Microsoft News Update
Microsoft news of the past few days: Media Player 9 is the subject of a few articles, including one on its integrated digital restrictions and one on changes in its privacy options. Microsoft is releasing certain APIs, and is releasing a service pack for Windows XP, under the requirements of its antitrust settlement with the Federal Gov't. On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net, and there's been more publicity of the vulnerabilities in Microsoft IIS/SSL.
I mean come on... We've been nuking win95 machines since '96... It's time to find a new protocol!
I apparently forgot that sig != uptime...
On the downside, code to crash any modern Windows machine with NetBIOS enabled is now floating around the net
Well, one good way to help the propagation along would be to post a link to it on slashdot so thousands of script kiddies can get ahold of it... oh wait..
According to this article anyone using cracked WPA activation or certain serial numbers will not be allowed to use Windows Update or install SP1. This will apparently not affect the OEM copies that have been floating around for months before the Windows XP release date.
By that logic, is this part of Microsoft's plan? Since Linux is seen as good by the general public for, amongst other reasons, giving away the source code, is Microsoft trying to make the (erroneous) impression that they're giving away source code as well?
All you have to do is witness the general confusion when a game maker releases some source code ("The RtCW Source Code has been released! This means the game is free!") to see that the general public still doesn't "get" this idea.
Schnapple
One article says Media Player 9 will allow the user to select how much information is sent to content providers. But the other goes into detail about the new DRM features of MP9. One of the biggest is a 3rd party clearing house for certificate authentication and authorization.
So you get a DRM enabled media file. When you play it, Media Player has to contact this server to find out if you are allowed to play it. They can track every time you play this file.
Maybe you'll have a feature that protects your privacy, but if you don't let the player contact the clearing house, you can't play the files.
Also, I'm sure everyone saw it coming. The reason Microsoft changed their EULA is because of this new DRM crack down. They want any program that can open a DRMed file to have to be authenticated, and they want to be able to disable any program that will attempt to get around these restrictions, and they don't want to get in trouble for messing up software you have installed.
Good thing I use a free and open OS. But if this type of thing continues, all media produced will be encrypted and you'll have to contact the DRM server to view it. So it won't matter. Just wait until router manufacturers are convinced to not allow their products to transmit any packets that haven't been DRMified properly.
Well, I'm not sure about everyone else.. But I know us developers at the WINE project have found the new APIs (documented here) to be anything but useful..
Well, The Register does say "what Microsoft has got in there is a grotesque, badly-documented pile of poo it doesn't fully understand itself." (in regards to the fact that the few new APIs Microsoft released doco's on are either useless or altogether wrong!)
David.
stuff
However he has now topped himself by linking to a script kiddie tool to what may be an unpatched bug on a website that gets hundreds of thousands of hits a day. What the fuck? Do you see MSNBC or C|Net linking to r00tkits whenever a Linux vulnerability is released?
Roblimo as Editor-in-Chief, you are responsible for his work and quite frankly he is the worst part of the Slashdot experience (now that I've upped my threshold to 4).
Are we talking about MS02-045? If you really MUST supply a link to the attack tool you should AT LEAST supply a link to the fix as well!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
From the article:
"Welcome to Windows Media Player 9 Series," the opening screen of the Privacy Options panel reads. "Microsoft is committed to protecting your personal privacy. To enhance your experience with features including album art and pay-per-view-services, data must be sent and received over the Internet and/or saved on your PC. The options below enable you to customize these privacy settings."
OK, so right from the get-go users are presented with the issue of sending information from their computer. Certainly this is an enhancement feature, if done correctly and the user really has control over what is going on. In the long run, the real power and benefit of computers and networks comes with sharing information, and as people become more comfortable with it, software that includes network features will be more powerful and more popular. For example, see the popularity of the CDDB in CD players.
However, how do you really know what sort of information your software is sending over the network? As we start to take advantage of network features, it will become impossible to rely on personal firewalls to curb outbound traffic - you want your CD player to send some ID to the CDDB so it can retrieve the correct tracklisting for the CD you're playing, so you have to tell your personal firewall to allow your CD player to connect to the net. After that point, you are trusting the CD player to behave properly and not betray you.
The article acknowledges this:
"As more applications become Web-aware in order to provide services and information back to the user, consumers need to be aware of the quid pro quo that's taking place and exactly what information is being provided to the vendors," Gartenberg said. "What Microsoft appears to have done here looks like a step in the right direction, if it makes it into the final product."
So the issue boils down to trust. Do you trust Microsoft? I'm sorry, but I do not. No matter what they put in their GUI as far as options go, you can never quite be sure about what their software is sending back to them.
With open source, at the very least you're allowed to look at the code and see what your software is really doing...
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-045.asp
But I assume it's 'better' to let people suffer instead of helping them out, is it? You don't have to post links to security bulletins, but if you post a link to a DoS tool, why not supply the link to the patch as well, to let the reader decide if he/she wants to be vulnerable or not.
(good system administrators have already disabled TCP/IP over Netbios (disable Tcp/IP over NetBios helper service) of course and stopped the server service as well, on online systems, among other netbios related crap which is not needed on the internet (NetBios package: "whohoo a router, what's that!")
Never underestimate the relief of true separation of Religion and State.
According to the Microsoft whitepaper found here, there are 11 components of XP that automatically download material from the Internet. If you've ever clicked the "always trust Microsoft" box (something unlikely here, I realize, but many have), then things like Media Player will download and install new media codecs without any notice, for example. Another thing that we're all concerned with relates to DRM: a built in feature of XP will silently download and install "revocation lists", which list programs that are not allowed to play DRM-encoded content.
From Russ at BugTraq:
Before too many more messages;
1. SMBDie = RedButton = Wow, incredibly talented programmer. This sure was a tool we needed.
2. If RestrictAnonymous is set, non-authenticated users can't use it, any authenticated user can.
3. If you're in an environment where any old computer connected to your network can use TCP139/TCP445, set up a sniffer (Network Monitor works) and watch for the source of the traffic. Then beat that person over the head with their PC. Do that either before or after you patch your systems with MS02-045. If more testing of the patch is required, beat them a little every day until your testing is complete.
4. If you're in an environment where you have TCP139/TCP445 open to the Internet, you don't need NTBugtraq, you need Dr. Phil. Buy a $50 Linksys router and put it in front of your machine and use it to block all but those few you really want open (which doesn't include those two).
5. Randy Hinders suggests that disabling NetBIOS over TCPIP works, I'm not yet 100% convinced. Either way, it should be easier to apply the patch than disabling NetBIOS over TCPIP.
The MS Security Bulletin honestly did do a great job of explaining all of this, more people should read it more carefully.
Cheers,
Russ - NTBugtraq Editor
What's this "think" you're talking about? Can you eat that?
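One way to do the watching described in item 3 of the quoted NTBugtraq message, as an added example that is not part of the original thread: the script tallies which hosts open connections to TCP 139/445 in `tcpdump -nn` text output. The capture lines, the 10.0.0.0/8 internal range and the fan-out threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's own range
# Match only connection attempts (pure SYN), not SYN-ACK replies ("[S.]").
SYN = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")

# Constructed sample capture in tcpdump -nn text format; not real traffic.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.1045 > 10.0.0.20.445: Flags [S], seq 1, win 64240, length 0
12:00:01.000300 IP 10.0.0.20.445 > 10.0.0.5.1045: Flags [S.], seq 9, ack 2, win 64240, length 0
12:00:02.100000 IP 10.0.0.77.2001 > 10.0.0.20.139: Flags [S], seq 1, win 8192, length 0
12:00:02.200000 IP 10.0.0.77.2002 > 10.0.0.21.139: Flags [S], seq 1, win 8192, length 0
12:00:02.300000 IP 10.0.0.77.2003 > 10.0.0.22.139: Flags [S], seq 1, win 8192, length 0
12:00:03.000000 IP 203.0.113.9.4410 > 10.0.0.20.445: Flags [S], seq 1, win 8192, length 0
12:00:04.000000 IP 10.0.0.5.1046 > 10.0.0.30.80: Flags [S], seq 1, win 64240, length 0
"""

def smb_sources(capture, fanout_threshold=3):
    """Return {source_ip: info} for hosts opening connections to TCP 139/445."""
    targets = defaultdict(set)
    for line in capture.splitlines():
        m = SYN.search(line)
        if not m or int(m.group(4)) not in SMB_PORTS:
            continue
        targets[m.group(1)].add(m.group(3))
    report = {}
    for src, dsts in targets.items():
        report[src] = {
            "targets": sorted(dsts),
            # Item 4 of the message: a source outside the site's range means
            # 139/445 is reachable from the Internet and should be blocked.
            "external": ipaddress.ip_address(src) not in INTERNAL,
            # One source touching many hosts is the first one to go and find.
            "fanout": len(dsts) >= fanout_threshold,
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(smb_sources(SAMPLE).items()):
        print(src, info)
```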
And MS plans (apparently) to "bomb" any cracked installations of XP. (I gather some sort of cracked DLL or file monkeyed with the WPA and allowed for pseudo-activation.)
MS is still not clear about this. But I'm curious if MS finally got the hint and is now planning to keep a database of all "authentic" Windows XP keys. If this is the case, then I assume the various keygens won't work. (Or they'll work, but when it comes time to activate, you'll find that you don't actually have an "authentic" key.)
Slightly OT, but I thought I'd share my own XP activation experience. It happened last night and it basically stumped Microsoft.
The short story goes something like this: I'm an MSDN subscriber. My MSDN subscription entitles me to Windows XP keys that will activate up to 10 pcs. So far so good.
Anyway, I go to the MSDN site, log in with my usual username and password. Generate my keys. Get my "10 activation" key for Office XP, Pro XP, Home XP.
Now, according to the license, these generated keys will activate 10 pcs for each application. (In other words, I can put WinXP Pro on my workstation at work and my workstation at home. This counts as two "activations" on two different PCs and is completely within the terms of the license. Each computer, of course, has to be for "development" purposes -- which, oddly enough, they are. My computer at home is actually a computer I use when I telecommute. And I develop on it. So, again, I'm completely within the terms of license agreement.)
Okay, so that's the background. Here's the good part: I install WinXP Pro on my home "work" workstation using the MSDN supplied key. (The copy of WinXP Pro I'm installing, BTW, is the ISO I downloaded from the MSDN site. The copy of Windows XP I'm legally entitled to according to the terms of my MSDN universal subscription.)
The MSDN issued key passes the first XP keycheck -- the check that appears before it actually installs. No complaints, install goes smoothly. I boot to the desktop. All's fine. Looks like it installed perfectly.
Except Windows tells me my key is no good.
But wait! It *took* the key when it asked for it, right? Yes. It took it.
I re-enter the key. (And, yes, I'm using the MSDN supplied key on the MSDN ISO -- not the volume license CD, the actual ISO downloaded from the MSDN site.)
Still says my key is no good. It then generates an installation ID -- an obscenely long number -- and tells me that I have to call the 1-888 toll-free activation center.
I call. I give my installation ID. Wait, I'm told, that's not the right installation ID. Generate another one.
I generate another installation ID. (There's a button that can do this when you install XP.)
I read it back. It's still not a valid installation ID.
The activation center guy said he never saw this happen before. Am I reading the correct ID? Did I transpose any digits?
Nope. It's all correct. Read it from right to left, he tells me. I do. Read it from left to right, he tells me. I do.
Wow, he says. I've never seen this before. You have a valid key, he tells me, but Windows is generating an *incorrect* installation ID.
I say, well, I don't care what's going on, I want this thing activated.
Pause. Sir? Can you read me the ID again?
I do. This is the sixth or seventh time I read the ID. Nope, he tells me. Still no good. He puts me on hold. I stay on hold. Sir, he tells me. I'm sorry. Sorry? We can't do anything. You what?
We've never seen this before.
You're kidding.
If you have a correct key, you should get a correct installation ID.
Yes, I say.
Can you read me your key?
I read it. Read it again. And again.
Sir?
Yes?
The key is correct.
I know the key is correct.
Can I put you on hold again?
So I sit and wait. And wait. All told, I've been "activating" for 30 minutes by this time.
Guy comes back on the phone. Sir? We can't do anything.
You're kidding.
He apologizes. He tells me again that he's never seen this happen. You're sure you're using a legit copy?
I explain my MSDN subscription (active, BTW), my MSDN key, my MSDN ISO download.
I'm sorry, he tells me. Try MSDN.
I call MSDN.
Go through the same thing.
Wow, the MSDN tech support guy says. I've never seen this before.
What now?
Good question, he tells me.
He puts me on hold. Consults with a manager.
Sir? There's nothing we can do.
Give me another key.
I can't. I don't have authorization.
Give me someone who has authorization.
We can't generate another key until the morning.
You're kidding. I'm stuck?
I'm afraid so. I've never seen this before, he says.
By this time I'm furious. I want this motherfucker activated.
Finally, the guy puts me on hold.
Sir? I've got a brand new copy of Windows Pro Retail. In my hands. I'm going to read you the key. But you didn't get this from me.
You're giving me another key?
You didn't get this from me, he repeats.
He reads the key. I read it back. That's all I can do, sir, he tells me.
I appreciate it. (Trying to stay calm.) Thank you.
I'm only doing this because you've got a problem we can't fix. You have a valid key, but it's not generating a valid installation ID.
By this time, over an hour has passed. I'm still trying to activate.
He has me enter the new key. I enter it. Try to activate. Comes up with a message: "This key has no more activations."
I wig out. You're fucking shitting me, I tell him. You're fucking shitting me.
Okay, he says. He explains that we'll have to wait until tomorrow morning to get the key re-activated. He'll make sure it gets re-activated first thing. But that's all we can do, he says. I can't do any more tonight.
I tell him that this -- my situation -- is why people pirate software. It's quicker to get a keygen and generate a phony key than to go through this, waste my time and waste my money.
He's sympathetic. I understand, he says. But we'll get this fixed.
Then: Sir?
Yes?
You didn't get that key from me.
Flash forward: right now. It's the next morning. I'm at my desk. I'm reading Slashdot. I'm on hold with Microsoft tech support. I've called three different tech support numbers this morning.
They cannot get my copy of Windows XP Pro activated. They cannot re-activate the "mystery" key that my friend last night gave me.
This is the first time they've seen this problem.
Can we get some more specifics? they ask me.
New hard drive, new CDROM, new motherboard. Everything is new.
They're mystified.
I'm still on hold. I'm reading Slashdot while I'm on hold.
A moment ago: Sir? Can you read your key?
I read it.
Yep, they tell me. That's a valid key. Wow. I've never seen this before.
In the era of security conscious people, running someone else's .exe file is really stupid, even if you think it might be funny.
And this tool got front-paged on Slashdot. How stupid can you possibly get?
I just installed a fresh w2k last night, after not being able to get my ATI All in Wonder Radeon 7500 to work with XF86 (what's with that? btw... tried RH7.3, Mdk8.2, and Lycoris to no avail, although they all recognized the card). The only things installed thus far are the OS and the ATI drivers/apps (for running the USB remote and such). I can assure you that this binary took the box out as quick as I could hit enter.
put the what in the where?
If you let FTP traffic through, malicious code will get in through there. If you leave port 80 open, malicious code will get through there. If you leave port 23 open, malicious code will get in through there. If you let e-mail in, even if you virus-scan it, malicious code will get in. If there is a single floppy disk drive on your network, malicious code will get in. Same for CD-ROM drives.
Firewalls can make things inconvenient for people (users as well as crackers), but there is always a balance that must be met between how much inconvenience the users can tolerate and how important it is to inconvenience crackers. That balance is never going to lean very far towards the 'inconveniencing crackers' side.