MS Security: On A Path As Clear As It Is Reliable

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this get's fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.

Security: Antonyms: See Microsoft

[UnknownSoldier]

The unfortunate thing is, that while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or I should the lack of it? :) a big deal.

Re:Security: Antonyms: See Microsoft

[TOTKChief]

Actually, they are.

The other day, I was on the hall where a good chunk of my professors have offices. I got into a discussion with a few of them, and the gist was this:

"We've been telling folks around here for a while that we don't like Microsoft products, but because they're the de facto standard, we're forced to use them. Thank God for all the hackers that find holes and the real jerks that exploit them.

Of course, I got to wondering about that; we talk about White Hats and Black Hats, but even the Black Hats serve a purpose, if your goal is to rid the world of Microsoft. I'm not sure that it is for me--I'd be happy to use their products if they would code good stuff. [Posted from IE6 on Win2K, but only because I have to have a Windows box to do my school crap...]

But to the point, the end users are getting frustrated with all the security holes. In this case, these guys don't want their research exposed by something like SirCam, which could very easily happen. I think they'd happily go for a switch if solid interoperability with those Left Behind in the Microsoft world could exist.

And hey, remember that these are aerospace engineering professors, who aren't always at the vanguard of computing technology. I mean, I've had to do research with them using F77...

Mommy,I'm Scared

[notext]

Everytime I read about hailstorm, I am in shock but at the same time scared.

First, off I can't believe that Mircosoft thinks they should be in control of so much personal information.

Second, that Microsoft thinks they can somehow keep it safe.

Third, and this is what scares me. A lot of John Q. Public will give them all this information.

Better them than me I guess.

Comment removed

[account_deleted]

Comment removed based on user account deletion

The MS hack

[MobyDisk]

It sounds like they used a well-known technique of adding javascript/java/some other active code that nabs information such as URL & cookies into an email. It then uses that info to do something like sending it to an anonymous collection account.

With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.

Re:3 == 1 ?!

[evilquaker]

The headline clearly reads, "Expert hacks Hotmail in 1 line of code". Then in the second sentence of the first paragraph, "It took just three lines of code for Grossman to breach Hotmail filters..."

And the line after that reads:

The second time it took just one line.

Well, at least you tried to read the article... that's more than most of the Slashbots.

Worm at Cracked Veridian?

[Ferd+Lamarche]

Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.

I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.veridian.com/upload/index.htm
Date: Fri, 31 Aug 2001 03:51:47 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 09 May 2001 12:53:30 GMT
ETag: "6a8163c87d8c01:943"
Content-Length: 289

(Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)

<html><body bgcolor=black><br><br><br>&lt ;br><br><br><table width=100%><td><p align ="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="cen ter"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</htm l>

Re:this is what freenet was made for!

[AntiFreeze]

Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain russian programmer can tell you.

You are mistaking cowardice with discretion. One must be very careful under today's laws with what one releases. Not wanting to fight is not cowardice, it is picking your battles. If source is released, or a name is released, there are serious legal reprocussions - which cost millions of dollars to fend off - while, on the other hand, just letting people know it is possible creates the same community sentiment without ending up in jail for the rest of your life.

Re:I'm normally not one to hate on Microsoft stori

[Black+Parrot]

> > There's plenty of security holes in every stock Linux distro too, you know.

> But, unlike with M$ products, you can plug them, since you have the SOURCE.

And increasingly important, you can talk about them without fear of drawing a Go To Jail card.

Re:Cross-site scripting??

[Ramses0]

A lot of interactive websites can take user input (like slashdot did when you typed in your comment). A lot of times, they'll even redisplay it for you (like when you click preview).

Most of the time, when you let users type something, you don't mind showing it back to them (they typed it after all). But with cross-site scripting, when you visit www.haxor.com, they'll provide you a link to www.phpnuke.org, but take advantage of the fact that phpnuke.org will display whatever that user has typed in.

Normally this isn't a problem, but there are people who are really good with javascript that can basically email your cookies to somebody@haxor.com after you've clicked that link. Once they've got your cookies, they can usually pretend to be you- submitting comments, stories, etc. Changing passwords. On PHPNuke, this isn't such a bad thing, but I wouldn't want anybody messing with me on my online banking site.

Take a look at the previous example. I mailed the Nuke authors about 3 months ago telling them about the above problem. No response. Don't use Nuke for anything you want to be secure. The explanation of what just happened is that search.php displayed whatever "query" contained. I stuck a few special bits of html (ie a close bracket) into their search box. When it got re-displayed, I prematurely exited their input field. This gave me free reign to put nifty red font tags onto their page. Imagine that it was evil javascript instead.

To prevent cross-site scripting attacks, you must remember to escape all untrusted data before displaying it to a user. For PHP, it would be something like: [input type=text value="[?PHP echo htmlspecialchars($their_input); ?]"]

The htmlspecialchars function automagically kills all dangerous characters before writing the data, making it much more difficult to attack.

--Robert

Actually, this brings up an interesting point.

[nyet]

While I agree with you in principle, this does tickle something in the back of my brain. If the DMCA causes so many people to wish to remain anonymous when they discover a vulnerability, why not FLOOD the media with bogus exploit reports? Just claim you won't release it due to the DMCA. Eventually, if enough random hackers do this, and enough people buy it, there will be so much paranoia of "hidden" exploits, that eventually somebody will call for mass disclosure. And the only way this can happen is for global DMCA amnesty.. similar to what brought about whistle blower legislation.

Re:Microsoft Security Model - implemented via DMCA

[ichimunki]

Yes, it does matter. The most important issue here is that the DMCA protects bad security. I can't wait for MS to say "there have been no published or known exploits to XYZ Security Package, so it is secure", then later selling the US Government some NT-based, web-based nuclear missile launcher running off IIS. Or they sell systems to Citibank or the Federal Reserve.

Then some well-paid foreign hacker can crack the server, launch the missile at Canada and all heck breaks loose. Or some terrorist sympathizer can funnel money to his buddies, or simply cause havoc in major US financial systems.

Do you really think the best hackers in the world are all boring enough to work for the NSA, or even born in the US? Are we really supposed to feel secure knowing that the main obstacle preventing our "secure" systems all over from being cracked is the danger of being cracked? Talented hackers are not script kiddies. Talented hackers won't be leaving little notes like "j00 4r3 0wn3d". Talented hackers just might not care about the things the rest of us care about-- and they may be largely immune to legal action.

I think it's important that we consider the DMCA not only an affront to our traditional rights as consumers (i.e. Fair Use), but a danger to national security.

The whole thing is a bit like making it illegal to publish reviews of various locks from the hardware store. Yeah, it will keep consumer reports from telling shoppers which locks are high grade titanium or alloys and which locks are flimsy plastic, but it won't keep crooks from figuring out which is which and having a field day breaking into houses secured with the plastic locks.

Civil Disobedience?

[why-is-it]

this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!

No. The whole point of civil disobedience is that a law or regulation is openly defied in a very public manner, and the transgressors challenge the authorities to enforce the law. The belief is that should the larger public become aware of the law and the inappropriate punishment that comes from breaking it, the government will feel compelled to change the law. As well, if enough people are openly breaking this law, the system will get clogged up with trivialities.

Civil disobedience is not hiding in the shadows and skulking around under cover of anonymity.

And this gets a +5 insightful? WTF?