FBI, Pentagon Talk to MS about XP Hole
(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.
now we see the Gov't take a special interest in the latest XP hole.
Don't know about you, but I really don't know what to think.
Sigs are dangerous coy things
the fact remains, ms code *can* be secure, obviously just not xp, good to see them getting their act together
If you ignore ACs because they are anonymous - you're an idiot.
MS XP patch disabled network card on my computer!
I guess the computer is really safe now.
"Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "
that's really messed up and scary
(Hmmm.. Magic Lantern)
--
What is the sound of this sentence?
Microsoft has known for five weeks that XP had a serious security hole. They didn't do anything to warn customers who bought XP during that time. They just kept telling how XP is so secure.
It's unbelievable what Microsoft can get away with. I don't think the hole and the patch are the important issues here. I'm shocked how Microsoft can lie to the whole world for five weeks and people still trust them.
Microsoft should have withdrawn XP and fixed it. Especially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.
What the makers of Linux distributions must do is concentrate on usability (and by extension consistency) and further refining their installers so that anyone off of the street can choose and then run Linux as painlessly as they have done with all the different windoze generations.
Ximian are the closest to making easy to use tools that even my Aunt Grace (70) can use. A fully blown distribution from Ximian would be "most welcome" to use parliamentary language.
ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.
I must be living under a rock because this is the first I've heard of this. XP just starts downloading files without any action from the user? Does anyone beside me feel uncomfortable about that?
I honestly and truly hope that the US government brings them to their knees about this. That's wishful thinking, I know. However, two statements in particular in the Yahoo! article surprised me:
1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.
2. Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.
The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.
Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?
After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again insecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.
A feeling of having made the same mistake before: Deja Foobar
This is the DoJ (FBI) we're talking about, they want to thank Bill personally for keeping them all busy and employed during these uncertain economic times. Also, I'm sure there's a card with a box of chocolates on the way to Redmond from McAfee.
"Yeah, but those eEye guys didn't want to be on our Security-Through-Obscurity team! And we had all these great goodies for them!"
-------
Warning: Slashdot may contain traces of nuts.
...that security will suffer when you make an os too easy to use. It's an age-old tradeoff: security vs. ease of use. Moreover, with more features comes more complexity and with more complexity come more security holes.
Don't want to check to see if there's a patch needed for your OS? Don't worry, we'll have the OS check for you. We can't guarantee that your computer will be talking to our servers when it downloads the patches but hey! it'll be automatic! Come to think of it, we can't even secure our own servers so we're not too sure what you'll be downloading even if you are talking to our servers but hey! - it's automatic!
I can't think of a better argument for limiting the services an os provides than this fiasco.
MagikSlinger is almost certainly right about this. However, if there is a terrorist group out there which was organized and sophisticated enough to carry out another large-scale, imaginative attack (which I doubt), Microsoft might be on their list for these reasons:
- It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
- It's extremely visible.
- Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that.
- It's a center of wealth and therefore, in puritanical minds, of evil decadence.
- It could be thought of as a "vital organ" of the American economy by someone who doesn't realize how decentralized the American economy is.
Arguing against an attack on Microsoft is the idea that it's causing enough trouble for the US by itself, but this concept is probably beyond the reach of most fanatics.
Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.
So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.
However, UPNP apparently knows how to handle multiple chains of NAT networks, kinda like I guess an old fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?
So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...
Here's my rant...
Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.
Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?
In epidemiology, one of the mitigating factors of the spread of any disease is simply the diverse genetic makeup of the targeted population.
The opposite to this is what's called a monoculture, where one particular genetic structure is present in the large majority of the population. Such situations will usually not last long, because once something is found that affects that population, it spreads quickly and decisively.
With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture? Would one major virus or security flaw cause much more damage to the net than otherwise would have happened, because of the homogeneity of the net's computer systems in terms of OS?
Whether the king is Linux or Windows or MacOS, or..., is having a near monopoly market share of any one OS a good thing in light of this philosophy? Hmm. Food for thought.
There's 10 types of people in this world, those who understand binary and those who don't.
I'm thinking new computers that have been bought this Christmas as presents. I wonder how many of these computers are preinstalled with Windows XP. As we speak, these computers are all wrapped in gift papers; who will patch them? Do people even have time to do anything else except get prepared for the big day? And are people aware of the severe security flaw?
Probably quite many of those computers go to people who are going to have it as their first computer. And what are they going to do first? Turn it on. And probably, go online with it..
And the crackers will be waiting for the easy prey.
__
Zarathustra.fi
Modern man has no goal, no aim, no ideals.
where Burns and Smithers go through high security steel doors, scanning stations, gates and end up in the control room that has an old screen door to the outdoors in it allowing a stray dog in. Seems to me that sums up Microsoft's entire security structure.
bonus karma points to anyone who correctly identifies the show number.
"Oh for christ sake"- Montgomery Burns after discovering a stray dog in his XP-like high security control room.
....... Thus ends my attempt at wit or whatever
This would be a damn good way to get Magic Lantern on a whole lot of systems.
This was mentioned earlier, but now the FBI is pushing it as well. Coincidence??
On the other hand, you have fingers
Why buy a CD? Using this bug, you can install Mandrake remotely to all Windows XP systems connected to the internet.
They failed to protect the country from terrorists and now they're trying to rebuild their reputation among the population by getting involved in the Internet. Th
:)
Looks like MS isn't the only one with good marketers
I set up an XP Home Edition box on 12/14 and after installation, went to Windows Update. Found a dozen (4 critical, 4 non-critical) updates waiting for me.
So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.
At Microsoft the ultimate way people are valued is at review time when bonuses, stock options, and raises are awarded. Do developers get hosed for leaving buffer overflows in? Well, not as of when I left (April 2000). But maybe that will change, slowly.
Eventually you have to stop accepting excuses like "Gee code is really complicated and I thought I was being careful" or "we really tried to think through this design" and recognize that essentially every buffer overflow comes from being lazy as a developer, or not accounting for what kind of garbage packets can come in off the net. If Microsoft starts emphasizing that you can be fired for leaving a buffer overflow in, then things might change. Of course it's a little unfair, there is no doubt lots of clunky code in there that just doesn't happen to expose an externally exploitable buffer overflow (and merely crashes the system or something), but if you start emphasizing the necessity to go over things with a fine-tooth comb to prevent buffer overflows, it will improve all the code.
Because although there may be a few cases where someone really tried to check boundary conditions and just did it wrong in the code, in most cases developers are just being lazy about writing the code robustly to begin with. Plus if you have some code to prevent this and you write it wrong, you haven't tested your code properly anyway.
More ruminations at this osopinion article.
- adam
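The two failure modes adam describes above (a check that was attempted but written wrong, and code that never accounts for what a packet off the net actually contains) can be shown side by side in a tiny length-prefixed parser. This is an added illustration, not code from the thread or from any Microsoft product; the wire format (one length byte followed by that many name bytes) and the sample packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination buffer for the parsed name: 15 characters plus the NUL. */
#define NAME_MAX 16

/* Constructed wire format (hypothetical, not from the page):
 *   byte 0      : declared name length n
 *   bytes 1..n  : name bytes
 */

/* Flawed check, the "tried but got it wrong" case: it compares the declared
 * length against the buffer size but forgets the NUL terminator (off by one)
 * and never verifies that n bytes are actually present in the packet. */
int name_len_ok_naive(const uint8_t *pkt, size_t pkt_len, size_t dst_size) {
    if (pkt_len < 1) return 0;
    size_t n = pkt[0];
    return n <= dst_size;          /* n == dst_size leaves no room for the NUL */
}

/* Robust check: the declared length must fit the destination with room for
 * the NUL, and must not exceed the bytes that really arrived. */
int name_len_ok_robust(const uint8_t *pkt, size_t pkt_len, size_t dst_size) {
    if (pkt_len < 1 || dst_size == 0) return 0;
    size_t n = pkt[0];
    if (n >= dst_size) return 0;   /* would overflow dst or drop the NUL */
    if (n > pkt_len - 1) return 0; /* packet lies about its own length */
    return 1;
}

/* Copy the name into dst only after the robust check passes.
 * Returns the number of name bytes copied, or -1 if the packet is rejected. */
int parse_name(const uint8_t *pkt, size_t pkt_len, char *dst, size_t dst_size) {
    if (!name_len_ok_robust(pkt, pkt_len, dst_size)) return -1;
    size_t n = pkt[0];
    memcpy(dst, pkt + 1, n);
    dst[n] = '\0';
    return (int)n;
}

/* Convenience wrapper around a fixed scratch buffer so results can be
 * inspected without the caller managing storage. */
static char scratch[NAME_MAX];

int parse_name_scratch(const uint8_t *pkt, size_t pkt_len) {
    return parse_name(pkt, pkt_len, scratch, sizeof scratch);
}

const char *scratch_name(void) { return scratch; }

/* Constructed sample packets. */
static const uint8_t GOOD_PKT[]     = {5, 'h', 'e', 'l', 'l', 'o'};
/* Declares exactly NAME_MAX bytes and supplies them: the naive check accepts
 * it, but copying 16 bytes plus a NUL into a 16-byte buffer overflows by one. */
static const uint8_t BOUNDARY_PKT[] = {16, 'a','a','a','a','a','a','a','a',
                                           'a','a','a','a','a','a','a','a'};
/* Declares 10 bytes but only carries 2: the naive check accepts it and a
 * memcpy would read past the end of the packet. */
static const uint8_t LYING_PKT[]    = {10, 'a', 'b'};

int main(void) {
    int n = parse_name_scratch(GOOD_PKT, sizeof GOOD_PKT);
    printf("good packet: %d bytes, name=\"%s\"\n", n, scratch_name());
    printf("boundary packet: naive=%d robust=%d\n",
           name_len_ok_naive(BOUNDARY_PKT, sizeof BOUNDARY_PKT, NAME_MAX),
           name_len_ok_robust(BOUNDARY_PKT, sizeof BOUNDARY_PKT, NAME_MAX));
    printf("lying packet: naive=%d robust=%d\n",
           name_len_ok_naive(LYING_PKT, sizeof LYING_PKT, NAME_MAX),
           name_len_ok_robust(LYING_PKT, sizeof LYING_PKT, NAME_MAX));
    return 0;
}
```

The point is that a length field in a packet is attacker-controlled input, so a correct check has two halves: the declared length is bounded by the destination (leaving room for the terminator) and by the data that actually arrived. The naive check passes both malformed packets; the robust one rejects them before any copy happens.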
I remember when NT 4.0 came out (they were fairly low key with NT 3.x) and Microsoft claiming it was far more secure than UNIX and you wouldn't have buffer overflows because the source was closed and people couldn't find them even if they existed.
I also remember many years ago them claiming NT was more secure and showing the number of submissions of security holes posted to Bugtraq (before NTbugtraq) there were for UNIX vs NT (back when nothing serious ran on NT and no one really cared less about it to look for holes).
Now they want their code running in everything, including acting as firewall devices. I find this so fucking funny I could just split a gut. You're going to protect machines running code "x" by installing a device running much of the same code "x" to protect those machines from the world?
I just find it a bit frightening. The entire world running on code from one manufacturer that is not open to public review. I'm even more surprised that foreign governments are so trusting of it.
You know what's scary? We just bought an EMC disk array and had to give it an IP address for management. Did a port scan on it. WTF? It's listening on netbios ports. Use smbclient to take a gander at it and lo and behold....
Domain=[AZBYCXDWEVFU] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
Workgroup Master
AZBYCXDWEVFU CLARIION_SPB
I call EMC and they say "Oh, the new clariions run a stripped down NT kernel in their service processors." :-( Joy... my SAN is now trusted to that super sekure Microsoft code. At least I can block it from the world through my router which, for now, is running non-Microsoft code...
Can you imagine the harm one could do with a hole in THAT? The financial world survived WTC through redundancy and real-time mirrors of data kept in far flung locations. There are disaster recovery data centers where entire warehouses are filled with machines just waiting to kick in during a crisis. So now you have your storage area networks themselves controlled by Microsoft code. Just exploit the hole-of-the-week to get your code inside a corporate or government firewall, seek out these storage networks running NT kernel code, trash them, take out the primary and backup locations. Chaos.
You're saying that the same people who "need" the auto-updater because they're clue-deficient will know to do this? These people are sitting ducks.
Even the FBI is crying "buffer overflow," following in Microsoft's footsteps to divert attention for a designed-in security flaw.
It makes sense, from the perspective of a defensive Microsoft. "Buffer overflow? Who hasn't slipped up once or twice and had a buffer overflow bug? We have our code scanners rooting out the last one or two of these bugs, they'll all be gone soon and we'll all be safe."
The bigger gaffe is that they designed the OS to say "hack me" (or words to that effect) whenever some other device--any other device--asks to fondle, as it were, the OS's drivers. That this is a huge security exposure is obvious to anyone who is old enough to remember the early days of hacking. Some hotshot designers at Microsoft, (probably with degrees in marketing, not computing) designed this "hack me" feature into the OS intentionally.
Now they have the attention of the NIPC/FBI. Even FBI agents (who, over the last 10 years, gave new meaning to the term "anti-intelligence") know that on Christmas day, millions of un-patched XP OS's are going on line, in the same 24-hour period. The hackers will be waiting to stick their electronic -er-fingers in those exposed UPNP ports and leave behind a little deposit.
Maybe, maybe not, the FBI realizes that some of those systems will have time-delay bugs planted in the pre-patched OS's. Then, downloading the patch will produce the false security that keeps the spirit of the XP season alive throughout the coming year.
The silver lining? Corporate PHB's, the holy grail of Microsoft marketing, will lose confidence in any of Mr. Bill's claims of reliability and security, once and for all. XP was supposed to be the one-size-fits-all OS, from palmtops to corporate web front-ends to data warehouses. (not that it was the first attempt at this unification by Microsoft, or even their competitors.) Even the golf-buddy execs are going to remember the day when the FBI started pushing patches to the monopolist's holey flagship.
Did anybody notice, last year, when Bill Gates started to cut the cord to Microsoft? He did see the big fall coming, you know. Not as stupid as we make him out to be, eh?
How about the biggest reasons:
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
``This is the first network-based, remote compromise that I'm aware of for Windows desktop systems,'' said Scott Culp, manager of Microsoft's security response center. ``Every Windows XP user needs to immediately take action.'' He called it a ``very serious vulnerability.''
``This is the most secure version of Windows we have ever released,'' said Culp, adding that complex software ``will always fall short of perfection.''
http://dailynews.yahoo.com/h/ap/20011220/tc/microsoft_hackers_7.html
You can't handle the truth.
IIRC, NT at some point was rated secure when not networked.
Under capitalism man exploits man. Under communism it's the other way around.
This is a really, really, really big one. It should be in the newspapers. Microsoft has claimed some time ago (free karma to the one who posts a link) that closed source, for-profit software and operating systems are more secure because the company can actually *hire* people to do security audits of the source code, whereas open source developers aren't motivated to do it because it's really boring, and there's no glory in it.
Now, we all know that OpenBSD has proved them wrong, by proving not only that open source developers *want* to do hardcore security audits of the source code, but that doing hardcore security audits on source code prevents security holes from being released into the wild. OpenBSD hasn't had a remotely exploitable security hole in the default install in FOUR YEARS! Windows XP has been in release for all of about two months, and already there's a major security exploit found.
This proves by Microsoft's OWN ADMISSION, either they do not hire people to do the hardcore security audits they say they can, or if they do, they can't do it as well as the volunteers who "obviously" don't do it at all because there's no monetary motivation to do so.
With lies like this, Microsoft couldn't get into a Better Business Bureau if they paid each of its members a billion dollars.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Yes, but how much does Microsoft ADVERTISE that they are innovative. How many times do you think the word innovate shows up on www.microsoft.com?
:)
Exactly. Microsoft does occasionally innovate. Having to click twice on a menu entry in the menu bar to get all the options is an innovation! It's a lousy one, but still...
The real problem with MS is, as you said, their Real Innovations:Advertised Innovations ratio. It's pretty low. It's not that they're not creative, they're just not as creative as they say they are. If a person acted like that, you'd call them "full of themselves". You probably wouldn't like them very much either.
My understanding is that NTFS' journaling was rudimentary at best. It hasn't been until its recent incarnation (introduced with Win2k) that it's managed anything close to a true journaling file system.