Slashdot Mirror


New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

604 comments

  1. What were those commons passwords in Hackers? by Eese · · Score: 5, Funny

    I bet they just made a program that tried, "Love, sex, and god".

    1. Re:What were those commons passwords in Hackers? by MadocGwyn · · Score: 2, Funny

      There was another one, but I can't tell you what it is, it's a secret.

      --
      Jesus saves, everyone else takes full damage from the fireball.
    2. Re:What were those commons passwords in Hackers? by Jacer · · Score: 1

      Hey, you forgot about secret, that was on the list too!!! 1 L1\/3 []V[]y l1f3 ây th4t []v[]0\/i3

      --
      --fetch daddy's blue fright wig, i must be handsome when i release my rage
    3. Re:What were those commons passwords in Hackers? by mumkin · · Score: 5, Informative

      According to F-Secure, these are the passwords it tries:

      [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

      the pat / patrick is rather weird, eh? only name in the list.

    4. Re:What were those commons passwords in Hackers? by mumkin · · Score: 0

      doh! @^%$#^ submit button.

      anyway, as you can see, the list does include love, sex, god, and secret.

    5. Re:What were those commons passwords in Hackers? by ackthpt · · Score: 5, Funny

      Thank goodness it didn't include 'cowboyneal4ever', since I use that for everything and it has never let me down for security purposes.

      --

      A feeling of having made the same mistake before: Deja Foobar
    6. Re:What were those commons passwords in Hackers? by Malcolm+Scott · · Score: 1

      And how many people really have 42 x's as their password?

    7. Re:What were those commons passwords in Hackers? by bmorris · · Score: 2, Funny

      crap, now I have to change the password on my suitcase.

    8. Re:What were those commons passwords in Hackers? by carpe_noctem · · Score: 4, Funny

      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

      Shit, I should go change my root password now.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    9. Re:What were those commons passwords in Hackers? by Fishstick · · Score: 2, Informative

      >Hey, that's the same password as my server!

      oops, after looking up the line, it should be something more like...

      That's the kind of password some idiot would have on his windows machine!!

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    10. Re:What were those commons passwords in Hackers? by MyHair · · Score: 4, Insightful

      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

      Shit, I should go change my root password now.


      I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.

    11. Re:What were those commons passwords in Hackers? by rodney+dill · · Score: 1

      What about

      start123
      summer03
      winter03
      fall2003

      --

      Use your head, can't you, use your head,
      You're on earth, there's no cure for that
      - S. Beckett
    12. Re:What were those commons passwords in Hackers? by daeley · · Score: 0

      THANK YOU Fishstick! I was trying to remember where that was from the other day and had myself convinced it was a Simpsons quote. MetaKarma upon you.

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
    13. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      I was worried there for a sec., but... *relaxing* ... "engage" isn't part of the list.

    14. Re:What were those commons passwords in Hackers? by galaxy300 · · Score: 5, Funny

      I'm surprised that ****** isn't in the list. That's my password for just about everything. As a matter of fact, I've noticed that it's just about everyone's password!!!

    15. Re:What were those commons passwords in Hackers? by RainbowSix · · Score: 0, Redundant

      Obligatory SpaceBalls Reference:

      DARK HELMET: So the combination is 1,2,3,4,5 ... That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage.
      PRESIDENT SKROOB: .... 1,2,3,4,5. That's amazing I've got the same combination on my luggage.

      --
      --------
      It's OK to be social, just don't tell anyone about it.
    16. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 5, Informative

      if the hackers need any help, here are the most common passwords for my website:

      password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.

      9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.

      hope that helps!

    17. Re:What were those commons passwords in Hackers? by JDWTopGuy · · Score: 2, Funny

      Just logged in to your account. Boy, your karma is in the toilet!

      --
      Ron Paul 2012
    18. Re:What were those commons passwords in Hackers? by ackthpt · · Score: 2, Funny
      Just logged in to your account. Boy, your karma is in the toilet!

      It's all those redundant or offtopic spelling and grammar corrections of CmdrTaco. It's a tough job, but someone's got to do it.

      --

      A feeling of having made the same mistake before: Deja Foobar
    19. Re:What were those commons passwords in Hackers? by fussman · · Score: 0

      I think they should have added gandalf12, stryder, tolken, oneringtorulethemall, mordor, etc

      --
      Support Israeli punk bands. Man Alive.
    20. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      You forgot:

      [werd], sexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, ho, Ho, forty, fotie, watermelon, 1, 11, 111, 11111, welfare, friedchicken, fridchiken, orangesoda, grapesoda, porchsitter, porchsitter1, bitch, biatch, 2pac, 2pac1, monkey, mistah, mastah, rap, crack, smack, hood, motherland, mutherland, mutherfucker, mutherfuka, shaft, and parole.

    21. Re:What were those commons passwords in Hackers? by 3ryon · · Score: 4, Funny

      these are the passwords it tries : [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin...

      Whew! For a second there I thought it was trying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    22. Re:What were those commons passwords in Hackers? by benna · · Score: 1

      I bet the one that wrote its name was patrick.

      --
      "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
    23. Re:What were those commons passwords in Hackers? by _xeno_ · · Score: 2, Funny

      Who'd be foolish enough to use ****** as a password? I use ********!

      --
      You are in a maze of twisty little relative jumps, all alike.
    24. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 5, Insightful

      My own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)

      505 1234
      494 password
      319 6969
      241 harley
      231 123456
      201 golf
      180 pussy
      169 mustang
      169 1111
      143 shadow
      135 1313
      134 fish
      130 5150
      127 7777
      121 qwerty
      120 baseball
      118 2112
      116 letmein
      114 12345678
      114 12345

      Other than these, the user's name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..

      Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive. :)

      If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simpler.

      The web site password crackers that I've seen use dictionary files, and for the passwords they try:

      word
      drow (word backwards)
      [0-9]word (read as regex, not literal)
      word[0-9]
      [0-9]drow
      drow[0-9]

      Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")

      Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someone wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is supposed to use.

      BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..

      I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales receipt. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home. :) I figure if it took me 30 seconds with a buzz, it's probably too easy. BTW, there are all kinds of interesting options to set on those machines. :)

      --
      Serious? Seriousness is well above my pay grade.
    25. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      Not quite - it is for sanity reasons.

    26. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      Mods: you may want to pick the best of the innumerable spaceballs references and mod it up to visibility levels - just to stop the redundancy. PS- modding this guy redundant just because I posted this wouldn't be fair - I think he's one of the early ones.

    27. Re:What were those commons passwords in Hackers? by irc.goatse.cx+troll · · Score: 0

      What's your website, and where can I get a list of users?

      You know, for educational use only.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    28. Re:What were those commons passwords in Hackers? by seedybd · · Score: 1

      OMG that's my password too.
      It always has been and here i was thinking that no one else was as clever as me, damn trying to be original!

      --JuSt A tHoUgHt--

    29. Re:What were those commons passwords in Hackers? by LoztInSpace · · Score: 5, Funny

      [the user's username backwards]. Heh heh. Reminds me of a friend telling someone to use this. Bad advice aside, imagine him saying this as he simultaneously realises that the user's name is Lana.

    30. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 1

      hmmm.... my website has 312 users... yours is definitely more accurate =). we do have "mustang", "fish", and "6969" in there.. probably a few others on your top list but none that i can think of off the top of my head. I use only one password, which is probably stupid, but it's one of the most random things ever that no one will ever think of. (then of course there's the owners of websites who have access to it, but either they don't care about me or i trust them)... lots of people just really don't care what people do with their identity.. mainly cus people can't do much with it.

    31. Re:What were those commons passwords in Hackers? by NeoChichiri · · Score: 2, Insightful

      Actually...that's not entirely true...at least in the case of email or website login passwords...especially if they use either of those for business purposes. I think most of the time people just don't think of the possible problems that could arise from someone getting ahold of their password.

      --
      NeoChichiri
      http://www.neochichiri.net
    32. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 1

      I run a calculator game website. Not many business/important people in my forums ;)... anyone who uses one of those passwords for business/important purposes needs to get "hacked" (i don't think it's called hacking at this level, just creative guessing...) so they learn a lesson. (it's unfortunate, but better sooner rather than later; usually)

    33. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 2, Informative

      I don't store plaintext passwords, so I just guessed the top 2, which are:

      53: 123456
      21: password

      keep in mind we require a >= 6 char password. We only have about 4,000 users.

    34. Re:What were those commons passwords in Hackers? by SN74S181 · · Score: 1

      Clearly they're not targeting old time hackers. Where's xyzzy?

    35. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      Bad advice aside, imagine him saying this as he simultaneously realises that the user's name is Lana.

      It would immediately make me think of your mother.

    36. Re:What were those commons passwords in Hackers? by Guppy06 · · Score: 1

      Solution: Put that in as your new password, but hit ^H an arbitrary number of times before setting it.

      My friends did something similar in the dorm networks for our SMB workgroup. Every name they could think of ended up with three or four workstations joining who we didn't know. So they changed our workgroup to "_________" all underscores minus the last two. You can't see how many underscores are there when they're all blended together, and nobody figured out what we did. No more problems with uninvited guests.

    37. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      +4 Interesting?!? -5 Captain Obvious

    38. Re:What were those commons passwords in Hackers? by FatalTourist · · Score: 1

      You must be a security consultant.

      --


      Escape Pod Films: Sketch Comedy and Web Series
    39. Re:What were those commons passwords in Hackers? by jtdubs · · Score: 3, Funny

      Or worse: Bob.

    40. Re:What were those commons passwords in Hackers? by Enigma2175 · · Score: 5, Funny

      I don't store plaintext passwords, so I just guessed the top 2, which are:

      53: 123456
      21: password

      keep in mind we require a >= 6 char password. We only have about 4,000 users.


      After reading your post, I thought I would try a few myself. Sure it's a small sample, although probably not statistically valid it certainly adds to the anecdotal evidence.

      mysql> select count(*) from auth;

      count(*)
      873
      Total Users

      mysql> select count(*) from auth where password = md5(username);

      count(*)
      90
      username same as password

      mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.fname);

      count(a.username)

      44
      password is first name

      mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.lname);

      count(a.username)
      24
      Password is last name

      mysql> select count(*) from auth where password = md5('password');

      count(*)
      10
      hmmm, only 10 users with a password of password

      Some more ....
      mysql> select count(*) from auth where password = md5('12345');

      count(*)
      10

      I've got to put some text here to break up the queries, hopefully it will help out a little bit. Does anyone who has read through the slashcode know what criteria is used for the lameness filter? Is it the ratio of junk characters to nonjunk characters or is there something else to it?

      It seems like it causes problems.

      mysql> select count(*) from auth where password = md5('1234');

      count(*)
      2

      Now I suppose I must do a very lengthy conclusion because the lame /. lameness filter. It seems as if many of my users use passwords that are inherently insecure. There are a few I could check for, but it would involve coding time and these days management doesn't look too kindly upon code that doesn't make money. I doubt I have enough to get through the filter, but I'll give it a shot. OK, now I have had to strip several of the server responses of dashes, hopefully this time 8crosses fingers8

      Jesus, what a fucking pain in the ass. Is it really that painful to the community to have a few ASCII porn pics posted? Damn I hate to have to go through this huge fucking ordeal just to post a simple fucking comment. How about a goddamn lameness filter exemption for people with excellent karma? How many ASCII goatse.cx pictures have you seen posted with a plus 1 bonus?

      It still will not post. I have stripped just about every nonletter from my post and it still will not fucking go up. what next do i need to strip the punctuation and caps so that i can get more non motherfucking bullshit junk characters in my post i guess it just goes back to the saying often quoted on slashdot i will paraphrase those who give up essential posting liberties for a little temporary safety from goatsex deserve goatsex twentyfour seven i wonder if it has ever occured to the nitwits that run this site that people might actually want to post something that is meaningful to the conversation that is not plain old text sometimes it makes things much more readable if you have some formatting and punctuation in there to break things up a bit gee its news for nerds cant these guys forsee that some geeks are going to want to post code and other things that may have more punctuation and special characters than your standard text

      motherfuckers

      --

      Enigma
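The same checks as the MySQL session above, written here as an added Python example (not the poster's code) against a constructed SQLite copy of the post's two tables, with an md5() function registered so the SQL reads like the original queries; the sample users and the short common-password list are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed sample users (not data from the post). The plaintext column exists
# only to build the md5 column the way the post's auth table stores it.
SAMPLE_USERS = [
    # username, first name, last name, plaintext
    ("alice", "Alice", "Smith", "alice"),                   # password is the username
    ("bob",   "Bob",   "Jones", "Bob"),                     # password is the first name
    ("carol", "Carol", "White", "White"),                   # password is the last name
    ("dave",  "Dave",  "Brown", "password"),                # on the common list
    ("erin",  "Erin",  "Green", "12345"),                   # on the common list
    ("frank", "Frank", "Black", "plinth-otter-quartz-91"),  # not flagged
]

COMMON_PASSWORDS = ["password", "12345", "1234", "123456", "letmein", "qwerty"]


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_db(rows=SAMPLE_USERS):
    """Build the post's two tables in memory and expose md5() to SQL."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the queries read like the MySQL ones.
    conn.create_function("md5", 1, md5_hex)
    conn.execute("CREATE TABLE auth (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE contact (username TEXT PRIMARY KEY, fname TEXT, lname TEXT)")
    for user, fname, lname, plaintext in rows:
        conn.execute("INSERT INTO auth VALUES (?, ?)", (user, md5_hex(plaintext)))
        conn.execute("INSERT INTO contact VALUES (?, ?, ?)", (user, fname, lname))
    conn.commit()
    return conn


def count(conn, sql, params=()):
    return conn.execute(sql, params).fetchone()[0]


def audit(conn, common=COMMON_PASSWORDS):
    """Run the post's checks; return {check: number of accounts flagged}.

    This only works because the column is unsalted md5: identical passwords
    hash identically, so a guess can be compared with one query. That is also
    what makes such a table cheap for an attacker who obtains it; with a salted,
    slow hash the check has to move to password-change time instead.
    """
    results = {"total": count(conn, "SELECT count(*) FROM auth")}
    results["password_is_username"] = count(
        conn, "SELECT count(*) FROM auth WHERE password = md5(username)")
    # The post's joins have no join condition, so they also count a password that
    # equals some *other* user's name. Joining on username counts only self-matches.
    results["password_is_first_name"] = count(conn, """
        SELECT count(*) FROM auth AS a JOIN contact AS b ON a.username = b.username
        WHERE a.password = md5(b.fname)""")
    results["password_is_last_name"] = count(conn, """
        SELECT count(*) FROM auth AS a JOIN contact AS b ON a.username = b.username
        WHERE a.password = md5(b.lname)""")
    # One query for the whole word list instead of one per guess.
    placeholders = ",".join("?" * len(common))
    results["password_in_common_list"] = count(
        conn, f"SELECT count(*) FROM auth WHERE password IN ({placeholders})",
        [md5_hex(p) for p in common])
    return results


def flagged_accounts(conn, common=COMMON_PASSWORDS):
    """Usernames that fail any check, so they can be made to change their password."""
    placeholders = ",".join("?" * len(common))
    rows = conn.execute(f"""
        SELECT a.username FROM auth AS a JOIN contact AS b ON a.username = b.username
        WHERE a.password IN (md5(a.username), md5(b.fname), md5(b.lname), {placeholders})
        ORDER BY a.username""", [md5_hex(p) for p in common]).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print(audit(db))
    print("force password change for:", flagged_accounts(db))
```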

    41. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 1, Funny

      120 baseball
      118 2112
      116 letmein
      Lol. I love to see that the RUSH geeks represent. -geddy (no, really)

    42. Re:What were those commons passwords in Hackers? by Sycraft-fu · · Score: 1

      I dunno, NT4 only did 14 characters max. 2000 and XP supposedly do 255, though I can't personally verify that.

    43. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 4, Insightful

      That was an interesting post. But I'm replying more to what you said afterwards.

      You spent good time giving an informative message, which when you hit submit, it honestly should have taken..

      At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of how our DNS worked.. 18 lines with word "Address: ", and half starting with one /24 or another.. I stripped out whitespace, added lines, I almost gave up, but one word finally made it click..

      I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN'T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?

      I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outrageously high Karma by now (now only known as "Excellent")

      They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

      --
      Serious? Seriousness is well above my pay grade.
    44. Re:What were those commons passwords in Hackers? by boots@work · · Score: 4, Funny
      Nice post, though I can't understand what you think you're doing with hard data on Slashdot. :-)
      I was standing by one of the Kodak scanning stations... BTW, there are all kinds of interesting options to set on those machines. :)
      What, like force_image=goatse.jpg ?
    45. Re:What were those commons passwords in Hackers? by dotgain · · Score: 1

      I don't think it's a good idea to show dots or *'s as the password is typed. Someone could see how many there are. Once you know a password has seven letters, and not six or eight, you've narrowed it down one hell of a lot, thus saving you time for a brute force attack. Much harder to count the keyclicks you'd hear.

    46. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 2, Funny

      Hehehee... It didn't have internet access, or I would have.. But the Internet Kiosks at CompUSA have a mysterious habit of getting their home pages changed. :)

      I wish I could do something with those refrigerators with the touch screen WinCE/XP thing to do anything.. Every time I touch one it crashes, so I don't even know if they have connectivity.

      Ahhhh, the perfect diet.. Every time you go to the fridge, you see ... well, I'll not be descriptive.. I don't think I'd ever be able to eat again. :)

      --
      Serious? Seriousness is well above my pay grade.
    47. Re:What were those commons passwords in Hackers? by quintessent · · Score: 1

      2600? They're trying to H4X the H4X3R5.

      Look ma, I'm 133T.

    48. Re:What were those commons passwords in Hackers? by fucksl4shd0t · · Score: 2, Funny

      the list does include love, sex, god, and secret.

      That, of course, is because they are all frequently confused with one another, and none of them truly exist.

      --
      Like what I said? You might like my music
    49. Re:What were those commons passwords in Hackers? by jaavaaguru · · Score: 2, Insightful

      My website only stores encrypted passwords. Anyone on Slashdot who stores plain text passwords should be ashamed.

    50. Re:What were those commons passwords in Hackers? by packeteer · · Score: 1

      Why don't websites make a list of the most common passwords and if a user requests that one it automatically says "sorry but that password is too common and is easy for hackers to guess... try a different one" then some advice on how to pick a good one.

      --
      unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
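The check packeteer proposes, with the guesser's patterns from JWSmythe's survey post (the word reversed, a digit before or after it, case changes, number-for-letter swaps) folded in so that "Password1" and "drowssaP" are refused along with "password". Added Python example, not code from the thread; the word list is a constructed subset of the lists quoted above and the 8-character minimum is an assumption.

```python
import string

# Constructed word list (not the thread's full lists): a subset of the F-Secure list
# quoted above and of the top survey entries. A real deployment would load a much
# larger dictionary file, as the survey post suggests.
COMMON_PASSWORDS = {
    "password", "admin", "1234", "12345", "123456", "12345678", "qwerty",
    "letmein", "secret", "love", "sex", "god", "6969", "harley", "golf",
    "mustang", "shadow", "baseball", "test", "root", "abc123", "computer",
}

# Number-for-letter swaps: zero for "oh" and three for "ee" as the survey post says,
# plus the other usual ones.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8  # assumption for this example; the thread mentions sites requiring 6

REASONS = {
    "too_short": "that password is too short, use at least %d characters" % MIN_LENGTH,
    "username": "that password is your username (or your username backwards)",
    "common": "sorry but that password is too common and is easy for hackers to guess,"
              " try a different one",
}


def candidate_forms(password):
    """All the forms a dictionary cracker would reduce this password to.

    Mirrors the survey post's pattern list: the word itself, the word reversed
    (drow), digits before or after it ([0-9]word, word[0-9], user420), case
    changes and number-for-letter swaps. Whatever survives the stripping is
    what gets compared against the word list.
    """
    forms = set()
    bases = {password, password.lower(), password.lower().translate(LEET)}
    for base in bases:
        # Strip digit runs from either end, so "word7", "7word" and "user420"
        # all collapse to the bare word.
        variants = {
            base,
            base.lstrip(string.digits),
            base.rstrip(string.digits),
            base.strip(string.digits),
        }
        for v in variants:
            if v:
                forms.add(v)
                forms.add(v[::-1])  # drow
    return forms


def check_password(password, username, common=COMMON_PASSWORDS):
    """Return None if the password is acceptable, else a key into REASONS."""
    if len(password) < MIN_LENGTH:
        return "too_short"
    forms = candidate_forms(password)
    if username.lower() in forms:
        return "username"
    if forms & common:
        return "common"
    return None


def explain(reason):
    """Message to show the user; None when the password was accepted."""
    return None if reason is None else REASONS[reason]


if __name__ == "__main__":
    for pw, user in [("Password1", "alice"), ("ecila2003", "alice"),
                     ("5hadow99", "bob"), ("plinth-otter-quartz-91", "frank")]:
        print(pw, "->", explain(check_password(pw, user)) or "accepted")
```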
    51. Re:What were those commons passwords in Hackers? by Fweeky · · Score: 1

      Post ASCII art; some of Slash's regexp based filters will trip over (i.e. eat literally years of CPU time if allowed to run indefinitely) on certain strings, and such comments are allowed to pass. Just run your informative comment through cowsay(1) ;)

      You can look at the filter runner and the compression check in Slash/Utility/Access/Access.pm (filterOK()/compressOK()), but I can't seem to find the actual regexp's they use (should be in the db schema, but I guess you have to make your own).

    52. Re:What were those commons passwords in Hackers? by Typhon100 · · Score: 1
      Hooray for programs that let you set options to echo different numbers of *'s.

      -Typhon

    53. Re:What were those commons passwords in Hackers? by IanBevan · · Score: 1

      No 'fred'? I remember a survey years ago when one of the most common passwords was 'fred'. Don't know why? Look at your keyboard... perhaps it's more popular in the UK? Is 'fred' even a name in the US?

    54. Re:What were those commons passwords in Hackers? by MegaFur · · Score: 4, Informative

      I don't get it. Most times, windoze lets you look through workgroups and choose the one you want to browse them *graphically* (double-click). So there's no need to count the "_"'s. I suspect that your plan worked mostly 'cause you changed the workgroup to something other than "WORKGROUP" and a lot of people didn't think to look for workgroups with anything other than the default name.

      But if I did want to count the "_"'s, I could:
      1) I copy the "_"'s to the clipboard.
      2) I open notepad and paste the "_"'s.
      3) I count them. (= 10)

      (Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)

      But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.

      Yes, I know I'm being geeky and petty, but this is slashdot and I feel I should be allowed.

      --
      Furry cows moo and decompress.
    55. Re:What were those commons passwords in Hackers? by MegaFur · · Score: 2, Funny

      It reminds me of INTERCAL. In that joke programming language, approximately 33% of the lines have to say 'PLEASE'. If not enough lines say 'PLEASE', the compiler will say that you are rude and will refuse to compile your program. If too many lines say 'PLEASE', the compiler will accuse you of being overly polite. (It won't compile then either.)

      --
      Furry cows moo and decompress.
    56. Re:What were those commons passwords in Hackers? by Fembot · · Score: 1

      or ava :-)

    57. Re:What were those commons passwords in Hackers? by PurpleFloyd · · Score: 1

      Very few, but I would imagine that some people fill up the password field with as many 'x's as it will hold. The idea is that the extra 'x's will be truncated, and you end up with a sort of "universal password".

      --

      That's it. I'm no longer part of Team Sanity.
    58. Re:What were those commons passwords in Hackers? by mattrix2k · · Score: 0

      Well if that was on then people wouldn't be able to set the common passwords so they wouldn't become common. If you see what I mean.

    59. Re:What were those commons passwords in Hackers? by mattrix2k · · Score: 0

      OK convert that to decimal:

      There are 3 types of people [etc]
      0 - those who do not know binary
      1 - those who know binary
      2 - those who laugh cuz they think they do but don't
      3 - ??

      Thats 4 types of people ... hmm...

    60. Re:What were those commons passwords in Hackers? by iapetus · · Score: 1
      114 12345

      1-2-3-4-5? That's amazing, that's the same code I have on my luggage!

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
    61. Re:What were those commons passwords in Hackers? by Placido · · Score: 2, Funny

      >> They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

      Yeah. Those bugs that only occur sporadically are the hardest to debug.

      --

      Pinky: "What are we going to do tomorrow night Brain?"
      Brain: "I would tell you Pinky but this 120 char limi
    62. Re:What were those commons passwords in Hackers? by PhxBlue · · Score: 1

      My own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)

      505 "1234"

      That's amazing! I've got the same combination on my luggage!

      --
      !#@%*)anks for hanging up the phone, dear.
    63. Re:What were those commons passwords in Hackers? by You're+All+Wrong · · Score: 1

      "Is 'fred' even a name in the US?"

      Ask Mr. Flintstone.

      Phil

      --
      Your head of state is a corrupt weasel, I hope you're happy.
    64. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0
      > There are 11 types of people-Those who know binary,those who don't,
      > and those who laugh cus they think they do but don't.

      00 - those who do not know binary
      01 - those who know binary
      10 - those who laugh cuz they think they do but don't
      11 - ????

      Methinks _YOU_ don't know binary. Get an education, fuckwad.
      Actually, most people start counting at 1, not 0. Maybe you should get the education.
    65. Re:What were those commons passwords in Hackers? by chef_raekwon · · Score: 1


      i got it to work, i got it to work!!...err, wait. no sorry.....

      --
      We're like rats, in some experiment! -- George Costanza
    66. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      All your base are belong to us!

    67. Re:What were those commons passwords in Hackers? by Bohiti · · Score: 1

      I don't want to be a jerk.. (oh, who am I kidding?)

      I think what he meant was that his buddies had a workgroup called something like "_________".
      The only way to join a workgroup, in all the Windows versions I've seen, is to actually type it in. No browsing for which workgroup you want. So, anyone who wants to join his "________" domain has to know how many underscores there are. ..And as far as I know, there's no GUI way to get the name of a workgroup in Network Neighborhood into the clipboard. You can't highlight a workgroup and hit F2 (rename).

      I'm sure there is a command line program you could run that lists workgroups and domains, which you could redirect output to a file, but I can't find it. I thought "Net.exe view" would do it, but my win2000 version just lists computers in my current domain.

    68. Re:What were those commons passwords in Hackers? by El+Kevbo · · Score: 1

      Shit, I should go change my root password now.

      Don't worry, I already did it for you.

    69. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      A friend of mine had "***" as password for his user account in high school. That was kind of cute.

    70. Re:What were those commons passwords in Hackers? by egileye · · Score: 1

      It was nice of you to give the Slashdot readership the most popular passwords on your site. Now all we need is a few usernames to go with them...

    71. Re:What were those commons passwords in Hackers? by julesh · · Score: 1

      The client often demands for users to be able to 'recover' passwords without changing them, so there's not an awful lot we can do about it, in many cases. Of course, whenever this feature isn't requested passwords are encrypted.

    72. Re:What were those commons passwords in Hackers? by buswolley · · Score: 2, Funny

      Did you just give away the password to one of your 312 users? That wasn't very nice of you.

      --

      A Good Troll is better than a Bad Human.

    73. Re:What were those commons passwords in Hackers? by Deagol · · Score: 1

      Perhaps there was somebody clever on the network who was using smbclient? There's also a good number of programs which will comb a network looking for SMB and NetBIOS services.

    74. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1


      Mostly because users are lazy and complain a lot if they don't get their way...

      Unfortunately with one of our sites, I didn't get involved with it until it had been around for years, so all the users had already picked easy passwords for themselves.. But it applies to everything... I'd bet if Cmdr Taco looked at his list, he'd have similar password stats to mine.. Except he'd probably have a higher incidence of "slashdot" and "linux" as passwords..

      --
      Serious? Seriousness is well above my pay grade.
    75. Re:What were those commons passwords in Hackers? by Dman33 · · Score: 1

      Let's see here...

      6969, harley, golf, pussy, mustang, baseball...

      Looks like you admin a fraternity, eh?

    76. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1


      There are 260k usernames those came from.. Good luck though, too many tries and your IP is locked out indefinitely.. But I forgot to mention which site, and which database. The site I got it from uses several password databases for various (archaic) reasons.. Don't worry, even if you do guess it, the system will figure you out (300 failures and one login in 5 minutes? Duh.), and issue a new password to the user.

      If we didn't have precautions in place, I would have been a bit more nervous about posting anything..

      --
      Serious? Seriousness is well above my pay grade.
    77. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1


      Porn, actually. Funny how only a few were adult words, eh? Reading through the top 1000 or so, they're mostly variations on the 12345 theme, or dictionary words..

      --
      Serious? Seriousness is well above my pay grade.
    78. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 0

      Seriously! I specifically write all my applications with MD5 passwords. If you forget your password, you get a new one. Now, I could still check by MD5ing the string in question, but at least it isn't plaintext, and if it is a good password, it will be properly secured. Mod parent +5 insightful!

    79. Re:What were those commons passwords in Hackers? by E-Rock · · Score: 1

      Try this, it'll completely remove you from the browse lists.
      From a cmd line:
      net config server /hidden:yes

    80. Re:What were those commons passwords in Hackers? by default+luser · · Score: 1

      This is the concept I've been mulling over.

      Why do users need incredibly strong passwords, unless the people designing the authentication system and maintaining the databases aren't doing their job?

      If the password is difficult enough to survive a few hundred dictionary hack authentication attempts without breaking, it's good enough. By then you should invalidate the password and send off a new one to the user.

      I make sure my important stuff has good passwords: my banking, paypal, billpay, email, and web store accounts, that's all personal. But if I, say, sign up for a gaming site, or a forum like slashdot, I use a disposable password. I don't care if somebody hacks it, it's just an account, it's replaceable. Even so, I'm fairly certain you could not guess it within 1000 attempts, which makes it secure enough for me.

      --

      Man is the animal that laughs.
      And occasionally whores for Karma.

    81. Re:What were those commons passwords in Hackers? by Blkdeath · · Score: 1
      The client often demands for users to be able to 'recover' passwords without changing them, so there's not an awful lot we can do about it, in many cases. Of course, whenever this feature isn't requested passwords are encrypted.

      "If I can recover your password, so can a malicious user. Your temporary password is ... "

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    82. Re:What were those commons passwords in Hackers? by Lost+Engineer · · Score: 1

      I can't believe you counted all those x's just so you could post on /.

    83. Re:What were those commons passwords in Hackers? by Caffeine+Pill · · Score: 1

      So, out of curiosity - what passwords do you use?

    84. Re:What were those commons passwords in Hackers? by WNight · · Score: 1

      Well, it wouldn't be hard to get user names. Just go through sign-up procedures trying to come up with common names. Every time you're told to pick another you know it was already taken. And really, all the common first names and many irc nicks will be taken, so even without verification it'd be easy to guess.

      And you've said that over 10% of passwords are a certain pass. That's about ten guesses until you get in, on average.

      It wouldn't be hard to figure out which systems you run. Pull up whois records for voynetworks.com, then do a google for the information you find. Look for companies owned or admined by someone with similar info. You've said it's an adult site, so that narrows the search a bit.

      And really, even if we didn't find *your* sites, I doubt other sites have more intelligent users, so if we got bored we could just go guess passwords at other sites. :)

      btw, I like your logo. Classy and easily recognizable.

    85. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 1

      fine, make it 100 types of people, those who know it, those who don't, those who laugh cus they think they do but don't, and those who get angry cus they think they know it but don't.

    86. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1

      Well, it's your reputation. Or your liability.

      People submit pictures to one of our sites. You must have a valid userid to post to one of them. We've had law enforcement contact us with subpoenas before saying the pictures were acquired in the commission of a crime, so we handed over all the information we had.. If that was your account, the police would be knocking on your door.

      The most condemning case I can recall (and care to repeat) was a few years ago. I got the initial call at like 7pm Eastern. Los Angeles County Sheriff's District Attorney calling. I got the basic info, and got our lawyer on with him the next day so they could mull through everything (we cooperated fully).. Turns out this nice lady had nudie pictures in her house that her husband shot.. Someone broke in, roughed up her husband, and stole a whole bunch of stuff, including the pictures that were in her jewelry box. The robber scanned the pics, and submitted them to us as his own.. Apparently the IP and Email address we gave them was very helpful information.

      Do you want someone using your Email, or saying something in a public forum as you that you wouldn't want to say? hell, even Google spiders /. , so a simple search on slashdot can bring up what this almost safe account provides..

      Google Search for Default Luser on Slashdot.

      If my name is attached to something, I don't want anyone else using it. Well, I also don't use my real name online, but that's another story. :) I already know the FBI has both names in the same file (Thanks Werner, you dick. And you *STILL* owe me USD $2,000.)

      --
      Serious? Seriousness is well above my pay grade.
    87. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1

      Hehe.. About 15 different ones, depending on the applications and security required. All are combinations of letters (mixed upper and lower case) and numbers, usually with no meaning.. Sometimes it's a special meaning. The root password I used on an ex-girlfriend's server was a reminder I loved her. One number, two upper case letters, and 4 lower case letters, not in that order. If I use words, I usually misspell them badly, so I can say them verbally to someone who knows the password, without compromising it..

      PFY: What's the root password?
      BOFV: fucked.
      PFY: [typing] F@uch3d...[enter]

      (BOFV = Bastard Operator From Voyeurweb. hehe)

      Don't get any ideas. You can't SSH into any of our networks from outside. Your best bet would be to break into my apartment. Then you could SSH into an authorized workstation, who would then have access to particular servers to get to other servers.. A pain sometimes, but very useful to keep the script kiddies out.. You'd be amazed what people try.. I still have people scanning one machine I left FTP open on for the user "admin" and "root". Different IP's, different methods, but at least a few times a day. It's entertaining. :) Ok, sometimes I get bored. I'm thinking of writing a pseudo-shell that people can try to fuck around in, where I can fuck with their heads. :)
      Make it look like a Cray or some such, but every time you try to do something malicious, it'll laugh at you. :)

      > uname -a
      unicosmk md 2.0.2.29 unicosmk CRAY T3E
      > uptime
      03:45:29 up 168 days, 5:42, 168 users, load average: 105.02, 110.29, 108.96
      > rm -rf /
      You want to what? hahahaha!
      > cd /
      Can't go there
      > ls ~
      You can't look up there! PERVERT! :)

      --
      Serious? Seriousness is well above my pay grade.
    88. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1

      I'd give you a hint, but it wouldn't help much. I'll give you the sites in order of age.

      voyeurweb.com
      redclouds.com
      watchcams.com
      homeclips.com
      funbags.com
      proadult.com
      quantum.proadult.com

      There are two to four auth databases, depending on a variety of things that have happened since the site was created. So there, you have a whole bunch of sites to try...

      It wasn't 10% were "pass", that was the count of a database of 260k users, so the highest one (password: 1234) is used in 505 of 260,000 accounts, or 1:500. Since the password scanners picked up on those a long time ago (like, before I was doing security), those easy passwords go with harder usernames if they still exist. :)

      I'll give the short advisory first though. People password scan us all day every day..

      Too many wrong passwords from an IP, and you're blocked for 24 hours.

      Too many scans from a proxy, and the proxy is blocked indefinitely. I have a beautiful list of anonymous proxies should anyone want to buy it from me. :) I did notice that Slashdot is already blocking some for abuse (specifically Chinese). I'm thinking of sending the whole list over to Cmdr Taco so he can update his lists. :)

      If you do scan for passwords, and manage to get one right, the system will change the password for the user automatically, and Email the user with their new password, so before your script notifies you that you've won, we've already changed it. :) It's automated, so there's no lag time from us.

      Thanks about the logo. I actually just jacked the picture from voyeurweb.com (our biggest site), and mangled it a little with photoshop til it looked suitable for this page.. No one goes there, unless they're bored. Until recently the only place that the name showed up is as our DNS servers and on my Email.. :) Sometimes it shows up inside the site on stuff I'm developing if I haven't changed the name to the site it belongs with yet. Mostly, I got annoyed when people would tell me, "Your site is down", meaning the one associated with my Email address. Duh, like, no one goes there. Check vvd.com, that's another of my Email domains. :) It goes with vipervideo.com, which are more porn sites from a long time ago, with a company that only exists to pay webmasters and keep existing membership. Two people on staff check the mail daily, mostly to delete spam from their boxes.. Occasionally there is a customer query, but no real traffic. Some porn does really well (like voyeurweb.com), some didn't (like vipervideo.com).

      --
      Serious? Seriousness is well above my pay grade.
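      The lockout and auto-reset logic JWSmythe describes here and in comment 76 (block an IP after too many wrong passwords, and treat a success that follows a burst of failures as a guessed password that must be reissued), as an added defender-side example that is not code from the thread or from any of the sites named. The log line format, the thresholds, the user names and the IP addresses are all constructed for the example.

```python
"""Brute-force scan detection over constructed auth-log lines.

Added example; not code from the thread. Assumed (constructed) log format:
    <iso-timestamp> <client-ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20            # failures from one IP inside WINDOW -> block the IP
WINDOW = timedelta(minutes=5)  # sliding window for counting failures
BLOCK_FOR = timedelta(hours=24)
SUCCESS_AFTER_FAILS = 10       # a success after this many recent failures -> reissue password


class ScanDetector:
    def __init__(self):
        self.fails = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}           # ip -> datetime the block expires
        self.reset_users = set()          # users whose password must be reissued
        self.blocks = []                  # (ip, when) record of block decisions

    def _prune(self, ip, now):
        # Drop failures that have aged out of the window.
        q = self.fails[ip]
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, line):
        """Process one log line; return the verdict taken for it."""
        ts, ip, user, outcome = line.split()
        now = datetime.fromisoformat(ts)
        self._prune(ip, now)
        if self.is_blocked(ip, now):
            return "blocked"          # request from an IP still under a 24h block
        if outcome == "LOGIN_FAIL":
            self.fails[ip].append(now)
            if len(self.fails[ip]) >= FAIL_THRESHOLD:
                self.blocked_until[ip] = now + BLOCK_FOR
                self.blocks.append((ip, now))
                return "block"
            return "fail"
        # LOGIN_OK after a burst of failures: the password was guessed, not known.
        if len(self.fails[ip]) >= SUCCESS_AFTER_FAILS:
            self.reset_users.add(user)
            return "reset"
        return "ok"


def build_sample():
    """Constructed sample log: one normal login, one guesser that gets lucky,
    one scanner that trips the block threshold and then keeps trying."""
    base = datetime(2003, 3, 10, 3, 45, 0)
    lines = [f"{base.isoformat()} 192.0.2.4 alice LOGIN_OK"]
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.7 bob LOGIN_FAIL")
    lines.append(f"{(base + timedelta(seconds=12)).isoformat()} 203.0.113.7 bob LOGIN_OK")
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.9 carol LOGIN_FAIL")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()} 198.51.100.9 carol LOGIN_OK")
    return lines


def analyse(lines):
    det = ScanDetector()
    verdicts = [det.observe(line) for line in lines]
    return {
        "verdicts": verdicts,
        "blocked": sorted(det.blocked_until),
        "reset_users": sorted(det.reset_users),
    }


if __name__ == "__main__":
    result = analyse(build_sample())
    print("blocked IPs:", result["blocked"])
    print("users to reissue:", result["reset_users"])
```

      Two separate rules do the work: the per-IP failure count inside the window drives the block, and the success-after-failures rule catches the guess that lands before the threshold is reached, which is the case the counter alone would miss. In a real deployment the reissued password goes to the user by the notification path the site already trusts, and the window and thresholds are tuned to the site's normal failure rate.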
    89. Re:What were those commons passwords in Hackers? by julesh · · Score: 1
      "If I can recover your password, so can a malicious user. Your temporary password is ... "


      "The client is always right" (management).

    90. Re:What were those commons passwords in Hackers? by WNight · · Score: 1

      Oh I had misread your earlier message as saying that 10% of all passwords were 1234.

      And yeah, I can imagine you get a lot of scans. If I was to do this I'd either use proxies from major ISPs (where you likely have subscribers you wouldn't want to ban) or bounce at random intervals through many proxies, preferably private ones on friends' computers.

      I like the script that changes passwords. But why not just scan the database now, mail out secure passwords to everyone who fails the check, and in the future, mark all guesses from an IP tagged as a scanner as failure, regardless of what they guess?

      But, I can get more porn than I can, um... use, from The Hun's, other free services, Gnaughty (check this out) and p2p programs. It was for the intellectual exercise.

      And yeah, I've got a domain I use for mail (and private pages, and hidden links that are meant for friends but aren't supposed to be secure, like pictures from parties, etc) and it doesn't have a front page (or easily guessable page) and people tell us it's down even though we don't actually send anyone there.

    91. Re:What were those commons passwords in Hackers? by Blkdeath · · Score: 1
      "The client is always right" (management).

      Not when they're asking you to leave your (virtual) doors open at all times they're not. If a handful of clients are making demands that could put the data belonging to all of your clients at risk, sorry, but those clients just aren't going to get their way.

      Talk to your management about cost-benefit analysis some time.

      --
      BD Phone Home!

      Shameless plug. Like you weren't expecting it.

    92. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1

      Oh I had misread your earlier message as saying that 10% of all passwords were 1234.

      No problem. I wasn't very clear about it. I'm in the habit of doing lists with 'wc -l', and forget that only people that work with me all the time are used to it.

      And yeah, I can imagine you get a lot of scans. If I was to do this I'd either use proxies from major ISPs (where you likely have subscribers you wouldn't want to ban) or bounce at random intervals through many proxies, preferably private ones on friends' computers.

      Both of those are very popular.. People have been writing applications to scan for passwords for years, so they've become very practiced at better and better methods.. The best ones I've seen use lists of thousands of proxies, sending only a few requests through each.. Sometimes fresh proxies show up, but most of the script kiddies get their proxy lists from each other, so even a good proxy will get caught by the system pretty quick. They ruin their own proxy base pretty quickly all on their own..

      My biggest concern isn't even of Joe-user trying to get a password.. You're just one extra user in a base of hundreds of thousands. Who cares, right? But when you give that to 5 friends who then give it to 5 friends, then we have a whole bunch of users in (that's caught too). But the bigger problem is the people who scan for passwords just to post them to password sites. Now instead of 5 or 6 people coming in with that account, we can have 10,000 try within an hour. Some of those sites are big. They have their own set of rules in our security program. :) Password sites are very predictable though, so a few regular expressions can spot them coming a mile away.

      Once in a while, I'll check out the password sites we've caught, and look at the other sites listed. If they're running, very frequently the extra traffic will kill the servers (just like the /. effect, except they're all stealing). A lot of porn sites are very very small, and either are just virtual hostings, or just on one small server. That's where I'm lucky. We know we get lots of traffic, so we already have lots of servers up to handle the load. If I gave out a password today for all the /. users to look at free porn all day, we wouldn't take a hit in performance. A couple hundred Mb/s extra all day probably, but nothing we couldn't handle.

      Cmdr Taco should do a Slashdot Interview on us one day.. :) But then there are some things I'd like to ask him..

      I like the script that changes passwords. But why not just scan the database now, mail out secure passwords to everyone who fails the check, and in the future, mark all guesses from an IP tagged as a scanner as failure, regardless of what they guess?

      When I started, we already had 200k users in the database. I couldn't just reissue 90% of the passwords. People would be freaking out all over the place. The ones that we do change get rather pissy over it, but we have a legitimate reason for it, rather than just saying "because we want to." I'd *LOVE* to have a script go through the database, take every dictionary word and change it to a better password, and Email the user.. But, people would be ready to kill me when 200k users start complaining. :)

      But, I can get more porn than I can, um... use, from The Hun's, other free services, Gnaughty (check this out) and p2p programs. It was for the intellectual exercise.

      The funny part of my whole exercise in password security is that our biggest site, voyeurweb.com, has a whole lot of good free porn on it. The pay sites are just more specific. Like, redclouds.com has hardcore pictures in it, and homeclips.com has video clips. But a million or so people use voyeurweb.com every day just because it's free.. Well, and there's no popups or ads, so it's not obnoxious.. And it's fast.. That's one of the mandates from the bosses is that all the sites *HAVE* to be fast.

      And yeah, I've got a domain I use for mail (and private pages, and hidden links that are meant for friends but aren't supposed to be secure, like pictures from parties, etc) and it doesn't have a front page (or easily guessable page) and people tell us it's down even though we don't actually send anyone there.

      That's exactly the way voynetworks.com and vvd.com were for years, but then people would start sending complaints to my bosses who would then bitch at me.. It was easier to put up pages with a single image, than to explain to them once every month or so that we don't actually have any content on those names. :)

      --
      Serious? Seriousness is well above my pay grade.
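      Hash-only storage as described in comment 78 (no recovery, only a reset), together with the database sweep JWSmythe says he would like in this comment (flag every account whose password is a common word, reissue it, and tell the user), as an added example that is not code from the thread or from any of the sites named. It uses salted PBKDF2-HMAC-SHA256 from the standard library rather than the bare MD5 comment 78 describes; the user store, the user names and the short common-password list are constructed here.

```python
"""Hash-only password storage plus a weak-password audit and forced reissue.

Added example; not code from the thread. Stored record format (assumed):
    pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing salted hash record for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive the hash from the candidate and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def reset_password(store, user):
    """The only 'recovery' path: issue a fresh random password, store its hash,
    and return the plaintext once so it can be sent to the user."""
    new = secrets.token_urlsafe(12)
    store[user] = hash_password(new)
    return new


# Constructed list of common passwords to audit against; a real sweep would
# use the full wordlist the scanners are known to try.
COMMON = ["1234", "password", "12345", "pass", "secret", "qwerty", "abc123"]


def audit_weak(store, wordlist=COMMON):
    """Return {user: matched_word} for every account whose stored hash matches
    a word in wordlist. Works on hashes only; no plaintext is kept anywhere."""
    weak = {}
    for user, stored in store.items():
        for word in wordlist:
            if verify_password(word, stored):
                weak[user] = word
                break
    return weak


def enforce(store, wordlist=COMMON):
    """Reissue passwords for every weak account; returns {user: new_password},
    which is what the notification e-mail to each user would carry."""
    return {user: reset_password(store, user) for user in audit_weak(store, wordlist)}


def build_sample_store():
    """Constructed sample user database: user -> stored hash record."""
    plain = {"alice": "1234", "bob": "Mis-sp3lt.phrase!", "carol": "password"}
    return {user: hash_password(pw) for user, pw in plain.items()}


if __name__ == "__main__":
    store = build_sample_store()
    print("weak before:", audit_weak(store))
    issued = enforce(store)
    print("reissued for:", sorted(issued))
    print("weak after:", audit_weak(store))
```

      Because each record carries its own salt and iteration count, the audit can only test candidates one user at a time, which is exactly what makes the same sweep expensive for anyone who steals the table; a plain unsalted digest would let one hash of "1234" be compared against every row at once.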
    93. Re:What were those commons passwords in Hackers? by Wolfrider · · Score: 1

      --DON'T DO THAT anymore. Change the policy by saying it's because of Sept 11, blah blah blah, changes that are out of your control from higher-ups and the stockholders, blahblah...

      --Recovering a password is STUPID. Force them to change their passwords and get with the Security program.

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    94. Re:What were those commons passwords in Hackers? by julesh · · Score: 1

      In what way does this open up data belonging to other clients to risk? All that it means is that if a hacker gained access to the server they would be able to log in to various web sites (i.e. those where the client has insisted on recoverable passwords) and masquerade as other legitimate users of the site. They wouldn't gain access to any data that they couldn't already get (because by implication they have access to the database on which the passwords are stored, which is the same database as all of the other personally sensitive information), and in no way would it grant further access to any of the other client information on the system. I fail to see where the costs are in this situation.

    95. Re:What were those commons passwords in Hackers? by WNight · · Score: 1

      A couple hundred Mb/s extra all day probably, but nothing we couldn't handle.

      Yeah, an interview with a company that didn't mind being slashdotted might not be a bad idea. So many sites die from CPU load even if they've got plenty of bandwidth.

      It'd be interesting hearing partially about what servers and what configurations you use, but also what design issues you found, especially as it looks like there's a fair bit of dynamic content.

      Ditto with slashdot, constructing all these huge pages on the fly. But, I guess 90% of their users don't go past the first page which is cached for most users.

      I'd *LOVE* to have a script go through the database, take every dictionary word and change it to a better password, and Email the user.. But, people would be ready to kill me when 200k users start complaining.

      So many good security ideas get ditched because users don't want security, until after there's a problem.

      Well, and there's no popups or ads,

      Not that I see them these days... But yeah, popups are the mark of a cheesy desperate site. Sites with real content want you to stay with them, not go somewhere else for a banner click.

      That's one of the mandates from the bosses is that all the sites *HAVE* to be fast.

      Smart. That's one thing that sends people away quickly. I didn't browse too deeply but all the pages I opened off the front page popped right open, even when I opened all the links at once. Sounds nice to have bosses with a clue!

      You appear to be based in Tampa. I was there just recently on my honeymoon. (St. Pete beach actually, but we went into Tampa for Busch Gardens.)

      If I wasn't thousands of miles away I'd ask if you were looking for a perl/postgres/php guy. (I usually say 'back-end developer' but for a porn site it sounded ... wrong.)

    96. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 1


      Yeah, an interview with a company that didn't mind being slashdotted might not be a bad idea. So many sites die from CPU load even if they've got plenty of bandwidth.


      Since they'll never interview us, I'll just post what I know when people ask. :)


      It'd be interesting hearing partially about what servers and what configurations you use, but also what design issues you found, especially as it looks like there's a fair bit of dynamic content.


      We use cheap, fast servers, and lots of them. :) A long time ago we considered buying single big expensive machines, or lots of little cheap ones.. The decision was really made for us by a company that used to host Voyeurweb.. At the time (years ago), it was run on four 200MHz Pentium machines, and only had a couple hundred thousand users. Three of those machines are the reason for our legacy names that you still see on the site (www.voyeurweb.com, ww3.voyeurweb.com, and voy.voyeurweb.com), even though they no longer reference individual servers.

      Those machines were being overwhelmed, so the hosting company bought a huge multi-processor Sun machine to do the job.. I believe the price tag was like $40k. They moved all the sites over to the new server, and it just barely took the load.

      It was shortly after that, that we met up with Igor, and Igor decided that we should be what Voyeurweb is now.. We decided at the time to buy 10 relatively cheap decent servers to handle the sites, plus have room to grow. 9 of these machines were AMD K6 450MHz with 256MB RAM and IDE hard drives. They cost roughly $1000/each. With Apache configurations identical to the old servers, we managed to pull about 8Mb/s per machine, which was more than enough then... Over the next few months, we played with tweaking the Linux kernel (it needed lots of tweaking back then), and tweaked Apache up a bit.. We got up to 32Mb/s before Apache couldn't keep up on these machines (too many processes, not enough memory). We then went exploring other web server software, and found thttpd.. These same machines could now serve 80Mb/s...

      We retired all those old machines a couple months ago. I have some of the parts in a cabinet in my office now, that we're putting back up as little servers as needed, from the parts that still work right. The motherboards and CPU's are all fine. Some of the memory isn't perfect, so it gets tossed. Hard drives and power supplies were most of our failures. We got years of service out of them, so I honestly have no complaints.

      Most of the new Voyeurweb servers are Asus 1400r servers. Dual 1.4GHz PIII, 2GB RAM, IDE hard drives.. Honestly, they're beautiful machines that you can get real cheap. They can each serve 150Mb/s without flinching. It took adding TEQL to the kernel, and having two network cables plugged in. thttpd works better with multiple instances each bound to its own IP, at this kind of load, but it's a small sacrifice... With the current kernel (2.4.20), we're down to just a few boot-time kernel changes using /proc/, the most important being /proc/sys/fs/file-max

      We do free hosting for sites that use our "ProAdult" authentication. Those go on identical machines, usually in pairs for redundancy.. There are other machines on the network, that we've built out experimenting with them over the years.. I made some really nice machines with CalPC cases, and Asus motherboards.. Unfortunately, they're hard to cool. A couple companies make good CPU fans for 1u cases. We had to put an additional blower fan in to keep the CPU at a reasonable temperature.. Actually, they're from Radio Shack. :) It fits perfectly between the motherboard and the side of the case, and you can plug it straight into the chassis fan connection on the motherboard..

      We're using the Asus machines more now though, because they have a great cooling method, and almost no machine failures.

      --
      Serious? Seriousness is well above my pay grade.
    97. Re:What were those commons passwords in Hackers? by WNight · · Score: 1

      We got up to 32Mb/s before Apache couldn't keep up on these machines (too many processes, not enough memory). We then went exploring other web server softwares, and found thttpd.. These same machines could now serve 80Mb/s...

      Big difference. Shows the importance of a *lot* of RAM for servers.

      We had to put an additional blower fan in to keep the CPU at a reasonable temperature.. Actually, they're from Radio Shack. :)

      My biggest problem when building 1u cases for my old job was finding blowers. I should have tried Radio Shack. (None of the computer stores had heard of them, and the electronics stores didn't seem to carry them.)

      We used to use one staging server, but when you have 20+ machines rsyncing a lot of data all at once, it was enough to saturate the line it was on rather quickly.

      Why not keep a directory containing the old content on the staging server. Generate diffs locally and send that out, it should be easier on your bandwidth.

      On this subject, I wonder if anyone has written a broadcast file server to run on ethernet... That way your server only has to send one copy of the file, as long as there aren't any routers in between which might drop broadcast packets. Security might be an issue but should be solvable fairly easily, or just worked around by using isolated ethernet segments.

      We switched over to MySQL, and now have 1.9 million messages in the system.

      I haven't used MySQL, but I work with Postgres a bit. I don't know enough SQL to appreciate the features it has over MySQL so I suppose either would work.

      1.9 million messages is a lot. My news system (kinda like a message board, but without threads) has nine right now. :) I anticipate it'll get up into the thousands when fully deployed, but still nowhere near.

      I have a whole bunch of project ideas, but can barely begin to explain how to do them.. Some of it could revolutionize the way people access the Internet.. I really need to get a site set up and put stuff like that on it..

      Yeah, that'd be neat. I'd check them out at least and discuss them.

      I saw your post in the robot car thread. I hope you get a few people involved. Even if you don't get an entry that can compete you'll have fun doing it.

  2. Microsoft's fault? by thriver · · Score: 1, Insightful

    Please tell me why isn't it Microsoft's fault? Shouldn't the service be turned off by default and when it is turned on, FORCE the user to set a proper password?

    1. Re:Microsoft's fault? by Anonvmous+Coward · · Score: 5, Insightful

      "Please tell me why isn't it Microsoft's fault? "

      Please tell me how it's MS's fault that people pick easy to guess passwords?

    2. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Yes, because it definitely makes sense to not have an option to have a passwordless share - especially in an office environment. [/sarcasm]

    3. Re:Microsoft's fault? by MattCohn.com · · Score: 1

      Does it in Linux? First off shares aren't shared UNTIL YOU SHARE THEM. Secondly, in all Windows versions before NT/2K when you made a share with no password it warned you and yelled at you but it would let you do it. I want to be able to do what I want, even if it means a share w/o a pass. And in the later versions of Windows when network shares are linked w/ username/login combos, the default is to only allow the creator access. All other users must be specifically set. It's not Microsoft's fault this time, sorry.

    4. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      For all of slashdot that bitches about choice, I can't believe this was said. I don't want anyone forcing me to do anything. If I want a share with a weak password on my network, for my family to gain easy access, then I want to do it. I'll make sure that the systems get used properly so worms like this one don't cause any trouble.

    5. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Name 1 version of RedHat Linux that didn't have a remote root hole. This includes 8.0. Every version of RedHat has had a remote root hole in the default install. If you can find one version that did not please let the world know.

    6. Re:Microsoft's fault? by Anonymous Coward · · Score: 5, Funny

      Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.

    7. Re:Microsoft's fault? by AvitarX · · Score: 4, Interesting

      what about c$? or admin$?

      not all shares are manually set.

      if the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT4.0 that I don't know about).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    8. Re:Microsoft's fault? by fshalor · · Score: 3, Interesting

      Um, actually there are a lot of "default" shares lying around ripe for the picking. In win98, I believe it's only the system root and all the drives. I think the same are enabled in win2k. You can disable them, but they come back upon reboot. In win2k, by default, the service which must run isn't enabled, but under win98, it's trivial to hack around and get any of the default shares. These are ones which you don't see, by the way.

      --
      -=fshalor ::this post not spellchecked. move along::
    9. Re:Microsoft's fault? by lavalyn · · Score: 3, Informative

      Go look at your computer's C$ share. This is the default share on a fresh 2K install.

      Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!

      --
      Doing the Right Thing should not be preempted by making a buck.
    10. Re:Microsoft's fault? by Anonvmous+Coward · · Score: 1

      "Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault."

      I hear ya man. I wonder when the Slashdot Community's going to realize that they cry wolf way too often when it comes to Microsoft. I wonder how many people read Slashdot headlines and say "Dammit, I have to read the article to see whether or not their accusation's really true."

      It'd be interesting to see a stastic on how many times the term "RTFA" is used in topics containing the word "Microsoft" in them and how it compares to non-related articles.

    11. Re:Microsoft's fault? by shamilton · · Score: 3, Informative

      It's not hidden in nt/2k/xp. Though when you try to delete it, you get told it's there and necessary for administrative purposes.

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    12. Re:Microsoft's fault? by Guppy06 · · Score: 5, Interesting

      "Please tell me how it's MS's fault that people pick easy to guess passwords?"

      Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.

      Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

      Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.

      The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

      True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

      No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.

    13. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Please tell me how it's MS's fault that people pick easy to guess passwords?

      Many systems do test passwords to ensure certain standards of complexity are met (minimum length, alpha and numeric, more than a single dictionary word, etc.). Personally I find this annoying and intrusive; I don't mind a system pointing out the poor choice of password, but I don't like it forced on me. But if it's done well, like the error message describes exactly what is required of a viable password, it's not that bad.

      However, there are other things beyond just the password complexity that MS could do differently to reduce the prevalence of this problem. For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary. It's quite easy for bumbling medium-savvy people to get network sharing just enough to get files from their laptop to their PC, without ever realizing that they're opening themselves up to this vulnerability.

      Another thing might be to add successively longer password processing delays as incorrect passwords are attempted. I don't know if they're doing this or not, or if the attackers are doing enough guesses for it to matter, and this could be frustrating if you're trying to guess a half-remembered password yourself. But it could prevent large-vocabulary dictionary attacks. Combined with password complexity requirements (e.g., must be letters and numbers), this would be even more effective, since more guesses would be required for dictionary permutations.

      I'm not suggesting MS should be castigated for the current breaches, but I would suggest that there are different ways they could try to inform users and otherwise reduce attack risks in future Win releases. It's an area I expect they'll try to improve now.

    14. Re:Microsoft's fault? by NetJunkie · · Score: 2, Informative

      If I have the Administrator password I can do anything I want...whether the default shares are there or not. I can easily connect to the system and share the drives out myself. The worm could just as easily do that.

      XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names.

    15. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      A stastic? Is that related to spastic?

    16. Re:Microsoft's fault? by ubernostrum · · Score: 2
      Please tell me how it's MS's fault that people pick easy to guess passwords?

      Well, it's not necessarily their fault, but I'm used to my Linux box where I'm not allowed, for example, to select a word in the dictionary as a password. On MS OSes, having some sort of feature to disallow exceedingly weak passwords wouldn't be too hard to implement and could do a lot for the security of the system . . . heck, just a simple routine that disallows "admin" and "password" would probably take care of half the machines that have been infected by this thing.

    17. Re:Microsoft's fault? by ahaning · · Score: 5, Funny

      For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary.

      It's a good thought, but consider this:

      You should be warned that ena*click*

      Are you sure that you want*click*

      Sweet. My files are shared.

      --
      Withdrawal before climax is very ineffective and those who try this are usually called "parents."
    18. Re:Microsoft's fault? by Guppy06 · · Score: 2, Informative

      "XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names."

      That's because you have it in a domain, using domain accounts. If you're not in a domain, the default local log-in method is that "family stuff" you're talking about.

      However, you are right; I was wrong about the default behavior. Instead of a user log-in, a default XP Home install will automatically log you in to the default account "Owner," an admin account with no password(!!!!!).

    19. Re:Microsoft's fault? by NetJunkie · · Score: 1

      If I have the admin password I can share out anything I want, even remotely...even with those shares. Once you have admin rights all bets are off.

    20. Re:Microsoft's fault? by NetJunkie · · Score: 1

      To get to that share you need local admin rights. If I have admin rights to the system I could just share them out. They don't give me anything. By the time I get the security I need to exploit them I could just create them.

      The remote management tools don't use those shares to do anything.

    21. Re:Microsoft's fault? by roolmarty · · Score: 5, Informative

      From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):

      To remove automatic creation of the administrative shares by using Registry Editor:

      • Start Registry Editor (Regedt32.exe).
      • Locate and then click the following key in the registry:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

      • Change the value of the AutoShareServer key to zero (0).
        NOTE: A setting of zero (0) prevents the administrative shares, such as C$, D$, and Admin$ from being created automatically.
      • Quit Registry Editor.

      NOTE: If the AutoShareServer key does not exist, create the AutoShareServer key by using the following steps:

      • Locate and then click the following key in the registry:
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
      • On the Edit menu, click Add Value.
      • Type AutoShareServer, click REG_DWORD, and then click OK.
      • Type 0, and then click OK.
      • Quit Registry Editor, and then restart the computer.

      And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)

      To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key and set its value data to 0:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

      These get rid of those pesky administrative shares.

    22. Re:Microsoft's fault? by shamilton · · Score: 1

      Nice, but I actually find the shares convenient at times. For instance, suppose I've taken my computer to my friend's house. I've got some mp3s he wants to play, but alas I have brought only my headphones. I could get up and go all the way over to my computer, but instead I can just open \\mycomputer\D$ and enter the password when it asks. No need to point out security implications.

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    23. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Please tell me how it isn't their fault it's so f'ing easy to drop an executable into the startup folder?

    24. Re:Microsoft's fault? by lavalyn · · Score: 1

      To get to that share you need the credentials of the local admin. What is the default password on that share? It's the local admin's password. What is the likelihood that the local admin of a Windows 2000 box at home is actually good?

      --
      Doing the Right Thing should not be preempted by making a buck.
    25. Re:Microsoft's fault? by Spy+Hunter · · Score: 1, Insightful

      It's MS's fault if people often pick easy to guess passwords and they didn't plan for that when they built Windows. It's a user-interface sort of issue. If you don't anticipate what your users are going to do, you're partly to blame for the resulting problems. Windows should ship with a list of common passwords and a checker that makes sure the password isn't common, in the dictionary, or weak for various other reasons. Most UNIX systems have this built into the password changing mechanism. Also, Windows should NEVER EVER allow a blank admin password.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
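The checker the post above asks for, written here as an added example for this thread (it is not code from Windows or from any poster). It mirrors the three rules Windows' own complexity filter applies (minimum length, no account name inside the password, at least three of four character classes) and adds a blocklist of common choices. The blocklist entries, the 8-character minimum and the keyboard-sequence check are assumptions chosen for illustration, not Windows defaults.

```powershell
# Added example, not code from Windows or from any poster in this thread.
# Approximates the Windows complexity filter (length, account name, 3 of 4
# classes) and adds a common-password blocklist. Thresholds and list entries
# are assumptions for illustration.

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Password,
        [string]   $AccountName   = '',
        [int]      $MinimumLength = 8,
        [string[]] $Blocklist     = @('password', 'admin', 'administrator', '123456', 'qwerty', 'letmein')
    )

    $reasons = New-Object System.Collections.Generic.List[string]
    $lower   = $Password.ToLowerInvariant()

    if ($Password.Length -eq 0) {
        $reasons.Add('blank password')
    } elseif ($Password.Length -lt $MinimumLength) {
        $reasons.Add("shorter than $MinimumLength characters")
    }

    if ($Blocklist -contains $lower) { $reasons.Add('on the common-password blocklist') }

    # Windows rejects passwords containing the account name; require 3+ chars
    # so a one- or two-letter account name does not match everything
    if ($AccountName.Length -ge 3 -and $lower.Contains($AccountName.ToLowerInvariant())) {
        $reasons.Add('contains the account name')
    }

    # Character classes: upper, lower, digit, other. -cmatch is case-sensitive.
    $classes = 0
    foreach ($pattern in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $pattern) { $classes++ }
    }
    if ($classes -lt 3) { $reasons.Add("only $classes of 4 character classes") }

    # Keyboard or numeric runs such as 1234 / qwer, and a single repeated character
    if ($Password.Length -ge 3 -and
        ('1234567890'.Contains($lower) -or 'qwertyuiop'.Contains($lower) -or 'asdfghjkl'.Contains($lower))) {
        $reasons.Add('keyboard or numeric sequence')
    }
    if ($Password.Length -ge 2 -and $Password -cmatch '^(.)\1+$') {
        $reasons.Add('single repeated character')
    }

    [pscustomobject]@{
        Weak    = ($reasons.Count -gt 0)
        Reasons = $reasons.ToArray()
    }
}

# Constructed sample inputs; 'owner' is the XP Home default account name
foreach ($candidate in '', 'password', '123456', 'Owner2003', 'Tr0ub4dor&3') {
    $r = Test-WeakPassword -Password $candidate -AccountName 'owner'
    '{0,-14} weak={1} {2}' -f ('"' + $candidate + '"'), $r.Weak, ($r.Reasons -join '; ')
}
```

A check like this only helps at the moment a password is set; it does nothing for accounts that already have a weak or blank password, which is the population a share-guessing worm actually finds.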
    26. Re:Microsoft's fault? by _xeno_ · · Score: 2, Informative
      Or, for the terminally lazy, cut the following and save it as a .REG file. (For example, "Disable Admin Shares.reg".)

      ----CUT HERE----
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
      "AutoShareServer"=dword:00000000
      "AutoShareWks"=dword:00000000
      ----CUT HERE----

      Note the italicized line. Slashcode inserts a space there to prevent me from "page widening". Remove that space. If the lines wrapped, then the line in italics should be one line and not two.

      Once the file is saved, right click and choose "Merge". (Or just double click/single click/whatever to cause the default action to take place.) Merge the values into the registry, and this will set the keys mentioned above without the need to play with the registry. Reboot, and you should be all set to delete the C$..Z$ and ADMIN$ shares. Damn those things annoyed me - thanks for the post!

      --
      You are in a maze of twisty little relative jumps, all alike.
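The registry steps in the KB excerpt and the .REG file above, as one script that audits the current state and can apply the change, added here as an example for this thread (not code from the KB articles or from any poster). Run it from an elevated PowerShell. It assumes the Server service is registered as `LanmanServer`, which holds on NT-family Windows.

```powershell
# Added example, not code from the KB articles or from any poster in this thread.
# Reads AutoShareServer/AutoShareWks, lists the C$/D$/ADMIN$ shares that exist
# right now, and optionally turns them off. Assumes the Server service name
# 'LanmanServer'. Run elevated.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShareState {
    $p = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
    # An absent value means the default, which is "create the shares" (1)
    $server = if ($null -ne $p.AutoShareServer) { [int]$p.AutoShareServer } else { 1 }
    $wks    = if ($null -ne $p.AutoShareWks)    { [int]$p.AutoShareWks }    else { 1 }
    # Win32_Share exists on every WMI-capable Windows; Get-SmbShare needs 8/2012 or later
    $admin = Get-CimInstance -ClassName Win32_Share |
             Where-Object { $_.Name -match '^([A-Z]\$|ADMIN\$)$' } |
             ForEach-Object { $_.Name }
    [pscustomobject]@{
        AutoShareServer = $server
        AutoShareWks    = $wks
        AdminShares     = @($admin)
    }
}

function Disable-AdminShares {
    param([switch] $RestartServerService)
    if (-not (Test-Path $lanman)) { New-Item -Path $lanman -Force | Out-Null }
    # Set both: AutoShareServer is honoured on server SKUs, AutoShareWks on workstations
    Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
    # The registry values only stop re-creation; shares that already exist must be
    # deleted, and without the registry change the Server service would bring them back
    foreach ($name in (Get-AdminShareState).AdminShares) {
        net share $name /delete | Out-Null
    }
    if ($RestartServerService) { Restart-Service -Name LanmanServer -Force }
}

Get-AdminShareState
# Disable-AdminShares -RestartServerService
```

Two things to check before running the disable step on a managed machine: IPC$ is not an administrative share in this sense and stays, and tools such as PsExec copy their service binary through ADMIN$, so remote administration that depends on it breaks. The shares are also only reachable with a local Administrators credential, so removing them narrows the exposure of a weak admin password without replacing the fix, which is the password itself.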
    27. Re:Microsoft's fault? by SomeGuyFromCA · · Score: 3, Informative
      Nice, but I actually find the shares convenient at times. For instance, suppose I've taken my computer to my friend's house. I've got some mp3s he wants to play, but alas I have brought only my headphones. I could get up and go all the way over to my computer, but instead I can just open \\mycomputer\D$ and enter the password when it asks. No need to point out security implications.
      So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
      --
      if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
    28. Re:Microsoft's fault? by IDIIAMOTS · · Score: 5, Informative

      Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.

    29. Re:Microsoft's fault? by shamilton · · Score: 1

      That would involve getting up and going all the way over there. My anecdote was meant to be nonspecific.

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    30. Re:Microsoft's fault? by pVoid · · Score: 3, Insightful
      Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default

      The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.

      Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

      Same as above, go you lumberjack... GO NOW!

    31. Re:Microsoft's fault? by TClevenger · · Score: 1

      It's even worse with XP Home. A customer bought a Dell with that piece of crap loaded. I set up user accounts for each member of the household, but in XP Home they're either "user" (in which case a LOT of programs won't even run) or Administrator. (You have to pay for XP Professional to get "Power Users" back.) I set everyone up as Administrator and told them to call me when they get hacked and want a Real OS installed.

    32. Re:Microsoft's fault? by roolmarty · · Score: 1

      Thanks for pointing out why I couldn't get rid of that damned space :)

    33. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      > The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

      The solution is to use a password for a login, and a login for a password :-(
      So the worm will fail as it checks for easy to guess passwords.

    34. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Stastically speaking, that is proper Slashdot spelling. ;-)

    35. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      in XP Home they're either "user" (in which case a LOT of programs won't even run)

      This is why we have Compatibility Mode

      I set everyone up as Administrator and told them to call me when they get hacked and want a Real OS installed

      (Emphasis Mine)

    36. Re:Microsoft's fault? by MJOverkill · · Score: 1
      By default, all system users are listed at the log-in screen for you to pick.

      You know, you can set the log in screen to be exactly like it is under Windows 2000 (logins not visible on the screen) right?

      By default
      You use that word 'default' quite a bit. Name me one operating system that is reasonably safe with its default install and configuration settings. It's not Microsoft's fault that these users do not know how to correctly configure their machines.

    37. Re:Microsoft's fault? by Herkum01 · · Score: 4, Funny

      The fact that your aunt has breast cancer is Microsoft's fault.

      THAT is what I have been telling everyone! Of course they don't believe me, and that is Microsoft's fault too!

      DAMN YOU MICROSOFT

    38. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Dude!!

      You rule!

    39. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Are you for real man?

      Who modded this guy up as anything but funny?!?

    40. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Are YOU for real? Log in to post, you coward! Anonymous replies only get anonymous replies. If you have a problem with what I've said, post it under your account and we'll discuss.

    41. Re:Microsoft's fault? by Lshmael · · Score: 1
      True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

      No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user.
      Too true. If you have Windows XP Home, you can't even use the Local Users things in Computer Management, because it isn't displayed. If you go to system32 and open the file manually, it gives you an error message similar to "You're using Windows XP Home Edition, and you can't use this. Give us more money and try again."
    42. Re:Microsoft's fault? by m_pll · · Score: 1
      have to pay for XP Professional to get "Power Users" back

      I've never used XP Home, so I'm curious... Is Power Users really gone (like, doesn't show up in 'net localgroup') or is it just hidden from the UI?

      I suspect it's the latter which means you can still use it.

      BTW, I hope you realize that if somebody is a Power User they can easily become an admin...

    43. Re:Microsoft's fault? by m_pll · · Score: 2, Insightful
      No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user.

      I'd say it was a design goal for XP Home... Try explaining to a typical home user why half of his games don't work if he's not an administrator.

    44. Re:Microsoft's fault? by Guppy06 · · Score: 1

      They're there in XP Pro, but not in XP Home.

    45. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      OMG!!! they should fix that naughty operating system so that it can't be compromised JUST BECAUSE the administrator password is weak! that's totally whack!

      oh and by the way, nothing has changed since NT4.0, so you don't know about nothing, dumbfuck.

    46. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      OpenBSD

    47. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      > Name me one operating system that is reasonably
      > safe with its default install and configuration
      > settings.
      OpenBSD.
      next question?

    48. Re:Microsoft's fault? by blincoln · · Score: 1

      On MS OSes, having some sort of feature to disallow exceedingly weak passwords wouldn't be too hard to implement and could do a lot for the security of the system . . .

      It's already there:

      Start -> Programs -> Administrative Tools -> Local Security Policy -> Account Policies -> Password Policy -> Take your pick

      Now, it would make sense to turn these options up high... for advanced users. The average home user would freak out if they had to deal with this kind of complexity, and not buy 2k/XP/whatever. Or they'd forget the admin password and have to reinstall Windows, and not buy the next version.

      It's always important to remember that most computer users are not anywhere near as technical as the vast majority of people who read sites like Slashdot.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
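The Local Security Policy path above, read and set from a script rather than the snap-in, added here as an example for this thread (not code from Windows or from any poster). It uses `secedit` to export the `[System Access]` section, adds the LSA value behind "limit local account use of blank passwords to console logon only", and reports the settings a share-guessing worm benefits from. The thresholds in `Test-LocalAccountPolicy` and the values written by `Set-LocalAccountPolicy` are assumptions, not Microsoft recommendations. Run elevated.

```powershell
# Added example, not code from Windows or from any poster in this thread.
# Exports the local password/lockout policy with secedit, reads the
# LimitBlankPasswordUse LSA value, flags weak settings, and can apply a
# hardened template. Thresholds are assumptions. Run elevated.

function Get-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    # secedit writes a UTF-16 .inf; Get-Content detects the byte-order mark
    secedit /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(MinimumPasswordLength|PasswordComplexity|LockoutBadCount|LockoutDuration)\s*=\s*(-?\d+)') {
            $policy[$matches[1]] = [int]$matches[2]
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    # "Accounts: Limit local account use of blank passwords to console logon only";
    # XP defaults it to 1, which is what keeps blank-password accounts off the network
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $policy['LimitBlankPasswordUse'] = if ($null -ne $lsa.LimitBlankPasswordUse) { [int]$lsa.LimitBlankPasswordUse } else { 0 }
    $policy
}

function Test-LocalAccountPolicy {
    param([hashtable] $Policy = (Get-LocalAccountPolicy))
    $findings = @()
    if ([int]$Policy['MinimumPasswordLength'] -lt 8) {
        $findings += "MinimumPasswordLength = $([int]$Policy['MinimumPasswordLength']) (0 permits blank passwords)"
    }
    if ([int]$Policy['PasswordComplexity'] -ne 1) {
        $findings += 'PasswordComplexity = 0: "password", "123456" and the account name are accepted'
    }
    if ([int]$Policy['LockoutBadCount'] -eq 0) {
        $findings += 'LockoutBadCount = 0: unlimited guesses against every local account'
    }
    if ([int]$Policy['LimitBlankPasswordUse'] -ne 1) {
        $findings += 'LimitBlankPasswordUse = 0: blank-password accounts can log on over the network'
    }
    $findings
}

# PasswordComplexity cannot be set with "net accounts", so all of it goes
# through a secedit template.
function Set-LocalAccountPolicy {
    $inf = Join-Path $env:TEMP 'secpol-harden.inf'
    $db  = Join-Path $env:TEMP 'secpol-harden.sdb'
    # Single-quoted here-string so that $CHICAGO$ is not expanded
    @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 10
LockoutDuration = 30
ResetLockoutCount = 30
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item -Path $inf, $db -ErrorAction SilentlyContinue
}

Test-LocalAccountPolicy
# Set-LocalAccountPolicy; Test-LocalAccountPolicy
```

Three caveats. Policy applies to the next password change, so existing blank or weak passwords stay until each account is changed. Account lockout is the Windows answer to the "successively longer delays" idea raised earlier in the thread, but it does not cover the built-in Administrator account unless that has been enabled separately (on NT 4 and 2000 via the Resource Kit's `passprop /adminlockout`), so that account still needs a strong password regardless. And a lockout threshold turns guessing into a denial of service against the accounts it protects, which is acceptable for a home box and worth thinking about for a shared one.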
    49. Re:Microsoft's fault? by F.Prefect · · Score: 1

      The "default" shares (c$, etc.) don't exist in either XP Home or Professional if they're not members of a domain. (I just did a clean non-domain install of XP Pro the other day, and was confused for a while about where my default shares had gone, that's how I know.) You have to explicitly enable sharing for those shares to be created. Since most home users don't have domains, and those who do should know about the shares, my guess would be that most home XP users are not affected by this one.

      Of course, once you enable file sharing the default shares are created, and you are therefore vulnerable. At that point it goes back to good old strong password requirements.

      --
      --Ford Prefect
    50. Re:Microsoft's fault? by muzzmac · · Score: 1

      You are in dangerous territory using the word "breasts" in any context on /.

      Dangerous online nerd stampede. Story at 6.

    51. Re:Microsoft's fault? by rastos1 · · Score: 1
      In other words:
      • those that actively set passwords are those that OS restricts
      • those that do not have a password are welcome
    52. Re:Microsoft's fault? by JWSmythe · · Score: 2, Insightful

      Aw, it's not always Microsoft's fault.. If it isn't, we can blame the stupid users for using easy passwords. I work with Point Of Sale systems occasionally (when people ask for help), and find stupid stupid stupid passwords there. Store ID's (like as printed on your receipt), the owner's name, or just "password".. Like, they want to make it easy for the stereotypical TV hacker to get in or something.. The best one that usually gets me stuck is just hitting [enter]. I usually start off with the assumption that they used *SOMETHING* as a password. Sometimes they don't.. "It's too hard for the staff to remember."

      Hey buddy, it's your security. If I come in when your cashier is on a smoke break and no one is looking, I'll just hit enter, cash out, and leave.. No problems here.

      I usually go into a 15 minute speech on how secure passwords are important, and how they must mix upper and lower case letters with numbers and characters, so as to *NOT* make dictionary words. "Password" doesn't count, duh. I've gone back to the same stores months later, and tried the old password, and it worked.. I don't even have to ask for access to their system, I just get in and start fixing for them..

      Good thing I'm a good guy.. I could just log in as their admin user, ring up a no-sale on all the registers, and leave.. I could even mark their logs that *THEY* cashed out all the drawers like they closed the day.. {sigh}

      We can't blame Microsoft for making their customers stupid. It's just like blaming AOL for making their customers stupid. They didn't. They marketed to stupid people who would buy anything.

      I don't even want to hear one word back from an AOL person on WinXP using MSIE.. You're their sucker.. You fell for getting the stupid AOL 9.999 CD and 100000 free hours, you bought Windows, and happily agreed to their licenses, and you probably bought a whole stack of beautifully hologrammed Microsoft products right along with your new Microsoft taxed computer, but you'll still bitch that it crashes, and wonder why I just look at you funny because my Linux machines never crash..

      I wish we had the time to educate people just a little bit.. But some of them are so dense it isn't even funny.. How do you tell them "Stop using AOL. You're paying $29.95 for a $19.95 service.."? It's like saying they're paying $30 at K-Mart for a cheap toy, when they could spend $20 for a toy that looks the same, but goes faster and is more fun to play with..

      Stupid consumers will still spend $30 because the TV Ad told them it's the best..

      You're the same people that will pay a couple hundred dollars for the next version of Windows that will still crash, and you'll still cry that it doesn't work.. You won't even consider that you've already bought Win3.1, Win95, Win98, Win2k, WinME, WinXP, and none of those have worked right. Maybe the next one will work properly? I have a beautiful bridge in Brooklyn to sell you too.

      Shall I rant?

      --
      Serious? Seriousness is well above my pay grade.
    53. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      "How the hell else would the worm get access to the StartUp folder?"

      Each Windows user has a personal startup folder for running bits and pieces in.

      Each user can access their startup folder to add programs and files to it.

      When you login, you can access your startup folder.

      Sheesh - if you're gonna have a go at the enemy, at least figure out what you're talking about, otherwise you sound like Colin Powell on a bad day at the UN... uninformed, unintelligent, or just trying to be smart? Who knows...

    54. Re:Microsoft's fault? by HawkingMattress · · Score: 1

      Seriously, if they let you have a blank password, it's their fault. They know a lot of their users do not know about security problems, so they should lead them, and maybe give a simple explanation...

    55. Re:Microsoft's fault? by gl4ss · · Score: 1

      lumberjacks need computers too...

      microsoft makes operating system for clueless people, they should take that into account when they're making some 'handy' default shares like that, most normal users will just want to access their computer without password, but will not have any remote access enabled(and actually believe it to be default configuration).

      --
      world was created 5 seconds before this post as it is.
    56. Re:Microsoft's fault? by MarcQuadra · · Score: 1

      I know a lot of idiots who installed XP and don't pick anything harder than '123' for their admin password. Most of the people I deal with always say "What would a hacker want with me? I don't keep anything important on the computer." Even though they keep their email, finances, personal correspondence, and credit information on them.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    57. Re:Microsoft's fault? by lamename · · Score: 1

      I've been saying the same thing and nobody believes me either! I think they are just jealous because they don't hear the voices...

    58. Re:Microsoft's fault? by deadsaijinx* · · Score: 1

      Do you know a place where i could find a good guide explaining how to remote connect, many thanx!

      --
      YOU SUCK BALLS!
    59. Re:Microsoft's fault? by suraklin · · Score: 1

      I appreciate your rant, marketing in this country is indeed aimed at the lowest common denominator. And the sheeple buy whatever is crammed down their throat.

      I do have a slight issue though with your claim of Win2000/XP not "working" right. BeOS 4.5 is my main OS right now since it does most of what I need to do. I do however have a dev/gaming machine that runs WinXP Pro. This machine is always on and I have only had one lockup, and that was from bad video drivers. Otherwise XP is the most stable version of Windows yet.

      Here is a better question. Would you rather have these people bitching that Windows always crashes, or bugging you because they cannot figure out how to configure Linux?

    60. Re:Microsoft's fault? by Jon+Abbott · · Score: 1

      You're alive! My long lost roommate from yore. Do you have those tickets for the show on St. Patty's Day?

    61. Re:Microsoft's fault? by freeze128 · · Score: 1

      Hey! My aunt died from breast cancer, you insensitive clod!

    62. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      So you can install an OS that won't run 90% of the stuff the average family wants to run. Riiight.

    63. Re:Microsoft's fault? by operagost · · Score: 1

      Right click My Computer and choose Manage. Select Local Users and Groups.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    64. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      Why does the average user need those "administrative shares"?

      If they didn't enable these shares, the admin password would be useless unless you had access to the physical machine.

    65. Re:Microsoft's fault? by TClevenger · · Score: 1

      Yup, after you wade through the bubble gum to get to the "real" Local Users and Groups, you get "User" or "Administrator." "Power user" is not an option.

    66. Re:Microsoft's fault? by TClevenger · · Score: 1
      BTW, I hope you realize that if somebody is a Power User they can easily become an admin...

      How can they do that?

    67. Re:Microsoft's fault? by Anonymous Coward · · Score: 0
      Hmmm...

      You don't really know Windows do you. Well, let's put it this way, if you had a linux box with an easy way to get root SSH, would it matter if you had SMB shares with no security on them?

      If a win box has a blank admin password, it can be made to execute many things, including opening up a share.

    68. Re:Microsoft's fault? by JWSmythe · · Score: 1

      So, you're the other BeOS User. :)

      One of the guys in our Tampa office used to be a hard-core Be user.. We used to joke that their user base was 2, so there must be one other user out there. :) It was a joke, honest. We both liked Be.. It didn't support my video card, so I went back to Linux..

      On your Windows question though, how many Windows users do you know that can configure Windows themselves? Pick a random home Windows user, and port scan him. Then ask them why they have all kinds of services open. Even "advanced" users get all kinds of confused.. I had one Email me last week absolutely screaming about how we had routed his IP to the wrong network.. Turns out he had turned off the ethernet interface because he didn't think he needed it.. And on his Email tagline, he's an MSCE+I, or some such nonsense..

      Windows users don't configure their machines. They come from the factory set one way, and that's how they stay forever (pretty much). We could be selling machines with Linux to be exactly the same way..

      I've told Windows users to open a DOS window and type "ipconfig" (or winipcfg as correct), and they get lost just after clicking "Start-->Run". Users are all stupid, it doesn't matter what they run.. I think Apple has done a beautiful job of proving it.. They've successfully converted their users over to Unix (OS/X). As long as you don't put the scary "Unix" name on it, they aren't scared. :)

      --
      Serious? Seriousness is well above my pay grade.
    69. Re:Microsoft's fault? by Sneftel · · Score: 1

      How the hell did you get that? No password == No remote access. Password = remote access. Those that actively set passwords are welcome. Those that do not, are not.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    70. Re:Microsoft's fault? by BuckaBooBob · · Score: 1

      For XP they really should have a good password tutorial before it asks you for a password to lock your system down... Most people never think of merging two words together with every other letter... But why would MS do anything good for a customer :)

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
    71. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      But that's the design fault, isn't it? Why should one need to be an administrator to run a game? Why should one need to be an administrator to install a game? What should happen is the way Mac OS X handles it: Run as a normal user (with admin privileges). If the app needs administrator privileges, it asks for the user's password again. If the account was set up with admin privileges (like the first account created is), then the user's password works, if not... No go. Kind of like using sudo.

      This is a much safer way to handle admin privileges, and you'll find out that very little (system updates, and backup software are the biggies) need to have admin access.

    72. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      blah blah blah....... Win 2K when used by SOMEONE WHO KNOWS WHAT THEY'RE DOING is as reliable as Linux. Linux used by a rank amateur will be as unreliable as 2K/XP when also used by a rank amateur. I think your real complaint should be to Microsoft for making PCs easy to use for people that just want them to work (or not as the case may be) - after all, it's not right that the peon masses get to play with this stuff, is it?

    73. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      So the problem is these machines have the equivalent of sshd running on them when the users don't need them?

    74. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      So another Linux guy cant find the correct Windows settings and guesses that the only way to fix the problem is to give everyone root access?
      It's called compatibility mode - real Windows users know about such things. Now I've told you, will you go back to that family and set their PC up properly? Thought not.....

    75. Re:Microsoft's fault? by ubernostrum · · Score: 1
      The average home user would freak out if they had to deal with this kind of complexity, and not buy 2k/XP/whatever. Or they'd forget the admin password and have to reinstall Windows, and not buy the next version.

      So why have a password at all? It just complicates the user's life because he has to remember it or, worse, write it down somewhere.

      Microsoft really ought to do their users a favor and just do away with user authentication; only advanced users really need it, and they can find it buried in Start -> Programs -> Admin -> Security -> Programs -> Admin -> Local Policy - Policies -> Passwords -> Admin -> Password Restrictions -> Dictionary Options . . . it practically glares out at you from there.

    76. Re:Microsoft's fault? by m_pll · · Score: 1
      Power Users have write access to %programfiles%, %systemroot% and HKLM\Software. A power user could modify a CLSID key to point to his own dll and wait for an admin to instantiate this object. Or replace a file that's not protected by Windows - such as a dll/exe from a 3rd party product installed to Program Files.

      Like many other features in Windows (such as 'disable command prompt' policy) Power Users exist for ease of administration, not for security. It can prevent users from shooting themselves in the foot but it will not stop a determined hacker.

      On the other hand, BUILTIN\Users does represent a real security boundary. There is no way a normal user can elevate himself to an admin.
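The two conditions m_pll describes (a non-admin group with write access to Program Files, the Windows directory or HKLM\Software, and a CLSID InprocServer32 entry that group could redirect or a DLL it could replace) can be audited directly. The script below is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later in an elevated session, and the identity list, CLSID cap and write-bit mask are choices made for this example.

```powershell
# Added example, not code from the thread. Finds objects a non-admin group can
# alter that an administrator will later load: the directories and hive named
# above, plus CLSID InprocServer32 keys and the DLLs they point at.
# Assumes Windows PowerShell 5.1+ in an elevated session.
param(
    # Identities to treat as "non-admin": Power Users plus the groups every
    # interactive user belongs to. Chosen for this example.
    [string[]]$Identities = @('BUILTIN\Power Users', 'BUILTIN\Users',
                              'Everyone', 'NT AUTHORITY\Authenticated Users'),
    [int]$MaxClsid = 2000   # cap on CLSID keys scanned; raise for a full audit
)

# Access bits that allow changing content or the ACL itself. The specific bits
# have the same numbers for files (WriteData/AppendData) and registry keys
# (SetValue/CreateSubKey); DELETE, WRITE_DAC, WRITE_OWNER and the generic
# ALL/WRITE bits are common to both.
$writeMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-GrantedWriters {
    # Returns the identities from $Identities that hold any write bit via an Allow ACE.
    param($Acl, [string]$RightsProperty)
    if (-not $Acl) { return }
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Identities -contains $_.IdentityReference.Value -and
                       (([int]($_.$RightsProperty)) -band $writeMask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Add-Finding {
    param([string]$Object, [string[]]$Writers)
    if ($Writers) { $script:findings += [pscustomobject]@{ Object = $Object; Writers = ($Writers -join ', ') } }
}

$script:findings = @()

# 1. The locations the post names.
foreach ($dir in @($env:ProgramFiles, $env:SystemRoot)) {
    Add-Finding $dir (Get-GrantedWriters (Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue) 'FileSystemRights')
}
Add-Finding 'HKLM:\SOFTWARE' (Get-GrantedWriters (Get-Acl -LiteralPath 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue) 'RegistryRights')

# 2. COM servers: a writable InprocServer32 key lets the DLL path be redirected;
#    a writable DLL lets the file itself be replaced (typical of unprotected
#    third-party installs under Program Files).
$clsids = Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
          Select-Object -First $MaxClsid
foreach ($k in $clsids) {
    $inproc = Join-Path $k.PSPath 'InprocServer32'
    if (-not (Test-Path -LiteralPath $inproc)) { continue }
    Add-Finding $inproc (Get-GrantedWriters (Get-Acl -LiteralPath $inproc -ErrorAction SilentlyContinue) 'RegistryRights')

    $raw = (Get-ItemProperty -LiteralPath $inproc -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    # Bare names such as ole32.dll (resolved via the search path) are skipped here.
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) { continue }
    Add-Finding $dll (Get-GrantedWriters (Get-Acl -LiteralPath $dll -ErrorAction SilentlyContinue) 'FileSystemRights')
}

$findings | Sort-Object Object -Unique | Format-Table -AutoSize
```

Any row in the output is a path or key that one of the listed groups can change and that an administrator's session will load; on a current Windows the Power Users group is normally empty, so the interesting rows are usually the ones granted to Users or Everyone by a third-party installer.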

    77. Re:Microsoft's fault? by Guppy06 · · Score: 1

      "When you login, you can access your startup folder."

      We're not talking about Windows terminal emulation (or even Telnet) here. Logging in remotely through SMB involves browsing specific network shares, whether from the GUI or command line. Unless you specifically give your startup folder its own share, accessing it involves digging through the directory structure.

      \\localhost\C$\Documents and Settings\username\Start Menu\Programs\Startup

      And you can only do that if you know that there is a hidden share named "C$" to begin with.

      A small minority of Windows users even know they have a Startup folder. Fewer know how to set up an SMB share. Fewer still understand the Windows directory structure enough to know that "desktop" and "start menu" are just directory names in "My Computer", not the other way around. Conclusion: the worm is going through the default shares.

      "uninformed, unintelligent, or just trying to be smart?"

      You tell me.

    78. Re:Microsoft's fault? by Anonymous Coward · · Score: 0
      What is the likelihood that the local admin of a Windows 2000 box at home is actually good?

      What's the likelihood that any home user knows his admin password can be used to gain full read/write access to their computer remotely?

      Many home users assume the admin password can only be used by someone with physical access to the computer, so they don't worry about making a secure password. They might choose a more secure password if they knew about this. But ideally, Windows shouldn't share anything without at least asking the user (these admin shares are really annoying, because if you delete them, they'll come back when you reboot, unless you edit your registry).

    79. Re:Microsoft's fault? by Anonymous Coward · · Score: 0

      So do it when you're on your computer anyway. Do I have to lead you by the nose?

      18... 19... 20.

    80. Re:Microsoft's fault? by JWSmythe · · Score: 1


      Nope, my rant was about stupid users, not Microsoft... Stupid users pick the password "password"

      Just like stupid people leave their cars running while they run in to buy cigarettes and get their cars stolen.

      Just like stupid people flash a wad of hundred dollar bills at the Quicky-Mart, and get mugged right outside..

      I can secure a Windows server with the best of 'em. Except for security exploits (which that rant did not mention), it'll be just as secure.. But this worm is all about stupid users picking stupid passwords for their shares. I'd be willing to bet the first password it tries is "", because every office I've ever gone into to fix a problem of any sort, that's what they've set the password to, usually with the reasoning of "oh, it's so we won't forget what it is".

      This one is all about stupid people doing stupid things, no matter what platform they're on. If there was a script that tried to telnet to every *nix machine out there with blank passwords and succeeded, it would be making news too, but at least most people don't set blank passwords.. Or thankfully ssh won't let you in with a blank password by default (we tried it for humor).

      --
      Serious? Seriousness is well above my pay grade.
    81. Re:Microsoft's fault? by Anonymous Coward · · Score: 0
      No, not sshd, RPC.

  3. A cold day in... by asparagus · · Score: 5, Funny

    ...for once a security problem that isn't really Microsoft's fault...

    Taco: Hell just called. They want you turn back on the heat.

    1. Re:A cold day in... by Anonymous Coward · · Score: 0

      heh you already got a +5 so i just wanted to say bravo!!!!!

    2. Re:A cold day in... by bumby · · Score: 1

      I heard dukenukem forever was released too, and the nwn linux client!

      --
      Hey! That's my sig you're smoking there!
    3. Re:A cold day in... by Anonymous Coward · · Score: 0
      They want you turn back on the heat.

      Someone set us up the bomb!

    4. Re:A cold day in... by Sneftel · · Score: 1

      eeeyike. I think I'm not the only one who dislikes the mental image of "CmdrTaco turning up the heat."

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
  4. The Most Open Security Hole.... by scottm52 · · Score: 5, Interesting

    Is the one left open by an Admin who has no business being an Admin....

    But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???

    Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

    1. Re:The Most Open Security Hole.... by dotgain · · Score: 1

      Hmm, having a /usr/share/dict/words file might be an insecurity in itself in this case. No doubt it'd be just as easy for a windows worm to access Office's dictionary for brute force entry, thus keeping the worm itself nice and lean.

    2. Re:The Most Open Security Hole.... by Cynikal · · Score: 1

      But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???"

      just a little... will it come to the point where people will have to be warned about having passwords less than 12 characters long and not having a minimum of 4 numerals and punctuation characters?

    3. Re:The Most Open Security Hole.... by afidel · · Score: 5, Insightful

      I liked a friend of mine's way of dealing with this: he ran a dictionary attack against the password database and a couple of other tools; if your password was guessed, the account was disabled and a note put in as to why; then when you called to have it re-enabled, the helpdesk did an internal charge of $100 to your department. Most managers would only let one crack go =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:The Most Open Security Hole.... by madmarcel · · Score: 1

      Hmmm...I could be wrong, but...
      it was pointed out to me by a friend of a friend that in the computer labs here at Uni the techs have installed a little script on the Linux machines that runs overnight and attempts a dictionary crack on all/some of the user accounts. If it succeeds you will automatically get notified by email. You then have 10 days or so to change your password.

      And why not, there's eh...60odd machines in each lab, and most of them don't do anything all night. (Ok ok, there's the odd lone hacker in there late at night...surfing for...eh....doing assignments ;)

      It occurs to me that there must be an easier way to do this :\ OTOH the techs might've found a nasty script like that running on the machines one day, that wouldn't surprise me either :o
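What afidel's friend and madmarcel's lab techs are doing (run the dictionary against your own accounts before the worm does, then disable or notify the hits) can be done against a local account database with the worm's own wordlist. The script below is an added example, not code from either post; it assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) run elevated. The wordlist is an excerpt of the list quoted in this thread and should be extended to the full one; the -Disable switch, the lockout check and the description text are this example's own choices.

```powershell
# Added example, not code from either post. Tries the worm's wordlist against
# every enabled local account and optionally disables the ones it gets into.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) run elevated.
param([switch]$Disable)   # switch chosen for this example; default is report only

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Excerpt of the list the worm uses (quoted in this thread); extend to the full list.
$wordlist = @('', 'admin', 'Admin', 'password', 'Password', '1', '12', '123', '1234',
              '12345', '123456', '111111', 'pass', 'passwd', 'root', 'god', 'sex', 'secret',
              'test', 'temp', 'qwer', 'asdf', 'zxcv', 'xxx', 'login', 'mypc', 'pw')

function Get-LockoutThreshold {
    # Parses 'net accounts'; 0 means no lockout policy ("Never").
    $line = net accounts | Where-Object { $_ -match 'Lockout threshold' } | Select-Object -First 1
    if ($line -match ':\s*(\d+)\s*$') { [int]$Matches[1] } else { 0 }
}

function Find-GuessablePasswords {
    # Each ValidateCredentials call is a real logon attempt and counts toward lockout.
    param([string[]]$Words = $wordlist)
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                      -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Machine)
    foreach ($u in Get-LocalUser | Where-Object Enabled) {
        foreach ($w in $Words) {
            if ($ctx.ValidateCredentials($u.Name, $w)) {
                [pscustomobject]@{ User = $u.Name; Password = $w }
                break   # one hit is enough; do not keep burning attempts on this account
            }
        }
    }
}

$threshold = Get-LockoutThreshold
if ($threshold -gt 0 -and $wordlist.Count -ge $threshold) {
    Write-Warning "Lockout threshold is $threshold and the list has $($wordlist.Count) entries: accounts with good passwords will be locked out. Shorten the list or audit in batches below the threshold."
}

$hits = @(Find-GuessablePasswords)
foreach ($h in $hits) {
    if ($Disable) {
        Disable-LocalUser -Name $h.User
        Set-LocalUser -Name $h.User -Description "Disabled $(Get-Date -Format s): password is in the Deloder wordlist"
    }
}
$hits
```

The lockout check matters more than it looks: an audit that locks out everyone with a decent password is indistinguishable from the worm as far as the helpdesk is concerned. Note also that a blank password may be reported as a miss on systems that refuse blank-password network logons; check those accounts separately via Get-LocalUser's PasswordRequired flag.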

    5. Re:The Most Open Security Hole.... by gad_zuki! · · Score: 1

      >But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???

      Actually I feel more secure, especially if this thing hits critical mass. We're supposed to pick strong-ish passwords under the assumption that we are targeted or that we can easily be targeted. The days of 'no one can access this machine anyway so I can be light on the security' are loooong gone.

      Every system admin is saying, "Told you so," but in real life Joe Sixpack won't learn until he's burned. Considering this thing doesn't completely trash computers, wipe irreplaceable data, etc., people with weak passwords are getting off easy. If you had to pick your worms this one ain't half bad.

      What's scary is that if SMB/NetBIOS ports are open I can just write a worm that will do a net send with the data, "FROM: Administrator: Please change your password to 0wn3D for security reasons ASAP." Then add 0wn3D to the list of passwords. The strongest password in the world isn't going to help you if you believe that little pop-up is from your sysadmin.

    6. Re:The Most Open Security Hole.... by Doctor+Hu · · Score: 1
      ...then when you called to have it re-enabled the helpdesk did an internal charge of $100 to your department...
      A place where the helpdesk charges reflect the importance of the work that's done? Color me impressed[*].

      [*]Sort of green, similar to envious.

  5. Simple solution... by mrjive · · Score: 4, Insightful

    Unbind network sharing from your external tcp/ip settings.

    This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.

    And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
    1. Re:Simple solution... by MondoMor · · Score: 2, Informative

      And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.


      Unless you disable the "Server" service (this is NOT IIS). Then those shares are disabled. Home users and many business users don't need the Server service running.

      Google for Win2k Services Tweak guide and follow the many happy descriptions.

    2. Re:Simple solution... by geekoid · · Score: 1

      hell, a lot of them don't relize there sharing there drive with me.... ;)

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:Simple solution... by lavalyn · · Score: 1

      Better yet, go through the entire hardening process of disabling Alerter, Messenger, Server, Print Spooler (unless necessary), Indexing Service, Uninterruptible Power Supply, Telnet, Universal Plug and Play, Fax Service, Network DDE, QoS RSVP, Remote Registry Service, and whatever else you don't need.

      (Those listed above tend not to be useful for 90% of users out there)

      Then change the password policies, login audit policies, and a whole mesh of other things :)


      Windows 2000 Professional and Server Services Configuration 411

      --
      Doing the Right Thing should not be preempted by making a buck.
    4. Re:Simple solution... by Brooks+P. · · Score: 1

      Unbind network sharing from your external tcp/ip settings.

      Can someone point me to a resource (print or web) that will tell me how to do this? Sounds like something I need to learn. Thanks.

    5. Re:Simple solution... by Anonymous Coward · · Score: 0

      ...there sharing there drive...

      you sound like tarzan trying to be an IT consultant. go learn some fucking grammer! damn!

    6. Re:Simple solution... by shamilton · · Score: 2, Informative

      Easy, in the properties for your external network interface, simply uncheck "File and Printer Sharing for Microsoft Networks."

      However, I don't think this is particularly amazing advice... only applicable to a box which happens to be acting as both a fileserver and a gateway.

      If I had mod points, I'd Overrated the grandparent for exactly this reason.

      sh

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    7. Re:Simple solution... by Anonymous Coward · · Score: 1, Informative

      Here is a start for NetBIOS from here:
      2K/XP:
      Right-click on Local Area Network
      Select: Properties
      Select: Internet Protocol TCP/IP
      Click on Properties
      Click on Advanced
      Select the WINS tab
      Select Disable NetBIOS over TCP/IP
      Click OK

      Lower:
      Right-click on My Network Places
      Select: Properties
      Select: Internet Protocol TCP/IP
      Click on Properties
      Select the NetBIOS tab
      Uncheck: Enable NetBIOS over TCP/IP
      Click OK

      Removing the binding from TCP/IP is the same, up to 'Click on Properties':
      Select the Bindings tab
      Check: Client for Microsoft Networks
      Check: File and Printer Sharing
      Click OK

      Warning about using NetBEUI: it slows down large networks by only using multicast (i.e. turns your switch into a regular hub). Read about it here. (By the way, that link has screenshots of the directions above.)
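The steps spread over this sub-thread (stop the services lavalyn lists, uncheck File and Printer Sharing on the external interface as shamilton describes, and disable NetBIOS over TCP/IP and the bindings as in the post above) collapse into one script on a current Windows. This is an added example, not code from the thread: the cmdlets are the modern equivalents of the Windows 2000/XP dialogs and do not exist on those versions, the service names are this example's guesses at today's names for the services listed, and the adapter name is a parameter. Run it from an elevated prompt.

```powershell
# Added example, not code from the thread: the modern-Windows equivalent of
# the dialog steps in this sub-thread. Run from an elevated PowerShell 5.1+
# prompt; the service names below are assumptions about today's names for
# the services the posters listed.
param(
    [Parameter(Mandatory)][string]$ExternalAdapter,  # adapter facing the modem, e.g. 'Ethernet'
    [switch]$DisableServerService                    # also stop LanmanServer: removes ALL shares on every adapter
)

# Services the posts list; any not present on this Windows version are skipped.
$services = @('Messenger', 'Alerter', 'Spooler', 'RemoteRegistry', 'TlntSvr', 'SSDPSRV',
              'upnphost', 'Fax', 'NetDDE', 'RSVP', 'UPS', 'CISVC', 'WSearch')
if ($DisableServerService) { $services += 'LanmanServer' }

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name : stopped and set to Disabled"
}

# Unbind File and Printer Sharing (ms_server) and the SMB client (ms_msclient)
# from the external adapter only; shares stay reachable on the other adapters.
foreach ($component in 'ms_server', 'ms_msclient') {
    Disable-NetAdapterBinding -Name $ExternalAdapter -ComponentID $component
}

# Disable NetBIOS over TCP/IP on that adapter: NetbiosOptions 2 = disabled
# (0 = take the DHCP setting, 1 = enabled). The adapter must be reset to apply it.
$guid  = (Get-NetAdapter -Name $ExternalAdapter).InterfaceGuid
$netbt = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid"
Set-ItemProperty -Path $netbt -Name NetbiosOptions -Value 2 -Type DWord
Restart-NetAdapter -Name $ExternalAdapter

function Get-ExternalSmbExposure {
    # Reports the settings that should now all be off for the given adapter.
    param([string]$Adapter)
    $bind = Get-NetAdapterBinding -Name $Adapter -ComponentID ms_server, ms_msclient
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$((Get-NetAdapter -Name $Adapter).InterfaceGuid)"
    [pscustomobject]@{
        Adapter            = $Adapter
        SharingBound       = ($bind | Where-Object ComponentID -eq 'ms_server').Enabled
        SmbClientBound     = ($bind | Where-Object ComponentID -eq 'ms_msclient').Enabled
        NetbiosOverTcpIp   = (Get-ItemProperty -Path $key -Name NetbiosOptions).NetbiosOptions -ne 2
        ServerServiceState = (Get-Service -Name LanmanServer).Status
    }
}
Get-ExternalSmbExposure -Adapter $ExternalAdapter
```

The final object should read False/False/False for the binding and NetBIOS fields. A local check only proves the configuration, not the exposure: confirm from another host that 137-139/udp and 139/445/tcp on the external address no longer answer, and remember that with a single NIC (as Chanc_Gorkon points out later) unbinding ms_server is the same as turning sharing off altogether.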

    8. Re:Simple solution... by galaxy300 · · Score: 1

      Just go into your network settings (Control Panel, Network Settings), select your network adapter(s), and make sure that File and Printer Sharing for Microsoft Networks is unchecked. That's about all it takes...

    9. Re:Simple solution... by Anonymous Coward · · Score: 0

      Of all 'theres' you could have chosen, you got the wrong one, twice.

      "A lot of them don't realise they're sharing their drive with me."

      Realize is probably an acceptable spelling in the US (I couldn't say for sure).

    10. Re:Simple solution... by Chanc_Gorkon · · Score: 1

      And unbinding to the internet is kind of difficult to do if you have only one nic and do file sharing over it! :) If you follow this and only have one nic, then poofta.....your shares are gone. One more reason to have everything behind a firewall AND natted.

      --

      Gorkman

    11. Re:Simple solution... by galaxy300 · · Score: 1

      Good point -- I would never file share over the same NIC I used to connect to the Internet. And if I did, I would definitely use a decent firewall!

    12. Re:Simple solution... by Jardine · · Score: 1

      Probably why my cable ISP blocks out the ports network shares use. Security through user stupidity, complaining, and ultimately blocking ports. I want to print annoying messages on my neighbour's printers.

    13. Re:Simple solution... by PissedOffGuy · · Score: 1

      FYI XP and above (and probably win2k SPs) disable all network shares if your admin password is blank.

    14. Re:Simple solution... by mrjive · · Score: 1

      Not necessarily....

      If you have more than one nic, you can disable it on the nic facing the internet, if you only have one nic, and are directly connected to the internet (ie a cable modem), you should probably have this disabled anyways.

      Granted, with only one nic, its the same thing as disabling filesharing, but the general procedure works for both so I didn't make that distinction in my original post.

      I agree 100% with the NAT+Firewall comments....but your average home user isn't going to go to that extra trouble to protect themselves are they? Probably not.

      --
      If you can't beat them, arrange to have them beaten. -George Carlin
    15. Re:Simple solution... by Guppy06 · · Score: 1

      "Unbind network sharing from your external tcp/ip settings."

      It's a shame there's no easy way to get rid of Messenger service (ie. "net send") spam the same way. I was surprised that I still got some, even after disabling both sharing and the SMB client on my outbound connection. I ended up disabling the service, but there should be a better way...

      "if your admin password is blank, then blamo - full access to your machine."

      XP won't let local accounts in remotely if their password is blank, at least not by default.
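The points Guppy06, PissedOffGuy and the earlier Anonymous post make (the hidden C$/ADMIN$ shares are recreated at boot unless the registry says otherwise, and XP refuses network logons for blank-password accounts) map to two documented registry values: AutoShareWks (AutoShareServer on server SKUs) under LanmanServer\Parameters, and LimitBlankPasswordUse under Control\Lsa. The script below is an added example, not from the thread; it reports both and, with a -Fix switch chosen for this example, sets them and removes the current administrative shares. It assumes Windows PowerShell 5.1 or later run elevated.

```powershell
# Added example, not code from the thread. Reports and (with -Fix) corrects the
# two settings discussed above. Assumes Windows PowerShell 5.1+, elevated.
param([switch]$Fix)   # switch chosen for this example

$lanman     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$adminShare = '^[A-Z]\$$|^ADMIN\$$'   # C$, D$, ... and ADMIN$; IPC$ cannot be removed

function Get-RegValue {
    # Reads a value, returning $Default when it is absent (i.e. the OS default applies).
    param([string]$Path, [string]$Name, $Default)
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { $Default } else { $v }
}

function Get-AdminShareStatus {
    $special = @(Get-SmbShare -Special -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $adminShare })
    [pscustomobject]@{
        AdminSharesPresent    = $special.Count -gt 0
        AdminShareNames       = ($special.Name -join ', ')
        # Absent = 1: the Server service recreates the shares every time it starts,
        # which is why deleting them "comes back when you reboot" unless this is 0.
        AutoShareWks          = Get-RegValue $lanman 'AutoShareWks' 1
        AutoShareServer       = Get-RegValue $lanman 'AutoShareServer' 1
        # 1 (the default on XP and later): blank-password accounts may only log on
        # at the console, so a blank Administrator password is useless over SMB.
        LimitBlankPasswordUse = Get-RegValue $lsa 'LimitBlankPasswordUse' 1
        # Accounts flagged as not requiring a password are the ones a blank one can apply to.
        PasswordNotRequired   = (@(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }).Name -join ', ')
    }
}

if ($Fix) {
    Set-ItemProperty -Path $lanman -Name AutoShareWks          -Value 0 -Type DWord
    Set-ItemProperty -Path $lanman -Name AutoShareServer       -Value 0 -Type DWord
    Set-ItemProperty -Path $lsa    -Name LimitBlankPasswordUse -Value 1 -Type DWord
    # Remove the shares now rather than waiting for a reboot; with AutoShare* at 0
    # the Server service will not bring them back.
    Get-SmbShare -Special -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $adminShare } |
        Remove-SmbShare -Force
}
Get-AdminShareStatus
```

With AutoShareWks at 0 the \\host\C$\...\Startup path Guppy06 quotes simply does not exist to a remote caller, and with LimitBlankPasswordUse at 1 a blank Administrator password fails over the network regardless of the shares, so the two settings cover the two halves of the worm's access pattern independently.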

    16. Re:Simple solution... by Orig · · Score: 2, Informative

      "It's a shame there's no easy way to get rid of Messenger service (ie. "net send") spam the same way."

      Control Panel -> Services , Set "Messenger" service startup type to "disabled".

      Or just do:

      C:\>net stop messenger
      The Messenger service is stopping.
      The Messenger service was stopped successfully.


      C:\>

    17. Re:Simple solution... by Anonymous Coward · · Score: 0
      Couple of things here:
      1. NATing is a horrible mess, and to be avoided entirely if it weren't for the lack of IP addresses (bring on IPv6). I prefer a stateful firewall: pass stuff in from the outside only if it's part of a connection initiated by the local boxes.
      2. In England, "poofta" is derogatory slang for "homosexual".
  6. Huh? by Anonymous Coward · · Score: 0

    Okay, so it drops inst.exe into the folder... and then just waits for some mouth-breather to come along double-clicking all the .exe's he can find?

    Well, I suppose if you're stupid enough to leave a default password on a shared folder, perhaps you'll fall for it, but I don't see this being a cause for widespread alarm.

    1. Re:Huh? by Anonymous Coward · · Score: 0

      In the "autostart" folder...then waits for someone to reboot the computer

    2. Re:huh? by Erris · · Score: 2, Informative
      I don't remember there being default passwords on Windows file sharing (have setup multiple filesharing networks,

      He he, you don't remember because it did not tell you. Filesharing gets set up as part of other software installs without telling you. Nice eh?

      --
      DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    3. Re:huh? by Fishstick · · Score: 0

      Interestingly, the register article says 'default', but the source they quote, http://www.f-secure.com/v-descs/deloader.shtml does not.

      They cite 50 passwords that the worm tries:

      Once a suitable machine is found, the worm tries to log on to the remote computer using login name Administrator and by trying 50 different passwords:

      "" (empty)
      "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      "admin"
      "Admin"
      "password"
      "Password"
      (you get the idea)


      nowhere does it claim that these are 'default' passwords in the sense that windows installs leaving them set as default. The problem is that the person installing windows picked a "weak" password. Seems a stretch to call this "default". (as in "Fred was too lazy to come up with a good password, so he picked some "default": I think it was '12345'")

      Your comment has too few characters per line (currently 17.0).

      now I am obliged to add more crap to my post in order to reach this C/L threshold:

      Deloder is a network worm infecting Windows machines which have set a weak password to the "Administrator" account. It also installs remote access tool VNC, opening the computer to the world.

      no, that wasn't enough, here's more:
      1) The combination to the Air Shield is ... one. 2) One! 3) One! 1) Two. 2) Two! 3) Two! 1) Three. 2) Three! 3) Three! 1) Four. 2) Four! 3) Four! *pause* 1) Five. 2) Five! 3) Five! 2) So the combination to the Air Shield is one two three four five!! 3) One two three four five!?! That's the stupidest combination I've ever heard!! That's the kind of combination some idiot would have on his luggage!!

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    4. Re:huh? by Dynedain · · Score: 1

      i know filesharing turns on w/ certain configurations....but it still relies on existing user controls...my point is that there isn't a 'default' password

      --
      I'm out of my mind right now, but feel free to leave a message.....
  7. huh? by Dynedain · · Score: 2, Insightful

    I don't remember there being default passwords on Windows file sharing (have setup multiple filesharing networks, both w/ Win domains/active directory and w/out)....weak passwords I'd expect, but default?

    --
    I'm out of my mind right now, but feel free to leave a message.....
  8. Not Microsofts Fault? by tarogue · · Score: 3, Insightful

    If the worm is using default passwords to get in, then I would say that it *is* the fault of Microsoft. There should be no default password. When any type of networking is set up, you should be prompted to create a password. If no password is provided, no service is provided.

    --
    Life sucks, but death doesn't put out at all. -- Thomas J. Kopp
    1. Re:Not Microsofts Fault? by Snoopy77 · · Score: 1, Redundant

      If you had read the article (jk) then you would know that the worm attacks those with simply passwords like [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

      --
      "She's a West Texas girl, just like me" - G.W Bush Iraqis
    2. Re:Not Microsofts Fault? by dacarr · · Score: 1

      Those aren't necessarily default passwords.

      --
      This sig no verb.
    3. Re:Not Microsofts Fault? by RTPMatt · · Score: 1

      for once a security problem that isn't really Microsoft's fault.

      awww man...well can we do it anyway? Just for old-time sake?

    4. Re:Not Microsofts Fault? by yatest5 · · Score: 1
      If.... (totally incorrect fact) then it is MS's fault


      5 - Insightful. Good work moderators.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    5. Re:Not Microsofts Fault? by Anonymous Coward · · Score: 0
      Hi!
      I wish to thank you for complimenting my work. It's not so easy when us moderators usually have an IQ of about 65, and our systems full of crack.

      Sincerely, A Stupid Moderator

  9. I wonder if that is why my router is not happy by AssFace · · Score: 1

    I just installed a new Netgear router that has a security logging feature. It is filling up in a big way with SMB requests and UDP calls.

    It is currently set to ignore anything on any port that is trying to come in - and it also apparently looks for things like DOS attacks and it is listing a lot of stuff.

    I just set it up yesterday, so I don't know how much of this I would have seen prior since I never logged the attempted connections before.

    --

    There are some odd things afoot now, in the Villa Straylight.
    1. Re:I wonder if that is why my router is not happy by myowntrueself · · Score: 4, Funny

      Let me guess, UDP port 137 is producing lots and lots of logged events?

      Thats normal. There are two solutions;

      1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.

      Or

      2. Stop logging UDP port 137.

      --
      In the free world the media isn't government run; the government is media run.
    2. Re:I wonder if that is why my router is not happy by ColaMan · · Score: 1

      I've had smb port logging on in my firewall for the last two years, connected to a modem with a static IP.

      Not a day goes past without at least a dozen attempted netbios connections from various different IP's. I also get about the same amount of people trying to telnet / ftp / ssh in as well.

      Glancing through the emails from logwatch over the years, it definitely seems to be increasing.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    3. Re:I wonder if that is why my router is not happy by Anonymous Coward · · Score: 0

      i wonder why its not port 1337 instead.. er wait .... ok

    4. Re:I wonder if that is why my router is not happy by shamilton · · Score: 1

      A dozen per day?

      My DSL connection with five IP addresses behind it receives about ten requests per hour per address. All firewalled of course.

      My colocated server receives about twice this.

      Not trying to show off my internet penis here, but rather, I think you've rather understated the severity of smb scans.

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    5. Re:I wonder if that is why my router is not happy by ackthpt · · Score: 2
      Let me guess, UDP port 137 is producing lots and lots of logged events?

      UDP 137 has been logging lots of hits since day 1 for this system. Fortunately I have a firewall and have been very excited to see how many worms are out there trying to find a new host. A few weeks back I examined the log for the few hours I was connected over a dial-up (no DSL or ISDN, just 56K) and found 335 attempts, most of which are aimed at 137. A quick search of this with Google yielded info that this was indeed likely caused by a worm on many computers, scanning IP addresses and testing port 137.

      My first log of a probe on 445 was 3/7/2003 at 21:12 (9:12 PM in California) seems they come in pairs or threes. The number of probes has been increasing.

      Given what I've seen of my firewall logs, there's no way I'll ever put another computer within spitting distance of an internet connection without a firewall. Like, cripes 'n stuff!

      --

      A feeling of having made the same mistake before: Deja Foobar
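AssFace, ColaMan and ackthpt are all reading router and firewall logs by eye. The script below is an added example, not code from any post: it parses drop lines, reports how much of the noise is NetBIOS/SMB (137-139 and 445), and flags sources that sweep 137 and then try 139 or 445, the name-lookup-then-connect order a share-hunting worm follows. The log format and the log lines are constructed for this example; real router logs differ, so adjust the regex to yours.

```powershell
# Added example, not from any post: tallies firewall drops by destination port
# and source. Log format and lines are constructed for this example; the
# regex must be adapted to the real router's format.
$sample = @'
2003-03-08 21:12:03 DROP UDP 203.0.113.7:137 -> 198.51.100.5:137
2003-03-08 21:12:03 DROP UDP 203.0.113.7:137 -> 198.51.100.5:137
2003-03-08 21:12:09 DROP TCP 203.0.113.7:3921 -> 198.51.100.5:445
2003-03-08 21:13:40 DROP TCP 192.0.2.19:1045 -> 198.51.100.5:139
2003-03-08 21:14:02 DROP TCP 192.0.2.19:1046 -> 198.51.100.5:445
2003-03-08 21:15:11 DROP TCP 198.51.100.77:2233 -> 198.51.100.5:22
'@ -split '\r?\n'

# Ports the NetBIOS/SMB stack listens on; everything else is "other noise".
$smbPorts = @{ 137 = 'NetBIOS-NS'; 138 = 'NetBIOS-DGM'; 139 = 'NetBIOS-SSN'; 445 = 'SMB direct' }
$pattern  = '^(?<ts>\S+ \S+) DROP (?<proto>TCP|UDP) (?<src>[\d.]+):\d+ -> (?<dst>[\d.]+):(?<dport>\d+)'

function Get-SmbProbeSummary {
    param([string[]]$Lines)
    $events = foreach ($l in $Lines) {
        if ($l -match $pattern) {
            [pscustomobject]@{ Time = $Matches.ts; Proto = $Matches.proto
                               Source = $Matches.src; Port = [int]$Matches.dport }
        }
    }
    $smb = @($events | Where-Object { $smbPorts.ContainsKey($_.Port) })
    $bySource = $smb | Group-Object Source | ForEach-Object {
        $ports = @($_.Group.Port | Sort-Object -Unique)
        [pscustomobject]@{
            Source    = $_.Name
            Probes    = $_.Count
            Ports     = ($ports | ForEach-Object { "$_/$($smbPorts[$_])" }) -join ' '
            FirstSeen = ($_.Group.Time | Sort-Object | Select-Object -First 1)
            # Worm-like: a name-service sweep on 137 followed by a session attempt on 139/445.
            SweepThenConnect = ($ports -contains 137) -and (($ports -contains 139) -or ($ports -contains 445))
        }
    }
    [pscustomobject]@{
        TotalDrops = @($events).Count
        SmbDrops   = $smb.Count
        SmbPercent = if (@($events).Count) { [math]::Round(100 * $smb.Count / @($events).Count, 1) } else { 0 }
        Sources    = $bySource
    }
}

$summary = Get-SmbProbeSummary -Lines $sample
$summary | Select-Object TotalDrops, SmbDrops, SmbPercent
$summary.Sources | Format-Table -AutoSize
```

On the constructed lines this reports five of six drops as NetBIOS/SMB and marks 203.0.113.7 (137 then 445) as a sweep-then-connect source while 192.0.2.19 (139 and 445 only) is not. Run over a real log, the SmbPercent figure is the number Tom's bandwidth complaint is about, and the SweepThenConnect rows are the ones worth reporting to the source's ISP.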
    6. Re:I wonder if that is why my router is not happy by Anonymous Coward · · Score: 0

      You can't be serious, can you?

      The UDP 137 events are caused by Windows' automatically probing for other computers on the LAN (which, when dealing with computers directly connected to the internet, isn't much of a LAN).

    7. Re:I wonder if that is why my router is not happy by Tom · · Score: 1

      Thats normal. There are two solutions;

      1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.

      Or

      2. Stop logging UDP port 137.


      Lemme see:
      Option one will take a few hours for anyone who knows a bit about Windows programming (if we leave out the "irrevocably" part and just repeat as necessary).
      Option two will eat continuously away at my bandwidth, for which I pay. 137 attacks have for the past few months been the most common attacks/probes, so it is a significant fraction by now.

      I'll go with two. M$ hasn't cleaned up their act in over five years. Anywhere in the real world, their product would've been declared as too unsafe to use and banned by now.

      --
      Assorted stuff I do sometimes: Lemuria.org
    8. Re:I wonder if that is why my router is not happy by Anonymous Coward · · Score: 0
      1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.


      I like this option better. I've been thinking about doing it for a while now, perhaps I shall.

  10. Risks of default passwords by ma++i+ude · · Score: 5, Insightful
    Default passwords are of course a problem, especially when many of these systems are operated by people who probably don't even know they are running an SMB server.

    Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
    1. Re:Risks of default passwords by John+Hasler · · Score: 1

      > A typical example of such a system is an ADSL
      > router / firewall. I know several of these whose
      > password is left as standard.

      Selling such a device with a default password is negligence.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Risks of default passwords by TheLink · · Score: 1

      Some of them have backdoor passwords that you can't change.

      --
  11. Might be MS's fault. by gmplague · · Score: 1, Informative

Actually, this might just be MS's fault. Windows 95/98 prior to 98SE and NT4 prior to service pack 4 (I think) all shipped with samba enabled by default, without a password. That means probably at least some of the hosts affected by this worm were affected because of MS's bungling.

    --
    __________________________________________
    Take comfort in your ignorance.
    Grandmaster Plague
    1. Re:Might be MS's fault. by lavalyn · · Score: 1

      I doubt the non-existent and certainly not distributed open-source SAMBA suite had many security holes in Windows 95.

      --
      Doing the Right Thing should not be preempted by making a buck.
    2. Re:Might be MS's fault. by WiPEOUT · · Score: 2, Insightful

      ... in other news, Microsoft SQL Server 2000 is now being included in the RedHat 8.2 distribution's default install, and a security bulletin has been released for MacOSX 10.2 Print Services running on the Commodore 64.

    3. Re:Might be MS's fault. by Anonymous Coward · · Score: 0

      How can a post be +3 informative, when it's so plainly wrong? No version of Windows shipped with Samba installed, much less on and password-less by default.

    4. Re:Might be MS's fault. by Anonymous Coward · · Score: 0

Who the hell modded the parent informative? Check your 95/98 distribution (and while at it, check your password not to be blank either)

    5. Re:Might be MS's fault. by cookiepus · · Score: 1

      you gotta admit it "sounds" informative!

  12. Right.... by Dragon213 · · Score: 1

Right....this one definitely can't be laid at the feet of MS...this is definitely a user problem :p

    --
    --CypherDragon
  13. The weakest link by lavalyn · · Score: 3, Insightful

    There is a reason why intelligent password crackers (dictionary attack) will first try passwords such as "password", "secret", "administrator", "root" or its variants before going through the main database.

    It isn't only at the PHB's desk that PEBKAC can occur.

Unfortunately, in an employment environment where complicated passwords are just another encumbrance and annoyance for most people, this is not going to change any time soon. /.ers are young (mostly). Most users never needed to know passwords longer than a 4 digit PIN until the last decade.

    --
    Doing the Right Thing should not be preempted by making a buck.
  14. ummm.... by oliverthered · · Score: 3, Interesting

    New UNIX password: oliver
    BAD PASSWORD: it is based on your username

    New UNIX password: jp821968i
    BAD PASSWORD: it looks like a National Insurance number.

    New UNIX password: rg78kn
    BAD PASSWORD: is too simple

    Yeh, nothing to do with the password system.

Ok, so that's how my Linux box is set up (without post-install configuration); why isn't Windows set up this way?

    --
    thank God the internet isn't a human right.
    1. Re:ummm.... by Anonymous Coward · · Score: 0

I forgot, I have a crap password at work (lots of people do). They make me change it so frequently that if I had a complex password, it'd be Post-it noted to my monitor.

    2. Re:ummm.... by seanadams.com · · Score: 2, Interesting

      Yeah, but it'll take passwords like 123!@#qwe!@#
      Hint: look at your keyboard.

    3. Re:ummm.... by suwain_2 · · Score: 2, Interesting

Not that I exactly advocate weak passwords, but you really can't compare the 'home user' Windows model with the 'Internet server' Linux model. I think a lot of people (primarily the less computer-literate) would be completely bewildered when it rejected the password they wanted to use. Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject. On the systems set up to be this picky, I su to root and change my password, allowing me to bypass the password integrity test. Not the most secure thing in the world, I suppose, but if 'hardcore Linux geeks' get flustered when their password is rejected (and find ways to *make* the system take it), imagine how relatively 'clueless' home users would feel?

      Anyway, maybe it could have a very elementary test: things like "password" and its variants would be rejected, as would common derivations of the username. What might be a better idea was if when the user was asked to create / change a password, it had a section on choosing a *good* password. (And if your password was a 'common' bad one, it could explain why it's bad.)

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    4. Re:ummm.... by targo · · Score: 4, Informative

      You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.

    5. Re:ummm.... by Anonymous Coward · · Score: 0

      Probably the same reason that I've never seen a functional C2 (Common Criteria) deployment last more than a few weeks. When you have hundreds of users to manage password complexity becomes a help desk nightmare and ultimately all you end up doing is increasing the stock over at Post-IT.

However, all iterations of Windows NT, including Windows XP Home and Professional, do have password complexity, aging and history rules. They just happen to not be turned on by default. Instead MS made the decision to permit users to maintain no password and have the system completely disable any form of remote access on said accounts, including SMB (which is also disabled by default in Windows XP.)

    6. Re:ummm.... by fitten · · Score: 1

      At a place I worked at a while back, the sysadmin ran a nightly crack on the password file. If it was able to figure out your password, you got an automated nastygram and had to change your password. Doesn't prevent all boneheadedness but it cuts down on it.

    7. Re:ummm.... by _xeno_ · · Score: 1
      Yeah, same with mine. Unfortunately, this leads to the "Post-It Note Effect", wherein many users leave their passwords on little Post-It notes on their monitors. (And this isn't trademark infringement, I do mean Post-It brand sticky notes.) I wouldn't worry too much about it, since we are a military contractor...

      Seriously though, I know one guy who thinks that everyone should let the other developers know their passwords in case they should ever need to access code on their computer. Which is even stupider than it initially sounds, since everyone's computer belongs to the corporate domain, and you can log on using your own username/password and gain access to all the files anyway.

(Since most Windows setups seem to leave every file set to be world readable (i.e., readable by the "Everyone" group), this generally works. Although I just checked my Windows XP machine, and the files are only readable by the "Users" group, so I could be wrong. Don't forget that Everyone and Users are both local machine groups, and not domain groups. Or are domain members automatically Users? You might need to add the other developers to the Users group or allow Everyone read permission on the development files. Or he could just accept that anything I did is checked into CVS and I'm not going to give out my password...)

      --
      You are in a maze of twisty little relative jumps, all alike.
    8. Re:ummm.... by Chanc_Gorkon · · Score: 1

Good question. Dictionary checking should be standard (but isn't even thought of in Windows). Mixed case letters AND numerics should also be a part of a password. Too bad it's too tough for non admins to remember that their password is D0gG1E...not that that's a good password, it's just even if it's something simple as a lower case doggie, they still can't remember it. Bio based security is the next big thing for security. Only way you could beat it is to be extremely good or to kill someone.

      --

      Gorkman

    9. Re:ummm.... by AnotherBlackHat · · Score: 1

      Unfortunately, this leads to the "Post-It Note Effect", wherein many users leave their passwords on little Post-It notes on their monitors.


      As much as I agree that it would be better if they picked passwords that were strong and actually remembered them,
      If the only choices are weak passwords or strong passwords on postit notes,
      I'd prefer an office with postit notes.

      Postit notes leave you vulnerable to people with physical access to your machine,
whereas weak passwords leave you vulnerable to everyone on the internet.
      (But you can at least insist that people stick the postit notes under their keyboards or folded over so the passwords aren't casually visible.)

      -- this is not a .sig
    10. Re:ummm.... by Tsuzuki · · Score: 1

      I think Mozilla did it pretty well. When you're setting the master security password (to add to or unlock your memorised passwords) it has a bar that fills up as you type. An insecure password shows an empty bar, a decently secure password shows a full one. You may pick a not-so-secure password (part of the bar is filled), but at least you know it's your fault when someone has a party with your bank accounts, etc. ;)

    11. Re:ummm.... by _xeno_ · · Score: 1
      How about both? Specific guy I'm thinking of uses a capitalized dictionary word followed by "1234". When forced to change it (after it expired), he switched to "1234" followed by the same capitalized dictionary word. And he updated his Post-It note, accordingly. (Which he made sure everyone knew. After all, we all need to be sure we can log on to his computer.)

      But, we don't have to worry about being vulnerable from the Internet. We have a firewall. </sarcasm>

      --
      You are in a maze of twisty little relative jumps, all alike.
    12. Re:ummm.... by Misanthropic_one · · Score: 1

      Watch out for password policies though... I used to work for a "large telephone company" and their password policy was it must be 8 characters long, contain 2 numbers, ... We did the math on it and it took the amount of allowed passwords down to a very short list!

    13. Re:ummm.... by Anonymous Coward · · Score: 0


      Dictionary checking should be standard(but isn't even thought of in Windows). ???

      My fscking god! It seems as if the slashdot community is getting more technically inept every day! Get a clue you fucking 'tard!!!

    14. Re:ummm.... by oliverthered · · Score: 1

      I know the local admin password!!! because I frequently need to install or run software with admin rights and calling up helpdesk all the time just pissed them off.

      --
      thank God the internet isn't a human right.
    15. Re:ummm.... by Anonymous Coward · · Score: 0

      That would be 123!"£qwe!"£ on my kb.

    16. Re:ummm.... by doublesix · · Score: 1

Postit notes leave you vulnerable to people with physical access to your machine, whereas weak passwords leave you vulnerable to everyone on the internet. I'll take the latter, thanks. Most 'computer crime' is perpetrated by people on the inside.

  15. ACK!!! by revery · · Score: 5, Funny

    for once a security problem that isn't really Microsoft's fault.

    What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...

    Who are you and what have you done with the slashdot editors?!?

    --

    Dilbert - "If aliens take over your boss's body, is that a bad thing?"
    Wally - "It depends on the aliens"

    1. Re:ACK!!! by oyenstikker · · Score: 2, Insightful

But the editor is still making an insulting comment not really related to the article and not backed up in any way. It seems there is one of these lines at the end of every article related to . . .well. . .not related to Linux. The comments never add to the article. Please leave them off.

      --
      The masses are the crack whores of religion.
    2. Re:ACK!!! by JonWan · · Score: 1

      Nah, it's the same guys. This is the pay-off for all of those Microsoft ads that show up here. Things will get back to normal tomorrow.

  16. VB App to help? by Anonvmous+Coward · · Score: 4, Insightful

    I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.

    Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?

    1. Re:VB App to help? by Dwedit · · Score: 2, Insightful

      Then you just end up with users blindly clicking the same "Yes" button that got Gator on their systems.

    2. Re:VB App to help? by MyHair · · Score: 1

      I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while.

Not good enough. These little viri like to put themselves in several places in the registry. Many of them replace rundll32.exe which Windows calls all the time to launch any program IIRC. There are tons of other tricks, too. If a PC at work gets infected with this I'm reimaging it.

    3. Re:VB App to help? by OYAHHH · · Score: 1
      I agree,


      But, in the meantime there is a small little utility you can use to do just this that has worked great for me.


      It is called Startup Monitor and it basically just sits around watching for programs trying to add themselves to the startup folder.


      When a program tries to drop itself in the Start Folder the Startup Monitor utility pops up a dialog that asks if you want to allow the action.


      You can find it at:


      http://www.mlin.net/StartupMonitor.shtml

      --
      Caution: Contents under pressure
    4. Re:VB App to help? by galaxy300 · · Score: 1

Unfortunately, there are a lot of programs that start up automatically that aren't in the startup folder. Try starting up the System Information wizard every once in a while or just going to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and related registry keys every once in a while and deleting any irrelevant entries on a regular basis.

    5. Re:VB App to help? by RTPMatt · · Score: 1

      How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?

Now how would they continue to pester you about registering if every time they tried to put that reminder crap in your startup folder you just clicked no?

    6. Re:VB App to help? by Anonymous Coward · · Score: 0

      I use Startup Monitor. It's great! Mod the parent up.

    7. Re:VB App to help? by Imperator · · Score: 1
      --

      Gates' Law: Every 18 months, the speed of software halves.
    8. Re:VB App to help? by Anonymous Coward · · Score: 0

      Oh yeah, forgot to add that it also watches for programs trying to add themselves to the various startup registry keys.

  17. How does it "find" the password? by weetabix · · Score: 0

    Little bit of brute force coding? Or a very tiny dictionary? Would be interesting to see how it's done, really.

Doesn't say if it affects Samba, and I couldn't really find anything out. Anyone else found or heard anything?

    --

    -- "It's tough to run with both feet stuck in your mouth" - Zoe's evil side

  18. Dictionary attack + 1 by ObviousGuy · · Score: 5, Insightful

    I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.

    When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.

    This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.

    Perhaps the best solution would be biometrics?

    --
    I have been pwned because my /. password was too easy to guess.
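The checks behind the "BAD PASSWORD" messages oliverthered quotes, plus the "capitalized word with 1234 stuck on" pattern ObviousGuy and _xeno_ describe and the keyboard walks seanadams.com hints at, as one added Python example (not code from any post, from Linux-PAM, or from Windows). The word lists, the keyboard-walk strings, the l33t maps and the "up to four digits either side" rule are constructed assumptions; the `audit` function shows the same checks run the way fitten's nightly crack job would.

```python
"""Password-policy checker: added example, not any poster's code or a real PAM module."""
import re

# Constructed, deliberately short stand-in for a "try these first" list.
COMMON_PASSWORDS = {"", "password", "secret", "administrator", "root",
                    "sex", "god", "pass", "love", "mypc", "admin", "welcome"}

# Constructed mini dictionary standing in for a real wordlist.
DICTIONARY_WORDS = {"doggie", "welcome", "summer", "dragon", "monkey", "secret"}

# Constructed keyboard walks: US-layout rows, the number row, and the column walk
# quoted in the thread. Shifted symbols are mapped back to their digits first.
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                  "zaqwsxcderfvbgtyhnmjuiklop"]
UNSHIFT = str.maketrans("!@#$%^&*()", "1234567890")

# UK National Insurance number shape: two letters, six digits, one letter.
NI_NUMBER_RE = re.compile(r"^[A-Za-z]{2}\d{6}[A-Za-z]$")

# Two reverse l33t maps because '1' may stand for either 'i' or 'l'.
LEET_MAPS = [str.maketrans("0134578@$", "oieastbas"),
             str.maketrans("0134578@$", "oleastbas")]


def core_word(password):
    """Strip up to four leading and trailing digits: 'Welcome1234' -> 'Welcome'."""
    m = re.fullmatch(r"\d{0,4}(.*?)\d{0,4}", password)
    return m.group(1) if m else password


def is_keyboard_walk(s, min_piece=3):
    """Heuristic: True if s can be cut into pieces of >= min_piece characters that
    each run along one of the keyboard walks (greedy, longest piece first)."""
    s = s.lower().translate(UNSHIFT)
    i = 0
    while i < len(s):
        for n in range(len(s) - i, min_piece - 1, -1):
            piece = s[i:i + n]
            if any(piece in walk for walk in KEYBOARD_WALKS):
                i += n
                break
        else:
            return False  # no walk piece starts here
    return len(s) >= min_piece


def check_password(password, username=""):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    lower = password.lower()
    user = username.lower()

    if lower in COMMON_PASSWORDS:
        reasons.append("it is on the commonly guessed list")
    if user and (user in lower or user[::-1] in lower):
        reasons.append("it is based on your username")
    if NI_NUMBER_RE.match(password):
        reasons.append("it looks like a National Insurance number")
    core = core_word(password).lower()
    if core and any(core.translate(m) in DICTIONARY_WORDS for m in LEET_MAPS):
        reasons.append("it is a dictionary word, possibly with digits or l33t spelling")
    if is_keyboard_walk(password):
        reasons.append("it follows a keyboard pattern")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    # Short passwords always fail; medium ones need three character classes.
    if len(password) < 8 or (len(password) < 12 and classes < 3):
        reasons.append("it is too simple")
    return reasons


def audit(accounts):
    """Nightly-audit style: map each failing username to its first rejection reason."""
    findings = {}
    for username, password in accounts.items():
        reasons = check_password(password, username)
        if reasons:
            findings[username] = reasons[0]
    return findings


if __name__ == "__main__":
    for pw in ("oliver", "jp821968i", "rg78kn", "Welcome1234",
               "123!@#qwe!@#", "zMajqwUsiEkDlc"):
        reasons = check_password(pw, "oliver")
        verdict = "OK" if not reasons else "BAD PASSWORD: " + "; ".join(reasons)
        print(f"{pw:16} {verdict}")
```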
    1. Re:Dictionary attack + 1 by myowntrueself · · Score: 3, Funny

      "Perhaps the best solution would be biometrics?"

      Maybe. If implemented by a security guard with a pair of calipers that he measures your skull with every time you want to log on, then he logs on for you and if your skull doesn't match the numbers on his clipboard he shoots you.

      --
      In the free world the media isn't government run; the government is media run.
    2. Re:Dictionary attack + 1 by Exatron · · Score: 1

      I wouldn't be scared by such a worm. I'd just use my uncursed +1 antivirus program.

      --
      "I think so, Brain, but 'instant karma' always gets so lumpy." - Pinky
      "Decepticons FOREVER!!!" - Ravage
    3. Re:Dictionary attack + 1 by galaxy300 · · Score: 1

      It's not always the "braindead" netadmin, but sometimes the CEO or CIO who is requesting simple passwords so users don't complain so much. Believe it -- it has happened to me!

    4. Re:Dictionary attack + 1 by machine+of+god · · Score: 1

      *paranoia*

      But what will you do when they steal your eyeballs!!!!

      *end paranoia*

    5. Re:Dictionary attack + 1 by archen · · Score: 1

      At the place I work I just started to ban the number one altogether for all new passwords. Even if they just pick '2' I figure it's better than 1.

    6. Re:Dictionary attack + 1 by HeywoodJablomi69 · · Score: 1

      I'd be safe, then. Guess what I use?

    7. Re:Dictionary attack + 1 by swb · · Score: 1

      There are many environments where end-user gripes and politics mean more than real security..

    8. Re:Dictionary attack + 1 by Anonymous Coward · · Score: 0

      Retinal scanners need a heartbeat. You can't just rip someone's eyeballs out like they do in the movies :)

  19. White-hat worm? by EverStoned · · Score: 1

"..as it mucks with the registry and disables network sharing." Okay, a worm entering your system and messing with the registry is very bad. But isn't network (file and print) sharing the number 1 windows security risk? It would be preventing potentially more malicious attacks, or at least alerting the user to the problem.

    1. Re:White-hat worm? by tedrlord · · Score: 3, Informative

      Read the article. In addition to turning off file sharing, it installs a backdoor into the system.

      --
      [insert witty quote here]
    2. Re:White-hat worm? by EverStoned · · Score: 1

Yeah, I saw that, the IRC backdoor. Icky. But when the user notices that he can't share files anymore, he's gonna notice something's up and hopefully install a firewall...

    3. Re:White-hat worm? by tedrlord · · Score: 1

      Yeah, I'd hope so. Your average user probably wouldn't make the connection between broken file sharing and virus, though.

      --
      [insert witty quote here]
    4. Re:White-hat worm? by EverStoned · · Score: 2, Insightful

      "Your average user" is why virus like this spread.

      *sigh*

    5. Re: White-hat worm? by Black+Parrot · · Score: 1


      > "Your average user" is why virus like this spread.

I think there are some major "average user" human engineering exploits underway right now. Ramping up from almost nothing 2-3 weeks ago, "Windows security patches" from total strangers now account for almost half the spam I'm getting. I wonder what the payload really is, but I doubt that strangers are sending me security updates out of concern for my wellbeing.

      And at 100K-200K per message, this phenomenon can't be good for internet bandwidth.

      --
      Sheesh, evil *and* a jerk. -- Jade
  20. Oh dear! by BladeMelbourne · · Score: 1

    I better disconnect my Windows 3.11 with TCP/IP and Win32s, don't want it getting infected!

    http://www.froggy.com.au/mike.skinner/16bitwin.htm

    1. Re:Oh dear! by SN74S181 · · Score: 1

      If you want to play with Win16, you should try to chase down a copy of Wabi. I have a commercial copy targeted to Linux that Caldera sold back about five years. It reimplements Windows 16 (you have to install Windows 3 onto the Wabi image with your Microsoft floppies) within X. It's similar to Wine, but limited to 16 bit.

  21. Phew! I'm safe! by callipygian-showsyst · · Score: 3, Funny
    I didn't see my password:

    xyzzy

    on the list of passwords it tries. Guess I don't have to worry about this one.

    1. Re:Phew! I'm safe! by Anonymous Coward · · Score: 0

      Post you IP address and "WE" will test that for you.

    2. Re:Phew! I'm safe! by nolife · · Score: 1

      But that helps when I play Minesweeper

      --
      Bad boys rape our young girls but Violet gives willingly.
    3. Re:Phew! I'm safe! by rjamestaylor · · Score: 1
      Or mine:
      • CPE1704TKS
I no longer do, but until 1999 I used that for everything. It's the only bit of movie trivia I ever memorized (and I did it when the movie first came out).

      For extra credit: name the movie. For a bonus round with Vanna, what's the password protecting?

      And T3kno, if you tell my current password scheme I'll be up all night fixing servers from here to Texas!

      --
      -- @rjamestaylor on Ello
    4. Re:Phew! I'm safe! by yerricde · · Score: 0, Offtopic

      The password from Wargames protects the authorization to use a missile with a nuclear warhead.

      --
      Will I retire or break 10K?
    5. Re:Phew! I'm safe! by rjamestaylor · · Score: 0, Offtopic

      You win a date with destiny!

      --
      -- @rjamestaylor on Ello
    6. Re:Phew! I'm safe! by gailwynand · · Score: 1

      Damn! Change the combination on my luggage!

      --
      A pilot, in those days, was the only unfettered and entirely independent human being that lived in the earth.-Mark Twain
    7. Re:Phew! I'm safe! by Anonymous Coward · · Score: 0

Ya, mine wasn't there either... course not all systems like the full thing.. just stop where your system allows you:

      zaqwsxcderfvbgtyhnmjuiklop

    8. Re:Phew! I'm safe! by QueenOfSwords · · Score: 1

      Hmmm do I want to play the DVD, or a nice game of chess?

      --
      -- INTX Grouch. http://www.midnightblue.net
    9. Re:Phew! I'm safe! by Fizzl · · Score: 1

      Hackers, protecting the US Global Thermonuclear Thingymawingy stash.

      *raises an eyebrow* I think...

    10. Re:Phew! I'm safe! by mr3038 · · Score: 1
mine wasn't there either... zaqwsxcderfvbgtyhnmjuiklop

(-: Easy to remember when not using a normal QWERTY keyboard, isn't it? If you want a password that can be typed in faster just use alternating keys from both sides of the keyboard. Use the shift key here and there and break the alternating order once or twice and you've got a pretty solid password. Of course, you shouldn't use that simple pattern.

Something like zMajqwUsiEkDlc should be a pretty good password and relatively easy to remember once you have the keyboard in front of you. Of course, that is far from random but the length helps a lot.

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
  22. once? by LBArrettAnderson · · Score: 1

    for once a security problem that isn't really Microsoft's fault

    this is the first time it's not Microsoft's fault? This is just another one where the user has a choice. He/She can choose a bad password, or they can be smarter than that. He/She can choose to use Windows, or they can be smarter than that.

    1. Re:once? by Anonymous Coward · · Score: 0

      This is why I read Slashdot. Mindless group think in hope of Karma.

      I bet you would have better luck if you just begged for it...

      "Come on, please!! Just one funny, insightful, interesting point, that's all I want! I promise I'll try to switch to Linux .. in the next year, really! PLEASE, PLEASE, PLEASE! And Micro$oft sux0rs a big one!#@%@%!"

    2. Re:once? by Anonymous Coward · · Score: 0

lol, I am actually very pro-microsoft and anti-linux (for desktops, linux rules for servers). I just got a new username and am trying to boost my karma to get starting scores of 2. unfortunately this post didn't get modded up.

  23. It's about time... by evronm · · Score: 2, Interesting

    It's about time someone wrote a worm like this.

    If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.

I once worked as an SA at a bank. I could guess 90% of people's passwords in 3 tries. I'd say about 30% were the default "welcome". And the users would bitch (and occasionally get someone fired) if we told them to change them.

    If it is clearly communicated that this thing is spread because of weak passwords, maybe people will wake up and start using real passwords.

    Or is it just wishful thinking?

    1. Re:It's about time... by John+Hasler · · Score: 1

      I repeat: _no_ system should ever have a default password. Either require the user to enter one or generate a unique one for her on the spot.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:It's about time... by nurightshu · · Score: 2, Insightful

      If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.

      Just like Melissa, and ILoveYou, and Klez, and Goner have taught the users to be very careful when opening e-mail attachments.

      --
      They that would sacrifice their .sig space for that cliched Franklin quote deserve neither.
    3. Re:It's about time... by evronm · · Score: 1

      Just like Melissa, and ILoveYou, and Klez, and Goner have taught the users to be very careful when opening e-mail attachments.

I know that was intended sarcastically, but I have noticed a dramatic increase in attachment awareness amongst the otherwise clueless since the viruses you mention hit.

      Of course, there is a core of complete and utter morons who get bitten over and over again and never learn. And that core is alarmingly large, but it seems to me that a lot of people got it about attachments, especially after "I Love You". Hopefully, the same will happen here with stupid passwords.

  24. Ack! It's the Rapture! by Guppy06 · · Score: 3, Funny

    This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

    Dammit, I knew I should have built that bomb shelter...

  25. Symantec's hint by very · · Score: 4, Interesting

    On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.

    LiveUpdate:
    Virus Definitions released March 9
    Norton AntiVirus Corp. Edition Defs Version: 50309h
    Norton AntiVirus Corp. Edition Sequence Number: 21592
    Total Viruses Detected: 63225


    This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

    They know something, definitely.

    1. Re:Symantec's hint by CounterZer0 · · Score: 1

      I get updates to NAVCE every weekend.

    2. Re:Symantec's hint by Cyno01 · · Score: 1

Heh, I remembered to hit live-update for once before my weekly sunday night scan last nite.

      --
      "Sic Semper Tyrannosaurus Rex."
    3. Re:Symantec's hint by freeweed · · Score: 1

This worm has been on the radar for over a week now. The Internet Storm Center noticed a dramatic increase in port 445 traffic, and the fit really hit the shan on Saturday/Sunday (depending on where you live). Someone finally managed to get a specimen of this thing analyzed, and it's by far the biggest thing since Slammer.

      Consider how little it's actually spread - we should be happy Windows is no longer vulnerable to the single-character-password flaw. Now, if only we could explain to Microsoft that it should be very, VERY difficult for the home user to share their filesystem over tcp/ip (read: world-readable), we might be able to stop these annoying little buggers. Well, at least for a few weeks :)

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    4. Re:Symantec's hint by Florian+Weimer · · Score: 1

      This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

Well, they should have released it on Friday, then, when the worm started to make its rounds.

  26. Admit it... by SubliminalLove · · Score: 1

    How many of you read that article and went and changed your share password from eight asterisks in a row? How many of you thought that was so clever?

    ~SL

    My meaningful posts keep getting modded down... all incentive to contribute fading.... fading....

    1. Re:Admit it... by Anonymous Coward · · Score: 0

      My meaningful posts keep getting modded down...

      I sure as fuck hope you don't think this was a meaningful post. I'm glad your incentive to contribute is fading. For the first time in my life I've felt that moderation works. Now, please let me be I'm busy anally violating your mother against her will while your dad watches.

    2. Re:Admit it... by SubliminalLove · · Score: 1

I love it. I get modded down a point for suggesting that plagiarism on slashdot isn't a great idea, but being informed that my mother is being anally raped is all good. Keep up the good work, mod system :). ~SL

  27. He was right! by EverStoned · · Score: 1

    Love Sex And God are actually in there!

    root, sex, god,
    pass, love, mypc, ..I hate that movie.

    1. Re:He was right! by JWSmythe · · Score: 4, Informative

      Funny thing, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)

      22 godzilla
      5 godfathe
      4 goddess
      3 godsmack
      3 gods
      3 godiva
      2 sungod
      2 netgod
      2 iamgod
      2 goodgod

      There were 294 words with "sex" in them, the top ones are:

      84 sexy
      25 sexx
      17 sexsex
      8 sexual
      7 sexo
      6 sexe
      5 sussex
      5 sextoy
      5 sex4me
      5 ilovesex

      And 278 with "love" in it..

      86 love
      33 lover
      21 lovers
      14 loveme
      13 iloveyou
      10 loveit

      Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day. :)

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:He was right! by geekoid · · Score: 1

      perhaps you should check the gender of a couple of those. They sound like they might make a productive date ;)

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  28. Re:Clue by four by Anonymous Coward · · Score: 1, Insightful

    I wasn't aware that any versions of Windows shipped with Samba.

    What the hell are you talking about?

  29. Good by secondsun · · Score: 0, Troll

    My login password is a 30-digit alphanumeric with special characters in it. I don't even know what my farking admin password is (except it is of equal insanity and yes I am su). It is annoying to type it in but goth damn I feel like a secure guy, then I read something like this and feel even better.

    --
    There is nothing wrong with being gay. It's getting caught where the trouble lies.
    1. Re:Good by Anonymous Coward · · Score: 0

      Really fucking bright... next time try typing in just the first 8 characters of your password, and see if you get in. Don't bother thanking me.

    2. Re:Good by rlowe69 · · Score: 1

      My login password is a 30-digit alphanumeric with special characters in it.

      Lemme guess:

      abcdefghijklmnopqrstuvwxyz123!

      --
      ----- rL
    3. Re:Good by afidel · · Score: 1

      anything longer than 9 digits which is not a dictionary word should be fine as that is 13,537,086,546,263,552 possible passwords with just [a-Z][0-9]; if you have a sane retry policy (like say exponential timeouts or limited number (say 30) guesses) then there is no way someone is going to break it.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:Good by Anonymous Coward · · Score: 0

      my yahoo password is 25 alpha / numeric digits long... is that too much?

  30. pat/patrick by Anonymous Coward · · Score: 5, Insightful

    St. Patrick's Day is this month.

    For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...

    1. Re:pat/patrick by Anonymous Coward · · Score: 0

      Nice Point... W.I.H.M.P.

  31. not in there? by ackthpt · · Score: 3, Informative
    And how many people really have 42 x's as their password?

    What's the maximum or minimum limit for password? I generally go with 6-8 with a combination of letters and numbers, often deferring to foreign languages, rather than English.

    I was surprised that it didn't include:

    Months (i.e. january, february, ...) since I catch people using those a lot

    system (i.e. another favorite)

    xyzzy

    plugh

    Though I do note 'foobar' is in there, but I generally use that on internet sites where I could care less if someone assumes my identity.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:not in there? by tuba_dude · · Score: 3, Funny

      interesting system. I take a bag of marbles and throw it at my keyboard until I get 8-12 characters and go from there.

      --
      "The government of the United States is not, in any sense, founded on the Christian religion."
    2. Re:not in there? by Your+Login+Here · · Score: 1

      For most users I think xyzzy is just a little dated.

    3. Re:not in there? by Surlyboi · · Score: 1

      A hollow voice says, "fool"...

      --
      Mod me down and I will become more powerful than you can possibly imagine...
    4. Re:not in there? by miu · · Score: 1
      What's the maximum or minimum limit for password?

      It depends on the systems that will be using it, the cipher type used, the systems it must pass through, and so on.

      16 characters is a pretty good rule of thumb for maximum length (mostly because people use md5 incorrectly). There is usually no minimum unless a front end application (or policy system) enforces one.

      --

      [Set Cain on fire and steal his lute.]
    5. Re:not in there? by Surak · · Score: 2, Funny

      xyzzy

      Nothing happens.

    6. Re:not in there? by chef_raekwon · · Score: 1

      xyzzy

      Nothing happens.


      that should be 'ozzy'
      try again.

      --
      We're like rats, in some experiment! -- George Costanza
    7. Re:not in there? by Reziac · · Score: 1

      Why xyzzy?? Everyone knows the proper spelling is zzyzx!!

      (http://wordways.com/zzyzx.htm, for the uninitiated)

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    8. Re:not in there? by tijsvd · · Score: 1

      Plugh and xyzzy are hardly passwords the average windows user would know, are they?

  32. Real Info on this Worm by Anonymous Coward · · Score: 4, Informative

    Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.

    1. Once on the system it disables personal security/firewall/virus scanning
    2. Copies itself to the start up group
    3. With virus scanning disabled it drops several nasty bugs.
    4. Network traffic/processor utilization goes thru the roof.
    5. It then tries to replicate on the next machine...

    McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.

    Good Luck

  33. Hypocrisy by Apreche · · Score: 2, Insightful

    Wow, this is really hilarious. Windows is a very secure operating system, but not out of the box. It requires an amount of time and effort setting permissions and enabling/disabling services and the like. However, Windows users are generally the people who don't know how to do anything and need everything built in and done for them.

    On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.

    Now we get a worm that is/isn't Microsoft's fault. It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything. It just takes advantage of the fact that windows isn't secure by default. So who comes out to complain that something isn't automatic and built in? Oh, of course, the linux users who love the operating system where nothing is done for you and you have to write code to make software work.

    linux guy: "You're operating system isn't secure by default!"
    windows guy: "You're operating system isn't anything by default!"

    And don't get me wrong, I'm a dual boot win2k/mdk9 man, but this typical slashdot hypocrisy cracks me up.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:Hypocrisy by pyrrho · · Score: 1

      do you really believe you have to "write code" to use Linux?

      and by default, Red Hat seemed to let me have a ton of services turned on I didn't need.

      I find it difficult to believe you really use Linux. You don't have to write anything for it.

      --

      -pyrrho

    2. Re:Hypocrisy by colganc · · Score: 1

      last time i checked most linux distros install with wizard like programs: linux is just as easy or nearly as easy to set up/install. there is little to no tweaking and configuring needed. aw wtf...this is troll and the post I'm replying to is troll...what am i doing?

    3. Re:Hypocrisy by Anonymous Coward · · Score: 0

      That makes you a troll. YOU FAIL IT, sux0r

    4. Re:Hypocrisy by oyenstikker · · Score: 2, Insightful

      linux guy: "You're operating system isn't secure by default!"
      windows guy: "You're operating system isn't anything by default!"


      I use Linux. My system wasn't anything by default. But by not being anything, it was secure.

      --
      The masses are the crack whores of religion.
    5. Re:Hypocrisy by alpha_1100001 · · Score: 1

      I think that's more irony than hypocrisy.

      That, of course, doesn't make it any less funny.

    6. Re:Hypocrisy by dankow · · Score: 1
      linux guy: "You're operating system isn't secure by default!"
      windows guy: "You're operating system isn't anything by default!"


      Mac guy: "Your grammar isn't correct by default!"

      --
      I am the hub of Jack's digital lifestyle.
    7. Re:Hypocrisy by Anonymous Coward · · Score: 0

      Wow! Great job re-iterating the OP's point. You deserve an A+ for comprehension!

    8. Re:Hypocrisy by theLOUDroom · · Score: 3, Insightful
      On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.

      What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
      I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install cds in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things yourself. I do sometimes, but it is not a necessity.

      windows guy: "You're operating system isn't anything by default!"

      Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc for so long, using a windows box can be just frustrating. I don't think your argument makes sense at all; all these things are installed and work by default.

      Windows is a very secure operating system, but not out of the box.

      Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
      Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
      What proof do you have that windows can be very secure? Over the last two years:
      • What's the mean time between root exploits being available and unpatched for a win2k/IIS combination?
      • What's the mean time that these exploits exist and are not fixed?
      • What's the average number of days in a year that a win2K/IIS box must be taken down or is available for a remote root exploit?

      Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.

      Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?
      --
      Life is too short to proofread.
    9. Re:Hypocrisy by C0LDFusion · · Score: 1

      You must've seen my journal! Ha ha. My memes are spreading like a Windows Worm.

      --
      Only in slashdot are posts of solidarity modded at -1 Redundant, while posts of antagonism are modded as -1 Flamebait.
    10. Re:Hypocrisy by Anonymous Coward · · Score: 0

      Oh please. I think the general requirement of cluefulness on the part of Linux should be considered a feature. I mean really. MS claims that general usability is a feature. The flip side is that any moron can use it, and they generally do..

      franxman

    11. Re:Hypocrisy by pjrc · · Score: 1
      Oh, of course, the linux users who love the operating system where nothing is done for you and you have to write code to make software work.

      of course in windows, nobody needs to open/edit large files and it's ok if the system mysteriously locks up all the time.

      Or at least it was in the days of Windows 3.1... when you last tried SLS or an early Slackware linux distro.

  34. Hypocrites by Nintendork · · Score: 5, Insightful
    "for once a security problem that isn't really Microsoft's fault"

    Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.

    I feel sorry for those that let their hatred of a company cloud their perception on information security.

    -Lucas

    1. Re:Hypocrites by commodoresloat · · Score: 1

      What are you going on about? Taco did give Microsoft a break. He said quite clearly, as you quoted, that this is not Microsoft's fault. He was not comparing unix to MS as you seem to assume. But in any case if you actually read the mailing lists you subscribe to, rather than just counting MS-related and UNIX-related complaints, you'd know that a larger number of UNIX-related posts has no relation to whether one OS is more or less secure than another.

    2. Re:Hypocrites by tres · · Score: 3, Insightful
      ...I see a lot more *nix than MS activity.
      This is derived from the idea that all security vulnerabilities are quantitatively the same. In fact, the danger posed by the majority of exploits listed for Open Source software is relatively minor compared to the regular influx of root level exploits that show up for the Windows platform.

      Sure, you see a lot of exploits for Open Source software, but the difference is when exploits for Open Source software are found, they are:

      • a) normally quite limited in their scope. *nix root exploits are relatively rare and are generally harder to take advantage of than their Windows counterparts.
      • b) patched almost immediately after the exploit is announced. We see in the world of Windows that it's not uncommon for vulnerabilities to be announced and left unpatched for months. (And since you don't have access to the source, you can't do any patching yourself either.)

      Don't get me wrong, when it comes down to it, I'd much rather get the best tool for the job. But when it comes to security, Microsoft Windows is not it.

      --
      Notes From Under *nix: blas.phemo.us
    3. Re:Hypocrites by yatest5 · · Score: 1
      He said quite clearly, as you quoted, that this is not Microsoft's fault.

      Er, no he didn't. If this is *clearly*...

      "for once a security problem that isn't really Microsoft's fault."

      then you are not really a Linux Zealot Faggot.

      --
      • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
    4. Re:Hypocrites by terminal.dk · · Score: 2, Informative

      Problem is, that most of the bugs attributed to Unix are not a problem in Unix, but a problem with some user-installed software, like Sendmail etc.

      On Windows we don't attribute errors in Exchange, WordPerfect etc to the OS.

      Now if we only count Unix errors as those in the kernel and libc, and even Dan Bernstein's software, we get quite a bit fewer.

      People can't see the difference between software from the huge company "Open Source", and the company's operating system, while it is easier for them to tell there is a difference between Windows, and an add-on product that costs hundreds of dollars.

    5. Re:Hypocrites by praedor · · Score: 1

      Big difference. In linux-space, for instance, the vast majority of vulnerabilities reported and patched (virtually instantly) are found not by black hat exploiters, but by white hats working to help secure the system from attacks.


      In the windoze world, the majority of vulnerabilities are exploited and reported as a result. The reason is the closed source of M$. They don't have a bazillion code hackers chipping away at it for the benefit of us all. They try to hide the flaws and then only belatedly fix a problem AFTER it is being exploited.


      For linux/BSD, the reports are proactive, the Windoze vulnerabilities are reported/fixed AFTER they are exploited - as that is the main way people come to find them. There are easily as many (likely MORE) as yet unknown vulnerabilities in Windoze code right now than exist in Linux/BSD because 1) the Windoze code-base is overly huge and thus MUST contain many more mistakes, and 2) Windoze is not as thoroughly vetted by code hackers BEFORE an exploit is produced in the wild as is the case with open source systems. There are MANY more eyes going over linux kernel source than there are going over closed M$ code. That is just a fact.


      Give the same number of prying eyes to both systems and I assure you that there would fall out many more vulnerabilities in the M$ code than the OSS code...because it is so frickin' huge, created by a lumbering bureaucracy, and by nature restricted to a limited number of eyes. They CAN'T go over it with the same fine-toothed comb that linux/BSD gets.


      --
      In Bushworld, they struggle to keep church and state separate in Iraq as they increasingly merge the two in America.
    6. Re:Hypocrites by Nintendork · · Score: 1
      Bullshit.

      I run a Microsoft network. I read all the security bulletins. I read security related news sites to ensure that I don't miss anything important. Hell, I supported NT4 Server networking, domains, and setup for Microsoft for almost two years!

      Most exploits for any piece of software are discovered by white hats. *nix, Windows, it doesn't matter. More than 95% of the time, a worm is made by some talentless asshole that doesn't have the skill to find a new exploit. Instead, he relies on spreading his worm through unpatched boxes by standing on the shoulders of white hats. If the asshole had the skills of a true security professional, he would be making decent money in the information security field. I doubt there are many people that wouldn't "sell out" by providing a noble service to the business world.

      The fact that you just love to spell Microsoft related names with a bigot twist tells me that you fall under the "I hate Microsoft and therefore will have extremely biased opinions" category of people. Personally, I hate Microsoft's business practices as much as the next guy and I believe that open source is a better way to develop projects, but I don't let that opinion form the basis of ALL my computer related opinions.

      -Lucas

  35. patrick!!??!! by natet · · Score: 1

    Aaaah!! Damn, gotta change my password!

    Seriously though, many Linux distros come configured out of the box to test your password. If it is too simple, it at the very least informs you of that problem. I don't know why Microsoft doesn't do the same thing.

    --
    IANAL... But I play one on /.
    1. Re:patrick!!??!! by Anonymous Coward · · Score: 0, Insightful

      Oh good, you found a way to blame Microsoft. I was worried we would have to go an entire discussion thread without blaming them for anything.

    2. Re:patrick!!??!! by Kpt+Kill · · Score: 2, Informative

      uhh... yeah it does, try looking for it. I'll give you a hint... Local Security settings

    3. Re:patrick!!??!! by natet · · Score: 1

      I don't have a windows box handy, so I can't verify this, but if you read my post, you will see that I mention that many linux distros have this feature enabled by default.

      --
      IANAL... But I play one on /.
    4. Re:patrick!!??!! by natet · · Score: 1

      I really wasn't looking for a way to blame Microsoft. Honestly, that was my first thought when I read the post.

      --
      IANAL... But I play one on /.
    5. Re:patrick!!??!! by timmyf2371 · · Score: 1
      IMHO it's more of a case of user error as opposed to vendor error. If a user wants to choose a certain password then s/he'll choose it regardless.

      If an operating system requires a secure password, you'll typically end up with post-it notes on the monitor which in turn can be another security problem.

      Tim

      --

      Backup not found: (A)bort (R)etry (P)anic
  36. It is not by Anonymous Coward · · Score: 2, Insightful

    MS does not provide a default user password under NT/2K/XP. If this worm is going around it is because users set up weak passwords. MS is in no way responsible for stupid users.

  37. It's not a worm, it's a DDOS countermeasure by eagl · · Score: 5, Insightful

    Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...

    Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...

    Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.

    1. Re:It's not a worm, it's a DDOS countermeasure by IIRCAFAIKIANAL · · Score: 3, Insightful

      Of course, some of those pc's that are attacking you are probably already compromised and that's why they are being used to attack you.

      If I was a spammer or hacker, I would probably have a bunch of PC's between me and my targets, and use those pc's to get more pc's ad infinitum.

      (Not that I know anything about this, I program in userland against an ORACLE database behind a firewall :)

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    2. Re:It's not a worm, it's a DDOS countermeasure by BlackListedCard · · Score: 1

      Ummm... When I try file://andtheattakerIP/. Guess what. I see my linux directory, move from directory to directory. It does not matter what IP address I change it to. Mozilla takes me to the root base on my linux box???? Anybody notice this before?

  38. Nothing happens by Anonymous Coward · · Score: 0
    "xyzzy"

    Nothing happens.

    1. Re:Nothing happens by eluusive · · Score: 1

      You know you're addicted to NetHack when you speak passwords to computers aloud and hear "Nothing happens." in your head.

    2. Re:Nothing happens by Anonymous Coward · · Score: 0

      The "xyzzy" and "Nothing happens" references go much further back than NetHack, friend...

  39. SAMBA protocol by whereiswaldo · · Score: 3, Insightful


    Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

    And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.

    1. Re:SAMBA protocol by cranos · · Score: 1

      Ummm no this worm attacks the Windows Registry, and drops an exe file, both of which don't actually exist under Linux. Samba is a protocol but it's the underlying OS that would determine vulnerability.

    2. Re:SAMBA protocol by The+Ape+With+No+Name · · Score: 2, Informative

      Notice it says: Startup Folder. Unless the worm can add a script to /etc/rc.d/ or cat itself into rc.local then SAMBA isn't vulnerable other than stuff on the share being available.

      Other thing: time for all the LOTR lusers to change g@nbA1ph to g011um!

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
    3. Re:SAMBA protocol by Unregistered · · Score: 3, Funny

      Yea, but copy C:\Windows\Tempor~1\Work.exe C:\Windows\StartMenu\Programs\Startup doesn't work too well on linux.

    4. Re:SAMBA protocol by Anonymous Coward · · Score: 2, Informative

      > Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

      Being picky, Samba is the open software suite that handles the SMB protocol. Yes, Samba would be as vulnerable except that by default Samba doesn't share anything - you have to tell it what you want to share via its config file. So, you probably (...but NOT definitively!..) assigned a share password at the same time you created the config file entry. Not quite the same as a share created by default with a weak password.

      > And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.

      Probably because the majority of their market are home users who Don't Want to have to worry about passwords 'n stuff - just arrest those stupid, inconveniencing 'hackers' and let the home users get on with their work. MS doesn't want to deal with the grief that reasonable security would cause their largest installed base.

    5. Re:SAMBA protocol by sn0wman3030 · · Score: 5, Informative

      Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info.

      --
      Life is offtopic.
    6. Re:SAMBA protocol by Anonymous Coward · · Score: 0

      Nope, SMB is a protocol, SAMBA is an implementation.

    7. Re:SAMBA protocol by whereiswaldo · · Score: 1


      Argh! I plead guilty to not reading TFA.

      Now I will write 100 times "SAMBA is not a protocol... SAMBA is not a protocol..." :)

    8. Re:SAMBA protocol by afidel · · Score: 1

      SMB (server message block) is a host of protocols (there are several versions, basically one for each major revision of windows) that are used for filesharing and some other operations in the windows networking world, there is an open protocol that has most of the features of the most recent incarnation of SMB called CIFS or common internet file system. The reason MS doesn't enforce strong passwords by default is the home user, mostly the parents and grandparents of most slashdotters. If my mom and dad had to deal with strong passwords just to log into the computer they wouldn't bother (heck, they asked me to set up their dialup settings to save their login password).

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  40. WRONG! by dotgod · · Score: 5, Funny
    Sorry, but "administrator" can't be one of the passwords the worm tries because I use that for the password on my box and everyt

    NO CARRIER

    1. Re:WRONG! by kien · · Score: 1
      Sorry, but "administrator" can't be one of the passwords the worm tries because I use that for the password on my box and everyt


      NO CARRIER

      Sheesh, time for a new keyboard. ROFL

      --K.
      --
      Sig: Bad people happen. Try to avoid being one of them.
    2. Re:WRONG! by Anonymous Coward · · Score: 0

      Garsh, as if this joke or some clever variant of it, hasn't been used too many times already. Too much noise posts on Slashdot lately. *grumble*

    3. Re:WRONG! by IIRCAFAIKIANAL · · Score: 4, Funny

      Those no carrier jokes always remind me of Monty Python and the Holy Grail...

      <dream sequence>
      ARTHUR:
      What does it say?
      MAYNARD:
      It reads, 'Here may be found the last words of Joseph of Arimathea. He who is valiant and pure of spirit may find the Holy Grail in the Castle of aaarrrrggh'.
      ARTHUR:
      What?
      MAYNARD:
      '...The Castle of aaarrrrggh'.
      BEDEVERE:
      What is that?
      MAYNARD:
      He must have died while carving it.
      LAUNCELOT:
      Oh, come on!
      MAYNARD:
      Well, that's what it says.
      ARTHUR:
      Look, if he was dying, he wouldn't bother to carve 'aarrggh'. He'd just say it!
      MAYNARD:
      Well, that's what's carved in the rock!
      GALAHAD:
      Perhaps he was dictating.
      ARTHUR:
      Oh, shut up. Well, does it say anything else?
      MAYNARD:
      No. Just 'aaarrrrggh'.
      LAUNCELOT:
      Aaaauugggh.
      ARTHUR:
      A arrrggh.
      </dream sequence>

      No, that's just stupid. Too bad I hit submit already...

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
    4. Re:WRONG! by Anonymous Coward · · Score: 0

      In Soviet Russia, the joke uses you!

    5. Re:WRONG! by Surak · · Score: 1

      Actually, the NO CARRIER jokes may in fact originate from that. It wouldn't surprise me in the least. A lot of people who were big into the BBS scene in the 80s really dug Monty Python. In fact, a friend of mine ran a board called "Quest for the Holy Grail" which was named after "Monty Python and the Holy Grail" (obviously). His board was the first place I saw the NO CARRIER jokes, but that doesn't mean that they started there (though I'd like to think that in my own self-delusions. :)

    6. Re:WRONG! by brakk · · Score: 1

      That reminds me of a joke a friend told me when we were kids: He said his mom would write letters to their family, just regular letters telling what's going on and how the kids are doing, then at the end write "p.s. I would have included pictures, but I've already sealed the envelope."

  41. Choose your weapons...Uh, I pick Blame! by ackthpt · · Score: 3, Interesting
    "Please tell me why isn't it Microsoft's fault? "

    Please tell me how it's MS's fault that people pick easy to guess passwords?

    Some systems I have used in the past have a built-in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.

    You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.

    A modest proposal:

    Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue'). Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Choose your weapons...Uh, I pick Blame! by NetJunkie · · Score: 3, Informative

      Complex password checkings is an included feature. It's easily enabled.

    2. Re:Choose your weapons...Uh, I pick Blame! by Kevinb · · Score: 1
      Some systems I have used in the past have a built-in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords.... You can't fault Microsoft for not including such a feature.

      Actually, they did, at least in the NT OS's. Administrative Tools -> Local Security Policy -> Account Policies -> Password Policy. There are settings for password history, age, length, and complexity requirements.

    3. Re:Choose your weapons...Uh, I pick Blame! by Anonymous Coward · · Score: 0

      not to mention that it's well documented in a knowledge base article how to write your own passfilt.dll to approve or deny password changes based on whatever criteria you wish.

      that can't be true, since winblows is closed source and you can't do anything with it without paying one bazillion dollars, unlike lunix, where you can have anything you want for free, as long as you code it yourself.

    4. Re:Choose your weapons...Uh, I pick Blame! by _Spirit · · Score: 1

      Or easily disabled when the lazy support staff get sick of all the password calls. Believe me, from my experience with clients' networks (Fortune 500 and government among them), sloppy security is 70% admin laziness or stupidity, maybe more.

      --

      beauty is only a light switch away

    5. Re:Choose your weapons...Uh, I pick Blame! by zeugma-amp · · Score: 2, Informative

      I'm of the opinion that it is almost criminal these days for a system to not run a quick test against passwords as the user chooses it. This is the case on most, if not all linux systems I use, and many others as well.

      The problem is, that many users have a large number of systems they must access, and can't be bothered to choose decent ones for each systems, and can't be bothered to change them at any regular interval once they've been set. Password aging is a pretty basic security concept that is rarely implemented.

      I always recommend the use of passwords that are not words, but are pronounceable by the user. Many years ago, when I went to work for MCI, we were assigned MCIMail accounts. When you would initially log in, it would prompt you to change your password. Rather than just let you type in any old thing, it would give you 3 choices like this.

      puwacane
      solahota
      yamatotu

      You had the option of choosing one of the three listed, or could roll the dice for another three more to your liking. I kinda liked it.

      These days, there are a number of programs that will do this for you quick and easily. I'm sure most of you are aware of 'gpw', which will generate passwords similar to those listed above. I've seen many variations of the program, and in fact currently use a perl-based one on my Solaris boxes when it's time to change passwords.

      I mentioned earlier that people have many different passwords to remember. This, as well as the problem of multiple usernames, is a major problem for many users. Fortunately, there are software solutions for this as well. For Linux users, I like 'gpasman', which is a small program that will keep track of usernames/passwords for you and is itself protected with a password/passphrase (use a darn good one!). Windows users may find 'Password Safe' to be a good choice.

      Both of the above programs have enabled me to have excellent passwords everywhere. Password Safe will even generate extremely strong passwords for you.

      I guess my point, if there really is one, is that some of the pain of passwords can be alleviated to some degree by good technology. I wish more people took more care in their choice of passwords. Given the results reported elsewhere on this page, they don't seem to.

      --
      This is an ex-parrot!
    6. Re:Choose your weapons...Uh, I pick Blame! by operagost · · Score: 1

      You can also load passfilt.dll to enforce the usage of caps, and numbers or special characters.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    7. Re:Choose your weapons...Uh, I pick Blame! by Anonymous Coward · · Score: 0

      And is this Admin laziness Microsoft's fault too?

      Oh, it's /., of course it's Microsoft's fault.....

  42. Damn! by Superfreaker · · Score: 1

    Now I have to change the password on my luggage.

  43. love of the Irish. by Erris · · Score: 2, Funny
    The pat / patrick is rather weird, eh? only name in the list

    Happy Saint Patrick's day!

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:love of the Irish. by Theaetetus · · Score: 5, Funny
      The pat / patrick is rather weird, eh? only name in the list

      Hey! My son Temp123 would take offense at that!

      -T

    2. Re:love of the Irish. by Jerf · · Score: 5, Funny

      "Son, it's time we had that special man-to-man talk about where babies come from. See, your mom and I tried to, uhhh, 'swap location', and everybody knows that to swap two variables, you need a temporary variable*. Well, you're that temporary variable. You just better hope you don't go out of scope soon..."

      (*: True in the general case, since the XOR trick only works in certain circumstances.)

    3. Re:love of the Irish. by Anonymous Coward · · Score: 0

      (Score: -1, Never Been Laid)

    4. Re:love of the Irish. by Orthanc_duo · · Score: 1

      Pretty sure it is true for all variables on a computer (ie. binary based).

    5. Re:love of the Irish. by Anonymous Coward · · Score: 1, Funny

      the XOR trick only works in certain circumstances

      What, like when your data isn't a string of bits? When was the last time that happened?

      In any case, that sounds like a pretty nasty threesome.

    6. Re:love of the Irish. by MrFredBloggs · · Score: 1

      >Happy Saint Patrick's day!

      Put your glasses on. That's a 1, not a 7!

    7. Re:love of the Irish. by Anonymous Coward · · Score: 0

      sorry, this would be counted as a bonus here.

    8. Re:love of the Irish. by Anonymous Coward · · Score: 0

      when performing unary sex the results are undefined.

    9. Re:love of the Irish. by MegaFur · · Score: 1
      Actually, it's possible to swap two integer variables without a temporary variable. Although, I don't know if I'd recommend it, on account of it's quite confusing looking and only saves you one temp. This compiles fine on gcc:
      /* swap-with-no-temp */
      #include <stdio.h>   /* printf */

      int main(void)
      {
          int the_answer = 5, my_chaos = 42;

          printf("\nmy_chaos = %d\n", my_chaos);
          printf("the_answer = %d\n", the_answer);
          printf("swap!\n");

          /* add/subtract swap: no third variable, but the sum may overflow */
          the_answer = the_answer + my_chaos;
          my_chaos = the_answer - my_chaos;
          the_answer = the_answer - my_chaos;

          printf("Erisian Sacred Number: %d\n", my_chaos);
          printf("The Answer: %d\n\n", the_answer);

          return 0;
      }
      --
      Furry cows moo and decompress.
    10. Re:love of the Irish. by greenrd · · Score: 1
      Not true in Java, since you can't XOR references to objects together. So, it's not true in general.

    11. Re:love of the Irish. by rsearle · · Score: 1
      Pretty sure it is true for all variables on a computer (ie. binary based).

      Not if you want portable code. In particular, if you try this in C, it will likely fail unpredictably. The reason for this is that the C standard allows implementations to insert "padding bits" into non-integer variables; if those padding bits have any special meaning to the system, you're screwed.

      Also, not all binary values need have a valid representation. These values are referred to as "trap values", and will often cause a program to abort.

      This has been discussed several times on comp.lang.c; here's one of them:
      "question about FAQ, swapping values".

    12. Re:love of the Irish. by gpinzone · · Score: 1

      Your method fails when a + b > INTEGER_MAX.

    13. Re:love of the Irish. by Anonymous Coward · · Score: 0

      Quite the contrary...

      You actually have several temp variables there.
      Where do you think the results of the evaluated
      expressions are placed?

      -- CheezCake

    14. Re:love of the Irish. by catch23 · · Score: 1

      I think people swap other types other than integers more often probably. Especially in this polymorphic decade when everything is an object. How would you do that with an object reference or a string?

    15. Re:love of the Irish. by Expresso · · Score: 1

      It works with all integer values, think about it and try it!

      my_chaos = 42
      the_answer = 2147483647
      swap!
      Erisian Sacred Number: 2147483647
      The Answer: 42

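  The swap tricks argued over in the replies above, as an added example that is not code from any poster in this thread: the add/subtract swap on unsigned ints (where wraparound is defined by the C standard, unlike signed overflow, which is undefined behaviour even when a two's-complement machine happens to give the expected answer), and the XOR swap with the one case it really does get wrong, swapping a variable with itself through two aliased pointers. All values are constructed for the demonstration.

```c
/* Added example (not from the thread): temp-free swaps and their pitfalls. */
#include <stdio.h>
#include <limits.h>

/* Add/subtract swap on unsigned ints. Unsigned arithmetic wraps modulo
   2^N by definition, so the intermediate a+b may wrap and the swap still
   comes out right. On signed int the same overflow is undefined
   behaviour in C, even where a two's-complement machine happens to
   produce the expected result. */
void swap_add_sub(unsigned *a, unsigned *b)
{
    *a = *a + *b;
    *b = *a - *b;
    *a = *a - *b;
}

/* XOR swap as usually written: correct only when a and b are distinct
   objects. */
void swap_xor_unguarded(unsigned *a, unsigned *b)
{
    *a ^= *b;
    *b ^= *a;
    *a ^= *b;
}

/* XOR swap with the aliasing check. Without it, swapping a variable with
   itself zeroes it: the first XOR sets *a to 0 and nothing restores it. */
void swap_xor(unsigned *a, unsigned *b)
{
    if (a == b)
        return;
    swap_xor_unguarded(a, b);
}

/* Returns 1 if swap_add_sub still swaps correctly when a + b wraps. */
int add_sub_survives_wrap(void)
{
    unsigned x = UINT_MAX, y = 42u;
    swap_add_sub(&x, &y);
    return x == 42u && y == UINT_MAX;
}

/* Returns 1 if swap_xor swaps a distinct pair correctly. */
int xor_swaps_pair(void)
{
    unsigned x = 5u, y = 42u;
    swap_xor(&x, &y);
    return x == 42u && y == 5u;
}

/* Value left in x after XOR-swapping x with itself, unguarded. */
unsigned xor_self_swap_unguarded(unsigned x)
{
    swap_xor_unguarded(&x, &x);
    return x;
}

/* Value left in x after XOR-swapping x with itself, guarded. */
unsigned xor_self_swap_guarded(unsigned x)
{
    swap_xor(&x, &x);
    return x;
}

int main(void)
{
    printf("add/sub swap survives wraparound: %d\n", add_sub_survives_wrap());
    printf("xor swap of a distinct pair:      %d\n", xor_swaps_pair());
    printf("unguarded xor self-swap of 7:     %u\n", xor_self_swap_unguarded(7u));
    printf("guarded xor self-swap of 7:       %u\n", xor_self_swap_guarded(7u));
    return 0;
}
```

  The self-swap case is the one that bites in real code: a generic swap called with the same element twice (sorting routines do this) silently destroys the value, which is why the temporary variable the thread is joking about is the version to keep.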
  44. I can see the headlines now: by masteroveride · · Score: 2, Funny

    A worm that isn't Microsoft's problem!?!? Next thing you know you'll hear about airliners falling out of the sky due to flying pigs...

    --
    eh, food for thought...
  45. ... about blame by Montreal+Geek · · Score: 1, Insightful
    Why is this not Microsoft's fault?

    While, admittedly, the admin who left a default password in place deserves a beating with a big foam cluebat, the very fact that there is a default password in the first place is a major security flaw that traces its origins to Redmond.

    A properly constructed security scheme would prompt you for a password upon activating the feature at the very least.

    But MS is only following the Marketroid mantra "The users can't be bothered. They don't want to know. They don't want to understand."

    That mantra might even be mostly true; but it still begets bad security. Users need education, not bad security.

    For that matter, most features that end up having big security implications in Windows are not needed by the vast majority of the users out there, and activation (or better yet installation) of those features should be an explicit act.

    -- MG

    1. Re:... about blame by Anonymous Coward · · Score: 0

      OK, fine, I understand not reading the article. But at least read the goddamn summary! NOt default passwords, WEAK passwords, fucktards!

    2. Re:... about blame by Black+Copter+Control · · Score: 1
      NOt default passwords, WEAK passwords, fucktards!

      Linux/Unix programs now generally complain if you try to use really weak passwords. There's no reason why the MS equivalents couldn't do the same thing -- especially for the admin password.

      [samuel@localhost samuel]$ passwd
      Changing password for user samuel.
      Changing password for samuel
      (current) UNIX password: _______________
      New password: _______
      BAD PASSWORD: it is based on a dictionary word
      Pretty much a no-brainer, if you ask me.
      --
      OS Software is like love: The best way to make it grow is to give it away.
    3. Re:... about blame by Anonymous Coward · · Score: 0

      true, it TELLS you it's a bad password, but doesn't prevent you from actually using it. Just hit enter and it will accept that password.

  46. Good News by Ozric · · Score: 0, Redundant

    Hey this is great. It should take out all those morons that still have code-red banging on my webserver.

  47. To maximize the effect.. by Anonymous Coward · · Score: 0


    This program SHOULD have taken advantage of the Norton AntiVirus default password, 'symantec', and then worked some more magic.

  48. Surprising by chewedtoothpick · · Score: 2, Interesting

    Surprising that the most popular 'simple' password I have come across: drowssap wasn't on the list... either it must not be very composite, or the programmers of the worm are fairly out-of-touch.

    --
    Erutangis ym si siht.
    1. Re:Surprising by cat5 · · Score: 1

      and what about use the the password of 'notpassword'

    2. Re:Surprising by jandrese · · Score: 1

      Yeah, and where's everyone's favorite password for those environments where people write down any password they need and paste it to the window: ask me.

      It does get some people who never think of putting a space in their password, and it makes it harder to use as a parameter to a command which is an additional bonus. More people should use a password like *? '"`|& just to discourage that behavior.

      --

      I read the internet for the articles.
  49. Glad you feel better... by wadetemp · · Score: 1

    ... unfortunately for your feelings one of my henchmen said he broke into your place last night and single-user-moded your 30 digit password out of existence.

  50. RIAAs first strike? by autopr0n · · Score: 0, Troll

    Disables file sharing, hrm. Sounds like something the RIAA would like. It could cut down on college campus shares and stuff.

    --
    autopr0n is like, down and stuff.
  51. 12345? by bblough · · Score: 1, Redundant


    That sounds like a password some idiot would have on his luggage.

  52. This is a GOOD THING by TheZax · · Score: 0, Redundant

    It's NOT a WORM, it's a SELF INSTALLING PATCH

    It looks for vulnerable shares, and disables sharing on that PC, looks for others.

    Thank you very much, the Net is a safer place.

    And if MS wrote it, chances are it's legal (SP3 EULA).

    --

    JWall: GUI client for IPTables
    1. Re:This is a GOOD THING by machine+of+god · · Score: 1
      It's NOT a WORM, it's a SELF INSTALLING PATCH

      Called Deloder, the worm also tries to drop a backdoor component.

      That is the second sentence in the article.

  53. Not default passwords... by NetJunkie · · Score: 3, Insightful

    These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.

    I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.

    It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.

    This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.

    1. Re:Not default passwords... by larien · · Score: 2, Interesting
      Get one for your mom
      When I helped my mother get on the internet (she uses it mainly for registering cattle movements on the web), I took a CD with Zone Alarm on it with me and installed that with the settings locked down. My home connection (linux box on ADSL) is slightly more open, with ports 22, 80 & 443 open. Only two users have access to port 22, though (unless ssh breaks again...). Everything else at home is NAT'd through the linux box.
  54. Any self respecting desktop operating system... by iamacat · · Score: 1
    Should really bug users before allowing any type of remote access or automatic program download/execution. Like making one talk to a live customer support person to get an "advanced user activation code". Or at least make the user take a randomized multiple-choice quiz on security. Otherwise, you are restricted to outbound connections to WWW, DNS, POP and IMAP and the requests are filtered through a local Java proxy that checks the line length and absence of suspicious control characters. Otherwise these kinds of problems will just breed out of control.

  55. well...maybe...but by BurKaZoiD · · Score: 3, Funny

    Is the one left open by an Admin who has no business being an Admin....

    For 99.997% (Manhattan Project, anyone?) of the cases, I'd agree wholeheartedly. The rest of them, like our Network Admin where I work, are under the thumb of some stupid BEEYOTCH of an IT Director who wants to continue to use the same passwords used by the old Network Administrator (who was shitcanned by her), and refuses to allow the new guy to set newer, more secure passwords. And believe me, it's not a matter of people just not getting along. For Pete's sake, she's even yelled at me for encrypting DSN strings and sticking them in the registry of the server, instead of plopping them in a text file like everyone else, open to the world. And she totally f*cking flipped (when she read the documentation I wrote about the procedure) upon hitting the section that described how every time the DSN was accessed, read, edited, or yelled at sternly the code modified and scrambled it with a new, different algorithm. She described it as "unsafe, and taking things to an extreme that was unnecessary". She also made some asinine comment about how we would never be able to recover the passwords if the code were ever lost, to which I recall thinking "Well first, that's job security for me, second, don't forget your goddamn passwords, and third, that's what sa access is for, you dumb bitch."

    Yep, this type of commentary coming from someone who not only has no business being an IT Director, but swears on a stack of bibles she can reverse engineer MD5 in her head (we have another application that uses MD5 to hash passwords, she simply recognizes the default password hash).

    I swear to God I'm not making this shit up. I wish the nasty bitch would stick to pushing pencils and leave the real work to those of us who know.

    1. Re:well...maybe...but by windlord · · Score: 1
      Aye. I agree wholeheartedly. My hands are totally tied at my workplace too. They totally freak out at the thought of using an open source (WHO WILL SUPPORT IT THEN??) operating system like openbsd for their webservers and they too refused to let me change the default administrator passwords when I took over.

      I am having recurrent nightmares about the previous network administrator coming in and starting to trash the place.

    2. Re:well...maybe...but by Anonymous Coward · · Score: 0

      You see, the thing is, she probably knows about more than computers. She might even be involved in other, revenue producing projects related to whatever product your company makes their money at.

      People like that are so arrogant, and they make it so hard on IT folk, with requirements that don't make sense to someone whose entire job revolves around keeping the server running. They also often make things difficult for the janitors, the assistant whose job it is to keep the cabinet with the paper by the copying machine stocked and other 'infrastructure' staff.

    3. Re:well...maybe...but by tetrode · · Score: 1

      And you still work there?

      Mark

    4. Re:well...maybe...but by Anonymous Coward · · Score: 0

      The problem here is that you have a woman for an IT director. It's a lot easier for women to get jobs on things other than merit.

    5. Re:well...maybe...but by fferreres · · Score: 1

      I am having recurrent nightmares about the previous network administrator coming in and starting to trash the place.

      I thought of this myself as well and drew these ideas: maybe they want to at least be able to blame the last admin ("HE KNEW OUR PASSWORDS!"), maybe they already expect the last admin to have put in backdoors? Maybe they just don't give a fuck about being cautious because they haven't YET suffered the consequences.

      --
      unfinished: (adj.)
  56. Why do people hire these admins? by Dunkalis · · Score: 4, Interesting

    It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.

    --
    Slashdot is a waste of time. I enjoy wasting time.
  57. How MS can "force" a person to choose a good pw? by mark-t · · Score: 3, Interesting
    I concur with the view that services that leave a system open should not be installed by the OS until it has a moderately secure password set up for access. It is even entirely feasible to do this with Windows:

    What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):

    "Warning, there are users for this system that have administrative privileges but have no password set. Before this service can be installed, please enter a password to use for administration purposes. This step exists to protect your computer from being accessed by unauthorized persons. A password should be at least 8 characters long, ideally should contain numbers as well as letters, and should not be a normal English word."

    The dialog presented here will have a [Cancel] button, which would cause the password setting subsystem to fail, and therefore the service would not be installed (with suitable diagnostic given such as "The service was not installed because no security password was set").

    Then, after entering the password, the password subsystem can do a rudimentary analysis of the password, checking its length, whether or not it contains letters/numbers, etc. If it fails to measure up to what is determined to be a weak password, it pops up another dialog:

    "Warning, the password you have selected is considered weak because (insert detailed explanation here). Are you sure you want to use this password? [Yes] [No]" (The default option being "No"). If they click No, then they go back to the password selection.

    After the user has selected a password:

    "Please memorize or write this password down and keep it in a safe place. It is highly recommended that you do not leave the password anywhere that it could be easily discovered by an unauthorized person. This password is now set for the following users: [list of users on the system with admin privileges and no prior password set]. The user(s) can change their password at any time after logging in from the Control Panel 'Users and Passwords' tool. [OK]"

    The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.

    Of course, then what would the Linux and BSD zealots have left to bitch about?

  58. All hail the ultimate logic by concatenation · · Score: 0, Insightful

    MS should be punished because some users pick weak passwords.

    --
    "5... 4... 3.. 1... OFFBLAST!"
  59. This IS microsoft's fault by chunkwhite86 · · Score: 1, Interesting

    Try changing your Linux user password from the command line (hint: type passwd)

    Pick something easy, like a dictionary word, or something really short.

    You'll see:
    [nimmerge@costanza nimmerge]$ passwd
    Changing password for user george.
    Changing password for george
    (current) UNIX password:
    New password:
    BAD PASSWORD: it is too short
    New password:
    BAD PASSWORD: it is based on a dictionary word
    New password:


    Now give me a valid reason why Microsoft can't require strong passwords by default?

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    1. Re:This IS microsoft's fault by The+Bungi · · Score: 1, Redundant
      Now give me a valid reason why Microsoft can't require strong passwords by default?

      Why should they? To save themselves from stupid users and even stupider administrators? If you run a network and you don't have those rules in place, whose fault is it? Microsoft's?

      But Unix is 1337 because by default it forces you to use a complicated password. All hail Unix!

    2. Re:This IS microsoft's fault by chunkwhite86 · · Score: 1

      To save themselves from stupid users and even stupider administrators?

      No... to save themselves from hordes of eager new MCSE's!

      If you run a network and you don't have those rules in place, whose fault is it? Microsoft's?

      No it really isn't MS's "fault", it's the foolish server admin's.

      But on the same note... When someone breaks into your apartment building, because the manager assigns all new tenants a default building access code of "1234" or "1111", whose fault is it? I would consider that to be a lack of judgement on the manager's part for not forcing new tenants to select their own unique code, and preventing people from selecting easily guessed codes.

      --
      I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    3. Re:This IS microsoft's fault by Anonymous Coward · · Score: 0

      Dear "The Bungi",

      I'm writing to you on behalf of the Slashdot editors. Due to your non-conformist thinking, as well as general lack of spelling errors, not to mention your sometimes pro-Microsoft, ahem, Micro$oft views, your Slashdot username will no longer be able to post and your IP is banned. If you would like to continue this discussion, too bad, you're banned.

      Have a nice day,
      slashdot@slashdot.org

    4. Re:This IS microsoft's fault by The+Bungi · · Score: 1
      But on the same note... When someone breaks into your apartment building, because the manager assigns all new tenants a default building access code of "1234" or "1111", whose fault is it? I would consider that to be a lack of judgement on the manager's part for not forcing new tenants to select their own unique code, and preventing people from selecting easily guessed codes.

      If the apartment complex was nice enough that I wanted to live there, I'd change the code myself.

      Logic's a bitch, eh? =)

    5. Re:This IS microsoft's fault by The+Bungi · · Score: 1

      Thanks?

    6. Re:This IS microsoft's fault by chunkwhite86 · · Score: 1

      If the apartment complex was nice enough that I wanted to live there, I'd change the code myself.

      You and I both would, but you know there's always some lazy and/or ignorant slob who would not. That's why we have laws - To protect people from themselves; Things that are obvious to one person may not be so obvious to another.

      And I certainly would not compare Microsoft Windows to an "apartment complex; nice enough that I wanted to live there". ;-)

      --
      I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  60. [empty] by revividus · · Score: 1
    is the default on all the win2k/xp boxes that I've installed. So, in that sense, the `default' password is on the list.

    Of course, no one in their right mind should leave a password blank.

    On the other hand, it reminds me of the story that rms used the null string as his password at MIT so that people who couldn't otherwise get an account could still learn to use the computers. No one was really (AFAIK) spreading malicious code, at that time, either. How times change....

  61. Re:Hypocrites - Give M$ a break by Anonymous Coward · · Score: 1, Insightful

    Of course unix has more bugs than MS, MS makes /begin list
    win95,98,win2k,winXp and .net /end of list

    unix is sco,irix,aix,redhat,debian,gentoo , solaris,sunOS, net/open/free bsd's , tru64,hp-unix , and probably many more ...

    don't say linux flavours are all 1 os, if then i'd say all microsoft os's are 1 os ->
    16bit viruses on 32 bit platforms, and currently developing 64 bit viruses on the latest hardware.

    i'm not counting the applications on them :)
    think Msoffice and IE+outlook express, it will outsum all the bugs.

    Microsoft is very good in its own way, they have an excellent gui and very easy to use system, *HOWEVER* that does not mean anything if you are compromised and have your financial accounts on the same disk you browse the web with :))

    I'd give Microsoft a big break, in fact I'd break it into a kazillion pieces :))

  62. disables network sharing. by Deathlizard · · Score: 3, Funny

    "disables network sharing."

    Thank you god. Now all it has to do is infect our network and all those open Sharedocs shares that WinXP automatically creates that are full of Nimda are history. Although the PC would most likely be history too.

    Either way nimda would be off the network :)

  63. Solution: Don't use weak passwords. by ChaosDiscord · · Score: 4, Interesting
    Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject.

    Good for those Linux boxes! You're using a weak password.

    First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.

    Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!

    Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.

    1. Re:Solution: Don't use weak passwords. by Anonymous Coward · · Score: 0

      Loloic6I821/26b4T.

  64. Users pick bad passwords, sigh by bigberk · · Score: 4, Informative

    It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.

    I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.

    In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm.

  65. Case In Point by cranos · · Score: 1

    Where I work the network has been split into two sections, IT and Engineering. The IT section is run, surprisingly enough, by trained IT personnel, the Engineering section by engineers who think they know how to run a network. Guess what the Admin password was on the Engineering servers - "".

    Now if there had been basic password checking enabled from the get go, at least they would have been forced to use a bloody password.

  66. Yeah, but... by jrwillis · · Score: 5, Funny

    Is that case sensitive?

    --
    Keep Austin Weird!
    1. Re:Yeah, but... by _xeno_ · · Score: 5, Funny

      Yeah, I just checked. 88888888 won't work.

      --
      You are in a maze of twisty little relative jumps, all alike.
  67. Re:12345? - Spaceballs Quote by Student_Tech · · Score: 1

    President Skroob: 12345? That's amazing, I have the same combination on my luggage. Prepare SpaceBall-1 for immediate departure and change the combination on my luggage.

  68. Does this make my XP box a hypocondriac? by DudemanX · · Score: 1

    File sharing on my XP box suddenly stopped working not too long ago. I fortunately have a firewall and decent enough admin passwords (not to mention nothing in startup) so I'd wager I'm not infected. Doesn't change the fact that any attempts I make to re-enable the workgroup fail miserably. This should teach me for using a legal copy of XP. Next week I go back to pirating 2000.
    --

  69. No cheating using Google! by rjamestaylor · · Score: 0, Offtopic

    No cheating using Google!

    --
    -- @rjamestaylor on Ello
  70. These may not be security professionals by jasonrocks · · Score: 1

    despite what you may think, these people likely aren't security professionals. They are probably your regular users, or grandmas that don't even know they have file sharing enabled.

    --

    void
  71. One of those is a default password by yerricde · · Score: 1

    If you had read the article (jk) then you would know that the worm attacks those with simple passwords like [empty]

    And what's the password for a new account on Windows XP Home Edition created by the most obvious method, using all default settings?

    Answer: [empty]


    My computer's password is not performa6230.
    --
    Will I retire or break 10K?
    1. Re:One of those is a default password by benwb · · Score: 1

      You can't access an xp machine from the network using an account with a blank password.

  72. It's a nice idea, but .... by Hanji · · Score: 2, Insightful

    Such a system would just really piss off the average user, who would just OK his way through it anyways and keep his password set to his dog's name, with it posted on a post-it note on his monitor, just in case he forgets.

    --
    A Minesweeper clone that doesn't suck
    1. Re:It's a nice idea, but .... by jarran · · Score: 1
      So? A password on a post-it on a monitor is still far more secure than no password. Luckily remote worms and script kiddies have no way of reading that post-it.

      I'm not saying that having your password on your computer is a good idea, but it's a much better idea than having no password.

    2. Re:It's a nice idea, but .... by antistuff · · Score: 1

      your sig makes me want to write a perl virus.

  73. if your password is "password"... by Anonymous Coward · · Score: 0

    you deserve to have your system fucked up royally.

  74. BIOMETRICS FAIL IT by yerricde · · Score: 1

    Perhaps the best solution would be biometrics?

    Bruce Schneier warns that biometrics cannot be revoked. If somebody pirates your thumbprint, you can't be issued a new one ;-)

    --
    Will I retire or break 10K?
  75. Re:A Security Hole... by Anonymous Coward · · Score: 0

    A slashdot reader that didn't read the article or even the article summary?!? I'm shocked

    Weak passwords aren't a Microsoft security hole. Encouraging stronger passwords would be a good feature, but it does not make a security hole. Crawl out of your parent's basement, take a bath, and get a fucking life.

  76. Blank user passwords by yerricde · · Score: 2, Informative

    It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything.

    It does take advantage of the fact that Windows allows a blank user password as a valid means of authentication. In fact, it does take advantage of "an unchecked buffer" of sorts, as the "set password" phase of the new account wizard apparently fails to check whether or not there's anything in the buffer holding the new user's password!

    --
    Will I retire or break 10K?
  77. The "Guests" group of NT by yerricde · · Score: 1

    a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password.

    The guest account in NT is a feature, analogous to "anonymous FTP". You just have to make sure that group "Guests" is denied write privileges outside of the temp folder and denied read privileges of any sensitive information.

    --
    Will I retire or break 10K?
  78. Re:Clue by four by Tony-A · · Score: 1

    World domination. Samba is perceived as definitive and Microsoft as the cheap rip-off. Natural mistake.

  79. Home computers are the problem by yerricde · · Score: 1

    It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job.

    Problem is that the "admins" in this case are those who administer their own home computers. I see no reason why sub-$10/hr employees of Wal*Mart or Wendy's would have any appreciable connection between administering their home computers and their standing with their employers.

    No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.

    Then how does anybody prevent idiots from connecting their home machines to the Internet?

    --
    Will I retire or break 10K?
  80. Ahem... by Anonymous Coward · · Score: 0

    eXXPee 15 t3h sux045!

    That is all.

    Oh, and besides that, I hope Longhorn is as good as they claim, minus removing control of consumer's hardware with DRM bullshite.

  81. Re:How MS can "force" a person to choose a good pw by pi_rules · · Score: 1

    Of course, then what would the Linux and BSD zealots have left to bitch about?

    We'd probably complain that what you're talking about being an OS-level software program is really not a part of the actual OS. That's what struck me really. The service may very well be considered a pre-packed part of the whole system, but it's not really part of the OS itself.

    Take NFS for instance. I could very well remove every bit of code from my Linux box dealing with NFS if I want to. Not just shut down the service mind you, but take it -ALL- out so that I -NEVER- accidentally turn the thing on. Can you do that with MS filesharing? Nope, probably not. If you can, I sure don't know how... but I'm no Windows expert either.

    It's a small gripe, but the very notion that you call it an "OS" feature irks me. It's a "service" feature, but one that happens to be bundled along with the OS.

    I guess we "Linux and BSD zealots" are just more uptight about the OS vs application layer. We've got clearly defined boundaries in our minds, mostly because our software has always done a good job of forcing that distinction between OS and application.

    It's nitpicking, and I admit that...

  82. I'm curious. by La+Temperanza · · Score: 2, Interesting

    A little OT, but do any *NIXes have Kerberos as your default auth service after a fresh install?

    --

    --
    est modus in rebus
    1. Re:I'm curious. by Anonymous Coward · · Score: 0

      Umm.. Redhat and OpenBSD. Not exactly "default" but rather easily enabled. Astaro linux supports even ldap user authentication out of the box.

  83. Offensive absurd passwords by xybe · · Score: 1

    I remember reading that a good way of making complex and easy to remember passwords was to think of surreal or absurd politically incorrect obscenities; think about martian unicorn genitalia, for example. Since supposedly no one will ever see your password you can use highly offensive words the like of which you would not say in your day to day life, so I am not advocating hate speech. Add to this some weirdness and you end up with a password that is both complex and very easy to remember. Here is an example: _religious-slur_number-of-people_sexual-act_impossible place.

    1. Re:Offensive absurd passwords by Anonymous Coward · · Score: 0


      Which is cool, until somebody says 'what's your password'? (usually an admin type trying to fix your fucked up login)

      I've had to say 'erm. reset it and tell me later' more than once..

  84. for once??? give me a break. by eyeareque · · Score: 1

    give me a break. linux 'passwd' will warn if a password is too short or weak.. and if you are smart you don't allow root to ssh or telnet into your box directly.. so it wouldn't be possible to run an app with root priv anyway.

    Windows wasn't meant to be secure.. it was meant to be easy.

    1. Re:for once??? give me a break. by Anonymous Coward · · Score: 0

      FYI Windows Server 2003 does just the same kind of warning about weak passwords. :)

      But I bet Linux still doesn't do AA TTFs easily.

  85. dammit by Smev · · Score: 2, Informative

    I guess after the 2 years I've been using the same exploit I'll have to learn something new :(

    With windows 2000 the administrator password is actually left blank by default if you select the auto login (all users use same login) option on the windows 2000 install. That's what makes this exploit so widespread. It's nothing new, Rit.edu had the exact attack almost a year ago.

    --
    Smev
  86. Not backdoor. by TheLink · · Score: 1

    Nonono, that's for the free outsourced system administration service.

    --
  87. Passwords? by 87C751 · · Score: 1

    It tries passwords? What, the lanman trick doesn't work anymore?

    --
    Mail? Put "slashdot" in the subject to pass the spam filters.
    1. Re:Passwords? by Anonymous Coward · · Score: 0

      You have to already have the SAM file to attack the lanman hash.

  88. Re:MOD PARENT REDUNDANT by Anonymous Coward · · Score: 0

    I thought that too, but the parent post was actually made first. Nice try, though. We're looking for a new Sheriff around here. Are you interested? How does Sheriff Anonymous Coward sound? You could read all the comments on slashdot looking for redundant posts. Whenever you find one, just reply to the redundant post, and I'll send in a posse. This job doesn't pay anything, and you'll be considered an idiot, and you will likely die from boredom, and you will probably lose your sexual organs from atrophy, but it's all worth it in the end when you die.

  89. Spaceballs Quote by eric2hill · · Score: 0, Redundant

    "1-2-3-4-5"

    "1-2-3-4-5!? That's the stupidest combination I ever heard in my life, thats the kind of combination and idiot would have on their luggage!"

    "1-2-3-4-5? That's the same combination that's on my luggage."

    --
    LOAD "SIG",8,1
    LOADING...
    READY.
    RUN
  90. Re:How MS can "force" a person to choose a good pw by antiher0 · · Score: 1

    Actually... the fault *is* the user's. You can turn on password strength enforcement via a local security policy. Crank up "Local Security Settings" under the administrative tools. Then go to Local Security Policies|Password Policy, then enable "Passwords must meet complexity requirements". It'd also be worth cranking up the minimum password length, enabling "Enforce password history", and lowering the Maximum Password Age. The reason it's off by default is because Joe User doesn't understand password complexity requirements.
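
    Added example (my code, not from the comment above or from Microsoft): the same changes the comment walks through in the Local Security Settings GUI, applied with secedit.exe from an elevated PowerShell prompt so they can be scripted and audited. The key names are the ones secedit writes under [System Access] when it exports a template; the particular values (12 characters, 24 remembered passwords, 90-day maximum age) are assumptions chosen for illustration, not settings the page recommends.

```powershell
# Added example: set the local password policy with secedit instead of the GUI.
# Run from an elevated PowerShell. Values below are illustrative assumptions.

$cfg = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'

# 1. Export the current local policy to an INI-style security template.
secedit.exe /export /cfg $cfg /quiet | Out-Null

# The GUI setting each key corresponds to is given in the comment.
$desired = @{
    PasswordComplexity    = 1    # "Passwords must meet complexity requirements"
    MinimumPasswordLength = 12   # "Minimum password length"
    PasswordHistorySize   = 24   # "Enforce password history"
    MaximumPasswordAge    = 90   # "Maximum password age" (days)
}

# 2. Rewrite only the lines we care about; every other line is kept verbatim.
$lines = Get-Content -Path $cfg
$out = foreach ($line in $lines) {
    $m = [regex]::Match($line, '^\s*(\w+)\s*=\s*(.*)$')
    if ($m.Success -and $desired.ContainsKey($m.Groups[1].Value)) {
        '{0} = {1}' -f $m.Groups[1].Value, $desired[$m.Groups[1].Value]
    } else {
        $line
    }
}
# secedit templates are Unicode; write it back the same way.
Set-Content -Path $cfg -Value $out -Encoding Unicode

# 3. Apply the template. /areas SECURITYPOLICY restricts the import to the
#    account and password policy, leaving the rest of the template untouched.
secedit.exe /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null

# 4. Verify. `net accounts` prints length, history and age; the complexity
#    flag is not shown there, so re-export and read it from the template.
net.exe accounts
secedit.exe /export /cfg $cfg /quiet | Out-Null
Select-String -Path $cfg -Pattern 'PasswordComplexity|MinimumPasswordLength|PasswordHistorySize|MaximumPasswordAge'
```

    Two caveats a practitioner would want: on a domain-joined machine the domain's password policy overrides whatever the local template says, which is why the script ends by reading the effective result back rather than trusting the import; and the policy is evaluated only when a password is set or changed, so an account that already has a blank or weak password keeps it until the user is made to change it (the maximum-age setting is what eventually forces that).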

  91. Problem with my own machine. Mozilla into my HD! by BlackListedCard · · Score: 2, Funny

    Shit... Tried in Mozilla the "file://IPofanattacker/ Guess what... My own hard drive directory structure is sitting in front of me. I'm running linux and everything is fuck'n rock solid tight. All IP ports turned off. Can anyone else duplicate this. Just enter any IP address into file://(right here). Mozilla defaults to the hard drive of the actual machine it's running on????!!!! Something which I do not like....

  92. who's on first? by djupedal · · Score: 5, Funny

    "What's your password?" "It's random." "Great, glad you use a smart strategy, now tell me what it is, please." "I told you, it's 'random'" "How can it be random...you have to decide it when you rotate, and of course it's picked at random...so, anyhow, tell me what it is right now... " " it's random....I just told you!!!"

    1. Re:who's on first? by JWSmythe · · Score: 4, Interesting

      Our users hate it when *I* assign their passwords. They're given exactly one chance to pick a strong password (when they sign up). If someone guesses their password and it gets out to a password site or whatever, my script assigns their new password.

      chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
      Zero = uppercase o
      One = lowercase L
      One = uppercase i

      I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files. :)

      I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day.. :)

      -----
      #!/usr/bin/perl
      use strict;
      use warnings;

      # Define our character set here, leaving out difficult (similar) characters
      # such as 0/O and 1/l/I. The list file holds one character per line.
      # Note: rand() is not a cryptographic RNG; for real use read /dev/urandom.
      open(my $list, '<', '/usr/users/security/chars.list')
          or die "Cannot open chars.list: $!";
      chomp(my @chars = <$list>);
      close($list);

      # Pick 8 entries at random (with replacement) and join them.
      my $password = join("", @chars[ map { int rand @chars } (1 .. 8) ]);

      # Drop anything that isn't a letter or digit (e.g. stray whitespace).
      $password =~ y/0-9A-Za-z//cd;
      print "$password\n";
      -----

      Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed. :)

      BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.

      --
      Serious? Seriousness is well above my pay grade.
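
      Added example (my code, not from JWSmythe's post or from Microsoft): the post above weighs its 54^8 search space against a list of a hundred or so common guesses, and post 90 tells you to switch on "Passwords must meet complexity requirements" without saying what that rule is. This PowerShell re-implements the rule as Microsoft documents it for the built-in Windows password filter (at least six characters, must not contain the account name or any display-name token longer than two characters, and characters from at least three of five categories), adds a check against a constructed handful of worm-style guesses, and runs both over passwords mentioned in this thread. The function names, the sample account 'bob' and the guess list are mine.

```powershell
# Added example: the Windows "complexity requirements" rule, re-implemented
# so a candidate password can be tested before the filter rejects it.

function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName = ''
    )
    $reasons = New-Object 'System.Collections.Generic.List[string]'

    # Rule 1: at least six characters (the policy's own minimum length is separate).
    if ($Password.Length -lt 6) { $reasons.Add('shorter than 6 characters') }

    # Rule 2: must not contain the account name (when it is 3+ characters) ...
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains the account name')
    }
    # ... nor any display-name token longer than two characters. The filter
    # splits the display name on comma, period, dash, underscore, space, # and tab.
    foreach ($tok in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($tok.Length -gt 2 -and
            $Password.IndexOf($tok, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains display-name token '$tok'")
        }
    }

    # Rule 3: characters from at least three of five categories. -cmatch keeps
    # the match case-sensitive so \p{Lu} and \p{Ll} mean what they say.
    $categories = @(
        ($Password -cmatch '\p{Lu}'),                 # uppercase letters
        ($Password -cmatch '\p{Ll}'),                 # lowercase letters
        ($Password -cmatch '\p{Nd}'),                 # decimal digits
        ($Password -cmatch '[^\p{L}\p{Nd}]'),         # non-alphanumeric (punctuation, symbols, space)
        ($Password -cmatch '[\p{L}-[\p{Lu}\p{Ll}]]')  # letters with no case (e.g. CJK)
    )
    $count = @($categories | Where-Object { $_ }).Count
    if ($count -lt 3) { $reasons.Add("only $count of 5 character categories") }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed handful of the guesses worms of this kind try; a real filter
# would load a full list rather than this sample.
$wormGuesses = @('', 'admin', 'password', '12345', 'abc123', 'secret', 'test123')

function Test-NotInWormList {
    param([string] $Password)
    return -not ($wormGuesses -contains $Password)
}

# Search space for a Length-character password over an AlphabetSize-symbol
# alphabet, to set the generator's 54^8 beside a guess list of ~100 entries.
function Get-SearchSpace {
    param([int] $AlphabetSize, [int] $Length)
    return [math]::Pow($AlphabetSize, $Length)
}

# Demonstration on passwords mentioned in this thread, for an assumed user 'bob'.
foreach ($p in 'password', 'daisy1', 'daisy2', '12345', 'Loloic6I821/26b4T.') {
    $r = Test-PasswordComplexity -Password $p -SamAccountName 'bob' -DisplayName 'Bob Smith'
    '{0,-20} complexity={1,-5} notInWormList={2,-5} {3}' -f $p, $r.Passes, (Test-NotInWormList $p), $r.Reasons
}
'8 symbols from a 54-symbol alphabet: {0:N0} combinations' -f (Get-SearchSpace 54 8)
```

      Of the five test passwords only the generated-looking one passes the complexity rule: "password" has a single character category, "daisy1"/"daisy2" have two, and "12345" fails both on length and on categories. That is also why the daisy2 trick later in this thread gets past a complexity check but not a history check: the rule looks at the shape of one password, never at how it relates to the previous one.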
    2. Re:who's on first? by djupedal · · Score: 1

      "Can you tell me what my new pwd is, please?" "...no..." "Look jerk, I mean mr admin, sir, I need to know what my new password is, so are you going to tell me or not? "...no..."

      Where's BOFH when you need him

    3. Re:who's on first? by JWSmythe · · Score: 4, Funny

      BOFH: Hold on one second sir.. [click][click][click]. What was your username again?

      lUSER: BOB! MY USERNAME IS BOB! WHAT'S MY PASSWORD.

      BOFH: "no", Bob.. But I'm looking further into this, and it seems you may have a problem.

      lUSER: Ya? What kind of problem? Everything was fine til you changed my password.

      BOFH: Did you have any files in your directory?

      lUSER: I just finished the annual fiscal reports!.

      BOFH: [click][click][click].. Hmmmm, I don't see anything here.

      lUSER: WHAT!!!!!!!!

      BOFH: Hold on, lets look at the backups...

      lUSER: Thank god..

      BOFH: PFY, you made backups right?

      PFY: they're right here in the tape degausser.

      BOFH: Bob, I'm sorry, it seems there was a terrible accident with the backups..

      [degausser mysteriously turns on]

      lUSER: What about my Email, is it safe?

      [lightbulb appears over BOFH's head]

      BOFH: Let's have a look, shall we? [click][click][click] So, you've been writing to the boss's wife an awful lot.. Hmmm

      lUSER: Ya, we're old friends.

      BOFH: Are these nudes of her? Close friends, aren't you?

      lUSER: BUT! No! Don't look at those!

      PFY (whispers to BOFH): what if......

      [click][click][click][click] No problem, I've removed all those nasty pictures from your box.

      BOFH hangs up the phone, unplugs it from the wall, and gracefully sets it on top of the bookshelf where it won't be in the way.

      "Where did you send the pics?", PFY asks...

      "From: Mr. Luser
      To: Bosses Wife
      Bcc: to the boss, the boss's mother-in-law, luser's wife, and of course a copy in our files.", BOFH cites.

      "Have we arranged for our monthly raises yet? I think it's about time. Lets check accountings database, and see how much Mr. Luser was earning us."

      ----

      I'd love to be a BOFH writer.. But until then, I live the part in real life. :) Sometimes they're just too quick. A simple electrocution? or Halon accident just aren't as much fun as they *COULD* be having.

      Just imagine the fun a BOFH could have with say an ex-girlfriend's new boyfriend, an ounce of cocaine (mixed in with 5 pounds of filler), superglue, epoxy, and a few "anonymous" phone calls to his boss, neighbors, and the police, all while being the nicest guy in the world to him too..

      I've just never had a good outlet for my stories.. :) Nothing feels better than a well orchestrated revenge.

      --
      Serious? Seriousness is well above my pay grade.
    4. Re:who's on first? by djupedal · · Score: 1

      They never learn...

    5. Re:who's on first? by Nogami_Saeko · · Score: 2, Informative

      Every once in a while I get someone (boss-type people) who wants to know what my password is so they can get onto one of the machines I administer (presumably to screw it up for me).

      I just tell them that my password is the same as my ATM number (it's not of course), so I can't give it to them.

      Works pretty well.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    6. Re:who's on first? by JWSmythe · · Score: 2, Funny

      I tell them I use the same one for everything. My suitcase, my ATM pin, and my private vault at home. It's easy. 1234 . Just don't give it out to anyone. :)

      Now, if they were smart, they'd know I have a cheap suitcase, 'cause they don't pay me enough to have good luggage to go anywhere with. I've been using the same olive drab duffle bag for the past 12 years, and it doesn't have a lock. As for the vault at home, all I have to hide in it is my clean socks, and right now I only have one pair of those. :)

      --
      Serious? Seriousness is well above my pay grade.
    7. Re:who's on first? by Scumbag+Tracker · · Score: 5, Funny

      To avoid being hacked, I set my password to "pi". Only problem is, now it takes me forever to log on in the morning. :-/

      --
      I track known Slashdot scumbags on my foes list!
    8. Re:who's on first? by Anonymous Coward · · Score: 1, Interesting

      I once told a room full of college students that the password for one of my accounts (not one that was very important) was secret and it was in German. Not one of them had the brains to look up the German word for secret and try it. Talk about hiding something in plain sight.

    9. Re:who's on first? by Anonymous Coward · · Score: 0

      Don't quit your day job just yet, chuckles.

    10. Re:who's on first? by Fembot · · Score: 1

      hehe

      the password "myname" has a very similar and amusing effect... you can waste hours of a friend's time by saying "I set your BIOS boot password to my name whilst we were drunk last night, and I'm not saying any more" ... I'm sad

    11. Re:who's on first? by KshGoddess · · Score: 2, Funny

      Reminds me of one user I had (actually an entire group), at a place where users created their own root password for their desktop.

      Me: What's your root password?
      User: what.
      Me: The password for the root user, the superuser.
      User: what.
      Me: Look, I can't get into your desktop to fix [problem] without the root password.
      User: No, no, it's w-h-a-t.

      My favorite was the applications person, who after being lectured for having a crackable password (daisy1) showed up the next time around with... daisy2. *grr* This was someone who had full control to a rather important application's internals. Sigh.

      --
      It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
    12. Re:who's on first? by neafevoc · · Score: 1

      I thought about the same thing. But I also came to realize "pi" took forever, too.

      So, instead, I tried "e". Still takes forever.

    13. Re:who's on first? by haroldK · · Score: 1

      If you think pi and e take forever, try i. I still haven't been able to complete an install because it keeps hanging at the password selection.

    14. Re:who's on first? by mario · · Score: 1

      nice :)

      something *very* similar happened a few days ago, someone asking our sysop about a windows password for a standalone box (nothing where a useful password would be necessary) and they had the following talk:

      what's the password?

      it's secret.

      hey. no. you can tell me. I've got to use this computer for a presentation.

      yes, I know. it's secret.

      well, okay. you had your fun, now could you tell me the password, please?

      I did tell you: secret.

      oh, eh, yes.

  93. Technical Reasons: by Tokerat · · Score: 3, Insightful


    Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 every day. Shielding didn't used to be so good, you know.

    Everything IS Microsoft's fault. Duh. ;-)

    --
    CAn'T CompreHend SARcaSm?
  94. Weak XP by Brat+Food · · Score: 4, Interesting

    There's something that IS Microsoft's fault that will let this worm wreak havoc. When you install WinXP Home, and I believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed easily (I've seen too many boxes w/o one to think it's just a random thing).

    That's right. Usually all it takes to break in to a WinXP box is to hit ctrl+alt+del x 2 and you're back to the normal WinNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often that's not enough, you're in.

    Add to that that all accounts made are Administrator by default, and DON'T need passwords.

    What REALLY hurts windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CAN'T change it on a per user basis.

    Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a WinXP box in non-admin mode is almost worthless, because SO many programs require admin access, rendering it a pain in the ass.

    While in the article the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will, among other things, make sure your system is tight and passworded.

    They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.

    To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.

    The windows box will have every spyware app on it, stuff deleted, etc, etc.

    OH, Xupiter just installed itself again, i have to go...

    --

    "Stuff... In my home!? NEVER!" - Zim on Invader Zim
    "I want the toilet seat!" - Little Dog on Two Stupid Dogs
    1. Re:Weak XP by gamorck · · Score: 2, Interesting

      Really? I guess you weren't aware of the fact that XP will by default not allow the machine to be accessed through netbios remotely using an account which sports a blank password.

      But then again your entire argument is constructed on pure and utter ignorance of the basic facts so I guess I shouldn't have expected anything otherwise... though a retraction on your part would be nice.

      J

      P.S. If a sys admin can't lock down his box without being provided a "I'm not a dumb user" checkbox - doesn't it seem like the problem may not in fact have anything to do with Microsoft at all?

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
    2. Re:Weak XP by stereoroid · · Score: 1
      Nope - neither version of XP leaves blank passwords by default. They prompt you to create one. IIRC, if you try to leave it blank, it pops up a security warning. I mean, Microsoft may be a monolithic global corp, but their individual programmers are not that ignorant of security, surely?

      Here's a MS KB article about lost password handling in XP. Not ideal, but it's a start. Maybe by Windows 2112 (aka "Syrinx"), they'll find the right balance between security and usability. Linking to Microsoft? Mod that sucker down, (-42, Evil Empire Slave)

      --
      (this is not a .sig)
    3. Re:Weak XP by janda · · Score: 1

      I bought a new laptop last weekend (03/09/2003) with Windows XP Home installed on it. When I turned it on, it gave me a screen with "who will be using this computer"?

      I put in my name, hit "enter", and it booted up.

      It's never asked me for a password for anything.

      Maybe this is just something that Toshiba is doing, but they are doing it.

      --
      Karma: Food Fight (Mostly affected by Date Plate).
    4. Re:Weak XP by Anonymous Coward · · Score: 0

      That's because Home edition is for weak users like yourself. No Remote desktop, no classic sharing authentication...it sucks.

    5. Re:Weak XP by Brat+Food · · Score: 1

      Ive bought systems at auctions, and they have NO password on the Administrator account. I fix computers for home users, and somehow, they have NO password on the Administrator account. The point i was trying to make is, "how can this happen"?

      And, it still does not dilute the point that any password you might put in, by default, has 0 checks to see if it's secure. It still does not change the fact that things like xupiter, bonzai buddy, and gator are out there, and the average user is completely clueless of what's on his/her machine.

      Any sysadmin worth his salt of COURSE tries for secure systems, but not all systems are managed by such people. The last computer I fixed had ~20 explorer windows open automatically shortly after bootup - while extraordinary, not too much worse than most home users' boxes. And yes, NO administrator password.

      I have not really cared enough to track down how these computers manage to not have an Admin password, as I usually end up reinstalling. (I know ad aware exists, and I use it, but at this point it's easier to reinstall). I stick on mozilla, and get the user used to using it (this is ALWAYS difficult), but I explain that if you use this, I won't have to come around again.

      --

      "Stuff... In my home!? NEVER!" - Zim on Invader Zim
      "I want the toilet seat!" - Little Dog on Two Stupid Dogs
    6. Re:Weak XP by 3.1415926535 · · Score: 1

      He was talking about console logins. Try actually reading the post before claiming that it's false next time.

      Idiot.

  95. I dunno about "valid" reasons... by Mike+A. · · Score: 1
    but I think I can tell you the reason Microsoft doesn't require strong passwords.


    Find any of your friends who works as a network admin for a sizable company that has a strong-password policy, and ask how many times a week they have to reset people's passwords because they forgot them. Divide by the number of people at said company. Now multiply by the hundreds of millions of Windows users.


    That's how many calls a week Microsoft would get from home users who'd forgot their passwords. Now add the fact that Microsoft can't reset all those passwords (or even worse, imagine if they could!)...


    No, Microsoft isn't going to require strong passwords anytime soon.

    --

    --
    Do I look like I speak for my employer?
  96. Try a recent distro? by freeweed · · Score: 2, Interesting

    I don't know about you, but an out-of-the-box RedHat 8 is pretty damn secure, assuming you don't install any services with it. Select 'high security' in the installer, and boom! Instant firewall.

    Comes with more software than I've currently got loaded on my Windows machine, period. Office suite(s), games, usenet, web, mail, irc, packet sniffer, firewall, cd-burning,... I could go on, but at 4.6 gigs it's kinda scary :) Took me about 10 minutes worth of clicking on little boxes, nothing beyond the automatic partitioning that even remotely resembled thought. Bless rpms.

    Anyway, your point again was?

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  97. Re:How MS can "force" a person to choose a good pw by Sycraft-fu · · Score: 1

    Because it will piss people off, that's why. Let the users and admins decide on their own password policies. For example, I have some systems that are not on a network, so they have no admin password. No danger, you can't hack what you can't get at (they are in a secure area too).

    Also, what is good security is a differing opinion. For example, many people think that frequent password changes are the best way. I disagree, I use really hellishly hard passwords instead (I still change them, just not all that often). Then again, I have a memory that allows me to do that.

    It isn't something the OS should try and mandate, all it will do is piss people off. If the admin wants to change the policy, Windows has the tools to enforce almost any password policy they like.

  98. Re:Ack! It's the Rapture! by Enigma2175 · · Score: 4, Funny

    This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

    Along with that, this post observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.

    It's very clear to me now, obviously the /. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in their underground sugar caves.

    --

    Enigma

  99. Agree by leonbrooks · · Score: 1
    The fact that your aunt has breast cancer is Microsoft's fault.

    Absolutely! She should have deleted the password to her breasts completely and replaced it with a DSA key.

    In this case, Microsoft by default allow you to choose pathetic passwords (including no password), so they're a contributor. Mind you, that decision was probably taken back in LanMan days when the most excellent of passwords still did you no good.

    At a customer site where stricter password checking is enforced on the Windows boxen, the users pick random filenames from their main public share to use. <thwack>

    --
    Got time? Spend some of it coding or testing
  100. Many by leonbrooks · · Score: 1
    Name me one operating system that is reasonably safe with its default install and configuration settings.

    VMS (from which NT/2k/XP descends, I think literally descends as in stoops lower than). VMS has security clearances that Windows can only fantasise about, with special creams. Which really does make the security issues Microsoft's fault, doesn't it?

    Mandrake Linux also does pretty well, at least as far as remote access is concerned. Services only listen on 127.0.0.1 by default and so on. (-: Install it in `paranoid' mode if you really like having to think up imaginative passwords and enable each service at three different levels before the world can see any of them. :-)

    --
    Got time? Spend some of it coding or testing
    1. Re:Many by swv3752 · · Score: 1

      And if you do not go through the proper scripts, any quick hacks you make will be reset in a couple of hours. :)

      --
      Just a Tuna in the Sea of Life
  101. No no no no! by xmda · · Score: 1
    for once a security problem that isn't really Microsoft's fault.

    No no no no! You don't understand. See, this is Slashdot, and we are always against Microsoft; it is always their fault when something goes wrong, ok?

    So there you have it: rule No 1 when posting stories on Slashdot. Welcome!

  102. Would be if... by leonbrooks · · Score: 1

    ...many Windows versions and apps didn't install stuff like shares with empty passwords.

    --
    Got time? Spend some of it coding or testing
    1. Re:Would be if... by Orig · · Score: 1

      Which windows version would that be?
      NT/2k/XP installs administrative shares that are only accessible if you are a member of the Administrators group. If you have a blank administrator password that is still your fault. XP also turns off the default administrative shares if the administrator password is blank. 95/98/ME does not install any default shares, not sure about 3.11.
      I am not aware of any Microsoft (desktop) applications that install "stuff like shares with empty passwords".

  103. If this were RISKS-Digest... by billstewart · · Score: 2, Insightful

    If this were RISKS-Digest, somebody would comment that blaming the users might be fun, but building a system that encourages users to do obviously dumb things (or permits them) is usually a Bad Idea. (Somebody else would comment that that's not always true, because enforcing some kinds of standards without thinking about the side effects, such as Yellow Sticky Notes, is often a Bad Idea too.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  104. Slashdot Password Stupidity by mib · · Score: 3, Insightful

    I see we have the expected collection of replies from people who think they're experts on passwords because they've turned on all the security settings on their debian box and ran a cracker over a shadow file. *sigh*

    Here's the straight dope: passwords suck. No, seriously, I mean they really really suck. A password is either insecure because it's too "simple", or it's too hard to remember for anyone but us nerds who breezed high school without having to learn anything due to amazing powers of recall. Hard passwords are nearly always written down somewhere (how many of you carry passwords, or obfuscated passwords, in your wallet/purse, eh?). You can enforce really "hard" passwords, but all you'll do is make your users hate you. And watch you don't actually end up reducing the search space!

    But hell, it doesn't matter anyway, because a complete brute-force search of the 8-character ascii domain is feasible, and is only going to get easier. (Longer passwords? Great, until you find a system you need to support that truncs at 8 -- suddenly you've got an even less secure password because the randomness in the first 8 chars wasn't an issue. Or you have to let people use phrases, and English's entropy isn't that high. What, you mean you don't manage domains of hosts with common auth? Sit back down then.)

    The good news is, this doesn't mean shit. What are you trying to protect? Most people don't need uber-secure passwords. Who'd want to hack into my mother's webmail account? The effort involved wouldn't be worth any payoff.

    But:

    • If you're letting users grab huge lists of your encrypted passwords, you're fucked.
    • If you're letting unknown parties have enough auth attempts to brute force even a non-obvious dictionary word, you're fucked.
    • If you have something to secure that's worth somebody spending a lot of time and effort to break into and your only security is username and password, you are completely, utterly, and royally, fucked, and I hope I never have anything to do with systems you write.

    - mib

    p.s. Useradd/passwd is not account management.

    1. Re:Slashdot Password Stupidity by diablobynight · · Score: 1

      Ummmm what would you suggest other than just a username and password. If they need to access the data remotely we can't expect them to carry a voice print identifier with them can we? A lot of internal networks are password protected and protected by the complete inability to access them from outside the network. But really no security matters when someone can talk themselves into your company and into your server room. "Here to check the fire extinguishers, do you have one in this room here?"

      --
      Anonymous Cowards - Oh God, How I hate you
    2. Re:Slashdot Password Stupidity by mib · · Score: 1
      diablobynight:
      A lot of internal networks are password protected and protected by the complete inability to access them from outside the network.

      That's a perfect example of something to use in conjunction with passwords: firewalls/IP restrictions. There's lots of other security "tech" too, depending on the level of protection you need. I'm not saying you shouldn't have passwords -- of course you should -- just don't think they're the end of the story, no matter how "hard" you try to make them.

      If your data really is worth a lot of effort to steal (or your access), you should think about whether the convenience of remote access is worth it. There's certainly no remote access to our payroll database system, for example.

      Anyway, can someone talk their way into your machine room? If so, you've got a problem. How many people have access to it anyway? A lot more than actually need it if that's the case, I'd wager. Go see your boss and start with a "all visitors in the machine room must be accompanied by a sysadmin/operator at all times" policy. Revise as appropriate.

      Is all this a pain in the ass? Yes. Security is, that's why most people do their best to ignore it and most things are designed without it in mind. Turning on cracklib for passwords is the answer if the question is "how do I get warm fuzzy feeling about security so I can get back to reading slashdot?"

      - mib

      p.s. Is there a limit for when you're likely to be modded up? I imagine after 24hrs nobody is reading without at least a +2 filter. Then again, I shouldn't underestimate our ability not to have lives. :)

    3. Re:Slashdot Password Stupidity by Christ-on-a-bike · · Score: 1
      You've got a point, but it's been pushed a little far.
      "you have to let people use phrases, and English's entropy isn't that high"
      This is ridiculous. There are zillions of meaningful phrases of a few words.

      What popular four-word phrase has the following sha1sum? 006d267706a93df87eef940402bf5a05f4746132

  105. Biometrics are usually a bad idea & implementa by billstewart · · Score: 1
    Biometrics are usually a bad idea, and tend to be a solution out hunting for a problem. Sometimes it might make sense given the threat models that some people have, but usually it's not, and it introduces other threats. Biometric apps are often not portable (usually for security reasons, they can't go sharing fingerprint data between multiple devices), so you'll have to give your fingerprint to every machine you want to log in to. Are you sure you can trust everyone who wants your fingerprint?

    They're usually badly implemented, and almost *always* implemented in closed systems with closed-source code and opaque programmer interfaces. The special hardware that they use does keep getting cheaper, but most of it doesn't provide enough documentation to know what its real weaknesses are. Do you know what it's doing with your fingerprint data, or how well that's protected? That's not only an issue of your _personal_ security, it's also a risk that somebody who can hack one device with your fingerprints can hack all the others. And fingerprints are something you've at least got 10 of -- Don't look into laser beam with remaining eyeball...

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  106. Luckily the world is safe... by ardu · · Score: 5, Funny

    since the worm doesn't try the most common password: ******

  107. Do you have the password? by Ashtead · · Score: 1
    The password being "no" is actually one of the big subplots in Umberto Eco's "Foucault's Pendulum".

    In two early chapters of that book, one of the protagonists is trying to crack the password of his vanished colleague's computer. The machine persists in asking: "Do you have the password?" and lots of permutations and magical incantations are tried.

    --
    SIGBUS @ NO-07.308
  108. And your website is....? by Zone-MR · · Score: 1

    if the hackers need any help, here are the most common passwords for my website...

    Alright, but what's your website address? ;)

  109. Tell my wife..... by hughk · · Score: 1
    We have a mixed setup at home, Win2K, Win 98 and about four Linux boxen. The Mrs complains when she has to change her password and because she likes to keep the same password on all the systems, she complains about Linux's "Weak Password". I just tell her that password expiries and password security tests are difficult to disable and bluff it out.

    She doesn't realise that if our firewall doesn't work, there is nothing between us and the internet except those passwords. I'm lucky that making a password strong enough to pass Linux means that her password is ok for Win.

    --
    See my journal, I write things there
  110. That worked for me once! by Anyd · · Score: 1

    I swear!! I was doing some repair work on ~8 year old lab computers at my school, and of course nobody knew the bios passwords. I got so bored trying to guess it I tried *s and it worked! Wish I remembered the bios make/version. It was probably some old proprietary crap.

  111. "complexity becomes a help desk nightmare" by Anonymous Coward · · Score: 0

    So, what does that turn security into?
    an absolute fucking mess?

    Now you could have one password for all the plebs (the people who will probably have the most password problems).
    I've worked for a couple of companies that do this:
    Keridge used to have a pleb password that changed daily.
    Where I work the door code changes every month
    The mainframe access codes for external companies are shared amongst the staff of that company.
    etc...

    Anyone who needs more than basic, 'you can't do much' access will need to choose (or be assigned) a different password.

  112. Re:Problem with my own machine. Mozilla into my HD by Anonymous Coward · · Score: 0

    Just did. What the hell is up with that?

    *sigh* C'est la vie, Mozilla.

  113. Great site for good passwords by TequilaMonster · · Score: 2, Interesting

    I use the diceware system. I generally end up with 25+ character passwords, and when mixed up cases, swap letter for number and word separator special chars are used, it gives very high strength passwords.

    Then just use memory path tricks to store them in the ol' grey matter, nuff said. I use the same rules every time for character substitution, so I don't have to remember the coded password, just the diceware phrase. Apply the coding, and there's the password.

    --
    Tequila - drink of the gods.
  114. User friendly! by jotaeleemeese · · Score: 1

    Start -> Programs -> Administrative Tools -> Local Security Policy -> Account Policies -> Password Policy -> ....

    That is what I call user friendly.

    I am not a Linux expert but I guess you have to change a line in a text file to achieve the same results.

    --
    IANAL but write like a drunk one.
    1. Re:User friendly! by Anonymous Coward · · Score: 0

      And how would Joe User know where to find the text file to achieve this result?
      Once again people - all OS's are difficult for ordinary users. Just because you can compile your kernel six times before breakfast doesn't mean a "normal" user can or would even want to.

  115. Yet again we have a lot of stupid people talking by gamorck · · Score: 1

    Here are at least two reasons 99% of the comments on this story are a complete and utter waste of internet bandwidth:

    1) http://www.theeldergeek.com/blank_password_network_access.htm

    2) http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/winxppro/reskit/prdp_log_oeec.asp

    Most of the people who have commented above have obviously never (a) taken the time to understand how to secure windows and (b) enjoy running their mouths endlessly about things they have no clue about. For starters no NT based OS that I know of neglects to present the user with the option to password protect the admin account during installation unless specifically instructed not to through the use of extended installation options. Next if any of you bothered to check out the links above you'll see that the fact that Windows XP allows for Admin level users to have blank passwords doesn't constitute a remote security hole at all. Why? Because Windows XP will not allow remote connections to be made to itself using an account whose password is blank.

    Am I surprised at how many people here didn't know this? Nope. Am I surprised that a bazillion f-tards talking trash about this subject got modded up by people who are even more clueless than they are? Nope. I'll tell you what did surprise me though. Taco actually gave you people a straight up comment which pretty much hits the nail on the head here.

    I never thought I would say this - but thanks a lot Taco. Maybe there is hope for ya after all. I mean any professional NT admin who has at least one of his boxes infected with this needs to be escorted out of the building immediately. Take his paper MCSE and shove it directly up his a*s because that's pretty much all it is going to be good for. Oh and be sure that the door doesn't hit his ass on the way out because it sure as hell wouldn't be worth the cleaning staff's time to have to clean that one up.

    Moral of the story: Windows and Linux are just as easy to secure and require an equal amount of vigilance to keep secure. Anybody who thinks otherwise is a retard.

    J

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  116. My system by Zugok · · Score: 2, Interesting

    I can't say I keep a high security for my computer as I should (and I really should...too much pr0n to lose), but for internet banking, really important stuff online, I have a pretty foolproof system.

    What I do is I take the name of someone I know for every month of the year. I associate a date with them, like birthday, day I met them etc. Sounds stupid so far, but here's what I do next.

    I then associate the date with the current year and decide how to mess about with the numbers. Do I just take the date at face value, or do I use date separators / . and - in some sort of combination and use them as mathematical operators to generate a number? Whatever I decide to do I convert the number into hex (because some passwords require numbers) and then attach it to the name of the person concerned in whatever way I choose and voila, password generated. Keep in mind that if you use the same combination of operators when the year changes, your password is not going to change a hell of a lot for corresponding months between the years.

    The beauty is I've told you my system and you can't figure out any of my passwords. Better yet, you don't actually need to remember your passwords, more likely you just need to remember the mathematical operators because names and birthdays should come off the top of your head. I can't remember my slashdot password though, I chose that before my system. Thank goodness for cookies.

    --
    "I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
  117. Yes, it IS Microsoft's fault by Vooch · · Score: 1

    Their laxidasical handling of security while promoting ease-of-use instead is the number one reason everyone has so many problems. If Microsoft ever got serious about security, we would hear of DAILY issues.

    1. Re:Yes, it IS Microsoft's fault by janda · · Score: 1

      "laxidasical"? How about "complete and utter disregard for all security"?

      I can (almost) understand providing an application that gives a default password for something like "root", but then you should require them to log in as that user and change the password as part of the install.

      Providing a lazy-password checker and requiring them to create every account with it is much better.

      I can understand everybody wanting to make life easier for people, but if people can understand why you want a PIN number on your ATM card, why does everybody think they'll freak out if you tell them they need a PIN number for their computer?

      --
      Karma: Food Fight (Mostly affected by Date Plate).
  118. Real Solution To The "Common Password" Problem? by istartedi · · Score: 1

    Your real password is a hash of your "friendly" password. Passwords are munged before being sent over the network, the munging being done according to a unique key in a dongle you stick into a USB port. Just don't lose the... oh... nevermind.

    Of course, something like this would have to be built into the operating system. Perhaps there could be a checkbox on the Windows password dialog that said [x] use MungeMatic Password(TM).

    I suppose you could store the munger key on a floppy or a CD too, but then the same idiots who use pa$$word would make dozens of copies.

    And of course, this can't protect you from people sitting at your terminal with your dongle; but if that's happening, you've got bigger problems anyway.

    Another possible solution? Just charge people for password changes.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:Real Solution To The "Common Password" Problem? by janda · · Score: 1

      Actually, the real solution would be best administered with a chainsaw between the metacarpals.

      --
      Karma: Food Fight (Mostly affected by Date Plate).
  119. Re:Problem with my own machine. Mozilla into my HD by Anonymous Coward · · Score: 0

    OMG just did this to the IP of a webserver and found a load of shares misconfigured, thank god I'm not the admin of that server.. left a note for them though......

  120. DOesn't matter... by FatSean · · Score: 1

    Even if you encourage stronger passwords, people use the easy ones. If you force them to use strong passwords via password checkers, they just write the fucking passwords on a sticky note stuck to their monitor. I have seen this way too often to laugh anymore. I just write mine down on a card and lock it in my desk :)

    --
    Blar.
    1. Re:DOesn't matter... by diablobynight · · Score: 1

      I just memorize mine. is it that difficult?

      --
      Anonymous Cowards - Oh God, How I hate you
    2. Re:DOesn't matter... by FatSean · · Score: 1

      When I have IDs on 20 different systems, each on a different schedule of forced password changes, yeah it gets kinda tough. Add to that my company's rule that you have to go through 5 different passwords on a given system before re-use and you only get 3 tries before it locks out the account. Ugh.

      --
      Blar.
  121. It's necessary. by Anonymous Coward · · Score: 0

    The lameness filter can't be removed until the moderation system is fixed. All ASCII art, whatever its purpose, is lame and should be moderated to -1. CmdrTaco knows this, but the moderators haven't figured it out yet, so sometimes they moderate ASCII art up. Therefore the lameness filter is necessary to pre-moderate ASCII art out of existence. When the moderation system is fixed, and all ASCII art is moderated to -1, then the lameness filter can be removed.

    You might think to yourself "that's silly", but think about it: what happens if Jon Carmack posts an ASCII-art flowchart of how DOOM IV's engine works. A lot of people would try to moderate that up, but as you've already learned, it needs to be moderated to -1. Only when language, shoot, I mean moderation... only when moderation is perfected will we be free of the lameness filter.

  122. I find it to be by fudgefactor7 · · Score: 1

    From the story: "for once a security problem that isn't really Microsoft's fault."

    I find it to be that most Windows security problems stem from it not being MS' fault but rather the lazy-ass Admins not patching, changing passwords, having sufficient info., etc. Of course the easy answer is for people to stop writing malware, then that would be great, but people being people like to fuck with things.

  123. A bit more detail by Black+Copter+Control · · Score: 3, Informative

    Central Command (also known as the Vexira Anti-Virus people) have a good bit more detail -- including a password list. If historical data is any indication, I'd expect about a 10-20% hit ratio just with the password 'password' (and simple variants thereof).

    --
    OS Software is like love: The best way to make it grow is to give it away.
  124. A good one. by KingBuggo · · Score: 1

    Kyle: Let me check my email first. *tap* *tap* *tap* *tap* *tap* Dan: That's a short password...what is it... "chair"? Kyle: *terror* no... Dan: *LAUGH* Kyle: Let me check my email. *tap* *tap* *tap* *tap* *tap* Dan: So...change your password? Kyle: No. Dan: What is it now..."bread" Kyle: fuck you.

    --
    "no one knows how to fill in the void called america" --the discovery channel
  125. Examples... by leonbrooks · · Score: 1

    XP Home adds new users (including the first) without passwords by default, and as Administrators by default. This makes all default shares accessible sans password.

    SQL Server is installed by many workstation apps with a blank or well-known-default password.

    Many services install vulnerable by default. I had a mate replace Linux with Win2k on his box, hook up to the internet and start downloading updates... and his box was trash 11 minutes later. Needless to say, he's back on Linux.

    --
    Got time? Spend some of it coding or testing
  126. Netbios used to be 137,138,139 not 445... by Ashurbanipal · · Score: 1

    Did something new happen in the ME/XP/2k versions of windows? I don't use those, but on my win98 and winNT boxes the netbios ports are 137,138, and 139. Did Microsoft kerberize these services or something?

    In /etc/services on all my *nix boxen port 445 is undefined, but IANA says Microsoft does indeed own 445. My samba boxes and NT servers don't show the port live with nmap, though.

    The smoothwall firewall SSL administration application runs on 445. That's the only thing I know of offhand that uses it.....

  127. Simple way to make password secure... by GweeDo · · Score: 1

    After reading all the posts that people were giving about how many insecure passwords they were finding on their system I decided to check up on the passwords on my system (I work for a web hosting company). After checking my system for the standard password, sex, username, blah blah blah I keep getting 0 records found each time. Then I remembered we had a few rules about our passwords:

    1. Must be between 6 to 24 characters in length.
    2. Must contain at least one digit (0-9)
    3. Must not contain your username (or your username backwards)

    With these simple rules it appears that most of the standard sucky passwords don't appear on our system. So give it a try on your system and stop users from having crappy passwords!
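The three rules from the post above, as an added worked example (this is my code, not the poster's or any hosting company's): a checker that reports every rule a password breaks, and an audit helper that runs it over a list of accounts. The `COMMON_PASSWORDS` set is a constructed handful taken from the worm's guess list quoted earlier in this thread, and the username comparison is assumed to be case-insensitive, which the post does not specify.

```python
import re

# Constructed: a few entries from the worm's password list posted earlier in this thread.
COMMON_PASSWORDS = {"", "password", "admin", "123456", "sex", "god", "secret", "test", "pass"}


def check_password(username, password):
    """Return a list of rule violations for (username, password); an empty list means it passes.

    Rules are the three from the post: 6-24 characters, at least one digit,
    and no username (forwards or backwards). A common-password check is added on top.
    """
    problems = []
    if not 6 <= len(password) <= 24:
        problems.append("length must be between 6 and 24 characters")
    if not re.search(r"\d", password):
        problems.append("must contain at least one digit (0-9)")
    user = username.lower()          # assumption: match the username case-insensitively
    pw = password.lower()
    if user and (user in pw or user[::-1] in pw):
        problems.append("must not contain the username (or the username backwards)")
    if pw in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    return problems


def audit(accounts):
    """Run check_password over (username, password) pairs; return the failing ones with reasons."""
    failures = []
    for user, pw in accounts:
        problems = check_password(user, pw)
        if problems:
            failures.append((user, problems))
    return failures


if __name__ == "__main__":
    # Constructed sample accounts; an audit of a real system would read them from its user store.
    sample = [("alice", "Tr0ub4dor&3"), ("bob", "password"), ("carol", "c4rol!ab"), ("eve", "eve1")]
    for user, problems in audit(sample):
        print(f"{user}: " + "; ".join(problems))
```

Note that the post's rule checks happen before a password is stored; an audit of existing accounts like the one above only works where plaintext candidates can still be compared, which is why the post describes querying for specific known-bad values rather than reversing stored hashes.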

  128. Another related link! by DesiDudette · · Score: 1

    http://business2-cnet.com.com/2100-1002-991844.html?type=pt&part=business2-cnet&tag=feed&subj=news

  129. Is that really better? by WD · · Score: 1

    Is having a password that forces a user to write it down on a little piece of paper or a post-it note really better than one that they can remember?

    1. Re:Is that really better? by JWSmythe · · Score: 1


      Well, what do you think? If you can keep a piece of paper in your wallet, and only people with access to that paper know your password, it's more secure than a password that any kid on the Internet can get on a list.

      Since you've asked the question, I'm tempted to try a dictionary scan of your account on here. I'll laugh if it's "password". :)

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:Is that really better? by fishbowl · · Score: 1

      >Is having a password that forces a user to write
      >it down on a little piece of paper or a post-it
      >note really better than one that they can
      >remember?

      Depends on how you evaluate the risk of physical security versus the risk of remote intrusion.

      I have a LOT of things on my desk that would be more useful than a list of passwords. If you broke in my office, I have high risks. On the other hand, if my passwords are weak you can do certain types of damage without breaking in my office...

      FWIW, I use pwgen. I'm looking for options for a hardware /dev/random. Anyone know of a project for that?

      --
      -fb Everything not expressly forbidden is now mandatory.
    3. Re:Is that really better? by fizbin · · Score: 1

      I like the approach that VMS used - if you asked it to, it would generate a selection of random passwords that were still pronounceable. (You were then forced to pick one as your new password, or ask for a new set)

      Actually, here's a better thought for JWSmythe's system: use one of those perl markov chain programs on a markov model trained to model English words, (I'm not sure whether you should train it on a dictionary or on English text, since training it on English text will tend to overemphasize certain words) and then drop two random digits somewhere in there. Then filter for the desired length, and present the users with a choice of (say) the first 10 things to come out of the generator.
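The Markov-chain scheme sketched above, as an added example written in Python rather than Perl and not taken from any existing program: a character-level model is trained on a word list, it generates pronounceable strings, two random digits are dropped in at random positions, and candidates are filtered by length until ten are collected. The training words, the model order of 2, the length window of 8-12 and the fixed seed are all assumptions made for the demo.

```python
import random
from collections import defaultdict

# Constructed training corpus: a few ordinary English words. A real deployment would
# train on a dictionary (or on running text, with the word-frequency bias the post mentions).
TRAINING_WORDS = [
    "password", "security", "network", "station", "manager", "computer",
    "window", "system", "server", "printer", "monitor", "keyboard",
    "terminal", "garden", "summer", "winter", "mountain", "river", "castle",
    "dragon", "planet", "silver", "golden", "hammer", "ladder", "market",
    "rocket", "basket", "carbon", "orange", "purple", "yellow", "pencil",
    "candle", "button", "cotton", "ribbon", "velvet", "marble", "forest",
]
ORDER = 2            # assumption: the next letter depends on the previous two
START, END = "^", "$"


def train(words, order=ORDER):
    """Character-level Markov model: context string -> list of observed next characters.
    Repeats are kept in the list, so a uniform choice from it reproduces training frequencies."""
    model = defaultdict(list)
    for w in words:
        padded = START * order + w.lower() + END
        for i in range(order, len(padded)):
            model[padded[i - order:i]].append(padded[i])
    return model


def generate_word(model, rng, order=ORDER, max_len=16):
    """Walk the chain from the start context until END is drawn (or max_len letters)."""
    ctx = START * order
    letters = []
    while len(letters) < max_len:
        nxt = rng.choice(model[ctx])   # every reachable ctx was seen during training
        if nxt == END:
            break
        letters.append(nxt)
        ctx = (ctx + nxt)[-order:]
    return "".join(letters)


def add_two_digits(word, rng):
    """Drop two random digits somewhere in the word, as the post suggests."""
    chars = list(word)
    for _ in range(2):
        chars.insert(rng.randint(0, len(chars)), str(rng.randint(0, 9)))
    return "".join(chars)


def candidates(model, rng, count=10, min_len=8, max_len=12, max_tries=10000):
    """Return the first `count` generated strings whose length falls in the window."""
    out = []
    for _ in range(max_tries):
        if len(out) == count:
            break
        cand = add_two_digits(generate_word(model, rng), rng)
        if min_len <= len(cand) <= max_len:
            out.append(cand)
    return out


def pronounceable_passwords(seed=None, count=10, rng=None):
    """Convenience entry point. A fixed seed gives a reproducible demo only:
    random.Random is not a cryptographic generator, so for real use pass
    rng=secrets.SystemRandom() instead of a seed."""
    rng = rng or random.Random(seed)
    return candidates(train(TRAINING_WORDS), rng, count)


if __name__ == "__main__":
    for p in pronounceable_passwords(seed=1):
        print(p)
```

Two caveats worth keeping in mind with this approach: the chain only ever emits letter sequences it saw in training, so a pronounceable string carries noticeably less entropy per character than a uniformly random one and should be longer to compensate, and the generator must be driven by a cryptographic source (`secrets.SystemRandom()` in Python) rather than the seeded `random.Random` used here for reproducibility.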

    4. Re:Is that really better? by WNight · · Score: 1

      Yes. An attacker inside a company has many ways of breaking into machines. There are simple keyboard taps that you plug into the back of the machine and plug the keyboard into which will record a rolling 60k of keystrokes. They're $50 or so, last I checked. They can also reboot the machine and use a boot disk, or one of a million other things. A password hidden in a desk drawer doesn't change that much.

      But, for an outside attacker who has to guess a password because he doesn't have physical access, a random password is the end of the line. A weak password gives them a machine to attack the rest of your network with.

      Many admins I work with use one-time passwords and keep a list of a hundred or so in their wallets. They append a short secret string to them to stop trivial usage (and hoping that the list of one-time passwords runs out before the attacker guesses the extra part) but they treat it like credit cards. If your wallet is stolen you call one of the other admins and have your account locked until you go into work and print a new set of passwords.

  130. Password rotation sucks by FuzzyBad-Mofo · · Score: 1

    Assuming a sufficiently strong password, I think enforced password rotation hurts more than it helps. As a user, it's not easy to come up with a good password. Then you want me to make up a new one every 90 days? Right. How about I just start using the same password and incrementing a number at the end ('password1', 'password2', 'password3', ...).

    If that is disallowed, and I have to choose some different incomprehensible string every 90 days, then what I will do is write down the password, because there is no way in hell that I'm going to memorize something like that on an ongoing basis. What's more secure, a strong (but static) password, or a password on a post-it in my desk drawer?

    1. Re:Password rotation sucks by WNight · · Score: 1

      Against who? An insider who can simply unplug your machine and use a boot floppy when it comes back (and can remove the HD and use it in his machine if you've got too many protections)? Against him a strong password is slightly more secure, but he'll probably not even try passwords, opting for the sure method.

      Against someone over the network? A secure password in your desk drawer is much better than a rememberable password, or the same random pass from other systems, one of which might be compromised.

      Make strong passwords, keep a list in your wallet. We're already accustomed to keeping credit cards and other sensitive things in there, so you're unlikely to lose it. And if you do, have your account locked until you change your password.

  131. Social Hacking? by Solitary+Angel · · Score: 1

    This reminds me of some of the examples that I've heard Kevin Mitnick give, I think he referred to it as Social Hacking. This worm basically gains access to systems through human weaknesses instead of technological weakness. If this one does do damage, I wouldn't be surprised to see more appear using these methods. -- SA

    --
    SA
  132. Passwords -- OF THE FUTURE! by Spoing · · Score: 1
    How about 286755fad04869ca523320acce0dc6a4? Or, d577273ff885c3f84dadb8578bb41399?

    Clue: md5sum

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  133. OTBinary by Anonymous Coward · · Score: 0

    Your Binary is wrong
    00 = 0
    01 = 1
    10 = 2

    Good day

    1. Re:OTBinary by LBArrettAnderson · · Score: 1

      No, if you read the rest of the signature, that's 3 types of people. As said above, most people start counting at 1, not 0. If there were 0b00 types of people then no one would exist.

  134. Re:Ack! It's the Rapture! by Sir+Network · · Score: 1

    "It's very clear to me now, obviously the /. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in thier underground sugar caves."

    For those of you who don't know, this is a reference to a line in The Simpsons spoken by Kent Brockman.
    Episode is called "Deep Space Homer" and is in season 5.

    --
    Life is tough. It's tougher if you're stupid. --John Wayne
  135. Comment removed by account_deleted · · Score: 0, Redundant

    Comment removed based on user account deletion

  136. UDP 137 by ackthpt · · Score: 1
    Innocent Windows looking for a friend, or...

    Opaserv

    network.vbs

    There were some others I found before, but I'm not finding them now, probably need to refine my search, but I don't have the time atm.

    Here's some more reading material...

    911, etc.

    port scan

    I spent some time reading up on how buffer overflows were used for exploits on this port, UDP packets, and so on. I'm not convinced this is innocent activity, particularly since I do have a firewall configured and don't see any outgoing traffic.

    Learning about attacks is an ongoing thing for me and until I have all the facts, or enough of them, I'm leaving it my firewall to keep intruders out. I have seen bursts, usually on weekends when I assume more infected computers have been turned on and the worms are active. At various times I've had as many as 100 hits within 2-3 minutes.

    Since I have no current reason for anyone on the internet to access my system, I believe a complete lockdown is a good position to start with. If I put it on a high-speed connection, with fixed IP and fire up services, then I'll allow ports as necessary.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:UDP 137 by Anonymous Coward · · Score: 0

      I wasn't suggesting that you should allow it through - I agree with you that far. I was just questioning the utility of logging it.

  137. Sites that don't let you use good passwords by Anonymous Coward · · Score: 0

I've tried to use good passwords, but some sites bar you from using anything but alphanumeric characters, or LIMIT you to 6 chars... can't blame the users under those conditions.

  138. Re:I find it to be MS's fault by Hyped01 · · Score: 1
    In this particular case at least - and any similar - I would think that MS is (at least partially) to blame.

    Making an OS that has a port for a certain protocol (namely NetBIOS) available over another *by default* that exposes it to millions of other machines (namely TCP/IP via the 'net) is definitely NOT the way to release an OS that you are claiming is supposed to be so secure.

Who is "the admin" for all of those people who are just regular home users/gamers/students (with no real interest in computers, or anyone for that matter for whom the computer is just another tool)?

    The answer? Microsoft. Thus, this is their screwup - again.

    When you get your license and you buy your first car, does the manufacturer/dealer hold you responsible for knowing how to fix the engine or rebuild it? No - you just have to know how to use the vehicle - ie: drive, add gas, check oil and tires. Just like how every casual (ie: non "admin-type" computer user) expects that with a computer, they need to plug it in, turn it on, maybe defrag it or run a virus scan every now and then, and use their favorite program/game on it... NOT be a network admin for it.

With the Internet "slowly" making its way into everyone's house - and via faster and faster connections - and the large majority of those Internet users being computer users, default Windows setup should account for that.

    Oddly though, each new release of Windows opens MORE ports instead of less - and also even MORE "accidental" back doors.

    --

    WebMaster:
    BinFeeds
    XXX Thumbnailed Image Newsgroups but

  139. Alternative Authentication Means by fuzzybunny · · Score: 1
    Authentication is usually based on some sort of combination of these three factors:

    -What you know (username/password)

    -What you have (token, e.g. smart card)

    -What you are (biometrics)

Username/password is a _good_ authentication mechanism for CERTAIN scenarios. And, as we all know, there is no such thing as absolute security even combining the above factors (users writing PIN codes on a hardware token, etc.) But a heterogeneous environment combined with good policies (and judicious application of the clue bat to users every now and then) sure reduces the fear factor with your passwords.

    Sort of off topic, but it beats arguing about the problems of passwords.

    --
    Cole's Law: Thinly sliced cabbage
  140. Isn't that partly Microsoft's fault too? by roystgnr · · Score: 2, Insightful

    What mechanism is more responsible than click-thru software EULAs for training computer users to believe that they should expect to regularly see large blocks of text emphatically declaring dire warnings and that they should just click "OK" without reading when those blocks of text pop up?

  141. Re:How MS can "force" a person to choose a good pw by SN74S181 · · Score: 1

    There's a checkoff box in the Windows 'networking' control panel to enable or disable file sharing completely. It would be damned hard to accidentally turn it back on if it's not turned on. If it's never been enabled, you need the distribution CD to enable it because the setup scripts need to copy files.

  142. Yawn by Anonymous Coward · · Score: 0

    What ever crossdressing eric.

Why not try doing some real trolling...
    No wait..

    Why not get a sex change so you can really claim to be a woman.

    Oh wait I forgot, you are a shemale and the only person who you will be tity fucking is yourself.

  143. 2112 !!!! by ogre2112 · · Score: 1

    My password is out! nooo!

  144. Ah Ha! by Anonymous Coward · · Score: 0

    Nice try, but I know what you changed it to:
    ****************

  145. Some details about the worm itself by sepulcrum · · Score: 2, Informative

Apart from everyone complaining and joking about the strength of the average user's password, I read nothing about the actual worm this is about.

The worm comes in using port 445 (this is the samba over TCP port) and tries some simple passwords (the most effective being the empty password). After the infection the worm drops the file dvldr32.exe in the startup folder so that next time the machine is restarted the worm/virus will be installed onto the machine.

What the worm does is:
- Start scanning and infecting other random IPs; it does this at a very high speed (i.e. hundreds of IPs per minute)
- Installs WinVNC (a VNC server for Windows) that allows remote control, see the VNC webpage.
- Connects to some private IRC servers and joins a channel with some high ASCII chars in the name (Chinese?) and a password. The IRC server is modified so that it does not give back any information to the client, but anyone on IRC can request the IPs of all the infected machines. When I tested this there were about 8000 infected machines on IRC (8000 was the IRC client limit so there are probably a lot more infected machines out there).

Note that this is quite a big threat as even passive attackers can get IPs of infected machines by watching their logs for connections to port 445. Most of the machines making such connections to you are either machines in your local network or infected machines (unless you do a lot of samba over tcp/ip over the internet).

One can easily access the hard disks of these machines using the Admin$ share (which you know has no or only a simple password) either to get files from the user's computer or get a copy of the worm itself (it's located in the \winnt\system32 folder and named dvldr32.exe). Once you have a copy of the worm you can obtain the VNC password using some good old reverse engineering tricks (which I will not give out here because that would help out scriptkiddies just a little bit too much). I tried out the password I obtained using this analysis on one of the hosts that scanned me and guess what the guy was doing on his PC, yep he was downloading porn using KaZAA.

From the looks of it this worm has already infected a lot of machines. I get about one connection attempt to port 445 every 2 hours.

For some more info about the worm check out the antiy website

Let's see how long it takes before all ISPs block their VNC (5900) and their microsoft-ds (445) ports to stop the worm or Microsoft issues a security update that forces strong passwords upon users or asks for permission every time something new is put into the startup folder.
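The post above notes that a defender can spot infected hosts simply by watching firewall logs for inbound connections to port 445 (the worm's entry point) and 5900 (the VNC server it installs), and an earlier comment in this thread mentions bursts of around 100 hits within 2-3 minutes. The following is an added example of that detection logic, not code from the post or from any vendor; the netfilter-style log format, the addresses and the timestamps are constructed for the example, and the local-network ranges and burst threshold are assumptions you would tune to your own site.

```python
"""Flag external hosts probing the worm's ports in constructed firewall log lines.

Added example: not part of the original thread. The log format below is a
constructed netfilter-style DROP line, not any specific firewall's real output.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2003-03-08 02:11:03 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3281 DPT=445
2003-03-08 02:11:04 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3282 DPT=445
2003-03-08 02:11:05 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3283 DPT=139
2003-03-08 02:13:40 DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=1045 DPT=5900
2003-03-08 02:14:01 DROP IN=eth0 SRC=192.168.1.5 DST=192.0.2.10 PROTO=TCP SPT=1046 DPT=445
2003-03-08 02:15:12 DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
2003-03-08 04:20:00 DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=1100 DPT=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP .*?SRC=(?P<src>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Ports named in the thread: 445 is how the worm gets in, 5900 is the VNC
# server it installs, 139 is the older NetBIOS session port (same SMB service).
WATCHED_PORTS = {445: "microsoft-ds", 5900: "vnc", 139: "netbios-ssn"}

# Assumption: these are the site's own networks; hits from them are expected.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": ipaddress.ip_address(m["src"]),
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        })
    return events


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def suspicious_sources(events):
    """Map each external source to the sorted list of watched TCP ports it hit."""
    hits = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dpt"] in WATCHED_PORTS and not is_local(e["src"]):
            hits[str(e["src"])].add(e["dpt"])
    return {src: sorted(ports) for src, ports in hits.items()}


def burst_sources(events, window=timedelta(minutes=3), threshold=3):
    """Sources that produced at least `threshold` events inside any sliding window.

    The threshold is deliberately low so the constructed sample triggers it; a
    real deployment would use something closer to the 100-in-3-minutes bursts
    described in the thread.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[str(e["src"])].append(e["ts"])
    bursty = []
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursty.append(src)
                break
    return sorted(bursty)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, ports in suspicious_sources(evs).items():
        print(f"{src}: probed {[WATCHED_PORTS[p] for p in ports]}")
    print("burst sources:", burst_sources(evs))
```

Sources inside the local ranges are left out of the suspicious list because, as the post says, local machines are the one legitimate origin of SMB traffic; the UDP/137 line is ignored because the worm's traffic is TCP. A host that shows up in both lists (probing 445 and doing it in bursts) is the strongest signal of an infected peer worth reporting to its ISP.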

    1. Re:Some details about the worm itself by mb12 · · Score: 1

      Thank you kindly for posting information regarding the actual worm - I waded through all the chatter on passwords and was relieved to find your posting.

  146. Pi by The+Raven · · Score: 1

    I actually USE pi as my login... or actually, a long chunk of it from several hundred digits in. I've been slowly memorizing pi for years now by using 15-25 character passwords with digits from pi. After a couple months when I can enter the password without thinking... I move on to the next chunk of numbers in pi. I've memorized about 200 or so digits so far.

    Yes it is useless. But at least I'm using the password I need to memorize for some purpose. Ever thought of learning your favorite poem by setting your password to the poem, line by line? Only practical in systems that accept long passwords, such as Netware, Win2K, or anything using Kerberos.

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  147. When does it become the user's fault? by fudgefactor7 · · Score: 1

    My opinion of the car analogy is well documented, so I'll just skip repeating what I've already said. But you ask a valid question, namely: "Who is "the admin" for all of those people who are just regular home users/gamers/students (with no real interest in computers, or anyone for that matter for whom the computer is just another tool?"

You answered MS, but I disagree. MS is not the admin of my systems at home, I am. The car dealership is not responsible for the general maintenance and upkeep (and cleaning) of my car, I am. At some point, a home user must become the admin, take responsibility for not securing their computer, and learn something in the process. The Internet is a dangerous place, filled with scum and villainy, and to leave your computer unprotected is just as silly as not having doors on your house--any moron with bad intent can walk right in and take your stuff.

    Users, casual, home, grandpa-type users need--nay, must--get a clue that although computers are indeed getting more "user friendly" they're still not something to be taken lightly. And with broadband coming to more and more homes, this is something that needs to be addressed. Microsoft makes their OSes cater to the masses. It's like they took the idea of "all things to everyone" and went nuts with it. That's great, make the OS be able to do it all, wonderful; but what about it leaving open all those holes?

    Ask MS and they'll tell you the same thing that I will here: at some point the user has to take control and learn how to protect himself by closing the ports and patching the system when exploits are discovered.

It seems strange to me that when MS does exactly that, by enabling automatic updating, people go crazy about privacy violations! You cannot have it both ways, wanting MS to do it for you and not having to be bothered, or not have someone "else" poke around in your business. By doing a brief nmap scan on a newly installed, but not yet configured Linux box, I find that there are a lot of open ports on that one as well. So this is not a MS only problem.

I totally disagree with the idea that a user cannot be empowered. I equally disagree with the notion that people, themselves, aren't to be blamed; that it's someone else's fault. This mentality has to stop! "Don't blame me my kid can't read, it's the school's fault!" (never mind the fact that the parent was nowhere to be found and didn't spend enough time with the kid); or "Don't blame me that my system wasn't behind a firewall, it's Microsoft's fault!" (never mind the fact that ICF has been available since Windows XP and can be turned on with a single checkmark) are equally pathetic. Just as parents need to take control of their kids' activities, monitor, guide, and assist--be a part of the learning experience for the child--people need to learn that computers are the same deal: you have to learn, adapt, understand, and protect your systems. That means patches, upgrades, more RAM, security checks, defragging, scandisking, etc.

    It's a jungle out there, and just as it takes responsibility to rear a child; it takes just as much responsibility to engage (correctly) in the electronic neighborhood of the Internet.

  148. Re:Hypocrites - Give M$ a break by Anonymous Coward · · Score: 0

    Ah yes, the old ad hominem attack. Guaranteed to win any argument!

  149. Theres only one password I need to know by Anonymous Coward · · Score: 0

    And thats the one to get by foolproof at the school. I never have the time to get around it.

  150. RTFP by Anonymous Coward · · Score: 0

    From the original post:

    "I ended up disabling the service, but there should be a better way..."

  151. Lax security on Windoze on purpose? by Anonymous Coward · · Score: 0

    Maybe the lack of security on XP is part of the deal with the Feds to make their collection of information easier. They've got Magic Lantern but they've also got this...

  152. Re:Problem with my own machine. Mozilla into my HD by Anonymous Coward · · Score: 0

    Look at the URL you typed.... file://IPofanattacker/

Look at the first portion: *file*://IPofanattacker/

    Try visiting file:///etc/resolv.conf (or any other file).. it's going to spit back the file on your machine... just like mailto: sends an e-mail to an e-mail address, or ftp: visits an FTP site, file: will show you a file..

  153. Re:percentages by LBArrettAnderson · · Score: 1

    not mine... i spent a good 15 minutes writing a script for that comment that counts all that stuff.

    thanks for the gratitude for my "informative" comment.

  154. 52 digits by Anonymous Coward · · Score: 0

when I was in high school, my math teacher had this poster of pi that ran along the top of the wall all the way around the room. because that class was so boring, I took that precious time to memorize 52 digits of pi, just for the hell of it. now while this is an odd talent, it has come in handy in a couple physics classes where the professor asked if anyone knew the value of pi.. and I'm still waiting for that one woman I know must exist out there somewhere that will think a recitation of 52 digits of pi is better than shakespeare any day. :)

    1. Re:52 digits by Anonymous Coward · · Score: 0

      You'll be waiting for a very, very long time.

  155. New Windows Worm Inching Around Internet by TW+Burger · · Score: 1

I have a new virus on my computer too. It seems when the Norton Antivirus Updates subscription is not renewed after a year it becomes a virus that pops up a dialog box on your Windows computer each time you start it up for the day and asks if you will renew now or later (later being limited in selection to tomorrow).