Slashdot Mirror
Microsoft News Update
Microsoft news of the past few days: Media Player 9 is the subject of a few articles, including one on its integrated digital restrictions and one on changes in its privacy options. Microsoft is releasing certain API's, and is releasing a service pack for Windows XP, under the requirements of its antitrust settlement with the Federal Gov't. On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net, and there's been more publicity of the vulnerabilities in Microsoft IIS/SSL.
I mean come on... We've been nuking win95 machines since '96... It's time to find a new protocol!
I apparently forgot that sig != uptime...
I still think Microsoft's actions are shifty. Ok, let's release some code, but not a lot of it or enough to be completely useful. We'll bring a few *nix users over, a few Mac zealouts back, and more customers for us because they no longer think of us as the "bad guy" because we showed we can be open source. BS. It's a half-assed solution to a ass-backward situation. If they can't do it right, should they even be doing it at all?
Here's a box running IIS that appears to be having some security issues.
Agreed that I am on a 600 Mhz P3 with 128 MB RAM but still. OK, rant over.
On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net
Well, one good way to help the propagation along would be to post a link to it on slashdot so thousands of script kiddies can get ahold of it... oh wait..
I still think my win95 pc would be better off getting knocked off my desk than if I "upgraded" it.
Apparently, you can also crash a Windows box by pouring beer into the fan outlet of the power supply. Code to be posted soon.
Roving Web-Teleoperated Robot
According to this article anyone using cracked WPA activation or certain serial numbers will not be allowed to use windows update or install SP1. This will apparently not affect the OEM copies that have been floating around for month before the windows XP release date.
But to link directly to the crash-windows-in-one-easy-step binary? That's just plain irresponsible.
"SlashDot: The Cracker's friend!"
Businesses will be switching to Linux in droves after this.
HMM... as if script kiddies don't have it easy enough, lets put a link to a 'crash' script on the front page of slashdot... Do the editors on slashdot ever think before they post links?
---
Programming is like sex... Make one mistake and support it the rest of your life.
1.)Microsoft OSes will suck That's always true. Think about it. We're running prettied-up versions of WIndows 3.1 on 2ghz 386s. Well, not _me_. I have my Octane2 on my desk. 2.)Microsoft OSes will have bugs And easy to exploit bugs, too. I could get into a very long and stupid flamewar about this, but I will not. 3.)The Death and Taxes thing 4.)Big band music is evil 5.)There is no fact of life #5.
SMBdie.zip
Ima' gonn go huntin' winders machines now. BOOM!! BOOM!!
Actually, this looks like fun to do to coworkers.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
By that logic, is this part of Microsoft's plan? Since Linux is seen as good by the general public for, amongst other reasons, giving away the source code, is Microsoft trying to make the (erroneous) impression that they're giving away source code as well?
All you have to do is winess the general confusion when a game maker releases some source code ("The RtCW Source Code has been released! This means the game is free!") to see that the general public still doesn't "get" this idea.
Schnapple
1995: "We are the Microsoft, resistance is futile, you will be assilimated"
2002: "We are the Microsoft, resistance is futile, you will be assilimated"
Already more than 350 million player applications use Microsoft Windows Media CODEC (coder-decoder) and the plan is to extend it off the desktop into the home-theatre lounge room, DVD players, cinema and for professional film and television production, replacing industry standards Avid and Apple QuickTime.
Soon I will have to option to buy M$ home theater equipment. Does that mean that it will crash every day so I won't be able to watch/ listen to the media? Does that also mean that I will have to deal with the rights management? Will it also automatically download updates that I will not be informed of?
One article says Media Player 9 will allow the user to select how much information is set to content providers. But the other goes into detail about the new DRM featurs of MP9. One of the biggest is a 3rd party clearing house for certificate athentication and authorization.
So you get a DRM enabled media file. When you play it, Media Player has to contact this server to find out if you are allowed to play it. They can track every time you play this file.
Maybe you'll have a feature that protects your privacy, but if you don't let the player contact the clearing house, you can't play the files.
Also, I'm sure everyone saw it coming. The reason Microsoft changed their EULA is because of this new DRM crack down. They want any program that can open a DRMed file to have to be authenticated, and they want to be able to disable any program that will attempt to get around these restrictions, and they don't want to get in trouble for messing up software you have installed.
Good thing I use a free and open OS. But if this type of thing continues, all media produced will be encrypted and you'll have to contact the DRM server to view it. So it won't matter. Just wait until router manufacturers are convinced to not all their producted to transmit any packets that haven't been DRMified properly.
I love it when MS stories are posted. It's so easy to rack up karma!
MS SUCKS! WOOHOO!! Free mod-points to all!
*wonders if his social satire will be dismissed as sophmoric*
"Derp de derp."
Bah. SHOW US THE SOURCE (that and I cant really be bothered to boot into Doze to test it. Not like most people dont have NetBIOS firewalled off anyway)
From the article:
In the Microsoft world, makers of software that play media streams ("media players") will have to get a licence from Microsoft before they will be allowed to process content encoded in the Windows Media format.
Microsoft's Media Player v9.0 adds an extra level of protection, calling an outside licensing server run by a copyright clearing house, which then issues an encrypted licence key before playback begins.
Ok, so if I'm off the Internet, and Microsoft's Media Player can't verify a thing, is it going to (a) break or (b) work anyway?
I'd bet on (b) myself. I think though, for most people, the take home lesson will be to stop using Microsoft supplied or derived media tools entirely.
Well, im not sure about everyone else.. But I know us developers at the WINE project have found the new APIs (documented here) to be anything but useful..
Well, the register does say "what Microsoft has got in there is a grotesque, badly-documented pile of poo it doesn't fully understand itself." (in regards to the fact that the few new APIs microsoft released doco's on are other useless or all together wrong!.)
David.
stuff
How long before somebody inserts it into Samba code, and repackages it and puts it out there? Like what happened with OpenBSD/OpenSSH. All the windows boxes of anybody using the bogus Samba would be crashing left and right, but would anybody notice anything unusual?
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
I like the idea of Slashdot serving up all of the Microsoft news in one, easy-to-download package like this.
IN TEH FUCHAR, LITERSY WLIL EB OPSHANAL!!!!!111
I fail to see how slagging of Microsoft is supposed to be "journalism". I want news, stuff I don't know yet and I care about. If I wanted to hear a guy rant about how bad Microsoft is, I'd record myself after my computer suffered yet another crash and plays that back.
Besides, it's funny how this doesn't mention anything like, the OpenSSL trojan/crack, or the fact Konquerer was affected by the same SSL bug as IE some times ago and why not mention the recent Apache bugs as well? Then again, who am I to expect anything but biased journalism from you people...
Hate me!
This is just an example. Solaris has a libftp.so in /usr/lib. ftp uses libftp. You want to make your own ftp program but you don't know the functions in libftp.so. Do we all chide solaris for not releasing this information? No, because why should Solaris have to give you this information? Its not too hard to create your own libftp that does what you want it to do, instead of being locked in by another developer's work. I hate all of this 'the APIs are undocumented' crap that is spewed everywhere. I don't think anyone was complaining about not being able to use the functions in mso.dll when Office 95 first came out.
-dk
Link to the code but don't tell us non-coders how to defend against it. "NetBIOS enabled" can mean many different things, after all. NetBIOS enabled on the target interface or on any interface? Anybody with NetBIOS running on their internet interface is a fool to begin with and probably deserves to be crashed...
Of course, even that could be solved easily enough with a router and/or port blocking.
This just proves how biased Slashdot really is against Microsoft.
"Yeah, Microsoft is being upfront about their privacy policies, and is publishing the API specs... but, we don't like to talk about the good things that Microsoft does. So here's a link to a tool to crash Windows machines. Enjoy!"
Blah.
It's kind of like acid rain and starving children in Africa. I mean who gives a fuck anymore?
I have a program to crash windows: Notepad.exe. I can also crash a windows box using Excel.exe, Word.exe, Outlook.exe, HelloWorld.exe...
You know, the funny part is I am actually willing to pay a reasonable amount to get the OS, and even a reasonable amount to use additional copies. But that into about discounts on the price is crap...
Sell me the first license for whatever cost(although the current price is way to high, $49.99 for Professional/Home is much more reasonable) and charge a nominal fee for additonal licenses, like say $9.99....Honestly they would probably have less of a pirating problem if they would charge resonable fees....
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
I thought Windows already came with a code to crash it. That being Windows itself.
Ah am not a crook! (\(-__-)/)
- A new feature will enable computer manufacturers to selectively hide and display Microsoft's integrated programs displayed on the start menu of the operating system, including Microsoft's Internet Explorer Web browser, Windows Media Player and Windows Messenger programs.
Isn't this tantamount to purjury? Their claim that it would criple the system and that it couldn't be removed was obviously false, if all that was necessary to satisfy the courts was to remove the icon from the desktop. Sure, MS is allowed to spin things a bit in the media, but in the courtroom, nearly explicit lies are illegal, no?During the federal antitrust trial, Microsoft argued that such a change would cripple the Windows program.
The change will make it possible for hardware vendors to customize their systems by striking business deals to include alternative programs from companies like America Online and RealNetworks.
It will also permit computer users to reselect the hidden Microsoft programs if they choose.
However he has now topped himself by linking to a script kiddie tool to what may be an unpatched bug on a website that gets hundreds of thousands of hits a day. What the fuck? Do you see MSNBC or C|Net linking to r00tkits whenever a Linux vulnerability is released?
Roblimo as Editor-in-Chief, you are responsible for his work and quite frankly he is the worst part of the Slashdot experience (now that I've upped my threshold to 4).
Are we talking about MS02-045 ? If you really MUST supply a link to the attack tool you should AT LEAST supply a link to the fix as well!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
it failed to stop any of our machines...waste of time
From the article:
"Welcome to Windows Media Player 9 Series," the opening screen of the Privacy Options panel reads. "Microsoft is committed to protecting your personal privacy. To enhance your experience with features including album art and pay-per-view-services, data must be sent and received over the Internet and/or saved on your PC. The options below enable you to customize these privacy settings."
OK, so right from the get-go users are presented with the issue of sending information from their computer. Certainly this is an enhancement feature, if done correctly and the user really has control over what is going on. In the long run, the real power and benefit of computers and networks comes with sharing information, and as people become more comfortable with it, software that includes network features will be more powerful and more popular. For example, see the popularity of the CDDB in CD players.
However, how do you really know what sort of information your software is sending over the network? As we start to take advantage of network features, it will become impossible to rely on personal firewalls to curb outbound traffic - you want your CD player to send some ID to the CDDB so it can retrief the correct tracklisting for the CD you're playing, so you have to tell your personal firewall to allow your CD player to connect to the net. After that point, you are trusting the CD player to behave properly and not betray you.
The article acknowledges this:
"As more applications become Web-aware in order to provide services and information back to the user, consumers need to be aware of the quid pro quo that's taking place and exactly what information is being provided to the vendors," Gartenberg said. "What Microsoft appears to have done here looks like a step in the right direction, if it makes it into the final product."
So the issue boils down to trust. Do you trust Microsoft? I'm sorry, but I do not. No matter what they put in their GUI as far as options go, you can never quite be sure about what their software is sending back to them.
With open source, at the very least you're allowed to look at the code and see what your software is really doing...
Has anyone reading this **ever** seen any MS source code for their OS's?
There's one guy here (hello Dave) that counters my open-source arguments with, "Oh but you can now get the source-code to WinCE", but that doesn't hold water for me.
Get your own free personal location tracker
http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/MS02-045.asp
But I assume it's 'better' to let people suffer instead of helping them out, is it? You dont have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well, to let the reader decide if he/she wants to be vulnerable or not.
(good system administrators have already disabled TCP/IP over Netbios (disable Tcp/IP over NetBios helper service) of course and stopped the server service as well, on online systems, among other netbios related crap which is not needed on the internet (NetBios package: "whohoo a router, what's that!")
Never underestimate the relief of true separation of Religion and State.
All software is inherently flawed, I have yet to see ANY software put out by ANYONE that is bug free. Just because 90% of the computers in the world run a certain piece of software thus giving any bug more exposure that doesn't make microsoft products any worse than any other product out there.
Maybe I'm wrong about this, but I'd like to see proof if there's any *nix distrobution that is 100% bug free or has absolutely no security vulnerabilities.
Honestly, if windows is so bad, so full of bugs, why does it keep selling? Lack of alternative? I think not, according to the slashdot community, linux is a more than viable alternative. People are stupid? Well I can see a point there but if you get down to it, it hasn't been as horrible as the slashdot community makes it out to be since it keeps selling.
My main problem with microsoft is that they keep selling updates as new operating systems (Windows ME as my case in point).
I'm just tired of seeing a bunch of posts on slashdot everytime microsoft relesases a bugfix about how horrible microsoft is.
According to the Microsoft whitepaper found here, there are 11 components of XP that automatically download material from the Internet. If you've ever clicked the "always trust Microsoft" box (something unlikely here, I realize, but many have), then things like Media Player will download and install new media codecs without any notice, for example. Another thing that we're all concerned with relate to DRM: a built in feature of XP will silently download and install "revocation lists", which list programs that are not allowed to play DRM-encoded content.
I would imagine this "disclosing source code" thing could be a confusion partially started by Microsoft. Just like their "Freedom of Choice" campaign (where you get to "choose" Microsoft), they misrepresent things that they are actually doing in order to get more attention and make them sound like they are doing something "good."
I think that this situation is parallel to the free software / open source naming and definition quirks. When people see this they automatically think it must be free -- free as in free beer. This is just one of many things that the general public needs to be informed about, and not by acting like we, as techies, know everything but by being informative and helpful.
A computer is a valuable tool, so use it and stop whining.
Not only does the SMBdie app not work at all for win9x boxes, but of the 4 win 2000, two win XP, and 1 win.NET boxes I tested it on, it failed with a "f#@$, this box is not vulnerable" error. I'm glad to see my machines aren't (easily) crashable, but this also casts doubt as to the credulity of the claims that that this truly is an exploit, or that Microsoft is indeed at fault at all.
Have we come to the point where we're making up Windows exploits to make MS look bad? A kind of back-at-ya FUD? I would have thought that there were enough genuine exploits to go around.
--
Was there a judgement in the case that the whole world is ignoring?
Get it straight. It is a Proposed Settlement. It has not been approved by the judge. There are no requirements.
Looks like Microsoft is suceeding in spinning the antitrust case the way it wants....
Its funny, laugh!
Pixels keep you awake!
From Russ at BugTraq:
Before too many more messages;
1. SMBDie = RedButton = Wow, incredibly talented programmer. This sure was a tool we needed.
2. If RestrictAnonymous is set, non-authenticated users can't use it, any authenticated user can.
3. If you're in an environment where any old computer connected to your network can use TCP139/TCP445, set up a sniffer (Network Monitor works) and watch for the source of the traffic. Then beat that person over the head with their PC. Do that either before or after you patch your systems with MS02-045. If more testing of the patch is required, beat them a little every day until your testing is complete.
4. If you're in an environment where you have TCP139/TCP445 open to the Internet, you don't need NTBugtraq, you need Dr. Phil. Buy a $50 Linksys router and put it in front of your machine and use it to block all but those few you really want open (which doesn't include those two).
5. Randy Hinders suggests that disabling NetBIOS over TCPIP works, I'm not yet 100% convinced. Either way, it should be easier to apply the patch than disabling NetBIOS over TCPIP.
The MS Security Bulletin honestly did do a great job of explaining all of this, more people should read it more carefully.
Cheers,
Russ - NTBugtraq Editor
Was I asleep or somthing when did the Microsoft case get settled?
I thought they were doing it out of the good or there harts.
thank God the internet isn't a human right.
this was posted on bugtraq a day or two ago
IT IS RELEVANT!! MOD PARENT UP
You realize that having this post moderated +4 with a bold :link directly to the crash-windows-in-one-easy-step binary actually augment the visibility of the said irresponsible comment ?
;-)
I would not have check the link otherwise.
all you ever do with respect to MS is sneer at them and post negative shit. cunts.
It doesn't show on my Opera 6.05 browser,that may give you another clue what MS is...
PS: Yea, it supports every standard, save it with IE, open with Opera, it shows.
Downside: On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net
Upside of Downside: My cablemodem provider blocks some commonly abused ports (including NetBIOS).
Downside of Upside of Downside: I don't like my broadband provider to block ports that they feel are "commonly abused". I have a good firewall in place, and I think that every other user (broadband or not) on the internet should have one too.
But hey, that's just my $0.02US
The potential further exists for oppressive governments to use the revocation feature to censor what we see and hear. In this Orwellian scenario it would be possible to erase from the collective consciousness striking images of the lone student facing down a tank in Tiananmen Square ...
.NET servers.
.NET servers like hotcakes? Maybe in communist China. With enough bad press I think a lot of companies will think twice about buying server software from microsoft. Oh right... we don't have much choice.
But instead of censoring, he says, Microsoft's aim is more mundane - simply to use the free player to sell more
I suppose that being able to censor anything on people's computers will sell
So what do new Windows versions have to offer me? More restrictions, more limitations, more tracking of my viewing/usage habits, a direct interface with the "copyright clearing house" to check every time I go to play an MP3 if I actually have 'rights' to play it.
I stopped "upgrading" at windows 2000. I suggest you do too.
mike
The dissenting states wanted IE completely removed from the computer. Which would have taken MSHTML.DLL with it, which would have broken countless other programs that use MSHTML.DLL to do HTML rendering.
But this is the only way that Microsoft will ever fix the bug. You know how unresponsive they are when a security vulerability is discovered in something like NetBIOS. The only thing that they patch quickly is remote roots in IIS.
I've known that this is possible for some time - I once had a machine with bad RAM (altough I didn't know it at the time) While copying files between it and some other system, the other system (with good ram) suddenly blue-screened. Granted, it was windows 95, but I spent some time trying to figure out what sequence of SMB datagrams would kill a win9x box. Now I have a tool that will give me the information I had been looking for all those years ago.
why not supply the link to the patch as well
That's what comments and moderation are for - in case the author misses something glaring, like a link to a bug's patch, the general public has a voice to let everyone know.
So stop bitching, ass.
--
And MS plans (apparently) to "bomb" any cracked installations of XP. (I gather some sort of cracked DLL or file monkeyed with the WPA and allowed for pseudo-activation.)
MS is still not clear about this. But I'm curious if MS finally got the hint and is now planning to keep a database of all "authentic" Windows XP keys. If this is the case, then I assume the various keygens won't work. (Or they'll work, but when it comes time to activate, you'll find that you don't actually have an "authentic" key.)
Slightly OT, but I thought I'd share my own XP activation experience. It happened last night and it bascially stumped Microsoft.
The short story goes something like this: I'm an MSDN subscriber. My MSDN subscription entitles me to Windows XP keys that will activate up to 10 pcs. So far so good.
Anyway, I go to the MSDN site, log in with my usual username and password. Generate my keys. Get my "10 activation" key for Office XP, Pro XP, Home XP.
Now, according to the license, these generated keys will activate 10 pcs for each application. (In other words, I can put WinXP Pro on my workstation at work and my workstation at home. This counts as two "activations" on two different PCs and is completely within the terms of the license. Each computer, of course, has to be for "development" purposes -- which, oddly enough, they are. My computer at home is actually a computer I use when I telecommute. And I develop on it. So, again, I'm completely within the terms of license agreement.)
Okay, so that's the background. Here's the good part: I install WinXP Pro on my home "work" workstation using the MSDN supplied key. (The copy of WinXP Pro I'm installing, BTW, is the ISO I downloaded from the MSDN site. The copy of Windows XP I'm legally entitled to according to the terms of my MSDN unverisal subscription.)
The MSDN issued key passes the first XP keycheck -- the check that appears before it actually installs. No complaints, install goes smoothly. I boot to the desktop. All's fine. Looks like it installed perfectly.
Except Windows tells me my key is no good.
But wait! It *took* the key when it asked for it, right? Yes. It took it.
I re-enter the key. (And, yes, I'm using the MSDN supplied key on the MSDN ISO -- not the volume license CD, the actual ISO downloaded from the MSDN site.)
Still says my key is no good. It then generates an installation ID -- an obscenely long number -- and tells me that I have to call the 1-888 toll-free activation center.
I call. I give my installation ID. Wait, I'm told, that's not the right installation ID. Generate another one.
I generate another installation ID. (There's a button that can do this when you install XP.)
I read it back. It's still not a valid installation ID.
The activation center guy said he never saw this happen before. Am I reading the correct ID? Did I transpose any digits?
Nope. It's all correct. Read it from right to left, he tells me. I do. Read it from left to right, he tells me. I do.
Wow, he says. I've never seen this before. You have a valid key, he tells me, but Windows is generating an *incorrect* installation ID.
I say, well, I don't care what's going on, I want this thing activated.
Pause. Sir? Can you read me the ID again?
I do. This is the sixth or seventh time I read the ID. Nope, he tells me. Still no good. He puts me on hold. I stay on hold. Sir, he tells me. I'm sorry. Sorry? We can't do anything. You what?
We've never seen this before.
You're kidding.
If you have a correct key, you should get a correct installation ID.
Yes, I say.
Can you read me your key?
I read it. Read it again. And again.
Sir?
Yes?
The key is correct.
I know the key is correct.
Can I put you on hold again?
So I sit and wait. And wait. All told, I've been "activating" for 30 minutes by this time.
Guy comes back on the phone. Sir? We can't do anything.
You're kidding.
He apologizes. He tells me again that he's never seen this happen. You're sure you're using a legit copy?
I explain my MSDN subscription (active, BTW), my MSDN key, my MSDN ISO download.
I'm sorry, he tells me. Try MSDN.
I call MSDN.
Go through the same thing.
Wow, the MSDN tech support guy says. I've never seen this before.
What now?
Good question, he tells me.
He puts me on hold. Consults with a manager.
Sir? There's nothing we can do.
Give me another key.
I can't. I don't have authorization.
Give me someone who has authorization.
We can't generate another key until the morning.
You're kidding. I'm stuck?
I'm afraid so. I've never seen this before, he says.
By this time I'm furious. I want this motherfucker activated.
Finally, the guy puts me on hold.
Sir? I've got a brand new copy of Windows Pro Retail. In my hands. I'm going to read you the key. But you didn't get this from me.
You're giving me another key?
You didn't get this from me, he repeats.
He reads the key. I read it back. That's all I can do, sir, he tells me.
I appreciate it. (Trying to stay calm.) Thank you.
I'm only doing this because you've got a problem we can't fix. You have a valid key, but it's not generating a valid installation ID.
By this time, over an hour has passed. I'm still trying to activate.
He has me enter the new key. I enter it. Try to activate. Comes up with a message: "This key has no more activations."
I wig out. You're fucking shitting me, I tell me. You're fucking shitting me.
Okay, he says. He explains that we'll have to wait until tomorrow morning to get the key re-activated. He'll make sure it gets re-activated first thing. But that's all we can do, he says. I can't do any more tonight.
I tell him that this -- my situation -- is why people pirate software. It's quicker to get a keygen and generate a phony key than to go through this, waste my time and waste my money.
He's sympathetic. I understand, he says. But we'll get this fixed.
Then: Sir?
Yes?
You didn't get that key from me.
Flash forward: right now. It's the next morning. I'm at my desk. I'm reading Slashdot. I'm on hold with Microsoft tech support. I've called three different tech supoort numbers this morning.
They cannot get my copy of Windows XP Pro activated. They cannot re-activate the "mystery" key that my friend last night gave me.
This is the first time they've seen this problem.
Can we get some more specifics? they ask me.
New hard drive, new CDROM, new motherboard. Everything is new.
They're mystified.
I'm still on hold. I'm reading Slashdot while I'm on hold.
A moment ago: Sir? Can you read your key?
I read it.
Yep, they tell me. That's a valid key. Wow. I've never seen this before.
So use it for this purpose, then hide the icon in program files/funny games/crap/IE or something :)
People really should read http://technet.microsoft.com more often and the security homepage where 'best practises' how-to's are linked which will explain which little registry tweaks and services should be disabled/enabled to prevent attacks.
Never underestimate the relief of true separation of Religion and State.
people are stupid and and don't know even how to avoid buying it.
ms has a nasty habit of leaving bugs untouched and hoping they will fix themselfs, with *nix there is usually a patch available preeetty fast when the security hole becomes public(and in most cases with software with good design the bugs are isolated so that they don't compromise the entire system).
world was created 5 seconds before this post as it is.
Unfortunately, this exploit even works on boxes that have the "NULL session" registry patch. Time to go patch all the NT desktops in the office. *sigh*
What makes you think a Slashdot forum is supposed to constitute "journalism" in the first place?
Slashdot puts the drinks on the bar -- it's up to the users to decide what to do with them.
Also, unless I'm mistaken, all of the deficienies of recent Open Source software had been discussed ad nausium on Slashdot already. If you really pine for Open Source bad news, read the archives.
Did anyone else notice that in the Times article there is no mention of the fact that the agreement with the Justice Department has not been approved by the courts. I would think that the Times would have a knowledgeable writer on the issue, but they seem to have just parroted the MS press release. Since Microsoft thinks they have a finalized agreement, that must be true, right? Who cares what the states think, or for that matter what the judges think?
10 PRINT "Your computer caused a general protection fault press space to continue..."
20 IF INKEY$<>" " GO TO 20
30 CLS : GO TO 10
This code is under the GPL version foobar or later.
"Clicking the Start button will suffice in crashing M$ Windows."
Hey look! A graduate of the Bob Saget School of Comedy finally got some print work!
Good job buddy!
is /. becoming the MS channel or what?
Great, thats all I need at my job today, a bunch of users calling up wondering why they got hacked today.
Really thx...
Mod this up MS TROLL
Oh goodie, it runs under WINE.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The biggest problem with API's is that they are
dependent on secret code to work; therefore,
it just strengthens the Windows monopoly.
Open source == freedom; closed source API's are
bondage.
In the era of security conscious people, running someone else's .exe file is really stupid, even if you think it might be funny.
And this tool got front-paged on Slashdot. How stupid can you possibly get?
YOU FOOL! Everyone knows TeX is bug free :-)
Belief is the currency of delusion.
Here's a snippet from the Microsoft Windows Media Player EULA (added in June with the "Security" update):
"Digital Rights Management (Security). You agree that in order to protect the integrity of content and software protected by digital rights management ('Secure Content), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. These security related updates may disable your ability to copy and/or play Secure Content and use other software on your computer . If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update."
So, in pretty plain English, MS is basically saying we can control what applications you can run on your computer. Oh, and we'll post it in some obscure place on the web for ya. Fun.
The article that I got this from is here.
About posting a link to an exploit tool?
How many of you posting or modding this up also support the free exchange of ideas, including how to back up or media shift a DVD, or extract a portion for review?
You think there's a difference? Bullshit. Your argument is "raise the cost of entry to put off casual abusers". How is that different from the argument that (e.g.) librarians or teachers can gain access to knowledge to let them make copies or extracts from a DVD, if they know exactly who to ask and how to ask them?
That's the trouble with the free exchange of ideas. It's easy to pay lip service until you see something that you don't like being made freely available, at which point the prissy voice gets put on and cries of "Well, that's just irresponsible!" get made. One more step down that line, and you'll be exhorting us to think of the children.
One issue, one standard. The issue here is the free and frank and convenient exchange of knowledge, including knowledge that you don't want people to have. Pick a position.
If you were blocking sigs, you wouldn't have to read this.
Just tested against a locked down Win2k Pro system and no go. Also tried a Win98 box and didn't work there either.
Do really dense people warp space more than others?
Any ideas on how this works on samba, is it merely an OS/netbios communication issue or is it something in the protocol that could take out SMB service on a *nix box?
Don't call my crazy, that's what they called me back in the home!
The "code to crash any Windows machine with NETBIOS enabled" doesn't work. It finishes with a deeply disappointed "f**ck, this computer is not vulnerable?!"
;-)
I tested it with all Windows machines available here (2000,XP). Please post some info when Service Pack for this tool is released
Microsoft security, meet hacker's quality code?
Extraordinary Vacations. Exceptional Prices
No OS is 100% bug free and has no security vulnerabilites, but I think the main issue is response time and admission.
Most *nix vendors get patches out to any security holes pretty damn fast (usually within 72 hours) even when its not something huge. I think most people are frustrated that Microsoft cannot work in this timeframe and/or tries to downplay the seriousness of their holes. If they had the same paranoia (for lack of a better word) that *nix vendors have about their holes, then the results would be more favorable.
Windows keeps selling because yes, there is a lack of an alternative in most people's minds. Linux is approaching this status, but at the current time it can't support everything that Windows does (mainly because lack of market share does not entice companies to develop for *nix). MacOS is starting to gain a foothold also, but again, it is something NEW. You would be surprised how many people are resistent to change.
And flipping to a new OS for a large company is a monumental undertaking, so it doesn't happen often.
That's all I want to know. MP7/8 worked fine on my Win2KPro PC at work, but fritzed up my CD burner software completely; it wasn't until our hardware administrator told me there was a known incompatability that I took it off and had a working burner again.
Of course, my CD burner software came with the PC, and it's at least one and a half releases out-of-date. But it sounded like our hardware admin knew this to be a consistent problem with MP7/8. I'm still using MP6, along with Media Jukebox when I absolutely have to.
For the last week, every day when I first boot my Win2k rig, IE is launched with an ad for FirstLook.com. I have no idea where this came from; the only stuff I've installed recently on this box were the "required" patches from MS, for IE, Media Player etc. There is a thread here on the topic: http://www.computing.net/networking/wwwboard/forum /8981.html
It'a appearently pretty deeply rooted. If this is being distributed inside "patches" to Win2k, perhaps it represents a new low, even for MS.
By strange coincidence I'm about a week into running my first Linux system .
Besides, anyone smart has NETBIOS blocked at the firewall already, right?
NetBIOS is a Layer 2 protocol. It would be highly unusual for any router, much less a firewall, to propagate Layer 2 traffic.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
"Broken Moderation" is a redundancy around here.
Microsoft has ported DivX (not the codec) to the PC with Windows Media Player 9. Now get out there and explain the analogy to your non-technical friends and colleagues.
CEE5210S The signal SIGHUP was received.
I don't think that anyone will disagree with you that software is buggy. Yes, its true that you can't determine "how" buggy software is based on percentages, etc (likewise statistics can be twisted in many ways to show the untruth), however based on user experience I'm sure a large amount of people making these complaints are making them for a reason.
For example, here is why I stopped using Windows: in August of 1995 I started taking CS classes. I had just gotten a new system and bought Windows 95. After successfully crashing my system over and over again, I went to the bookstore and bought a copy of a book that contained Slackware. I installed it, went back to my programming and was able to write code without crashing my system. Yes I was an unskilled programmer then and I wrote buggy programs, but the difference is that with one of them, the program just had to die (linux) with the other one, I had to wait for the OS to restart (windows).
Since then I've gained a lot of experience, and the one thing that I keep re-enforcing to myself everytime I even think of going that way is that windows is a waste of money and a waste of time. If you do read through their programmers documentation they do not point out problems in their APIs that they do not intend to fix (for example there are some bugs in the Keyboard driver that have been around since DOS that windows will not fix because they don't want to make something not backwards compatible -- my friend who found that out had to pay $50 even though they are a member of MSDN and even though the bug has been around for years). I don't even have the time to get started on the bugs that persist through VB that M$ has no intention of fixing. They will only fix bugs that bring bad press to the company in national media.
Programmers dislike windows because windows is bug ridden with no chance of being fixed. In other words its hell to program for windows. Its and unenjoyable experience. From a programmers perspective, its not worth betting the company on.
If you really can't figure out why windows sells...its because of marketing. Business people tend to look at what "looks pretty in marketing" not meaning what really looks pretty, but who has the best marketing. Most people know that M$ is the kind of marketing and that is why they are successful. Programmers are not typically given the chance to decide what products will make their company tick -- that's typically left up to the "business analysts" -- people who know nothing about how difficult it will be to actually work around all the bugs that you uncover in a peticular system.
Come watch my system BSOD all day and you'll understand why programmers hate windows. The go hang out with my boss who sends me screen shots of windows explorer instead of just sending me a path name to a file and you'll understand why people are still buying windows.
"Everybody knows the moon's made of cheese," Wallace.
Did you fuckers even test that file? I've got NetBIOS turned on with no firewall and one of my friends tried to crash me, but it just says the following: ... (port 139) ...
Connecting to remote computer
Connected.
Session established.
Protocol negotiated.
NULL session established.
Operating System : Windows XP
Connected to IPC$.
Sending exploit
Fuck, this computer is not vulnerable !!!
I have yet to see ANY software put out by ANYONE that is bug free.
I can write you a bug free "Hello, World" program if you like.
All software is inherently flawed, I have yet to see ANY software put out by ANYONE that is bug free. Just because 90% of the computers in the world run a certain piece of software thus giving any bug more exposure that doesn't make microsoft products any worse than any other product out there.
You make some good points: Most software is buggy... But MS *does* have a bad track-record in this arena, and it is not always because 90% of users run that particular software.
Case in point: Apache is more widely used than IIS, yet you rarely hear of problems with Apache... IIS, on the other hand....
my religion lies somewhere between buddhism and super monkey ball - pamphlet?
Windows sells better _because_ it is riddled with bugs, mis-features and quirks. This is one of the reasons I can't behave like a "proper" OSS advocate and recommend an alternative desktop OS. (I won't mention the fact that MS still has the productivity software suite market by the gonads.) If Windows were to be a mature and stable product, clueless business users wouldn't continually impose MS-only "standards" on all their colleagues. The sad fact is that it is far easier to put up with the cruft than it is to instigate a change. It is not acceptable to loose time due to in inability to handle the files from a lunatic customer using whatever is the latest and greatest MS format or feature. "Everyone uses MS" - we are tied by the shackle of compatibility.
I was already patched days before this was posted here thanks to Windows' Critical Update Notification. I mean, if the sky is falling with all of these exploits like /. would like you to think, how come script kiddies don't take down Microsoft.com, Dell.com, or any other major IIS site?
P.S. Awesome Sig.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Explain.
I thought that this was a bit interesting. It's a shame that they didn't release the source code for it so that you could use it in a script to check for security vulnerabilities on end-user systems.
Shouldn't the title be "Microsoft .NEWS Update"?
Maybe I'm wrong about this, but I'd like to see proof if there's any *nix distrobution that is 100% bug free or has absolutely no security vulnerabilities.
Almost no piece of software, UNIX included, is bug free. However, in UNIX, I can isolate my web browser, for example, to run in an unprivileged user account, even with a faked root directory, to ensure the occasional HTML or JavaScript hack doesn't compromise any other part of my system. Granted, not many people do this, but at least there is the option of doing this, for those people who really care about security. Also, most companies behind UNIX implementations don't have creepy EULAs like those from Microsoft.
Honestly, if windows is so bad, so full of bugs, why does it keep selling? Lack of alternative?
Yes. You may find this suprising, but most people simply don't percieve that there is something other than Windows. Microsoft has so successfully driven competition out of the consumer PC market that most people don't even think "well, maybe I'll try a Mac". They simply default on the choice of Windows.
Also, look around at the meager selection of operating systems. Only the Mac OS truly is as "user friendly" as Windows. All other attempts at commercial user-friendly systems have been crushed by Microsoft. Now, only things like GNOME and KDE remain to add to the MS and Apple duo, but these efforts are still several years from maturity.
Healthcare article at Kuro5hin
here
This vulnerability, a stack overflow in the initial packet to TCP/1433 allows an attacker access to the target system as LOCAL/SYSTEM ("root").
MS has a bad PUBLIC record. Linux is just as bad, but it doesn't make every headline. Just yesterday we fixed a bug in the kernel that would cause it to panic just by unplugging and plugging in a printer to the parallel port a couple of times. And get this, it was a classic case of trusting untrusted data and causing a HUGE buffer overflow. How quality is that?
Not to mention the thousands of bugs that any Linux user that doesn't have his head buried in his ass would be able to admit to. Try actually developing for Linux and you'll find out what a tangle of error prone spaghetti code it really is.
I know that objectivity is an art of thought that died years ago, but maybe, little by little we could at least try to resurrect it.
Re: Windows Media 9, who runs the licensing/authentication servers to authenticate the player? Microsoft? Or does each provider have their own server? The article did not state this.
There's 10 types of people in this world, those who understand binary and those who don't.
No, actually that's what adult supervision is for. That "michael" needs some has been clearly apparent.
For SlashDot to make a credible leap from clipping service/sandbox to journalism, the editor-in-chief, or someone in an overview role who does not spend most of his time aggregating content, needs to be more involved in the day-to-day.
You have to read the legalese in the EULA to see what the end consumer is left with, the big flashy headlines are pretty meaningless when you have to sign those very rights away.
All software is inherently flawed, I have yet to see ANY software put out by ANYONE that is bug free.
/.ers, how could it still sell? Two words: Abusive monopoly. There's a lot in that one word that explains it (and I've spelled it out before), but they all fall under the umbrella of that. Let me put it another way: Even if MS products were much crappier than they are (irrespective of how crappy you believe they are), they would still sell and the current situation would only be marginally different today.
/. story about an MS bug (note that in this case, it isn't a bugfix, just a bug). Why? Because I already know. I mean, it's not like this is the bug that made me decide that MS products are crap. It's horribly redundant, and yeah it does make them look like screaming MS-bashers. But I'm also sick of the "No software is bug free!" defense, which sounds more lame with every passing bug[fix].
I actually like this response, because it is an interesting dichotomy. It is simultaneously clever and stupid. It is clever, because it is true, and being unable to argue against the truth of the statement it will often be accepted as a valid argument for why the particular bug or buggy software in question should not be judged harshly.
It is stupid, because it is not in any way a valid argument against judging such things harshly. Logically speaking, the statement simply says that for every piece of software, there exists a bug. It is not a statement at all about the quantity or severity of those bugs, and thus cannot be used to erase differences between software.
Though in the end the statement is more stupid than clever, because in what other areas would the same statement be accepted as valid, even by those who aren't experts in the field?
"Your engine has horrible efficiency!"
"Hey, no engine can be 100% efficient."
"Your tires keep self-destructing!"
"Hey, no tire is completely immune to failure."
"Your condoms are too thin and tear all the time!"
"Hey, no birth control is completely effective."
"You murdered 374 people with a salad shooter!"
"Hey, no human is completely without sin."
Yeah, I can't see that working, either.
Now, the exposure argument isn't completely bald-facedly invalid. The effect of that is really hard to say, however, since usage isn't the relevant statistic, but people trying to find bugs is. It would be premature to assume that the latter scales linearly with the former. The degree of technical people attracted to the other platforms, the degree of such using other platforms in more important situations than home desktop use, etc. all contribute to blind the equation. Also, Microsoft attempts to decrease the exposure of the bugs found by others (and who can say how many bugs they find internally that are not exposed at all?).
My point is that "There are so many bugs found in MS products only because it is more exposed" does not hold.
As to why it still sells... Well, that's not exactly the question. The question is if it is as buggy as supposed by
But you know what? I'm sick of the "MS sucks" posts in every
Though really, my main complaint with MS isn't their bugginess at this point, it's how they deal with the bugs, trying to spin them to save face rather than presenting honest information. It's irresponsible. "No, SSL can never be hacked! Ignore the hacker doing it RIGHT NOW!" *sigh*
The enemies of Democracy are
I have a twitch in my fingers urging me to point out the MPlayer available for most unicies can play more or less any video-format when configured correctly. Obviously this isn't going to make you switch to GNU/Linux, but I'm telling you it's worth checking out when you regain your computer freedom.
Agreed that I am on a 450 Mhz P3 with 128 RAM but still, there are no problems in resources.
START DEVILSADVOCATE
At home I use windows XP pro and to date I've had only had one crash that caused me to have to reboot the machine
At work (I'm also a developer) we use windows 2000 pro, and reboots due to bad code (on my end) have been few and far between.
END DEVILSADVOCATE
Yes, there are bugs out there that haven't been fixed, but on the whole I think the latest releases of windows (2000, XP Pro) are very stable. Granted the older releases (9X, ME) are complete Sheit and I cringe every time I get a 'bug' reported in our software and it turns out to be they're running 9X/ME. In those cases I usually want to personally go and shoot bill gates in the head.
Agreed, you have some very good points, and I do agree microsoft could be more timely with their bug fixes/fix the longstanding existing bugs, but overall I think they're finally doing a good job with their windows products (2000/XP pro). I think most of the slashdot community who haven't tried XP Pro and have given up on windows in the past might change their minds just a little if they only tried it.
Of course, maybe I misunderstood the hack, and it really does apply to NetBT. That would be really bad, coming this late in the game. [There were NetBT DOS's of NT 4.0 many years ago.]
Motherfucker:
If Slashdot did something similar to this for one of their little pet hobby OSes like Red Hat or Debian, people like you would be spraying piss all over their desk in fury.
NetBIOS (I admit that the name has meant a few different things as it evolved) is not the same as NetBEUI. NetBEUI is a layer 2 protocol, and is not propogated by most routers. (unless the "router" is really an ethernet bridge in disguise)
NetBIOS is a programming interface implemented as a bunch of packet types which can be sent out either over NetBEUI or over IP. (sitting mostly on top of TCP, though I think some packets are sent out with UDP). IP is extremely routable.
Who the hell leaves NetBIOS enabled? Only people with an IQ 40, as far as I know.
The CSRSS Backspace Bug is a bug in the Win32 subsystem server process (csrss.exe) in Windows NT. It is particularly notable for several reasons:
- It crashes the entire operating system.
- One does not have to have administrator privileges in order to trigger it.
- One does not even need to execute programs in order to trigger it.
If you don't believe me, then check it out for yourself. BTW, M$ has fixed this in Win2k SP3 and WinXP SP1 but since WinNT4 will have no more Service Packs, this is a permanent bug in WinNT4.Corporate Gadfly
Jonathan Archer: the most beaten up Enterprise captain in Star Trek history
"It enables finely tuned licensing terms and conditions, such as limited 24-hour play, a set number of plays over a given time, or an outright purchase licence that lets the viewer watch the video or listen to music whenever they want. It will also be used to bind content to a specific PC, so that it cannot be redistributed"
:)
Oh, this also means that when your internet connection is down, OR the "certificate clearinghouse" server is down, you can't listen to music or watch videos that you already purchased, since the certificate can't be verified. We all know how stable M$ servers are, and of course the certificate server will have to run M$ software, or it couldn't trust itself.
Oh, and while I'm grumbling... today's DMCA thought: Does humming a copyrighted tune violate the DMCA? You are using your neurons to circumvent copy-protection and allow others to hear the tune without paying...
Micro$oft who? Never heard of them.
According to the XP service pack 1 website:here
There are some open license keys floating around the internet that will stop working. Can you imagine the fallout from this?
You are a systems administrator for a large company and your whole tech staff has taken home the open license keys (illegally) for their home machines...and then they get on the internet. Now, after deploying XP sp-1, all your corporate desktops stop working. Your company hasn't done anything illegal, yet the company will suffer the consequences.
This may be the best thing yet for Linux.
-ted
The potential further exists for oppressive governments to use the revocation feature to censor what we see and hear. In this Orwellian scenario it would be possible to erase from the collective consciousness striking images of the lone student facing down a tank in Tiananmen Square
Well we don't need censorware to hide political images in america. The media does it all on it's own.
Ever see this on cnn?
No.
You won't see the facts.
Honestly, if windows is so bad, so full of bugs, why does it keep selling?
Well, let's start at the beginning...
Why did DOS sell? Because it was the cheapest functional OS IBM could license for it's machines.
Why did DOS become prevasive? Because IBM was dumb enough to contract DOS on a non-exclusive basis (MS could license it to anyone they wanted) and stupid enough to start using an open hardware model...viola, a bunch of IBM-clones running DOS.
So DOS became a standard. Win3.1 comes out, people start moving to that (it runs with DOS, and ooh, shiney!).
As Windows became the dominant OS, MS was able to tie people/groups into using it by using proprietary formats for documents and killing/buying it's competitors.
Yadda yadda yadda, Google for Microsoft anti trust, read the rest there.
Thomas Galvin
On the Windows Xp Newsgroup, a guy named Gazwad claims the key was released by himself as a joke.
The World is Yours.
If you let FTP traffic through. malicious code will get in through there. If you leave port 80 open, malicious code will get through there. If you leave port 23 open, malicious code will get in through there. If you let e-mail in, even if you virus-scan it, malicious code will get in. If there is a single floppy disk drive on your network, malicious code will get in. Same for CD-ROM drives.
Firewalls can make things inconvenient for people (users as well as crackers), but there is always a balance that must be met between how much inconvencience the users can tolerate and how important it is to inconvenience crackers. That balance is never going to lean very far towards the 'inconveniencing crackers' side.
I guess if they are getting better at fixing bugs, then that's good. I guess in my mind, since timing is key, they already missed the boat technologically. That doesn't mean that I'm going to ignore them or needlessly flame them, but it does mean that I'm only going to pay attention to them if they have any ground breaking technological break throughs that I can't get anywhere else. Granted if I want to keep getting money in my account for work, I know that I can't ignore them if they continue to nock perfectly good companies off the market with their monopolistic powers, so I will deal with that when I get there.
Do they still make you pay for support when you're reporting a bug?
"Everybody knows the moon's made of cheese," Wallace.
I contacted the author of SMBDIE.EXE, and he told me that it crashes NetBIOS over TCP [NetBT], but not NetBIOS over IPX [NBX]. Here is his response:
Girls are not that stupid. Anyone doing that is just going to get slapped.
Actually, if I'm not mistaken, the Windows XP registration key code is stored as a system registry entry. Therefore, people with that FCKGW key could simply run regedit (or regedt32), and modify the appropriate entry with a usable key code before upgrading to SP1.
I haven't tried this to be sure it still works, but I know for a fact I've gotten this to work on copies of Win '9x.
Worst case - they have to do a full re-install with a different key code before they can use the SP1 and auto-updates, but I'm not sure it's that bad.
...maybe this'll be what I need to convince the wife to "Switch"...
I thought Windows already came with a code to crash it. That being Windows itself.
:p)
Hehe thats what they want you to think. In reality its not the source code, its just the APIs(CrashWindow, BuggerUpWindowEx etc
I think you responded to the wrong post... But I will counter anyways ;)
The parent post said MS products are only known as "buggy" because they are used by the majority and therefore more bugs are revealed, as opposed to them just having more bugs in total. I said this is not always the case, because Apache typically has a lot less problems than IIS as far as exploits and security bugs are concerned, yet is more widely used than IIS. So in other words, the number/severity of bugs found is not always proportional to the market-share percentage of the product. Sometimes it is, sometimes it isnt.
my religion lies somewhere between buddhism and super monkey ball - pamphlet?
Gimme a break. Who says that /. HAS to "make a credible leap" to anything? Who the hell ever said /. SHOULD be "journalism"??
You're an ass, too. If you don't like it, get your tech news somewhere else, and stop whining about what you get for free.
My Hello World programs run great! They're flawless!
There are four boxes used in defense of liberty: soap, ballot, jury, ammo. Use in that order.
Hey,
Why don't we ask microsoft if we can interview the guy that writes their EULA's? You know, what is the process, how are they reviewed, how are modifications recommended, who has to sign off on them........might be an interesting angle on the machinations of MS.
And if any MS employees are reading this, feel free to enlighten us on how the whole thing works...
Check zinf out, (formaly known as freeamp). Its has plenty of good features (inc skins which u dont like) but it very small (compared to wmp), it also has a playlist editor similar to wmp media library (which i like)
The story points to http://packetstorm.decepticons.org/filedesc/SMBdie .zip.html, which has a code to crash a windows machine. This zip has a file called SMBdie.exe, which is infected with the HackTool virus.
Sheesh, talk about sheep...
Viruses can be imbedded easily in .wma files. The answer here, of course, is stick to mp3 or ogg, which are pure data (unlike wma).
The trouble is, with Windows Media Player (WiMP), if you put a trojan in a wma file and rename it to mp3, the trojan will execute.
No other media player I know of will play a file with a misnamed extension. No other music file format except wma and its drm can carry "nasties".
When Microsoft talks about security, they're not talking about YOUR security.
Why on earth does Microsoft allow its affiliates to advertise on Slashdot? Nothing like opening up a Windows-bashing article only to be taken out by a low-flying Microsoft.NET ad. I bet they generate tons of .NET sales on the OSDN.
The OpenBSD trojan made front-page news here.
Apache was fixed less than 12 hours after the surprise announcement of the bug.
The NetBios bug has been known to MS for a long time, it still wasn't fixed as of last week's critical security patch. Obviously, it isn't a critical problem in Microsoft's opinion.
KDE took a whopping 95 minutes to have a patch out for the SSL hole in Konqueror, IE still wasn't fixed as of last week's critical security patch. Obviously, it isn't a critical problem in Microsoft's opinion.
Every operating system is going to have exploits, they're all too complex to be perfect. What defines good software is the speed that discovered holes are closed. If you don't mind having your ass exposed to the world for weeks while some marketdroid determines the cost-effectiveness of fixing a security hole, keep running Microsoft.
They got your money, and don't care about your silly problems with their software. The biggest FUD garbage about free software is the "who's accountable" bullshit. Read that Micro$oft license again, it says they guarantee nothing, whatever bad happens is your own damned fault, and you agreed to that. Now, tell me again, who are you going to sue?
2. it doesnt work with 9x.
3. The patch has been out for quite some time as mentioned earlier in the thread.
4. I picked remote systems too to test this on, like my friend computers. (Read: authorized). Only once it was sucessful and then the sytem was patched with the given fix (WinXP Pro).
http://support.microsoft.com/default.aspx?scid=
So we know this exploit attacks NT systems only, and it's totally useless. I've seen better script kiddie executables which would do 100x more harm than this worthless junk.
So the question is.. why was this even newsworthy?
Just in case anyone cares, I downloaded the "crash tool" which works nicely within the office behind the firewall but norton antivirus found it as a virus!!!
any thoughts?
Winston Chan, the MS digital media mgr, says a couple things that need translating.
The purpose of DRM is, "to keep honest users honest." Translation: to keep everybody paying, and paying, and paying...
Censorship through license revocation will not be a problem because, "You [would] need all the content to be able to be revoked, and to do that you need all the content to come from the same service, which is unlikely. This is not something that is possible." Translation: we haven't figured out how to pull that one off.
Hitting a major site is the fastest way to find yourself in the clutches of the FBI. Hitting your SMB competitor down the road is less likely because they probably won't know what hit them anyway.
I can't speak on an "in the know" basis, but I know that if I was a Black Hat and had wonderful exploit X, I would save it for A) something worth taking a huge risk B) A low on the radar company/web site and C) One that doesn't have the proper resources to track intrusion effectively.
Just because there haven't been a lot of crackers/hackers (choose your term) being wisked away by the FBI on CNN does not mean they don't exist and that there is no intrusion happening.
Post the URI some more! Maybe it won't break next time!
Good point - you can be more selective, allowing the software to send out information, but only to sites of your choosing. But why would you choose them? Because you trust them. It still comes down to a question of whether or not you trust the software creators. With proprietary software, you have no choice but to rely on trust. With open source software, if you wish, you can rely on facts. Facts are preferable to trust. At least by my reckoning.
The reason Windows patches take so long to be released is not that no one cares -- it's that it has to go through extensive quality control, managerial approval, etc. If say the Linux folk release their 10 minutes-later patch, and something breaks, what are you going to do? Nothing, it's your tough luck. If Microsoft messes up, and since they have a much greater market share, they'd be in a deep pile of doo-doo. (Yes, I know this has happened before, and there was an uprising against the MS camp).
No you can't unless you have audited your code, the OS and the compiler. That will be one hell of an expensive 'Hello World'. Don't belive me? Try this (Hello World)++ on an NT kernel based Windows system:
#include <stdio.h>
int main()
{
printf("Hello World");
for(int i=0;i < 666; ++i){
printf("\t\b\b");
}
return 0;
}
--
Reverse outsourcing: it's the future
First of all, you had to write that bug into it. simplifying it to:
#include
int main() { puts("Hello, World"); return 0; }
Would help immensely.
Secondly, who said I was going to use a compiler, or even a real OS for that matter? I could easily write a bug-free DOS based Hello World prog in assembly. Any bugs would be outside of its code, before or after it gets executed. I could go one step further and create an embedded device that would immediately start up with my code and halt when it's done. No bugs in software.
Not to bust your pompous bubble, but this program does act as an active trojan
As I was saying, all that's missing is a little adult supervision.
If we have indeed established that SlashDot has no ambitions and aspirations, and/or is genetically incapable of making a credible leap/leap into credibility, then I would say that their course into Mediocrity is set firmly and their sailing should be smooth.
I believe, however, that Taco et. al. have bigger ideas, and are probably more embarrassed by the juvenile anti-MS tubthumping of some of their associates than we will ever be privy to -- especially in light of Microsoft's position as an advertiser here.
stop whining about what you get for free.
Well, obviously, it was not a whine. I haven't whined in over 40 years. But more importantly, you are 100 percent off base about the economics of SlashDot. Almost everything on the Web is free; SlashDot's competition charges no fees. Much of SlashDot's competition for my tech news reading time employ professional, accountable journalists. SlashDot is not growing by virtue of its Linux-cum-Boba Fett geek niche; it is clearly casting its net wider (as it must, if it does not want to be relegated to the list of vanity and curiosity sites). With all that free competition, not to mention original content vying for eyeballs, my guess is that SlashDot is actively concerned about "tweaking," if not necessarily "polishing," its image.
What do YOU think, Azghoul? At the next SlashDot staff meeting (or earlier), are the Editor-in-Chief and the more senior editors slapping michael on the back saying, "Hey, don't worry about it, kid, ya done good," or are they lovingly, gently, nurturingly, but firmly coaching him to be a little more careful next time?
People are stupid?
Just by reading your post I would think that the answer would be obivious.Since Win2k, the key has been stored encrypted and hidden in the registry. It's probably easy to find, but you can't easily replace it.
Is your browser retarded?
VisualStudio.NET bombs the Linux developer right back to the stone age.
La-hoo za-her
You mean, such as taking out Windows Update itself, as well as a number of internal Microsoft servers and desktops? Code Red did that.
And don't forget those Russians who broke into Microsoft's internal network and rifled through their source code repository. "Trustworthy computing," indeed.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Is it really FUD? Add a sound or video recording to your presentation. Forget to uncheck an obscure box. Transfer it to the auditorium computer. Do the presentation minus the audio you recorded yourself and minus the video from your camcorder. Is it really FUD? See www.sdmi.org for details. Sorry to those who are PDF limited. Your own created content is to be encoded upon creation and bandwidth limited to monural voice grade recording. It won't play when transferred to the auditorium computer. It is not FUD, it is in the specification.
The truth shall set you free!
But I assume it's 'better' to let people suffer instead of helping them out, is it? You dont have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well...
Because people that are venerable to this exploit are dumb. They run an inferrior operating system that is venerable to lots of easy to use cracking tools. They choose not to update it regularly. In essence, these people have called down the thunder on themselves. Why should we be obligated to help them out? If we post links to programs that can knock their computers offline, mabey they will see the light and switch to the more secure *nix operating systems and stop bothering me with their Code Red and their Network Neighborhood. Remember, these people are so stupid that they need to be rudely awakened to the fact that the software they are using is written by a terrible, malicious company, and should be abandoned.
Or so I read on slashdot.
~Will
sig?
So, MS intends to limit any media you download to the shelf life of the computer you use to download? That would mean, if the article accurately presented it, consumers must repurchase movies, music, etc if they buy new computers.
DRM would restrict sharing that not only falls under "fair use" but would also stifle innovative products in the future. I can't imagine how incredibly complicated and expensive life would become for power users who have at least two of the following:
-desktop
-laptop
-handheld
-next gen cell phone
-mp3 player
-home network
Even worse, Digital Rights Management would seem to PUNISH victims of:
-Stolen computers
-Corrupt software or dead hard drives
-Hacker attacks
If DRM ever took off, just imagine the countless file class action lawsuits against hardware and software manufacturers, ISPs, movie studios, and record labels! Someone has to be liable if, for some reason, you your copy of LOTR2 is lost because you couldn't backup the legit file you bought and downloaded.
IMHO I don't think people like the idea of becoming dependent on the reliability and security of hardware and software in an age of computing when products have more bugs and complaints than features, not to mention they'll become outdated before they reach the selves.
Another scenario is that digital media would suffer a quick death and retail stores would again be the kings of media.
In all this mess, if DRM is tweaked to avoid this unjust punishment to honest customers by creating a database to record your purchases in case of disaster, consumer's individual profiles would become statistical fodder for overzealous marketing vultures. Ugh.
____________
"Technological progress has merely provided us with more efficient means for going backwards."
-Aldous Huxley
"Technological progress has merely provided us with more efficient means for going backwards." -Aldous Huxley
How far out of context can one go? Code Red was a DOS, something that has plagued all network enabled OS's.
Yes, those sneaky Russians and their internal Microsoft contact that helped them get in.
Yes, trustworthy computing sounds stupid, but IF Microsoft has actually done anything we will not see the affects of it until the next major product releases. If you know anything about software development you don't just state an initiative and get results overnight.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
> you don't just state an initiative and get results overnight.
In spite of what Microsoft wants everyone to think
Anyone notice that Norton Anti-Virus freaks out about this file, saying its infected with HackTool. Interesting surprise.
I may have, in a fit of pique, hit the "Okay, shaft me Microsoft - I trust you" button. You do you got back to being asked each time?
Cheers.
The idea is "to keep honest users honest".
Strange, I though the idea was to make dishonest users honest? Apparently it's okay to be dishonest, but if you are honest, you must be a crook?
It doesn't make sense. But then when did any of these restrictions make sense...
Regards,
You have got that right - We have basically entered the era when it is necissary to break the use^H^H^H copy protection before using your software.
I have experienced similar troubles with other products - I won't go into details now - where in the end using a cracked copy instead of the available legit copy was by far the best way to proceeed.
My Karma: ran over your Dogma
StrawberryFrog
Once you've agreed, All Your Base Are Belong to Them.
Not that anyone is reading this old stuff :)
:)
Pulled the proggy SMBdie.zip from PacketStorm and Norton nearly had a cow. Check it out:
Date: 8/29/2002, Time: 20:19:48,
The file SMBdie.exe in compressed file E:\Downloaded\SMBdie.zip was infected with the Hacktool virus.
The file was deleted.
File is right off the page. Checksum is:
c812c8b9b3e5fe258fa8c56e04dce843
This would definately give the script runners out there something to do.
...no law without exceptions and additions and... here's the FAQ: http://www.killfile.org/faqs/godwin.html
Excellence: Moderate (mostly affected by comments on your karma)
I thought GW stood for GateWay...
The Web is like Usenet, but
the elephants are untrained.
I didn't check back on this story, but I decided to respond, and who knows, maybe you'll read this sometime...
/trying/ to be anything more than what it is: A clearinghouse for 'interesting' or controversial news from around the net, with the occasional original bit (like a book review).
/no idea/ what's going on behind closed doors at Slashdot. How you can say that it "must" cast a wider net is arrogant, as well as your statement about Slashdot's economics. We have no real idea what they're economics are, do we? Do we care?
My point here: I don't believe Slashdot is
I don't pretend to know what they are trying to accomplish long-term with this site, and I think it's folly to get on here as a commenter and complain about what they're doing.
I do, however, realize that's something of an American tradition, very similar to guys calling sports talk shows to scream at a coach and GM for personnel decisions.
We have
I suggest that if the bosses don't like what Michael's doing, he won't be doing it for too much longer. It's not like "/. editor" is a public sector job...
But it all gets back to my real point, which is to ask, why the hell should people like you sit out on the comment board, bitching about what some editor wrote, on a site that is utterly free? You even suggest there is a great deal of competition for your free website reading time: Go read other sites if you don't like what's happening here. Vote with your mouse.