Slashdot Mirror
Vista Hackers Get Busy
An anonymous reader writes "Microsoft's long-awaited Windows Vista release Thursday for business customers will get more than just the passing attention of network administrators. That's because hackers will be eagerly waiting to do what hackers do best: start some mischief." Some folks on the Black Hat set got a sneak peek at Vista earlier this year, so they've had time to prepare.
Because crackers were obviously waiting until Vista was available in stores.
Make it better. The less piracy of windows there is in the world, the more people will get into free alternatives
My turnips listen for the soft cry of your love
Microsoft software will always be a puzzle game to hackers and such; closed, hidden, and exciting to find.
I don't even have the operating system installed and I'm worrying about the hackers and the virus already.
...Viruses and other bits of Malware will be out in the wild ready to hit machines running Vista when corporations and other VLK owners start getting it installed and running. Microsoft claims it is their "Most Secure Operating System EVER," should be interesting to see how well they actually do maintaining that claim. I bet nothing for 2 days, but ~5 within the next week. What should be more interesting is how much press they get, and how Microsoft responds to them.
1. Windows will always have "enough" security for most users. There's no incentive for them to do any better because they own the market already. Therefore, end-user security is not important.
o ws_Vista
2. The target is too big and the OS too poorly designed for running a reasonably safe desktop.
3. The outlook for system administration is good because there will be plenty of work.
What's sad is the Wikipedia page that compares Vista to XP conveniently studiously avoids the fact that Microsoft and the media corporations now control essential parts of your computer. http://en.wikipedia.org/wiki/Features_new_to_Wind
I give the first verified Vista exploit 90 days from the day they ship to consumers. What's your bet?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
``Some folks on the Black Hat set got a sneak peek at Vista earlier this year''
It seems to me pretty much everyone got a sneak peek at Vista earlier this year.
Please correct me if I got my facts wrong.
If you are a writer or journalist, don't say or write hacker when you mean cracker. If you work with writers or journalists, educate them on this issue and push them to do the right thing. If you catch a newspaper or magazine abusing the work `hacker', write them and straigten them out (this appendix includes a model letter).
The New Hacker's Dictionary
CC.
TaijiQuan (Huang, 5 loosenings)
They were all standing around with their tents in their black hats waiting to crack stuff and make keygens and shit. I asked why they were waiting in line when they could have had the RTM weeks ago on Usenet? They replied, "What's Usenet?" Those black hats must really fuck with the circulation in your head. I wonder if Slashdot editors wear black hats.
Windows Mail identifies and stops all ten threats on its list,
Stratio-Zip, Netsky-D, and MyDoom-O are able to bypass security when a third-party email client is used.
Good proof that Vista is insecure.
Sorry, going to be almost entirely off-topic here because a submission on this was rejected and I think it deserves at least some exposure. If it was Outlook eating e-mails Slashdot would be having a field day, but alright.
0 9
ThunderBird v1.5.0.8 introduced an issue where malformed e-mails (namely the Referer: header value matches the Message-Id: header value) is causing the e-mails not to be displayed. They are received, they're in the mailbox file, but they're not displayed. The error is probably somewhere in the Threading code, but affects non-threaded Views all the same. Worse yet, if you compact your folders (as you are recommended to do regularly), the invisible e-mails will also actually be deleted.
This issue has been in ThunderBird since 1.5.0.8 release, obviously. It was first discovered on November 9th. A bug was logged on November 11th. It is now December 1st (here anyway), and an official fixed release is not expected until later this month.
There is no telling how many users are affected by this bug, as most users will never realize that the mail isn't arriving - and when told, the first few things they would check is spam filters, their ISP's spam filters, firewalls, junk filters, and then the MozillaZine page on disappearing e-mail (sad that there's such a page) - which makes no mention of this bug either.
I'll take an exploit any day - turn my machine into a zombie if you must - but causing me to lose mail for no good reason, knowing about it, and not officially fixing it, is inexcusable.
That said - the fix is in the 1.8 branch, in 2.0, and in the nightly builds. Thing is, only way to know about it is if you read the bug (change referrer - bugzilla.mozilla blocks slashdot referrers):
https://bugzilla.mozilla.org/show_bug.cgi?id=3604
o Exploits will be in older code.
o The first "exploits" announced will be simply userland Trojans, as will most that follow.
o Old-style remote exploits will be unusual and dramatically rarer than we're used to.
o Nobody will notice the difference. The media will lump all problems together and the reports will boil down to "LOL V1st4 pwned".
MS has hunted down unsafe APIs and banned crypto algorithms that are damaged (MD5) or that nobody can figure out how to use correctly (RC4). They compile with stack canaries. They've added address space layout randomization. A large number of people in Canada will forever snarl at me in derision for saying this, but Microsoft is beginning to absorb lessons from the success of OpenBSD.
It's never going to be the same, of course. There's not enough money in the world to audit Microsoft's cetacean code base to OpenBSD standards and I can't believe the design of Windows would support privilege separation.
Then the interesting thing would be to see how many people actually just keep Linux.
- Greg
Start a happiness pandemic
we had to manipulate the bits with our fingers, in the snow, without gloves on!
You had FINGERS? You lucky dog. We used to sit around at night, in the freezing cold, dreaming about what it would be like to have fingers...
Seven puppies were harmed during the making of this post.
Mercy me I can't imagine there will be any vulnerabilities at all in this newest highest priced, longest to develop & release version of Microsoft's ratio sum ultra of enterprise operating systems. And even if there are and someone exploits them that would just be unfair and mean. I'm sure I wouldn't want to know about any exploits in this the most critical and hyped version of Microsoft Windows.
I take it, from your tone, that you're implying that the lack of attacks against Mac OS has nothing to do with its small marketshare. Interesting that you post this one day after Apple patched 31 security holes. And there were three months earlier this year when Apple patched 40+, 20+, and 20+ security holes. So the holes are there aplenty, but they're not being exploited for some reason. If small marketshare isn't the reason that those holes haven't been exploited, then what is the reason? Why don't you suggest a reason?
Maybe it isn't small marketshare, but it certainly isn't that the holes aren't there (like Mac fanboys like to suggest).
-- "I never gave these stories much credence." - HAL 9000
I take it, from your tone, that you're implying that the lack of attacks against Mac OS has nothing to do with its small marketshare.
How perceptive!
Interesting that you post this one day after Apple patched 31 security holes
And then you falter.
Not all security holes are created equal you know; Some security holes are harder to exploit than others. You can never remove all security holes so you approach security using a tactic called "defense in depth" which builds a layered approach to security, such that even if you have a weakness at some level either the levels above will prevent access for an exploit, or an exploit can only get so far. So Apple fixing 31 security holes means only that they are indeed vigilant about patching security problems.
Still virus and malware free, even with these 31 exploits it would seem....
And there were three months earlier this year when Apple patched 40+, 20+, and 20+ security holes
Yes, and three months earlier we also had no malware or viruses.
So the holes are there aplenty, but they're not being exploited for some reason.
(a) you obviously had no idea what the holes were in, and (b) as I said you can never remove all holes - only a fool would imagine that to be possible.
To help you reach a deeper understanding of the situation, consider this - some of those "holes aplenty" were in the OS X SSH server. yet by default OS X does not have SSH enabled. So, realistically, a hole in that system means nothing for a virus writer, because they cannot count of enough people to be running SSH to make that an exploit they can reach. That is but one example.
If small marketshare isn't the reason that those holes haven't been exploited, then what is the reason? Why don't you suggest a reason?
I have - defense in depth. It's too difficult currently to reach the exploits that are open, or to do anything of use when you reach them. Furthermore a good deep defense also means that if an exploit should infect a computer, it's far easier to remove the malicious code - whcih lesses the desire to write an exploit because its lifespan will not be as great.
Let's turn your whole argument around. Apache is a popular web server, far more popular than any other. Yet it too has a distinct lack of sucessful exploits against it compared with other servers. Since marketshare does not seem to tell us anything about the likleyhood of successful attacks, some other force is at work - and that is a better overall security model.
Maybe it isn't small marketshare, but it certainly isn't that the holes aren't there (like Mac fanboys like to suggest).
Mac "fanboys" rarely suggest there are no holes, just that OS X has better security by default which reduces the impact and effect of the holes that will ALWAYS be there. Only "Windows Bitches" distort that argument to claim otherwise. Say, didn't you jus make that mistake?
"There is more worth loving than we have strength to love." - Brian Jay Stanley