Microsoft PPTP Buffer Overflow; VPNs Vulnerable
An anonymous reader writes "According to this InfoWorld article, a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit. This overflow was discovered by the German security firm Phion; they have posted more info on this page." We might as well throw in yet another remote exploit for FrontPage, too. No, not last week's remote exploits - these are new. Coincidentally, the front group Microsoft organized for the purpose of quashing bug disclosure (that is, reducing Microsoft's bad press) is just now getting underway.
i wonder what the commercial applications of this are. numero 6
Somebody ought to compile a list of every unfixed MS security related bug, and mail that, every single day, to any congress[person,critter,droid] that is consulting with microsoft on 'security'.
TODO: Something witty here...
From the advisory:
A DoS resulting in a lockup of the machine has been verified on
Windows 2000 SP3 and Windows XP.
A remote compromise can not be excluded,
as we were able to fill EDI and EDX with our data.
It might be that they will find a way to run arbitrary code through this exploit, but so far they were only able to crash the system.
From what I see in the German brief on the exploit, this can write to the memory of the system. So does this mean the worst that can happen is to crash a Windows box?
Also, does this apply only to Windows systems using PPTP or to VPN hardware devices as well?
I didn't see any information on Windows NT 4.0. Does this mean that the vulnerability doesn't exist, or that they haven't tested it? (The site doesn't say.)
The difference between theory and practice is that, in theory, there is no difference between theory and practice.
From: sh@phion.com [mailto:sh@phion.com]
Sent: Thursday, September 26, 2002 5:44 AM
To: bugtraq@securityfocus.com
Subject: Microsoft PPTP Server and Client remote vulnerability
phion Security Advisory 26/09/2002
Microsoft PPTP Server and Client remote vulnerability
Summary
The Microsoft PPTP Service shipping with Windows 2000 and XP contains a
remotely exploitable pre-authentication buffer overflow.
Affected Systems
Microsoft Windows 2000 and XP running either a PPTP Server or Client.
Impact
With a specially crafted PPTP packet it is possible to overwrite kernel
memory.
A DoS resulting in a lockup of the machine has been verified on
Windows 2000 SP3 and Windows XP.
A remote compromise should be possible deploying proper shellcode,
as we were able to fill EDI and EDX with our data.
Clients are vulnerable too, because the Service always listens on port
1723 on any interface of the machine; this might be of special concern
to DSL users who use PPTP to connect to their modem.
Solution
As a temporary solution for the Client issue, one might firewall the PPTP
port in the Internet Connection Firewall for Windows XP.
We don't know of any solution for Windows 2000 and Windows XP PPTP servers.
The vendor has been informed.
Acknowledgements
The bug has been discovered by Stephan Hoffmann and Thomas Unterleitner
on behalf of phion Information Technologies.
Contact Information
phion Information Technologies can be reached via:
office@phion.com / http://www.phion.com
Stephan Hoffmann can be reached via:
sh@phion.com
Thomas Unterleitner can be reached via:
t.unterleitner@phion.com
References
[1] phion Information Technologies
http://www.phion.com/
Exploit
phion Information Technologies will not provide an exploit for this issue.
Disclaimer
This advisory does not claim to be complete or to be usable for any
purpose.
This advisory is free for open distribution in unmodified form.
Articles or Publications that are based on information from this advisory
have to include link [1].
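The advisory above says only that a specially crafted PPTP packet can overwrite kernel memory; it does not say which field is mishandled, and this thread does not either. The C program below is an added example, not phion's or Microsoft's code, showing the checks a receiver of PPTP control messages must make before a Length field taken off the wire is used to size a copy into a fixed buffer. The 12-byte header layout, the magic cookie and the 156-byte Start-Control-Connection-Request come from RFC 2637; the 256-byte receive buffer, the constructed test messages and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PPTP control messages (RFC 2637) arrive on TCP port 1723 and begin with a
 * 12-byte header, all fields big-endian:
 *   Length(2) | PPTP Message Type(2) | Magic Cookie(4) | Control Message Type(2) | Reserved0(2)
 * Length counts the whole message, header included. */
#define PPTP_HDR_LEN       12
#define PPTP_MAGIC         0x1A2B3C4Du
#define PPTP_MSG_CONTROL   1
#define PPTP_CTRL_SCCRQ    1    /* Start-Control-Connection-Request */
#define PPTP_SCCRQ_LEN     156  /* fixed on-the-wire size of an SCCRQ */
#define PPTP_MAX_CTRL_LEN  256  /* assumed receive-buffer size for this example */

/* Result codes of pptp_parse_ctrl() and pptp_copy_ctrl(). */
enum {
    PPTP_OK            =  0,
    PPTP_ERR_SHORT     = -1,  /* fewer than 12 bytes received */
    PPTP_ERR_MAGIC     = -2,  /* magic cookie mismatch */
    PPTP_ERR_TYPE      = -3,  /* not a control message */
    PPTP_ERR_LEN_SMALL = -4,  /* Length smaller than the header it must include */
    PPTP_ERR_LEN_BIG   = -5,  /* Length exceeds the fixed receive buffer */
    PPTP_ERR_TRUNC     = -6   /* Length claims more bytes than were received */
};

typedef struct {
    uint16_t length;
    uint16_t msg_type;
    uint32_t magic;
    uint16_t ctrl_type;
} pptp_hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Validate a control-message header against what was actually received
 * BEFORE any of its fields is used to size a copy or index a table. */
int pptp_parse_ctrl(const uint8_t *buf, size_t buflen, pptp_hdr_t *out)
{
    pptp_hdr_t h;
    if (buflen < PPTP_HDR_LEN)          return PPTP_ERR_SHORT;
    h.length    = rd16(buf);
    h.msg_type  = rd16(buf + 2);
    h.magic     = rd32(buf + 4);
    h.ctrl_type = rd16(buf + 8);
    if (h.magic != PPTP_MAGIC)          return PPTP_ERR_MAGIC;
    if (h.msg_type != PPTP_MSG_CONTROL) return PPTP_ERR_TYPE;
    if (h.length < PPTP_HDR_LEN)        return PPTP_ERR_LEN_SMALL;
    if (h.length > PPTP_MAX_CTRL_LEN)   return PPTP_ERR_LEN_BIG;
    if (h.length > buflen)              return PPTP_ERR_TRUNC;
    if (out) *out = h;
    return PPTP_OK;
}

/* Copy one validated control message into a fixed-size buffer. The copy size
 * comes from the checked header, never straight from the wire bytes. Returns
 * the number of bytes copied or a negative PPTP_ERR_* code. */
int pptp_copy_ctrl(const uint8_t *buf, size_t buflen, uint8_t dst[PPTP_MAX_CTRL_LEN])
{
    pptp_hdr_t h;
    int rc = pptp_parse_ctrl(buf, buflen, &h);
    if (rc != PPTP_OK) return rc;
    memcpy(dst, buf, h.length);  /* h.length <= PPTP_MAX_CTRL_LEN was checked above */
    return (int)h.length;
}

/* Build a constructed SCCRQ-shaped message: a real header followed by zeroed
 * body bytes. `claimed` goes into the Length field, `actual` is how many bytes
 * are produced, so the two can be made to disagree on purpose. */
size_t build_sccrq(uint8_t *out, size_t cap, uint16_t claimed, size_t actual)
{
    if (actual > cap || actual < PPTP_HDR_LEN) return 0;
    memset(out, 0, actual);
    wr16(out, claimed);
    wr16(out + 2, PPTP_MSG_CONTROL);
    wr32(out + 4, PPTP_MAGIC);
    wr16(out + 8, PPTP_CTRL_SCCRQ);
    return actual;
}

/* One test scenario: build a message, optionally corrupt the magic cookie,
 * and return what pptp_copy_ctrl() makes of it. */
int check_sccrq(uint16_t claimed, size_t actual, int corrupt_magic)
{
    uint8_t pkt[1024], dst[PPTP_MAX_CTRL_LEN];
    size_t n = build_sccrq(pkt, sizeof pkt, claimed, actual);
    if (corrupt_magic && n) pkt[4] ^= 0xFF;
    return pptp_copy_ctrl(pkt, n, dst);
}

int main(void)
{
    printf("well-formed SCCRQ:    %d\n", check_sccrq(PPTP_SCCRQ_LEN, PPTP_SCCRQ_LEN, 0));
    printf("Length field 65535:   %d\n", check_sccrq(0xFFFF, PPTP_SCCRQ_LEN, 0));
    printf("Length > received:    %d\n", check_sccrq(PPTP_SCCRQ_LEN, 40, 0));
    printf("Length < header:      %d\n", check_sccrq(4, PPTP_SCCRQ_LEN, 0));
    printf("bad magic cookie:     %d\n", check_sccrq(PPTP_SCCRQ_LEN, PPTP_SCCRQ_LEN, 1));
    return 0;
}
```

The point of the three Length checks is that each guards a different failure: a value below the header size would make later arithmetic wrap, a value above the receive buffer is the classic overflow, and a value above what was actually received would read past the end of the data even when it fits the buffer.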
Thank goodness they will be keeping this information from the people who will do bad things with it. I'm sure that the script kiddies would never share this information with each other! Besides the nice people who are installing these systems really should be on a "need to know" basis anyways....
Screw the end user.
Isn't it great that the community debugs Microsoft's security software for free? They probably don't even try to test it anymore since they can rely on everyone finding the holes and reporting them immediately on Slashdot.
In a stunning revelation, a string of recent articles indexed by Slashdot.org, an internet news resource for the technically inclined, declares that software is not perfect.
"For years people have believed that commercial software works flawlessly," said Slashdot editor Timothy. "We always believed that bugs in commercial software were just a myth - the kind of stories open source programmers told their children around late-night campfires."
Comments from Slashdot readers indicated the level of surprise. "It's unbelievable. Every operating system, word processor, web browser and game I've ever purchased has always worked flawlessly out of the box. And now they're telling us that there are bugs, and even security flaws? It's unbelievable!" commented one user.
"If software really does have flaws, this could really put the future of computing in jeopardy," added another. He continued, "Will people be willing to use software that saves them or their company thousands or millions of dollars a year if it's possible that an unlikely buffer overrun might release a credit card number? People will go back to writing documents with real pens and checking spelling with actual paper dictionaries!"
One apparently young poster thought there might be a little overreaction. "I don't know what a buffer overrun is, but as long as I can still IM girls to ask if they'll be my girlfriend and play counterstrike, I don't care either."
paintball
The Slashdot editors posted a link to a Microsoft-backed security organisation that is devoted to making the world a better place. Just because Microsoft, which has perpetrated just about every evil on the software industry imaginable, is the company backing this other company, doesn't mean it won't be completely impartial and cause security-related bugs to become freedom-loving United States citizens!
Slashdot is just full of trolls who can't understand that this is an ad hominem attack which means an argument that says whenever someone acts evil 100% of the time for 20 years you can't discount the possibility that this time they're acting to promote the greater good of mankind.
Just read the article, people! And I quote:
See? They're going to release drafts of the guidelines in early 2003. Nothing to worry about here, folks. Move along. DRM is good. Linux is bad. Stop worrying, buy your DVDs and CDs, and consume like you've never consumed before. If you don't like it, don't buy it. Microsoft is obligated to screw the consumer. There is no monopoly. The Justice Department meted out the justice already.
fifth sigma, inc.
Who needs an exploit to crash a Windows server?
"We can't solve problems by using the same kind of thinking we used when we created them."
This kind of information is only going to be considered "handed on a plate" to the inexperienced/newbie script kiddie who poses a minor threat. The kind of person who is going to do real damage, who has the skills and experience to aggressively hack a system is not going to gain anything from public disclosure, they will already know about the exploit. Limiting release only protects the vendor from the incessant cry for a fix..
What's an MSCE?
mstyne: real name, no gimmicks
Does Microsoft do any testing whatsoever of their software? It seems like every other day a new exploit is discovered. Is this ever going to stop? (Without hiding behind the "Organisation for Internet Safety" of course).
And yes, I'm aware that MS isn't the only guilty party when it comes to exploits and bugs, but it seems they have the most problems like this...
sudo eat my shorts
phion Information Technologies will not provide an exploit for this issue.
In reference to remarks about lawsuits. This is a smart move, this would probably help against the getting-our-asses-sued-by-MS possibilities.
If they poke their own machines I don't think it quite counts the same as hacking somebody else's machine and then telling them they're vulnerable.
I was just recently looking at the possibilities of setting up a linux VPN, instead of opening up my Windows machines (/. never posted it, boohoo for me). This looks like a good reason to do it that way, anyone have suggestions? I've looked at freeS/WAN, but the online documentation is dead
I'm downloading the freeSwan files before their server gets slashdotted now too - phorm
WTF, I just patched that box 3 minutes ago!!
Yea, so what? They won't have a patch ready for weeks. I'm going to play golf.
It is acting kinda strange. You better reboot, just to be sure.
The server's down? Again??
It can't be down. I rebooted it 5 minutes ago.
Naw, they won't bother us. It's not like we're the DOD or something.
Don't bug me now. I've almost got high score on Pinball.
Sure, I've heard of Linux. It sucks!
CNET has more details on this problem:
cnet technews
From the article:
"This is top priority","We are proceeding with all due speed." - Christopher Budd, Microsoft security response center
As usual, management has all the answers to our security problems.
This sig no verb.
Nah, PoPToP; it allows a Windows VPN client to access a Linux system using this broken protocol... but if the client is broken too, that sorta sucks. I have a group of VPN connections set up with my friends; we just use PPP over an SSH connection: secure, free and easy to use. Look up the howto on that one...
On Arrakis: early worm gets the bird. Magister mundi sum!
It's called Blue Screen of Death.. We're currently on tour with Buffer Overflow and Malicious Code.
Coming to a VPN near you...
"I love California. I practically grew up in Phoenix." -Dan Quayle
They must be using the million monkeys with typewriters (keyboards?) software development method.
I spent months trying to get my iptables firewall to allow PPTP connections to my NT server. I doubt Microsoft will address this since they have all but abandoned this type of VPN. That settles it: IPsec in tunneling mode, here I come.
Who still runs PPTP? It was found to be under-secured a while back. Everyone should have moved on to a more standard and secure technology by now. PPTP was good back when VPNs were new and hard to set up, but that time is long gone.
One of the first things I did when I took over my current company's network was to shut down PPTP and move everyone to an IPSec VPN. The upside is better security, the only downside was they had to install a client. You couldn't VPN from a stock Windows box. You have to install the Cisco client. Now with the Cisco gear working with Win2K/XP's L2TP and IPSec even that isn't an issue.
PPTP service continually listens on an I/O port
What bullshit. The PPTP service listens on a socket bound to a TCP/IP port. That's the network 'service'.
An I/O port is a way to communicate with hardware; it's like a place in computer memory (RAM) where you can write or read bytes and words of information to control computer hardware.
An I/O port and a network port are two different things!!
:wq
PPTP's encryption algorithm was cracked years ago (in fact, about a month after it was introduced) by Bruce Schneier (sp?) et al. and hasn't been considered safe ever since.
So now we have a buffer overflow exploit in a "VPN" product which was already known to be insecure. Another nail in PopTop's coffin, but little else.
At the time, Schneier referred to Micro$oft's clumsy attempts at do-it-yourself encryption as "Kindergarten Cryptography."
Nothing has changed much since then, except that maybe they've graduated to somewhere around Third Grade by now....
In times of universal deceit, telling the truth gets you modded -1 Troll
I read this headline on Google News. Didn't know slashdot was getting read by it!
End of lesson. You may press the button.
is microsoft going to fix the bug or sue the german guy under DMCA ...?
Well, they'll certainly fix it on W2K and XP (dunno about NT4). But suing the German guy? Unlikely; it'll create too many legal issues. Firstly, US law is unlikely to apply to Germans (that is, if the judge follows the precedent set in the Yahoo vs France case), and secondly the DMCA is unlikely to apply here; he hasn't done anything related to copyright. The DMCA is overrated.
This means that gazillions of machines using a "secure" ADSL channel are now vulnerable.
Ho Hum. Am I glad not to be using LoseDows.
Microsoft should start punishing their programmers who are writing this code. If you're writing the code responsible for accepting network connections, you should check your code for this.
Furthermore, why has microsoft not bought or written some buffer overflow detection tools and done a complete sweep of their code base. There are a ton of dlls to check, but with the right tool(s) it's nothing a team of 10-20 guys couldn't pull off in a short amount of time.
I wonder if this issue was actually known internally, and was planned on being released in SP4 or the next XP SP. I can't believe MS has not done some checking of their code tree. I would also hope that the Linux kernel, SSL, and Apache developers are doing the same with their code. Buffer overflows are just getting old.
Also, perhaps GCC should get a switch to detect them as well and throw warnings.
Not that Java is right in every case, but this is a good argument for using it more often in Server related products since Java doesn't suffer from buffer overflows.
They were arresting hackers.
Only on Slashdot would people complain about this. Didn't your mom ever complain about leaving the iron or stove on, and she had to drive all the way home to turn it off? This is obviously a remote shutdown mechanism put in place to allow sysadmins to turn their machines off if necessary, from home. No more late night runs to your cube! It's kind of like an "Easter Egg", if you will.
Man, we praise Tivo for allowing a certain series of keystrokes to allow 30-second fast-forwarding (or is that ReplayTV, I don't remember). But when MICROSOFT has secret, useful features in place.... we rip them apart! Come on people!
(yes, it's humor, calm down)
The initials are the same! It's not a bug - it's an example of embrace and extend!
I would really like to hear more about how you set this up. Can you fill me in a little more about how you set this up on your particular system, and any issues you ran into?
/\@/
My email is: phormix at phormix.com
s/ at
NT4 never shipped with an IPSEC or PPTP stack. Thus, they are not obliged to support that which didn't ship with the product. --M
This gives the software company a financial incentive to patch their code quickly, but also a method of keeping the disclosure limited if they need more time. Of course, there are a lot of particulars to work out, like fee amounts and what exactly to do with the money, but I think my method could work.
This could also solve the open source projects with volunteer coders can have a patch out in 2 hours, but Microsoft needs 2 months mystery.
This space intentionally left blank.
gizmo_mathboy wrote:
> So, what was MS doing during that month dedicated
> to security?
Trustworthy Computing consists of:
1) DRM (digital rights manglement).
2) Preventing untrustworthy programs from running (like open source).
3) A massive PR campaign coupled with suppressing news of bugs.
The only thing it has to do with security are bugs in #1 & #2 further eroding security, and #3 conning you into thinking they are secure.
"At this moment, it has control of systems all over the world.
And...we can't do a damn thing to stop it."
Miyasaka, "Godzilla 2000 Millennium" (Japanese version)
Read "The Onion" much?
If you can't beat them, arrange to have them beaten. -George Carlin
1. The first rule of Slashdot is to never miss a chance to slam MS and draw attention to its vulnerabilities.
2. Most Slashdot readers run Windows, whether they admit it or not. Many Slashdot readers also administer Windows boxes professionally; therefore, such posts are important and informative.
What is the average of new MS bugs discovered per week? My guess would be around 3 a week.
a buffer overflow exploit has been discovered for Microsoft's PPTP implementation, which leaves Microsoft VPN solutions vulnerable to exploit.
An exploit is vulnerable to an exploit?
Currently, we don't know if the PPTP bug is real or a fake. Anyone can write an advisory like this, and there is no way you can tell if they tell the truth or not, unless you look carefully at the source code.
Okay, maybe you can confirm that their claim is true using some black box testing. Unfortunately, the guys with the unlimited time budget aren't the good ones, usually.
I don't understand the purpose of this advisory, really (at least not from a technical perspective). I don't think anyone has got a policy to disable any services based on such information. Microsoft won't admit that there is a problem until they have got some fix. The bad guys will work overtime to discover the exact nature of this security defect, and the good guys will work overtime as usual, but are busy with other issues.
This will be number 54 if they officially issue a bulletin.
Sorry, I can't take anyone seriously who uses MS for a VPN solution.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Sure, sloppy code and security holes are as bad as watered down drinks at a topless bar, but don't we get paid to stop crap like that from being perpetrated on our networks? Microsoft makes me look like a hero as far as security goes.
Yes, Mr. Customer, I did charge you quite a bit, but I have enclosed a listing of the bugs and security flaws that I patched while I was here. These are things you usually never know about until you get burned by them, but I feel I owe it to you to stay on top of them and help you stay current...
Microsoft+Bugs+Patches=Value added for me
Keep up the good work, Bill!
I'd be curious to know how many are buffer overflows. Seems like at least 50% are. What would it take for Microsoft to incur the overhead of checking array bounds? Java seems to do this implicitly, and it works OK for tons of applications. Ever heard of a buffer overflow EXPLOIT in Java? (Sure, you could get an ArrayIndexOutOfBoundsException, but it wouldn't let arbitrary code run.)
Because MS moved on to IPSec-based VPN. PPTP is not the VPN layer anymore. Win2k and XP have IPSec-based VPN functionality built in.
Kindergarten cryptography? Don't think so.
Never underestimate the relief of true separation of Religion and State.
Because some individuals on here, myself included, tend to make money every time a new exploit/bug is found. Thanks to Microsoft, my children will be able to attend Yale. I'd say these stories do a lot for me.
http://www.forum-addicts.com
Your sarcasm is noted.
I write code and I've let more bugs out than I could possibly remember. They happen, it's part of the game. But two things make this type of thing mock-worthy. 1) MS has more net worth than most countries. They need to be held to a standard that their size and resources dictates. 2) Bill has quite publicly stated that security is now their number one priority. I for one have not seen any improvement in that department.
-B
IPSec VPN is used nowadays. I doubt a lot of servers are harmed (NT4 uses PPTP VPN if you haven't installed a 3rd party product. Win2k server uses IPSec).
MS also said that they can't find a way to make this vulnerability execute code on the target, vulnerable machine (CNet.com's article on this). An advisory from an unknown group which hasn't informed the vendor first but finds it necessary to cry out loud from the top of their lungs that they found a possible flaw in an old protocol and everyone should know about it isn't very trustworthy IMHO. I think the German security group was running low on attention. Well, they got their attention now.
I hope next time they are not this stupid and think about the people who run vulnerable systems and first discuss the flaw with the vendor and after a period (say 3 weeks) publish the flaw.
Never underestimate the relief of true separation of Religion and State.
Well, bugger me. Some programmer (aka 'bug finder') finds a bug and decides to bug everyone else by telling them about this bug. Those buggers at the giant Bug are probably bugged about this and will be bugging every worker bug's phone line from now on - buggers. Meanwhile I am just buggered off at the fact that I spend all my days finding and fixing bugs, bug after bug after bug, only to find that all my emails contain new reports of bugs, bugs that have occurred as the result of 'fixing' other bugs, and bugs that, well, just don't exist, can't be found, can't be reproduced or are, in fact, not bugs but 'unsupported features'. I mean really, this makes no sense and if you have read this far then nor, perhaps, do you, but it BUGS ME anyw...bugger it.
Rake Free + Mac Poker: CardCrusade
So, by running Linux, I am using Windows less, therefore I am causing a dip in M$ profits (poor them. I feel soooo bad). By not having any problems, I cause you to lose money, and when you and M$ lose money, the shareholders lose money. When the shareholders lose money, then people begin to cut back on M$ product purchases, thereby causing less work for you and leading to a profit loss, which in turn causes the stock price to fall again which....
So basically, I am causing the downfall of capitalism by using Linux? I feel so powerful! I wonder how far down the stock market will go if I can get all of my friends on Linux.
There is only one response to these growing doubts about the quality of proprietary software. We must put a stopper in this aiding and abetting of vandalware.
It's okay if users whisper stories around the campfire about software bugs and hacking exploits, but we must make sure that they don't begin to peel back the layers of proprietary software and peer inside. After all, it is not the user's responsibility to worry about their welfare, they need to let the properly respected authorities handle things.
The best course of action is to deny all vulnerabilities reported on this Slashdot. Next, we should use these open forums to ferret out and prosecute anyone caught trafficking in vandalware or any information that could be used to create such an atrocity. Developers and users alike must be taught that they have no business worrying about what goes on inside their computer; that is the job of Proprietary Makers of Software.
FreeS/WAN works, kinda, if you don't mind it taking over routing and a couple of other things with it. pipsecd is a lot simpler (just tunnels, and not even dynamic) to set up, for fixed point-to-point links.
If you don't have to interoperate with win32 peers (other than merely routing for them), I'd suggest tinc. A lot easier to deploy than IPSec variants (in my experience), it's quite good security, and the most easily manageable solution I've come across yet, especially for meshes of more than two machines.
Freshmeat has lots of other possibilities; I haven't even tried the majority, let alone all of them. I'm sure you'll find something that suits your needs, though. =)
Paranoid
Bwaahahahahaa.
absolute classic :-)
Rake Free + Mac Poker: CardCrusade
These are not bugs, just extended features that have not been documented. In this case a remote administration tool.
Are you seriously proposing that security vendors should blackmail software companies? I can imagine that now:
Full disclosure is the only response that makes any sense at all. The end users should be able to decide for themselves if they should risk their information with unpatched software.
After working tech support, I thought MCSE stood for Microsoft Certified Stupid Enduser.
Any Walken quote deserves at least a +1 Funny ;)
if the vendor knows of a vulnerability and DOES NOT disclose it to US, YOU can expect to see us in court very soon, M$ or not. As far as making the whole exploit and gruesome details known to the public I can agree that it might be overkill and help the script kiddies, but letting your customers fly blind is criminal when you know better. We've already dropped IIS because of M$'s inability to keep it secure in the face of poor design, if they keep it up we'll begin dropping other components.
errr....umm...*whooosh* *whoosh* Is this thing on ?
So, what, you're so smart that you can do it in 10 minutes?
Fucker.
Correct me if I'm wrong, but I think that says the opposite of what you think it says.
"A remote compromise can not be excluded. [emph mine]"
It sounds to me like they're saying, don't rule out remote exploits. I'm too lazy to look up what EDI and EDX are right now, but I think they're the code execution registers on x86.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Does anyone have any information regarding the Linux version of PPTP?
Why doesn't Microsoft set up software to run in the appropriate security context? When I log on as me, I might have lots of privileges on my computer and network. This does not mean that every application I run should have those privileges. By default applications like Internet Explorer run in the security context of the current user. That means that code in IE can do anything I can do. That does not make much sense most of the time. Ideally all applications (like those in these bug reports) should run with the absolute minimum of security rights. It should then be possible for me to grant applications more security rights as they need it. The problem here is not the technology - that is all there and working - it is the way defaults are set up and the UI for all of this stuff.
We need to set up server in some country that is not subject to MS or US legal control(since MS obviously owns the US govt.) Then disclose every MS Security Bug along with the exploits and tools to make use of them. If Billy Gates wants war then lets give it to him. Hack everything, everyday on every MS server, product and os. Make sure that everything gets shutdown or so corrupted that nothing functions. But of course in AmeriKa that is now terrorism so be careful or a 1kt bomb will fall on your head. Freedom requires all so I've got an unhackable copy of FreeBSD I'll donate to the project. Anyone else ready to pony up and bring the Billy Gates and MS down?
Yeah I bet Linux does have this same bug. Microsofts PPTP service was probably stolen from the Linux source code.
then hitler must have been a german too.
This overflow was discovered by the German security firm Phion; they have posted more info on this page.
contrary to popular belief, austria [the country in which innsbruck [the city where phion is located] is located] is no longer a part of germany, nor has the German government made any plans for a re-annexation in the near future.
--strangeloop
All software products made by Microsoft have always sucked, currently suck, and will continue to suck forever and ever. That is because at Microsoft, there are about five really excellent programmers who know their stuff, and they are swamped doing 0.000000001% of the work. The remainder of the software is written by 20,000 monkeys sitting at 20,000 keyboards.
Why does this situation exist? It's quite simple: Instead of thoroughly planning and implementing software using good, thorough programming practices and constantly auditing and maintaining that software to the highest standard in the business, Microsoft goes inventing a zillion and one things each day that nobody needs or wants, implements them in a quarter of the time it took for the idea to pass through someone's head, with absolutely (no) regard for quality, efficiency, reliability, security or size WHATSOEVER. And then, they market it like it's the most secure, stable, feature-packed, inexpensive, high quality piece of software around. And then, it's discovered that the whole software is built like a treehouse attached to a dead tree by a single nail, in a boat in a swimming pool balanced on a tightrope that's held up by two termite-eaten 2x4s which are balancing against a bunch of ping-pong balls stacked on each other 300 high.
Software made by Microsoft is GARBAGE! It's a FACT, not an opinion. DO NOT BUY MICROSOFT'S ERROR-RIDDEN VIRUS-INVITING GARBAGE! USE FREE SOFTWARE INSTEAD!
Now this! Funny how things supposed to protect us require so much more complex technology that bugs bite back and achieve exactly the opposite of what it's supposed to add in the first place, security. Actually, I always wondered what the fuss was about network sniffing when you're connected to an ISP: who has so much time to waste to look through several Mbit/s? And Gbit/s on backbones? Eventually, if your ISP got hacked by an SSL/PPTP hole, that's another story ;)
have you been defaced today?
http://www.counterpane.com/pptp-faq.html
some good points:
What did Bruce Schneier and Mudge actually do?
They found security flaws in Microsoft PPTP that allow attacks to sniff passwords across the network, break the encryption scheme and read confidential data, and mount denial of service attacks against PPTP servers.
How bad is it?
Very. Microsoft PPTP is very broken, and there's no real way to fix it without taking the whole thing down and starting over. This isn't just one problem, but six different problems, any one of which breaks the protocol.
I especially like the comment about "kindergarten cryptographer" mistakes
I would really like to hear more about how you set this up.
It's pretty straightforward but you must (through PPP negotiation) tell your PPTP clients where the WINS server is or you will not be able to go anywhere by name. We use PoPToP fairly regularly but are migrating to IPSec with certificates since Win2k supports it and it's a much better standard.
The other side of the coin is that limited disclosure disarms the script kiddies and cyber vandals by not giving them an exploit on a plate.
Script kiddies are not the problem. Let this message be shouted from the hills. A script kiddie scrawls his name on your corporate web page and leaves a little egg on your face. They are harmless. The person you need to worry about a LOT is the hacker who knows what he is doing, who already knows your flaws, and is looking for your company secrets, your pre-patent diagrams, your strategy memos, and he wants to sell to the highest bidder.
"Your superior intellect is no match for our puny weapons!"
This just in: People kill each other. I guess its just a fact of life, eh? ;)
Seriously tho, if you want to be the biggest player on the block, you'd better be prepared for more scrutiny. If you wanna be #1 in a market, you'll be the one wearing the biggest bullseye.
Just like bugs are a consequence of life, so are bullseyes. They have 40 billion in the bank to fight bugs with; most other companies do not. Whereas other companies deserve some slack because they don't have these resources, MS does not.
"Old man yells at systemd"
I don't think that is true; clearly Microsoft has improved enormously in the last year or so, as there are far more bug fixes. It's not as if Microsoft, now concerned with security, started producing software that was more defective than before.
I think there are two variables at play; one being that security is a larger field and more people are looking for defects in Microsoft's code, and not just Microsoft, you'll notice that there are not more exploits in other operating systems, such as Linux and even OpenBSD. Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).
It seems clear that Microsoft is more focused on security now than ever before; this doesn't mean we'll be hearing more about bugs, it means we'll be hearing about them more!
-Jon
this is my sig.
Look at the link that Tweek posted. They are being very careful not to piss off the server market. Windows 95 support started to disappear without warning. Compare that decision to the page Tweek referenced and you'll see the difference in attitude.
I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.
but are migrating to IPSec with certificates
What are you doing to implement this? Is there something written to do it, or are you trying to do this manually with custom apps and ipchains voodoo?
or sharing certain files and/or IPX/SPX connections
Realize there is not inconsiderable overhead with something like SSH tunnels that doesn't exist with a lower-level solution.
IPX/SPX->PPP->SSH->TCP->IP
It may work well enough for you, but if it winds up not being fast enough, you know you need something better.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Actually, I HAVE done my homework, and it appears that you have not done yours.
Among other problems, Micro$oft's implementation of IPSec uses weak encryption.
So which one of us is still in Kindergarten? (hint: Kindergartners don't do homework)
In times of universal deceit, telling the truth gets you modded -1 Troll
I don't really need server names, the main purpose is just for sharing certain files and/or IPX/SPX connections (for LAN games). No need for domain names as nobody will be using this connection to go anywhere but in.
I mean you need to send the WINS server info so you can get NetBIOS resolution. i.e. \\someserver instead of \\server.ip.address.here.
What are you doing to implement [Win2k x509 IPSec]?
This is where I got started. I was most confused when creating the certificates, and later (on win2k) when I realized that the software it asks you to install is just a wrapper for the code win2k already has.
Funny how things that are supposed to protect us require so much more complex technology that bugs bite back and achieve exactly the opposite of what they're supposed to add in the first place: security.
It's very easy, and almost predictable, to "out-smart" yourself.
I'm not sure of the origin, but I think KISS originated in Lockheed's Skunkworks. The original "stupid" was probably something like a 19-year-old PhD from MIT. The real battle is against Mother Nature, and she's got enough tricks up her sleeve so that, comparatively, *everybody* is stupid.
"Microsoft treats security vulnerabilities as public relations problems" Bruce Schneier.
In a world that is Free and Open, who needs Windows and Gates?
Two, Microsoft has been MORE responsive to fixing the bugs, XP now comes with an auto updater and sends fixes out automatically (if configured to do so).
This is simply a method of sending out updates. It may or may not have anything to do with fixing bugs. Indeed it could just as easily ensure that buggy code gets distributed quickly.
Me: 'kay, what are we using?
IT guy: eSmith VPN
Me: Which is? PPTP VPN? IpSec?
IT guy: What? Use Windows 2K VPN to connect.
Me: Uh, right. I'll be using PPTP on my linux box, is that all right?
IT guy: No way!
Me: Why not?
IT guy: It's not on the approved software list, therefore it's a potential security risk.
Me: Uhhh... all right. Then I'll use Win2K VPN.
IT guy: Really?
Me: Sure, as far as you know.
Which pretty much sums up commercial IT. Better the devil you know than the devil you don't.
If you were blocking sigs, you wouldn't have to read this.
Phion is Austrian, not German.
but there's no excuse these days
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Phion is an AUSTRIAN company. Yes, this is a huge difference.
http://www.phion.com/contact/
Please disregard previous post and moderate it into oblivion. I was obviously on crack and lacking sleep. That's what you get by being a developer. Sorry for the waste of disk space.
:
Back to the point, what you want to do is
1) have a process listen on privileged port 21
2) upon connection, accept() it then pass the socket to a fork()ed unprivileged FTP daemon
3) watch the daemon scream and die when trying to open its data transfer connection on a privileged port.
You may be able to tell ftpd to create its data connection on an unprivileged port, or inetd/xinetd may be able to handle this.
Karma cannot be described by words alone.
I think that parent post was referring to the "no-rest-for-the-weary-MSCE" misspelling in the story, but regardless, why would you abuse someone to point out something so obvious to I think 99.99% of people who read ./?
Anyway it stands for Moron Cheated then Sat Exam.
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
An old Red Skelton gag was "I can read reading and I can read writing but this writing is rotten". The significance of your example is that some reading is rotten.
The practice in C is to rely heavily upon NUL-terminated strings. For just about any machine architecture this is just about optimal speed-wise, but it carries a risk of buffer overflows. Since the length of a source string is not known ahead of time, overflow of a destination buffer area can be guarded against only at the cost of regular tests inserted inside the loop. The alternative is to represent strings as structures consisting of an integer field specifying the string length followed by the actual string data. This way source and destination sizes can be compared at small overhead cost before beginning a transfer loop. This has the drawbacks of the slight pre-looping overhead, a slightly greater memory requirement for each string and an absolute upper bound imposed on string length. Some extra logic can work around this last difficulty. In the old days when memory was more expensive and processors slower these disadvantages were more significant. Today, I think the tradeoffs favor greater security. We need a new low-level adept language to replace C that implements strings consistently as structures.
"Obtuse Anger is that which is greater than Right Anger" - Lewis Carroll
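The counted-string structure the post above argues for, as an added example that is not code from the thread: a length field in front of the bytes, so a copy compares sizes once before the loop instead of testing for NUL on every byte, next to the NUL-terminated C idiom with the in-loop check the post calls the overhead. The type and function names (cstr, cstr_copy and so on) are made up for the example.

```c
/* Added example (not from the thread): a counted string with the
 * up-front size comparison the post describes, and the C idiom it is
 * compared against. All names here are invented for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t cap;          /* bytes the data area can hold */
    uint32_t len;          /* bytes currently in use, always <= cap */
    unsigned char data[];  /* flexible array member: the bytes follow */
} cstr;

/* Allocate a counted string able to hold cap bytes. */
cstr *cstr_new(uint32_t cap)
{
    cstr *s = malloc(sizeof *s + cap);
    if (!s) return NULL;
    s->cap = cap;
    s->len = 0;
    return s;
}

/* Copy src into dst: one comparison, then a plain memcpy.
 * Returns 0 on success, -1 (dst untouched) if it would not fit. */
int cstr_copy(cstr *dst, const cstr *src)
{
    if (src->len > dst->cap) return -1;
    memcpy(dst->data, src->data, src->len);
    dst->len = src->len;
    return 0;
}

/* Append. Compare against the remaining room rather than computing
 * dst->len + src->len, which could wrap in uint32_t. */
int cstr_append(cstr *dst, const cstr *src)
{
    if (src->len > dst->cap - dst->len) return -1;
    memcpy(dst->data + dst->len, src->data, src->len);
    dst->len += src->len;
    return 0;
}

/* Length of a C string, scanning at most max_scan bytes so an
 * unterminated input cannot walk off the end of its buffer. */
static size_t bounded_len(const char *s, size_t max_scan)
{
    size_t n = 0;
    while (n < max_scan && s[n] != '\0') n++;
    return n;
}

/* Import a NUL-terminated C string, refusing anything that would not fit. */
int cstr_from_c(cstr *dst, const char *s, size_t max_scan)
{
    size_t n = bounded_len(s, max_scan);
    if (n > dst->cap) return -1;
    memcpy(dst->data, s, n);
    dst->len = (uint32_t)n;
    return 0;
}

/* The contrast: the NUL-terminated idiom. Its only defence is the check
 * inside the loop, paid on every byte; drop it and this is strcpy(). */
int c_copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0) return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dst_size) {          /* next byte would overflow dst */
            dst[i] = '\0';                /* leave a terminated prefix */
            return -1;
        }
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return 0;
}
```

The counted form pays its cost once per copy and can refuse the whole operation before touching the destination; the NUL-terminated form either pays per byte or silently overruns, which is the class of bug the advisory at the top of this thread is about.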
phion is located in innsbruck, AUSTRIA. not germany. it's a HUGE difference, you know..
sic luceat lux
I've been trawling the history pages to try and get a confirmation.
I think it's the 3 part I'm wrong with not the Windows bit.
I've held the "windows was assembler" bit in my head for some time, maybe I'm passing on something that someone told me.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The buffalo isn't as dangerous as everyone makes him out to be.
Statistics prove that in the United States more Americans are killed in
automobile accidents than are killed by buffalo.
-- Art Buchwald
- this post brought to you by the Automated Last Post Generator...