · Score: 2
    While there is no evidence that any changes have been made to the codes, and experts characterized such a risk as remote
    Makes you wonder.
    Weren't those same experts characterizing the risk that someone broke into their network as "remote", too?

    Everyone knows the standard procedure for security break-ins. Isolate all machines, compare all binaries to archived copies, etc, etc.

    RFC 2196, now does that ring a bell?

    But of course not, it's going to be "bad hackers versus oh-so-nice Microsoft" all over again. Microsoft's software and OS design lacks in security, but guess what, it's going to be someone else's fault...
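
The "compare all binaries to archived copies" step from the comment above, as an added example that is not part of the original post: Python that hashes every file under a known-good archived tree and under the live tree, then reports what was modified, what is missing and what is unexpected. The directory layout and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each relative path under root to a fingerprint.

    Symlinks are recorded by their target instead of being followed, so a
    binary swapped for a link to something else shows up as a change.
    """
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
            else:
                manifest[rel] = hash_file(full)
    return manifest


def compare_to_archive(archive_root, live_root):
    """Compare the live tree against the archived known-good copy."""
    known = build_manifest(archive_root)
    live = build_manifest(live_root)
    return {
        "modified": sorted(p for p in known if p in live and known[p] != live[p]),
        "missing": sorted(p for p in known if p not in live),
        "unexpected": sorted(p for p in live if p not in known),
    }


def _write(root, rel, data):
    """Helper for the demo: create a file with the given bytes."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "archive")
        live = os.path.join(tmp, "live")
        # Archived known-good copies (constructed contents).
        _write(archive, "bin/login", b"login build 1")
        _write(archive, "bin/ls", b"ls build 1")
        _write(archive, "lib/libc.so", b"libc build 1")
        # Live system: one file changed, one gone, one that was never archived.
        _write(live, "bin/login", b"login build 1 (changed)")
        _write(live, "bin/ls", b"ls build 1")
        _write(live, "bin/extra", b"not in the archive")
        return compare_to_archive(archive, live)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the machine running it, so run it from a clean system with the suspect disk mounted read-only, not from the suspect host itself.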

  95. Pulleth The Other One, it hath Bells On by henley · · Score: 3

    Any project started within the last 3 months may be potentially vulnerable to a legal Denial of Service attack, yes.

    I refuse, however, to believe that there's a Court of Law in the world that's bone-headed enough to believe that project X, running for Y years and fully documented in that time as an open project (cf WINE), has benefited from the unrelated, unadvertised and recent breaking out of MS source code.

    Come on.. Doom-saying is all fun and games, but please do try and stay within the bounds of reality...

    --

    --
    I'd rather have a bottle in front of me than a frontal lobotomy
  96. Sealand by acb · · Score: 2

    All MS would have to do is persuade the government that it is in the interests of the US New Economy and the perpetuation of the Long Boom to drop a few laser-guided fuel-air explosives on Sealand.

    1. Re:Sealand by Chalst · · Score: 2

      The British government has just the right combination of spinelessness
      and crawling to the US to let it pass.

  97. Reichstag Fire by Deskpoet · · Score: 5

    This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.

    Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occured doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.

    I don't think the possibility that this is a way for Microsoft to reign in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.

    I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.

    Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this in such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.

    By the way, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here for more information.

    --
    "The more corrupt the state, the more numerous the laws."--Tacitus, The Histories
    1. Re:Reichstag Fire by mattdm · · Score: 2
      Users never learn. Operating systems/environments and apps (this goes for Linux too) need to take some responsibility for making sure this never happens.

      --

    2. Re:Reichstag Fire by Hard_Code · · Score: 2

      Microsoft lives and dies by its stock value. I don't think there is any chance they'd jeopardize that on purpose.

      --

      It's 10 PM. Do you know if you're un-American?
    3. Re:Reichstag Fire by jafac · · Score: 2

      It is, and always has been in Microsoft's best interests (as far back as Bill Gates' Micro-soft open letter to the hobbyist community regarding "software piracy") to raise public hysteria against hacking and piracy to a fever pitch, in order to justify laws like UCITA and DMCA, which put all the cards in their hands, and out of our hands.

      We stand at the brink of the beginning of a dark, dark, age. I don't believe there is anything that can be done about it. Those of us who want to preserve our freedom are going to necessarily have to become outlaws, and perhaps fight a guerilla war, or possibly fight from inside. (the stories I've read about the whole Intel/Rambus fiasco, and internal rebellion have kind of made me feel less pessimistic).

      At least crypto is free. We have that small victory. But everything else seems to be going to hell.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  98. Redhat Cracked by ahaile · · Score: 5
    Durham, Oct 27 -- The linux world is in a tumult today after a report claiming hackers broke into the corporate network of industry leader Redhat. The report, published on the internet by a pseudonymous "BG", purports that "lots and lots" of hackers outside the Durham-based organization have been "stealing intellectual property" from the company for "a whole lot longer than three months." Redhat officials appear to be stonewalling on the issue, responding to questions with a baffled look and the reply, "What the hell are you talking about?"

    According to the report, unknown hackers managed to procure a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.

    One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.

    Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.

    The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"

  99. A moment of enjoyable, paranoid speculation by Badgerman · · Score: 2

    Considering the antitrust case going on, can Microsoft leverage this to show that Windows "now isn't closed" and "the code is in the wild" and thus claim they shouldn't be treated as a monopoly?

    Could this have been "allowed" to happen? Note there seems to be a great deal of confidence no source code was changed, just code stolen.

    Not rational speculations, of course, merely interesting ones to explore the depths of paranoia.

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  100. If only... by Brian+Knotts · · Score: 2
    ...this could somehow persuade IT managers to *finally* begin diversifying their networks, it could turn a negative into a positive.

    Although I could see how some people might not see this event as a negative to begin with. :-)

    --

  101. This is a conspiracy . . . by acceleriter · · Score: 2

    . . . for Microsoft to be able to explain the back doors they have placed in software when they get found. Golly! There's a back door in Win2K?! Those nasty Russian Mafia people must've put that there. We'll comment that out, er, uh . . . remove that in the next service pack!

    --

    CEE5210S The signal SIGHUP was received.

  102. Open Sourcing Windows... by The+Dodger · · Score: 4

    If the hackers release the source into the "wild", we're likely to see a similar situation to DeCSS - anyone who hosts or links to the source code for Windows or any other Microsoft software will have the full force of Microsoft's legal vultures brought to bear upon them.

    Wonder if HavenCo would host it. That would mean a real, live-fire test of SeaLand's sovereignty - if Microsoft can't beat them, then no one has a chance! :-)

    D.

    1. Re:Open Sourcing Windows... by bilgebag · · Score: 5

      First one to submit a patch gets to pick a new default colour for the Screen Of Death...

    2. Re:Open Sourcing Windows... by rdl · · Score: 5

      It's not against our AUP.

      We as a company are not in favor of software
      piracy, so we certainly wouldn't help, but if
      a customer wanted to host stuff like this, we can't really say it's against our AUP.

      (I personally think MS source code would be a
      waste of space, a thousand monkeys and all that...)

    3. Re:Open Sourcing Windows... by Erasmus+Darwin · · Score: 2

      Which brings up an interesting circumvention technique. If you were to hypothetically assume that a pool of open source developers were all able to get their hands on the Windows source, could they sneak around the law by releasing some sort of diff (probably something other than 'diff -u', given that that tends to include original code)? Maybe an XOR scheme with some heavy versioning magic? It obviously wouldn't stop the entire source distribution or the resulting build from being illegal, but it might be just enough of a gray area to get a public collaborative effort going. windows.sourceforge.net, anyone?

    4. Re:Open Sourcing Windows... by JayBonci · · Score: 2

      Except that they would lose. And I mean bad. Someone broke the law. It's totally different. It's not like someone reverse engineered the Windows Kernel. Someone stole the source. If you accepted it, you could go to jail. It's stolen property, regardless of what you think of Microsoft.

    5. Re:Open Sourcing Windows... by nick_davison · · Score: 5
      we're likely to see a similar situation to DeCSS

      How the hell am I going to get all that bloatware on the back of a t-shirt?!

  103. This is obvious but... by K8Fan · · Score: 3

    ...what in the hell would hackers want with Microsoft's plans? Script kiddies, sure. Crackers, of course. But actual hackers? No self-respecting hacker would want or need to crib from Microsoft's notes. That would be like copying off the paper of the class idiot.

    --
    "How perfectly Goddamn delightful it all is, to be sure" Charles Crumb
    1. Re:This is obvious but... by jrumney · · Score: 5

      Hackers huh? Hopefully they'll fix some bugs before they give it back.

  104. Save Face by jjr · · Score: 2

    I wonder what now Microsoft has to do to save face in light of these actions being taken against them. As a big player in the world of software this will hurt a lot of their products. For instance, if the source code for IIS was stolen I feel really bad for people who run NT servers; they could find exploits even quicker, and I would think it would be harder for Microsoft to fend off these types of attacks.

  105. Not everyone by twitter · · Score: 2
    Nothing, open source can't compete on this level unless it incorporates itself under law, and the pseudo-communistic rantings of gurus like Stallman will prevent this from ever happening.

    Sorry, greedy little troll, RMS does live within the law and FSF software has nothing to fear at all from this BS.

    --

    Friends don't help friends install M$ junk.

  106. Re:See what happens when you rely on NT by Eric+Gibson · · Score: 2

    Why was this modded to insightful? Any UNIX machine wouldn't have a mail client that automatically runs executables attached to email. On a default install for most UNIX what mail clients do you have? pine, elm, maybe mutt? In each of these files you could have to go out of your way to save the file, chmod it, then run it. Anyway, since when is Microsoft's intranet not invisible to the internet?

  107. More linkages (and details) by beebware · · Score: 3
    More details are available from:

    Richy C.
    --
  108. Re:Well, Ho Ho Ho by Shotgun · · Score: 2

    It doesn't matter what OS you're running or what Email proggy you use if the person is dumb enough to run random executables.

    But what happens when an email program provides a preview feature that will open an email and show you the first few lines and an auto-execute feature that will run an arbitrary program when the email is opened?

    What happens when both features are enabled out of the box? Is a heart surgeon to be called stupid because he spends his days reading up on heart surgery instead of all the intricacies of computer security?

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  109. Re:Going to affect everyone by Salsaman · · Score: 2
    "Microsoft can sue anyone who looks like they have a copy of their code (Wine), and what are they going to do?"

    Erm, ask for proof ?

  110. Not A Good Thing by pokrefke · · Score: 5

    No matter how much you think Bill Gates is the anti-christ or hate Windows, this is most assuredly NOT good news. The judges, the lawyers, and the law enforcement that will certainly become involved in this case will look at one point, and one point only: someone broke the law. Know what else? They don't understand you, and they don't care that you want Wine to work better or an Open Source Windows.

    In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.

    Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.

    Even more worrisome is the opinion of the everyday, ordinary citizen. Some of which have made money off MS stock. Many of which use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will support it, because it makes, at least in their mind, the online world a safer place.

    So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.

    Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.

    Disclaimer: MY computer runs Linux/BeOS.

  111. The saddest quote on the MSNBC site... by Invicta{HOG} · · Score: 2

    Other possible motives include economic espionage, though experts said only a rogue company might knowingly buy stolen software, using it either to improve its own products or make those products more compatible with Microsoft's best-selling operating systems.

    I'm not sure how you can label a company as ROGUE whose purpose is to provide more compatible software...maybe now we'll get open source windows...

  112. Re:Read the (full) Wall Street Journal Article by Anonymous Coward · · Score: 2

    If you make a public registration somewhere
    try/create standard cypherpunk/cypherpunk first. (or was it cypherpunk?)

    (Please mod up if you know what I'm talking about)

  113. Re:See what happens when you rely on NT by mcrbids · · Score: 3

    Gee, somebody who GETS IT!

    Take a PC, install a default copy of RH 6.2, hook it up to a static IP DSL modem. Come back in a month or two, and you'll find that you have at least 1 or 2 "volunteer" sysadmins!

    The difference between NT and Linux is that you are given the control to make Linux VERY secure. You just aren't given the low-level control needed to make NT anywhere NEAR as secure.

    It takes time, and extreme attention to detail - but it CAN be done.

    -Ben

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  114. Re:it's *NOT* a very good point by jovlinger · · Score: 2

    yup. Since the original host (infection 0?) was infected via an email attachment, it would have been easy for the attackers to tunnel through the firewall (port 80, perhaps: outgoing information encoded in the URLs).

  115. Re:See what happens when you rely on NT by Nightlight3 · · Score: 4
    They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

    It could have been in the attached MS Word .DOC file as well. And anyone who goes to the MSDN site for various tech info, having to use IE with full ActiveX enabled to make the sites work right, is potentially infected. Or anyone using the MSDN Libraries, including MSVC Help, of recent couple years (which also don't work well without internet connection enabled).

    Their whole "vision thing" of hypertext documents which seamlessly integrate your computer (via the MSDN Libraries, including compiler help files) into the Microsoft servers, reporting (if they wish so) anything you look up, any articles you read and for how long, anything you search for, which code samples you extract, ... even without coupling with ActiveX, is a virus/trojan handcrafted for industrial espionage, all by itself.

    I wish only Bill Gates' machines and those of the other brains behind the Microsoft all-is-one (or is it one-is-all) "vision" got some of their own medicine.

    BTW, I just typed in my first message in here, and this luxuriously spacious /. edit box with its eye pleasing courier font makes Microsoft Notepad seem like an ultra-ergonomic editor from the future. (The only cure for this is to make the web designer here use this exact edit box for three days for all of her editing work; by the second day the edit box would be twice as wide and three times as tall and user could set their own non-fixed pitch fonts. By the third day she would suggest dumping it altogether and using something like Userland's Manila editor .)

  116. The "Truth" about who Microsoft really is by b1t+r0t · · Score: 5
    Any of you with Unix shell access should try:

    whois microsoft.com

    also whois aol.com ; whois apple.com ; whois whitehouse.gov

    How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
    1. Re:The "Truth" about who Microsoft really is by wmschris+ · · Score: 2

      SamSpade is pretty good. I also like WS_PingPro

      But SSH would eat their lunches.

    2. Re:The "Truth" about who Microsoft really is by Erasmus+Darwin · · Score: 2

      Also, a press release from one of the groups doing it.

  117. Re:This isn't good. by radja · · Score: 3

    I don't care how M$ falls. They've made it clear that they'll stoop to any level to get more cash, but now the shoe is on the other foot. But I would not insert any windows code into a linux app. linux is not the OS of thieves. And that would make linux just as bad as M$.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  118. it's *NOT* a very good point by schon · · Score: 3

    In fact, it's probably the biggest misconception he made.

    Relying solely on a firewall is the single biggest mistake a company can make.

    True, a properly configured firewall can make a huge difference, but _real_ security involves securing every machine on the network. A firewall won't fix a problem with bad client (such as Outlook) executing code it's not supposed to. A firewall won't fix a problem with a web/mail/whatever server running behind it.

    The bottom line is that if a machine needs to talk to the internet, it _needs_ to be secured, because an improperly written app can make any firewall completely useless.

  119. The end of email-attachments? by Otis_INF · · Score: 2
    Reading the WP's story how the crackers got initial access, I wondered if this action will end the possibility to send executables with email messages using MS software (as in: they'll patch the tools to get rid of this feature, as they should have done ages ago). I mean: the way the crackers got access wouldn't have been possible with the lack of a way to send a person an executable by email (as a trojan).

    OTOH, it's always possible to get a trojan to a person's PC, f.e. by letting the person download some moronic 'gadget' for the desktop. But it would have been way more difficult that way.

    --
    Never underestimate the relief of true separation of Religion and State.
  120. Update by mav[LAG] · · Score: 5
    ST PETERSBURG, Russia: 2000-10-27: In a joint sting operation, Russian police and the FBI made a raid on a downtown apartment today, netting four teenagers they suspect of being behind the Microsoft breakin. Microsoft spokesman Rick Miller applauded the operation, saying that neighbours tipped off the police after noticing strange behaviour from them.

    "These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."

    Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
    "Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."

    St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
    "When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."

    --
    --- Hot Shot City is particularly good.
  121. Open source.. assisted? (well, gpl perhaps..) by uncleFester · · Score: 3

    What about the claims by some that M$ uses portions of GPL'd code? If that was revealed in any sources absconded with, could this not work in open source's favor? Granted, M$ will still take the position the material was illegally obtained (probably rightfully so) and try to suppress it (fat fscking chance). This could give the free software movement some justification for its model and some teeth for any legal wrangling they felt they should do.

    just a thought...

    --
    -'fester
  122. Re:s/NT/stupidly trojan-enabled software/ by mindstrm · · Score: 2

    NT *does* have a proper security structure, even moreso than Unix does.

  123. Planet Open by rjamestaylor · · Score: 2
    The following is a stretch, but bear with me

    I wonder if this could be the beginning of Microsoft being forced to open its code to major customers (at least)--those that will demand the code for independent review (say, Fortune 500 companies and major governments).
    Along this line I am reminded of controversial tactics used in the homosexual community to "out" prominent persons publicly against their will.

    Is it time to start a Planet Open? A movement to force companies to "open" their wares against their will?

    Such a thing would be illegal--and participating would make one liable to Mitnick-type incarceration (or worse!).

    But, is this inevitable?

    Now hiring experienced client- & server-side developers

    --
    -- @rjamestaylor on Ello
  124. Re:See what happens when you rely on NT by bockman · · Score: 2
    Once again this proves the weakest link in any security is the human factor.

    Not sure about that. IMO the problem was that a *stupid* computer was let to take decisions (i.e. running a program) instead of a - supposedly - *intelligent* human operator.

    The policy of dumbifying computer users to sell more software is backfiring on M$oft ( not much, but some).

    Good automation practice should rely on *synergy* between man and computer, allowing each one to do what it does best : computer to quickly perform repeated stupid tasks ; human to analyze data and take decisions.

    --
    Ciao

    ----

    FB

  125. Re:See what happens when you rely on NT by mindstrm · · Score: 2

    Really. I find that hard to believe.

    More likely, NT admins just generally don't think about the TCP/IP world in the same terms unix admins do.
    You absolutely *can* secure an NT box, to the same degree you can secure a unix box.

  126. Re:Should I release the code? by pcwhalen · · Score: 2

    That knocking sound you hear is the FBI at your door. I hear Thursday's dessert is stewed prunes at Leavenworth. Don't worry, I'll donate to your commissary account.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  127. Re:s/NT/stupidly trojan-enabled software/ by TheCarp · · Score: 2

    > (and please don't blame 'untrained users' - on a
    > properly configured *nix system, an untrained
    > user couldn't do any harm...)

    That depends on your definition of "harm".

    They certainly can do things like use the same password for your system as they use over unencrypted connections elsewhere.

    Stuff like that can at least open the door to harm. Let's face it - no system is completely bug free - and once someone gets on by sniffing a password - it's that much easier for them to use the latest root exploit
    (assuming they need root - last time one of our users had a password sniffed - the guy who broke in just setup an IRC bouncer - fucking loser too - I got the job of logging and monitoring his IRC sessions while we were gathering evidence for the Authorities. Just sat around in IRC all day talking about how "we can take over this channel" or "We want that channel" - get a fucking life!)

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  128. Read the (full) Wall Street Journal Article by beebware · · Score: 3

    It seems michael has forgotten to include the link to the original article on the Wall Street Journal - it's here - login 'slashdot123' passwd 'slashdot123'. Very long, comprehensive and insightful.
    Richy C.
    --

  129. No Security on a Windows Network by hagbard5235 · · Score: 5

    This reminds me very much of a point I have
    frequently made to a friend of mine about
    the security of his network.

    He had claimed that he didn't need to worry about
    security because his networking folks had
    provided a very secure firewall.

    "Really," I said, "Do you have any Windows
    boxes on your network."

    "Yes," he replied.

    "Do they run Outlook?" I inquired.

    "Yes," he replied.

    "Then why do you bother to run a firewall at all?"

    I went on to explain that anyone could infect
    Windows boxes behind his firewall via email
    (which almost every firewall in the world
    is configured to pass). Once infected this
    Windows box could subvert his whole network
    and tunnel anything it needed back out via
    SMTP (we do after all, have examples of
    tunnelling IP via SMTP).

    My friend thought I was nuts. Seems that something similar happened to Microsoft itself.

    Guess I'm not nuts. There is no network
    security on a network which has Windows
    present.

  130. Its not a computer its an amplifier... by HiyaPower · · Score: 2

    Sigh. That thing on your desk is not a computer. It is an amplifier. If you are smart, it allows you to be very, very smart. If you are stupid, it allows you to be very, very stupid. Outlook allows folks to be very very stupid bigtime. When anyone who has any DP skills at all is in big demand, sooner or later, you will find someone who you have hired that is going to amplify their stupidity bigtime. You don't hand your car keys over to your 10 year old, but many places are doing the equivalent with Outlook, and other M$ products. I personally feel that the risk/reward against a tightly coupled rice-pudding OS/Application model such as M$ brings out. I shed no tears that they have been given a dose of their own medicine...

  131. security through obscurity by mattdm · · Score: 2
    It might not kill them, but it would definitely hurt. They've relied on security through obscurity for years, and suddenly, it's all exposed. If the code becomes public (or, perhaps worse, widely available in serious black hat circles), watch for a *lot* of exploits.

    --

  132. Win-Win? Not so sure...(Kevin Mitnick) by Carnage4Life · · Score: 3

    If it's an outside job and the crackers beat MS' security, now the whole world+dog knows that MS software sucks in protecting data.

    From all the articles, it looks like this was a Trojan that may have been secreted during the execution of some email attachment. Knowing MSFT, they'll probably spin this as a virus similar to Melissa or ILOVEYOU and the general public will stop blaming them.

    After all, no one is calling for their heads after Melissa and ILOVEYOU even though the main reason they caused so much damage is the lack of security built into Outlook and the ease of using Virus Building Script. Instead we'll probably get a lot of hacker crackdowns with this breakin, perhaps another Kevin Mitnick type case where he got reamed for seeing Sun's Solaris source. It's very possible to see the culprits doing massive jail time for supposedly causing MSFT zillions of dollars in lost revenue by merely looking at the source like Sun did with Kevin Mitnick. This is especially possible in the current climate of UCITA and the DMCA. I wouldn't consider that a win, would you?

    Second Law of Blissful Ignorance

    1. Re:Win-Win? Not so sure...(Kevin Mitnick) by jafac · · Score: 2

      Oh, there's TONS of security built into Outlook, and VBS is not a threat to someone who knows how to set things up right. There's all kinds of deeply buried dialog boxes and registry hacks that can put a stop to this stuff.

      But for 99% of Outlook users out there who use the defaults, (and NONE of the features that the defaults enable) they're screwed.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  133. Sniffing Passwords?? by John+Cats · · Score: 2

    Bah humbug!!

    When are people going to learn to use SSH???

    I use it on my own local network at home, even behind my "invincible" linux masq gate.

  134. Wow. by mindstrm · · Score: 2

    All it says is they had access to stuff... and sniffed passwords. What evidence do they have that these 'blueprints' were stolen?
    And they continually talk about whether stuff was modified.

    And they think that this might be a 'data hostage' situation.

    Hardly. I think said hackers would simply distribute the source around a bit then post it to usenet. THAT would be cool.

  135. Re:Funny? Learn to moderate! by gle · · Score: 2

    Local root exploits are quite common, and tend to be fixed late compared to remote root exploits. Some admins think they should only mind about remote exploits because they trust their users.
    Statistics show how wrong they are. And even if you can trust your users, can you trust what they get in the mail?

    ____________________

    --
    Ni!
  136. Good Samaritans... by Yousef · · Score: 2

    What's with all the negative noise here!
    They were probably well intentioned Hackers trying to fix bugs in M$ code!
    They can't legally see the code, so they did the next best thing!

    --
    -- "To ask a question is to show ignorance; Not to ask a question means you'll remain ignorant."
  137. Danger! by Max+von+H. · · Score: 2

    If the Windows and Office source code starts circulating around, coders may just start coding stable apps and improve it since they'll have access to *everything*.

    Bah, some dude in Scandinavia or Russia will release an open-source distro of Windows and we'll all end up using and praising it... Imagine that, the Ultimate Revenge(tm)! MS forced to embrace OSS or else they die! Haha! Some are already creaming their pants, I know that for sure.

    Linux is in danger!

    /max

    --
    -- It's always darker before it goes pitch black.
  138. Re:Maybe this is what sunk the Kursk by Hrunting · · Score: 4

    I've seen some pretty dumb things on Slashdot and I've seen some pretty offensive things on Slashdot, but never a post like this.

    This ranks up there with the jokes that came out after the Challenger accident and after Oklahoma City. The Kursk was a tragedy. It may not seem that way to an American, but it shattered the emotions of the Russian people. To further imply that Microsoft had any part in that tragedy is simply childish.

    I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.

    Just sickening. Whoever moderated this up for being funny should be shot. Mark me down for flamebait or what have you, but the fact remains, many open-source zealots and programmers are simply brats.

  139. Initial breakin was via email trojan by divec · · Score: 3

    From what the MSNBC article said, the crackers initially got access because some poor MS employee inadvertently ran a trojan email attachment, then did some sort of password sniffing.


    It should now be completely clear that attachment-running programs such as Outlook are dangerous and should not be used by any business which has sensitive data, i.e. any business at all. Any business which jeopardises my personal privacy by using such software is acting negligently, just as if they left their locks unlocked and their safe open at night.


    I wish I could say that this marks the beginning of the end of such "back-door enabled" software. However I fear that this will not be the case.

    --

    perl -e 'fork||print for split//,"hahahaha"'

  140. Damage to MS already poor reputation by pjrc · · Score: 2
    We all suspect (know) that windows is full of nasty security holes. Whoever's got the code could do a lot of damage to MS by finding problems and/or writing exploits to windows and releasing them to script kiddies, one after another... timed to keep MS in the news for one major security problem after another.

    Of course, this seems to be more or less happening naturally without the source!

  141. Re:s/NT/stupidly trojan-enabled software/ by mindstrm · · Score: 2

    ? I don't get it.
    You can select 'run attachment' from just about any mail client. How is this bad? It's a USER CHOICE to execute something mailed to them.

    Whether or not it's a script is not the point.

    I agree, it was stupid to have scripts that executed off a single click (a-la those trojans a while back)... so you didn't have time to think...

  142. All of a sudden by overshoot · · Score: 4
    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  143. Re:See what happens when you rely on NT by cyber-vandal · · Score: 2

    How many email clients on Unix have that option at all, never mind enabled by default like Active Scripting? Yes, I know admins should turn it off, but why include it at all? I can think of very few advantages of its existence.

  144. Re:See what happens when you rely on NT by TheCarp · · Score: 2

    > True, but you (or the original AC) were talking
    > about Unix, not Windows. You can't go into
    > promiscuous mode unless you're root on Unix.

    True - of course under Tru64 if the admin throws the interface into promiscuous mode - by default it ends up setup so that any user can then sniff the network - kind of lame. Took some digging through docs to figure out how to avoid that.
    (turned out to be simple - though I forget it now - one of those "things we needed to do once")

    > And since most systems use shadow passwords,
    > you can't get at the hashed passwords
    > unless you're root, either.

    Yup - and even then you still need to attack them. Good luck if the system uses cracklib (or equivalent). As an added bonus - the salt makes it so that it's fairly CPU intensive to crack passwords in parallel (probably doesn't apply to MD5 hashes - but they aren't as limited as the old crypt() stuff anyway)

    -Steve

    --
    "I opened my eyes, and everything went dark again"
  145. This virus has been known since August! by pcwhalen · · Score: 2

    And MS didn't pick this up? On August 14, 2000, PC Mag ran a story on this trojan and only rated it a 5 out of 10 for harmfulness. WTF?

    --
    Pay no attention to the man behind the curtain with all your metadata.
  146. It's Not too serious ... by PhilHibbs · · Score: 3

    It's not as if they stole anything valuable, is it?

  147. Re:See what happens when you rely on NT by motek · · Score: 2

    Everyone is guilty. Except the thief. The poor guy just had to do it, hadn't he? Can we from now on describe crime as 'crime' regardless of who is the victim?
    Please...

    -M-

    --
    I would like to die like my grandfather did - sleeping. And not screaming in terror, like his passengers.
  148. Microsoft stock is rising by Ektanoor · · Score: 2

    Has anyone taken a look at MSFT stock chart? It's rising!

    Well Windowzers nothing to worry about. It was Microsoft partners who sneaked the code.

    Microsoft partners:
    "AAAAAAAHHHhhhhhh. AT LAST!!! Now we can get a look at that dumbiness of kernel exception that has been segfaulting our code for 10 monthes and get a fix for it...

    Hello? Mr. Investors? We finally get a solution to our problems. This time code will be stable and fast. Soon a new set of fresh killer-apps will be on the market. So Windows will still live for some time...

    Investors:
    Ok Dealers NOW you can buy some of that M$ stock."

  149. Sounds like a great idea! by Chelloveck · · Score: 5

    Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.

    "And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"

    "We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"

    "Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  150. The best link (irony) by billybob2001 · · Score: 2
    is at http://www.msnbc.com/news/481927.asp

    We are confident that the integrity of Microsoft source code remains secure.

  151. Re:Did you even read the article? by Nicolas+MONNET · · Score: 2

    But who are the competitors?


    --

  152. CNET header by Nate+Fox · · Score: 2
    Seems funny to me that CNET would file this story under

    CNET : News : Entertainment & Media : Story

    -----
    If Bill Gates had a nickel for every time Windows crashed...

  153. MS shares by MartinG · · Score: 2

    Okay then..

    With this news in mind, can someone explain why MS shares have gone up nearly 5% so far today?

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  154. Re:No Security on a Windows Network by bockman · · Score: 2
    I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind )

    Actually, when I tried out the network edition of Corel 1.0 ( the one you find on magazines and on the 'Net), I was astonished to find out that the installer did not ask for root password ( I guess it was considered too complex a concept for newbies to grasp). As a result my box was perfectly installed - and anybody could become root with no password.

    Not a big thing, for a unix/linux user - but I would not be surprised if Corel users are still surfing the Net without protection for their root accounts.

    --
    Ciao

    ----

    FB

  155. s/NT/stupidly trojan-enabled software/ by divec · · Score: 4
    Um it was not about NT you fool.

    No. It's just about the software which comes with NT and Microsoft sells for NT and everybody uses on NT. An equally stupidly-designed UNIX mail reader would be equally bad. But most UNIX systems don't use such software.
    --

    perl -e 'fork||print for split//,"hahahaha"'

  156. This could be VERY bad by Kyaphas · · Score: 5

    Just what we need. A high-profile company that has decent lobbying skills getting hacked just as we face more and more legislation against hacking.

    And this on the heels of the story below about pushing for more UCITA support. crap.

    --
    ---- The price of freedom is eternal vigilance. -Thomas Jefferson
  157. Segfault Coverage by Diskore · · Score: 2

    Segfault has some underreported details in its coverage :)

  158. Re:Maybe this is what sunk the Kursk by radja · · Score: 2

    people will ALWAYS find humour in what hits close to home. There are jokes about racism, terrorism, death, war, destruction, ships sinking, murders.. anything. humour is a normal mechanism for human beings to cope with anything serious. you don't have to like it, you don't have to do it. I admit to making racist jokes, lesbian jokes, homosexual jokes.. just about anything. that doesn't necessarily mean that I am a racist, womanhating homophobe though...I have friends in all those classes..

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  159. Umm... so has everybody been rooted now? by roystgnr · · Score: 2

    It doesn't look like it; the news articles seem to imply that it was just some low level accounts cracked and just read-only access to anything important. (Yeah, like they could slip an extra bug into Windows source code and anyone would notice)

    But that wasn't my first thought. That headline, "Microsoft cracked", is terrifying! Are all the Windows users here keeping their systems up to date? If you aren't, you're probably vulnerable to the new "Win9x doesn't always check whole SMB passwords" bug, the old "malformed IP packets confuse the hell out of Microsoft engineers" bugs, or a whole plethora of Outlook exploits (including a buffer overflow when email is downloaded, so turning off previewing and javascript won't help).

    But if you are keeping your Windows box up to date, then you'll be one of the hundred million computers that get 0wn3d by the first person to crack windowsupdate.microsoft.com and stick in a trojan. This isn't just a Microsoft problem, of course; every OS vendor (even taking the broadest definition of "vendor" for Debian people) keeps their repository of updates, and all the good ones have an easy way for users to sync with those updates.

    I still think that Windows Update, and the idea of autoinstalling security updates from vendors in general, is a good thing; it certainly beats having millions of exploitable computers hanging off the net. But that central download source then becomes a central point of failure for your operating system security; God help us all if Microsoft ever really gets cracked.

  160. This is more than funny by twitter · · Score: 2
    Think about your next binary windoze install. Not that corrupted binaries weren't already in circulation, but this adds a whole new dimension to Warez distros, even legit looking boxed software. Got mine from RISE, how about you? Mine comes from St Petersburg... Came in a box with a seal and everything.

    Oh well, I have not installed windows on a machine in more than 2 years. Will not be doing it again anyway.

    --

    Friends don't help friends install M$ junk.

  161. Hey, scroll down to my post (ch-ch) by ch-chuck · · Score: 2

    and read an account of the Windows upgrade that was behind the Kursk disaster.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  162. And the best thing about .NET is. . . by kfg · · Score: 2

    that all your data is stored on a remote, secure server at Microsoft.

  163. The future of hacking and computer security by arikb · · Score: 2
    Hello all

    I'd like to jump to conclusions. Bear with me for a second here.

    Say that the recent high profile cracks (a.k.a. hacks) are only the beginning of a tidal wave, where companies are attacked for fun and profit. The world cries for help, and out goes the countries (US and Europe, for starters) and

    • Ban hacking tools (burglary tools)
    • Ban hacking conventions (subversive activity)
    • Ban hacking discussion forums (subversive, of course)
    • Mandatory licensing and auditing system administrators (holders of forbidden knowledge)
    • Mandatory deployment of monitoring tools allowing full accountability, complete with phone record cross references
    • Etc.

    What will happen? At first, things will look promisingly better:

    • Hacking sites will be banned and closed. The few which will remain will go on-line and off-line quite a bit, and spend their time mirroring and evading law enforcement
    • The script kiddiez will be gone! What used to be a game will have some kids arrested, and the rest will be scared s***less and cease to function
    • High profile cracks will become the sign of stupidity, as the cracker is sure to find the feds outside his place in a matter of hours

    But in the long run, we will start to see, IMHO, deeper influences:

    • Underground groups would form. They will use the Internet for communications, just as before, but will probably be more closely-knit and use steganography and/or encryption as standard means for communications.
    • Most of these groups would be benign, acting with the spirit of true hacking, but some will be malignant secret societies. I'm speaking of highly intelligent people, with the know-how and intention to commit those cyber-crimes, and some form of fscked up ideology about how "we must hurt them to prove they can't touch us".
    • All kinds of those groups will work feverishly in research of new technologies to subvert security systems, which will be slower but continue nevertheless, while
    • OTOH the security systems development will shift into lower gear. After all, the hackers are gone, right? The high profile dudes are in jail or on the run. Let's leave the door open at night, who cares?

    A dark era is coming. Information will be limited to the few who dare have it. The majority will live in the bliss of ignorance, while the few will silently loom in the shadows, waiting for their chance. Some will treat it as a game, knowing they control the power and get high on the feeling. Some will silently slip into places and perform subtle acts which will really pass unnoticed, like long range logic bombs and backdoors. System administrators will grow lax and less educated, while hackers-crackers will rummage their systems undisturbed.

    Call me paranoid and pessimistic. Flame like hell.