al Qaeda Hacks XP?
acaird writes "According to this article at Newsbytes, members of al Qaeda may have worked for Microsoft and planted "trojans, trapdoors, and bugs in Windows XP"."
This stuff screams of hoax to me, but it is showing up on the Washington Post.
If this goes on..."Next week on Jerry Springer: Bill Gates is sleeping with my sister!"
Carousel is a lie!
Speaking as a programmer who works for a big software company, it's unlikely that anything like that would be able to get through.
Code generally goes through peer reviews and quality assurance before it is accepted into the main stream. Say what you want about MS, but I'm sure they do these things (they can afford it!)
To bypass these failsafes would require a lot of people along the line allowing it to slip through.
I heard they also worked for Firestone and sabotaged their tires!!!
Unless they commented their code:
security_hole();       /*b1n l@d1n r00lz!*/
Objects in the blog are closer than they ap
c'mon, this is such a pile of bullshit it's ridiculous.
Microsoft spokesman Jim Desler said Afroze's claims about the company were "bizarre and unsubstantiated and should be treated skeptically."
for once, we can all agree with a Microsoft spokesman.
And they even left OVER 700 SEKRET MESSAGES IN THE SOURCE CODE!
Observe:
% grep -ir 'a.*l.*q.*a.*e.*d.*a' /usr/src/linux | wc -l
704
Time to outlaw leenuks, I say.
// zyqqh
From the article:
According to Desler, Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code
I can sleep easier now.
Sigs are so 1990s. No way would I be seen dead with one.
These backdoors, trojans, etc. are rendered useless by the backdoors, trojans, etc. the NSA placed in XP.
Knowing Microsoft's track record, I wonder how much more damage some terrorist can add.
Consistency is overrated.
So that's who coded Outlook! 10 bucks says they were in on the whole Passport thing too!
If it ain't a Model M, it's a piece of crap.
Al Qaeda is not just terrorists in Afghanistan. They are all around the world. They have well educated, smart people well capable of getting jobs at Microsoft.
Consistency is overrated.
"This stuff screams hoax to me, but it's showing up on the Washington Post"
Can we mod down a statement in an article as being redundant? The Washington Post all but invented "ready-shoot-aim" journalism.
There are some people that if they don't know, you can't tell 'em.
then the terrorists have won.
I'm starting to believe the FBI are actually the good guys these days... YIKES!
--Mike--
This just found in winsock.dll in XP:
seineewerastsisrorretadeuqla
just = (My)Opinion.toCents();
It screams of a hoax, so let's put it on the front page. Way to be part of the problem, Taco.
Last time I checked, these Afghanis were hacking and downloading movies with a Commodore 64 (http://slashdot.org/article.pl?sid=01/11/17/204207&mode=thread)
...no other explanation needed.
Skiers and Riders -- http://www.snowjournal.com
I'm sorry, but this sort of statement is just plain silly. Any 'newly hired engineers' would hardly be in a position to place any sort of major bugs in such a large project. EVEN IF THEY COULD, since XP is relatively new, bugs placed on purpose would be no worse than any existing bugs simply due to the nature of newly released software.
Perhaps, just perhaps, a few well placed bugs could have an effect on the end product, but I see no reason why such an organization would want to target such a thing. I can see the reason to want to make such a false statement to cause yet more public doubt as to their safety, though. The likelihood this is a ploy to create more doubt is much greater than the likelihood that they actually did such a thing.
On the other hand, it could very well be true. It is so out there that it just might be truly something that happened. It most certainly is no more out there than the very same network obtaining Anthrax from a US source, and mailing it all over the country.
-- I'm the root of all that's evil, but you can call me cookie..
"I, Mudd" was on sci-fi last night. I see a rewrite, something like this:
I, Ashcroft
"...XP is the only OS that can protect us from terrorists.
But XP was *made* by terrorists"
Fzzt... Pop....
Jesus was all right but his disciples were thick and ordinary. -John Lennon
has found the following phrase:
"!seineeW era tnemnrevoG SU"
mp3's are only for those with bad memories
I heard that members of al Qaeda had infiltrated Slashdot and were sabotaging the quality of reporting.
Oh wait, Taco has always posted retarded stuff.
So, does this mean goodbye to the "Bluescreen of Death" and hello to the "Bluescreen of Holy Vengeance?"
If it ain't broke, it doesn't have enough features yet.
Well now that they've routed the enemy, we can expect future versions of MS OSes to be bug and exploit-free.
BWAHAHAHAHAA
m00.
Just put this in a .REG file and the evil will be revealed...
REGEDIT4
[HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin Laden"
Does this mean we can drop a few 'Daisy Cutters' on Redmond?
We'll know if terrorists slipped code into XP, because if they do, they'll make it support raw port access for non-privileged users. Clearly only a terrorist would do that, so it'll be a dead giveaway.
Now, third-party patches such as those at linuxhq.com are not scrutinized by the kernel team, and these patches might possibly contain nasty code (as well as simply poor code). But if you're downloading third-party patches and applying them without reading them, you're an idiot. Can't read C, or don't understand kernel internals? Then don't apply third-party patches.
It would be far easier, as you suggest, to insert backdoors and other nasties into userspace open source programs. When was the last time you downloaded a source tarball and actually read all the code before building and installing it? The most evil of all would be a trojan in gcc -- all programs compiled with the trojaned compiler would themselves be trojans. After a while all source remnants of the trojan would be wiped away, but the trojan code would still be lurking in all our binaries. Horrible thought.
Like you say, be careful. Just because you're running Linux, or you use open source, doesn't make you immune to viruses, backdoors, trojans, or anything else.
We should all know about the wonderful editorial integrity of the Washington Post.
Not a typewriter
According to Desler, Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code
Oh well, in that case!
Prasad, moderator of an Internet mailing list on south Asia security and information warfare, told Newsbytes that Afroze made the claims in a police confession.
Even if the story is true, and the guy "confessed"... I know I'd confess to writing windows XP if faced with a rubber hose.
Think about it...
Funny how /bin/laden has passed from mere mortal to an incarnation of evil, and as such responsible for all bad things.
Yesterday he was responsible for crashing the US economy. Today he is responsible for bugs in XP. Tomorrow he will be responsible for sour milks, bad weather, disrespectful children...
"...members of Osama bin Laden's Al Qaeda network, posing as computer programmers, were able to gain employment at Microsoft" - so, you can "pose" as a computer programmer, and get to modify M$'s source, can you? You don't actually have to be a programmer?
Also, I liked "According to Desler [an M$ spokesman], Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code." Well, it's worked so far, hasn't it? Maybe they're just talking about how difficult it is to add intentional bugs. That, I can believe.
The very suggestion that M$ needs help adding "trojans, trapdoors, and bugs in Windows XP," is the laughable bit here.
(Outside of an Al Qaeda recruitment center)
"OK, people. Line to the left is suicide bombers, center line is front line soldiers, right-hand, nefarious computer geeks."
or
(2 terrorists meet to discuss their accomplishments)
"I have struck a great blow against Satan! I have planted bombs and anthrax!"
"I, too, have struck a great blow!"
"What did you do?"
"Improper bounds checking in msetl23.dll! I used my own hasty, roll-your-own strcpy()! And as a final coup de gras*, I stole 3 product activation keys and gave them to Best Buy employees"
Please.
* terrorists may not actually use phrases like this. Consult your manual.
ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK
"There is no groaning in my store"
When I read comments like this, I think of the lovable Comic Book Guy, so anal about everything. Get over the misspellings, no one is perfect, not CNN, not the BBC and not Slashdot. Besides, what is the word, "You's?" Does the thing belong to You, or maybe it should read, "You is think... Ohhh, look, I can be anal and picky as well!
=-=-=-=-=-=-=-=-=
Oh bother.
The guy sure sounds loco to me.
As someone who has been through the Microsoft interview process, I find it highly doubtful that some random terrorist programmers could make it through.
Unless, of course, Al Qaeda makes learning how to get 5 gallons of liquid using 3 and 7 gallon containers part of their training.
According to Desler, Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code.
Hahaha... that's how you can be sure this article's a hoax.
Developers: We can use your help.
Not to mention that the whole story is hanging on very tentative ground.
In the first place, I notice that man is a "suspected" Al Qaeda member. From what I've been seeing lately, anyone who has the wrong kind of accent or a copy of the Koran is a suspected Al Qaeda Member.
Secondly, if this man really is a member of the organization, it should be noted that bravado and misinformation are prime terrorist tactics. It's a lot easier to spread rumours about having planted bombs, or for that matter created software bugs, than it is to actually do it. And you still get the result of people being afraid to fly or afraid to use Windows.
Thirdly, as you said, even if some programmers with less than noble intentions did manage to get employed at Microsoft, the chances that they would be able to intentionally slip in a trojan horse without it being caught in testing are pretty low.
On the other hand, I suppose they could just sabotage the American way of life by writing bad code, but then Microsoft pays people to do that anyway.
lysergically yours
Look at the effect they've already had on the global airline and tourist industries, based on a net increase in danger that's insignificant compared to road deaths. Score one for the terrorists.
And here come the ill considered security measures and infringements of civil liberties. We defend Freedom by taking it away. Score two.
Then it was time to target the government, postal service and law enforcement with a few packets of a not particularly lethal virus (sympathies to the victims though). Again, the big impact is from the FUD, as law enforcement chase hoaxes and benign packages all over the country. Score three.
Now it's software. "All your code base belong to us!" they rant. Expect the hoaxers to jump on this and a new rash of bin Laden themed virii and worms to appear. It's pure FUD, but the problem is reassuring easily frightened and confused non-techies that it isn't true. How do you disprove the existence of allegedly hidden code?
And so for once I'm actually going to get on the bandwagon with Microsoft and give this zero credibility. This pathetic piece of bluster should not be allowed to put anyone off using XP. There's plenty of real reasons for not using it, but this isn't one of them.
If you were blocking sigs, you wouldn't have to read this.
Probably nothing more than an indication that al-Qaeda are Linux buffs and wanted to see their names on /.
# chflags noschg /bin/laden
/bin/laden
/bin/laden removed. Will replace with something even more evil.
/bin/microsoft /bin/laden
/bin/laden
/bin/microsoft
/bin/laden
# rm -f
Warning: Utitilty
# ln
# chflags schg
# chflags schg
Thank you for removing
This page left intentionally blank.
Actually, something occurred to me that makes it a little bit more possible. I once read somewhere on MSDN, regarding the release of localized versions of Microsoft's OSes and applications, that they were generally localized by outside contractors, such as those used in India, etc.
This could have, indeed, made it a great deal easier to insert some hidden #ifdef inside of, say, a comment that looks funny, and cause some issues such as providing uid checks, etc.
Perhaps I'm just thinking too much. It's amazing how easy something appears to be if you can think about it long enough.
-- I'm the root of all that's evil, but you can call me cookie..
Members of the militant group Hamas have claimed responsibility for file corruption issue found in the Linux 2.4.15 kernel.
Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code.
muahahaha, now, *THAT* was funny.
The largest case of FUD EVER!
My beliefs do not require that you agree with them.
i am not an ms fan, in fact part of the reason this story will be successful is because of ms's history of poor quality management and its closed source systems, but this article is most likely fud. after all, it's easier to *say* you've planted such things in xp than to actually do it. and since ms has a poor track record for security and since there is no public peer review of their code, it will certainly cause reasonable people fear, uncertainty and doubt about microsoft's software.
truly a case of reaping what you sow. ah, how amusing.
US Citizen living abroad? Register to vote!
Anyone got a link to it?
Best Slashdot Co
A well-crafted lie appears unquestionable - Dama Mahaleo
...for the saboteur to insert something into a product other than the kernel. Say, apache, or maybe samba. Or maybe mozilla. Or maybe even in a development product which is modified to turn a blind eye to certain types of defects, like buffer overruns.
Hell, just knowing the general class of vulnerability that one can expect to find is a big leg up for an attacker.
The point is that it could happen in any product. Really, how do you know that the spanky new game you're playing didn't open your system to attacks? It really isn't complicated and getting someone into a game company to do that sort of thing wouldn't be difficult.
But the real question is, what then? The contaminated code in question would need to execute in some sort of proximity to a resource that matters (think banks here).
Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
But I don't understand how people thought it was Off Topic, I mean OBL is the ring leader of Al Quieda (sp?)
~ now you know
Younger readers may not be familiar with a similar earlier threat to the American Way of Life.
Fluoridated water was widely suspected to be a communist plot, mostly to induce widespread sterility.
Fortunately, alert citizens foiled the effort by placing their water in quart-sized glass jars on top of American flags in direct sunlight for several hours prior to drinking. As a consequence, the intended effect of sterility was mitigated and the only after effects of the threat have been the subnormal intelligence of offspring.
At least, that's what I heard from my father.
"Provided by the management for your protection."
It turns out that al Qaeda is actually a bitter DR-DOS user group.
Why spend the time, money, and effort to sneak someone into Microsoft to add a back door? Look at the damage done by Goner, Sircam, LoveBug, and all the rest using the front door! Anyone talented enough to a) get a job at Microsoft (even as an H1B temp), b) add a back door or timebomb to the XP code, and c) do it in such a way that it doesn't get noticed, has enough talent to stay at home and write lovebug knockoffs.
Brian
I'm as anti-Microsoft as the next guy (well, probably more anti-MS than most actually), but this has to be a hoax.
If a terrorist organization did succeed in infiltrating MS and backdooring their OS, why would they say anything? It's much more useful to them to keep it quiet. On the other hand, if they didn't succeed in doing it, saying they have is the next best thing. Remember terrorism thrives on scare tactics, and convincing your enemy to chase ghosts.
The mere fact someone is taking credit for it before anyone else found out about it means it probably didn't actually happen.
RA7
---
"Consistency is the hobgoblin of small minds" - RWE
Sounds to me like al-Qaeda is just looking to take credit for the chaos caused by others.
"You will feel our wrath in the endless bugs and security holes in Windows XP!"
What's next? "We will cause random car accidents in busy intersections and will lace cigarettes with deadly carcinogens!" OOooo, their prophecies are coming true, everybody! Head for the hills!
Reminds me of when Saddam Insane bought all those PS2s.
The GeekNights podcast is going strong. Listen!
Don't tell *anyone*.
The events of September the 11th have shown us that al Qaeda are very, very good at keeping secrets.
Therefore this is a hoax or deliberate scaremongering tactics.
I think you'll find that starting with a 5 gallon container might be considered cheating.
ObSoln:
Fill 7
(Fill 3 from 7:Discard 3) twice
Decant remaining 1 from 7 to 3.
Fill 7. Top up 3 from 7, leaving 5 in 7.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
7:30p. This just in - We have learned that the alleged Al Qaeda computing complex was destroyed. US Marines were seen removing five hourglasses, an abacus, and a piece of aluminum foil that were allegedly behind a massive recent distributed denial of service.
As has been pointed out already, this type of thing would not be hard to do for a well financed organization like Al Qaeda (getting someone hired at MS). And according to the article, this guy predicted the attack on the Indian Parliament which killed 7 people on Thursday. Surely this gives him a bit of credit, and his allegations should be investigated?
Also, what the heck would they do?
Mind you, I believe this to be a hoax. Potentially however, a backdoor or trojan hardcoded into XP, means that every XP system can be easily hacked by anyone who knows how to use it. In theory, I could write a program, that portscans systems on the internet, looking for a particular port opened by this trojan, then infects the system, which in turn starts the process over. As the number of infected systems grew, the traffic on the internet would increase, making a very effective internet wide Denial of Service attack. It would also be possible, and much easier, to just have the OS self destruct after a random amount of time. Have the trojan delete or corrupt random DLLs, forcing you to do a reinstall or overwrite the first 1K of the hard drive forcing you to have to run fdisk and reformat your disk before reinstalling. With a backdoor or trojan, all this and more becomes trivial to do across 90% of the home computers in the U.S.
"Our products just aren't engineered for security,"
-Brian Valentine,VP in charge of MS Windows Development
I have worked for several major software companies, including Microsoft, as a co-op.
:)
The standard practices at Microsoft do not include a lot of code review (even for a co-op). You could easily sneak stuff in there.
That being said, I'll wait until I see proof before I believe this one.
I have nothing to worry about, however. My standard practice is to never install a Microsoft OS until it has been "in the field" for -at least- a year
Secondly, while I agree that it's unlikely that a terrorist would approach a 13-year old kid and say, "Hey, you should start excelling in Math and then attend college to get a CS degree so that 10 years from now you can go work at Microsoft for 4 years or so (enough to gain the confidence of your managers) and then start putting back doors and bugs in their OS," it's far more plausible that a terrorist would approach an already working programmer who's naive and idealistic -- and perhaps *already* working at and trusted by managers at Microsoft -- and say, "Hey, here's how you can really help your faith..."
The evaluation of an action as 'practical' . . . depends on what it is that one wishes to practice.
- Spiking Ted Kennedy's lunchtime beverage with gin and vermouth
Not to mention...Law is whatever is boldly asserted and plausibly maintained. -- Aaron Burr
Also, don't forget the ones that are there by poor implementation. You know, like sound files in email that get executed without warning.
Also, don't forget the ones that are there due to poor design. You know, like an email client that runs as root because there are no real user accounts and the underlying file system will not support that and ....
Don't forget to combine all of the above with poor judgement. Well, running M$ with anything but in single user non networked air gap protected mode is poor judgement. Worse judgement is attaching a camera and an always on high speed internet connection in your freaking bedroom, ha-ha (banned in Saudi Arabia).
Alah-Akbar. It's true you know.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I am talking about the same system of quality control here, but let's be realistic...we're talking about actual EXECUTABLE PROCESSES (since that's what trojans are) that are slipping through here. Not some obscure, nearly impossible-to-find directory traversal hack. Believe me, something like this would have been found.
and yes, that concern HAS been addressed already. Repeatedly. Too many times in too many discussions. We're all well aware of the blunders from Redmond. We don't need you to keep telling us how bad they suck. Besides, everybody makes mistakes sometimes. So please spare us the typical zealotry.
I'll bet he kicks ass on Half-Life.
Snowball did it!
Four legs good! Two legs baaaaad!!!
You see? You see? Your stupid minds! Stupid! Stupid!
Hacking will become synonymous with terrorism (MS was already hoping it would be), and before long will be prosecuted as such.
It's a good thing Sklyarov got out of the country when he did. With Bin Laden nowhere to be found in Tora Bora, the hawks have GOT to be hungry for whatever scapegoats they can get their hands on.
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
Al Qaeda members aren't supposed to know what the other members are doing. Their own mission is revealed to them at the last moment.
In the article they mention the following : "authorities find some of his claims inconsistent and "too theatrical to believe.""
This guy is probably not even a member of Al Qaeda, he's just a crazy guy who's probably too dumb to even be a terrorist.
I'm sorry (maybe), but the mental images conjured up by this line
of a terrorist non-programmer attempting to bluff his way through a code review are hilarious. I would love to see what the Monty Python crew could do with this as the basis for a skit..."Bill Gates holds press release on Al Qaeda hacks in Windows XP."
Redmond- Bill Gates today held a press release to confirm the presence of "hacked" code in the Windows XP product, and admitted for the first time that all previous versions of Windows also had "hacked" code inserted maliciously by covert Al Qaeda operatives within the Microsoft Corporation. "We have confirmed the presence of this code in all versions of Microsoft Windows from 3.0 to XP. The code we have found was planted by covert Al Qaeda operatives who were employed by Microsoft for years. This was a long-term terrorist operation planned years in advance and executed with frightening efficiency. We have investigated the code and found it to be the cause of instability in Windows products. As a matter of fact, the infamous "Blue Screen of Death" was in fact an Al Qaeda trojan. We will be releasing a full list in the coming week of all the Windows problems that the Al Qaeda terrorists are responsible for after a full investigation of all the things that make Windows suck."
- For the complete works of Shakespeare: cat
... where this looney says they planned to attack the Houses of Parliament and Tower Bridge.
Parliament perhaps, but not Tower Bridge. If they were interested in tourist attractions in the US, they would have put a plane into the Statue of Liberty. It doesn't fit their pattern. Tower Bridge isn't even that big a deal as a symbol of the City. The Tower itself, or St Paul's, or Buck House, would be more likely.
Canary Wharf, I could believe.
~~~~~ BigLig2? You mean there's another one of me?
I got a BSOD the other day and managed to scrawl this down before rebooting my hung box:
I thought it was a prank at first, or some weird virus. Also I remember a story a few days ago on"What is the sound of one belly slapping?"
$5 / month hosted VPS on linux = awesome!
What do geese have to do with terrorism?
You are in a maze of twisty little passages, all alike.
Ahhh, it all makes sense now. No matter how hard I tried, I could never land properly in MS Flight Simulator.
I'm sitting here on a Windows box right now, and the very idea that Al Qaeda could get jobs at MS, hack the s@$%%$#%#%Die American Scum@$#@$@#$ is just ludicrous. I mean, learning how to fly a plane is one thing but !Q%#@$^%@#$^#$$The blood of the infidels will run red in the streets!%@#$%%#$%$%getting a CS degree, getting hired by MS, and then slipping all those hacks through the system? That strains my credulity.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
At only $27,000 each, a Daisy Cutter would be both faster and cheaper than waiting for the courts to break up Microsoft.
Even Slashdot wants to hide some things
... to learn to fly those jets! This is the most subtle aspect of the conspiracy yet!
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
They were planting features, not trojans or trapdoors.
Probably not into the kernel itself, as changes there are carefully thought-out. Think of the kernel as the crown jewels. But then again you wouldn't need to get it into the kernel.
As you move a proposed exploit away from the kernel and into more remote areas, you both increase your chances of being able to slip an exploit past the code owners, and reduce the number of people likely to deploy it. Reducing this to absurdium, you could create a full root exploit and "get it past the code owners" with 100% probability by starting your own project. But then again, you'd likely only wind up exploiting your own machine.
Heck, if you managed to get an exploit into a certain incremental release of the kernel (2.3.14, for example) you'd still only get a fraction of the Linux users (not everyone downloads and applies each new kernel release) and once the exploit was discovered and publicized, it would likely be patched out of existence much quicker than its Windows counterpart.
Then there's the whole "many eyes" problem. In a closed source situation, you can assess exactly who the code reviewer will be, what their weaknesses (and concerns) are likely to be, and hide in those shadows (or avoid sensitive areas.) You also have the benefit of knowing the exact compiler which will be used, what the compile environment and options will be, what test cases will be run, etc.
In an open source setting, any proposed patch is likely to generate a hundred complaints about what it breaks (or slows down) from a hundred different people you never even knew were using that code compiling it on a hundred different compilers (some of which were written by their users) and porting it to a hundred (well, maybe ten) different hardware platforms. And that's even if you aren't trying to slip in a trojan. And fully half of those people will know more about that particular software than you do.
The thing about things we don't know is we often don't know we don't know them.
Let's just whine about it instead of moving on. Way to fill the page up with trash.
Hypocrisy, see above.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Al-Qaeda does have a motive to introduce bugs into Windows XP, which will be deployed widely around the world, especially in the US. Al-Qaeda's leadership has stated that their goal is the destruction of America. To the extent that the American economy relies on Microsoft products, this alleged subversion would give Al-Qaeda information, the ability to disrupt systems over remote connections, and, when revealed as true, the ability to make the world's population panic and distrust their current set of leaders.
Al-Qaeda is known to have hatched many crazy schemes, including one involving a helium balloon that would have distributed anthrax in Washington, DC. This alleged subversion of Windows XP is crazy, but it fits with Al-Qaeda's modus operandi.
Al-Qaeda has different kinds of people on their payroll. It is conceivable that they hired experienced computer programmers who came under the cultish influence of Bin Laden.
Microsoft's software development proceeds not just in the US, but in other countries, too. This geographic diversity would make it easier for an Al-Qaeda operative to be hired by Microsoft.
Even if Al-Qaeda could not get its operative hired by Microsoft, it could have slipped the code into XP through a variety of means. Some people have mentioned third-party modules.
Another obvious choice would be to breach physical security at a Microsoft building, and insert the trojan or backdoor when no one else was around.
They could have cracked into Microsoft's core developer sites. This could have been accomplished via cracking techniques, social engineering, or breach of physical security combined with placement of hardware or software that allowed the access. Any of these options would have allowed them to place the trojan horse or backdoor password.
As for Microsoft's code review process, there is little detailed public knowledge on how thorough it is. It does miss many security related bugs. No one individual can possibly look at all the XP code. Thus, the crucial part of the system is accountability, ensuring that trusted reviewers look at all the XP code. Has this been done?
Nevertheless, the story seems too unlikely. If Al-Qaeda carried out this alleged subversion successfully, why haven't we seen more ill effects from it yet? You'd think they would have already attempted to hack into sites and cause havoc and mayhem. That hasn't happened yet.
Nevertheless, I would hope that the security people at Microsoft are doing some double checking of the XP code.
I am not a lawyer. Do not take my words as legal advice. If you need legal advice, consult an attorney.
No, English is enough of a gibberish tongue on its own without terrorists. :)
They obviously used the excel easter egg flight simulator to train the hijackers!!!
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Perhaps these guys have been instructed that if they feel the need to "spill the beans" they should spill 3 or 4 phony beans along with the real ones. That way, our security has to track multiple potential threats. I'm sure nothing would please them more than to see us spend the time and money required to audit all of the Windows code.
Perhaps there is a rational way to tell which threats are real; some kind of "threat profiling".
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
There is no way that you could try to put a terrorist-sized hole in XP without a lot of people noticing.
-For the months before the OS ships every line of code that is modified is examined on several levels; every bug that is found could potentially be investigated by any of dozens of people in any part of the organization...
-There's nearly a 1/1 ratio of Test/Dev in the critical parts of the system; to do this you would have to get the developer(s) and the tester(s) responsible for that chunk of code/functionality.
-Automated tools run by separate groups review changes and record owners; try to sabotage something once & you won't get a second chance.
-Automated tools run by testers review code that's not exercised by test-passes, reporting on changes so that the hole can be filled.
This simply did not happen and it's embarrassing that this pseudo-technical forum is giving the report even a little credit. I would expect better from even the bitter/angry/biased-Microsoft-haters that make up such a vocal percentage of the Slashdot crowd.
It's pure FUD, but the problem is reassuring easily frightened and confused non-techies that it isn't true. How do you disprove the existence of allegedly hidden code?
How about peer review of source code and check sums for compiled code? How else do you prove the integrity of a thing, by a billion dollar advert budget? Yeah.
For years the softies have put out FUD about not being able to trust free software due to a lack of central control. True? Of course not. Yet it scares lots of people into a closed source surrender of their rights and money. It's part of the reason they have all the piles of money they do from pushing some of the worst built, least secured software ever. They deserve to get this shoved right back at them.
The track record justifies a lack of trust, but they can blame terrorists if they want.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Given the long-term planning that Al Qaeda is known for, and their penchant for using the tools of the West against the West, I would be unsurprised if they planted people into companies doing Y2K patchwork for major financial institutions or other mission-critical systems. Most of that code was NOT code reviewed due to time constraints, and the work was done overseas by the lowest bidders. This is a recipe for disaster and was predicted as such years ago. Now that we know exactly how crazy these motherfuckers are, the warnings seem a lot more important.
Just my paranoid guess.
-jon
Remember Amalek.
Where they've hit is already public knowledge...
--- Metamoderating abusive downgraders since my 300th post.
The amount of people that have access to the Linux source code is several orders of magnitude greater than Windows. That works in Linux's favor. Linux programs also are regularly ported to several different architectures. That's useful too. A lot of times subtle bugs can be found when the source is ported. Especially if it is ported to a radically different architecture using a totally different compiler.
Not only that, but Linux source code sometimes gets reused. That sort of thing helps as well. There is nothing like having someone else reuse your code for something totally unrelated for shaking out bugs.
Not that Free Software is perfect, but it certainly seems better than the alternative (in this regard).
So what are the QA procedures for Solitaire? I'm sure that gets almost as much runtime on most office machines as the networking stack.
I don't think they would have had to put a backdoor into the kernel for them to cause problems.
.
load "linux",8,1
it is highly unlikely that there'll be fibre optics being piped into Tora Bora.
You assume there are no Terrorist Cells anywhere else in the world. There is plenty of fiber in the US, Germany, Finland and many other countries. This also assumes one needs a high-speed connection to hack; this is also not true. All that is needed is a laptop and a phone line, preferably a payphone or a phone in a motel room far from where you live.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussoli
Wow, al Qaeda is evil, they worked for Microsoft!
Linux O Muerte!
Hell, maybe you can just swab some of that sweat off of him at any of his pep rallies..
XML is like violence. If it doesn't solve the problem, use more.
You got it. The only way to respond to a troll is with a better troll. Oh, wait, did I just hit "submit"? Damn.
Expanding a vast wasteland since 1996.
My policy is half of that: the first half!
Canary Wharf would be a great target if it were better known. Parliament and any of the castles would be likely choices, along with MI-6. Of course the IRA has already nicked that one once.
St. Pauls seems unlikely to me, because they've always avoided religious targets. They seem to really take aim at the flashy secular elements of western civ. Sbarro's pizza, the World Trade Center, the Pentagon, discos, etc.
if ($it != $onething) {$it = $another;}
Latest news reports advise that a cell of 4 terrorists have been operating at the Boeing Renton site. Police advised earlier today that 3 of the 4 have been detained.
Boeing security stated that the terrorists Bin Sleepin, Bin Drinkin and Bin Fightin have been arrested on immigration issues. The Police advise further that they can find no one fitting the description of the fourth cell member, Bin Workin, in the area. Police are confident that anyone who looks like Bin Workin will be very easy to spot in the plant.
Ask them questions they won't know the answers to.
Like talk about the Grey Screen of Death and see if they notice. Or see if they can tell you what TCP/IP stands for - hint - it's not Taliban Control Program/Intifada Protocol like they think.
And if they don't get all hot and bothered by the BSD booth babes, you know they must be terrorists.
-
--- Will in Seattle - What are you doing to fight the War?
... it clearly shows how Open Source Software is more secure than proprietary software, contrary to Microsoft's favorite claim in defense of NT/XP servers.
Nobody could possibly claim a terrorist organization got its patches into the official releases of Open Source tools.
This message is provided under the terms outlined at http://www.bero.org/terms.html
I don't know about you guys, but how the hell do you "pose" as a programmer? Either you are, or you're not!
lol
I think next week maybe I'll pose as a surgeon or a lawyer and get a raise!
Cheating?
When all you need is 5 gallons, it makes really good business sense to trade in the 3 and the 7 for a single 5.
That's a better answer than the correct one. And that's BOUND to make a good impression as M$.
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
So, are those who install Outlook aiding and abetting Terrorism? It sure is a huge hole in the system...
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
We've known for a long time that Osama bil Gates is a digital terrorist, the ring leader of the "Active Qaeda" terrorist network.
Tired of FB/Google censorship? Visit UNCENSORED!
That sounds reasonable. However, by that logic there should never have been any exploits for a Microsoft product, right? Maybe you are assuming that the trojan would be glaringly obvious. I would assume the opposite - that it would be the kind of vulnerability we've already seen many times in IIS and Outlook. Something that could be called an honest mistake.
I still don't really believe the story, but I think you are dismissing it too lightly.
I believe that early on there was a bugged version of gcc that went undetected for years. (The binary didn't match to source, but whenever it was recompiled it patched itself to still contain the bug.)
I don't remember what the bug did. Or even, actually, whether this is folklore rather than truth, though I remember it as truth.
Still, even if it were folklore, it seems a feasible scenario (as long as one assumes that the compiler doesn't get renamed, e.g.).
.
I think we've pushed this "anyone can grow up to be president" thing too far.
It's al just FUD to cover up the Magic Lantern introduction. Really.
karma capped
I.e., while the code was being modified during the GA process, the result is the most "fit" bit across all iterations, included statically in the final program.
For example:
"no evidence of malicious code in the operating system has been reported".
:}
Never attribute to malice that which can be adequately explained by stupidity.
Hand me that airplane glue and I'll tell you another story.
I hope you get my drift. Do I personally believe that terrorists have infiltrated Microsoft and planted bugs in the code? Not likely. Is the scenario conceivable? Absolutely.
Is this good? NO! Is it common? In my experience, in the literature of our industry, and of the opinion of most of the programmers I personally know (which is a large sample), it is the *rule* rather than the exception, unfortunately.
Shoo, M$ troll...
t_t_b
I'm on PJ's "enemies" list! Are you?
Could this just possibly be Microsoft's latest ploy to disguise all the bugs and problems that already exist in their programs?
CoyboyNeal is God
"-For the months before the OS ships every line of code that is modified is examined on several levels; every bug that is found could potentially be investigated by any of dozens of people in any part of the organization..."
That is the only one of your statements that could be likely to actually result in catching an intentional security hole, and I won't believe it at face value without supporting evidence, such as a description of the actual code review procedures. The typical code review in the industry (and I've seen other major operating system code and supposedly secure procedures in accordance with DoD standards) may be to check that the code being modified is in the area it purports to fix a bug or whatever and is by an engineer who knows that area. On occasion, a reviewing engineer may check the code to see that it changes the behavior in the way it is supposed to. Rarely would an engineer scrutinize the code to see if it subversively changed the code in a way it wasn't supposed to.
"-There's nearly a 1/1 ratio of Test/Dev in the critical parts of the system; to do this you would have to get the developer(s) and the tester(s) responsible for that chunk of code/functionality."
The conclusion of that statement does not follow from the first part. Only the developer needs to be an adversarial agent, because a tester is not necessarily going to catch an intentional security hole. I think it is not even likely, because a designed hole isn't going to show a lot of evidence. E.g., a buffer overrun error is an error whenever the buffer is overrun, whether by 1 byte or 1 million. A designed hole may show up only when certain data is presented, and testing would never catch such a hole. This is why I only believe your code-review claim would catch a hole, if there were a real, meaningful code review.
"-Automated tools run by separate groups review changes and record owners; try to sabotage something once & you won't get a second chance."
All this means is that changes can only be made by persons assigned to work on that particular code and must be associated with a recorded bug fix or design specification. That is little impediment to adding a security hole; it just means the code implementing the hole has to be submitted to the source along with a recorded bug fix or design specification in the same area.
"-Automated tools run by testers review code that's not exercised by test-passes, reporting on changes so that the hole can be filled."
As above, testing will not catch a design hole.
This doesn't mean I believe there is a terrorist-planted hole in Windows, just that I don't believe Microsoft's procedures would be likely to catch one.
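The distinction drawn in the comment above, between what functional testing exercises and what only inspection of the code surfaces, as an added example that is not part of the original thread. The sample function, its names and its values are constructed for illustration, and the review aid is one assumed heuristic (flag comparisons of a sensitive parameter against a hard-coded constant), not any vendor's actual procedure.

```python
import ast

# Constructed sample: a login check containing a data-triggered branch of the
# kind the comment describes. Every name and value here is made up.
SAMPLE = '''
def check_login(user, password, stored):
    if password == "constructed-magic-value":
        return True
    return stored.get(user) == password
'''

def run_functional_tests(ns):
    """Tests a tester would plausibly write: one valid and two invalid logins."""
    f = ns["check_login"]
    db = {"alice": "s3cret"}
    return [f("alice", "s3cret", db) is True,
            f("alice", "wrong", db) is False,
            f("bob", "s3cret", db) is False]

def literal_comparisons(source, sensitive_params):
    """Review aid: report comparisons of a sensitive parameter to a constant."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left] + node.comparators
        names = {o.id for o in operands if isinstance(o, ast.Name)}
        consts = [o.value for o in operands
                  if isinstance(o, ast.Constant)
                  and isinstance(o.value, (str, bytes, int))]
        hit = sorted(names & sensitive_params)
        if hit and consts:
            findings.append((node.lineno, hit, consts))
    return findings

def demo():
    ns = {}
    exec(SAMPLE, ns)  # load the constructed sample so the tests can call it
    return run_functional_tests(ns), literal_comparisons(SAMPLE, {"password"})

if __name__ == "__main__":
    tests, findings = demo()
    print("functional tests pass:", all(tests))
    for line, names, consts in findings:
        print(f"review finding, line {line}: {names} compared with {consts}")
```

The functional tests all pass because none of them presents the triggering data, while the inspection step reports the comparison regardless of what inputs were tried.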
"According to Desler, Microsoft has rigorous processes in place during the development of Windows to ensure the security and integrity of source code."
Yeah, but not the security and integrity of Windows
-no broken link
Developers! Developers! Developers! Developers!
As an employee who has worked in the OS division of Microsoft I would like to say unequivocally that this article is complete crap.
Just curious, have they fired the dudes who are responsible for bunches of holes in IIS and Outlook?
I meant, I'm just curious. Thanks in advance, Bill.
Huh? I have been using Linux since 1995 when I wandered into Linux-land looking for an inexpensive C compiler.
Is there some part of my argument that you feel is naive, or are you just trolling?
Nope, delivery is extra. Do you think finding someone to sign for it will be a problem?
Even Slashdot wants to hide some things