Slashdot Mirror


Different View Of MS Code Theft

LowneWulf writes: "I found this to be an interesting perspective of the previously-mentioned M$ hack, from this article from MSNBC. State of the art security? Companies held for ransom from stolen code? Notorious multi-million dollar thieves out of Russia? Anyone heard about these? How about how someone who had the ability to create accounts on the network, if the incident only did last a week as the article implied, could only perhaps have a 'brief glimpse of the source code.' I don't know about you, but even on a 2400 baud modem, I think I could probably download more than a glimpse." Among other things, this story hints that MS may have been compromised through an employee's home computer, and quotes Howard Schmidt, Microsoft's corporate security officer, as having ruled out a connection between the recent breaches and ones in September.

17 of 269 comments

  1. Bollocks until proven by chazR · · Score: 5
    I have followed this whole story in a desultory way. Now, I think it's time for some journalism. Only I'm too lazy to do it. But, if I were a journalist these would be my questions:

    Where did the initial allegation (MS hacked) come from?

    Is there more than one verifiable source?

    What made MS admit to the crack? (They didn't have to - they could have denied it)

    The QAZ/Russia stuff? Who is the source? I haven't seen the MS logfiles. How do we know it waz a trojan posting "some data" to Russia?

    Which journalist/journal is prepared to stand up and say "This happened - I believe it - here is my evidence."?



    Question: Why would *anyone* want to steal MS source code. They are happy to *sell* access for a small fee (100k+ last time I asked - which is chump change)

    Who could benefit from a source release? (Answer - any *professional* cracker who wants to crack MS run boxes). I'll leave you to work out the consequences of that. But *my* NT/2000 net-facing boxes are running home to Solaris/HP-UX/AIX/OS-400

    And, finally: MS admitted it. So, there must be evidence that it happened. Where the fuck is this evidence?

    Pissed posting pisses people off. Perhaps people posting pissed should perceive the pseudo-plenipotentiary powers of the powerful people who perform peer-review. Or not.

  2. If you see this ad, be suspicious... by Michael+Jennings · · Score: 5


    New Operating System!!!

    Winski 2000 by MicroSlav

    Operates just like Windows 2000!

    Only 20 rubles. Put the money and your email address under the trash can on Ivanoff Street.

  3. Hacker was just playing the numbers. by BlackSabbath · · Score: 5

    It is interesting to note that the break-in was committed using an "old" trojan (ie anti-virus products were detecting it since July). Why? If you were trying to hack into some pretty big IT firm you would have to assume that they have SOME sort of anti-virus/content vetting software. However, you might also assume that among the thousands of staff, there would have to be some that decide (for whatever reason) that they don't need to be running the company's mandated anti-virus product because of "XYZ" (insert completely lame excuse here, probably related to "This is meant for those DUMB users not ME").

    Knowing this, it is just a matter of playing the numbers and eventually...BINGO! And of course if you spread out your attack over time, the failures would stay below the "Danger Will Robinson!" threshold. (Any sufficiently large and hated IT firm would have to expect a certain number of "incidents" over time - these wouldn't cause any undue alarm unless the density was high enough or there was a detectable pattern). Good ol' human engineering. You just can't protect against it. All you can hope to do is detect it quick enough and run your business such that you don't "have" too much info which if it got out would drive you under (can anyone say open source?)

    What is REALLY interesting is the motive? Why would you do it? To improve WINE/SAMBA/XYZ??? I doubt it. These guys won't be touching any significant new changes with a ten foot pole for a while I bet. The competition? Why? What possible advantage could be worth the risk?

    If it's not just some dude who wanted to be the first to "plant the flag", then my money is on the mob. Why not? Just imagine how many buffer overflow bugs someone like Georgi Guninski (check out NTBugTraq) could discover with a good peek at the code. You could then use the knowledge when/where-ever. Alternatively, instead of using this knowledge themselves they may pass on the source to the "highest bidder" which would probably include the usual suspects (middle eastern "terrorists" etc).

    Just my 5 rubles.

  4. Obviously the security advisor by bugg · · Score: 4
    Doesn't want it to be linked to an earlier compromise. There would be a lot of egg on his face if the problem was brought to his attention earlier and he didn't fix it.

    The Chief Security Officer is trying to cover his ass. Take what he says with a grain of salt.

    --
    -bugg
  5. US Trade Secret law by chazR · · Score: 5

    MS code is a "Trade Secret".

    It is still a "Trade Secret" even if it is stolen, posted on the web, displayed on billboards, whatever. This is OK until you *use it*. Then, you're screwed.

    If MS can prove to a court (in the US) that you used their trade secrets, and that you knew that you had acquired their trade secrets illegally (which *well* includes downloading the source from an FTP site), well, then you are so shafted it's unreal. Can you say "Punitive damages"? 'cos that's what you'll be paying.

    All MS have to do to protect their trade secrets is to exercise "reasonable care". Now, try and prove they didn't.

    FACT: Stolen secrets are still secrets in law. Half-witted sophistry doesn't change that.

    The other half of the quote is "Information wants to be expensive" - Don't quote the popular half until you understand the context

  6. Of course it does, forget commerce for a second. by Chris+Johnson · · Score: 5
    MS Windows massively monopolizes not only the consumer sector, but huge chunks of the military as well. Hell, _ships_ run off Windows, the Air Force is totally full of Windows, and who knows how many other countries in the world are totally standardised on Windows.

    If Russian military intelligence got to go over Microsoft's source code with a fine-tooth comb (or anybody- I only say Russian because apparently that IS precisely who's going over the code now), they would be able to conduct information warfare much more effectively, whether or not there are intentional backdoors- if there aren't, all the military spooks would have to do is dig up overflow exploits and the like. They have the code, and lots of people find ways to do this even _without_ the code.

    They're not interested in fixing it, selling it, posting it on the net or anything of the sort. Their only concern is being prepared to take all of American military IT _down_ before the missiles are launched. (And again, America doesn't have to be the target- any country with a modern computerised military could be the target.)

    The problem with lazy-ass monopolised security through obscurity is just this: now there's no security at all- odds are, some country (possibly not even Russia?) now has what they need to be able to take out any and all Windows-based IT at will. They're not going to be filing bug reports, or _using_ their techniques, unless they are seriously taking action. The only defense against this is to persuade Microsoft to either open their process to outside auditing (for instance, the NSA or the military), or to ask Microsoft to please fix any bugs that might be a weak point in this sort of attack.

    *bitter laugh* riiiight.

    I want my country's military off Windows, dammit. Now. All that is _compromised_. It's one big trojan horse because of Microsoft's arrogance and belief that they are SO SMART that they don't need to let anyone else into their process.

  7. Microsoft Security = not much by Anonymous Coward · · Score: 4
    Today I'm going to tell you a little bit about Microsoft's physical security. Or, how J. Anonymous Coward walked into Microsoft and walked out with confidential data. (And a very large quantity of free Coke.) Unfortunately, I have to leave out a lot of details so as to protect the poor innocent M$ employees who did nothing wrong except choose the wrong employer. Also since this took place in 1998 some of this information may be out of date.

    I wasn't even looking for confidential information. Just turns out that I knew a couple of people who happened to work at Microsoft, and so I decided to pay one of them a visit at their office in Redmond, while I was vacationing in Seattle.

    Now at each entrance to each M$ building there are Honeywell card readers, and each employee has a matching Honeywell card that opens the right doors so he can get to work. With the building I was at there is a front entrance and then a foyer with a receptionist's desk. During the day you have to get by the receptionist slash security guard to the second set of doors, which you also have to swipe your Honeywell card at. (At the building I was in, the receptionist desk was inside the second set of doors.) At night there isn't a receptionist or security guard, you just swipe both sets of doors and you're in. And once you're in a building you can go practically anywhere in that building; there aren't any other security checkpoints.

    If you lose your card you can use the phone next to the card reader on the outside to call in to the receptionist, or to call your friend inside to let you in. This is how I got in. I called my friend's 5-digit extension and they came down to get me. (That's 2-xxxx inside; 425-882-xxxx outside.) There are refrigerators stocked with Coke (and Pepsi) products on nearly every floor. Just help yourself. There are also random arcade games, Ping-Pong and billiard tables scattered around. Each person has their own office, small as it may be; a few people share in some areas.

    Anyway, inside, they have large supplies of blank CD-R's. All of them were factory labeled with the Microsoft logo and the words "Microsoft Confidential" and some other legalese. They are half blue and half white. And most of the developers that I met had their own burner.

    I'm quite sure you can figure out the rest from here, and these are the details I have to omit. I can say it has something to do with caffeine's diuretic effects on developers. But I will provide a few other details for you.

    Microsoft has their own security people. At night they go around and turn off all the lights in the buildings. Only they do it from the outside, via remote control. I think the system uses RF. (If you're inside, you can turn them back on, though. And be careful, they even turn off the lights in the bathrooms, and the switch can be hard to find. In the bathroom I used, it was about eight inches higher than I expected it to be.)

    Microsoft has an internal server with pre-built installers for most (all?) current Microsoft operating systems, applications, etc. If you need something, you just open the network drive and get it.

    Microsoft's firewall prevents people internal from connecting to certain outside sites. In 1998 this included netscape.com (but not mozilla.org).

    Certain parts of Microsoft source are written in C and/or C++, and these parts are LITTERED with gotos. I mean they're everywhere. It's almost like they'd never heard of do, while, break or continue.

    Anyway, that's my story.

  8. Core products? by Tony+Shepps · · Score: 4
    "Microsoft said it was not part of the company's core products."

    Now I'm *really* intrigued. What constitutes a core product? Wouldn't it be interesting if certain languages were "core" and others weren't?

    How would you feel if you paid $600 for Project to run major development work... or used Visual Basic to develop critical code for your company... or

    If the cracker picked up Notepad, they wouldn't have asked for FBI help, would they? If it was MS Baseball 2002, they wouldn't have picked up the phone... it HAD to be something worth more than the bad press that could be generated!

  9. MS Code ... by SuperDuG · · Score: 5
    Hypothetical ... but what would happen if the windows source code was released onto the internet ... (ie DeCSS) ... even if it was deemed illegal and the distributors were arrested ... the code would still live on and become what might be the downfall of MS.

    Think about it ... not a rogue OS based off of MS code ... but thousands upon thousands of exploits would turn up thus any computer connected to the internet through a (sarcasm) "secure" internet connection would now be at risk.

    Another hypothetical ... company A comes out with a product that can run all win32 binaries... this os is based off of the source code of windows but is a closed source project. This project is then suspected by MS ... but it would take illegal reverse engineering or a court warrant to confirm ... thus another downfall to MS.

    One more question I have ... If MS is SOOO concerned about their code ... why the hell is it so easy to remote access it?

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
    1. Re:MS Code ... by Anonymous Coward · · Score: 5
      the code would still live on and become what might be the downfall of MS

      As an ex-employee... all I have to say is "yeah, right". The level of cruftiness in certain codebases (NT, and Visual Studio, for example) is astounding. When I first started there, I was amazed that it worked at all.

      And nothing says backwards-compatible-lovin like working on a file with a creation date over a decade ago.

      Let's just put it this way: those who had access to MS source code probably didn't have a clue what to download or what would be useful. And even professional developers would have trouble making heads or tails of most of the MS code, even with complete access to it. With just bits and pieces, you could probably do better getting a non-tainted hacker (ex: Jeremy Allison) to explain it to you.

      Remember awhile back, when crack dot com fucked up and someone managed to download the Quake source code from them? As a person who got a copy of this, I can tell you that it wasn't particularly useful. Without documentation, and without Carmack to tell you what the hell is going on, it would've been a tremendous task to go through that spaghetti and figure out what it was doing. I could understand most of the low level video functions and that sort of stuff, but when you get into the BSP and internals of the engine - no way.

      And that was just a drop in the bucket compared to the MS source code behemoth.

      - AC for obvious reasons

  10. The ships run on unix by codepunk · · Score: 5

    I just left the navy after 10 years of service as an IS type. I can tell you for a fact that Windoze does absolutely nothing mission critical. They might use it for typing up some messages but all combat / intel / recon software is all based on unix in most cases HP.

    --
    Got Code?
  11. Oh I don't know about that by xant · · Score: 5

    Microsoft makes a living off not fixing problems that are brought to their attention in plenty of time. The security officer would probably get a bonus for adhering to company policy so well.
    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  12. Right out of some satire by jetson123 · · Score: 4
    From CNET/AP News:

    "We start seeing these new accounts being created, but that could be an anomaly of the system," Miller said. "After a day or two, we realized it was someone hacking into the system."

    Sounds like it's OK if accounts create themselves, as long as it isn't too frequent. Just when you get a lot of them is it indicative of a breakin?

    If any attempts to download or transfer the source code were made, such activity was not recorded in Microsoft's logs, Miller said, adding that it is unlikely any source code files were copied because of their immense size.

    Good grief! What were they writing? Software bloat as a protection against theft? So, if it's so big, how do they know it wasn't hacked?

    Microsoft's source codes are the most coveted in the multibillion-dollar industry.

    I still can't figure out who would want Microsoft source code. Basing a new product on code you have transferred from another group is hard enough with their cooperation, basing it on a snapshot stolen from a break-in would seem to be pointless: you are better off starting from scratch.

    With access to these software blueprints, competitors could write programs that undermine Microsoft--or use the data to identify vulnerabilities, making computer break-ins and virus writing easier.

    Ah, the media fully buying into the "security by obscurity" approach. The underlying assumption is that any software must be so full of security holes that we couldn't possibly let people look at the sources. How clueless.

    I don't think one could have written a better satire if one tried. It is sad, however, that technical reporters write this kind of drivel as serious reporting (probably directly copied from some PR releases) and people in power believe it.

  13. Re:Source Code Obsession. by finial · · Score: 5

    Here's what you could do with it:

    Let's say it was someone who isn't really after Microsoft code just to get the new Microsoft code. It could be someone after Microsoft code to find security flaws in older, installed products. Products that Microsoft is no longer updating yet are still installed on many, many machines (like Windows 95 or NT3.5). If, by reading (not downloading, not uploading, but just looking at) the code, they can find a hole, 85% (or whatever number they use today) of the desktop machines in the world are vulnerable to attack. Why risk going after Microsoft when you've got the rest of the world ripe for the picking and they probably don't even realize it?

    If it were me, I wouldn't waste time on "upcoming" or beta products. I'd go after the older stuff that's already installed, and therefore unlikely to be updated. Stuff that no one is paying attention to any more except to run things like, oh, Quicken or MS Money.

    That way, you don't have to DO anything with the code, you just use it to go after other things. Remember the security/ActiveX security flaw that let you enter a Quicken transaction using IE? How much easier would it have been to find if you had the source code for the underlying flaw right in front of you rather than poking around?

  14. New Copyleft clothes by Anne+Marie · · Score: 5

    RIDGEWOOD, NEW JERSEY -- Copyleft, an open source company that has made a significant effort to support the free software community with financial contributions financed through online sales of "geek chic" clothing, is poised to announce its new winter fashion line. Though no details are yet forthcoming, it is believed that central to Copyleft's new offerings is a blue cotton wedding dress with a thirty-foot train. When asked why, management denied comment except to mumble about needing more space to work with. Rumors of an apparent connection to Microsoft's recent break-ins and code theft remain unanswered.

    --
    -- Anne Marie
  15. I think people might have this backward... by JohnsonWax · · Score: 5

    Everyone is focusing on releasing Windows source code on the internet or basing products on that code. These I think are unlikely.

    Instead, what if a good hacker decided to drop a few dozen lines of code in amongst the 10s of millions or so lines in Windows to make it easier for *them* to hack. Why hunt down security holes, when you can code them into the product yourself?

    With everyone and their sister using Windows these days, this could give a hacker access to most every industry out there. And given the loose security between MS products, the new code could be in Office, Explorer, Outlook, almost anything. So the hacker downloads heaps of source code from a variety of MS products, finds a good location to insert this code and then modifies and sends a bit back. In amongst all the code that MS has to manage - most of which I'm sure they rarely look at, who would notice? How hard would it be to find?

    Has the next MS product you plan to buy already been compromised? This I think is where the concern should really lie...

  16. Re:Source Code Obsession. by Dharma · · Score: 5

    Oh I dunno, how 'bout looking for lines such as...

    /* They should be using Media Player anyway */
    if(realAudio())
        breakRealAudio();

    /* Dang hippie OS */
    if(linuxPartition())
        corruptRandomLinuxBlock();

    -----
    Zennie