Slashdot Mirror

← Back to Stories (view on slashdot.org)

If You Hack NBC, You Don't Get to Meet Tom Brokaw

Posted by CmdrTaco on from the thats-pretty-funny dept.

subgeek writes "Security Focus Online is carrying this story about the spot that Adrian Lamo almost had on the NBC Nightly News with Tom Brokaw. NBC changed their mind after they realized the possible legal implications of filming someone hack corporate systems. NBC also seemed a bit touchy that Lamo had gotten into their system so handily. According to the article, it took him about five minutes and one guessed password to get inside NBC's intranet from a computer at a Kinko's. Lamo's comment: "It was a very full service system.""

8 of 319 comments (clear)

  1. Re:Unfortunate Last Name by Wind_Walker · · Score: 4, Informative
    Actually, the SNL skit you're referring to had the punchline of "Azwipe".

    The "Dumass" you're referring to is either the "Thick-Headed" commercial for A&W Root Beer, or from The Shawshank Redemption tring to pronounce Alexandre Dumas.

    Not that I'm anal or anything.

  2. Re:No Speakers by Anonymous Coward · · Score: 1, Informative

    "It has come to my attention that NBC sucks." His voice cracks when he says, "sucks".

  3. Re:As an ex-hacker I tend to only trust Mac OS ser by ruhk · · Score: 2, Informative

    Interesting? Please.

    This is a verbatim repost of an old troll--which, I might add, was shot down point for point for point.

    "No root user" is NOT the same thing as "always running as root".

    --



    404 Error: .sig not found.
  4. Re:As an ex-genius, I can tell you (all facts) by alienmole · · Score: 4, Informative
    Easy:

    The entire premise of "secure Mac OS" web servers is based on two factors:

    1. Reduced functionality tends to improve security. Mac OS web servers have extremely limited functionality, therefore are more secure by default.
    2. Mac OS web servers are not widely used (a serious understatement, hardly anyone uses them), and are thus not targets for attacks. There was a time when it was quite safe to put an unprotected Windows web server on the Internet, for the same reasons, and we all know how secure they turned out to be.

    It would thus be accurate to say "The Mac OS web server may be a good choice if you are clueless, do not know how to administer secure servers, and want to run an OS that is now officially obsolete."

  5. Re:As an ex-hacker I tend to only trust Mac OS ser by foobar104 · · Score: 3, Informative

    If MacOS is so great, why does Apple use Solaris?

    Akamai. Apple's web site is distributed. When you connect to apple.com, you're actually getting www.apple.com.akadns.net, which runs on Solaris.

  6. Re:As an ex-hacker I tend to only trust Mac OS ser by Odin's+Raven · · Score: 2, Informative
    I have nothing against most of your points, but I have a few little nits to pick:

    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stufff where you pass Gary Davidians birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    Perhaps this is a philosophical nitpick on my part, but by extension shouldn't this mean that the vast majority of Windows programs should be incredibly secure? Prior to NT, all Windows developers were guaranteed that their code would be running as 'root'. That's a lot of developer-time spent in a world where everything is root. And yet, somehow, Windows still seems to have its share of security problems.

    I'm not saying that Macs are as insecure as Windows boxes, just that I'm having trouble following the idea that "always being root" somehow makes programmers more security-conscious.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C stings and bind to ANSI libraries, but many do not.

    A buffer overflow is a buffer overflow is a buffer overflow.

    If you don't check that your destination buffer is big enough to hold the contents of your source buffer, then your code becomes a bug in search of an exploit. Doesn't matter if the length is stored at the beginning, doesn't matter if you count until you find a NUL. If you copy from A to B and sizeof(B) < sizeof(A), you're just looking for trouble.

    Yes, ladies and gents, sometimes size does matter...

    --
    A marriage is always made up of two people who are prepared to swear that only the other one snores.
  7. Re:As an ex-hacker I tend to only trust Mac OS ser by Anonymous Coward · · Score: 1, Informative
    It amuses me that people keep forgetting that no MacOS based webserver has ever been hacked into in the history of the internet.
    That's a bold statement, which you probably don't have statistics to support. The Mac has been around for 18 years or so, the web for 11. How can you be so sure?
    No Root user. All mac developers know their code is always running at root.
    This just means that if the box is exploited, the potential for damage is much worse. Unprotected memory means that an exploit can overwrite another program's data/code too.

    I honestly think, knowing many of them, that most Mac OS programmers don't give a shit about security. They just want a program that works. Few of them seem to realize that not all data is to be trusted. (How many times have you dragged a file into your favorite application and had the whole system crash? That's proof.) I've found that UNIX programmers tend to be most aware of this.
    Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS.
    Enjoy your 255-charcter limit. Or the fact that a 1-character string still takes 256 bytes. (And by the way.. Many exploitable programs do in fact have length arguments/members. They only go so far; it's when the human programmer disobeys/disregards them that's the problem.)
    Stack return address positioned in safer location than some intel Osses. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run thier exploit code instead. The Mac places return address infornt of where the buffer would overrun. Much safer.
    I don't understand this part.

    void foo( int x ) {
    char buf[256];
    }

    On i386, the stack for this function would look like this:

    ebp-4: return addess
    ebp: old stack pointer
    ebp+4: buf
    ebp+260: esp (new stack pointer)

    In other words, the return address is BEHIND any local variables.

    How often are strings terminated on the left rather than the right? I often do loops backwards, but it would never go to the left of the original buffer...

    On the other hand, you could do this...

    void foo( char *buf, void *c ) {
    memcpy( buf+256, &c, sizeof(c) );
    }
    void bar() {
    char buf[256];
    foo( buf, shellcode );
    }

    And that could be bad... But how often is this actually possible? Most programmers are smarter than this.
  8. Re:Unfortunate Last Name by (H)olyGeekboy · · Score: 2, Informative

    Reminds me of the great SNL skit with Nicholas Cage:
    "The name is Dumass, Dumass!"

    That's a rootbeer commercial.

    Nicholas Cage's name was "Asswipe," and the line was "Excuse me, that's pronounced Os-wee-pay!"

    Sorry I remembered that skit recently when trying to think up a name for my unborn child. :) (Cage made every name that his wife suggested into a tease or a taunt to see if it would be appropriate.)