Microsoft Admits To Backdoor In IIS [updated]

Ninkasi writes: "Here is a rather alarming article from Yahoo which claims that Microsoft has a backdoor password into IIS web servers running FrontPage 98 server extensions. Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet." The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin and advisory published on its corporate Web site." This is really just too perfect. Update: 05/14 07:48 PM by T : Actually, it is too perfect -- guess this particular possibility for built-in backdoors is old news. Sorry.

I disapprove of this.

I would recommend the installation of Apache server in lieu of IIS.

Apache, on the Internet's World-Wide-Web network at hypertext transfer protocol site www.apache.org, is the world's most popular Internet server for World-Wide Web services. Internet Information Services, on the other hand, is not. I have published additional guides on the subject, which can be purchased for $19.95 each.

Re:What is this password?

linuxcodersareweenies

It's the admission

We have all known about the back door for a while, but the date encoded in the URL is 2001 05 14. I can only presume that it's taken this long for Microsoft to admit to the backdoor. Admission is good. MS did the right thing, a year or so late!

Frontpage is for internal developers only

If you are an IT professional using Frontpage you should be fired. Everyone worth a bit knows that Frontpage is a toy that sucks. And you also don't install the InterDev extensions on production either. But this is shit about as interesting as Oracle's INTERNAL/SYSTEM login and password. I mean you have to be a professional.

Re:Frontpage is for internal developers only

[TheCarp]

Hmmm I have yet to be at a place where management was that clueless, and enforced its cluelesness on its employees AND thought to myself "Gee I want to keep this job".

In fact, when I have worked at such a place (no, I wont name names) I was thinking "Ok, I am gettin gout of here ASAP" and... I did.

Life is too short to work for the clueless. Its also too short to spend too much time doing boring jobs or spend too many hours working.

Oh well, to each their own. So many people work for the clueless, I have to imagine its because they like doing it.

-Steve

Re:Frontpage is for internal developers only

[SirGeek]

If you work in an environment where upper management only knows/trusts Microsoft you may have NO choice (not if you want to keep your job)..

Microsofties make better lovers

because they're experienced at going down several times a night.

Re:code review

[torpor]

Code reviews on a team basis are one thing, as are the inevitable bugs that slip through the cracks in this environment.

Backdoors which have been specifically placed there *by design*, as an implementation of corporate policy regarding control and access to 'fielded products', is another thing entirely.

Your company - Microsoft - has a particularly bad habit when it comes to shifty, underhanded policies such as this backdoor situation, and therefore it's not unreasonable to expect that the community at large raise alarm torches when holes such as this are discovered.

I don't disagree with you that security by peer review has its flaws.

But then, so does Microsofts' aggressive predatory business practices.

Re:What is this password?

[Xenophon+Fenderson,]

That's amazing! I've got the same combination on my luggage.

Rev. Dr. Xenophon Fenderson, the Carbon(d)ated, KSC, DEATH, SubGenius, mhm21x16

Okay...

[tzanger]

So they gave us the DLL with the offending code. I've not looked to see how big the DLL is but wouldn't it be pretty straightforward to locate the backdoor password now?

Re:code review

[Jason+Earl]

The fact of the matter is that, short of releasing source code, there is no way that your customers can be sure that there aren't any backdoors. For example, it would be much easier for your Dev team to insert a method called PayEntireDevTeam() than for one member to insert the mythical PayTim() method. For Tim to get away with the insertion of his method he would have to be more clever than all of the reviewers. But if all of the auditors were in on the backdoor then there is no defense.

I would like to think that Microsoft would be trustworthy on this account. But this is the same company that released a spreadsheet that doubled as a flight simulator. Quite frankly, I doubt that a whole lot of auditing actually occurs. And if you can convince a group of Microsoft employees that a flight simulator is an important feature of a spreadsheet, then inserting a backdoor should be child's play.

Re:oh please

[Jason+Earl]

Neither Linux nor Apache has ever had a security problem that was intentional. This particular problem wasn't a bug, it was a backdoor. Some clever coder at Microsoft even used a joke password.

At least with Linux or Apache there is some chance that someone else is going to catch something this idiotic. With Microsoft the problem apparently can remain unreported to the general public for years. Clearly there is a difference between some random buffer exploit and a backdoor that was specifically placed there by an employee and that was somehow "missed" in the code review.

Re:code review

[sheldon]

I disagree. Open Source Peer Review relies on a voluntary effort. Throw the source up on FTP site, and hope someone reads it.

Commercial software on the other hand frequently has frequent code reviews done internally. Other staff looking at code to fix it, or sometimes group code review sessions.

Re:code review

[sheldon]

"Get your head out of the sand, please."

Wow, I think maybe your tin foil hat needs some adjustment today.

Re:code review

[sheldon]

Oh blather. You attribute to malice what is obviously explainable through incompetence. It would be pathetically illogical to believe there was a Microsoft conspiracy to introduce back doors to all their software.

The problem with conspiracies is they fall apart the larger the group is who knows about it. Why just this week before Congress they are talking about Ted Olson's involvement in the vast right-wing conspiracy to discredit President Clinton.

Everybody pretty much even knew that existed, but couldn't pin down who was involved. Well now the evidence is leaking out because of one disgruntled former magazine editor.

And that was a conspiracy involving only a couple of dozen people.

Microsoft has thousands of developers, on the other hand...

Re:code review

[sheldon]

You should do a search on google.com for Aluminum Foil Deflector Beanie.

I think you need a replacement.

Re:Does illustrate the advantage of Open Source

[johnnyb]

That only works if the compiler can detect the routines which generate output. Given a new compiler or a significantly revised version of the compiler, this will not work. So, if I have two compilers, compiler A and B, I can use one to compile the other, and then compile the first one again, and I'll have a clean compiler.

Re:Does Open Source do Better?

[johnnyb]

Whoever you bought your product from. If I buy it from RH, they are responsible.

With free software you get whatever you want. You want access to the source? You got it. You want to pay someone else to be held accountable? You got it. Anything is possible.

Re:Does illustrate the advantage of Open Source

[Tal+Cohen]

Recompile? But wait, can you trust the compiler? Ken Thompson says you can't.

No. It is NOT perfect!

[Chas]

Okay, as much as I hate MS products and their lack of options, the revelation of this back door is NOT perfect.

It means that there's a bunch of poor bastards out there who're going to get their systems trashed because they believed in Microsoft.

Yes. This may be a wicked little ego boost to the mindless OSS boosters. But to everyone else, it's a pain in the ass and potentially VERY damaging to some people's sites/businesses.

So gloating to the point of calling this "perfect" is WAY off-base. And, frankly, I'd expected a little more from you guys.


Chas - The one, the only.
THANK GOD!!!

Re:Does illustrate the advantage of Open Source

[armb]

> This is an old story, sorry to rehash...

It's an old story AND THE LINK IN THE POST TWO LEVELS UP POINTS TO IT!

--

Re:code review

[Eivind+Eklund]

[On the idea of this being a hole introduced by rouge engineers, rather than Microsoft corporate policy]
Get your head out of the sand, please.

I believe, as the poster you replied to, that this isn't corporate policy. Not because MS says so (MS has close to zero credibility in my eyes), but because the backdoor was so stupidly executed. MS has a lot of good engineers - if this had been an official policy, it would have been nicely executed, and if uncovered would look just another random security hole. It would probably even be harder (but more reliable) to exploit than the non-intentional ones!

Eivind.

Troll??

[HEbGb]

Are you crazy? That was a great joke. Bravo.

+1 Funny.

Re:"Microsoft" "backdoor"

[Bob+McCown]

Wow, the goatse.cx link would be on topic for once....

Re:uV-ajeD

[Bob+McCown]

So.. Are Netscape engineers STILL Weenies?

Well, unemployed weenies I guess...

Re:uV-ajeD

[Bob+McCown]

So.. Are Netscape engineers STILL Weenies?

Well, unemployed weenies I guess...

Re:Does illustrate the advantage of Open Source

[ergo98]

Actually I use FreeBSD which is from a different (in fact that papa) fork than OpenBSD.

Re:Does illustrate the advantage of Open Source

[ergo98]

All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

Security.

While I can see the theoretical, practically this is not true. In practical terms almost no one actually analyzes the source with any intensity apart from the people who are the primary programmers (hence the ones who would likely be planting the backdoors). I do CVSups on my FreeBSD fairly frequently and I'm basically entrusting that machine absolutely and entirely to the FreeBSD CVS controllers (which of course means if they were compromised I'd be ownzed). I'd wager >99.5% of open source users are exactly the same way: You presume that because the source is available there are tonnes of selfless individuals busily auditing it, but the reality is quite different.

The simple reality is that most current software projects are HUGE and there simply isn't enough time in a lifetime for each of us to analyze all of the code we run with anything more than a cursory glance. And if anyone thinks they'll scan through and see

// Embed backdoor
if (strcmp(password,"REDHAT")==0) {
&nbsp &nbsp &nbsp iPriority=1000;
}
then they have a enormously naive impression of how a backdoor would be embedded in code subtly. For all you know a number of the software products you are running might be waiting for a magic byte string to come along when it bows to its real master.

hangs again..

[kreuzotter]

why does my netscape browser hang each time i try
to read the tuvit website?

Re:open source can have back doors as well

[josepha48]

While this is true, ther eis an advantage of open source. That advantage is that anyone can look at the source to find backdoors. Basically that you have the source and can search for user names and passwords. In closed source you do not have this option and you MUST rely on the vendor to provide you this information.

Question: How long do you think that Microsoft REALLY knew about this back door?

Question:How many systems have they accessed or could they have had acess to because of this?

While I agree that noone may have looked at all the source, I think it is a little more difficult for things like this to happen with open source.

As far as kernel patches go I think Linus does look at the patches as well they are usually reviewed by other developers and it is not a matter of here take my word. Besides you don't usually put usernames and passwords in the kernel you put them in other software.

Apache probably watches out for back doors pretty closely I'd imagine or at least hope.

I don't want a lot, I just want it all!
Flame away, I have a hose!

Re:Back Door?

[ethereal]

On the contrary, that's the first time that link's been on-topic in quite a while.

Caution: contents may be quarrelsome and meticulous!

Re:code review

[ArsonSmith]

Microsoft has thousands of developers, on the other hand... ...and how many over see the finial compile time?

hmm

my guess would be less than a couple dozen...

Re:code review

[ArsonSmith]

Ohh yea, good call on this one.

MY lord

[siberian]

Last week it was the IIS overflow bug, now its a low level password left behind. I love showing this stuff to potential clients, it always swings them from competitors to our lovely web farm...

Re:Should be fined

[Zico]

This is what passes for secure these days?

As opposed to the 46 security fixes for RedHat 7 in the 32 weeks since last October 4, the 6 security fixes for RedHat 7.1 in the 4 weeks since April 16, or the 47 security fixes for Debian 2.2 in the 18 weeks since January 10? I'll let you do the math and see how those averages compare to the one you got for your Windows 2000 installation.

And why would installing those fixes take you all day? I know the other guy who responded to you didn't know what he was talking about, but you don't have to reboot after each service pack or hotfix. Install them all from a script and reboot once after the whole thing is done. Because I'm such a nice guy and always helpful to newbies, I'll even get you started on a suggested batch file for you:

H:\Fixes\SP1\i386\update\update.exe -n -z -q -u -o
H:\Fixes\Hotfixes\Q260219\hotfix.exe -n -z -q -m
H:\Fixes\Hotfixes\Q267559\hotfix.exe -n -z -q -m
H:\Fixes\Hotfixes\Q267843\hotfix.exe -n -z -q -m
...
H:\Fixes\Hotfixes\Q293826\hotfix.exe -n -f -q -m

Note: I've expanded all my hotfixes and the service pack with the -x switch, which is why they're all in separate directories and run via the hotfix.exe command instead of the original name of the .exe file you downloaded. If you don't want to expand them like me, the switches above work just the same whether you're using the original, unexpanded .exe or hotfix.exe.

For the service pack (update.exe): -n = don't backup files for uninstall purposes, -z = don't reboot, -q = quiet mode, -u = unattended mode, -o = overwrite OEM files without asking.

For the hotfixes: -n = don't backup files in an uninstall directory, -z = don't reboot, -q = quiet mode, -m = unattended mode. For the last hotfix in your script, replace the -z with a -f, which forces all applications to quit before the automatic reboot.

Go take a leak, grab a coke, or whatever, come back in about 5 or 10 minutes, and your computer will be waiting for you to log in.

Cheers,

Re:Let's be fair

[Zico]

Um, no. You have a faulty memory. Allow me to show you how wrong you are. This news.com article from yesterday explains how this is a case of Yahoo! reposting news from a year ago. This news.com article from April 2000 contains the initial Microsoft reaction, and I quote, "Microsoft said its engineers included a secret back door including the phrase 'Netscape engineers are weenies!' in Web site authoring software that could allow hackers to gain unauthorized access to potentially thousands of Web sites." Once they actually looked at it instead of reacting to media questions, they realized there was a hole there but not some secret backdoor.

Know why you couldn't find that Yahoo! article anymore? Because they removed it after realizing they screwed up.

Cheers,

Re:Let's be fair

[Zico]

Hey, no sweat — seems like they're all substandard these days! ;)

Cheers,

Re:What I find alarming...

[HiThere]

I'm not sure why they insisted on removing that kind of comment. It's lots of work, and though the comment isn't ideally informative, it's sure better than no comment at all.

Perhaps many of their coders were under 18, and wouldnt' be allowed to look at the code?

Caution: Now approaching the (technological) singularity.

windows 95 backdoor

[meridian]

I know for a fact that there is another backdoor in at least windows 95. some time ago i got on the MS irc servers with a normal irc client and was doing stats and such on the server and found a channel an opper was hiding in. i obviously brought attention to myself. i was doing nothing but ircing on my connection. seconds after joining the oppers channel i noticed my modems send light going at full ball when i was doing nothing but idling in this channel on irc. my belief is that the opper sent some command to download my registry but i am not sure exactly what was being sent. after about 10 seconds it had not stopped and i switched off my modem. that was a few years ago but i know i was not dreaming it. it was also very near to the time when connecting to msn caused your registry to be sent, which is why i assumed it was my registry being sent to the MS irc opper. as an aside i have also posted info previously about win2k sending out multicast data to a MS owned ip during win2k installs, incase your interested :)

Back to the Slash Dotcasting Company

[PRickard]

...and that was today's episode of As The Massively Obvious Security Hole Turns, brought to you, as always, by Microsoft! 'Microsoft - What Do YOU Want To Crack Today?'

[annoying organ music]

Kids, don't forget to send in those Ovalteem labels for your free Windows XP Product Activation DECODER RINGS!

Tune in next week for our latest episode - Ballmer's Big Blunder!

[more annoying organ music, followed by station identification]

Re:M$ Easter Eggs

[sharkey]

Really. I've never seen that picture, just the one after Bill has left.

--

Re:Does illustrate the advantage of Open Source

[TWR]

You misunderstand Ken Thompson. In fact, he's proving the point about Microsoft's closed software. He is pointing out that you cannot trust one source for all of your software. The compiler and the telnet daemon were both written by the same person, and he put in the back door in both.

MS selling you the OS, the compiler, the web server, the mail server, the database, the office applications...it's a very dangerous situation if your company takes its privacy seriously. Combine that with Microsoft Passport and Hailstorm and you'd have to be either psychotic or stupid (possibly both) to use .NET.

-jon

Re:Does illustrate the advantage of Open Source

[TWR]

I take it you are being dense on purpose.

The problem with using Passport and Hailstorm on top of using IIS, NT/2000, SQL Server, Exchange, Word/Excell, MSC++, etc. is that you don't know what back doors there are in these apps. They are all getting more and more integrated together. Do you packet-sniff your lines? Are you sure what data is being sent where? Do you know what extra code is being placed in your code by MS' C++ compiler?

I'm not saying there are back doors, or even that MS _as a company_ wants to do that. But there are 30,000+ Microsoft employees. All it takes is a couple of programmers in a couple of different departments, working together to put in a set of related trojans. With millions of lines of code, they'll probably slip through code reviews. Heck, with some misleading comments in the code, they'd pass through a code review pretty easily.

How much effort would it be for someone to add code to Excel to automatically email any document which has the words "Payroll Report" in it? Cross-reference the names with people who have Microsoft Passport accounts. Maybe we can find some direct deposit records and have those automagically sent off. I could probably get a fairly complete picture of all information about you, to use as I see fit.

Paranoid? Maybe. But it only takes a couple of rogue programmers.

-jon

Re:open source can have back doors as well

[Felinoid]

>Has anyone look at everyline of code in KDE or the linux kernal itself...

Linus and AC have.. but then some Q&A person reviewed every line of Windows code so that dosn't really help.

There are two advantages with open source.. even more so with open source Unix like systems..

You can fix the software.. or you can toss the software.

You are quite familure with the "fix" option.. So let me run over the "toss" option.

With free software (it dosn't need to be open) you invested no money so in tossing the software you aren't throwing money away.
Let's say Linus starts blamming application programmers and end users for defects in Linux. (Ahem.. Microsoft.. Ohh not that Microsoft was the first or only.. Just the best example today..)
Ok so now what? Well you dump Linux... How? I mean I invested umm well.. nothing...
Ok yeah but all my Unix code...

UNIX code.. Switch to BSD.. make some tweeks if nessisary..

At the apps level same deal. If the develuper starts acting goofy and untrustworthy then dump the bad app and switch to something else.

File format issues...
When writing code you almost always come up with something to save that the current standards don't recognise. The solution is simple.. enhance the existing standard or write your own format.
It is usually easyer and better to just write your own format.

Rarely (if ever) is this format documented. Open or closed. The user dosn't need it.
If the user needs to switch from one app to annother he needs to convert his files from one format to annother... No can do mister..
With open source you CAN read the source and discover the format. From there it's pritty brain dead easy.

So basicly open source software has an easyer escape path.

Solarus is pritty blasted secure. But if that ever changes you may have problems.
(Being Unix escaping Solarus is easyer than escaping Windows)

Basicly Unix/Posix and open source provide escape paths that tend to be cut off by closed source propritary systems.

Proper Q&A

[Felinoid]

On the older topic the issue of Q&A procedures came up.
A lot of people see open source as being so great becouse you can fix the bugs when the software breaks.
The objective of Q&A is to fix the bugs so when you get the product it is already working.
If the code is writen correctly Q&A can do it's job..
A point was made (in a very crude way) that poorly writen open source isn't going to be easyer to fix under "many eyes". Weak fradual code is going to break no matter what system you use to fix it. Making ANY changes breaks the code.

I should now mention one of the OTHER advantages of open source...

In reality there is only one thing you CAN do with poorly writen code... toss it...
But when you invest $100 to $1,000 into software you are stuck with it.
Having spent no money on the software you downloaded and installed you can throw it away.
I'm sure a lot of open source develupers would prefer you didn't consider this option but it is valuable to know that you are not stuck with it before you get a chance to try it out.
(This is the whole guiding idea behind shareware.. Try before you buy. Freeware has this same advantage. Actually you have this advantage with video games in some cases if the store carrys a console with the games running)

So in short bad products that are byond repair can be disposed of in open source.
Now it would be munch nicer if coders would just not make crap code to start with. Open source dosn't prevent it any more than closed. It's just easyer to dispose of.

Re:Let us not forget the NSA backdoor theory

[alfredo]

You are right, the NSA would be much more discreet. One thing one must remember, the smaller the circle, the less chanced for compromise.

I would be surprised if the NSA didn't use MS products as a mole. As far as letting MS know, I doubt it.

If MS uses the exploits for industrial espionage, I don't know. But I am sure they are tempted. It would be hard for them to resist checking out what some competitor or law office is up to.

Vigiles Salutis

Whats wrong with the comments?

[FatSean]

Guess I better start purifying my code then!

Oh, very true, however . . .

[Badgerman]

Oh, as a programmer I realize Open Source also means Tons Of Code to Worry About. However, it still presents an advantage over Closed Source in that there is the opportunity to look through the code and the opportunity to adapt the code, and a different developmental mindset.

Not a perfect deterrent to potential abusers, but at least one that is there. Hey, I'll take what I can get.

Does illustrate the advantage of Open Source

[Badgerman]

All things aside, all questions of Linus, Bill, Mac, etc. aside, the Microsoft backdoor does illustrate a major advantage of Open Source:

Security.

Don't like the security? Change it. Don't trust a program? Check it then recompile it. Found a flaw in security? There's a good chance someone else did and has a fix.

Now I'll be first to admit that I feel MS products are not as bad as portrayed. I feel people bash them for the sake of bashing them. But Microsofts policies and attitudes, and now this debcale . . . that's highly bashable, that's indefensible.

Let's hope this story gets smeared all over the world news - and especially in those countries looking at Open Source as an alterative to Microsoft.

Re:Does illustrate the advantage of Open Source

[Lozzer]

Anyone who thinks their Java is safe should try running some class files through JAD. You'd be surprised how complete a decompilation is usually available.

Re:Does illustrate the advantage of Open Source

[sg_oneill]

How is this guys post a Troll. It's a pretty fair comment actually
However I might add, that using Apache soap-mod, or any RPC ... or network anything for that matter .. is dangerous once you've introduced a packet sniffer and some methodology for actually decoding it. Soap of course is hideously readable, not surprising in that XML is designed to be , self documenting
Truth is you can't trust anything.. Except yer sweet old self.
Btw. Soap is a pretty cool technology, It'd be even cooler if MS didn't stuff it to the hilt with variant junk. Weak typing has reeeealy gotta go.

Re:Does illustrate the advantage of Open Source

[papskier]

Please explain how .NET != Web Services

If it's not at all related to Web Services, then somebody might want to notify MS of their frightful misnomer (to me, the name .NET would be the first tip off that it's dealing with web services... but of course, that's not necessarily anyone else).

Re:Does illustrate the advantage of Open Source

[dachshund]

You misunderstand Ken Thompson. In fact, he's proving the point about Microsoft's closed software. He is pointing out that you cannot trust one source for all of your software.

Which is funny, as I remember a story about Ken Thompson (it may actually have been one of his colleagues) building a backdoor into the password program. It was so cleverly embedded into the system that even if you rebuilt from clean code it would still be there-- because the hack was embedded in the compiler itself. This is an old story, sorry to rehash...

Re:Does illustrate the advantage of Open Source

[Computer!]

Funny you might say that, since basically anyone writing .Net apps is writing open source apps, whether they like it or not.
Also, Passport is a subset of Hailstorm functionality. Please explain how Microsoft providing these services as Web Services impacts a decision to use .Net (a completely seperate concept from Web Services). Since Windows was written in C++, should we not use C++?

Re:Does illustrate the advantage of Open Source

[Computer!]

OK, now you're trolling. First off, none of what you said is actually in reply to my post. My post was posted in order to post one thing: that .Net is not the same as Web Services, which in turn is not the same as Passport, which is still not the same as Hailstorm. Some of these things are independent of each other (like .Net and Web Services), and some of these things are built one off of the other (like Hailstorm and Passport). So then you got off on some rant where Excel programmers are emailing users' spreadsheets to each other without the consent of the users of Excel. I can adress that point anyway, 'cause I'm versatile like that. Yes, you are paranoid. For several reasons:

1. Unlike in the Open Source community, people who want to work on a product team at Microsoft actually go on a job interview. They are interviewed over the course of days, for hours at a time. They are forced to code while being watched. They are drug tested and background checked. I know, I went on one (no, I was not hired. It was for the consulting group, and I didn't have enough eperience as a billable employee. Boo Hoo.). In short: they are good. Real good.
2. Yes, it's true that some malicious or shoddy code could slip through, and it does. Why would this not happen in Open Source projects? Because everyone who uses Open Source reviews the source code before they compile it? Nope. I bet 99% of the installed executables on your machine are a complete mystery to you. Because that number is %1 higher on my computer, I'm an idiot?
3. Unlike Open Source programmers, Microsoft programmer's code=their careers. You'd have to be insane to ruin your career over putting a stupid backdoor in Excel. Meanwhile, Open Source programming is a hobby. Who's going to get fired for screwing up Apache?
4. Because closed software is paid for, there is a level of legal recourse for users who are affected by malicious programmers. With Open Source, you sign your life away by clicking on "Accept".
5. "Rogue Programmers"? Funny. The Open Source movement is based on "rogue programmers" "bucking the system" and "doing it their way". I'm more afraid of some 7337 4@}{0r coding my office apps than some cube jockey up in Redmond with his manager up his ass.

So, your scenario is possible, but the programmers responsible are sent to jail (since MS would know who put in the backdoor within moments), and users get to sue MS for damages. It's just as possible in Open Source, except that nobody knows who did it, and nobody gets to sue.

Re:Does illustrate the advantage of Open Source

[Tech187]

The difference is that people who use Microsoft are relying on a big anarchic corporation to review their code. Anybody who tries to slip something in that shouldn't be there will be narked on by someone else who wants a raise for doing so.

You're instead using OpenBSD, a project run by a few individuals in a more laid-back fashion. The head of said project is a well known Usenet troll with a major chip on his shoulder, who was thrown out of the NetBSD Project for his bad behavior.

Yeah, you've made the right choice. Uh-huh.

Is it just FrontPage?

[The+Cat]

Is this dll only included with the FrontPage extensions, or is it part of IIS normally? Frankly, I've never been a big fan of the whole "FrontPage" system, the program or the "extensions."

As far as I can tell, FrontPage extensions make as big a mess out of a web server as FrontPage itself makes out of its HTML. :)

Re:Is it just FrontPage?

[loraksus]

just frontpage extensions. The same ones that default to god level access to everybody by default.
IIS isn't that bad. Frontpage is the problem.

The slashdot 2 minute between postings limit:
Pissing off hyper caffineated /.'ers since Spring 2001.

I'm a fanatic

[Hugonz]

Sorry I'm a fanatic, but "Closed Source" sounds so harmless.

Please say "Proprietary Software" as it whould be....

Hugo

should have known

[cruelworld]

If anyone manages to get their hands on Bill Gates laptop his screensaver password is "netscapesuxs"

Re:Who are the "security experts"?

[Klaas]

I get "about 11,200" for apache and "about 7,440" for IIS on Google. Apparently all those hax0rs have been working too hard. Google will tell me how to ownz servers thousands of times over.

Hrm..

[arkham6]

I guess this blows the 'More secure than linux out of the box' concept out of the water.

Re:Hrm..

[Geekboy(Wizard)]

As long as it stays out of the box, then it is very secure.

Because we went through this last year

[SEWilco]

Actually, the URL of the Yahoo article includes "20010514". Today's date is 2001/05/14. Apparently it's new news at Yahoo.

The only date in the article or within the HTML is "Last Thursday", the same phrasing in the 2000/04/14 WSJ article. Microsoft's information is within this modified security bulletin.

Re:New or Old?

[powerlord]

Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implimentation "feature")

If you understood directories and group policies, you would understand why this is so. Of course, most people "happy to run Linux" don't get the purpose of directories (NDS, ADS or otherwise) to control and organize information within a company.

ÕÕ

I tried not to act like a zelot when I posted the message. I'll admit to being rather distrustful of MS, but I also included a link to their take on the issue, as well as a comment that they'd already provided both a workaround and a patch.

Okay, I'll admit I probably don't understand the idea of Directories and Group policies that well. I am mostly a normal user. I've been forced to do some system administration (NT/Unix) for my group due to both Budget constraints and available personel.

What I got out of the MS announcement was that Group policies over-rode system configuration settings. To me this seems like a bad idea sinse it doesn't allow a system level granularity to shut things off (unless I missunderstood).

Please, instead of just brushing off my comment as "You must know nothing", enlighten me. I'm actually curious and will readily accept both new knowledge, and new insight to old knowledge.

Re:I gotta ask

[powerlord]

From "The Big Guy and Rusty the Boy Robot" (ran out of room in the quote limit) From a Corporate head to the lead scientist as Rusty charges huge alien and gets squished (again). :)

Rethink on the question.

[powerlord]

It could fix things, I just don't think anyone would really notice, or pay much attention.

Although one could define installing Linux unasked malicious (I would even though I use Linux), and generating SPAM, or portscanning systems could be construed as malicious, I suppose the virus doesn't have to be.

Okay. I'll take the challenge (of design if not implimentation :).

For a virus to be non-malicious and still raise public awareness enough it would have to propogate itself (unchanged), but instead of wiping the targets hard-drive, or removing files, etc. it could generate a list of known vulnerabilities (as best as it can), that the target's system is vulnerable to, and e-mails it (or sets it up to run on reboot in the autoexec.bat and then after reading that doc, you can continue to standard bootup). This would 1) show people they are vulnerable, 2) detail (to some extent) they are vulnerable, 3) its non-malicious nature might allow it to propigate by "benign" distribution (as a security tool). I could see one person saying, "Hey, let me send you this file, it lists all the problems on your system". Avoiding the need to work on anything more.

Hmmm you make me wonder if instead of a virus the answer might lie in a Free/OSS P.H.D. Windows Security Audit Tool (phd = Push Here Dummy).

I'm not aware of one but I'm going to start looking. If it was "Cool" enough people would distribute it like they do other "Flash Programs" (not suggesting writing it in flash, just an example).

What it will take.

[powerlord]

I hate to say it, but what it will take is something truly vindictive. A worm on the scale of the ILOVEYOU virus, but with a truly destructive payload. The ILOVEYOU virus wasn't that destructive to most people. It targeted MP3s, and several Media files. Neat, okay. But it still left your computer usable.

Imagine a virus on this scale that does the following:

1) replicate itself through either e-mail attachment, or by forwarding a random encoded name (cut/paste algorythm from mailbox? past message with a "I'm not sure I sent you this" + Subject, replacing a link within the message for a poisened website/ftp site.

2) wipe all network attached drives

3) enter commands in the registries "RunOnce" section to remove the system files on the next reboot (these can only be done prior to their being loaded, otherwise the system tends to be persnickety about it). Don't forget things like the CMD/COMMAND shell.

4) (optional) attempt a remote access/infect of all machines within a given IP range (defined by SubnetMask?).

5) If you are using step 4 then move step 1 to here so recently hacked/poisoned web/ftp sites can be inserted into mail message preventing stagnation of link. For extra credit have the virus self-modify to include a running list of where its been (or what sites its tried to help cut down on duplicated effort. Short run log might also help trace back to source so the IP addresses should be normalized/sorted, not appended to the end. This will also help in updating the list as the worm moves).

6) You've done all the mischief you can. Now reboot the system to truly FSCK the end user.

This is just a broad outline, but seriously.
If this sort of thing happened, the results would be two-fold.

1) Definate: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not thier fault.

2) Less Likely: (but wishful) People might realize how security is iterative and valuable. It is much more tangeble than the social contract most of us assume it to be. We figure, "we're not worth it", or , "who would bother me?" and joke about security, but your average end user doesn't really care (ask the same person about 'air-bags' and see how much they do care if they feel vulnerable).

With the days of standard, High speed access in the homes, the scenario I outlined above is all to real and all too close to happening.

I guess this probably won't make much of a difference in MSFT server sales... unless the payloads are consistantly delivered via an MSFT server (or else the virus specifically targets MSFT servers by using some central warehouse of net accessable MSFT servers, like say netcraft).

P.S. I do not encourage AT ALL making the above virus. I think it would be a mallicious piece of garbage and would be the first on line to string the writer up by their anatomy. On the other hand I doubt I'm the first to think of this sort of thing so I have only slight quams about writing it down (the more who are concerned about it, the less likely it will come to pass), and there would (still) be major technical obsticles to be overcome, for a virus of this type to be created and released.

Re:What it will take.

[Leto2]

That's for the same reason C=64s are unaffected: No one uses them anymore!

/me ducks

Re:What it will take.

[HongPong]

I'd guarantee you that as usual, Apple Macintoshes would not be affected.

--

Re:What it will take.

[Pathos78]

If this sort of thing happened, the results would be two-fold. 1) Definate: People would be calling for blood (most likely taken out of the cracker/script kiddie who did this, and rightly so in my opinion). The software industry/media would view this as the work of a "hacker" and not thier fault. 2) Less Likely: (but wishful) People might realize how security is iterative and valuable.

Consequence Number 3: Law makers and 'responsible, accountable' software firms denounce the actions of these unruly 'hacker' types and take our computers away. Then "Anti-terrorist" laws are passed: gcc requires a three-day waiting period and a license. Don't give them the excuse.

New or Old?

[powerlord]

Judging by the content (sparse that it is) " Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software", it seems like this might just be a rehash of the old NetscapeEngineersSuck (reversed) (or whatever the string actually was).

While its nice to see MS finally admitting to this, unless this is a new vulnerability, it seems almost like someone is trolling either Yahoo and/or Slashdot (and succeeding).

On the other hand I did find out about a wonderfull and relatively new (Posted may 02, 2001 to CIAC) bug involving IIS 5.0, Windows 2000, and a buffer overflow (what else :) in an ISAPI extension for submitting/controling print jobs via HTTP that is enabled by default.

In Microsoft's defense, more information (in easy bite size portions that were a tad too sickening for me) are available here. They also have a patch to fix the issue (assuming you wish to maintain the service and not remove it). The patch will supposedly be rolled into Win2K SP2.

One last thing, an interesting side note is that they recommend modifying group permissions instead of just unmapping the Internet Printing ISAPI extension in the Internet Services Manager. Their reason?

Group policy can override the settings in the Internet Services Manager, so disabling Internet Printing via group policy provides greater certainty.

Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implimentation "feature"), and if I disable the option everything else that is bundled into the OS and that relies on that package will break (makes sense, but is equally scary). Makes me happy I run Win98SE and Linux.

Re:New or Old?

[duplicate-nickname]

Gee... so if I undo something on the windows panel, it may not be undone because the group properties take precedence over the systemwide settings (doesn't make sense as an implimentation "feature")

If you understood directories and group policies, you would understand why this is so. Of course, most people "happy to run Linux" don't get the purpose of directories (NDS, ADS or otherwise) to control and organize information within a company.

ÕÕ

Re:New or Old?

[Caspuh]

Because policies encompass more than just permissions.

Re:New or Old?

[jeff13]

If you understood directories and group policies, you would understand why this is so.

What??? It's basic you Microsoft wog. As someone who works on an IIS network, I can tell you without a doubt that it's the worst crap I've ever encountered. IMHO, it's Micro$oft that does not understand directories and group policies.

BTW, Group Policies??? What about permissions? Let's pick our terminology and stick with it shall we?
______
jeff13

Re:New or Old?

[Ayende+Rahien]

Because if you want system level granularity, you don't set the group policies to prevent it.

The point in group policies is that you set it up in one place, and it override anything else.

Re:New or Old?

[romanski]

Yes, very old. And I know who did it. I've just inspected the old Altair Basic code (it is only 4k) and I have found a string "llAuoYteGlliWI".

Funny

[Tony-A]

Yeah. Funny. If you find it in time.
How much of closed source is never looked at again?

Re:Funny

[imipak]

Ironically, at about the same time it looked like we'd got the go-ahead to Free & release a part of the application server developed in-house - that motivated us to finally get round to giving it a proper audit, which turned up several more interesting features...

knowing there's a possibility that one's peers may deign to cast an eye over one's code == much more care and attention. Not that I'd ever write buggy or insecure code of course ;)
--

Because we went through this last month

[aenea]

There's no date on the Yahoo article. It's probably talking about this:

http://slashdot.org/articles/00/04/14/0619206.shtm l

The end result was that there was no backdoor.

OT too: I'll bite

[CBravo]

All right, I'll bite...

I think there is more than black and white... There are people who are slightly tempted to do small things. Implicit jobsecurity, rebelling against management 'cause it's in your blood, seeing how smart you can be (testing the tester :-) and so forth... Yellow excists...

Re:Back Door?

[mpe]

And what's worst: they don't have a single backdoor, they have a whole backoffice!

With an unknown number of "back doors" in. There might also be some rotten "easter eggs" in their too...

Re:code review

[EnderWiggnz]

what, you think that MS would come out and say "yep well, you caught us, sorry about that... hope you dont find the other ones... i mean... uh... this is against our policy, we had no idea it was in there, it was a rogue developer"

yeh...

and i've got some wonderful swamp land in florida. Act now, and i'll throw in a bridge in Brooklyn...

tagline

Re:Predicted comment breakdown for this article:

[MadAhab]

CmdrTaco will implement a filter which uses advanced nerual net filtering

That alone would be funny enough to stick around for.

Oh, there are no masters in the field of psychology, only students. Study neurobiology and start reverse engineering the brain, you'll get there faster than an infinite army of Freudian navel-gazers.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:Cisco

[MadAhab]

Funny. But stupid. If someone can get in with a backdoor password, how are you supposed to keep anyone out?

The Right Thing To Do with forgotten passwords make the person who forgets them suffer. System must be brought down, set a new password, bring it back up. What happens if you lose all keys to the toolshed? You have to rip out the lock, which can and should be a lot of trouble, and then install a new one. Don't lose the keys, dumbass.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:Predicted comment breakdown for this article:

[catfood]

...between meaningful activities i'll sit down and write a theory on how the collective open-source mind of slashdot operates.

Make sure you include the part where there's two posts decrying the "collective mind" for every one example of same.

The whole site's gone meta-kneejerk.

Re:code review

[catfood]

Always grep for "FIXME" before releasing.

Re:Microsoft trustworthiness

[Juln]

nice to see you know what cvs is, barely...

Re:code review

[gej]

Oh god. Getting points at another's expense. Yeah, that's a good solution. (Score 1 for me).

What I've found best in code reviews is not to attack another person for their code (``Were you on crack when you wrote this? Is this really how you do regular expressions?'') but to be constructive: (``I've found it helpful to do...'', ``Have you tried this....'', or just the flat out ``This looks like a bug...'', etc.).

If you make a code review feel collaborative (``This is our code and we will try to perfect it'', not ``This is your code, now defend it.'') you get good results.

gene

Re:code review

[darkonc]

if this had been an official policy, it would have been nicely executed

OH... I guess you've been using Linux for so long that you haven't had to deal with the excellent Microsoft engineering in products like Windows-98.
--

Re:April 2000

[anticypher]

First thing to my mind was someone has re-discovered "!seineew era sreenigne epacsteN" all over again. The lack of a date stamp leads me to believe someone has hoaxed the slashdot submission queue (again). There is also something fishy about that http://smallbusiness.yahoo.com/entrepreneur.html URL, there's nothing under that tree except the standard banner/skyscraper ads.

The only other reasonable assumption is that M$ has finally admitted, 13 months after the shitstorm, that they did indeed have an exploitable backdoor in IIS. The last statements I heard, during the shitstorm of april 2000, was that the string existed but couldn't lead to any compromise. Perhaps M$ has now tortured a confession out of the engineers and realised there is a backdoor. But the mention of dvwssr.dll ties this into last years fiasco.

Most likely is that this is a glitch story accidentally reposted by a yahoo editor. Only time, and maybe a slashback, will tell.

the AC

Re:code review

[Hard_Code]

Through the net it's easier to have "code reviews" because any body can review somebody else's code without having ever to meet that person face to face, and many times without even corresponding directly with them. Having a "physical" code review on the other hand, has the effect of putting people on their guard, and inhibiting critiques they might otherwise have.

I wonder how to solve this. Perhaps make a "game" of code reviews...people who contribute get "points"...or other people can "vote up" contributions. Perhaps something like this. This way, ego sort of gets put on the shelf, because you're not really attacking the person sitting opposite of you, you're just "gaining points". I don't know if this would work in reality...but code reviews are almost universally dreaded, even though they should probably be practiced much more often.

Re:What I find alarming...

[QuantumG]

we actually define a macro NOT_REACHED(); which causes a box to popup and give the file:line but it is essentially exactly the same.

Microsofts actual fault

[AnalogBoy]

MS's actual failure here is their QA and legal staff. Think logically. Microsoft would never, ever release software that intentionally had a security hole in it. Yes, there are bugs in and out. Yes, there are [accused] NSA Backdoors. HOWEVER, planting a LEGIT hole in software is like beating on the doorway to the DOJ screaming "TAKE ME NOW!". AntiTrust suit aside, this has no abiguity. Microsoft, purposefully sticking a backdoor in their software and keeping it hidden from their customers, seems to me to be 100% illegal

It then makes no sense for MS to let this pass. The financial reprecussions are severe. As i stated above, QA should have caught this. So, if anything, microsofts development methodology, and NOT its legal practices are likely to blame in this case.

Disclaimer: Yes, i know posting a microsoft-postive message on Slashdot is begging for a (-1, Flamebait) rating. If the idea to mod me down has crossed your mind, congratulations, you're a bigot.

Re:Predicted comment breakdown for this article:

[AnalogBoy]

One day i will follow my dream of becoming a master in the field of psycology, and then, between meaningful activities i'll sit down and write a theory on how the collective open-source mind of slashdot operates. and somehow, i think the results of the personality breakdown will be similar to what you just posted.

I calculate about another 2 years until slashdot degrades to the point where a empty story will be posted stating "Microsoft Sucks". CmdrTaco will implement a filter which uses advanced nerual net filtering to decide if a post is pro microsoft, and the post will immediately get rated at the new, (-5, idiot) level. Any pro-linux post will get +5. Truly insightful posters will move onto some new forum. Of course, the trolls will split into two groups, both somehow equally as annoying as before. Shortly thereafter, a singularity will form above RedHat's HQ and suck in all things open-source, As Bob Young rips off his face mask (a-la MI:2) to reveal... Bill Gates.

To quote the book of Sith, passage 30:23, "And the dark lord sayeth, Strike out at me, and become me, for truely I am thyself, with a more menacing outfit."

Corporate culture anybody?

[mojotooth]

I hope nobody's buying this whole "It's against our corporate policies but somehow this backdoor got in here anyway."

I don't fall for that in a second. SOMEBODY told somebody to put that backdoor in there. And even if not, SOMEBODY had to decide that somebody wanted that backdoor in there.

In either case, it's just an example of a group of designers who expect their superiors to support this kind of "feature."

This is probably one of the best reasons to use an open-source application I've ever heard.

Too Late for Some

[Milican]

Well its too late for my friend Daniel. He is running 2000 with IIS and his site was already hacked. A reactive position like Micrsofts is not a very good solution. Yes, Daniel should have been running Apache on Linux (like me) and since this was a personal site he didn't loose too much, but backdoor passwords are simply retarded in this day and age. Microsoft should know better.

JOhn

Re:Too Late for Some

[Greyfox]

Well then he should sue them. After all, when you're dealing with a commercial company, you actually have someone to sue, unlike open source software. Isn't that right?

God I'd like to put a bullet in the head of that particular piece of FUD once and for all...

Re:Too Late for Some

[SlaterSan]

And now it's been slashdotted too .

Re:Too Late for Some

[H1r0Pr0tag0n1st]

Yes, Daniel should have been running Apache on Linux Or maybe Daniel should have installed the hot fix released over a year ago. Course I really don't see what his experence has to do with a back door in IIS as you are refering to a completely separate (and automated) exploit.

Re:Does Open Source do Better?

[Nurgled]

The general idea is that another of the 69,000 hackers would spot the backdoor and fix/remove it, and alert people. With that many people seeing the code, and patches getting reviewed by lots of people before they go into the "official" release, it's difficult to slip in a backdoor and still have people use your patches/code in the future.

code review

[konstant]

For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when dev's are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. Its keeps the honest honest.

Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

-konstant
Yes! We are all individuals! I'm not!

Re:code review

[rtaylor]

Don't forget TODO and ARGH too.

Re:code review

[thelaw]

keep in mind that you have to prove *both* motive *and* intent to prove guilt, not just motive.

jon

Re:code review

[Andy_R]

"You attribute to malice what is obviously explainable through incompetence."

M$ would prefer you to attribute to lack of malice what is obviously explainable through incompetence.
There are no more backdoors, but only because M$'s backdoor routines are buggy.

Re:code review

[sg_oneill]

if this had been an official policy, it would have been nicely executed

I'd say , more likely, that the programmer who put this backdoor in, as been "nicely executed".
I've read that MS can be a little heavy on security with staff.

Re:code review

[raju1kabir]

if you read the article, it states that microsoft has stated publically that the code was not there as "an implementation of corporate policy", but rather, produced by some engineers on their own during the netscape vs. microsoft times. i don't like microsoft either, but it's not as if this was some massive conspiracy by microsoft

Happy birthday! Sorry I'm a day late.

If you were Microsoft, and someone had discovered your evil plan to backdoor IIS, and you were confronted by reporters, would you:

A) Say "Yes, we had an evil plan to backdoor IIS, you got us! Nice catch!", or

B) Say "It was all the action of a rogue programmer who has been dealt with appropriately and it will never happen again. We find this sort of thing unacceptable and it is completely against Microsoft policy."

Get your head out of the sand, please.

Re:code review

[raju1kabir]

Wow, I think maybe your tin foil hat needs some adjustment today

I'm not saying that Microsoft does in fact have such a policy (i.e., to introduce backdoors). I am saying that it is pathetically naïve to assume that just because they deny it, it isn't so.

Re:code review

[raju1kabir]

Oh blather. You attribute to malice what is obviously explainable through incompetence.

No, I am pointing out that what you say is sufficiently common "wisdom" that it is easily abused. Therefore, it is not prudent to assume either until more information is available. Anyone who runs off in a conjectural sprint based on their preferred flavor of the conventional wisdom is not being productive in the service of the truth.

It would be pathetically illogical to believe there was a Microsoft conspiracy to introduce back doors to all their software.

History gives us plenty of precedents. Backdoors are nothing new, in both commercial and custom software. What is illogical is the assumption of perfect rationality on the part of unknown others (such as various Microsoft employees), as there is in fact no strong historical record of rational behavior.

Re:code review

[imipak]

and ``debug''
--

Re:code review

[imipak]

code horror stories... I once reviewed code written by a co-worker who left a couple of months before. Got to the credit card validation routines:

# FIXME: can't test on dev server, assume works for now
return 1; # cc validation goes here...

The site was less than a week from going live when we found that.
--

Re:code review

[Ayende+Rahien]

If MS decide to plant a back door in IIS, you wouldn't know about it.
It would be something totally innocent looking, so even if you *did* discover it, it would look like a bug, not a back door.

Re:code review

[Ayende+Rahien]

Coding can be *boring*.
I don't see it as a hard thing to convince a couple of programmers to code a flight simulator into a spread sheet.
It's a way to relax, and take a look at Apple's previous bug fixed, they were *filled* with such easter eggs.
I do find it hard to concive a way to make dev team agree to enter a backdoor.

BTW, easter eggs are fun, get them here:
http://www.mysteries-megasite.com/eastereggs/egg -1 .html

Re:code review

[Zal42]

It keeps the honest honest.

I know this is offtopic, but why does this phrase keep coming up? Usually, I see it in the context of copy protection (to prevent accidental copying??). Puh-leeze. If you're honest, you don't need anything to keep you that way! Why not just say it like it is? To expose the liars and cheats!!

Ok, rant is over!

Re:code review

[GreenJeepMan]

Well put.

Re:code review

[dhamsaic]

if you read the article, it states that microsoft has stated publically that the code was not there as "an implementation of corporate policy", but rather, produced by some engineers on their own during the netscape vs. microsoft times. i don't like microsoft either, but it's not as if this was some massive conspiracy by microsoft to h4x0r some web sites or steal credit card numbers. they already control enough of the web server market and have $27 billion in the bank. this was something a coder did, not the company.

code review

[konstant]

For those of us working on closed software and not in a position to take advantage of open-sourced peer review, code reviews are a critical substitute. This backdoor illustrates what happens when dev's are "trusted" to code morally and never second-guessed. Of all the advantages of OSS, peer review is the one closed-source developers have to work hardest to replicate.

Currently I am leading my team through a series of security code reviews for a system that transacts money. We joke about finding a method called "PayTim()", but it is not entirely a joke. No matter how much we would all like to believe that our team is composed of trustworthy devs, it is important to establish the expectation that all code is reviewed. It keeps the honest honest.

Not to mention that we have found and fixed many hidden security and reliability flaws along the way, thus improving the quality of our product.

-konstant
Yes! We are all individuals! I'm not!

Let us not forget the NSA backdoor theory

[joq]

Analysis By People We Trust II: Bruce Schneier

from: sci.crypt
subject: NSA and MS windows

A few months ago in my newsletter Crypto-Gram, I talked about Microsoft's system for digitally signing cryptography suits that go into its operating system. The point is that only approved crypto suites can be used, which makes thing like export control easier. Annoying as it is, this is the current marketplace.

Microsoft has two keys, a primary and a spare. The Crypto-Gram article talked about attacks based on the fact that a crypto suite is considered signed if it is signed by EITHER key, and that there is no mechanism for transitioning from the primary key to the backup. It's stupid cryptography, but the sort of thing you'd
expect out of Microsoft.

Suddenly there's a flurry of press activity because someone notices that the second key is called "NSAKEY" in the code. Ah ha! The NSA
can sign crypto suites. They can use this ability to drop a Trojaned crypto suite into your computers. Or so the conspiracy theory goes.

I don't buy it.

First, if the NSA wanted to compromise Microsoft's Crypto API, it would be much easier to either 1) convince MS to tell them the secret key for MS's signature key, 2) get MS to sign an NSA-compromised module, 3) install a module other than Crypto API to break the encryption (no other modules need signatures). It's always easier to break good encryption.

Second, NSA doesn't need a key to compromise security in Windows. Programs like Back Orifice can do it without any keys. Attacking the Crypto API still requires that the victim run an executable (even a Word macro) on his computer. If you can convince a victim to run an untrusted macro, there are a zillion smarter ways to
compromise security.

Third, why in the world would anyone call a secret NSA key "NSAKEY." Lots of people have access to source code within Microsoft; a conspiracy like this would only be known by a few people. Anyone
with a debugger could have found this "NSAKEY." If this is a covert mechanism, it's not very covert.

I see two possibilities. One, that the backup key is just as Microsoft says, a backup key. It's called "NSAKEY" for some dumb reason, and that's that.

Two, that it is actually an NSA key. If the NSA is going to use Microsoft products for classified traffic, they're going to install their own cryptography. They're not going to want to show it to anyone, not even Microsoft. They are going to want to sign their own modules. So the backup key could also be an NSA internal key, so that they could install strong cryptography on Microsoft products for their own internal use.

But it's not an NSA key so they can secretly install weak cryptography on the unsuspecting masses. There are just too many smarter things they can do to the unsuspecting masses.

uV-ajeD

[AlienSquid]

So.. Are Netscape engineers STILL Weenies?

New motto

[Dark+Coder]

Where do you want to go get reamed today?

Last Thursday?

[z4ce]

Which last Thursday would that be? This last Thursday? How about this last Thursday? Nice one yahoo... post an article from April 2000 in May 2001. I bet microsoft will be angry as heck. And they deserve to be, this seems like plain libel to me.

Re:Last Thursday?

[loraksus]

yeah, it might be old news, but I bet that at least 80% of people who are running IIS, etc... haven't patched this hole.

The slashdot 2 minute between postings limit:
Pissing off hyper caffineated /.'ers since Spring 2001.

Re:April 2000

[phutureboy]

Actually, the story's URL contains the string "articles/20010514/microsoft_ackno" which suggests that the article is from today, 2001-05-14.

I couldn't find a link to it on the main story index though.

--

DLL naming convention

[scoove]

Gosh, where could they have come up with a name like dvwssr.dll?


MEMORANDUM
TO: BILL GATES
FR: SECRET SERVICE COMPUTER CRIME TASKFORCE,
OPERATING SYSTEM REMOTE CONTROL TEAM

Pursuant to our back door access agreement with Microsoft, please include the following dvwssr.dll (device for virtual web secret service remote-control) in your web server system distribution.

DIR. SECRET SERVICE

p.s. Could you also have one of your database people call the folks over at the FBI? Apparently they've got a whole bunch of pages of some Oklahoma City court trial related stuff in that SQL database and can't make heads or tails out of the darn thing. They had some Chinese workers looking into it, but apparently they got reassigned to a firewall project over at Defense.

and thanks to FOII...

[scoove]

we bring you this previously secret Microsoft response to the Secret Service's request:


MEMORANDUM
TO: BRIAN STAFFORD
FR: STEVE

Brian - Got your note. No problemo on the request. BTW, please tell your folks that I'm the big man on campus now. I've got an office almost as big as Bills was, and even have one of those really cool leather chairs. So please tell them they can stop sending all that stuff to Bill. It just sits on his desk while he's out doing that foundation crap.

Speaking of Bill, tho, we talked about the little SQL problem over at the FBI and he wanted me to assure you all that he's absolutely positive there's no relation between database problems and that pesky antitrust matter.

Bill said he was sure that since Janet's long gone, we'd be glad to take a look into the problem. In fact, we'd be happy to archive all the antitrust stuff at the same time just as a way of saying thanks for the business.

Give me a call sometime!

The Big Ball

Re:and thanks to FOII...

[dvChaos666]

Obviously fake.. if you guys believe all that anti-ms rubbish (including those so-called "memos") then you need your head checked for sanity errors. as everyone knows sanity errors are the number one cause of "the downfall of the internet".

Weenies!

[CMU_Nort]

Isn't this just the "Netscape Engineers are Weenies" backwords backdoor? I assumed that and when I saw the name of the dll it was confirmed. Bad Yahoo! Bad! Go stand in the corner!

Re:April 2000

[selectspec]

It's humorous how pathetic the technical reporting is on the Yahoo/CNET/WSJ/NYTIMES/etc. These guys need to stick to the "just the facts" reporting instead of their "editorial" deductions.

Code Reviews

[flatrock]

One of the benefits of open source is that it allows the world to review the code. You need to have code reviews so that one person by intent or mistake can't royally screw things up.

Call me nieve, but I don't think that Microsoft is stupid enough to purposely put in a back door. Even if "security experts" outside the company never find it, secrets like backdoors have a way of comming out. This is likely the act of mone or two very foolish MS employees who if they still worked there when this came out, got fired over it.

Code reviews are especially improtant with closed source, but all projects need them. We got behind schedule on the last project I was in charge of, and I put off the code reviews to try and get the software done. It was a BIG MISTAKE on my part. Now some of those people have left the company, and I'm left supporting poorly designed, hastily written code. What's worse is the one person who left had great confidence in himself, so he tested very little of his code. Needles to say, the product ended up being later and of lower quality because the time wasn't spent doing it right the first time.

Re:Back Door?

[quigonn]

And what's worst: they don't have a single backdoor, they have a whole backoffice!

Re:Should be fined

[VB]

I'm going to be spending the rest of the day patching!

About 2 hours. I don't believe any give the choice to not reboot, either.

Linux rocks!!! www.dedserius.com

Frontpage ???

[ckaminski]

Am I the only person in the world NOT running the Frontpage extensions on IIS? I have to admit that IIS isn't perfect when it comes to security matters, but come on, installing frontpage is just BEGGING to have your shit hacked.

This news does not surprise me...

[stevens]

...but the reaction to it will surprise me. I expect it, and it will still surprise me: I predict this makes absolutely no dent in MSFT server sales.

You see, I think that most of the people who could learn from this sort of thing have already learned several times over.

I don't know what sort of catastrophe it will take for the rest of these people to learn...

Re:Back Door?

[fanatic]

Someone please moderate this asswipe to some nether region - this is a goatse.cx link.

--

Re:Back Door?

[fanatic]

What makes you think I didn't check first? Just because I didn't actually see the nasty picture is no reason not to get some karma subtracted from a slimeball like you. I can't believe you actually accumulated enough to post at 2 - how did that happen?

--

Re:Back Door? Off-Topic

[fanatic]

Boy, aren't you one to judge, after looking at a single post.

He (You?) linked to goatsex, therefore he is (you are?) a slimeball. Only one post needed for that. Simple enough for you?

--

Re:April 2000

[nachoman]

yep, old news,
It was even posted on /. before...

http://slashdot.org/article.pl?sid=00/04/16/0032 59 &mode=nested

then was retracted
http://slashdot.org/article.pl?sid=00/04/16/0032 59 &mode=nested

Re:What is this password?

[Geekboy(Wizard)]

So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

Re:What is this password?

[Geekboy(Wizard)]

What do I care if my sig is stupid?

What's Amazing about this and what's not...

[BierGuzzl]

What we all should _really_ be amazed about is that Microsoft is actually getting around to admitting to this. An IIS backdoor is really not that surprising of a thing on it's own. The only difference between a regular IIS bug and a IIS backdoor is that one was put there on purpose and the other was left there through carelessness.

"Better security out of the box than Linux"

[BierGuzzl]

I'm guessing that we mean before it's inserted into the cdrom drive.

Re:What I find alarming...

[TheCarp]

Heh yea.

I dunno, its just comments. I put funny little things in comments all the time. Makes the code a bit more enjoyable to read.

Speaking of, as someone complained at last years Usenix, I have decided to take up the cause. All code must have Haiku! It doesn't have to be good haiku, or even relevant haiku, but the practise of putting it in comments seems to have died out in recent years, so I want to bring it back!

hmmm and "we are fucked if we get here" (with your favorite commenting char(s) in front (I like # myself)) doesn't worry me - sounds like the start of an error conditional ;)

if ($! =~ /some really bad error/) {
# We are fucked if we get here
die "Couldn't do some crap $!";
}

-Steve

Re:What is this password?

[cybercuzco]

The password is Password. no no wait, its 1.. 2... 3... 4... 5...

open source can have back doors as well

[mljames]

Just a program is open source doesn't mean a programmer can put a backdoor in...is every line of code reviewed or does someone just add functionality. Has anyone look at everyline of code in KDE or the linux kernal itself...claiming something is open source and it has been reviewed doesn't mean it's secure..

U$oft spin doctors

[katarn]

U$oft spin doctors

How does Microsoft's PR people pull this off? The article attempts to
shift the blame by pointing that out the code was "written during the
dispute between Netscape and Microsoft over their versions of
Internet-browser software." When other companies have software holes
found, the media holds the manufacture firmly and ultimately
responsible, even if it was a disgruntled employee. But with when
talking about this Microsoft hole, the article goes way out of it's way
to make hints at subtle this dubious detail in an apparent attempt to
shift the blame. Sure, it COULD have had something to do with the
browser wars. But it could have just as easily been general
anti-Microsoft sentiment. Or someone putting it in for their own
personal gain. Or someone just being a smart ass. Again, when other
companies have security breaches, no one goes "Awww, poor foobar.com,
you're bugs are okay because people are picking on you". No, they rip
the company a new ass hole and their stock takes a dive.

Will this really change anything, though?

[DrEldarion]

Sure, it's big news that they've admitted to it, but will anything really change? As someone has already noted, this is actually a story from back in April. There has been no outburst so far(except for the Anti-Microsoft-But-I-Don't-Know-Why people who will soon flood this thread).

The world is too dependent on Microsoft, and Microsoft is too good at lying for this to really make any difference. If they did indeed put it in on purpose, all they have to say is that the programmers did it on their own and they had nothing to do with it... and only those programmers had access, so it doesn't really mean much. See how easy that is? Now imagine professional lawyers going over that and making it sound as confusing and convincing as possible.

This is not the end of Microsoft. Not even close. Their attitude about it is probably, "'Eh, whatever. Shit happens." They're still going to continue to rake in the dough, and the world will continue on like nothing has happened.

The only difference is that the Anti-MS crew has more anti-MS ammunition now (not that anyone will really listen to them about it, though.)

-- Dr. Eldarion --

April 2000

[rjamestaylor]

This is really old news, as well as misleading. A curse on Yahoo Small Business for not including a time/date stamp on their story. See this Google search for more info.
--

Re:April 2000

[MacGabhain]

They did include a date stamp. It's in the URL - 20010514, today. While you may be right, don't assume that a Microsoft security hole isn't there just because there was reported to be a similar one a year ago. (Again, you may be right, that it's just Yahoo being yahoos, but I don't see any reason to assume that there isn't another - real this time - backdoor just because there was a false alarm 13 months ago.)

Re:April 2000

[valentyn]

There is a date/time stamp on the Yahoo story, and it's just what it looks like: May 14, 2001. The Slashdot crew is not to blame here: Yahoo! Small Business, Technology section made it a feature today. The link to entrepreneur.com that Yahoo has, has no references to this story. It seems Yahoo! is at fault here.

V.

Re:April 2000

[papskier]

Yes, the exploit is old news, but the MS stance on it is new news. Read the article that you link to. It mentions that MS says that it was a bug, not an intentional backdoor. The Yahoo Small Business story says that MS has finally admitted that the backdoor was intentional, at least by the coder. Now perhaps in another year MS will finally admit that they wanted the backdoor, not just the coder.

Frontpage sux...

[malfunct]

The big problem here is that the people put Frontpage server extensions on the server.

#1 The stability of said extensions is low to none.

#2 The 98 version of the extensions runs on NT4 if I remember right. Ick

#3 The server extensions are all about breaking security by putting another way to write to the server.

What this all adds up to mean is if you install FP Server Extenions in a production environment you are a bonehead. It slows down, crashes, and in lots of other ways renders worthless your webserver. If I remember right they were designed for coprorate use to make posting web documents easier on the LAN and not really focused at the internet at large. I'd say this is not a security hole in IIS so much as the admitted lack of security in FP Server Extensions so be bright and don't use them where they aren't recommended.

Back Door?

[Ronin+X]

Microsoft has been bending people over and 'entering through a backdoor' for years now...

Re:Back Door?

[electricmonk]

Hey, "asswipe," why don't you check your links first before being a knee-jerk Slashbot and clicking them? Maybe you would be less surprised next time. Or maybe you checked it and WANTED to see gaping asshole. THAT wouldn't surprise me in the least.

It's not like I was trying to disguise it as something else... and if you read the parent comment, anyone who's been on Slashdot for a fairly long time should know what it will lead to. So lighten up.

--

Re:Back Door?

[LordArathres]

I live in LA and you dont need a machine gun. It helps. Really helps sometimes, but not necessary. A well made double barrel shotgun is usually enough.

Arathres


I love my iBook. I use it to run Linux!

Re:Back Door?

[imipak]

Readers in the UK of a certain age will understand when I say that there can be only one response to this news! (RA)
--

Re:Back Door?

[warmiak]

Hell, this fucking image is so ugly I actually tend to support moderating down just about anybody who links to it - related or not.

Obligatory Outlook joke

[vanza]

The article says that Microsoft "plans to alert customers as soon as possible with an e-mail bulletin...

which will automagically install a patch when read with Microsoft® Outlook®.

--
Marcelo Vanzin

Microsoft

[SpanishInquisition]

Where do we want to go today?
--

What is this password?

[svl]

Moderate replies to this question as 5:Informative.

Re:What is this password?

[Spackler]

Re:What is this password?

a11_your_11s_aRe_BeLoNg_2_US


M$_0wnz_j00

ASAP?

[ahknight]

ASAP would have been when they installed the backdoor...

Kind of sad, really. MS wants people to see them as an enterprise solutions company, as a big player, as a "leader" in security, so of course they have a backdoor into their IIS systems.

Kind of sickens the stomach to see these folks even close to winning the server market. (shiver)

Does it really have to be malitious?

[mini+me]

Why can't the virus be useful instead of just destroying everything? Everyone always maintains these viruses are to exploit the shortcomings of a particular system. If it is such a big deal to them, then why not fix the problem with thier virus instead of reaving havoc!

Although even this would be malitious to a certain extent, I always thought it would be interesting if someone created an Outlook virus that installed Linux on the system, while maintaining the users current settings, and giving the default interface to one that looks like Windows. Most users would never even notice the difference!

Re:Holding Microsoft Accountable (good luck)

[driehuis]

Sue the vendor? Good luck.

I'm very tired of hearing this argument. It is the same argument as "no one ever got fired over buying IBM". If you feel good over the ability to sue, fine, it'll make you sleep better. But I've learned to sleep well by shrugging off the repeated experience of getting screwed over by vendors who just had a better lawyer than I did when the contracts were reviewed.

And that's with vendors where you can actually negociate a contract. Microsofts market dominance means it will get away with not negociating a contract. Take the EULA or leave it.

Besides, for a successful suit you'd need to prove something like gross negligence or criminal intent. I think the chance of proving that is slim in the case of this backdoor, and that they would probably walk away with a court order mandating half off upgrades to all affected users.

Re:What is everyone spewing about?

[The+Pim]

Take a look at what Bugtraq's owner had to say at the time

The message you quoted is in fact from the NTBugtraq moderator (who IMO deserves considerably less credibility). The two lists are entirely independent.

Re:What I find alarming...

[Lozzer]

25 million lines of code, what were you working on? NT 3.5 only had about 5 million and that was already pretty bloated.

Re:What I find alarming...

[Lozzer]

I've been scratching my head since Tuesday. I've not got a clue. Coz its so big I'm guessing it may be pretty well known, but something that has to use a redundant processor...

Any more clues? What size image (if the question make sense for your language) is the result of compiling all this code.

Foreign governments use...

[Stoutlimb]

Windows?

I just wonder which agencies of the USA government knew about these back doors for years, and which ones are not yet revealed.

Any non USA government using windows has to be plain mad.

But why?

[don_carnage]

The article notes: "Two security experts discovered the code, which was written during the dispute between Netscape and Microsoft over their versions of Internet-browser software."

So they put the code in there to...what? Check up on servers to see if they were running non-M$ extensions or packages? It just sounds a little odd to put a back door into a webserver for reasons of a dispute.


--

Yes it does exist

[Igmuth]

According to Microsoft Dvwssr.dll does allow limited access to users who have Web Authoring permisions set.
It's amazing what you find when you reseach.

Re:Yes it does exist

[Karl_Hungus]

Wow, a web server has a bug which allows limited access dependent upon the way permissions are set? Yeah, that's definitely front page (no pun intended!) news, especially when it's over a year old. Face it, slashdot's credibility has hit rock bottom.

I thought /.'s credibility hit rock bottom over a year ago.

GOT ROOT?

[Picass0]

"Microsoft Windows has better security than Linux out of the box"

HAHAHAHAHAHAHAHAHA!!!!!

Re:What I find alarming...

[decesare]

The backdoor was slipped in by a coder who managed ot get it through a code review, etc, etc.

I don't know. I'd like to think that if this particular piece of code really was peer-reviewed, then it would have been caught before release.

But I agree that it is not isolated to M$. I have yet to work at a place that really understands how code reviews are supposed to work. Too often, managers say "do a code review", without understanding that it takes more manpower than the overworked coder one cube over to do a proper code review.

IMO, the release of the backdoor wasn't a defect -- it was a foul-up, and a stupid one at that. While I'm sure that there was a good reason to have a back door during development and testing, the coder should have ensured that this wouldn't get put into a release build of the product, and therefore put the approprate compiler/linker flags in the build so that it didn't. But, when you're talking about a large company where developers are rushing half-baked stuff out the door to meet whatever deadlines the resident PHBs dream up, these kinds of mistakes are going to happen.

Re:Predicted comment breakdown for this article:

[sqlrob]

You forgot:
2% CowboyNeal

Who are the "security experts"?

[VSarkiss]

Does anyone khow who the "two security experts" are that the article refers to? Where they work, how they found it, etc.?

I looked in the usual-suspect places but didn't turn up anything. I mean, you can't really "search" for this.

Search: microsoft iis security hole
Search returned 745 documents

Re:Who are the "security experts"?

[Ayende+Rahien]

search: linux apache security hole
How many?

Don't be sorry about old news.

[bruthasj]

The point of this repost is not that it was a "mistake" or that it was old. The point is, what the hell is Microsoft waiting for? It's been a whole month and they're still going to let people know "as soon as possible" ???

What is this? Can you M$ advocates let me know what this is all about??

Re:Don't be sorry about old news.

[bruthasj]

Yeah, I know where this is from...

Re:It is incredible how people just can't read.

[bruthasj]

Shut up Bill. I know you read tabloids like Slashdot, but you don't have to post anonymously. Why don't you come out of the closet?

Re:It is incredible how people just can't read.

[bruthasj]

what makes think I like linux?

The song remains the same

[isomeme]

You know, for some reason I suspect that the new backdoor password contains the strings "taH deR" and seineew.

--

Should be fined

[Nos.]

Micrsoft should be fined, or punished in some way for this. Anyplace they say that IIS is more secure, has just been proven false. I mean how can any software be considered more secure than anything if it contains a backdoor! For example, the linked article in the post says Windows is more secure out of the box. Well, Win2K Advanced Server installs IIS by default (not sure about Front Page extensions though). Therefore, it is definitely NOT more secure.

The sad thing is, this probably won't affect sales of MS products one bit. Those who weren't informed, will probably miss this bit, or downplay its importance. I know I'm supposed to be migrating our web server from NT4.0 and IIS to Win2K and IIS 5.0, but even if I brought this article to my boss, he'd downplay the importance. He'd bring up that at a regional level we're not supposed to install Linux, of course we're not supposed to intall Win2K servers either, but that doesn't seem to matter.

Re:Should be fined

[Nos.]

What can I say except THANKS!. No, installing them probably wouldn't take all day, but downloading 110+ MB through our connection at work did take all day :).

Re:Should be fined

[Nos.]

Quick notes: I'm installing Server, not advanced. As with any install, you go check for updates, well, for 2000 Server, since June 6/2000, there are 31 critical updates for Windows 2000 Server, not including SP1. That's a little less than 1 per week. I'm going to be spending the rest of the day patching!

This is what passes for secure these days?

Re:Should be fined

[jotaeleemeese]

Damn! Which button do I click to run that!

Trust

[Alien54]

Of Course, We should all trust Micorosft. Microsoft knows the value of customer trust.

Except, of course, when they make a mistake, or mis-speak, or omit certain details, or just out right lie.

Doesn't that seem to be happening uncomfortably often?

It is one thing to get control of a market by various hardball marketing tactics.

It is another to gain a market because of trust.

Check out the Vinny the Vampire comic strip

Let's be fair

[DeadVulcan]

Now, let's be fair. If you don't care about the open/free software philosophy (and just for the record, I do), and security is really the only thing we're arguing here, then the real questions are: when was this backdoor introduced, when was it discovered, and how soon will there be a patch?

The article mentions nothing in this regard, and doesn't warrant the comment, "Here's another brilliant example of how closed source development models are a threat to security and privacy on the Internet."

I can't see how this incident favours one side of the argument over the other, until we have more information about the circumstances.

--

Re:Let's be fair

[papskier]

This bug is actually a year old, patches are available. What's new is that MS has admitted that it was programmed in as a backdoor. Proving what sneaky bastards they are.

Re:Let's be fair

[papskier]

Um, yeah they did. The article seems to be gone now, so I can't directly quote it. But, what happened was last year when it was discovered, a lot of people said it was a backdoor, but MS adamently denied it. MS said it was simply an exploit, and released a patch. What happened last week was that MS finally came back and admitted that it actually was a backdoor.

Re:Let's be fair

[papskier]

my fault for being complacent with a substandard news source... thanks for clearing that up!

What I find alarming...

[mizhi]

Is not the security hole... we all know M$ considers security matters a complete joke. People are at their mercy as to when to release fixes, if at all.

What raises a red flag with me is that the wording of the article indicates the password backdoor was put there intentionally... and we're supposed to trust M$ with our valuable and oftentimes, priceless data?

"Against our policy"... right. To hell with them.

Re:What I find alarming...

[baptiste]

Well, lets see - I see the need for a riddle :). It ran on a dual processor system - not SMP, but active/inactive for redundancy. Its main processor (at the time) was the same processor using in pre PPC Macs. It was all written in a proprietary heavily typed language based off Pascal, and these systems were used by millions of people everyday all over the world. It handled thousands of 'transactions' a second.

--

Re:What I find alarming...

[baptiste]

Now I can bash Micro$oft with the best of them, but in their defense...

The backdoor was slipped in by a coder who managed ot get it through a code review, etc, etc. This is not isolated to Microsoft. That's why OSS is so nice - anyone can look for and find backdoors to fix them.

When you are talking about tens of millions of lines of code, its impossible to find stuff like this unless you spend a LOT of time looking for it. IN my previous life I worked for a company whose flagship software was about 25 million lines of code. I'll never forget when they decided to give the source to select customers who signed NDA's. They spent MONTHS looking for backdoors and inappropriate comments like:

// If we get here we are REALLY f**ked

It was amazing how much stuff they found (mostly in the comment catagory) and how long it took to find it all in a code base that large.

--

Re:What I find alarming...

[dachshund]

Well, if I saw a comment that said "if we get here we're really...", I'd be more concerned about what was going on with the code than with the language.

A better example is "// oops, this is totally fucked up, gotta remember to fix it".

Re:What I find alarming...

[obdulio]

Lets assume for a while that Micro$oft, as a company, did not know of the backdoor. Verification of the code, checking and testing the sofware are essential steps in any Software Developmente cycle, part of the entire Software Engienering process. If the backdoor went undetected into the final product, it means that the entire proccess of Software Development is unreliable. And this is definitely a Companys fault. Probably as a way to speed up the release of new products, the Corporate Policies for Software Development sacrify the exhaustive testing and verification needed to ensure the quality of their products. They sell anyway, so why wasting time and money. Thats really scary, regardless of whether M$ knew or not of the backdoor.

Re:What I find alarming...

[warmiak]

OT but if your company was typical then that source code probably had couple of "black hole" sections which nobody even attempted to touch cause " it would fucking break everything" , there were well known entry points where people would enter to follow the flow and hopefully make some changes and finally there would be no single person or documentation allowing somebody new to comprehend and introduce major changes in that code.
Anyway, maybe my experience is unique and most software out there is well written and maintainable...

NTBugTraq's response

[tomknight]

Here's what I found in this morning's email from NTBugTraq:

I just wanted to comment about the brain-dead media reports propagating from a story running on Yahoo today.

http://smallbusiness.yahoo.com/entrepreneur.html?s =smallbiz/articles/2 0010514/microsoft_ackno (probably wrapped to two lines)

The story, from a year ago, pertains to the discovery of a string in dvwssr.dll and its alleged ability to backdoor NT. My message from 4/14/2000 about the issue is attached below. There is no new backdoor discovery, Microsoft hasn't recently confirmed anything of the sort, Yahoo deserves to be shot for not putting a date on the article and not realizing it was wrong when it was first run. Looks like they're a bit hard up for ad revenue.

For anyone who hasn't already deleted the file, read;

http://www.microsoft.com/technet/security/bulletin /MS00-025.asp

I particularly liked the bit "Looks like they're a bit hard up for ad revenue."

Tom.

Quoth Gates

[Tebriel]

All your IIS are belong to us!!

Re:NEWS for SUITS

[Ando[evilmedic]]

As long as it's loading slow for you too. Lagdot indeed

- Ando

becoming a habit this...

[swright]

first Interbase, now the FP extensions. Bit worrying really...

Re:Ethics and Computing

[InfoSec]

While I appreciate and understand your cynicism towards certification, there are good points to being certified. I was competent at security long before I became a CISSP. As far as certifications go, I would never use it as a basis for hiring a perspective candidate. The only thing I find certifications good for is that they validate a person's competency. By seeing a qualified person with experience I can learn a great deal, but by seeing a qualified person with experience and a certification, I learn a great deal more.
Deven Phillips, CISSP
Network Architect
Viata Online, Inc.

Ethics and Computing

[InfoSec]

I'm a CISSP and I have been bound to an ethical agreement that I cannot perform any illegal or shady activities in the computer industry. My concern is, that Microsoft and other companies seem to be bound by no such agreements either by their own internal policies or by their customers. Isn't it about time that Microsoft was made to be responsible for their security?? Shouldn't customers demain some kind of responsibility from Microsoft and others?
Deven Phillips, CISSP
Network Architect
Viata Online, Inc.

Re:Ethics and Computing

[raju1kabir]

I'm a CISSP and I have been bound to an ethical agreement that I cannot perform any illegal or shady activities in the computer industry.

A cultlike yet entirely pointless genuflection before feel-good crap like nebulous self-enforced ethics agreements is one of the many reasons why I have forever given up on hiring anyone whose resume contains any of these certification acronyms.

Are you really so stupid as to think an unethical person will change their moral character because they have signed some insipid pledge? Thank God you have nothing to do with my network's security.

Time and time again, the holders of the multi-kilobuck laser-printed certificates demonstrate that the only reason they got them was because their general idiocy was preventing them from achieving advancement the old-fashioned way: by showing competence.

Never Mind

[vistas]

I think that for these circumstances, Slashdot should replace whatever icon is there with a picture of Emily Litella. (if you don't know who she is --gilda radner-- go watch some vintage '75-'79 Saturday Night Live)

Re:oh please

[bobthemonkey13]

Well, that's true. But open-source code is seen by many people from all different backgrounds. With all of these people, it is almost impossible to miss something like:

if (!strcmp(password, "netscapeprogrammersareweenies"))
access=FULL;

From the tone of your comment, you seem to think that this M$ backdoor is some kind of bug. It it not a bug, it is an intentional security hole. This is what Open Source can guard against.

Re:"Microsoft" "backdoor"

[update()]

So, this "backdoor" turns out to be a year old story that wasn't even true in the first place.

Can we at least salvage a little bit of fairness by giving Hairy Potter the (Score:5, Funny) he deserves? I just sprayed Diet Coke through my nose onto my keyboard while reading that.

Unsettling MOTD at my ISP.

"Microsoft" "backdoor"

[Hairy_Potter]

boy, this screams for a disgusting trollish gif or jpeg, but for the life of me I can't think of one.

What is everyone spewing about?

[rabtech]

This is the same old "Netscape Engineers suck!" backwards-text thing that was hashed (and rehashed) quite some time ago. It turns out that the string is just junk text in the file. It isn't a password, backdoor, or anything else.

Take a look at what Bugtraq's owner had to say at the time (Bugtraq originally reported this issue.)

It seems that someone testing the box entered the string and got into the Frontpage web w/ no password.... as it is pointed out below, that is because the security on the box wasn't set properly.... they could have typed in "MicrosoftSucks!" and gotten in.

======= BEGIN MESSAGE =========

Ok, here's a breaking update.

Latest reports say that there is

NO VULNERABILITY IN DVWSSR.DLL

Yup, that's right, different again from what I said earlier, and even more different than what I said yesterday to WSJ.

Please accept that I have followed the story published elsewhere and tried to keep you abreast of everything I knew. Also appreciate that the amount of time given to verify and research the claims made by others has been extremely short. I've had probably 30 interviews today by orgs pressing for information on the story as the feeding frenzy occurs after the first one goes to press (WSJ in this case).

MS have had people working on this thing like madmen, trying to verify the claims and investigate all of the possible pieces of code that may be affected. As that research progressed, different observations were made and so the story came out in various stages (with varying levels of "correctness"). Had they been given a reasonable amount of time to respond, nobody would have been in a tizzy about anything (i.e. the press would not have cared to run this story anywhere).

Decide for yourself whether we were better served by (more) immediate disclosure or not. I've stood where I stand for a reason, despite the loathing of others for my stance...

In the end, it turns out that unless you actually have permissions for the file you are requesting, you'll get an error message when you follow the procedures outlined by RFP in his RFP2K02 advisory.

That said, understand that sites that allow connections by Front Page may very well provide you with source asp if you request it. BUT THAT WILL HAPPEN with or without the .dll. Without proper and full permissions applied across virtual servers on a given box, site leakage or manipulation by others will always be possible in myriad ways.

From what I've heard/seen/been told, permissions on the test servers must have either been non-existent, incorrectly applied, or permissioned the user across multiple virtual sites (i.e. incorrectly applied).

I had someone claim that they could get into an FP98 site using "Netscapeengineersareweenies!" as a userID and no password...making them think it was a backdoor userID. Fact is they could get into the same sites using "TomDickandHarry" as a userID too. If the permissions aren't set correctly, anything is possible.

This info may change again before its finalized. It may well be that there is some way to use this .dll in a way that's not intended...it just doesn't appear to be this one. On a box where multiple sites have not been individually permissions, or permissions are lax or non-existent...anyone permissioned to execute the .dll in the first place would have the ability to simply open the other sites and manipulate them directly (i.e. no need to do this junk with the dvwssr.dll)

Finally, to my point out the string not being a password. Elias Levy of SecurityFocus.com and Mark Edwards of NTSecurity.net have both correctly pointed out that using the term password to apply to that string is not beyond the realm of understanding. The client component mtd2lv.dll and the server component dvwssr.dll both need to know this value, and use it correctly, for communications to work. If you try and talk directly to dvwssr.dll and don't obfuscate your communication with the correct "key", it won't understand you. Of course if you don't already have permissions, knowing this value gets you nothing...hence my observation that its not a password. Whatever it is, it appears to be meaningless junk text used as data.

===== END MESSAGE ======

-------
-- russ

"You want people to think logically? ACK! Turn in your UID, you traitor!"

EULA sez no.

[Kasreyn]

Don't you love this modern age of zero-liability software producers? Have you read some of the newer software licenses? Some of these licenses would basically allow the software firm to sell you a virus and be unassailable in court. And M$ pioneered this sort of license. I don't think any suit against Microsoft based on functionality or truth in advertising has a snowball's chance in hell of getting through.

-Kasreyn

The fact remains...

[Mytzle]

I work for one of the largest computer/technology companies in the world. When I suggest that we move just OUR servers (my team/division) to something like Apache, you should hear the crap I get. My manager dismisses it out of hand, an why? Because no one can buck corporate policy. Or no one will. Until People stop being scared of better alternatives just because it's "not what we use" then these problems will continue. So sad.

Bill Gates' Network Neighborhood

[AlgUSF]

I wouldn't be suprised if when Bill Gates clicks on his network neighborhood icon, every windows machine on the internet comes up with full access... :-)

I bet Microsoft's websites are probably running on a "Modified" version that doesn't include this backdoor.

Does Open Source do Better?

[iCharles]

OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it didn't put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

On the other hand, Open Source does, at least, give you the option of checking it out. I suppose neither side has an advantage.

Re:Does Open Source do Better?

[Ayende+Rahien]

Yes, RIGHT!

How man KLOC there are in RH even a strip down distribution?

To read the kernel alone would takes a long time.
Then you've all of POSIX's applications, bash, X, favoraite WM of choice, browser, email client, etc.

You are *never* going to get through everything.

Re:Holding Microsoft Accountable

[iCharles]

If a comany (not just MS) were to deliberately put in a back door, or if they could not be relied upon to prevent deliberate security breaches (such as a back door), people woudl stop buying their software. No revenue hurts them.

I also suspect that, in the case of deliberate tampering, someone would find a way to sue them despite the EULA.

Does Open Source do Better?

[iCharles]

OK, let's say I use open source. How do I know there isn't a back door? I could, if I had the expertise and the time, go through every line of code, and verify that none of the 69,000 developers working on it didn't put a backdoor in. I dare say in most situations, that is impractical. It means that even the smallest installation requires someone with some knowledge of OS development and C code.

With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

Re:Again the total lack of journalism is showed.

[RogueAngel7]

If /. wasn't a forum of free speech, your post wouldn't have ever shown up.

The whole point of free speech is for people to be able to express ideas, opinions and information, even if you don't like it/them, and to have to ability to clearify false information when it is dispensed.

RA7
-

sometimes rehashing the past is needed.

[RogueAngel7]

the fact is is old news makes it no less disturbing.

Why anyone would use a MS product in a Security intsive application (like data servers, or critical workstations) is beyond me. Opinions aside, there are to many well known and well documented holes in the security of thier products, that they have tried to hide until the heat came down on them. Not to mention stability flaws.

How can use trust a company like that. They seem to me to be a company that apparantly has no regard for the integrity of thier products.

RA7
-

Re:Hey, Check This Out You SlashBorg Fuckwits!

[mahmud]

I will rephrase Arthur C. Clarke on space-elevators:
OpenSource will really kick off when everybody will stop laughing.

P.S FYI, being a ludite is not "IN":P

M$ Easter Eggs

[kbeast]

Thats wierd, I saw this listed as an easter egg that when you enter the correct password, it displays a jpg of Bill Gates with his fist up my ass.

.kb

DVWSSR.DLL

[hyrdra]

Here is an analysis compiled by BindView RAZOR Team, including detection of the DLL on a remote host, decompilation of the file itself, and vulnerability risk assesments.

Analysis of DVWSSR.DLL Risks


Risks Uncovered:

The risks of having dvwssr.dll are not as severe as originally reported in media outlets Friday morning, but still severe enough that system administrators responsible for NT systems to investigate. The risks involve whether or not a certain DLL is loaded, how rights are set, and potentially how Front Page 98 is used.

1. If you have Microsoft NT 4 with the Option Pack loaded and FrontPage 98, you have the vulnerable dvwssr.dll loaded.

2. To run the dll remotely you need to have read access to the dll. This is not assigned by default. Typically on systems with multiple virtual hosts the administrator could have stuck everyone with a virtual host on the system into a group and given that group access to the dll. This would imply that any virtual host maintainer could look at other hosts' files. Obviously a misconfigured host might allow anonymous access, but this would require purposeful actions by the administrator for this to exist.

3. The files in question are asp files. This dll gives you the ability to read asp source, so it is possible that hardcoded user names and passwords to backend systems may be viewed. This is essentially the risk that Rain Forest Puppy found.

4. There exists a buffer overflow in the dvwssr.dll. At offset 0x581811C9 in the DLL is an unchecked lstrcpy. By sending a large string of characters, the dvwssr.dll can be overflowed. By carefully constructing these characters, it is possible to remotely execute commands as "system" which can be used for elevating priviledges. The buffer overflow was uncovered by CoreSDI.

5. In theory if you can get the hash of a user with the access, you can exploit the buffer overflow. This is called "passing the hash", and essentially means that you use the hash without cracking the password to authenticate to the target server. See http://www.ntbugtraq.com/default.asp?pid=36&sid=1& A2=ind9704&L=NTBUGTRAQ&P=R2734&D=0 for details from RAZOR's Paul Ashton on the basis for this technique. This technique is currently one of the stars of Foundstone's "Hacking Exposed: Live" presentations being put on by George Kurtz and Eric Schultze at security shows around the globe. Certainly in theory this could be adapted to this exploit.

6. Sniffing the NT LanMan password hash being sent by a legitimate FP98 user using L0phtcrack, and subsequently cracking the password would certainly give you the proper access to run the dll, and therefore elevate priviledges. This would of course mean that the sniffer would have to be located between the legit user and the target server, but is not beyond the realm of possibility.

Detection of the DLL:

Detection is quite simple. The following examples use NetCat:

Example 1: $ nc -v -w2 target.system 80 GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

HTTP/1.0 500 Server Error (The system could not find the environment option that was entered. )

The 500 error means dvwssr.dll is not present.

Example 2: $ nc -v -w2 target.system 80 GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

HTTP/1.0 401 Access Denied

The 401 error means dvwssr.dll is present but you do not have the rights to it.

Example 3: $ nc -v -w2 target.system 80 GET /_vti_bin/_vti_aut/dvwssr.dll HTTP/1.0 (hit enter twice)

Connection closed by foreign host.

The connection closed means that you had the rights to run the DLL, but since no parameters were passed the connection was completed.

Users of BindView's HackerShield can use the Rapid Fire Update released on the evening of April 14 to detect the presense of the DLL on their systems they manage.

Elimination of Vulnerability:

Microsoft's original recommendation of removal of the DLL still stands as this eliminates the vulnerability completely. See http://www.microsoft.com/technet/security/bulletin /ms00-025.asp for details.

Slashdot...

[Scoria]

... Why is the Netscape Engineers are Weenies vulnerability/backdoor so perfect?

I didn't even have to read past the Yahoo article to realize what it was. The dynamic link library mentioned plus FrontPage 98 clicked in even my head.

Since the editors of Slashdot love bashing MS, can't they at least learn of NT's vulnerabilities before posting them? Anyone who knew something about NT would have spotted that was old before reposting it.

No offense to Slashdot and I'm not a troll. I just can't believe this.

Not really a security hole.

[AnotherBlackHat]

It's not really a security hole unless you can use it to perform a denial of service attack against the company that sells the broken software.

So?

[J3zmund]

The fact that there's a backdoor in MS products does not shock me. The fact the MS ADMITTED there is a back door IS a bit surprising.

Is any really surprised by this backdoor at all?

If so, please explain...

the password is...

[DragonPup]

"Bend over and say hello to Uncle Billy!"

-Henry
"Getting your large intestines removed doesn't hurt at all. Until you wake up" -Me

Re:what a surprise

[Ayende+Rahien]

No, it doesn't.
Apache on Win32 is a joke.

"IIS sucks" is news?

[tuxlove]

I think it's well established that IIS is a hunk of Internet Swiss cheese. This story just reinforces that yet again. Yada Yada.

Anyone using IIS for actual important stuff and making it publically accessible is either extremely ignorant or very stupid. You can't secure IIS, so if you use it you are simply acknowledging to the world that you don't care about the sanctity of your host system.

Again?

[Ultra64]

Didn't this happen once before?
I seem to remember reading an article where it was discovered that MS had left a password "Netscape engineers are weenies" or something to that effect.
Someone correct me if I'm wrong...

Poll Idea

[SiMac]

New slashdot poll: Are netscape programmers really weenies?


--

is it old story or old news?

[whizmaven]

read this: http://news.cnet.com/news/0-1003-200-5933518.html? tag=st.ne.1003.saslnk.saseml

Re:Cisco

[Einziger]

LOL - dude you have such good spin on things you might consider politics. So let me get this straight, by microsloth codding a backdoor in, they are really providing a service? Yup they sure are providing a service, the service of gaining unauthorized access. LOL

Explaining how .Net does not equal Web Services

[Computer!]

Web Services are built on SOAP, which is built with XML. Web Services are a concept made possible by XML and SOAP, not a development environment and platform built on a Common Language Runtime, or CLR. Web Services are so platform agnostic, they make Java look proprietary. You can build Web Services on Sun. You can build Web Services with Tcl. You can use Java to write SOAP and Web Service-enabled apps on any platform, even (trumpets) Linux.

I shouldn't have to explain why .Net is platform-specific, but I will. .Net, although it can be, will never be ported to other OSs without being reverse engineered. It is primarily a Windows technology, and will neither be free like beer nor speech. This isn't a problem to me since they pay me to write software for a living, and I like to eat. It might be a problem for some of you, and definately means that .Net isn't Web Services. My post wasn't a troll at all, just an effort to afford anti-MS posts the same nitpicking that FreeBSD vs. Debian vs. Whatever posts already enjoy.

Scary Stuff

[dev!null!4d]

So it appears that little old Microsoft may be able to get in and out of servers as they wish? Can this be legal?

I'm a little supprised someone with a decompiler hasn't found this whole already?

Quiz

[mightyflash]

What does the filename "dvwssr.dll" stand for? (acronym)

"The company is also asking customers to delete the computer file called "dvwssr.dll", which contains the offending code. It is installed on Microsoft's Internet-server software with FrontPage 98 extensions."

Really now...

[qon]

Anyone who's surprised by this revelation (if it's confirmed) really should lay off the happy pipe. It's of a piece with their time-honored strategy.

Have they forgotten the point is to make a product that benefits their customers? How do 'features' like this benefit anyone other than Microsoft? As time goes by, I just keep finding more and more good reasons to avoid Microsoft and all their products.

Q

Nothing to be done

[chemical55]

This is seemingly too ridiculous to be true, and yet nothing is going to be done to MS about it. Imagine if Ford installed hidden cameras in their cars or Nike placed tracking devices in their shoes? The outcry would be tremendous. It is as if people don't fully understand the problem, it can safety be ignored. Arggg..whats the use?

I wondered...

[boiscout]

I always wondered how the "Made With Mac" images on all my pages got switched to "Powered With Win NT" images shortly after I moved from a Linux Box to an NT box.

Holding Microsoft Accountable

[Spiffy+Biff]

With a company behind it (MS or Other), their reputation is on the line. If I do discover a backdoor in my open source product, who do I hold accountable?

How exactly does one go about "holding Microsoft accountable?" I assume that you mean accountable for any damage you might suffer as a result of the backdoor. Well, didn't you read the disclaimer in the fine print of their licensing contract:

"Microsoft makes no claim, express or implied, as to the merchantability of this product, or to its fitness for any purpose..." (or some such nonsense)

Now, maybe Microsoft can't cover their ass in the case of a hole they deliberately planted in the software, but-- short of maybe the U.S. government-- who in this world has the financial clout to duke it out with Microsoft in a court of law? (Make no mistake, you *will* have to prove your case in court to see dime one from Microsoft.) I'm afraid this idea of "holding Microsoft accountable" for their crappy software is just a pipe dream.

And as for Microsoft's reputation as a warranty of quality and security, this is just so obviously not the case that I won't even dignify it with a response.