Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Security: On A Path As Clear As It Is Reliable

Posted by ryuzaki0 on from the snap-crack-crack-crack-pop dept.

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this get's fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.

5 of 360 comments (clear)

  1. Security: Antonyms: See Microsoft by UnknownSoldier · · Score: 4, Interesting

    The unfortunate thing is, that while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or I should the lack of it? :) a big deal.

  2. Mommy,I'm Scared by notext · · Score: 4, Interesting

    Everytime I read about hailstorm, I am in shock but at the same time scared.

    First, off I can't believe that Mircosoft thinks they should be in control of so much personal information.

    Second, that Microsoft thinks they can somehow keep it safe.

    Third, and this is what scares me. A lot of John Q. Public will give them all this information.

    Better them than me I guess.

  3. The MS hack by MobyDisk · · Score: 4, Interesting
    It sounds like they used a well-known technique of adding javascript/java/some other active code that nabs information such as URL & cookies into an email. It then uses that info to do something like sending it to an anonymous collection account.

    With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.

  4. Worm at Cracked Veridian? by Ferd+Lamarche · · Score: 5, Interesting

    Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.

    I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://www.veridian.com/upload/index.htm
    Date: Fri, 31 Aug 2001 03:51:47 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 09 May 2001 12:53:30 GMT
    ETag: "6a8163c87d8c01:943"
    Content-Length: 289

    (Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)

    <html><body bgcolor=black><br><br><br>&lt ;br><br><br><table width=100%><td><p align ="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="cen ter"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</htm l>

  5. Actually, this brings up an interesting point. by nyet · · Score: 4, Interesting

    While I agree with you in principle, this does tickle something in the back of my brain. If the DMCA causes so many people to wish to remain anonymous when they discover a vulnerability, why not FLOOD the media with bogus exploit reports? Just claim you won't release it due to the DMCA. Eventually, if enough random hackers do this, and enough people buy it, there will be so much paranoia of "hidden" exploits, that eventually somebody will call for mass disclosure. And the only way this can happen is for global DMCA amnesty.. similar to what brought about whistle blower legislation.