Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Security: On A Path As Clear As It Is Reliable

Posted by ryuzaki0 on from the snap-crack-crack-crack-pop dept.

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this get's fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.

9 of 360 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. Re:3 == 1 ?! by evilquaker · · Score: 5, Funny
    The headline clearly reads, "Expert hacks Hotmail in 1 line of code". Then in the second sentence of the first paragraph, "It took just three lines of code for Grossman to breach Hotmail filters..."

    And the line after that reads:

    The second time it took just one line.

    Well, at least you tried to read the article... that's more than most of the Slashbots.

    --
    To within half a percent, pi seconds is a nanocentury. -- Tom Duff
  3. Worm at Cracked Veridian? by Ferd+Lamarche · · Score: 5, Interesting

    Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.

    I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Content-Location: http://www.veridian.com/upload/index.htm
    Date: Fri, 31 Aug 2001 03:51:47 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Wed, 09 May 2001 12:53:30 GMT
    ETag: "6a8163c87d8c01:943"
    Content-Length: 289

    (Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)

    <html><body bgcolor=black><br><br><br>&lt ;br><br><br><table width=100%><td><p align ="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="cen ter"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</htm l>

  4. Re:this is what freenet was made for! by AntiFreeze · · Score: 5, Insightful
    Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain russian programmer can tell you.
    You are mistaking cowardice with discretion. One must be very careful under today's laws with what one releases. Not wanting to fight is not cowardice, it is picking your battles. If source is released, or a name is released, there are serious legal reprocussions - which cost millions of dollars to fend off - while, on the other hand, just letting people know it is possible creates the same community sentiment without ending up in jail for the rest of your life.
    --

    ---
    "Of course, that's just my opinion. I could be wrong." --Dennis Miller

  5. Re:Security: Antonyms: See Microsoft by TOTKChief · · Score: 5, Insightful

    Actually, they are.

    The other day, I was on the hall where a good chunk of my professors have offices. I got into a discussion with a few of them, and the gist was this:

    "We've been telling folks around here for a while that we don't like Microsoft products, but because they're the de facto standard, we're forced to use them. Thank God for all the hackers that find holes and the real jerks that exploit them.

    Of course, I got to wondering about that; we talk about White Hats and Black Hats, but even the Black Hats serve a purpose, if your goal is to rid the world of Microsoft. I'm not sure that it is for me--I'd be happy to use their products if they would code good stuff. [Posted from IE6 on Win2K, but only because I have to have a Windows box to do my school crap...]

    But to the point, the end users are getting frustrated with all the security holes. In this case, these guys don't want their research exposed by something like SirCam, which could very easily happen. I think they'd happily go for a switch if solid interoperability with those Left Behind in the Microsoft world could exist.

    And hey, remember that these are aerospace engineering professors, who aren't always at the vanguard of computing technology. I mean, I've had to do research with them using F77...

    --
    -- Geof F. Morris
  6. Re:I'm normally not one to hate on Microsoft stori by Black+Parrot · · Score: 5, Insightful

    > > There's plenty of security holes in every stock Linux distro too, you know.

    > But, unlike with M$ products, you can plug them, since you have the SOURCE.

    And increasingly important, you can talk about them without fear of drawing a Go To Jail card.

    --
    Sheesh, evil *and* a jerk. -- Jade
  7. Re:Cross-site scripting?? by Ramses0 · · Score: 5, Informative
    A lot of interactive websites can take user input (like slashdot did when you typed in your comment). A lot of times, they'll even redisplay it for you (like when you click preview).

    Most of the time, when you let users type something, you don't mind showing it back to them (they typed it after all). But with cross-site scripting, when you visit www.haxor.com, they'll provide you a link to www.phpnuke.org, but take advantage of the fact that phpnuke.org will display whatever that user has typed in.

    Normally this isn't a problem, but there are people who are really good with javascript that can basically email your cookies to somebody@haxor.com after you've clicked that link. Once they've got your cookies, they can usually pretend to be you- submitting comments, stories, etc. Changing passwords. On PHPNuke, this isn't such a bad thing, but I wouldn't want anybody messing with me on my online banking site.

    Take a look at the previous example. I mailed the Nuke authors about 3 months ago telling them about the above problem. No response. Don't use Nuke for anything you want to be secure. The explanation of what just happened is that search.php displayed whatever "query" contained. I stuck a few special bits of html (ie a close bracket) into their search box. When it got re-displayed, I prematurely exited their input field. This gave me free reign to put nifty red font tags onto their page. Imagine that it was evil javascript instead.

    To prevent cross-site scripting attacks, you must remember to escape all untrusted data before displaying it to a user. For PHP, it would be something like: [input type=text value="[?PHP echo htmlspecialchars($their_input); ?]"]

    The htmlspecialchars function automagically kills all dangerous characters before writing the data, making it much more difficult to attack.

    --Robert

  8. Re:Microsoft Security Model - implemented via DMCA by ichimunki · · Score: 5, Insightful

    Yes, it does matter. The most important issue here is that the DMCA protects bad security. I can't wait for MS to say "there have been no published or known exploits to XYZ Security Package, so it is secure", then later selling the US Government some NT-based, web-based nuclear missile launcher running off IIS. Or they sell systems to Citibank or the Federal Reserve.

    Then some well-paid foreign hacker can crack the server, launch the missile at Canada and all heck breaks loose. Or some terrorist sympathizer can funnel money to his buddies, or simply cause havoc in major US financial systems.

    Do you really think the best hackers in the world are all boring enough to work for the NSA, or even born in the US? Are we really supposed to feel secure knowing that the main obstacle preventing our "secure" systems all over from being cracked is the danger of being cracked? Talented hackers are not script kiddies. Talented hackers won't be leaving little notes like "j00 4r3 0wn3d". Talented hackers just might not care about the things the rest of us care about-- and they may be largely immune to legal action.

    I think it's important that we consider the DMCA not only an affront to our traditional rights as consumers (i.e. Fair Use), but a danger to national security.

    The whole thing is a bit like making it illegal to publish reviews of various locks from the hardware store. Yeah, it will keep consumer reports from telling shoppers which locks are high grade titanium or alloys and which locks are flimsy plastic, but it won't keep crooks from figuring out which is which and having a field day breaking into houses secured with the plastic locks.

    --
    I do not have a signature
  9. Civil Disobedience? by why-is-it · · Score: 5, Insightful

    this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!

    No. The whole point of civil disobedience is that a law or regulation is openly defied in a very public manner, and the transgressors challenge the authorities to enforce the law. The belief is that should the larger public become aware of the law and the inappropriate punishment that comes from breaking it, the government will feel compelled to change the law. As well, if enough people are openly breaking this law, the system will get clogged up with trivialities.

    Civil disobedience is not hiding in the shadows and skulking around under cover of anonymity.

    And this gets a +5 insightful? WTF?

    --
    *** Where are we going? And what's with this handbasket?