Slashdot Mirror
Microsoft Cracked
Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete.What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.
Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts, I think it's important to discuss just how bad it would be if they have actually had the source code for their operating systems stolen by these hackers. And not for Microsoft, no, but for people engaged in open source projects like Wine, or people building Windows compatible operating systems.
What are Microsoft going to end up doing? They now have the perfect ammunition to claim that these projects have received help in their tasks from people who are willing to engage in criminal persuits, and that these products have improved as a direct result of this crime. Then, all they need to do is take the creators of Wine to court over this, and hey presto, there goes a project which was making Linux look good against Windows.
Unfortunately, because of the hacker ethos about security and the fact that the ranks of open source programmers already include criminals (Randall Schwartz), judges without any real clue are quite likely to buy this.
This quote taken from the Yahoo coverage..
"The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"
Who is 'unscrupolous'?, the company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.
I think this quote basically sums up the whole open source/closed source debate.....
Guy
It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.
Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.
Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).
Seriously, though... one of the more serious reasons that viruses/trojans spread more easily on Win32/Mac is "user imbecility/gullibility". And one reason (among many others!) why Linux/BSD was considered secure is that (1) users were much more sophisticated, and (2) the OS often compromised on security over 'ease-of-use'.
Today, with Linux (not BSD though (thankfully!)) reaching more and more into the newbie space (I'm just waiting for the first "for-newbies" distro (oh, wait, Corel comes to mind)), how long before something like this happens on a Linux box? Remember, there are a lot of newbies out there running Linux (and also Win2k/NT, for that matter) on their PCs with exactly one user account -- "root"! (or "administrator".)
Looking beyond the fan-boy name calling, there is a serious point behind this.
Microsoft has made a massive virtue of "making hard stuff easy"; underlying a lot of the products coming out of Redmond is the core value of "Trust us to do the hard stuff for you".
In that context, it's commerically damaging to have revealed to the world-at-large that even Microsoft can't rely on Microsoft to do the hard-stuff (security) for it.. And if Microsoft can't rely on themselves why should anyone else?
Not, I hasten to add, that I believe that this incident will have any long-term consequences of this action. I'm waaay too cynical to believe that any good can come of this.
--
I'd rather have a bottle in front of me than a frontal lobotomy
Your naiveté makes me hope you never administer any network I use.
The exact same type of crack could happen on ANY Unix machine, not properly safeguarded. Get an e-mail with a binary attachment, chmod 744 attachment, it runs, displayes a really cool screen hack or small game of some type. It also spawns a child process, but you're probably unaware of this.
This child process sniffs out passwords, because hey, any user account can sniff packets, not just root. People log into other computers, all the while this program gets user acct & password after user acct & password. It then sends out an e-mail to a remote address, listing all these new shiny user names & passwords, what machine they were connecting to, and voila, this cracker suddenly has user accounts. Now he's free to move onto higher level attacks.
Don't fool yourself for a second -- Microsoft's biggest mistake was that it wasn't using a more secure firewall to protect it's local machines - these machines should have been INVISIBLE to the entire internet, only available to MS's intranet.
Well, y'd have to be running some program as stupid as Outlook, which runs arbitrary executable attachments, inside your supposedly "clean environment". I can't imagine a competent UNIX sysadmin would set things up this way.
perl -e 'fork||print for split//,"hahahaha"'
St. Petersburg (!AP) -- St. Petersburg police have found the bodies of three young computer experts. The three were found in one of the their apartments, lying on the floor in front of their 486 running SuSE Linux.
"Our police experts stated that they were those who broke into Microsoft's servers and stole large amounts of code", says a police agent via translator. "Experts were able to tell from lengthy headers, pointless libraries, and pointers to nowhere-in-particular that this must be actual code for Windows 2000' successor."
After a preliminary exam, forensic pathologists state that their deaths were all caused by ruptured lungs.
"If I didn't know better, I would think that they would have died laughing", said the pathologist.
One of the police experts who determined that the code was in fact Microsoft's also began laughing uncontrollably, and was rushed to a nearby hospital. He remains in serious condition and on heavy sedatives.
DrQu+xum: Proof that the lameness filter doesn't work.
Al Gore has the quote "I invented the Internet" fused to his name. It's been used time and again to demonstrate Gore's penchant for hyperbole, his untrustworthiness as a leader. Many of you probably already know, though, that Gore never actually said that he created the Internet, but rather that he was the key political figure in the early days of funding the Internet (still an inflated claim, but nowhere near as sensational as the other.) Does the fact that he never actually said what countless media outless attribute to him, often as a direct quote, make any difference whatsoever to his image and reputation? Nope. The media and his opponents decided to nail him to the wall with a hyperbole of their own, and with a bit of hard work and luck, it has become Truth. Truth, in that wonderful Orwellian fashion of 'if all official sources report the lie as the Truth, then the lie becomes the Truth, and the truth a lie.'
It wouldn't matter how much you or I knew the truth, much like it doesn't matter that Al Gore never actually said that he invented the Internet. The Sheep and PHBs everywhere will swallow whetever pill they're given, and you can bet dollars to donuts that the story line wouldn't play out in favor of Open Source. If you think it's hard to convince your superiors to utilize an Open Source model now, try and imagine the brick wall you'd hit with your boss' brain automatically substituting "what happened to that stolen MS code" for "Open Source".
For the moderators out there, I'm not saying that I think Open Source is theft, just so that's sufficiently clear. I'm just saying that it's worth considering the damage that the mass media PR monster could do to the Open Source movement, especially in light of the fact that most major media outlets are heavily invested in (and guided by) large, mean corporations. Think about it.
Obliteracy: Words with explosions
I'd expected more mature responses to MSFT being hacked than childish attacks either blaming NT like the above post or claiming that MSFT being hacked is good for Open Source like others I've seen. Frankly *nix and Windows are roughly equivalent in default security (except for OpenBSD) and only through the machinations of a good sys admin is either OS properly secured.
For those that believe *nix is somehow more inherrently secure than Windows here are a few sources that may refute that claim The major security issues in Windows are Outlook (disable preview pane, be careful with attachments) and Internet Explorer (disable Javascript). Doing that and using a firewall like ZoneAlarm is most of the securing that a typical Windows box needs. On the other hand due to the use of insecure C libraries (str* functions, *scanf functions, etc) most of the services that are enabled by default in a typical Linux install are insecure (especially RedHat the primary consumer Linux OS in the U.S.). Take a quick look at security sites like Attrition.org, CERT, SANS, rootshell, SecurityFocus, etc and check the results. Defacements of Linux sites has been rising at a steady rate and now there are more defacements of Linux sites than NT sites. CERT regularly has more Linux and Unix security advisories than for Windows. The SANS (System Administration, Networking, and Security) Institute top ten list of security holes has more entries for *nix than Windows. A quick search of the terms "linux" and "windows" on Rootshell's seearch engine come up with 84 downloadable exploits for Linux versus 39 for Windows.
The above post is not intended to be flamebait (I run Win2K but plan to reinstall Linux on my second machine so I am a Linux user) but as a counterpoint to the above post which was rated +5 when I replied to it.
Second Law of Blissful Ignorance
AVAILABLE - Slightly frazzled security Admin seeks Immediate Position after undertaking imposssible task at unnamed Redmond, WA. employer. Canned due to circumstances beyond control. Will take any offer not relating to windows. Added Plus - Able to interpret arcane source code for popular and possible unintentially Open Source Operating System (you hear that Larry E.?). Used to long hours and sleepless nights, anything's a change for the better. Looking for stock options (in a company that's still gonna be worth something in a month).
Imagination is the silver lining of Intelligence.
This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.
Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occured doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.
I don't think the possibility that this is a way for Microsoft to reign in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.
I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.
Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this is such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.
By the wall, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here for more information.
"The more corrupt the state, the more numerous the laws."--Tacitus, The Histories
According to the report, unknown hackers managed to procur a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.
One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.
Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.
The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"
No matter how much you think Bill Gates is the anti-christ or hate Windows, this is most assuredly NOT good news. The judges, the lawyers, and the law enforcement that will certainly become involved in this case will look at one point, and one point only: someone broke the law. Know what else? They don't understand you, and they don't care that you want Wine to work better or an Open Source Windows.
In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.
Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.
Even more worrisome is the opinion of the everyday, ordinary citizen. Some of which have made money off MS stock. Many of which use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will suport it, because it makes, at least in their mind, the online world a safer place.
So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.
Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.
Disclaimer: MY computer runs Linux/BeOS.
It could have been in the attached MS Word .DOC file as well. And anyone who goes to ther MSDN site for various tech info, having to use IE with full ActiveX enabled to make the sites work right, is potentially infected. Or anyone using the MSDN Libraries, including MSVC Help, of recent couple years (which also don't work well without internet connection enabled).
Their whole "vision thing" of hypertext documents which seamlessly integrate your computer (via the MSDN Libraries, including compiler help files) into the Microsoft servers, reporting (if they wish so) anything you look up, any articles you read and for how long, anything you search for, which code samples you extract, ... even without coupling with ActiveX, is a virus/trojan handcrafted for industrial espionage, all by itself.
I wish only Bill Gates' machines and those of the other brains behind the Microsoft all-is-one (or is it one-is-all) "vision" got some of their own medicine.
BTW, I just typed in my first message in here, and this luxuriously spacious /. edit box with its eye pleasing courier font makes Microsoft Notepad seem like an ultra-ergonomic editor from the future. (The only cure for this is to make the web designer here use this exact edit box for three days for all of her editing work; by the second day the edit box would be twice as wide and three times as tall and user could set their own non-fixed pitch fonts. By the third day she would suggest dumping it altogether and using something like Userland's Manila editor .)
whois microsoft.com
also whois aol.com ; whois apple.com ; whois whitehouse.gov
How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
"These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."
Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
"Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."
St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
"When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."
--- Hot Shot City is particularly good.
This reminds me very much of a point I have
frequently made to a friend of mine about
the security of his network.
He had claimed that he didn't need to worry about
security because his networking folks had
provided a very secure firewall.
"Really," I said, "Do you have any Windows
boxes on your network."
"Yes," he replied.
"Do they run Outlook?" I inquired.
"Yes," he replied.
"Then why do you bother to run a firewall at all?"
I went on to explain that anyone could infect
Windows boxes behind his firewall via email
(which almost every firewall in the world
is configured to pass). Once infected this
Windows box could subvert his whole network
and tunnel anything it needed back out via
SMTP (we do after all, have examples of
tunnelling IP via SMTP).
My friend thought I was nuts. Seems that something similar happened to Microsoft itself.
Guess I'm not nuts. There is no network
security on a network which has Windows
present.
I've seen some pretty dumb things on Slashdot and I've seen some pretty offensive things on Slashdot, but never a post like this.
This ranks up there with the jokes that came out after the Challenger accident and after Oklahoma City. The Kursk was a tragedy. It may not seem that way to an American, but it shattered the emotions of the Russian people. To further imply that Microsoft had any part in that tragedy is simply childish.
I've always considered the majority of Slashdot readers to be brats, but this goes to show that whatever Microsoft may do to fight the open-source movement, they'll probably win. Why? Because for the most part, it's people like you who make up and support that movement, people lacking any amount of maturity and decency, and for movements to succeed, they must at least be honorable in the face of their enemy.
Just sickening. Whoever moderated this up for being funny should be shot. Mark me down for flamebait or what have you, but the fact remains, many open-source zealots and programmers are simply brats.
the earlier story about Wine running Excel and Word takes on new meaning.
Lacking <sarcasm> tags,
Hackers huh? Hopefully they'll fix some bugs before they give it back.
Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.
"And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"
"We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"
"Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
No. It's just about the software which comes with NT and Microsoft sells for NT and everybody uses on NT. An equally stupidly-designed UNIX mail reader would be equally bad. But most UNIX systems don't use such software.
perl -e 'fork||print for split//,"hahahaha"'
Just what we need. A high-profile company that has decent lobbying skills getting hacked just as we face more and more legislation against hacking.
And this on the hells of the story below about pushing for more UCITA support. crap.
---- The price of freedom is eternal vigilance. -Thomas Jefferson