Slashdot Mirror
Different View Of MS Code Theft
LowneWulf writes: "I found this to be an interesting perspective of the previously-mentioned M$ hack, from this article from MSNBC. State of the art security? Companies held for ransom from stolen code? Notorious multi-million dollar thieves out of Russia? Anyone heard about these? How about how someone who had the ability to create accounts on the network, if the incident only did last a week as the article implied, could only perhaps have a 'brief glimpse of the source code.' I don't know about you, but even on a 2400 baud modem, I think I could probably download more than a glimpse." Among other things, this story hints that MS may have been compromised through an employee's home computer, and quotes Howard Schmidt, Microsoft's corporate security officer, as having ruled out a connection between the recent breaches from ones in September.
Where did the initial allegation (MS hacked) come from?
Is there more than one verifiable source?
What made MS admit to the crack? (They didn't have to - they could have denied it)
The QAZ/Russia stuff? Who is the source? I haven't seen the MS logfiles. How do we know it waz a trojan posting "some data" to Russia?
Which journalist/journal is prepared to stand up and say "This happened - I believe it - here is my evidence."?
Question: Why would *anyone* want to steal MS source code. They are happy to *sell* access for a small fee (100k+ last time I asked - which is chump change)
Who could benefit from a source release? (Answer - any *professional* cracker who wants to crack MS run boxes). I'll leave you to work out the consequences of that. But *my* NT/2000 net-facing boxes are running home to Solaris/HP-UX/AIX/OS-400
And, finally: MS admitted it. So, there must be evidence that it happened. Where the fuck is this evidence?
Pissed posting pisses people off. Perhaps people posting pissed should perceive the pseudo-plenipontentiary powers of the powerful people who perform peer-review. Or not.
New Operating System!!!
Winski 2000 by MicroSlav
Operates just like Windows 2000!
Only 20 rubles. Put the money and your email address under the trash can on Ivanoff Street.
It is interesting to note that the break-in was committed using an "old" trojan (ie anti-virus products were detecting it since July). Why? If you were trying to hack into some pretty big IT firm you would have to assume that they have SOME sort of anti-virus/content vetting software. However, you might also assume that among the thousands of staff, there would have to be some that decide (for whatever reason) that they don't need to be running the company's mandated anti-virus product because of "XYZ" (insert completely lame excuse here, probably related to "This is meant for those DUMB users not ME").
Knowing this, it is just a matter of playing the numbers and eventually...BINGO! And of course if you spread out your attack over time, the failures would stay below the "Danger Will Robinson!" threshold. (Any sufficiently large and hated IT firm would have to expect a certain number of "incidents" over time - these wouldn't cause any undue alarm unless the density was high enough or there was a detectable pattern). Good ol' human engineering. You just can't protect against it. All you can hope to do is detect it quick enough and run your business such that you don't "have" too much info which if it got out would drive you under (can anyone say open source?)
What is REALLY interesting is the motive? Why would you do it? To improve WINE/SAMBA/XYZ??? I doubt it. These guys won't be touching any significant new changes with a ten foot pole for a while I bet. The competition? Why? What possible advantage could be worth the risk?
If its not just some dude who wanted to be the first to "plant the flag", then my money is on the mob. Why not? Just imagine how many buffer overflow bugs someone like Georgi Guninski (check out NTBugTraq) could discover with a good peek at the code. You could then use the knowledge when/where-ever. Alternatively, instead of using this knowledge themselves they may pass on the source to the "highest bidder" which would probably include the usual suspects (middle eastern "terrorists" etc).
Just my 5 rubles.
First the obligatory joke: Isn't that what MS does anyway?
But, in all seriousness, MS does have internal protections in place. Consider this: When I interned there last summer, there were something on the order of 500 interns there. These were virtually all normal college-aged CS geeks -- and not all of them were die-hard Microsoft drones, either. With that many people, in that demographic, for that short of a time period, I'd be willing to bet that if all the Windows source code was open for the viewing, something would've happened already. On the other hand, what was generally accessible on the corporate network were the websites for each of the various projects -- the sort of stuff that'd be best kept secret from a business standpoint, but would have zero interest to the Slashdot crowd.
And as a random aside, even the developer kit for the Barney Actimates doll that MS produces is kept secured from general access, for reasons that should be fairly obvious. (Creating a humorous yet vulgar Barney dialog is left as an exercise to the reader.)
...Microsoft reports that Oceania has always been at war with Eurasia.
The Chief Security Officer is trying to cover his ass. Take what he says with a grain of salt.
-bugg
To a hacker or a cracker, source code is worth it's weight in gold! You can look for buffer overflows and figure out how to exploit them. You can find hidden API tricks that allow one to gain extra privileges. You can find bugs that defeat security measures. You can find lots of stuff.
If you thought windows was easy to hack before... well, it just got a lot easier!
The only good weather is bad weather.
MS code is a "Trade Secret".
It is still a "Trade Secret" even if it is stolen, posted on the web, displayed on billboards, whatever. This is OK until you *use it*. Then, you're screwed.
If MS can prove to a court (in the US) that you used their trade secrets, and that you knew that you had acquired their trade secrets illegally (which *well* includes downloading the source from an FTP site), well, then you are so shafted it's unreal. Can you say "Punitive damages"? 'cos that's what you'll be paying.
All MS have to do to protect their trade secrets is to exercise "reasonable care". Now, try and prove they didn't.
FACT: Stolen secrets are still secrets in law. Half-witted sophistry doesn't change that.
The other half of the quote is "Information wants to be expensive" - Don't quote the popular half until you understand the context
If Russian military intelligence got to go over Microsoft's source code with a fine-tooth comb (or anybody- I only say Russian because apparently that IS precisely who's going over the code now), they would be able to conduct information warfare much more effectively, whether or not there are intentional backdoors- if there aren't, all the military spooks would have to do is dig up overflow exploits and the like. They have the code, and lots of people find ways to do this even _without_ the code.
They're not interested in fixing it, selling it, posting it on the net or anything of the sort. Their only concern is being prepared to take all of American military IT _down_ before the missiles are launched. (And again, America doesn't have to be the target- any country with a modern computerised military could be the target.)
The problem with lazy-ass monopolised security through obscurity is just this: now there's no security at all- odds are, some country (possibly not even Russia?) now has what they need to be able to take out any and all Windows-based IT at will. They're not going to be filing bug reports, or _using_ their techniques, unless they are seriously taking action. The only defense against this is to persuade Microsoft to either open their process to outside auditing (for instance, the NSA or the military), or to ask Microsoft to please fix any bugs that might be a weak point in this sort of attack.
*bitter laugh* riiiight.
I want my country's military off Windows, dammit. Now. All that is _compromised_. It's one big trojan horse because of Microsoft's arrogance and belief that they are SO SMART that they don't need to let anyone else into their process.
Now that M$ have publicly admitted that their IP has been compromised, they are in a good position to complain about anyone producing any competing products.
.NET stranglehold strategy.
If a C# compiler were to appear on the scene for a non-Windows platform, might the authors not be accused of having used M$'s IP in order to produce it? The same goes for any piece of code to appear that threatens their
I have not seen any definitive list of what code was compromised. Has that been made public? Or are they free to point to anything that appears in future and say it is based on their IP?
Hell, maybe they are making the whole incident up!
I wasn't even looking for confidential information. Just turns out that I knew a couple of people who happened to work at Microsoft, and so I decided to pay one of them a visit at their office in Redmond, while I was vacationing in Seattle.
Now at each entrance to each M$ building there are Honeywell card readers, and each employee has a matching Honeywell card that opens the right doors so he can get to work. With the building I was at there is a front entrance and then a foyer with a receptionist's desk. During the day you have to get by the receptionist slash security guard to the second set of doors, which you also have to swipe your Honeywell card at. (At the building I was in, the receptionist desk was inside the second set of doors.) At night there isn't a receptionist or security guard, you just swipe both sets of doors and you're in. And once you're in a building you can go practically anywhere in that building; there aren't any other security checkpoints.
If you lose your card you can use the phone next to the card reader on the outside to call in to the receptionist, or to call your friend inside to let you in. This is how I got in. I called my friend's 5-digit extension and they came down to get me. (That's 2-xxxx inside; 425-882-xxxx outside.) There are refrigerators stocked with Coke (and Pepsi) products on nearly every floor. Just help yourself. There are also random arcade games, Ping-Pong and billiard tables scattered around. Each person has their own office, small as it may be; a few people share in some areas.
Anyway, inside, they have large supplies of blank CD-R's. All of them were factory labeled with the Microsoft logo and the words "Microsoft Confidential" and some other legalese. They are half blue and half white. And most of the developers that I met had their own burner.
I'm quite sure you can figure out the rest from here, and these are the details I have to omit. I can say it has something to do with caffeine's diuretic effects on developers. But I wil provide a few other details for you.
Microsoft has their own security people. At night they go around and turn off all the lights in the buildings. Only they do it from the outside, via remote control. I think the system uses RF. (If you're inside, you can turn them back on, though. And be careful, they even turn off the lights in the bathrooms, and the switch can be hard to find. In the bathroom I used, it was about eight inches higher than I expected it to be.)
Microsoft has an internal server with pre-built installers for most (all?) current Microsoft operating systems, applications, etc. If you need something, you just open the network drive and get it.
Microsoft's firewall prevents people internal from connecting to certain outside sites. In 1998 this included netscape.com (but not mozilla.org).
Certain parts of Microsoft source are written in C and/or C++, and these parts are LITTERED with gotos. I mean they're everywhere. It's almost like they'd never heard of do, while, break or continue.
Anyway, that's my story.
Now I'm *really* intrigued. What constitutes a core product? Wouldn't it be interesting if certain languages were "core" and others weren't?
How would you feel if you paid $600 for Project to run major development work... or used Visual Basic to develop critical code for your company... or
If the cracker picked up Notepad, they wouldn't have asked for FBI help, would they? If it was MS Baseball 2002, they wouldn't have picked up the phone... it HAD to be something worth more than the bad press that could be generated!
--
Think about it ... not a rogue OS based off of MS code ... but thousands upon thousands of exploits would turn up thus any computer connected to the internet through a (sarcasm) "secure" internet connection would now be at risk.
Another hypothetical ... company A comes out with a product that can run all win32 binaries... this os is based off of the source code of windows but is a closed source project. This project is then suspected by MS ... but it would take illegal reverse engineering or a court warrent to confirm ... thus another downfall to MS.
One more question I have ... If MS is SOOO concerned about their code ... why the hell is it so easy to remote access it?
Ignore the "p2p is theft" trolls, they're just uninformed
I just left the navy after 10 years of service as a IS type. I can tell you for a fact that Windoze does absolutly nothing mission critical. They might use it for typing up some messages but all combat / intel / recon software is all based on unix in most cases HP.
Got Code?
Microsoft makes a living off not fixing problems that are brought to their attention in plenty of time. The security officer would probably get a bonus for adhering to company policy so well.
--
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Sounds like it's OK if accounts create themselves, as long as it isn't too frequent. Just when you get a lot of them is it indicative of a breakin?
Good grief! What were they writing? Software bloat as a protection against theft? So, if it's so big, how do they know it wasn't hacked?
I still can't figure out who would want Microsoft source code. Basing a new product on code you have transferred from another group is hard enough with their cooperation, basing it on a snapshop stolen from a breaking would seem to be pointless: you are better off starting from scratch.
Ah, the media fully buying into the "security by obscurity" approach. The underlying assumption is that any software must be so full of security holes that we couldn't possibly let people look at the sources. How clueless.
I don't think one could have written a better satire if one tried. It is sad, however, that technical reporters write this kind of drivel as serious reporting (probably directly copied from some PR releases) and people in power believe it.
Well, looks like they still have some bugs to iron out before 2001. Does this mean Office 2001 will be delayed?
Many posters have noted that Microsoft's source code is notoriously bad, and from what code I've seen (i.e. what they distribute with their SDKs) they're right. The whole thing is one gigantic ugly hack -- they're living in a world where strict C and object-oriented C++ mix freely, and the only thing they do consistently is their stupid variable naming scheme. People whine about Netscape 4.x being an ugly hack, but Microsoft code is much much worse -- it just has the advantage of loading at OS boot time.
That said, there's very little anyone could pull from any source code they got. Picking it apart looking for weaknesses or trade secrets would be fruitless -- picking apart the source code to their DirectX demos is bad enough, let alone a whole OS. Even before you figure in the legal issues, it's much easier to just reverse engineer the blasted thing.
What's important here is now Microsoft has to admit that their products are exploit-ridden. One of the greatest problems that computer security advisors have had recently is Microsoft's attitude towards the VBScript exploits; basically, they think that their codebase is good enough as is, with maybe a few patches needed here and there, and if in the meantime a few exploits make their way through then tough. (In fact, security experts rightly point to Outlook Express as the sole reason that worms like Melissa can even exist.) After all, the Microsoft PR people say, it's good enough for us.
But now someone has forced them to own up to the fact that the security in their products is a joke. Before this exploit, Microsoft spent many a PR dollar blasting Linux for the 'inherit insecurity' of its open-source nature, pointing to the fact that Microsoft itself uses Windows NT/2000 for its servers and nobody's broken into them before. Now that's all changed, and someone has shown that not even Microsoft can trust their own products for maximum security operations.
The irony is that Microsoft has become a victim of its own policy -- if it works for the most part, there's no point in patching up the little security holes. Well, guess what -- those little security holes added up to one major security hole that struck Microsoft at its core!
So what does this mean to the average consumer? It means that Microsoft is going to have to work really hard to fix up its codebase. After such a high-profile attack, Fortune 500 companies are probably going to think twice before using Microsoft software for mission-critical operations. Microsoft really is going to have to prove itself in the future, and that means no more quick-fix patches to security holes that fix one hole but don't really fix the overall problem, like the series of IE and Outlook Express patches that come out after every new ActiveX or VBScript exploit is revealed.
I'm pretty sure it was Stewart Brand. There's a reference to it here
/.
The full quote is "Information wants to be free. Information also wants to be expensive. Information wants to be free because it has become so cheap to distribute, copy, and recombine -- too cheap to meter. It wants to be expensive because it can be immeasurably valuable to the recipient. The result is a tension that will not go away."
It must be true - I saw it on
That end quote is sort of misleading. From what it sounds, this attack is nothing new - and it didnt first happen at the top. What's more interesting, and accurate, is that even with so much experience in worm vulnerability, Microsoft was not able to protect themselves from the threat.
Couldn't help but notice that the story first said "trojan virus" and then later, "worm virus."
Nice to see that these "techincal" jounalists are have been keeping up with the lingo.
JOURNALISTS: You must choose between the words virus, trojan, or worm. They have different, but related meanings.
Also I'd like to applaud the media for finally giving some attention to a *real* hacker, and not some script kiddie. And d00d with the t00lz can shut down a poorly-maintained website, but it does take a bit of time and skill to track down a Micro$oft employee, find his home computer, and go looking around from there. From the sound of the article, they don't provide any evidence that any code was actually taken or downloaded, just that there is a very high probability that he got to glimpse at some of it, which they remind their readership in every other sentence.
Here's what you could do with it:
Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?
If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.
That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?
RIDGEWOOD, NEW JERSEY -- Copyleft, an open source company that has made a significant effort to support the free software community with financial contributions financed through online sales of "geek chic" clothing, is poised to announce its new winter fashion line. Though no details are yet forthcoming, it is believed that central to Copyleft's new offerings is a blue cotton wedding dress with a thirty-foot train. When asked why, management denied comment except to mumble about needing more space to work with. Rumors of an apparent connection to Microsoft's recent break-ins and code theft remain unanswered.
-- Anne Marie
- It's going to be a lot easier to find security holes in Windows if you've got the source code. Of course, in Linux this cuts both ways because the good guys can find and fix them much more easily too, but Microsoft aren't likely to be taking patches any time soon
:)
- Having the source code would make figuring things out for interoperability purposes much easier for projects like Samba and WINE. Of course, neither of the above projects would use knowledge obtained from the crack (if the crackers actually downloaded any code worth looking at) - the legal risk is simply not worth taking.
- Finally, the Windows source code could get audited for code that really shouldn't be in there, such as unacknowledged BSD code, or any GPL'd code. I very much doubt that it actually contains any, but . .
.
So, yes, it *does* matter, but not in the ways the general media think.Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
Everyone is focusing on releasing Windows source code on the internet or basing products on that code. These I think are unlikely.
Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself.
With everyone and their sister using Windows these days, this could give a hacker access to most every industry out there. And given the loose security between MS products, the new code could be in Office, Explorer, Outlook, almost anything. So the hacker downloads heaps of source code from a variety of MS products, finds a good location to insert this code and then modifies and sends a bit back. In amongst all the code that MS has to manage - most of which I'm sure they rarely look at, who would notice? How hard would it be to find?
Has the next MS product you plan to buy already been compromised? This I think is where the concern should really lie...
Oh, come on. Are we honestly expected to believe that this is the first time this has happened? This sort of thing goes on all the time, they even admitted it earlier in the article. Perhaps this is the first time it's happened to a really large corporation that's then let it the information leak out to the public, but the first time it's ever happened?
Oh I dunno, how 'bout looking for lines such as...
/* They should be using Media Player anyway */
if(realAudio())
breakRealAudio();
/* Dang hippie OS */
if(linuxPartition())
corruptRandomLinuxBlock();
-----
Zennie
By the end of this week, the story will be that an employee got the flu and was home sick for a few days. While working from home under the influence of prescription drugs, he accidently renamed a user account which set off a few alarms, but everything is well because no product deadlines will slip because of it.
The account given by Microsoft officials to the Times also cited the use of QAZ Trojan. Computer security experts said QAZ was a well-known worm virus that first surfaced in China several months ago.
So the QAZ trojan is a well-known worm virus. Glad we got that straightened out.