Slashdot Mirror


If You Hack NBC, You Don't Get to Meet Tom Brokaw

subgeek writes "Security Focus Online is carrying this story about the spot that Adrian Lamo almost had on the NBC Nightly News with Tom Brokaw. NBC changed their mind after they realized the possible legal implications of filming someone hack corporate systems. NBC also seemed a bit touchy that Lamo had gotten into their system so handily. According to the article, it took him about five minutes and one guessed password to get inside NBC's intranet from a computer at a Kinko's. Lamo's comment: "It was a very full service system.""

203 of 319 comments

  1. In the immortal words... by swordboy · · Score: 5, Funny
    --

    Life is the leading cause of death in America.
  2. Proof by chill · · Score: 5, Insightful

    Demonstrating OTHER corporations are security dumb-asses is one thing, but demonstrating THEY are security dumb-asses on nationwide television must've triggered someone's clue meter.

    --
    Learning HOW to think is more important than learning WHAT to think.
  3. Legal Implications? by LinuxWoman · · Score: 5, Insightful

    Sounds to me like they're more embarrassed that he did it so easily and from such a public location. After all, he was invited by an NBC employee to attempt to hack their system.

    1. Re:Legal Implications? by GigsVT · · Score: 2, Insightful

      I would have gotten a signed waiver that said that the employee signing it was representing that he had authority to allow such a thing. This guy will be lucky if he isn't sued.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Legal Implications? by Oliver+Wendell+Jones · · Score: 3, Funny

      This guy will be lucky if he isn't sued.

      Sued?

      Hell, he'll be lucky if he isn't branded a computer terrorist and thrown in jail for life!

      --
      A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
    3. Re:Legal Implications? by moankey · · Score: 1

      They can sue for anything in this legal system. After the .com bust, a friend that worked for a startup that never was got sued, along with half of the other employees, for $1 million, on the grounds that they didn't work hard enough as employees and caused the company's failure.

      Most of the others worked something out, some ran and disappeared, but my friend felt he did nothing wrong so he decided to fight. After a year of delays, depositions, recusements, etc... and lawyer fees, the plaintiff drops the suit; now my friend owes $50k in legal fees and is still unemployed, with the lawyers who represented him going after him now.
      He talked to former employees and apparently the plaintiff did it because he was bitter and wanted everyone to pay for the millions he thought he deserved.

      So yes, they may not get money out of him but they can get frustration and disillusionment out of him for ever talking to NBC.

  4. This kind of thing happens all the time by DigitalSorceress · · Score: 4, Interesting

    I used to work for a television news department... this kind of thing happens all the time:

    Reporter and Videographer are assigned some fluff or FUD piece, but come back with a story that lands a little too close for the news director's comfort... the piece gets pulled.

    Lamo's lucky... with the way lawsuits and "terrorist hacker" charges are flung about nowadays, he should be thankful he's not rooming with some lifer named Bubba right about now.

    --

    The Digital Sorceress
  5. Unfortunate Last Name by Ratfactor · · Score: 5, Funny

    Perhaps they just didn't want to admit that they'd been cracked by somebody with the last name of "Lame-O".

    Reminds me of the great SNL skit with Nicholas Cage:
    "The name is Dumass, Dumass!"

    1. Re:Unfortunate Last Name by Ratfactor · · Score: 1

      Damn, you're right. [Slaps forehead, leaving impression]

      That's what I get for not checking.

    2. Re:Unfortunate Last Name by MisterBlister · · Score: 2

      You must have got it confused with the recent commercials where some guy is interviewing with Dumass & Dumass.

    3. Re:Unfortunate Last Name by Wind_Walker · · Score: 4, Informative
      Actually, the SNL skit you're referring to had the punchline of "Azwipe".

      The "Dumass" you're referring to is either the "Thick-Headed" commercial for A&W Root Beer, or from The Shawshank Redemption, trying to pronounce Alexandre Dumas.

      Not that I'm anal or anything.

    4. Re:Unfortunate Last Name by Ratfactor · · Score: 1

      Shawshank!! That's it. Thanks.

    5. Re:Unfortunate Last Name by maxbang · · Score: 1

      On the anal tip - the Nic Cage sketch, Rob Schneider came to the door with a telegram for Mr. Asswipe. Cage screamed, "It's AUSWEEPAY!"

      --
      I also reply below your current threshold.
    6. Re:Unfortunate Last Name by (H)olyGeekboy · · Score: 2, Informative

      Reminds me of the great SNL skit with Nicholas Cage:
      "The name is Dumass, Dumass!"


      That's a rootbeer commercial.

      Nicholas Cage's name was "Asswipe," and the line was "Excuse me, that's pronounced Os-wee-pay!"

      Sorry, I remembered that skit recently when trying to think up a name for my unborn child. :) (Cage made every name that his wife suggested into a tease or a taunt to see if it would be appropriate.)

    7. Re:Unfortunate Last Name by Puppet+Master · · Score: 1

      I have a teacher friend, who had a student once named "SHITHEAD".

      Actually, it was pronounced "Sha-Teed".

      But, SHITHEAD was the actual spelling. I don't envy that kid...

      --
      The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vacuum Cleaner!
  6. So... what was the password? by taeric · · Score: 5, Interesting

    So, if this guy was able to guess someone's password, I am VERY curious as to what it was. If you know anything about the person, it makes guessing easier. However, if you don't know even the owner of the account, how do you guess a good password?

    My only hunch is that the password was something like 'abc123'. It cracks me up how many people have passwords such as that and are supposedly worried about security.

    It is also funny to hear what some of my friends think are secure passwords. Among them being obscure Anime characters.

    1. Re:So... what was the password? by Mr.+Sketch · · Score: 2

      I'm guessing he tried 'god'.

    2. Re:So... what was the password? by elsegundo · · Score: 2, Funny

      "password" is a good try as well.

      --


      The revolution will be televised. Blackout restrictions apply.
    3. Re:So... what was the password? by American+AC+in+Paris · · Score: 5, Funny
      My only hunch is that the password was something like 'abc123'.

      ...or perhaps 'ABCNewsAnchorsAreWeenies'...

      --

      Obliteracy: Words with explosions

    4. Re:So... what was the password? by Fascist+Christ · · Score: 1

      Oftentimes they might use the account name as the password. That wouldn't be hard to remember.

      --
      Today™ BillyJoel™ Google™d for Stitch™es due to Windows™ while Rollerblade™ing with an Apple™ and a Popsicle™
    5. Re:So... what was the password? by Skuld-Chan · · Score: 2

      I remember my password at work was an obscure anime character - but I padded it with an _ and some numbers.

      When a security audit came around I was one of the *few* people who didn't get a phone call or an e-mail telling me to change my password. I use the same password on my firewall at home too and so far it hasn't been guessed.

    6. Re:So... what was the password? by Jucius+Maximus · · Score: 1

      Other good guesses are that the password is the same as the login ID, or that it's the login ID with a 1 attached on the end. Maybe the password was null.

    7. Re:So... what was the password? by Anonymous Coward · · Score: 1, Insightful

      It is also funny to hear what some of my friends think are secure passwords. Among them being obscure Anime characters.

      Among your friends or their passwords? ;o)

    8. Re:So... what was the password? by Zathrus · · Score: 2

      It cracks me up how many people have passwords such as that and are supposedly worried about security

      Most passwords are crap, and there's nothing you can do about it. Passwords are doomed to be crap. You have two choices - be loose, and hope people use secure passwords (result: a few people will, most people won't), or be strict and force secure passwords (result: average users write down the new password, people who use secure ones normally get pissed off and start using crappy pw's).

      I have about a half dozen secure passwords that I rotate around -- none of them have ever been cracked, and you're not going to guess them from social engineering, profiling, or dictionary attacks. I know that some of them are inherently "less secure" because they're used more commonly, and the more places they're used the more likely they'll get snarfed. When you make me exceed my normal password capacity then I'm going to use stupid things like "Abcdef1".

      About the only solution is to use something like SecureID - which annoys me since I know my pw's are solid, but at least it takes care of the 90% of people who can't remember a password unless it's their SO's name, their pet's name, or a birthdate of one of the aforementioned.

      Oh, and obscure anime characters are fine, as long as you use some non-alphabetic characters at the front, end, or middle. Of course, we're preaching to the choir here. The problem is the average user.

    9. Re:So... what was the password? by da3dAlus · · Score: 2

      "Hmmm. That's odd. God wouldn't be up this late."

      --

      Sometimes I doubt your commitment to Sparkle Motion.
    10. Re:So... what was the password? by Anon-Admin · · Score: 1

      When I was younger and doing this kind of stuff for fun, I found there was a small list of passwords that seemed to be common. They boiled down to

      1) The person's login
      2) password
      3) qwerty
      4) 123456
      5) abcd
      6) Company name (NBC)
      7) god
      8) superman
      9) F**KYOU
      10) work
      11) The server name.

      NOTE: if you are using any of the above passwords, you need to change it.

      It is not hard to guess a password if the company does not have minimum requirements for the password.
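      A minimum-requirements check built around the weak patterns listed above, as an added example (not code from the page or from any project it names). The function names, the 12-character minimum and the leet table are my assumptions; it goes slightly beyond the list by undoing leet spellings and stripping digit/symbol padding before comparing against the blocklist.

```python
"""Reject the password patterns the Anon-Admin comment lists.

Added example; the blocklist entries come from the thread, the rest
(function names, minimum length, leet table) are assumptions.
"""
import re

# Words the thread says turn up over and over, lower-cased.
COMMON_WORDS = {"password", "qwerty", "123456", "abcd", "god", "superman",
                "fuckyou", "work"}

# Leet-to-letter map used to collapse "p4ssw0rd"-style spellings (assumption;
# the thread only remarks that such misspellings are obvious).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case, strip non-letter padding at either end, then undo leet.

    Padding is stripped first so a trailing '1' is treated as padding and
    not translated into an 'l': 'P4ssw0rd_1' -> 'password'.
    """
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def check_password(password: str, username: str, company: str,
                   server: str, min_length: int = 12) -> list[str]:
    """Return the policy violations found; an empty list means it passes.

    Covers the thread's items 1, 6 and 11 (login, company name, server
    name, with or without digits tacked on) and the fixed word list.
    """
    if not password:
        return ["password is empty"]
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    pw = password.lower()
    norm = normalize(password)
    for label, value in (("login", username), ("company name", company),
                         ("server name", server)):
        v = value.lower()
        nv = normalize(value)
        # Exact match or match with a numeric suffix ("brokaw1"), or the same
        # word once padding and leet spelling are removed ("NBC_2002").
        if v and (re.fullmatch(re.escape(v) + r"\d*", pw)
                  or (nv and norm == nv)):
            problems.append(f"derived from the {label}")

    if pw in COMMON_WORDS or norm in COMMON_WORDS:
        problems.append("on the common-password list")
    return problems


if __name__ == "__main__":
    # Constructed sample account; the candidate passwords are the thread's own.
    for candidate in ["", "brokaw1", "P4ssw0rd_1", "NBC", "123456",
                      "Sparkle_Motion!42"]:
        print(repr(candidate), check_password(candidate, "brokaw", "NBC",
                                               "newsdesk1") or "OK")
```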

    11. Re:So... what was the password? by scott1853 · · Score: 2

      You use your work password at home? I did that for about 2 days until I realized that I didn't want to get nailed with some keystroke logger at home and then have compromised our entire network at work, on which I have admin rights on all the servers.

    12. Re:So... what was the password? by NanoGator · · Score: 5, Funny

      "I am VERY curious as to what it was."

      I got a chance to see the video. It was just five asterisks.

      --
      "Derp de derp."
    13. Re:So... what was the password? by Trevelyan · · Score: 1

      I'd be more worried about ppl (admins) at work (uni) getting my passwords for home

    14. Re:So... what was the password? by Anonvmous+Coward · · Score: 5, Funny

      "I'm guessing he tried 'god'."

      No, that only happens in the movies. Here are some other notable characteristics of fictional computers:

      - They always use fonts that are at least an inch high

      - Windows does not exist, nor does Mac, or anything else we've ever seen

      - Computer displays are extremely animated. (They're also very noisy...) Fortunately, they have plenty of hard drive space (even in the early nineties) to play back pre-rendered animations.

      - Despite the benefits of using a mouse, using a movie computer requires bursts of constant typing. The space bar and backspace keys are never used.

      - Movie computers are not capable of multitasking. All you get is the exact interface you need to advance the plot.

      ... and so on.

      The password was probably: 'password'.

    15. Re:So... what was the password? by Geekboy(Wizard) · · Score: 3, Funny


      ***** is the password

    16. Re:So... what was the password? by Surak · · Score: 1

      'password'
      'god'
      'love'
      'secret'
      'money'
      'flo wer'

      'PeterJenningsCanSuckMyBigHardCock'

      ya know, the usual... :)

    17. Re:So... what was the password? by Altus · · Score: 1, Funny


      HA! :)

      --

      "In America, first you get the sugar, then you get the power, then you get the women..." -H. Simpson

    18. Re:So... what was the password? by Glass+of+Water · · Score: 1

      when i used to work at a place where i had access to a plain text file of the passwords people had created to log on to the site, the most common password was 'password'. most seemed to be names of pets, lovers, or teams, and the best one was 'domenow'. the most stupid was 'kleenex' -- obviously somebody just typed in the first thing he saw. this was a mutual fund news site, by the way.

      --
      There are no trolls. There are no trees out here.
    19. Re:So... what was the password? by joto · · Score: 2
      Also...

      • They have very bright screens, in fact so bright that you can read the monitor from the face of the person in front of it
      • Text is usually displayed really slowly, like letter by letter, with annoying beeps between each letter.
      • Or, if the user is a programmer/hacker/etc., it is usually scrolling down the screen at ridiculous speed
      • They never use account-based security, instead having a password for each interesting or secret document they store
      • They have an internet connection fast enough to show 1600x1200x20fps video in real-time two-way without any kind of jerkiness
      • But still cannot download the secret document describing some secret government/corporation plan in less than a few minutes...
      • They are remarkably stable, and will never crash except when being attacked by a virus/worm/whatever
      • Which is usually so simple to write that the genius hacker can throw it together in the 20 seconds it takes before they have to change scene to keep the movie interesting.
    20. Re:So... what was the password? by snake_dad · · Score: 2

      Right! Matter of fact, my home network is better protected than our network at the office. Most Windows boxes are not even patched. Anyone walking in with a laptop and some l33t sniffers would have a field day... But we haven't been burned yet, so there is no way to convince management that security could, no, should be improved. Sigh..

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
    21. Re:So... what was the password? by lommer · · Score: 1

      He would have to have incredible intuition (ESP?) to crack a good password. But then again, if he's cracking solely from a browser window...

    22. Re:So... what was the password? by iocat · · Score: 1

      And, of course, from Independence Day, we know that Aliens use AppleTalk.

      --

      Dude, I think I can see my house from here.

    23. Re:So... what was the password? by Anonvmous+Coward · · Score: 1

      hee hee

      ur list is better than mine

    24. Re:So... what was the password? by TotallyUseless · · Score: 1

      kleenex is the name of my cat :(
      Seriously. Luckily I don't use her name as a password, tho!

      --

      Time for some tasty Shiner Bock!
    25. Re:So... what was the password? by dillon_rinker · · Score: 2

      Right. Because Apples can't use TCP/IP. Or SMB. Or IPX/SPX. Or any other protocol. Because they are not programmable and you can't adapt hardware to them.

    26. Re:So... what was the password? by Rainier+Wolfecastle · · Score: 1

      Or maybe, since he knew that he was going to be meeting up with NBC, he had already successfully tried to enter their site. I know that he has some Jedi, Rainman thing going with his intuition, but five minutes from launching IE to getting in is pretty damn quick.

    27. Re:So... what was the password? by ShelbyCobra · · Score: 1

      The password is...

      'steak'

      --

      -ShelbyCobra

      Living life in the right side of the s-plane

    28. Re:So... what was the password? by Jack+Brennan · · Score: 1

      try pwgen -s 11

      it's actually pretty easy to remember, after you type it in a few times. Write it down, you'll get it the third or fourth time you have to do it, and save yourself a lot of trouble in the future.

    29. Re:So... what was the password? by ^MB^ · · Score: 1
      - Despite the benefits of using a mouse, using a movie computer requires bursts of constant typing. The space bar and backspace keys are never used

      Well of course, H4X0RZ never make mistakes...

      -Nick
    30. Re:So... what was the password? by old7 · · Score: 1

      My guess would be "Peacock"

    31. Re:So... what was the password? by BlackMagi · · Score: 1

      More like, I would have thought, a system default password. Lots of (usually older) software has a default password set into it that people just never bother to change... -BM

      --
      http://melbournephilosophy.com/
    32. Re:So... what was the password? by Anonvmous+Coward · · Score: 2

      "Well of course, H4X0RZ never make mistakes..."

      Th4tz why 7hey d0nt l1ke M1cro$oft. Squiggly lines appear under everything they type!

    33. Re:So... what was the password? by TheLastUser · · Score: 1

      I have noticed that whenever they have a windowing gui in MovieOS it is always some sort of X toolkit. I've seen Motif, Gnome, and even some aqua (only when they are pushing Apple gear) and a wide array of themes.

      I guess the important thing is to make sure it looks different than anything anyone uses in real life :-(

    34. Re:So... what was the password? by jxs2151 · · Score: 1
      When you make me exceed my normal password capacity then I'm going to use stupid things like "Abcdef1".

      That is exactly what I started doing at work when they got really stupid with the multitude of systems, each having different password rules, longevity, etc.

      My password everywhere on their system is now 23456789 because I figure the real reason they have made the damn password rules so hard is so the admins can say "I made the rules difficult so it's not my fault that someone got cracked". It is all just a huge ass-covering exercise that I refuse to participate in.

    35. Re:So... what was the password? by Odinson · · Score: 2
      Actually what you describe sounds kinda like setting up quake3 through an ssh tunnel at work.

      uuhhhh I mean when I saw someone else do it.... I swear |:).

    36. Re:So... what was the password? by flonker · · Score: 2

      Actually, your home network has equal protection as your office network, both of which are slightly reduced, due to the implicit trust relationship.

    37. Re:So... what was the password? by Ziviyr · · Score: 1

      My guess would be "Peacock"

      I wonder how many places have dirty word filters on their password system...

      --

      Someone set us up the bomb, so shine we are!
    38. Re:So... what was the password? by Quazion · · Score: 2

      Prolly the same as the login, like everyone does who can that I know. Trust me, our local NT admin password here is a username with the username as password. And I keep whining and I keep using it until I can't anymore ;-)

    39. Re:So... what was the password? by jb_nizet · · Score: 1

      It reminds me of the old Dilbert joke:

      Computer : "Enter your password!"
      Dilbert : "Penis"
      Computer : "Sorry, your password is not long enough."

      JB.

    40. Re:So... what was the password? by albanac · · Score: 1

      Macs exist in the movies: examine practically any film of the mid to late nineties (two examples without thinking: Mission: Impossible and The Net) and you'll see people using Macs.

      ~cHris
    41. Re:So... what was the password? by mmol_6453 · · Score: 2

      My college's Linux admin had (has?) a l337-type misspelling of a word for a password... It's so obvious, I have to be careful what I say...

      --
      What's this Submit thingy do?
    42. Re:So... what was the password? by mmol_6453 · · Score: 2

      Reminds me of another Dilbert joke:

      Catbert to PHB congregation: Market analysis shows that businesses prefer UNIX.

      PHB to Dilbert: We're bringing trainers this evening to make our employees eunuchs.

      --
      What's this Submit thingy do?
    43. Re:So... what was the password? by Anonvmous+Coward · · Score: 2

      You also see SGI laptops.... Heh.

    44. Re:So... what was the password? by rhost89 · · Score: 1

      I think we have our first movie paradox here, because in the post above it clearly states that movie computers are not windows, apples etc... :)

      --
      I will bend your mind with my spoon
    45. Re:So... what was the password? by Skuld-Chan · · Score: 1

      Well, I was a sysadmin at this place - although they probably could have done something without me knowing - I was the one who built all the system images for all the different OSes run onsite.

    46. Re:So... what was the password? by luisdlc · · Score: 1

      It is awfully common that users input the same for login and password.

      Some years ago, a friend of mine handed out a list of the logins/passwords of an internet provider (dial-up accounts). Don't ask me how he got it, but we tried it out and it was a valid list.

      I would say that something like 75% of the owners had exactly the same input for both login and password.

      And that bit about it being a five-* password makes me remember that old movie 'Space Balls': "The password is 1 2 3 4 5"

  7. Re:Didn't I ... by the+way,+what're+you · · Score: 1

    Yep, but it mysteriously vanished (it came right after the Mr. Anti-Google story). I figured it was removed by some cracker who "hacked slashdot" and didn't care that he wouldn't get to meet Rob Malda.

    --
    example.org - powered by Linux!
  8. Maybe they pulled his interview by Jedi+Paramedic · · Score: 4, Funny


    because he found out the great secret of TV anchors...

    ...No pants under the desk!

    --

    That's my purse! I don't know you! -- Bobby Hill
    1. Re:Maybe they pulled his interview by leviramsey · · Score: 1
      because he found out the great secret of TV anchors...
      ...No pants under the desk!

      Doesn't Brokaw do his newscast standing up?

    2. Re:Maybe they pulled his interview by oval_pants · · Score: 1

      And no real hair.

    3. Re:Maybe they pulled his interview by Mononoke · · Score: 2, Funny
      He's about the only anchor that you could approach on the street and get the time of day from, though.

      Yes, but will he tell you the frequency? Dan (Kenneth) Rather won't.

      --
      NetInfo connection failed for server 127.0.0.1/local
    4. Re:Maybe they pulled his interview by Ralph+Wiggam · · Score: 2

      I've been on the set of plenty of local news programs. They're almost always wearing jeans and sneakers. I have seen a guy walk in front of me wearing a very nice suit jacket and little goofy tennis shorts. It's really hard not to laugh.

  9. New slogan by Marco_polo · · Score: 1

    Must see PGP Key!

    --
    I am the lord of the pun. Dance Knave!
  10. Slashdot, the Ultimate DoS by LordYUK · · Score: 3, Funny

    ::Sigh:: you don't need to hack a system to bring a corporation to its knees, you just need to post a link on slashdot...

    anyone have the text?

    --
    This is my sig. It's pathetic.
  11. Re:Yesterday's Register story.... by Darkstar9969 · · Score: 2, Interesting
    Probably should post the URL too:

    TheRegisterStoryPostedYesterdayAM

    --
    MMMmmmmmm....erotic cakes!!! Homer J. Simpson - Treehouse of Horror VI
  12. This remind me of similar case in Finland by jukal · · Score: 5, Interesting
    One guy (I worked with him in the same company for some time) broke into a governmental system in Finland in a TV show, don't remember the year, maybe it was around 1985, anyway he was maybe 16 then - just old enough to be prosecuted properly.

    His identity was kept secret in the TV show, but a few days after, the TV station was forced by police to reveal the identity of the guy to get him convicted. The incident got a lot of media coverage, because before that many or most had thought the press has the right to protect their "sources" and does not need to reveal details about individuals.

    Anyway, maybe in this Lamo case, it is more about "agitating someone to do a crime", the court might see for example that part of the motivation for breaking in some system could be the fact that he would get press coverage and fame because of it - and NBC would be to blame for agitating.... or something totally different :)

    1. Re:This remind me of similar case in Finland by jukal · · Score: 2

      After some research, the year was 1986, and this was related to the FIRST real hacker (yes, they were called hackers, not system crackers for example) in Finland.

    2. Re:This remind me of similar case in Finland by jukal · · Score: 2
      > FIRST real hacker

      that was not supposed to be add an add the missing word, thing, but the missing word is case :)

    3. Re:This remind me of similar case in Finland by Fred+Ferrigno · · Score: 1

      Ironically, your attempt to clarify your earlier post requires more clarification than the post it means to clarify!

      Forgive me though, it seems as if you are not a native speaker, so don't take it to heart.

    4. Re:This remind me of similar case in Finland by Zeinfeld · · Score: 2
      I find the assumption that reporters are automatically entitled to protect criminals somewhat irritating. Of course there are instances in which it is important to keep the identity of a source confidential for the good of society. All too often, however, protecting a source is more about the private interest of the journalist.

      There was a piece on NPR this morning where a reporter from the BBC described testifying at Milosevic's war crimes trial. She dismissed the argument that testifying might bring journalists into danger, "we bear witness".

      In the case of journalists interviewing hackers the journalist is often being used for propaganda purposes by the hackers allowing them to propagate myths like they don't try to do harm (most do). It is astonishing (OK no it isn't it is infuriating) how often the hacker's boasts are reported as fact without question. Unfortunately it appears that only the trade press bothers to call up someone like Bruce or myself for a fact check.

      What is worse is that by legitimizing hacking these reports may well come back and cause havoc. The RIAA demand to be allowed to carry out vigilante hacking to stop piracy would, if implemented, cause serious damage to the network. Hacking attacks frequently cause damage far beyond the immediate target.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    5. Re:This remind me of similar case in Finland by jukal · · Score: 2
      > Ironically, your attempt to clarify your ealier post
      > requires more clarification than the post it means to clarify

      I know - and it's terrible. I first thought to clarify it, but then I thought that when a clarification of a clarification needs clarification, the methods of clarifying need re-clarification and that requires some real clarification.

    6. Re:This remind me of similar case in Finland by blue+trane · · Score: 1

      Hackers (of Lamo's type) are interested in finding the truth. Expressing the truth should not be against the law.

      If expressing the truth causes problems for society, the most efficient way of dealing with the problems (so they don't recur) is to acknowledge the truth and discuss it out in the open, so that (hopefully) motivation for those causing the problems will decrease, or (at least) society will be better informed and better able to cope with the problems.

  13. Whatever NBC... by Auckerman · · Score: 2

    NBC seems to think that if you hide under a rock, maybe the monsters will go away.

    Have these people never heard of TCP Wrappers and IPFW? I suspect not. All confidential information should be BOTH firewalled and TCP Wrappered (DENY) by default to all domains, then added on an IP-by-IP (or local domain) basis. I get the feeling that if admins took the time to do this very basic thing, 90% of all cracks would not occur.

    --

    Burn Hollywood Burn
    1. Re:Whatever NBC... by Scutter · · Score: 2

      No mac (Mac OS 9, or 8.x) have ever once been rooted or defaced in over 7 years

      That's because no-one uses them as servers. *duck* :D

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    2. Re:Whatever NBC... by gmack · · Score: 2

      Actually that's not true. My first ISP used a Mac LC-III for an email and web server.

      And yes... it turned out to be a really dumb idea, and they ended up terminating my access for complaining about the service.

    3. Re:Whatever NBC... by HappyPhunBall · · Score: 1

      Yeah, no one like the US Army.

  14. What's a Kinko? by Matz_T · · Score: 1

    Not that this is really that important to the story but, what/who is Kinko's?

    1. Re:What's a Kinko? by Jugomugo · · Score: 1

      It's a copy shop where you can get flyers made, copies, use the internet, etc...

      --
      "In a cat's eye, all things belong to cats."
    2. Re:What's a Kinko? by Mr.+Sketch · · Score: 1

      At the risk of feeding a troll, I'll respond:

      Kinko's is a full-service copying/printing store that has tons of stores all over the US. Their stores also have computers that will sometimes have internet access, but they're primarily used for printing out Word or PowerPoint documents on high quality laser or color laser printers.

    3. Re:What's a Kinko? by jeffy124 · · Score: 1

      Kinko's is an office copy shop type store here in the US. I've never been to one, but given their context in the article, it sounds like they have computer terminals w/ Internet in their stores.

      --
      The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    4. Re:What's a Kinko? by Boss,+Pointy+Haired · · Score: 1

      They have outlets in American cities, kind of like an Internet cafe only more business oriented with word processing facilities, photo-copying etc.

    5. Re:What's a Kinko? by dr_dank · · Score: 1

      One of those people in leather pants that likes to be spanked until they cry.

      --
      Where does the school board find them and why do they keep sending them to ME?
    6. Re:What's a Kinko? by mesec · · Score: 1

      Hey, don't forget they have outlets in Canada ;)

  15. Obligitory Space Balls Reference by JohnDenver · · Score: 4, Funny

    NBC Executive: What a coincidence! That's the exact code I use on my matched luggage!

    What's the world coming to when life imitates parodies imitating life?

    --
    "Communism is like having one [local] phone company " - Lenny Bruce
    1. Re:Obligitory Space Balls Reference by einstein · · Score: 1
      What's the world coming to when life immitates parodies immitating life?


      Oooh, Oooh, I know!

      parody

      what do I win?
      --

    2. Re:Obligitory Space Balls Reference by Anonvmous+Coward · · Score: 1, Flamebait

      " What's the world coming to when life immitates parodies immitating life?"

      Isn't that the point of a parody? To show how absurd things would be if taken to extremes? They're bound to be right once in a while.

      Spaceballs warned us of this day!!

    3. Re:Obligatory Space Balls Reference by JohnDenver · · Score: 1, Flamebait

      1. Parodies usually imitate life's dumbest moments so as to demonstrate what NOT to do...

      2. In my musings I talk about life imitating a parody (Opposite of #1)

      Can you see WHY you didn't understand this angle of humor and how you might choke the life out of future jokes by not taking the time to find the irony, or at least the illusion of irony? (Sometimes the fucking joke is the illusion of irony)

      Do you get it now? (Christ, I'm feeling hateful today)

      --
      "Communism is like having one [local] phone company " - Lenny Bruce
    4. Re:Obligatory Space Balls Reference by Anonvmous+Coward · · Score: 1, Flamebait

      "Can you see WHY you didn't understand this angle of humor and how you might choke the life out of future jokes by not taking the time to find the irony, or at least the illusion of irony?"

      Ya dun need to get shitty with me. I added the 'Spaceballs told us this day would come!' comment just so you'd know I got the joke. I found a moment to ask an insightful question and I did.

      You need to grow up. You accuse me of not taking the time to find something in your post yet you didn't take the time to find something in mine.

      I'll be sure to beat you over the head with every little point I make from now on so that you don't miss something like that again, k?

  16. Maybe he's just a Geek by gelfling · · Score: 4, Funny

    I mean this is television. Maybe they took one look at him and found out he was not the buff trim hunky reality TV piece of meat that gets on TV nowadays. Maybe he has Tourette's, who knows. Why would you want to watch his interview.

    Lamo: "Uh I haXord their shit in about 5 minutes it was Leet! they left a service password called PASSWORD on this gateway node and once I was there I forged an IP address or two...."

    Brokaw: "ZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz........"

    1. Re:Maybe he's just a Geek by nEoN+nOoDlE · · Score: 2

      I mean this is television. Maybe they took one look at him and found out he was not the buff trim hunky reality TV piece of meat that gets on TV nowadays.

      Another Simpsons quote,
      They're looking for tv ugly... not ugly ugly.

      --
      Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
  17. As an ex-hacker I tend to only trust Mac OS server by Anonymous Coward · · Score: 2, Troll

    Although the RIAA website was defaced yesterday, and now NBC learns it too is easily hackable, it amuses me that people keep forgetting that no MacOS based webserver has ever been hacked into in the history of the internet.

    The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.

    In fact in the entire securityfocus (bugtraq) database history there has never been a Mac exploited over the internet remotely.

    That is why the US Army gave up on MS IIS and got a Mac for a web server.

    I am not talking about FreeBSD derived MacOS X (which already had more than a couple of exploits) I am talking about current Mac OS 9.x and earlier.

    Why is it hack proof? These reasons :

    1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT

    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of its OS. In fact even its roms originally used Pascal strings. As you know Pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not.

    4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

    5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hackers needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. But the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.

    6> Stack return address positioned in safer location than some intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac places return address in front of where the buffer would overrun. Much safer.

    7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest, but there are millions of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so it's a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc). But some huge high performance sites use load-balancing webstar. Regardless, no mac has ever been rooted.

    8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reasons the MacOS has never been remotely broken into and exploited.

    Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

    One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event ages ago in 1995, no mac web server has ever been rooted,defaced,owned,scanned,exploited, etc.

    I think it's quite amusing that there are over 200 or 300 known vulnerabilities in RedHat over the years and not one MacOS 9.x or older remote exploit hack. There are even vulnerabilities a month ago in OpenBSD.

    Not one exploit. And that includes Webstar and other web servers on the Mac.

    A rare set of documentation tutorials and exercises on rewriting all buffer LINUX exploits from INTEL to PowerPC was published less than a year ago. The priceless hacker tutorials were by a Linux fanatic, Christopher A Shepherd, 3036 Foxhill Circle #102, Apopka, FL 32703, and he wrote the tutorials in a context against BSD-Mach Mac OSX.
    But all of his unix methods will find little to exploit on a traditional MacOS server.

    BTW this is NOT an ad for webstar.. the recent versions of webstar sold for over the last year are insecure and cannot run on Mac OS 9.x or 8.x, and only run on the repeatedly exploited MacOS X.

    --- too bad the linux community is so stubborn that they refuse to understand that the Mac has always been the most secure OS for servers.

    BugTraq concurs! As does the WWW consortium.
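    The claim at 3> above (and the later reply on this page that "a buffer overflow is a buffer overflow") turns on one point: a length prefix describes the source, not the destination. The following C reader for length-prefixed ("Pascal") strings is an added example written for this page, not code from any poster or from WebStar; the record layout, the 32-byte field size and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Outcome of reading one length-prefixed ("Pascal") string. */
enum pstr_status {
    PSTR_OK = 0,
    PSTR_EMPTY_INPUT = 1, /* no length byte available at all */
    PSTR_TRUNCATED = 2,   /* length byte claims more bytes than the input holds */
    PSTR_TOO_LONG = 3,    /* string would not fit the destination field */
    PSTR_TOO_MANY = 4     /* record carries more strings than there are fields */
};

/* Fixed destination field size (constructed for the example). */
#define FIELD_CAP 32

/*
 * Read one Pascal string (a length byte followed by that many bytes) from
 * in[0..in_len) into dst as a NUL-terminated C string.  dst_cap is the full
 * size of dst including the terminator; *consumed receives the input bytes used.
 *
 * Copying in[0] bytes without comparing that value to the input that remains
 * and to the destination's capacity is the overflow the prefix is assumed to
 * prevent, so both comparisons happen before a single byte is written.
 */
enum pstr_status pstr_read(const unsigned char *in, size_t in_len,
                           char *dst, size_t dst_cap, size_t *consumed)
{
    if (in_len == 0)
        return PSTR_EMPTY_INPUT;

    size_t len = in[0];                       /* 0..255 by construction */
    if (len > in_len - 1)                     /* source bound: bytes actually present */
        return PSTR_TRUNCATED;
    if (dst_cap == 0 || len > dst_cap - 1)    /* destination bound, room for the NUL */
        return PSTR_TOO_LONG;

    memcpy(dst, in + 1, len);
    dst[len] = '\0';
    *consumed = len + 1;
    return PSTR_OK;
}

/*
 * Parse a record of consecutive Pascal strings into fixed-size fields.
 * Returns the number of fields filled, or -1 with *err set when any string
 * fails a bound check; a bad length byte stops parsing instead of letting a
 * later field absorb bytes it was never meant to see.
 */
int pstr_parse_record(const unsigned char *in, size_t in_len,
                      char out[][FIELD_CAP], int max_fields,
                      enum pstr_status *err)
{
    size_t off = 0;
    int n = 0;

    while (off < in_len) {
        if (n == max_fields) {
            *err = PSTR_TOO_MANY;
            return -1;
        }
        size_t used = 0;
        enum pstr_status st = pstr_read(in + off, in_len - off,
                                        out[n], FIELD_CAP, &used);
        if (st != PSTR_OK) {
            *err = st;
            return -1;
        }
        off += used;
        n++;
    }
    *err = PSTR_OK;
    return n;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: "admin" followed by "nbc". */
static const unsigned char REC_GOOD[] = { 5, 'a', 'd', 'm', 'i', 'n', 3, 'n', 'b', 'c' };
/* Second length byte claims 40 bytes but only 3 follow. */
static const unsigned char REC_TRUNC[] = { 5, 'a', 'd', 'm', 'i', 'n', 40, 'n', 'b', 'c' };

int main(void)
{
    char fields[4][FIELD_CAP];
    enum pstr_status err;
    size_t used = 0;

    int n = pstr_parse_record(REC_GOOD, sizeof REC_GOOD, fields, 4, &err);
    printf("good record: %d fields, \"%s\" and \"%s\"\n", n, fields[0], fields[1]);

    n = pstr_parse_record(REC_TRUNC, sizeof REC_TRUNC, fields, 4, &err);
    printf("truncated record: rc=%d status=%d\n", n, (int)err);

    /* A maximal 255-byte Pascal string is legal on the wire but not in a 32-byte field. */
    unsigned char big[256];
    big[0] = 255;
    memset(big + 1, 'A', 255);
    printf("255-byte string into 32-byte field: status=%d\n",
           (int)pstr_read(big, sizeof big, fields[0], FIELD_CAP, &used));
    return 0;
}
```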

  18. Re:easy by jerkychew · · Score: 2

    Agreed. I do consulting 'rescue work' on occasion, and 90% of the places I visit have blank passwords. The remaining 9% have the default, and maybe 1% of them have decent passwords.

    Although, these are all smallish companies with no IT department. I would assume that NBC has its own IT department, right?

  19. Yeah, it is funny. by FallLine · · Score: 5, Insightful

    It's ok to publicize the flaws of airport security, how easy it is to build a bomb, and numerous other cases where some psycho can be encouraged to kill hundreds of people. They do so nominally under the justification that exposing the flaws helps society (as if government can and will simply just put a stopper in the hole). However, when it comes to exposing the flaws in their own computer network they get philosophical all of a sudden. Funny how that works.

    1. Re:Yeah, it is funny. by Anonymous Coward · · Score: 2, Funny

      You have to listen to the American national anthem when reading the previous post, while standing with hand over your heart, crying ever so slightly and tilting your head a bit.

      What happened America? Why are you SO FULL OF SHIT?

    2. Re:Yeah, it is funny. by RealBeanDip · · Score: 1

      Ain't that the truth!

      "me too"

      --

      You know you're a geek if you've ever replied to a tagline.

    3. Re:Yeah, it is funny. by hesiod · · Score: 1

      You seem to be implying that the post in question seemed overly-patriotic or something... I saw nothing like that, and you attack anonymously (turnabout is fair play) claiming he is full of shit? Man, look in a fucking mirror.

  20. Priceless by Anonymous Coward · · Score: 2, Funny
    PCMCIA 10/100 Ethernet Card for Laptop - $45
    Six pack of Rockstar "Energy Drink" - $6
    Network time at the local Kinko's - $2.50/hour
    Getting booted from NBC Nightly News after hacking their intranet - 5 minutes effort


    Scoring with the hot NBC Nightly News Producer because she's impressed with your k-r4d sk|llz - priceless

  21. Stupid people. by beleg777 · · Score: 3, Interesting

    Only stupid people are more concerned with the fact that they were made to look bad than with the underlying truth. Instead of getting offended they should have put the kid in touch with their IT team. Or put him on it.

    --

    Science may someday discover what faith has always known.
    1. Re:Stupid people. by bpfinn · · Score: 1

      I think his previous "victims" did exactly this. He appears to avoid prosecution by helping IT departments secure their proxies for free. I'm not sure about the NYT, but I'm pretty sure WorldCom went this route.

    2. Re:Stupid people. by stonecypher · · Score: 1

      > Only stupid people are more concerned with the
      > fact that they were made to look bad than with
      > the underlying truth

      What? Where in choosing not to air a news story have you read that they're not fixing it?

      Just because they don't want to make themselves look worse isn't an indication that they're stupid.

      --
      StoneCypher is Full of BS
  22. And this is how by inerte · · Score: 2

    The media portrays "hackers":

    For his part, Lamo, who's not known for shrinking from controversy, charges the network with a failure of courage. "I can understand where they're coming from," says Lamo, in a telephone interview from somewhere on the East Coast. "But I like to think that in their place I'd take more of a risk."

    Somewhere, disguised, with computer parts laying around... It seems like Lamo didn't want to give his location, yet there were hundreds of ways to find out.

    Why speak of "hackers" like this? Are they still a sub-culture, marginalized?

    1. Re:And this is how by alienmole · · Score: 1
      Why speak of "hackers" like this? Are they still a sub-culture, marginalized?

      Are you kidding? In the United States, the kind of hacker that breaks into other people's systems gets arrested and does jail time, if they get caught. Yeah, they're a marginalized sub-culture, like most other criminals under the law.

    2. Re:And this is how by inerte · · Score: 1

      Yeah, but my point is that the media doesn't help. He looked like an international spy where his location is a secret. Doesn't have to be like this..

  23. I'm actually surprised. by Mulletproof · · Score: 3, Interesting

    No, really. Given the media's track record and history of hacker over-sensationalism, this story would have been the perfect opportunity to whip your Senator, the public and your turtle into an anti-hacker frenzy. Had this story aired, I'm sure you'd be reading anti-hacker sentiment in place of this piece you're reading now. The government would be riding the anti-hacker bandwagon with full force if they actually saw how easy it was to hack into a major corporation. They wouldn't even have to air any detail; cue darkened room, silhouette of Joe Hacker, a few comments from him about what he was doing (computer masked, of course) and that sinister Nightline narrative they use for melodrama. Toss in a few screen shots of complicated, yet meaningless clips of him navigating the network and bam-- Instant media frenzy. Who cares about Tommy boy, the fact that Lamo is willing to be used as an obvious pawn in the media spotlight is scary in its own right. Sure, he'd have his 15 minutes... Then watch as it was used to destroy his world with laws and legislation.

    --
    You need a FREE iPod Nano
    1. Re:I'm actually surprised. by mwjlewis · · Score: 1
      "Toss in a few screen shots of complicated, yet meaningless clips of him navigating the network and bam-- Instant media frenzy"

      Better yet, use the movie "Take Down" with Kevin Mitnick, and the screen with the ping replies: "I can see him, he is bouncing all around" (this is the shot where yammo, and the guy from the cell phone company and the ISP are trying to track him down, when they are in Seattle).

      don't flame me as a "lamo" (teehee), I have ONLY seen the movie once.

      --
      www.oobersworld.com - For those that ride.
  24. Lamo is my hero by zaren · · Score: 5, Interesting

    He got into Worldcom's systems while I was working there, and it threw the entire company for a loop - out of the blue, passwords were expired en masse on various portions of the network, and a weak VPN software package was crammed down the throats of the Windows users. Thousands of people had to get it installed, and ALL of the registration and training and configurations had to be handled through a VERY small pipe. That was an interesting time... good thing I wasn't one of the people that had to rely on the VPN software to do my job.

    --
    Come to the University of Mars! Classes starting soon!
    1. Re:Lamo is my hero by haa...jesus+christ · · Score: 1

      could this be why worldcom has collapsed? i knew it! the hackers did it! d4mn y0u, d4mn y0u 4ll t0 h311!

  25. Perhaps.. but seriously. by mindstrm · · Score: 2

    Protecting anonymous sources is one thing, but you can't hide behind that if you are witness to a crime.

    "Sorry, I'm a reporter, I don't have to testify" just doesn't hold up.

    Legally, if they witness this guy committing a felony, they are obligated to report him to the police, or be tried as accessories.

    1. Re:Perhaps.. but seriously. by J4 · · Score: 2

      Thanks Mr Ashcroft.

    2. Re:Perhaps.. but seriously. by susano_otter · · Score: 1

      Your User# is significantly more impressive than your wit. Please take a few minutes to experience the shame and humiliation enjoyed by those who realize they've opened their mouths but have nothing to say... thank you. Have a nice day!

      --

      Any sufficiently well-organized community is indistinguishable from Government.

    3. Re:Perhaps.. but seriously. by Stonehand · · Score: 2

      The UN War Crimes Tribunal doesn't see things your way, either -- just ask Jonathan Randal, who's involuntarily testifying in Milosevic's trial after being forced to via subpoena.

      --
      Only the dead have seen the end of war.
    4. Re:Perhaps.. but seriously. by Kintanon · · Score: 2

      That's where this comes in:

      Prosecutor: And what was the defendant doing at the time?

      Reporter: I don't remember...

      Prosecutor: Well, where was the defendant?

      Reporter: I'm afraid I just don't remember.

      Prosecutor: Well, do you remember anything?

      Reporter: Nothing that I can recall....

      They can't FORCE you to remember.

      Kintanon

      --
      Check out JoshJitsu.info for Brazilian Ji
    5. Re:Perhaps.. but seriously. by dillon_rinker · · Score: 2

      Yeah, but the judge can toss your butt in the pen for contempt of court, and there's not much you can do about it. You can appeal it, and the appeals court will probably approve of it. Judges are not automatons.

    6. Re:Perhaps.. but seriously. by Sylver+Dragon · · Score: 2

      That or the ultimate defense in the US:
      "That depends on what your definition of is is"

      --
      Necessity is the mother of invention.
      Laziness is the father.
    7. Re:Perhaps.. but seriously. by zenyu · · Score: 2


      That has to be the stupidest thing they've ever done. I thought they wanted to stop future war crimes by prosecuting the murderers. Now we won't even try to stop war crimes cuz there will be no paid reporters telling us what's up.

  26. if a crime, is it wrong? by wytcld · · Score: 1, Flamebait
    Is the basic doctrine here criminal trespass? Compare normal trespass. People are allowed to walk across your land and appreciate the view there unless you have taken very specific measures of placing precisely worded signs at precise intervals (except in Sweden, where people can cross your land, period). Having a fence around the land does not make it trespass to hop the fence. Having a fence and a gate where the gate has a mechanism that swings it open to anyone clever enough to utter "Open sesame" in front of it in no way makes it illegal to cross your land after going through that gate.

    Granted, buildings are treated differently. (Is cyberspace inside or outside space for these purposes?) But there's still a general right of public access to places of business as long as the door opens and there's no sign or guard specifically informing you you can't go farther.

    Arresting someone for what this kid did is on the level of arresting someone on a shoplifting charge who has merely walked into the store. You've walked in, so you could take something, so you're guilty?

    --
    "with their freedom lost all virtue lose" - Milton
    1. Re:if a crime, is it wrong? by Dannon · · Score: 2

      Interesting analogies, but none quite applicable in this case, imho.

      Is cyberspace inside or outside space for these purposes? I'd say most likely inside. Whenever you enter someone else's system in 'cyberspace', (ignoring the misleading qualities of the word, for the moment) you're 'inside' someone's server.

      Treating these systems as storefronts doesn't quite work. For one thing, you can enter because the store owner -wants- people in his store. If you go causing problems, they have the legal right to kick you out. If you try to enter the 'employees-only' storage area, you could find yourself in trouble. If you enter after business hours, when the doors are locked, you're guilty of breaking and entering.

      And not all places of business are storefronts. If you go walking in the front door of a factory, or many a suit-and-tie 9-to-5 office, you may find yourself stopped at the front desk unless you've been invited in. And if you use the delivery door in back to get to the Top Boss's office uninvited, again, you're asking for trouble.

      Now, as I understand it, he was invited to try and find an insecure entrance. He was an invited guest, and the responsibility falls on the person who invited him. In every businessplace I've worked, all non-employees have had to be accompanied while visiting, for security reasons.

      For his sake, I hope he had that invitation in writing. For the sake of the NBC employee that invited him, I hope that invitation was pre-approved by the employee's boss. And NBC's legal department. If the reporter gave an invitation which he didn't have the authority to give, that reporter is the one who could end up in the most trouble.

      I'll save the cyberspace/real-space analogy rant for another time.

      --
      Good judgment comes from experience.
      Experience comes from bad judgment.
    2. Re:if a crime, is it wrong? by Tony-A · · Score: 2

      Methinks you've got the right handle on the situation.
      The internet is a public network. It's not a bunch of private, gated, security-guarded enclaves.
      Public street and sidewalk. Fence with a gate (keeps children and small pets from wandering too far too fast). Screened-in front porch with screen door. Screen door to house. Main door to house. Stranger knocks on main door.
      Or maybe I'm wrong and modern society has already victimized itself.

    3. Re:if a crime, is it wrong? by maxpublic · · Score: 1

      Having a fence around your land *does* make it trespass if you hop the fence. Under the law, a fence is by definition a very visible warning that you are not wanted on the property without invitation. Any decent barrier will do - the fence doesn't have to be a serious obstacle (e.g., it could be split-rail - but it's still a fence, and that means you aren't allowed to cross it).

      This falls under 'reasonable assumption', i.e., the average person would reasonably consider a fence to be a warning that the land beyond the fence is private property and therefore not to be trespassed on.

      For extra protection signs are often posted as well, just in case you get an incredibly stupid jury who needs things spelled out for them.

      In America, there is no requirement for signs of any sort if a barrier is in place. If signs are posted at regular intervals or at points of entry, then no barrier method is needed. It's either/or, not both.

      And if I show up with a shotgun and tell you to get the hell off my land, that too is a reasonable 'barrier' method fully condoned by the law.

      Max

      --
      My god carries a hammer. Your god died nailed to a tree. Any questions?
    4. Re:if a crime, is it wrong? by blue+trane · · Score: 1

      His intent was to show that the security the organizations thought was adequate was not.

      If someone points out to you that your alarm system isn't working properly, do you thank them and fix it, or try to get them arrested first?

  27. Behind the scenes by Ilan+Volow · · Score: 5, Funny

    Teenage intruder: See? I run nmap 234.34.53.5 and I get a list of all the ports that are open on their machine. I can then do some other stuff with libpcap...

    Brokaw: Wardrobe!....dammit, get this kid a large sleek trenchcoat, combat boots, and a pair of those $300 designer sunglasses. They're expecting Neo, not Urkel. Audio!...cue that "techno" music they listen to. (to "hacker") Okay, kid, your motivation is to disrupt The System, bring down The Corporate Machine that runs the government, and then make it with Carrie Ann Moss in a hovercraft.

    Teenage intruder: But I just thought I would show you how I learned about this network vulnerability in my quest for knowl....

    Brokaw: (to cameraman) Start rolling in five, four, three, two...

    --
    Ergonomica Auctorita Illico!
  28. Who's Tom Brokaw? by Animats · · Score: 2

    You mean those talking heads on TV are real people? I thought they were all synthetic actors

  29. No Speakers by kev0153 · · Score: 1

    I don't have speakers, what is Homer saying? Thanks

    1. Re:No Speakers by Anonymous Coward · · Score: 1, Informative

      "It has come to my attention that NBC sucks." His voice cracks when he says, "sucks".

  30. teleprompter by Bowling+Moses · · Score: 5, Funny

    It would have been great if he would have gotten into the NBC Nightly News teleprompter and put at the end of Tom Brokaw's lines "...and in other news, while visiting a low-income daycare center Dick Cheney bit the head off an infant. Additionally, I am a turnip, vroom vroom."

    I bet he'd say it.

    1. Re:teleprompter by kin_korn_karn · · Score: 2

      Brian Williams would. Tom Brokaw is old-school enough that he would probably read what he says first.

    2. Re:teleprompter by Conare · · Score: 1

      Ouch my side! I laughed so hard that my co-workers are looking at me funny.

      --
      Stop Continental Drift! Reunite Gondwanaland!
    3. Re:teleprompter by jred · · Score: 2

      How about "...and in other news, while visiting a low-income daycare center Dick Cheney bit the head off an infant, Texas-style!!!"

      I don't know who the damn /. poster was that started that Texas-style thing, but it's been stuck in my head since yesterday.

      --

      jred
      I'm not a mechanic but I play one in my garage...
    4. Re:teleprompter by Sibshops · · Score: 1

      Or he can finish Tom's lines by reading the teleprompter directly.

      But that would be too easy.

    5. Re:teleprompter by Brendor · · Score: 1

      I bet you've been reading Bloom County.

    6. Re:teleprompter by quinine · · Score: 1

      HAHAHAHHAA!

      "Basset hounds got long ears."

      OWJ is my hero!

  31. As an ex-genius, I can tell you are a troll by alienmole · · Score: 2

    see subj

  32. Re:As an ex-hacker I tend to only trust Mac OS ser by mwjlewis · · Score: 1
    It seems like you are plain asking, and or creating the challenge, as WELL AS submitting it to the right people.

    I have US$0.10 to the FIRST PERSON to crack a MAC...
    (nice... CRACK A MAC... )

    --
    www.oobersworld.com - For those that ride.
  33. Re:As an ex-hacker I tend to only trust Mac OS ser by Erit · · Score: 1

    I think it's just cuz most people would rather hack windows which just makes it that much easier on them. Plus, who would waste time on a mac? ;)

  34. Re:As an ex-hacker I tend to only trust Mac OS ser by ruhk · · Score: 2, Informative

    Interesting? Please.

    This is a verbatim repost of an old troll--which, I might add, was shot down point for point for point.

    "No root user" is NOT the same thing as "always running as root".

    --
    404 Error: .sig not found.
  35. Re:As an ex-hacker I tend to only trust Mac OS ser by VisualStim · · Score: 3, Funny

    He's absolutely right. Neither one of them have yet been hacked. ;)

  36. His website by EricMcD · · Score: 2, Interesting

    FWIW, his website is http://adrian.adrian.org

  37. Okay... by Orne · · Score: 5, Funny

    So, maybe he doesn't get his exposé on NBC about cracking NBC's networks...

    But I'll bet that ABC would be happy to do a report on cracking NBC's networks...

    Where are you, Mr. Jennings...

  38. Breaking into NBC's Intranet by Mupp252 · · Score: 3, Funny

    Lamo's comment: "It was a very full service system."

    Ohh, Adrian. You should change your name from Lamo to Lmao with those witty one liners!

  39. Re:As an ex-hacker I tend to only trust Mac OS ser by Anonymous Coward · · Score: 1, Funny

    hey, i've got a doorstop here that no one has ever hacked either, perhaps i should go on and on about its virtues . . . i mean, it's about as useful as a mac!

  40. Re:As an ex-hacker I tend to only trust Mac OS ser by swv3752 · · Score: 1

    If MacOS is so great, why does Apple use Solaris?

    --
    Just a Tuna in the Sea of Life
  41. Re:As an ex-hacker I tend to only trust Mac OS ser by Dragon213 · · Score: 1

    MacOS, WinBlows server types, Linux, Unix...most hackers/crackers/defacers I know don't really care what OS you run. If there's a hole in the system, they'll find and use it. Just because there is no prior history of MacOS being hacked, that doesn't mean it hasn't been or couldn't be done. It just means that whatever the hacker/cracker/defacer wants to hack/crack/deface is usually on a M$ IIS or Apache (a few others as well, but those are the 2 big ones) webserver. The fact that MacOS-based servers have not been cracked is simply because no hacker/cracker/defacer has found any reason to break into the system. I'll leave the reasoning behind that to your imagination....

    --
    --CypherDragon
  42. He didn't get to meet Brokaw? by dr_dank · · Score: 1

    Cut him some slack! At least the guy who shot Reagan got to meet Jodie Foster...

    Oh wait, scratch that.

    --
    Where does the school board find them and why do they keep sending them to ME?
  43. ... and preventing sysadmin seppuku by edgarde · · Score: 1
    Not just embarrassment. The story would alert every cracker & kiddie that NBC was a giant turkey with a target sign on its ass. All at once, the night of the broadcast.

    Brokaw wouldn't be able to check his email for weeks.

  44. Very Interesting.... by CarrionBird · · Score: 1

    And I don't see anyone giving good arguments against these points. I don't see OS9 being as efficient with resources as *nix, but that could be an option for websites that don't need big SMP servers but need security. On another note, I don't see how this is news while the hacking of RIAA gets zero mention. (IMHO they're both news, but there's somethin' fishy about the blackout on submissions concerning the now well known incident)

    --
    Free Mac Mini Yeah, it's
  45. Re:As an ex-genius, I can tell you (all facts) by alienmole · · Score: 4, Informative
    Easy:

    The entire premise of "secure Mac OS" web servers is based on two factors:

    1. Reduced functionality tends to improve security. Mac OS web servers have extremely limited functionality, therefore are more secure by default.
    2. Mac OS web servers are not widely used (a serious understatement, hardly anyone uses them), and are thus not targets for attacks. There was a time when it was quite safe to put an unprotected Windows web server on the Internet, for the same reasons, and we all know how secure they turned out to be.

    It would thus be accurate to say "The Mac OS web server may be a good choice if you are clueless, do not know how to administer secure servers, and want to run an OS that is now officially obsolete."

  46. Publishing Flaws vs. Demonstrating Flaws by JohnDenver · · Score: 2

    It's ok to publicize flaws in computer networks, you just can't demonstrate the flaw if doing so is breaking the law. In this case, it seems like he got permission, so I doubt they could consider this an unauthorized intrusion.

    As soon as you mentioned airport security I remembered the guy who got through with something like a box cutter and announced it. They immediately arrested the guy.

    This concludes our lesson on how not to blatantly compare apples to oranges.

    There's probably a double standard in there somewhere, but you didn't find it.

    --
    "Communism is like having one [local] phone company " - Lenny Bruce
  47. Anal Typo bitch by Mulletproof · · Score: 1

    Yep, you're right. My bad.

    --
    You need a FREE iPod Nano
  48. Re:As an ex-hacker I tend to only trust Mac OS ser by foobar104 · · Score: 3, Informative

    If MacOS is so great, why does Apple use Solaris?

    Akamai. Apple's web site is distributed. When you connect to apple.com, you're actually getting www.apple.com.akadns.net, which runs on Solaris.

  49. Re:As an ex-hacker I tend to only trust Mac OS ser by Odin's+Raven · · Score: 2, Informative
    I have nothing against most of your points, but I have a few little nits to pick:

    2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

    Perhaps this is a philosophical nitpick on my part, but by extension shouldn't this mean that the vast majority of Windows programs should be incredibly secure? Prior to NT, all Windows developers were guaranteed that their code would be running as 'root'. That's a lot of developer-time spent in a world where everything is root. And yet, somehow, Windows still seems to have its share of security problems.

    I'm not saying that Macs are as insecure as Windows boxes, just that I'm having trouble following the idea that "always being root" somehow makes programmers more security-conscious.

    3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not.

    A buffer overflow is a buffer overflow is a buffer overflow.

    If you don't check that your destination buffer is big enough to hold the contents of your source buffer, then your code becomes a bug in search of an exploit. Doesn't matter if the length is stored at the beginning, doesn't matter if you count until you find a NUL. If you copy from A to B and sizeof(B) < sizeof(A), you're just looking for trouble.

    Yes, ladies and gents, sometimes size does matter...

    --
    A marriage is always made up of two people who are prepared to swear that only the other one snores.
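A worked example of the point made in the reply above ("a buffer overflow is a buffer overflow"), added here and not part of any post in the thread: a length-prefixed Pascal-style string type, a copy routine that trusts the source length, and a copy routine that checks the destination's capacity. The Str255 layout (one length byte, up to 255 characters) is the classic Mac convention; the 32-byte region, the 16-byte "logical" buffer, the guard byte and the two sample inputs are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic Mac OS "Str255": one length byte, then up to 255 characters.
 * No NUL terminator and no hunting for one, but also nothing that says
 * how big the buffer you are copying INTO is. */
typedef struct {
    unsigned char len;
    char data[255];
} pstring;

/* Build a Pascal string from a C literal (truncating at 255). */
static pstring pstr_from(const char *s)
{
    pstring p;
    size_t n = strlen(s);
    memset(&p, 0, sizeof p);
    if (n > 255)
        n = 255;
    p.len = (unsigned char)n;
    memcpy(p.data, s, n);
    return p;
}

/* VULNERABLE: trusts the source length and never asks about dst's
 * capacity. If src->len exceeds the caller's buffer, the extra bytes land
 * on whatever sits after it, length prefix or not. */
static void pstr_copy_unchecked(char *dst, const pstring *src)
{
    memcpy(dst, src->data, src->len);
}

/* HARDENED: bounded by the destination capacity. Returns 1 if the whole
 * string fit and 0 if it was truncated, so the caller can reject the
 * input instead of silently mangling it. */
static int pstr_copy_bounded(char *dst, size_t cap, const pstring *src)
{
    size_t n = src->len;
    int fit = 1;
    if (n > cap) {
        n = cap;
        fit = 0;
    }
    memcpy(dst, src->data, n);
    return fit;
}

/* Demonstration harness (constructed). A 32-byte region stands in for the
 * stack: the first LOGICAL_BUF bytes are the buffer a careless program
 * believes it has, the rest are guard bytes standing in for whatever lives
 * after it (another local, a saved register). Inputs longer than the
 * region are refused so the demo itself stays memory-safe. */
#define REGION_SIZE 32
#define LOGICAL_BUF 16
#define GUARD_BYTE  'G'

/* Constructed sample inputs: 24 bytes (overruns a 16-byte buffer) and 5. */
static const char LONG_INPUT[]  = "024-byte-string-overflow";
static const char SHORT_INPUT[] = "short";

/* 1 if the unchecked copy clobbered the byte after the logical buffer,
 * 0 if not, -1 if the input would not even fit the demo region. */
static int unchecked_clobbers(const char *input)
{
    char region[REGION_SIZE];
    pstring src = pstr_from(input);
    if (src.len > REGION_SIZE)
        return -1;
    memset(region, GUARD_BYTE, sizeof region);
    pstr_copy_unchecked(region, &src);
    return region[LOGICAL_BUF] != GUARD_BYTE;
}

/* Same check for the bounded copy: never clobbers, whatever the input. */
static int bounded_clobbers(const char *input)
{
    char region[REGION_SIZE];
    pstring src = pstr_from(input);
    memset(region, GUARD_BYTE, sizeof region);
    (void)pstr_copy_bounded(region, LOGICAL_BUF, &src);
    return region[LOGICAL_BUF] != GUARD_BYTE;
}

/* Whether the bounded copy reported that the input fit. */
static int bounded_fits(const char *input)
{
    char region[REGION_SIZE];
    pstring src = pstr_from(input);
    return pstr_copy_bounded(region, LOGICAL_BUF, &src);
}

int main(void)
{
    printf("unchecked, long input: clobbered=%d\n", unchecked_clobbers(LONG_INPUT));
    printf("unchecked, short input: clobbered=%d\n", unchecked_clobbers(SHORT_INPUT));
    printf("bounded, long input: clobbered=%d fit=%d\n",
           bounded_clobbers(LONG_INPUT), bounded_fits(LONG_INPUT));
    return 0;
}
```

The length byte removes the NUL hunt and the off-by-one on the source side; it does nothing about the destination, which is the side that overflows. The bounded variant is deliberately a reject-or-report design rather than a silent truncation, since a truncated filename or path is its own class of bug.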
  50. Re:As an ex-hacker I tend to only trust Mac OS ser by Anonymous Coward · · Score: 1, Informative
    It amuses me that people keep forgetting that no MacOS based webserver has ever been hacked into in the history of the internet.
    That's a bold statement, which you probably don't have statistics to support. The Mac has been around for 18 years or so, the web for 11. How can you be so sure?
    No Root user. All mac developers know their code is always running at root.
    This just means that if the box is exploited, the potential for damage is much worse. Unprotected memory means that an exploit can overwrite another program's data/code too.

    I honestly think, knowing many of them, that most Mac OS programmers don't give a shit about security. They just want a program that works. Few of them seem to realize that not all data is to be trusted. (How many times have you dragged a file into your favorite application and had the whole system crash? That's proof.) I've found that UNIX programmers tend to be most aware of this.
    Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS.
    Enjoy your 255-character limit. Or the fact that a 1-character string still takes 256 bytes. (And by the way.. Many exploitable programs do in fact have length arguments/members. They only go so far; it's when the human programmer disobeys/disregards them that's the problem.)
    Stack return address positioned in safer location than some intel OSes. Buffer exploits take advantage of loser programmers lack of string length checking and clobber the return address to run their exploit code instead. The Mac places return address in front of where the buffer would overrun. Much safer.
    I don't understand this part.

    void foo( int x ) {
    char buf[256];
    }

    On i386, the stack for this function would look like this:

    ebp-4: return address
    ebp: old stack pointer
    ebp+4: buf
    ebp+260: esp (new stack pointer)

    In other words, the return address is BEHIND any local variables.

    How often are strings terminated on the left rather than the right? I often do loops backwards, but it would never go to the left of the original buffer...

    On the other hand, you could do this...

    void foo( char *buf, void *c ) {
    memcpy( buf+256, &c, sizeof(c) );
    }
    void bar() {
    char buf[256];
    foo( buf, shellcode );
    }

    And that could be bad... But how often is this actually possible? Most programmers are smarter than this.
  51. "Based on historical evidence..." by volpe · · Score: 5, Funny

    The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on historical evidence.


    Based on historical evidence, my backyard shed is burglar-proof.

  52. Re:Very Interesting.... The post is correct. by CarrionBird · · Score: 1

    My experience may be obsolete... I seem to recall having to deal with fixed ram settings for each application, but that was way back in 8.something and before days.

    --
    Free Mac Mini Yeah, it's
  53. Insight and Observations by Mtn_Dewd · · Score: 1

    Does anyone have insight or possible explanations as to Adrian's website? I'm interested in other people's opinions and interpretations.

    --
    My little sad piece of the internet: www.mtndewd
  54. Re:As an ex-hacker I tend to only trust Mac OS ser by br0therben · · Score: 1

    Sir,
    While I agree that Mac has not experienced the volume of attacks and exploits that other Operating Systems have, I have a few minor issues with your arguments. Not all of them, as I certainly give credit where credit is due. Just a few:

    1)No command shell: I profess ignorance on this point, other than I've been told that OSX runs on some sort of Unix kernel. Maybe that isn't entirely accurate, but I've seen a shell on an OSX box.

    2) Well if 1 above is true, then yes you have a root user on Mac now. Sorry if I don't understand how the Mac OSX system works, anyone else have any clues?

    3) Yes but are C "strings" the number one way people break into systems? It's not how Lamo has been compromising these systems...and anyway, this point has nothing to do with the kind of vulnerabilities Lamo has been exploiting (if you'd even call them vulns... more like someone exploiting stupid user tricks).

    4) Yes, this is mostly true. However if a Mac cgi script allows a user to do something he shouldn't, then I don't see how it matters whether or not it is executable on Apache or Mac or whatever. What I'm trying to say is that if a shopping cart cgi doesn't properly check for proper input then a user can (usually) exploit said cgi script. Cross-site scripting is a good example of this.

    5)Neither does Unix. It has to have the execute bit set, usually - not that that's hard to do, given the proper access. Still I guess it's easier to do things like set a trojan "ls" command (assuming root user is dumb enough to have a "." in his path), so ok. What if I write a shell script in a bash shell in OSX? Can't I just execute that? I doubt I need a special secondary file (like an inode?) for that...sorry if I don't understand Macspeak.
    6) Understood, assuming it's true.
    7)No, fewer macs were hacked because the code wasn't open-source. OR not totally. Am I incorrect? That cash prize has been up for like 6 years now, and even when Macs had more than 3 percent of the market there weren't any takers. I guess that makes Mac more secure...?

    I guess most of your points are valid, just not poignantly so.
    -Brotherben

  55. Forget that.... by El+Camino+SS · · Score: 2

    In the ENG news business, I have never been called a "Videographer." In the news business all across America a News Photographer is called a "Photog."

    I would know this because I am currently a "photog." This person has more than likely never worked in a television newsroom.

    1. Re:Forget that.... by DigitalSorceress · · Score: 2

      Actually, I called it that specifically because of this: How many times have you told someone you were a news photog and they assume you meant with still cameras for a newspaper or magazine?? I used to get that

      J.Random person: "Oh and what do you do for a living?"

      Me: "I'm a News Photog at Channel 22"

      same J.Random Person: "Oh, I didn't know they took photographs too"

      Me: "No, I use a video camera... a Sony Betacam SP camcorder with a fujinon lens"

      other J.Random person who thinks they know about everything: "Oh the Beta format died years ago... too bad it was much better than VHS"

      Me: .. unintelligible strangling noises..

      THAT is why I said videographer instead of Photog... believe me or not, I don't care past making this reply.

      --

      The Digital Sorceress
  56. Big-Boo-Tay by burgburgburg · · Score: 1
    It's pronounced Big-Boo-Tay!!!!

    (John Bigboote, Yoyodyne)
    Red Lectroid, Planet 10

    1. Re:Big-Boo-Tay by burgburgburg · · Score: 1
      It's not my damn planet, monkey boy.

      John Bigboote, Yoyodyne Red Lectroid, Planet 10

  57. Re:As an ex-genius, I can tell you (all facts) by alienmole · · Score: 2
    Millions of people continue to buy Macs to use as personal workstations - my g/f is one such, although having some technical savvy, she's running OS X. Nobody buys Macs to use as corporate web servers (the subject here is the hacking of NBC, remember?)

    What functionality do you want.

    Hmm, let's see... How about, say, multithreading? The ability to play DVDs without skipping if you so much as move the mouse?

    Look, the old Mac OS had a cutting edge GUI when it came out, in 19-frickin-80-something. It had various usability innovations. But on the technical capabilities of the OS, it hasn't cut it for a long, long time.

  58. Re:As an ex-hacker I tend to only trust Mac OS ser by CarrionBird · · Score: 1

    He's talking about OS9 not OSX. OS9 doesn't have/need a command shell (other than that debug prompt).

    --
    Free Mac Mini Yeah, it's
  59. CBS Filmed Their Illegal Activities in 1989 by Mad+Man · · Score: 2
    It's ok to publicize flaws in computer networks, you just can't demonstate the flaw if doing so is breaking the law. In this case, it seems like he got permission,

    On the March 16, 1989 edition of CBS's 48 Hours, reporter David Martin told viewers that he converted a semi-automatic rifle to full-automatic without a license, which is a felony. CBS filmed the conversion work, and broadcast part of it on the program. Unlike David Koresh, who was suspected of doing the same thing, CBS only received a letter of reprimand from the BATF.
  60. Re:As an ex-hacker I tend to only trust Mac OS ser by adrew · · Score: 1

    If you check www.apple.com (instead of just apple.com) you'll see that they're running Mac OS X.

    Apple advertises this at the bottom of most of their webpages.

  61. My guess by SeanAhern · · Score: 1

    I'm guessing that the password was one of:

    1) "password"
    2) The same as the account name. Like having "root"'s password be "root".

    1. Re:My guess by Ilgaz · · Score: 1

      Reminds me of a funny memory. An admin friend at the newspaper he works for was scanning his own network.

      That evil tool (I don't remember its name) displayed 2 lines that I'll never forget in my life:

      "warning, user mac's password is set to mac"

      No comment :))

  62. You're proving my point? by JohnDenver · · Score: 2

    CBS *FILMED* the conversion work - Publicized - Nothing happened

    David Koresh Performed the Conversion - Demonstrated - Got into trouble

    Now if the reporter had PERFORMED the conversion, I'd say you're on to something.

    Are there double standards? Probably.
    Did you demonstrate one? No.
    Did you make the same mistake as the original poster? Yes.
    Will you learn to distinguish between the two? (Insert Your Answer Here)

    --
    "Communism is like having one [local] phone company " - Lenny Bruce
  63. Re:As an ex-hacker I tend to only trust Mac OS ser by dillon_rinker · · Score: 2

    Prior to NT, all Windows developers were guaranteed that their code would be running as 'root'

    True...how many Windows 95-based web servers are there?

  64. New DoS attack by gallir · · Score: 2
    http://online.securityfocus.com/news/595 is /.ted, so they will send in a few hours a new security report of the worst DoS they just found.

    ...to avoid the DoS attack, avoid writing anything which could be interesting to those geek/nerds/freaks that waste their whole life in...

    --
    sgis ddo ekil t'nod i
  65. Slashdotted by 5lash · · Score: 1

    Anyone got a Google Cache? I tried finding it, but can't work out how to get it lol. I narrowed my Google search down to the online.securityfocus.com domain but still didn't find anything. Maybe they just haven't got it Indexed/Cached? Someone could at least post a txt version

  66. HA! by DarkHelmet · · Score: 2
    Have you ever noticed that Tom is the drunkest sounding sober person you'll ever hear?

    I bet the hacker noticed that there's an IV going into him from under the desk, and electrodes attached to his nuts if he decides to do anything stupid.

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  67. Re:As an ex-hacker I tend to only trust Mac OS ser by vanyel · · Score: 2
    there has never been a Mac exploited over the internet remotely

    ...until this post was read by hackers...

  68. Adrian Lamo makes me laugh. by Omniscient+Ferret · · Score: 1
    He strikes me as cool. He broke into Yahoo News last year (Google cache) and wrote some great quotes from Attorney General Ashcroft, about "the haunting specter of inner-city minorities with unrestricted access to literature, and through literature, hope" and "They shall not overcome. Whoever told them that the truth shall set them free was obviously and grossly unfamiliar with federal law."

    If you're not convinced he's not a stereotypical l337ist, check out some pictures of him. He's cool.

  69. Re:As an ex-hacker I tend to only trust Mac OS ser by GoatPigSheep · · Score: 2

    why has the parent been modded as troll? It's all true, my school uses MAC OS and webstar servers and it's never been hacked (there are 10,000 people who go there as well as a large computer science department)

    --
    GoatPigSheep, the 3 most important food groups
  70. Re:As an ex-hacker I tend to only trust Mac OS ser by Odin's+Raven · · Score: 2
    True...how many Windows 95-based web servers are there?

    IIRC, the (admittedly cheesy) Microsoft Personal Web Server was shipped with Win95. (Don't have any 95 boxes anymore, so won't swear to it. Win 98 definitely comes with PWS.)

    Apache. (They're very open-minded. :-)

    Quick check on TuCows shows 9 more web servers supporting 9x.

    CNet's download.com has a whopping 192 entries in their Windows/Web Authoring/Servers area if you filter it down to Win95. But take CNet's count with a grain of salt...they don't seem to differentiate between server-support/test apps and actual servers. But I'm not gonna hunt through a list that size to get a better count.

    Anyways, I think it's safe to say that, strange as it may sound, there actually are Win 9x-based servers available.

    Okay, but we're starting to wander from the original "Macs are secure because they have no security" topic, which was already wandering pretty far from the "hacker denied 15 seconds of fame" topic.

    I'd ask someone to mod me down, but saying "yeah, go ahead, mod this down" always seems to end up with people modding it up to +5 Insightful because it's got that ever-popular angst-driven sound first popularized by Eeyore. (Donkey. 100 Aker Woods. Christopher Robin. Ah, never mind....)

    Ahem... Okay people, listen up! My post is not insightful. It's offtopic! "Offtopic" might look a lot like "Insightful" in the moderator pulldown, but if you look really closely, you'll notice that they're spelled slightly differently. Yes, I know it's subtle...they both start with a big letter and have smaller letters afterwards. Just hang in there, kids...hopefully the next SlashCode release will have a picture-based moderation system.

    --
    A marriage is always made up of two people who are prepared to swear that only the other one snores.
  71. I'm not a Genius But it seems he just got Lucky by Nazmun · · Score: 1

    I'm not a genius but it seems as though this guy just got lucky guessing a password. If you have a stupid network or system admin that uses common passwords then OS is irrelevant.

    I also noticed that you mentioned hacking webservers like Webstar... the article mentions that he hacked into the intranet, this is different from hacking into a webserver.

    --
    Hmmm... Pie...
  72. Re:As an ex-hacker I tend to only trust Mac OS ser by Ivop · · Score: 1

    A Mac is emulating CPU opcodes? That's funny. Good for speed too! --Ivo

  73. Hacking Teleprompters by Nonesuch · · Score: 2
    Although the host that stores the script for editing may be on the station internal LAN, with little or no security, the teleprompter itself is unlikely to be networked, and if so, is most likely on a private segment, not the main LAN.

    In general, broadcast station teleprompter hardware itself is very old technology, with a simple serial cable to load the script (a text file with some very simple markup sequences to adjust speed, fonts, etc)

    Among the cheapest "professional" teleprompters are Stewert, starting around $1K. You can throw together your own home-brew solution for a few bucks, but "real" TV stations are sticking with the old, expensive, pre-MS-Windows solutions.

    Usually the producer and on-air talent will run through the script at a high speed (just barely readable without practice) shortly before going on air, so your timing would have to be just right if you want to add any extra little "surprises" with any chance of success.

    It's an interesting idea, but even for a live news broadcast, it's not likely that you would slip anything through.

  74. Who puts the "guest" in "guess"? by redarius · · Score: 1

    it was, i believe: username: guest password: guest the mighty have fallen on simpler mistakes. . . but few come to mind. :)

  75. Re:As an ex-hacker I tend to only trust Mac OS ser by sir99 · · Score: 1

    You've got it backwards and all mixed up. x86 stacks grow down in memory, and arguments are pushed before the return address, so it looks like this:

    ebp+8: x
    ebp+4: return address
    ebp+0: old frame pointer
    ebp-256, esp: buf

    So if you write a new return address to buf[260], and write some opcodes past that to return to, you get your buffer overflow and subsequent exploit.

    --
    The ocean parts and the meteors come down
    Laid out in amber, baby.
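An added example, not from any post in the thread, that models the frame sir99 describes as plain bytes so you can see which input bytes land where. The offsets follow the 32-bit cdecl layout above (buf at ebp-256, saved ebp at ebp+0, return address at ebp+4, x at ebp+8), so the return slot starts at buf[260] exactly as the post says. The addresses 0x08048500 and 0xbffff0c0 and the 0xdeadbeef replacement are constructed placeholders, not from any real binary; the copy is clipped to the model so the demo stays within its own array, which a real strcpy would not do.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets inside a model of foo's frame, measured from the start of
 * buf (ebp-256). Same layout as the post: buf at ebp-256, saved ebp at
 * ebp+0, return address at ebp+4, the argument x at ebp+8. */
#define BUF_SIZE      256
#define OFF_BUF         0
#define OFF_SAVED_EBP (OFF_BUF + BUF_SIZE)   /* 256: ebp+0 */
#define OFF_RET       (OFF_SAVED_EBP + 4)    /* 260: ebp+4 */
#define OFF_ARG       (OFF_RET + 4)          /* 264: ebp+8 */
#define FRAME_SIZE    (OFF_ARG + 4)          /* 268 bytes modelled */

/* Constructed placeholder values; not addresses from any real binary. */
#define ORIG_RET 0x08048500u
#define ORIG_EBP 0xbffff0c0u
#define ORIG_X   7u

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;
    p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16);
    p[3] = (unsigned char)(v >> 24);
}

/* Lay the frame out as it looks right after foo(int x) is entered. */
static void init_frame(unsigned char *f)
{
    memset(f, 0, FRAME_SIZE);
    store_le32(f + OFF_SAVED_EBP, ORIG_EBP);
    store_le32(f + OFF_RET, ORIG_RET);
    store_le32(f + OFF_ARG, ORIG_X);
}

/* VULNERABLE: strcpy-style copy into buf that never consults BUF_SIZE.
 * Clipped at FRAME_SIZE only so the demo stays inside its own array. */
static void unchecked_copy(unsigned char *f, const unsigned char *in, size_t inlen)
{
    size_t n = inlen < FRAME_SIZE ? inlen : FRAME_SIZE;
    memcpy(f + OFF_BUF, in, n);
}

/* HARDENED: the same copy with the check the other one lacks. */
static int bounded_copy(unsigned char *f, const unsigned char *in, size_t inlen)
{
    if (inlen > BUF_SIZE)
        return 0;               /* reject rather than truncate silently */
    memcpy(f + OFF_BUF, in, inlen);
    return 1;
}

/* Build an input of 'A' bytes and, when inlen is long enough to reach the
 * return slot, plant new_ret at bytes 260..263 (buf[260], as in the post). */
static void build_input(unsigned char *in, size_t inlen, uint32_t new_ret)
{
    memset(in, 'A', FRAME_SIZE);
    if (inlen >= OFF_RET + 4)
        store_le32(in + OFF_RET, new_ret);
}

/* Value of the 4-byte slot at 'off' after an unchecked copy of inlen bytes. */
static uint32_t slot_after_unchecked(size_t inlen, uint32_t new_ret, size_t off)
{
    unsigned char frame[FRAME_SIZE], in[FRAME_SIZE];
    init_frame(frame);
    build_input(in, inlen, new_ret);
    unchecked_copy(frame, in, inlen);
    return load_le32(frame + off);
}

/* Same, with the bounded copy: oversized input is refused, frame untouched. */
static uint32_t slot_after_bounded(size_t inlen, uint32_t new_ret, size_t off)
{
    unsigned char frame[FRAME_SIZE], in[FRAME_SIZE];
    init_frame(frame);
    build_input(in, inlen, new_ret);
    (void)bounded_copy(frame, in, inlen);
    return load_le32(frame + off);
}

int main(void)
{
    printf("256 bytes: ret=%08x ebp=%08x\n",
           slot_after_unchecked(256, 0xdeadbeefu, OFF_RET),
           slot_after_unchecked(256, 0xdeadbeefu, OFF_SAVED_EBP));
    printf("261 bytes: ret=%08x (one byte clobbered)\n",
           slot_after_unchecked(261, 0xdeadbeefu, OFF_RET));
    printf("264 bytes: ret=%08x\n", slot_after_unchecked(264, 0xdeadbeefu, OFF_RET));
    printf("bounded:   ret=%08x\n", slot_after_bounded(264, 0xdeadbeefu, OFF_RET));
    return 0;
}
```

Two things the byte model makes visible that the prose does not: the saved frame pointer is trashed four bytes before the return address is (bytes 256..259), which on a real machine crashes the caller even when the attacker has not reached the return slot, and a copy that is only one byte too long already changes the low byte of the return address, so "it only overflowed a little" is not a defence.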
  76. Sorry, TERRORISTS.NET is taken; But... by xintegerx · · Score: 1

    "The following alternative domains are available:" 4terrorists.com myterrorists.com netterrorists.com terroristsgroup.com terroristsonline.com terroriststech.com terroristsweb.com webterrorists.com 4-terrorists.com forterrorists.com freeterrorists.com onlineterrorists.com terroristsdirect.com terroristsit.com terroristslink.com terroristssite.com

    Somehow I have a feeling that spending $15 to register any of those suggestions is worse in the eyes of the FBI than hacking a broadcasting company website worth hundreds of millions......... ;)

    I don't think Lamo has anything to be afraid of :0

    ~Int

  77. Re:As an ex-hacker I tend to only trust Mac OS ser by gleam · · Score: 2

    sure, it's a troll, but it's also wrong.

    http://attrition.org/mirror/attrition/os.html#ALL

    Sure, the MacOS/MacOSX defacements only represent 0.8% of total defacements, but they're still there :)

    -gleam

    --
    this .sig is not a .sig.
  78. Re: The Crack-a-Mac contest by Saint+Fnordius · · Score: 2

    Small bit of history here: at one time, a Swedish company ran a contest they named Crack a Mac, and offered about US$10K to the first person to be able to break into the system. They ran this twice, with one prize award (there was a second exploit, but the contest runners denied that the exploit happened. Nevertheless, it is accepted by most that it happened).

    So MacOS/WebStar-based web servers have been hacked, but there is only one famous case. And never forget that any system is vulnerable to "social engineering" and shoddy passwords.

  79. I did it too... by mikeage · · Score: 2

    ...to Globo (the major TV network in Brazil). No, I'm not Brazilian, but they got my name from some contacts-- long story, I don't have time to go through that.

    Basically, I got a call from a Producer (David Something-I-Can't-Pronounce) wondering if I'd be interested in coming down to their studio (I was in college in NYC at the time, and they're on 9th and 50-somethingth) and trying my hand at their system. I tried to borrow a friend of mine's laptop so I could bring a sniffer, but I couldn't find him in time.

    Instead, I went down there, "borrowed" a laptop from them, and quickly installed linux. Explaining that this is what I'd use myself, I plugged into a convenient network jack and started working.

    Long story short, I chose as my victim the reporter (not the producer) who would be interviewing me later; her name was Anna Padrao Something-Beginning-With-A-P. Well, her password was app426, where 4/26 was her b-day. *yawn* The only major problem was that once I was in to their BBS-like system, it was in Portuguese, which I don't speak! Of course, that also let me into her email account, and she even had a shell account on their email server-- though I know she didn't even know it.

    I was going to go after root next, but we had to film, so we stopped there. We filmed the whole segment, but then some higher-up thought it'd embarrass the network too much, so it was pulled. I still have a copy-- kinda cool to see your own voice subtitled in Portuguese :)

    --
    -- Is "Sig" copyrighted by www.sig.com?
  80. Please... by JohnDenver · · Score: 1, Offtopic

    You wrote:
    Isn't that the point of a parody? To show how absurd things would be if taken to extremes? They're bound to be right once in a while.

    Spaceballs warned us of this day!!

    I wish I knew somebody who installed Linux recently. I'd love to get a story posted on Slashdot


    1. Your first 3 sentences were patronizing and condescending
    2. Your 'Spaceballs told us this day would come' was meant to be disarming, especially after being patronizing and condescending.
    3. You didn't get the joke, your disarming joke conveys NOTHING that would suggest you DID get the joke. Your patronizing insights conveyed EVERYTHING that you didn't get the joke. If anything, your disarming joke vindicated one of your points, "They're bound to be right once in a while."
    4. I argue/insult for practice.
    5. I didn't need to get shitty with you.
    6. I don't want to grow up, but I guess I have to.
    7. You seem like a very nice person.
    8. Even nice people can be intentionally/inadvertently patronizing / condescending.
    9. I didn't need to get shitty with you.
    10. You probably demonstrated one of the nicest ways of correcting someone (esp. the disarming notice)
    11. There will always be assholes like me who will interpret your kind criticisms viciously.
    12. I didn't need to get shitty with you.
    13. I'm sorry

    There you go. Not only do you get an apology, but you get vindication, insight into assholes, and knowing you've influenced someone for the better.

    Rather than trying to learn the art of being insulting, maybe I should learn the art of being insightfully ironical...

    --
    "Communism is like having one [local] phone company " - Lenny Bruce
    1. Re:Please... by Anonvmous+Coward · · Score: 1, Offtopic

      Ya know, the apology is nice, but I really appreciate that you took the time to read what I said and process it. That was very classy of you and I appreciate it. I now have a very high opinion of you.

      I read your response this morning and decided to step back a bit and reread my post. You're right, it does sound patronizing and condescending. Didn't originally mean it that way, and I didn't see it that way until I took a harder stab at reading it from your point of view. I believe this means I should work on making my expressions clearer in the future.

      Thanks man. Have a good weekend.

  81. No, I'm proving your point... by JohnDenver · · Score: 2

    Maybe if I had taken 3 seconds to read his post instead of trying to be clear, I would have understood.

    Will you learn not to be such an asshole when you post? Yes, The asshole thing isn't working out, I was really insulting with some Ned Flanders guy (Nice guy, tries to be disarming) and I realized that this was getting out of hand.

    I guess I always admired guys who were harshly insulting when I was a kid, because I could never do it myself. I figure I'll tune down the harshness and hatefulness and try to exercise insightful irony (much harder to do)

    --
    "Communism is like having one [local] phone company " - Lenny Bruce
  82. I'd like to challenge your factors. by elocutio · · Score: 1

    Mac OS web servers have extremely limited functionality, therefore are more secure by default.

    Please give me a list--or even one example--of the "limited functionality" of MacOS 9.1 running WebSTAR, versus, say Red Hat running Apache. I want to know which features don't exist between the two. Hell, I'll even make it easy for you. Compare the differences of the Macintosh server that I described to a Netscape Enterprise server on Solaris. You seem like you're just mindlessly bashing Macs. If that's true, it's okay with me; I just want to know if this is an informed opinion or a troll.

    Mac OS web servers are not widely used, and are thus not targets for attacks.

    Are Mac OS web servers common? Not even. I think that something like 0.06% of the market uses WebSTAR. We're talking maybe 30-100,000 servers worldwide. So, I don't dispute that point. Are they secure? There is only one U.S. Gold Depository, not a hundred million. That doesn't make it any more or less easy to break in. However, many have made the claim that the Treasury vault in Fort Knox, Kentucky is impenetrable. My point is that the numbers have no relevance at all. Whether there is one Mac webserver or one hundred million, secure is secure is secure.

    Try coming up with a way to hack a Mac webserver. Go ahead. Get a team of script kiddies together and go after a Mac running WebSTAR. Dude, I spent six months in college trying to defeat a hacker challenge posted on a Finnish newsgroup, and I couldn't get that mother to break. I'm still quite bitter about it, actually.

    Hacking a Mac webserver ranks up there with proving Fermat's Last Theorem, or inventing tabletop fusion. It's likely possible, but challenging enough that only the seriously insane need apply.

    1. Re:I'd like to challenge your factors. by alienmole · · Score: 2
      You seem like you're just mindlessly bashing Macs. If that's true, it's okay with me; I just want to know if this is an informed opinion or a troll.

      Not intended to be a troll - but it was a response to what was effectively a troll. The limited functionality claim was effectively made by the message I responded to: no command shell, no security permissions (all code running as root). So, it seems like the way to hack it would be to find an ISP foolish enough to use it, get an account, and take it from there...

      I'll add another limitation, which is no multithreading. I can't imagine a Webstar server doing a good job of being a web application server, i.e. where it's doing something much more substantial than serving static pages. I'll admit I haven't tried it. But I've done a fair amount of server-oriented system level coding, and am very familiar with concurrency issues and the various kinds of APIs on multiple platforms, and cooperative multitasking is not going to cut it in any kind of high-demand situation.

      For some testimonials, try this page: "iTools/Apache has been much more reliable than WebSTAR. WebSTAR used to tank (especially on the SSL side) twice a month at least. Under heavy load the SSL side tended to crash"; or, "I had...the same 'tanking' problems which [put me] twice a month in front of the computer to fix what had to be fixed."

      4D even promoted WebStar v4.5 as "more stable" - an interesting tacit acknowledgement. Perhaps Mac vendors are just more honest... BTW, WebStar V is multithreaded, so clearly 4D are aware of the problems inherent in the prior Mac architecture.

      Whether there is one Mac webserver or one hundred million, secure is secure is secure.

      I think you're missing the logical point on a number of fronts. The Fort Knox example is actually a good one - no-one knows how secure it is in reality, because it hasn't suffered any serious attacks. For all we know, it might have a horrible Achilles' heel. You can only make claims and assumptions, and "impenetrable" is a clearly invalid claim. Impenetrable to what? The U.S. Army? A fleet of killer radio-controlled vehicles?

      As I said, you could have made a claim about the security of Windows, back around '96, and the empirical evidence would not have disagreed with you, simply because net hackers were not yet seriously targeting Windows machines. Similarly (almost conversely), the fact that you didn't succeed in cracking WebStar means very little. Without a hacker population attacking WebStar with the same gusto that they attack Windows and Unix servers, the empirical evidence is of limited value.

      That all said, I'm perfectly willing to concede some basic points: a biggy is that use of the Pascal string convention is certainly less likely to suffer from buffer overruns than the C convention, and that's a major source of holes right there. I'm not saying that Webstar isn't more secure in general or by default than your average C-language web server on Unix - it may very well be. But so what? It's a bit like saying that living in Siberia, you're less likely to be mugged. True, but irrelevant to most people.

      Besides, a big problem with the original message I responded to was the implication that other servers couldn't be configured to be as secure. That, I dispute strongly. None of the servers I maintain have ever been hacked, even when boxes on either side of them have been. I know of many other servers that have never been hacked. The way to be secure is to have an understanding of what makes you secure, and to act on that, not to blindly purchase something because it says "secure" on the box, shut your eyes, and hope for the best. I've maintained secure Windows servers, secure Linux servers, secure BSD servers (various flavors). I'm tempted to say something like "software doesn't make boxes insecure, people make boxes insecure." It's close to the truth.

      It was really the entire combination of specious claims and invalid assumptions that caused me to react to the original message.

  83. Yes, by mindstrm · · Score: 1

    you are.
    Or at least, you are guilty of something, not sure what the charge would be.

  84. THIS is insightful? by alizard · · Score: 2

    One would think that here of all places, at least the moderators would know that public belief in 'security by obscurity' is just another crackpot notion, to be taken as seriously as the idea that Microsoft makes secure operating systems. They could have delayed the broadcast, fixed the holes, hired Lamo or a competent security firm to make sure there weren't any more, and publicly thanked him for giving them a security wakeup call.

  85. Security by dogma is not a solution. by FallLine · · Score: 2

    While it MIGHT make sense in the case of computer security to always publicize everything (though I would argue this in some cases), the reverse is often true in the real world. That Joe Schmoe can pull a machine gun and kill 50 people at locations all across the country isn't the result of a bug that can be practically fixed. Maybe we can hire enough security people to stop those same psychos at a handful of locations, but the fact remains that we simply CANNOT do it at enough locations to make a difference. It is NOT economically feasible. Therefore publicizing it does not help; all it does is give inspiration to those few crackpots in this country. Do you really want to tell me that the media didn't play a huge role in the string of massacres that happened? Please. Before you shoot off at the hip and nitpick, think about what you are saying. The media has made numerous stories that practically give a recipe for the terrorists and/or psychos, and often glean information that a terrorist could not get (by using press credentials to extract information from supposedly respectable anonymous sources in mid-level government and what not). Some things are better off left unpublished, unhyped, and undescribed. Perhaps the evildoers can obtain that same data themselves, but there is a difference in the inspiration (i.e., they would have to think of it themselves), the ease of the data collected, and so on. Not publicizing it makes a difference and this case is easily demonstrated empirically.

    Oh yeah, and the fact that Lamo's case might be an apt example of where obscurity by openness works only strengthens my argument.

    1. Re:Security by dogma is not a solution. by alizard · · Score: 2

      Your optimism that the "bad guys" don't already know this and that the "secret" isn't simply being kept from the taxpayers in order to protect the jobs of irresponsible managers, is rarely founded.

      The reason this needs to be publicized is the same reason that people who find exploits should publicize them. Like your role models at Microshit, organizations and companies rarely correct even obvious problems unless and until they are forced to do so. That "the bad guys" know is rarely motivation enough. Like in the world of computers, there are many targets and the idea that one might actually get off one's ass and perform just because someone says you have a problem seems very remote.

      Perhaps if you knew anything about the real world and got your opinions somewhere other than TV news and here, you wouldn't be wasting people's time with crap posts like yours.

      You should stop posting on public policy until after you learn something about how government and society works, should you happen to be capable of doing so. While you have a right to your opinion, you have no right to have it respected.

      You are the classic example of the useful fool without which no terrorist operation can hope for success.

  86. A clear sign that you're losing an argument by FallLine · · Score: 2

    is when you start trying to hurl personal invective into an argument. Meanwhile you completely ignore mountains of empirical evidence, leave huge gaps in your logic, and so on. How precisely does one fix the thousands of miles of open borders? What magical band-aid is there for simultaneously allowing reasonably expedient international commerce and preserving high security at the same time? How is anyone helped by the media announcing the location of say, gamma radiation detectors (for the detection of nuclear materials)? What good has come of any of these announcements? ... No facts, just dogma.

    Like in the world of computers, there are many targets and the idea that one might actually get off one's ass and perform just because someone says you have a problem seems very remote.
    Yeah sure. Columbine and similarly modelled attacks happened within weeks of each other. This of course was just chance, right? And man, our security is so much better now for all of the coverage of the flaws in high school security. Pfft.

    Real World != Computer Security.

    Perhaps if you knew anything about the real world and got your opinions somewhere other than TV news and here, you wouldn't be wasting people's time with crap posts like yours.

    You should stop posting on public policy until after you learn something about how government and society works, should you happen to be capable of doing so. While you have a right to your opinion, you have no right to have it respected.
    Besides the fact that this stream of invective is pointless and demonstrates your insecurity, you could not be further from the truth. If you wish to compare resumes, education, intelligence, information sources, or what have you, then please step to the plate.
    1. Re:A clear sign that you're losing an argument by alizard · · Score: 2

      Since your ignorance leaves you in bliss, I see no particular reason to attempt to enlighten you further. Though a mental health professional may help you explain to yourself your desire to protect bad management practices both in terms of physical and computer security.

      Perhaps you aspire to become one of those bad managers, more interested in executive perks than earning your pay. Perhaps you are one of those bad managers and you fear public exposure.

      Anyone defending the proposition that "security by obscurity" is a good thing has to assume a burden of proof you are obviously incapable of meeting.

      Since I'm sure the subject of security in some context will be coming up again on slashdot, I'm sure I'll be encountering you again. Try to come up with better arguments next time.

    2. Re:A clear sign that you're losing an argument by FallLine · · Score: 2

      Since your ignorance leaves you in bliss, I see no particular reason to attempt to enlighten you further. Though a mental health professional may help you explain to yourself your desire to protect bad management practices both in terms of physical and computer security.

      Perhaps you aspire to become one of those bad managers, more interested in executive perks than earning your pay. Perhaps you are one of those bad managers and you fear public exposure.

      Anyone defending the proposition that "security by obscurity" is a good thing has to assume a burden of proof you are obviously incapable of meeting.

      Since I'm sure the subject of security in some context will be coming up again on slashdot, I'm sure I'll be encountering you again. Try to come up with better arguments next time.
      You still can't muster anything more than the a priori assertion that all openness is good and much-loved ad hominem attacks. The entire premise of your "security through exposure" philosophy rests on the assumption that something reasonable can be done after and as a result of the exposure to make what is being exposed more secure than it was previously. That is to say that the respected advocates of this position openly admit that exposure has its drawbacks (namely, that the so-called black hats will now _certainly_ use it), but that they believe its benefits outweigh the drawbacks. The trouble is that in implementation in the real world, meaningful action is not always attainable, and is sometimes unadvisable. For instance, in the world of computer security, if you were running an embedded system that you could not remove from service and you could not fix, then you would not want to publicize its flaws (or the existence and locations of the devices). Let us further say the flaw is one where someone is able to crash the device by sending it a peculiar arrangement of data. Well then, taking it out of service, the only solution, is worse than the problem. Would you publicize this flaw? Would you further make the exploit public? Would you describe how easy it is to execute it and write a HOWTO for the average Joe? This is essentially what the media does time and time again.

      Publication may make sense when you are talking about the latest bug in Microsoft's IIS, but that does not mean that it makes sense to practically deliver the latest flooding tool (to be distinguished from a "flaw" in any particular implementation) to the hands of script kiddies when there is nothing that can just be fixed. Look up the smurf.c fiasco to get a feel for the reality of this. It pretty much parallels what the media does on a day to day basis.

  87. Excellent points. by elocutio · · Score: 1

    I really appreciate the time you took to clarify.

    I don't dispute anything you've said; in fact, I share your viewpoint. I am also deeply entrenched in the server-side world of web programming, and I tend to get a chuckle at the mindless banter of the uninformed when it comes to the whole "Mac versus PC" thing.

    If I had an argument to offer in regard to webserver preference (which I really couldn't care less), I would say that when Grandma Newbie decides to try her hand at building and hosting her website, she would be much better off with WebSTAR than almost anything else. It's not a server that is easy to malign.

    Here's a case in point: a Mac-savvy friend of mine decided to try learning Active Server Pages. He dusted off an old copy of Windows NT Server, and he configured ftp services and IIS. He called me after one week and said, "I think I've got some weird virus."

    The free space on his 40GB RAID had all but disappeared. It turns out that a hacker group had turned his anonymous ftp server into a private partition and totally filled it with warez. I would have thought it was a pretty neat hack, if it hadn't been such a dirty thing for someone to do. :P

    Now, this guy is not a computer newbie. He did just what you'd expect a beginner to do. It was a very common newbie mistake.

    WebSTAR (or classic MacOS) simply won't allow that kind of malice. Grandma Newbie isn't going to ignorantly or accidentally configure a server with security holes, something that's dangerously easy to do with IIS, and slightly less so with Apache.

    The point that I would argue is that WebSTAR on MacOS is much more secure than any other mainstream web server. It's not for everyone, but it really is the perfect solution for nearly every web enfant, including, apparently, the United States Army.

    ...a big problem with the original message I responded to was the implication that other servers couldn't be configured to be as secure. That, I dispute strongly. None of the servers I maintain have ever been hacked, even when boxes on either side of them have been. I know of many other servers that have never been hacked. The way to be secure is to have an understanding of what makes you secure...

    There. You just proved my point. Serving over the public net is a game not for the timid, and your personal cache of knowledge protects you from mindless or careless misconfiguration. The ones that aren't armed with your knowledge are gonna get hurt. It's kind of like a freestyle biker saying, "dude, those Cannondales suck." Well, they don't suck, but they won't perform the way that the radical exhibitionist is expecting.

    Just because you can perform freestyle backflips with your server doesn't mean that everyone could, or should (a point that I'm confident you stipulate).

    1. Re:Excellent points. by alienmole · · Score: 1

      I would say that when Grandma Newbie decides to try her hand at building and hosting her website, she would be much better off with WebSTAR than almost anything else. It's not a server that is easy to malign.

      I don't have too much of a problem with this in general, although are you telling Grandma she can't have Mac OS X?

      But another reason for my first response was that the original topic was the hacking of NBC - which ought to have more sophisticated IT resources than Grandma Newbie. My response assumed that the issue is not really how secure a server is "out of the box", since an organization like NBC ought to at least have enough knowledge to perform the most basic standard hardening steps. Even a Windows server can be made quite secure with very little effort - but it does take a bit of a priori knowledge. Actually, the biggest problem with Windows servers seems to be how easily they can be made insecure again - e.g. by reinstalling a service pack.

      Ironically, it's quite likely that the weak point in the NBC incident was something other than a web server, anyway.