Slashdot Mirror


Hotmail Servers Shut Down by Code Red

An Anonymous Coward writes: "SF Gate has this story about Code Red taking down some of Microsoft's Hotmail servers. That's funny." So is Code Red a problem yet? Meanwhile my sircams have stopped, except for 2 people who mail me a hundred or more a day. Thank god for filters, but if I had a monthly bandwidth cap, I'd be pissed.

8 of 460 comments

  1. Definitive answer to Hotmail front-end OS by doctor_oktagon · · Score: 4, Insightful

    I just queried Netcraft What's That Site Running and it answers:

    The site www.hotmail.com is running Microsoft-IIS/5.0 on Windows 2000

    I also tried the SSL Port 443 and it's also hosted on IIS5/Win2K. Hope this clears up any confusion *grin*

    One thing to consider here folks: this is a classic case of Security Process falling down. It just so happens it's a Win2K hole in this instance. If Hotmail still ran BSD and there was a root exploit discovered, someone still needs to follow the process and plug the hole.

    NB: I'm not excusing MS here ... I'm laughing as much as everyone!

  2. Re:Microsoft to be the target of (more) lawsuits? by slimme · · Score: 4, Insightful

    Who has losses that arise from code red?

    ISPs and individuals/companies paying for bandwidth used.

    Who causes this mess?

    People who haven't patched their software (gross negligence).

    Who can sue who?

    People who have losses because of gross negligence.

    Microsoft is shielded by a EULA that limits (or denies) liability (although this EULA might not be fully applicable worldwide).

  3. Microsoft to be the target of (more) lawsuits? by DG · · Score: 5, Insightful

    Back in the Dark Ages of corporate acceptance of Free Software (circa '97 or so) a common pointy-haired manager complaint was "Who do we sue?"

    IE, if the software contained some fatal flaw that resulted in Actual Money being lost, the corporation could go after a commercial software house in the courts in an attempt to recover costs.

    Free Software, being provided as a community service with no sue-able corporation behind it, lacked this perceived accountability.

    Well, here we have a gold-plated example of a fatal flaw in a piece of commercial software, coupled to a lax attitude towards fixing it, that has without question resulted in the loss of Actual Money by a great deal of people. One would think then, that IS Managers across the world would be queuing up to sue Microsoft and recover their costs.

    Anybody seeing any evidence of this happening?

    --
    Want to learn about race cars? Read my Book

  4. Re:Security versus Ease-Of-use by SCHecklerX · · Score: 3, Insightful

    These are servers.

    They are difficult to patch or upgrade or remotely configure or fix, or even publish to.

    So...how, exactly, are these systems easy to use again?

  5. Re:How to choose a web server for your company by Helevius · · Score: 3, Insightful

    I agree the sys admin matters, but it's not as simple as that. Try reading Securing Windows NT/2000 Servers by Stefan Norberg. To securely admin a Windows NT/2000 box, Stefan advocates ripping most of its guts out (NetBIOS, Workstation and Server services, etc.)

    NT's standard remote admin tools, like Event Viewer and Server Manager, require RPC using NetBIOS, which is difficult if not impossible to secure.

    UNIX may have its problems, but secure remote administration using native tools is not one of them.

    Helevius

  6. Re:BSD by smooc · · Score: 3, Insightful

    I thought just the webfrontends are running a version of Windows & IIS, the backend is still FreeBSD.

    Or did they change that by now?

    --
    - In Memoriam: Jeroen de Bruin (1972-2004), bye bro

  7. Re:Make Sense by ckd · · Score: 3, Insightful

    I doubt it, since only some of the W2K HotMail servers are infected (according to Microsoft, anyway). I suppose they missed a few or just ran out of time to patch them all - how many boxen do you think they have to patch? Lots?

    The patch has been out since what, June? MS is happy to say "we had a patch out months ago, sent out plenty of warnings, everyone had plenty of time to stop this, it's not our fault they didn't patch it" when people complain about the problem.

    The fact that they didn't get their systems patched is a real indictment of either their system administration practices (if even the vendor doesn't install widely-publicized vendor patches, how can they claim that Bob's Bait Store should always be up to date?) or the "easy administration" of W2K. Unfortunately I doubt anyone will actually be indicted....

  8. Re:Ironic... by patter · · Score: 3, Insightful

    They've coded themselves into a hole where people don't want to upgrade their software to new versions every year or two

    Actually, this is so true it hurts. I work for a company with customers all over the world. Unfortunately, we decided to switch our Unix based software to NT several years ago (we maintain both versions, but I'm stuck working with the NT shit).

    We just completed testing to see if our stuff runs on Win2K a little while ago, and are talking about XP testing soon.

    The ironic thing is, I'm only aware of one of our customers who is even running win2K, and that's for the improved terminal server version (based on Citrix if memory serves). The vast majority of our international customer base isn't going to switch away from NT for years (unless we stupidly force them to).

    We're predicting very poor sales of XP server whenever it's due to ship, at least to customers in our industry. Microshaft should really look into expanding beyond the 'sell, sell, sell' mentality that worked for them in the 80's.

    --
    -- If at first you do succeed, try to hide your astonishment. -- Harry F. Banks