Microsoft Cracked

Lyserjic seems to have been first with the news. Some linkage: CNET. CNN. AP. MSNBC. BBC. MSNBC's story is a copy of the Wall Street Journal article which apparently broke the news - it's the most complete.What's known - the passwords were being sent to St. Petersburg, Russia. They probably had access for about three months.

The heart of the problem...

[guynorton]

This quote taken from the Yahoo coverage..

"The code could also be purchased by an unscrupulous company looking to make its applications work more smoothly with Microsoft's dominant operating systems"

Who is 'unscrupolous'?, the company trying to improve their software for the greater good of everyone? I think it is the company that won't reveal the source code...the company that has systematically crippled/sabotaged other companies by keeping their 'intellectual' secrets under wraps in an attempt to leverage themselves into any software based market they see fit to at the expense of others.

I think this quote basically sums up the whole open source/closed source debate.....

Guy

Re:See what happens when you rely on NT

[Jason+Earl]

It's easy to blame NT, or Inoculate IT, but the real culprit is Outlook.

Microsoft's policy of helping users (even their own users apparently) run binaries and scripts from untrusted locations is absolutely insane. Yes, Inoculate IT should have stopped the virus (theoretically), yes, Windows NT should have more protection against attacks, but the key is that Outlook is a trojan fun house waiting to happen.

Unfortunately, for Microsoft anyway, the fix for this type of thing goes far beyond patching some buffer exploits. They instead have to totally re-think how Outlook (and other Internet software) handle untrusted binaries (that probably includes ActiveX).

Re:Open source in danger

[Black+Parrot]

> Before everyone here gets into a frenzy of self-important "Micro$oft are lusers" posts...

Well, I'm just grateful that no one broke in to www.redhat.com and stole the source for Linux.

Reichstag Fire

[Deskpoet]

This was PRECISELY my first thought when I read these pieces: this is a staged event for some reason as yet to be revealed.

Of course, as a reluctant user of NT, I *know* it's vulnerable, and the fact this occured doesn't surprise me at all. What IS surprising is we haven't heard more of this coming out of Redmond; it can't be the first time.

I don't think the possibility that this is a way for Microsoft to reign in the Open Source movement is paranoid AT ALL. With M$ having its market share threatened by Open Source stuff, why not create an excuse that the people releasing it are ripping off internal code stolen from M$. Indeed, it makes perfect sense, and it wouldn't surprise me if the lawsuits start flying within 6 months.

I worked at a place where we had REAL break-ins, and the last thing you want to tell your customers is that you've been hacked. The fact that M$ is being so forthright about this--in direct contradiction to the way they typically stonewall against any less-than-flattering news--points to an entirely different motivation than just being honest.

Remember, the people that report these stories have extensive relationships with M$. There can be no doubt that they are spinning this is such a way as to ultimately benefit M$, or any initiative that M$ may find to its liking.

By the wall, Randall is *NOT* a criminal. Yes, he was convicted, but that means about as much as the stain on Monica's dress. Judge for yourself; go here for more information.

Redhat Cracked

[ahaile]

Durham, Oct 27 -- The linux world is in a tumult today after a report claiming hackers broke into the corporate network of industry leader Redhat. The report, published on the internet by a pseudonymous "BG", purports that "lots and lots" of hackers outside the Durham-based organization have been "stealing intellectual property" from the company for "a whole lot longer than three months." Redhat officials appear to be stonewalling on the issue, responding to questions with a baffled look and the reply, "What the hell are you talking about?"

According to the report, unknown hackers managed to procur a password to Redhat's network servers. They then used the password to download the blueprints to all of Redhat's products. Even worse, the password was circulated widely over the internet, allowing thousands, potentially over a million hackers to repeat the exploit.

One person familiar with the case said it appeared the hackers initially gained access to Redhat's corporate computers by exploiting a hole in the company's "FTP" software. This software is used to transfer files between remote computers. The hackers discovered that the password "anonymous" allowed them access to all of Redhat's intellectual property.

Most damning of the report's accusations is the claim that internal Redhat officers have known about the vulnerability for months, even years, but failed to alert customers or close the security hole.

The breach may have allowed hackers to insert instructions into the blueprints for Redhat's products, including the recently released Redhat Linux 7. One anonymous insider called such practices "common." When asked if they were planning an extensive audit of their code, Redhat officials repeated their reply, "What the hell are you talking about?"

Re:Open Sourcing Windows...

[bilgebag]

First one to submit a patch gets to pick a new default colour for the Screen Of Death...

Not A Good Thing

[pokrefke]

No matter how much you think Bill Gates is the anti-christ or hate Windows, this is most assuredly NOT good news. The judges, the lawyers, and the law enforcement that will certainly become involved in this case will look at one point, and one point only: someone broke the law. Know what else? They don't understand you, and they don't care that you want Wine to work better or an Open Source Windows.

In the interest of fairness, let's look at this from their point of view. "Hackers" (does anyone know what this word means anymore?) have been getting a lot of bad press lately. Hacking into Microsoft's site adds fuel to the fire. Stealing Microsoft's code is fanning the flames.

Everyone is making jokes about how insecure MS products are, as if Apache or Slashdot have never been compromised.

Even more worrisome is the opinion of the everyday, ordinary citizen. Some of which have made money off MS stock. Many of which use a computer, but aren't as "in" to them as we are. I bet you lunch that they see stuff like this and feel "insecure". And I guarantee you, when something like Carnivore comes along, the average person will suport it, because it makes, at least in their mind, the online world a safer place.

So laugh now about Microsoft's problem. Joke about an OSS Windows, regardless if they want it or not.

Ladies and Gentlemen, if you're old enough to understand, it's time to realize that this is most assuredly Not A Good Thing.

Disclaimer: MY computer runs Linux/BeOS.

The "Truth" about who Microsoft really is

[b1t+r0t]

Any of you with Unix shell access should try:

whois microsoft.com

also whois aol.com ; whois apple.com ; whois whitehouse.gov

How did they do it? Simple. Whenever you register a nameserver IP address, you have to include a domain name for the nameserver. I think the only thing checked is that the IP address pings and the domain name is part of a real domain.

Update

[mav[LAG]]

ST PETERSBURG, Russia: 2000-10-27: In a joint sting operation, Russian police and the FBI made a raid on a downtown apartment today, netting four teenagers they suspect of being behind the Microsoft breakin. Microsoft spokesman Rick Miller applauded the operation, saying that neighbours tipped off the police after noticing strange behaviour from them.

"These were all very bright boys - cheerful, helpful and good at their day programming jobs" said apartment resident Canya Bolyevtis. "But last weekend that changed when they started walking around in a daze after an all-night session, as if they had been exposed to some terribly traumatic thing."

Californian software analyst Rich McGee says the teens were foolish to allow themselves to be exposed to Microsoft source code.
"Here you have some very bright young guys with some Unix experience suddenly coming into contact with the C source for kernel32.dll. I think they were unprepared for the shock."

St. Petersburg police chief Konstantin Bolygubov thanked the public for the information that led to the arrests, saying it was the easiest raid he had done in a long time.
"When we broke down the door, none of them moved," he said. "They were all just staring in horror at the screen of a PC in the corner of the living room."

Re:Open Sourcing Windows...

[rdl]

It's not against our AUP.

We as a company are not in favor of software
piracy, so we certainly wouldn't help, but if
a customer wanted to host stuff like this, we can't really say it's against our AUP.

(I personally think MS source code would be a
waste of space, a thousand monkeys and all that...)

No Security on a Windows Network

[hagbard5235]

This reminds me very much of a point I have
frequently made to a friend of mine about
the security of his network.

He had claimed that he didn't need to worry about
security because his networking folks had
provided a very secure firewall.

"Really," I said, "Do you have any Windows
boxes on your network."

"Yes," he replied.

"Do they run Outlook?" I inquired.

"Yes," he replied.

"Then why do you bother to run a firewall at all?"

I went on to explain that anyone could infect
Windows boxes behind his firewall via email
(which almost every firewall in the world
is configured to pass). Once infected this
Windows box could subvert his whole network
and tunnel anything it needed back out via
SMTP (we do after all, have examples of
tunnelling IP via SMTP).

My friend thought I was nuts. Seems that something similar happened to Microsoft itself.

Guess I'm not nuts. There is no network
security on a network which has Windows
present.

Re:This is obvious but...

[jrumney]

Hackers huh? Hopefully they'll fix some bugs before they give it back.

Re:Open Sourcing Windows...

[nick_davison]

we're likely to see a similar situation to DeCSS

How the hell am I going to get all that bloatware on the back of a t-shirt?!

Sounds like a great idea!

[Chelloveck]

Ah, yes, evil hackers from Russia stealing the "software blueprints". Smells like the plot of a James Bond movie.

"And now, Mr. Bond, by altering the blueprints I will be able to take control of every desktop computer on the planet! I'll have an entire cybernetic zombie legion at my disposal!"

"We're one step ahead of you, Smirnoff. Office is a very fragile piece of code. Change even one line and the whole thing will come crashing down like a house of cards. The worst you'll be able to do is crash every computer. And who would be able to tell the difference between that and the way Office normally runs, eh?"

"Curse you, James! Now I'll have to kill you by an incredibly intricate device which you'll no doubt escape. The only way out of your cell is to cross this tile floor. Land mines are hidden under nearly half the tiles. Fancy a game of full-contact Minesweeper, Mr. Bond?"

This could be VERY bad

[Kyaphas]

Just what we need. A high-profile company that has decent lobbying skills getting hacked just as we face more and more legislation against hacking.

And this on the hells of the story below about pushing for more UCITA support. crap.