Many Hackers Accidentally Send Their Code To Microsoft

joshgnosis writes "When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com. On average we get attacked between 7000 and 9000 times per second.'"

How Does It Encapsulate the Source Code?

[eldavojohn]

When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

I understand how this would be able to hand you their script or interpreted file but all the compiled byte code in the utilities they use would do you little good unless you were extremely patient. I don't know what percentage of exploits exist in the way scripts are interpreted (unless we're talking Internet Explorer) but I always assumed the really good and juicy exploits are those compiled down -- you know like a fake DLL that needs to be placed in the system path.

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Furthermore, how can you tell if this is a malware developer or the first unfortunate victim? Or even an outlier victim whose machine was luckily not correctly configured for the attack?

One thing's for sure: I hope Microsoft is bright enough to log everything they get so that when an exploit is found in the wild sans source code they can do a Hamming distance or some such analysis on it to pin down its origin and also look at the deltas to figure out what the developer was changing between releases so they can better understand the exploit.

Re:How Does It Encapsulate the Source Code?

[DigitalSorceress]

Maybe the report includes a dump of working memory?

Just a thought, thought that would make it kind of big.

Re:How Does It Encapsulate the Source Code?

[kyrio]

RTFA

Re:How Does It Encapsulate the Source Code?

[Taagehornet]

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program?

According to TFA Heckman gave a presentation of XSS and SQL injection attacks. So, I imagine that what we're talking about here is Microsoft receiving a dump of IE process memory, which of course will include the malicious script.

Furthermore, how can you tell if this is a malware developer or the first unfortunate victim? Or even an outlier victim whose machine was luckily not correctly configured for the attack?

If you get a sequence of error reports from the same IP within a short period of time, where the only difference is that the script bringing IE down has been modified slightly, you've probably got the developer at the other end of the line. (Online source control on a budget? ;-)

Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Where did that come from?

Re:How Does It Encapsulate the Source Code?

[onlysolution]

Crash dumps sent to Microsoft can contain memory used by the Windows process that was hosed by the virus writer, which could very well include whatever machine code was injected in to the process's memory or the invalid input that caused the crash . No phoning home via Visual Studio is required (amazing FUD with your speculation there, by the way,) the nature of the attack means the code/data is going to be exactly in the place it needs to be for MS to get at it without doing anything nefarious.

Re:How Does It Encapsulate the Source Code?

[recoiledsnake]

I guess they find it when Microsoft analyzes the crash logs and is able to see the assembly code trying buffer overflows etc. Think core dump in Linux. I wouldn't think Microsoft would send the source code to themselves.

Re:How Does It Encapsulate the Source Code?

amazing FUD

Remember folks, here at Slashdot, asking a question is Fear, Uncertainty and Doubt.

Re:How Does It Encapsulate the Source Code?

"Would you be less likely to vote for McCain over Bush if you discovered that he had an illegitimate black child?"

Hey, it's just a question; it's not making any claims.

Re:How Does It Encapsulate the Source Code?

compiled byte code in the utilities they use would do you little good unless you were extremely patient

Many people in the Windows OS team only debug at assembly level. For e.g. Raymond Chen.

http://blogs.msdn.com/b/oldnewthing/archive/2004/11/11/255800.aspx

"1. Once the optimizer has messed with your code source level debugging falls apart.

2. Most debugging is done remotely. When you have to debug a customer's machine 5000 miles away over a 56k modem, you can't tell them, "First, I want you to install Visual Studio on your domain controller..."

3. Installing a GUI debugger on the test machine changes the system configuration and therefore influences the test itself. Imagine if Windows XP had some horrific bug that goes away when you install Visual Studio. If all test machines had Visual Studio installed on them, then this bug would never be found!

4. Just today I had to debug a problem that occurred only immediately after installing the OS. No chance to install VS even if you wanted to.

5. If you're debugging the OS itself (say the window manager), then you can't use a GUI debugger since it needs the window manager to draw its UI!

Conclusion: Since so much debugging is done in situations where GUI debugging is not possible, you are quickly forced to become an expert at command line debugging. At which point the incremental benefit of a fancy debugger is rather small.

"You can't possibly debug any significant size project in this fashion."

Shhh, don't tell the Windows team. Not all debugging is done at asm-level, but a significant chunk is. They'd be pretty disheartened to learn that what they're doing is impossible.

Re:How Does It Encapsulate the Source Code?

The binary code can still reveal the vulnerability being worked on, if it includes a serious bug M$ isn't aware of yet.

Re:How Does It Encapsulate the Source Code?

[Sir_Sri]

The visual studio thing is actually an interesting question. If, in the process of writing code you crash visual studio, or the whole OS and then send an error report to MS will it contain your source code? To some degree the same applies to any application, if you crash notepad++ and send a crash report to MS it would make sense that it contain well, whatever was being typed in notepad++. if you crash your copy of Mafia 2 does it send the savegame?

It's somewhat outside the scope of the article, but really, all those crash reports you can send to MS have to contain a lot of stuff for them to be useful.

Re:How Does It Encapsulate the Source Code?

People who think source code is the be all and end all of programming are often hilarious. "I don't have the source code, therefore I can't understand what the program does." "I don't have the source code, therefore I can't understand what the program is doing." I mean, have you ever used a debugger before, or do you spam your code with thousands of log statements? In most crashes, all you need is a copy of the stack and registers to deduce how it was caused. A hacker can be identified from his continual shifting tactics to exploit a program in a way that works.

Re:How Does It Encapsulate the Source Code?

[SilverEyes]

Not necessarily. Microsoft uses to reports to fix Windows problems or problems with their own products (or third party drivers, etc). They have that source and symbols. All they need from the user is the memory space and exceptions of the faulting process and which version of symbols were used.

I don't think Microsoft really cares about fixing application crashes other than for their public perception. They would be concerned that a Windows crash was possible in some particular way, and didn't recover/fail gracefully - and this boils down to the code that is sitting below the application code so they wouldn't need your source.

The only data that could be sent would be data currently in the memory space. So if the process had *str1= "Need to buy groceries: meat, eggs, cheese" , *str2 = "Assassinate the president at 17:30 on Tuesday", they would be able to see that by debugging through the stack variables and looking at where it's stored (i.e. heap). I'm not precisely sure how minidumps are configured - they may not include heap information.

Re:How Does It Encapsulate the Source Code?

Debug statements (asserts, etc) would be compiled into the code and sent. Source code, definitely not. VS stores it into an external database (a PDB file which maps code to instructions) and it can be 100s of MBs; sending that crash log would take hours. IIRC crash logs don't include heap memory, just the memory for code (including all DLLs) so that would rule out save games.

Really guys. You're talking about Windows, which has billions of dollars in corporate invested developer money. Microsoft isn't snooping on your revolutionary code. Lay off the FUD please.

Re:How Does It Encapsulate the Source Code?

[internewt]

Yeap, the integrated spyware in many applications, mostly proprietary ones, is one of the worst things about current software.

The spyware is usually presented to the user as some hand-holding feature, like update checks, or crash reporting. This article does demonstrate though that at least 1 proprietary vendor does get and look at data that could be potentially private. What if IE crashes on a private website, like an intranet or password protected www site for a few friends? MS will get at least some of that data, it looks like.

The article presents the story in the context of nasty hackers (but I think they took out the bit about the hackers being paedo-terr'ist hackers), which is exploiting most users' naivete. The users don't realise that if the baddies can have their privacy violated, the goodies can too. Proper journalism would have addressed this, but ZDNet is just another example of an industry rag trying to promote the industry as wonderful.

The possible extra info leaked when things like crash reporting and update checks are performed has always been enough for me to turn off features like those, or even avoid products with those features. eg MP3Tag gained an update check mechanism, I removed the application and installed the oldest version without the spyware.

Re:How Does It Encapsulate the Source Code?

You want to bend McCain over a bush - and do WHAT?!?! You deviant . . .

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

"5. If you're debugging the OS itself (say the window manager), then you can't use a GUI debugger since it needs the window manager to draw its UI!"

*cough*

In any REAL OS, the window manager isn't part of the OS. All a window manager is supposed to do is - like - you know - MANAGE THE WINDOWS!

Oh, sorry, I forgot. We're talking about Windows OS. My bad.

Re:How Does It Encapsulate the Source Code?

[dave420]

Score: 5, Muppet

Did you miss the bit where Windows asks if you want to submit the data? Apparently so.

Re:How Does It Encapsulate the Source Code?

[C0vardeAn0nim0]

some programas can be "decompiled" into a more human readable text.

if you have a *NIX/linux box around, try running something through strace. see all those system and library calls? that and an automated analysis of how the program flows can give you something close to the original source program. now, if the binary still have the debug symbols (i.e. it's not a stripped binary), it's even easier.

Re:How Does It Encapsulate the Source Code?

So, you gave up on bugfixes and new features for MP3Tag because they added an optional update checking mechanism and Microsoft is violating your privacy because they offer you the option to send a report if an application crashes.

It's insane that stuff like that get's modded up.

Re:How Does It Encapsulate the Source Code?

[Len]

RTFA

But it's all the way in Australia!

Re:How Does It Encapsulate the Source Code?

How about we just take a dump and send it to Microsoft? And, let's be fair, send one to Apple too for their crap-laden Quicktime.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

Not sure why this is modded insightful. RTFA doesn't answer the question, except to say

When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

it doesn't explain how the "error details" comes to be "including the malicious code". He goes on to say

"People have sent us their virus code when they're trying to develop their virus and they keep crashing their systems," Heckman said. "It's amazing how much stuff we get."

System crash implies a bluescreen - which further implies a memory dump -- but R-ing TFA doesn't answer the question one way or the other.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

amazing FUD

Remember folks, here at Slashdot, asking a question is Fear, Uncertainty and Doubt.

Actually I think he meant Fuzzy Underwear Daemon. But I'm not positive.

Re:How Does It Encapsulate the Source Code?

Uh, no. The ideal case for an assembly decompiler is with a C or C-like language that only supports imperative programming. Even still the produced code will probably be 2-10x as large, exceedingly verbose, and largely incomprehensible due to style and naming loss, missing comments, inline expansion, and algorithmic unravelment. It's good only for function-by-function analysis with non-small programs.

Once you get into higher-level languages that support things like functional and template metaprogramming, exceptions, class semantics including polymorphism and virtual inheritance, and a Turing-complete preprocessor, decompilation quickly becomes ridiculous with a generated code size 50-300x as large as the original codebase.

Re:How Does It Encapsulate the Source Code?

That anal-retentive pedantry isn't really relevant at all. If you're debugging the window manager, or anything else the GUI debugger depends on, whether or not it's part of what you want to call the OS, then you can't use the GUI debugger.

A window manager is part of every Windows OS distribution SKU for ages. So if you're debugging a part of a Windows distribution, THEN you can't use a GUI debugger. Happy?

Re:How Does It Encapsulate the Source Code?

Since people have already explained browser-based hacks, let's go for the other situation:
If you're dev'ing a standalone program and it crashes, Windows Error Reporting will offer to send the process's coredump to MS (which means it's already isolated), who offers this compilation of crash information to developers for a fee. This is how normal developers can benefit from WER.
If you're dev'ing a standalone program and *Windows* crashes, they'll be the ones that get said coredump. If it happens often enough, MS will get interested. When MS gets interested, it'll task its army of compatibility experts to disassemble the program and figures out what's going on. These guys are good. Very good. We're talking over 10 years of experience-good. (Google "Old New Thing" and read Raymond Chen's stories about how they get badly-behaved programs to work for a new Windows version)
They don't NEED to see the source. The disassembly works just as well. So yes, anytime a wannabe hacker clicks Yes to WER, MS gets a little message detailing exactly how they're trying to break Windows.

PD: Before the MS-haters pop up: No, that doesn't mean they magically and instantly fix everything. Windows is fucking huge and debugging's a slow process. And we all know the smart guys don't click yes to the WER dialog anyways.

Re:How Does It Encapsulate the Source Code?

what part os "some" you didn't understand ?

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

In any REAL OS, the window manager isn't part of the OS. All a window manager is supposed to do is - like - you know - MANAGE THE WINDOWS!

How many OSes ship with a window manager? I'm guessing at least 90%. Almost all Linux OSes do. Apple's OS X does. Windows does, obviously. Solaris does.

So which OSes exactly do you consider "real?" (And, as opposed to what? Imaginary?) I'd love to know.

Re:How Does It Encapsulate the Source Code?

... what?

Re:How Does It Encapsulate the Source Code?

that and an automated analysis of how the program flows can give you something close to the original source program.

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

The standard Linux OS ships with at least one window manager. It also ships with hundreds of applications that I generally find no use for. In a real OS, you can CHOOSE which, if any, window manager you want to run. The window manager is not the OS.

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

Anal retentive? I've been called a lot of things, but not that. Perhaps you should re-read what I said. "In any REAL OS, the window manager isn't part of the OS. All a window manager is supposed to do is - like - you know - MANAGE THE WINDOWS!"

Now, bear in mind that even with Windows, you can change out the shell under which you are working. That is, change out the window manager for something more to your liking. Nextstep or some such a thing. Sure, it relies on the Windows OS to run - but it's a completely different WINDOW MANAGER.

Anal retentive. Grow up, kid.

Re:How Does It Encapsulate the Source Code?

ObBashQuote: #222389

<AcidGame> Shit!
<legozrule> What?
<AcidGame> I downloaded an xbox emulator, and when I tried playing a game, it locked up, so I decided to end it.
<legozrule> Then what?
<AcidGame> I accidently clicked 'send error report to microsoft' >_<

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

The standard Linux OS ships with at least one window manager.

Ok, so you're confirming my point.

The window manager is not the OS.

No, it's not the OS. But it's part of the OS.

Look, we all know what you're doing here. You're trying to create some stupid artificial distinction between Windows and other OSes so that you can feel justified in calling Windows a "fake" OS. (Or whatever opposes "real" in your little worldview.) Fine, you hate Microsoft, we get it.

You're trying to redefine OS to mean "the kernel and maybe some CLI utilities." That's not what the term means, that's not what it's ever meant.

So if you're going to hate Microsoft, do so in a way that makes sense and doesn't require redefining terms everybody knows. Hey, you could even *gasp* come up with *actual reasons* to hate them, instead of making up some stupid shit like "Windows is inferior because it ships with a window manager, hur hur!!"

Re:How Does It Encapsulate the Source Code?

[ian_from_brisbane]

System crash implies a bluescreen

Maybe if 'system' means the OS, but not if 'system' means the hacker's program/virus/code, in which case you might just get an end program prompt.

Re:How Does It Encapsulate the Source Code?

[mhelander]

To be fair, so do everyone who send in the data.

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

No, I'm trying to point out that a window manager is NOT PART of any operating system. If you really think that Windows won't run without a window manager, then you don't know Windows - or any other OS. For most people, a windows manager is a crucial part of the DESKTOP - but that doesn't make it part of the OPERATING SYSTEM. I'm not even trying to define DOS for you. (just to head off some asinine commentary on MS-DOS x.xx or any other - DOS means Disk Operating System)

The OPERATING SYSTEM need not even include much in the way of CLI utilities. I can set up a router or a server, then rip out almost every thing that isn't directly related to the services that I want to run. It's STILL an operating system with no window manager.

Stop assuming that you know what I mean, or what I intend, and admit that a window manager is not part of any operating system. Like any other part of a desktop, you can mix and match to suit your own taste. Hur hur back at you.

Re:How Does It Encapsulate the Source Code?

When VS crashes and you opt to send an error report, sometimes you get a second dialog that says something along the lines of "It seems like what caused the crash had to do with VS interacting with your code, do you mind if we grab some of your code files along with the error report?" You can click no if you don't want to give up your code, but most people probably just clicky-clicky.

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

No, I'm trying to point out that a window manager is NOT PART of any operating system.

Ok; we'll do it your way. OS means something completely different than 99.9% of the population understands it to mean. We're in Bizarro Runaway1956 World right now. I just grew an evil goatee.

If you really think that Windows won't run without a window manager, then you don't know Windows - or any other OS.

Wait! You just said Windows wasn't a "real" OS because it shipped with a window manager. Now you're saying that Windows runs just fine without a window manager-- just like any other OS!!! (We've already established that most other OSes ship with a window manager.)

So how is Windows not a "real" OS? Even in Bizarro Runaway1956 World your argument doesn't make any goddamned sense as anything except a rationalization allowing you to make fun of Microsoft.

Now let's re-enter the real world:

If you really think that Windows won't run without a window manager, then you don't know Windows

By that logic, "OS" means "kernel". After all, NT will run without a window manager, without any device drivers, without any filesystems, without any applications. So obviously the drivers, filesystem, and all applications are not part of the OS... right? I'm just using your words here.

The OPERATING SYSTEM need not even include much in the way of CLI utilities. I can set up a router or a server, then rip out almost every thing that isn't directly related to the services that I want to run. It's STILL an operating system with no window manager.

And how does Windows fit in? You can strip down Windows to exactly what you need as well.

Stop assuming that you know what I mean, or what I intend, and admit that a window manager is not part of any operating system.

Look, even if we enter your Bizarro World, and assume "OS" means "kernel", we've already demonstrated that your assertion that Windows isn't a "real" OS *makes no sense*. So why did you even post that little gem in the first place? It's just a completely random dig at Microsoft for absolutely no reason. (I'm happy to notice it got modded appropriately.)

You've yet to explain:
1) What other OSes are "real"
2) What the alternative to "real" even is. Is Windows fake? Is Windows imaginary? Is it irrational? "Real" has many definitions, and we don't know which one you're using.

Re:How Does It Encapsulate the Source Code?

[malakai]

Windows Error Reporting only sends mini-dumps. You won't see code or contents of notepad/word etc. You get the callstack for all running threads, exception information that caused the fault, list of all loaded modules and processor context for all threads.

Re:How Does It Encapsulate the Source Code?

[Sneezer]

The reason the article doesn't explain how Microsoft crash dumps work is because no one understands them.

This guy seems to be closest to understanding of anyone I've found:
http://www.wintellect.com/CS/blogs/jrobbins/archive/2009/05/11/pdb-files-what-every-developer-must-know.aspx

Re:How Does It Encapsulate the Source Code?

You're misusing quantifiers. Just because a WM isn't a part of your router's operating system doesn't mean that it isn't a part of Windows, the operating system. For the obligatory car analogy, you're acting as if spinning rims aren't a part of any car, because they aren't a part of some car.

Re:How Does It Encapsulate the Source Code?

[internewt]

So, you gave up on bugfixes and new features for MP3Tag because they added an optional update checking mechanism...

Yes, yes I did avoid bugfixes and new features, as the principle of privacy is more important to me.

The choices are use an old version of the software, use a current version and live with a lower level of privacy (the application notified the developer each time the application was run, IIRC), or use a different product. As I quite like MP3Tag, I took the first choice, though have been keeping my eyes peeled for something to fit category 3.

MP3Tag, even though it is freeware, isn't OSS. I would rather use Free software whenever possible these days. The more software has features that possibly benefit the developer or publisher more than the user, the more I step away from using their products at all.

A developer doesn't want support questions from users on old versions, and an update mechanism helps push users onto the new versions. For for-profit entities, the fewer versions the user base are using, the lower the support costs.

and Microsoft is violating your privacy because they offer you the option to send a report if an application crashes.

An option that is ticked by default, in not a simple to find place. Any declaration of privacy compromise will be hidden away in pages of legalese that very few people read, and fewer understand.

I know I don't understand legalese, nor the inner workings of Windows, or other proprietary products, so I act sceptically about anything that is said.

It's insane that stuff like that get's modded up.

What is insane is how the user is seen as secondary to the desires of the developer[1], or the business' interests, and that people accept this shit situation!

[1] Though a simple utility can be someone's pet project. As much as users might bitch, its is ultimately up to the developer how the application works, and what features are there or not. The user is free to walk away when they like.

Re:How Does It Encapsulate the Source Code?

God damn you are a fucking nerd.

Re:How Does It Encapsulate the Source Code?

[internewt]

Nice to think being a muppet is worth modding up.

Also, you have to trust the optional submission isn't buggy, and does what the user wants. Yeah, that's clutching at straws, but I can think of at least one instance of proprietary software privacy raping when it shouldn't have been. Real, years ago, was "accidentally" uniquely identifying installations of its player when it declared them anonymous.

The data collected via crash reports and update checking mechanisms could have commercial worth to the vendor. They have a financial interest in possibly misleading the user as to exactly what the update checks or crash reports do.

Re:How Does It Encapsulate the Source Code?

[jeremyp]

It's just a completely random dig at Microsoft for absolutely no reason.

Of course it is. The discussion was about how it's impossible to debug Windows with a graphical debugger especially when it's the Windows Manager you are debugging. The fact that the said Window Manager is tightly integrated into the system is irrelevant.

The fact is that, if it runs in the GUI, a debugger tends to be unresponsive when the GUI is stopped on a break point.

Re:How Does It Encapsulate the Source Code?

[shutdown+-p+now]

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Let me try to explain how this works.

WER (Windows Error Reporting) applies to any application you run on Windows. If something crashes, you'll be offered to send a report. In fact, third-party application developers can register to directly receive reports for their apps through the same system. For MS apps - including Visual Studio - the data ends up at MS.

The "phone home" process, as of Win7, works that way with the default settings: the initial "phone" on crash is automatic (you will see the "Windows checking for a solution to a problem" dialog), but includes the absolute minimum of information - name of binary that crashed and its embedded version number, that kind of thing. This is used to determine if the problem is known, and to direct the user to a web page describing how to solve it (e.g. update an application). You can change these defaults - including switching the thing off altogether - at "Control Panel\System and Security\Action Center\Problem Reporting Settings".

If the issue is not known, the user is explicitly requested to send additional information to MS to help debug it. If you don't click "Send", then nothing else goes. Now that stuff actually includes a process dump of the offending process, which can, obviously, include some private information. That is covered by this privacy statement. It will also tell you what data, exactly, it is going to send, so that you may look at it and decide if you want to proceed or not.

Now, the only way your source code can end up in that report is if you get Visual Studio (or whatever application you're using to edit the code) to crash, and then send the report via WER. Even then it's not a given, because, by default, reports do not include process heap data, only the stack, so that the report is small and is uploaded quickly without annoying the user. Gathering of heap data (and then still only of the offending processs) is enabled on a case-by-case basis when it's deemed necessary for identifying the source of the problem. And, of course, practically all text editors (including VS) keep edited code on the heap.

In case of TFA, they're rather talking about people writing exploits, which, by definition, do something that is normally caught by WER. A successful exploit won't be, of course, but before you get to that point you'd likely spend a lot of time testing & debugging it, and then you'd get a few WER-reported crashes. If you send in those, loaded parts of the binary may end up in the report. It's not the source code, of course, but then exploits are typically very small and low-level, so there isn't a huge difference between source and assembly in understanding how they work.

Re:How Does It Encapsulate the Source Code?

[shutdown+-p+now]

It is possible for a developer investigating a WER report to request that further reports also include the heap of the offending process. It is only used sparingly, to investigate tough issues where some crucial information is on the heap, because it significantly increases the size of the report, and the amount of time it takes to upload it (and therefore the likelihood that the annoyed user will just click "Cancel" before it completes). But it is possible. And heap dump will likely include the "code or contents of notepad/word etc" - assuming the process that crashed was notepad.exe or winword.exe.

Re:How Does It Encapsulate the Source Code?

Yes but you can blame the journalist for that. They are obviously talking about the "Program X has encountered a serious error and needs to close. Would you like to report the problem to Microsoft?" dialogs. Those ones presumably send in the working memory of the crashing program only, which would be relatively small when compressed, if the exploit code is small, which it usually would be. Code here means machine code, which contrary to popular belief, is actually quite easy to turn back into a mostly readable assembly file, if it contains debugging symbols. Which it will, if it is still being developed.

Also don't forget that these things work by exploiting bugs and causing crashes. If, for example, you're trying to overflow a buffer to inject code, it might take you a while before you find the right things to overflow with before you find the set of input that causes it to crash in the way you want.

Also "script kiddies" is wrong by definition since script kiddies don't write exploits, they download them from the internet.

Dunno why I am bothering to write this since nobody reads AC comments anyway.

Re:How Does It Encapsulate the Source Code?

Yes it does answer the question if you understand what is gathered in the memory dump. Among other things, the memory dump includes the area of memory containing the code that caused the crash. Ergo, when the dump is sent to Microsoft they get the malicious code.

Re:How Does It Encapsulate the Source Code?

"When THE HACKERS SYSTEM crashes IN WINDOWS [...]" (emphasis mine). That is, the hacker's program crashes, not Windows. So while Windows the OS is still happily running (i.e. not blue screening), it notes the crash and offers to send details about the running program to Microsoft. It won't send the code per se, but it will possibly send a stack trace which is indicative of the code.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

The problem is that they don't specifically say that it was a crash dump. Very good article, BTW - thanks for posting it. I was surprised to find a couple of tidbits in there that I didn't already know on the subject.

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

Allow me to explain in depth.

Dummies think that what they see on the screen is the operating system. If it's pretty and shiny, then it's a good operating system. If it's not so pretty and shiny, then it's a bad operating system.

If the window manager is the operating system, or even an important part of the operating system, then so is notepad.

To use AC's car analogy - after market, bolt on optional parts that might find their way onto your car are NOT part of the car. Not the fuzzy dice hanging from the mirror, not the lighted license plate holder, not even those horrendously ugly rims that kids have to have. And, most certainly not the 30 million decibel base thumping speakers that require you to remove the backseat for installation.

No real operating system requires a window manager to do it's job. Does Windows REQUIRE a window manager to run? You tell me. Is Windows a real operating system, or not?

Now, get off of my lawn.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

As you pointed out - due to a journalist who didn't know the right questions to ask (or who cared more for the sexier info about how XSS and injection were still popular attacks) we can't be 100% sure but I would agree with what you wrote. The amount of data sent in a crash dump is limited, but sufficient to see the exploit code.

Re:How Does It Encapsulate the Source Code?

[QuietObserver]

I've seen at least three comments by you that have been modded "Troll" without and viable justification (in my opinion). You have at been succinct in your statements, and are making no offhand accusations, that I can see. I only wish I had points so I could correct this injustice for you. Thank you for the thought provoking statements.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

Great! Could you point out where he mentioned the memory dump?

Why no, no you can't. That's because he didn't - or the reporter didn't bother to report it. I'm not saying it's not the case -- it probably is -- but the I *am* saying that RTFA isn't the right answer here because TFA doesn't have the details.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

Except who refers to a program crash as a system crash? This is probably just a case of imprecise reporting , but my point was only that the article as written really didn't have enough information to say for sure -- without making assumptions.

Re:How Does It Encapsulate the Source Code?

[thePowerOfGrayskull]

Yeah, just oddly worded. I'm guessing the reporter got something mixed up.

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

If the window manager is the operating system, or even an important part of the operating system, then so is notepad.

Notepad is part of the operating system.

No real operating system requires a window manager to do it's job.

To my knowledge, the only operating system that required a window manager to do its job was Mac Classic, and I might be wrong about that.

Does Windows REQUIRE a window manager to run? You tell me.

No it does not. Wait, you're asking ME? You're the one claiming Windows isn't "real", and now you're admitting you don't even know this about it? Why should I take your authority on what is "real" and what isn't, since you're not even familiar with the product we're discussing?

Is Windows a real operating system, or not?

Since you still haven't explained what "real" means in your little parlance, I'm going to assume you're talking about the definition of "real" and most effectively makes you look like an idiot:

Of course it's fucking real. What do you think, every other person on Earth is hallucinating except yourself?

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

Oh, dear GOD! Now, Notepad is part of the operating system?

Those tens of thousands of people who have used Nlite to strip trash out of the Windows OS, removing Trident, IE, Media Player, and more - what OS are they using? I guess it's not a Microsoft Operating System anymore, right?

Quite obviously, you don't speak English, and/or you fail to understand what an operating system is. The only other explanation for this "discussion" is that you are a Microsoft shill.

I should use your statement as my sig. "Notepad is part of the operating system" - Blakey Rat

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

And you still haven't defined "real."

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

A real operating system enables you to use your computer to perform tasks that you define. For the computer illiterate, that would mean providing a nearly idiot proof GUI. For the computer literate, such a GUI may or may not be desirable. But, the WINDOW MANAGER is just one of many utilities availabe to an operating system. The window manager is NOT part of the operating system - not even in Windows. It can be torn out and replaced, even by someone who is not especially computer literate.

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

Ok. And Windows isn't "real" by that definition because...?

I'm just asking you to support your own point. It's not like I'm grilling you or anything-- it took like 8 posts just to get you to define "real", now I need to find out why Windows doesn't fit that definition.

Re:How Does It Encapsulate the Source Code?

[b4dc0d3r]

Wow you're wrong and have no idea how wrong you are. Almost everything the GUI does is thread-safe, except for the odd MUTEX. In the GUI, those are really very well handled, although the rare mishap does occur. I routinely debug the window management code from another window. Even under SoftIce, which is supposed to run under the OS (Win9x), it actually runs inside the OS as a kernel level service and simply manages its own window. You can still see the other windows being managed, while debugging the window management.

The key is that it is thread-safe. It loads its context usually from fs:0 and continues on its way, unaware that it's being debugged. Hit a breakpoint and you stop that thread, but all other threads continue. Each process is separate, and you can have separate instances of the shell. It's the checkbox in Win9x that says to run explorer in separate process, or something like that - the folder options. So one crash doesn't crash the whole shell. They are not just separate threads, but separate processes that continue executing regardless of how bungled what you're debugging gets. Until you fault in kernel mode, in which case BSOD brings the whole house down.

So I'd like to know more information on just how wrong the past 20 years of assembly-level debugging on Windows have been for me, if you have an explanation.

WinDBG runs as a GUI app (it's actually a terrible bolt-on of a GUI onto a command-line interface), but you can debug the GUI all day long with it. Most of the GUI is not in the kernel, and in Vista they actually moved almost the whole thing out of the kernel. They moved it back in Win7 becuase of context-switching performance problems, which is why it was kernel mode to begin with. But most of it is outside. So you can debug the majority of the GUI at user mode. Things like SoftIce, which are really kernel-mode debuggers, can debug the kernel mode GDI code while it's running. Only if you use something like kdb, which is set up to run remotely, do you run into not being able to debug the GUI, and that's only a small fraction of the code.

Not sure if I'm being repetitive, or merely repeating myself enough times that you might think about reading some of this and learning.

Re:How Does It Encapsulate the Source Code?

[Kalriath]

And don't forget that developers can also request that further dumps include (pseudo-)arbitrary files from the file system as well.

Re:How Does It Encapsulate the Source Code?

[Pigskin-Referee]

The reason the article doesn't explain how Microsoft crash dumps work is because no one understands them.

This guy seems to be closest to understanding of anyone I've found:
http://www.wintellect.com/CS/blogs/jrobbins/archive/2009/05/11/pdb-files-what-every-developer-must-know.aspx

man xorg.conf(5)

VIDEOADAPTOR SECTION
              Nobody wants to say how this works. Maybe nobody knows ...

Re:How Does It Encapsulate the Source Code?

[KiloByte]

It's not impossible, it's just orders of magnitude harder and less efficient.

And if, as Raymond claims, a significant chunk of debugging is done that way, it's no wonder why Windows is buggy to such a ridiculous degree.

Debian and probably most if not all other distributions mandate all packages to be compiled with -g for this reason, and when a toolchain problem on hppa broke -g in a good deal of cases, that was the stone that caused hppa to get dropped from squeeze.

Re:How Does It Encapsulate the Source Code?

[Runaway1956]

It's your PERCEPTION of what an operating system is. It's the common man's PERCEPTION of what an operating system is. I use Linux almost exclusively. If I show someone the CLI, they aren't the LEAST bit interested. If I show them the X desktop, they are slightly more interested. Show them Gnome or KDE, the interest level goes up. Compiz? They just ooh and ahhh over it, creaming in their jeans.

It's PERCEPTION of what an operating system is. Each of my desktops are capable of doing the very same tasks, equally well.

The desktop is just eye candy - it is not an operating system. The REAL operating system is hidden from all the clueless people who believe that a window manager is the OS. And, from people who think that Notepad is part of the OS.

Unix, Solaris, Linux, or even Windows - you can do more real work from the CLI than "most" people have ever done inside of a window manager.

Re:How Does It Encapsulate the Source Code?

[Blakey+Rat]

And Windows isn't a "real" operating system because...?

You know if you ever answer the question, I'll stop asking it. I'm not even going to bother arguing with your more ridiculous statements. I'm just waiting for you to explain *your* *own* *assertion* about Windows.

(I'd love to see an architect get more work done with a CLI than a GUI-- or a musician, or a 3D artist, or pretty much anybody on Earth other than a Linux system administrator. If you honestly believe your last paragraph, that just means you've led a very sheltered life.)

To Be Fair

[sonicmerlin]

They're not necessarily all trying to be malicious. For a lot of people learning code requires hands-on experience, and if hacking is their interest and primary motivator to improve their coding skills, what better target to experiment on than one of the most hated software companies in all the lands?

Re:To Be Fair

[pnewhook]

Yes thats a great idea. And I want to improve my marksmanship so I'm going to go shoot up some banks and a few police stations. I'm sure they will understand I'm only trying to improve my skills.

Re:To Be Fair

[tehcyder]

I think that if you want to be a hacker/cracker, it's probably not a good idea to take your first baby steps in public, as it were.

Re:To Be Fair

[Your.Master]

This isn't about arresting people, it's about fixing exploits. It doesn't matter how pure or foul their intentions were; if they send the exploit to Microsoft then Microsoft can detect and fix it.

::head shake::

[Pojut]

Fucking script kiddies...in MY day, we actually HACKED.

Wait, I was born in '84...

Re:::head shake::

[oodaloop]

Soooooo should I get off your playground, or what?

Re:::head shake::

[Pojut]

I'm totally going to use that...awesome :-)

Re:::head shake::

[thijsh]

Get out of my dystopian future! I'm from 1984...

Re:::head shake::

[inode_buddha]

I feel old - 1967 here. My first memory of computing involved punch cards.

Re:::head shake::

[thousandinone]

I was born in 83. Gimme ur lunch money, kid!

Re:::head shake::

[confused+one]

damn kids. While you were still being carried around in your Mama's belly, I was already hacking...

Re:::head shake::

[Is0m0rph]

1970 here. I learned to program basic on TRS80s when I was a kid and did most of my early hacking on an Apple 2. My first calls out were on an Apple Cat with an acoustic coupler.

Re:::head shake::

[PinkFreud]

I was born in 83. Gimme ur lunch money, kid!

1976. Now get off my lawn.

Re:::head shake::

[interval1066]

'63. Get off of MY lawn.

Re:::head shake::

[sconeu]

Darned kids today! Why, back in my day, we didn't have no fancy computer or nothing. We had to count on our fingers! In a raging snowstorm! And we liked it that way!

Rassum fassum mumble grumble darned kids...

Now git offn' my lawn!

1962

Re:::head shake::

[Ed_Pinkley]

I'm near the same age. My first was a TI 99/4a... with a cassete tape drive. Yea! Then, I had a commodore 64. Did you script kiddies have to type in your programs from a magazine? No? Didn't think so! *And* to get to the store that sold the magazine I had to walk up hill.. (wait for it) both ways! badump psh.

Re:::head shake::

[Lord+of+Hyphens]

1985, although my first computing experience was BASIC on a TRS80 when I was 6-8. Friend of mine had an Apple IIc. Not quite sure of the implications to my geek cred there, though.

Re:::head shake::

[BigBlueOx]

'52. Get ... um ... the hell ... ah ... what were we talking about?

Re:::head shake::

[X0563511]

'86 - Basic on a TI-99/4.

That said, coding never really caught my interest.

Re:::head shake::

[PinkFreud]

Well played. Now, go take your alzheimers medication before you forget. *duck*

Re:::head shake::

[jd]

'69. You may be older, but I'm holding Woodstock on your lawn whether you like it or not.

Re:::head shake::

[LVSlushdat]

1950... Get Off My.... what was I thinking about???

Re:::head shake::

You're not a real hacker unless you've blown a captain crunch whistle into a phone.

Re:::head shake::

[DFurno2003]

You probably cant hear him telling you to get off his moms lawn as sound does not travel out of the basement well.

Re:::head shake::

..If you voted for Comrade Obama, check back with me in a couple years.. I'm betting you won't like him then...

Well, it's been almost two years since I voted him, and other than the fact that he's too far to the right on gay marriage, I'm pretty happy.

Re:::head shake::

[Mad+Leper]

1962 here, earliest memory was using batch processed punch cards in Junior High. Hand your card stack over to the teacher on Monday, Board of Education would process them on Wednesday and you'd get your printout back on Thursday. Correct your errors and send them back next Monday.

High school had an actual computer with drum memory and a teletype with a paper tape reader. Spent many late nights entering the code for the TREK program, damn my fingers hurt from pushing those keys. Wish I had kept the paper tapes, only my sliderule remains as a memento.

Re:::head shake::

1983 here. I did my first hacking by beating my head against Seth Warner's two volume "Abstract Algebra". My hacking is much cooler than yours.

Re:::head shake::

[Convector]

You were born the same year that Agricola defeated the Caledonians in the Battle of Mons Graupius?

Re:::head shake::

[Is0m0rph]

I didn't go to school for coding I went for Electrical Engineering. But I've been a software developer now for the last 16 years.

So then what's with the wait?

[damn_registrars]

From the summary

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

Re:So then what's with the wait?

[Hinhule]

Maybe their servers run Linux?

Re:So then what's with the wait?

[halfaperson]

Most likely the majority of those are simple denial of service attacks.

Re:So then what's with the wait?

[ScentCone]

why don't they respond quicker?

What makes you think that any of those 7k script kiddie attacks on MS's public-facing web presence actually show with anything the least bit new?

Re:So then what's with the wait?

[nmoog]

I'm guessing it's because the real "hackers" don't accidentally click the send button.

Re:So then what's with the wait?

[DIplomatic]

From the summary

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

In what possible way does an attack across the internet at Microsoft.com translate to exposing a flaw in the Windows operating system? That's like saying submitting an angry letter to the editor of your newspaper exposes the fact that one of the side windows on your house doesn't close properly.

Re:So then what's with the wait?

[Shados]

I know you're jesting, but aside for their download/msdn sections sometimes being hosted by a third party who actually does run Linux, Microsoft.com for the most part runs on IIS. Not only that, but its actually hosted on SharePoint.

Re:So then what's with the wait?

[damn_registrars]

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

In what possible way does an attack across the internet at Microsoft.com translate to exposing a flaw in the Windows operating system?

If you read the start of the summary:

When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft

So the attack they are describing is actually the malware crap that is being sent in after windows crashes. Hence we aren't actually talking about www.microsoft.com being attacked - although one might expect that to be running windows server anyways - rather we're talking about random workstations around the world being attacked or used as guinea pigs.

Re:So then what's with the wait?

[PePe242]

Real hackers use MS-DOS!

Re:So then what's with the wait?

Summary reading fail

Re:So then what's with the wait?

[ageoffri]

I deal with IDS every single day. Now granted MS is being attacked several orders of magnitude greater then what I deal with, but between IDS and firewall nearly every single attack will be blocked before it hits the first MS server. Then hopefully MS is following good security standards and only has the presentation layer in their DMS with more firewall and IDS or IPS and you have a multi-tiered defense that means the actual servers see very, very few attack attempts.

Re:So then what's with the wait?

[pnewhook]

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

Do you really think any of those 7000 to 9000 attacks actually got through? No, so therefore they are already fixed. These are just stupid script kiddies learning to be terrorists. They are probably just modifying code fond on the net that has long since been protected against.

Re:So then what's with the wait?

You're incorrect, though the summary is confusing so I see how you could get lost.

The summary is talking about 2 things

1. "Hackers" who are testing malware that crashes systems often unintentionally send the report of the crash and what caused it to Microsoft.

2. Microsoft.com is often attacked via the web, to the tune of 7000-9000 times per second.

These two things are largely unrelated. Go back and re-read TFS.

Re:So then what's with the wait?

[interval1066]

No, real hackers turn off that stupid "Help" background process.

Re:So then what's with the wait?

[wkcole]

From the summary

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

Smart attackers do not aim new types of attack at MS or other targets where there is likely to be clueful attentiveness. As anyone who is engaged in clueful attentiveness to external attacks against heavily-attacked systems knows, the actual risk is not evenly spread across all attacks and the overwhelming majority of attacks are completely harmless for minimally protected systems. For example: I have managed systems that have seen SSH password guessing attacks bursting into the hundreds/second order of magnitude, but purely passive and simple protective measures (including default configurations of some components) made those "attacks" completely harmless. They didn't even amount to a DoS attack, because they were entirely the result of being a high profile target of a lot of idiots rather than being a really high value target of anyone with half a clue. High profile targets attract every script kiddy on the net, high value targets are usually well enough protected that they aren't useful detection systems. This is why the concept of the "honeypot" exists: a system with a relatively low profile that is made to look like a weakly-protected high-value target in order to attract serious attacks.

Re:So then what's with the wait?

Maybe their servers run Linux?

If their servers ran Linux, it would not survive the 7000-9000 attacks.

Re:So then what's with the wait?

[Tobortaf1]

I'm guessing it's because the real "hackers" don't accidentally click the send button.

haha right - well played.

Re:So then what's with the wait?

[shutdown+-p+now]

Real "hackers" would probably just disable WER entirely.

Re:So then what's with the wait?

[Capt.DrumkenBum]

Then hopefully MS is following good security standards

You are hilarious! Do you do stand up?
Microsoft, good security standards... You are killing me. :)

Re:So then what's with the wait?

From the summary

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

Because those attacks are against a web site, which doesn't have anything to do with the OS people run on their home computers.
They didn't say they get 7000+ crash dump reports per second, and from my own personal experience most crashes I've seen are more a fault of the program not the OS itself. Figure your average click-happy user who will gladly install a file called "deleteallmyshitforme.exe" will also click 'submit' on the crash report when it starts deleting core system files. So most of what they get isn't going to be all that useful for fixing actual security holes in the first place.

Yes... sure...

[xtracto]

'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com.

Ahem.. yes... sure... I attack Microsoft machines only by accident... sorry, didn't see what I was writing in the uRL... not that I *want* to fsck with my beloved MS servers... no way, ahem...

kk, now I'm gonna go back to try installing sub-seven to wga.microsoft.com

Re:Yes... sure...

Hey mod, I found a sense of humor dropped in my thrash can.. you might like to have it.

But

[zarathruster]

Real hackers don't use windows...

Re:But

[maxwell+demon]

Yes, that's because they live in basements where windows wouldn't be of any use anyway.

Re:But

[The+MAZZTer]

They have to test their code somehow...

Re:But

[Kaziganthi]

Well played, sir.

Re:But

[Abstrackt]

That explains why they enter through the back door.

Re:But

Real hackers definitely develop exploits on the only desktop OS that currently matters- Windows. They also run OS X and Linux, and probably a variant of BSD.

Re:But

[zarathruster]

I see what you did there

Decription process running.......

Many "Hackers" inadvertently "send" their code to Micro$loth, the hard part is recompiling their hacker code so they can pretend they wrote it. Wait wait thats not what I said. Damn code borrowing fairies. Where is my +4 sword of truth.

So now crackers have a new way to attack Microsoft

[tomhudson]

An application that generates random gibberish that "look" like a script, then sends it embedded in a fake crash dump to Microsoft for analysis.

"Fuzzing" isn't limited to code on the local machine any more - you can now try it on Microsoft employees.

Then add further fake crash dumps from legitimate apps that didn't crash; enough of them, from enough machines, and Microsoft will be looking for non-existent bugs.

Hilarious

[assertation]

"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman.

So, even if someone steals a copy of the exam for them, Microsoft still can't pass the test? :)

Re:Hilarious

HAhahahahah

Re:Hilarious

[assertation]

I see you got modded down too.

I guess there is just too much of a fanboy culture in tech for comments like mine to be seen and taken as a light hearted joke.

Re:Hilarious

[halfaperson]

Yeah, that or "HAhahahahah" posts just doesn't contribute much to the discussion.

Re:Hilarious

[assertation]

Really?

I can't tell you how many times I seen jokes, with no informative content or even a good point, get modded all of the way up to "5".

My light hearted joke was modded down because of a fanboy culture

Re:Hilarious

[halfaperson]

I wasn't commenting on your joke, but the following "haha" post. But yeah your joke lacked both "informative content or even a good point" so it should probably have been modded +5 :)

Re:Hilarious

[assertation]

True, but I happened to think it was witty and that others would find it so. Of course, I am biased.

It is a sad statement about tech culture that it had to be modded down so that other people wouldn't see it and get their panties bunched up. A more mature culture would have simply ignored it if they did not find it funny.

Preview but no fixes?

[Exitar]

So they get a "preview" of malware, refuse to fix their OS for months after exploits go live and instead blame people that published info about them?

Re:Preview but no fixes?

[Junior+J.+Junior+III]

Maybe they do fix these 7000-9000/day attacks. Maybe there are yet more attacks that the developers are smart enough not to tip off MS about, and those are the ones that they are not patching.

I'm not saying this is the case, but it's a possibility.

Re:Preview but no fixes?

[The+Moof]

It's all signal to noise ratio. Maybe the majority of those attacks are for vulnerabilities they have already patched, or possibly even not even for their platform. Hell, even when I look at my server logs, there are tons of requests trying to exploit a vulnerability in some package I've never installed. Just a quick peek right now shows 2500+ 404 errors looking for phpMyAdmin.

Re:Preview but no fixes?

[AvitarX]

I think there are two different things going on.

Hackers writing actual exploits that are new, and sending crash reports to MS.

And Script Kiddies downlowding and running scripts, which they tend to test on microsoft.com.

The second group are probably low risk, as they are using known code/exploits, the actual hackers on the other hand may actually be revealing some new bugs, with the bug reporting tool. heck, maybe it's intentional.

Re:Preview but no fixes?

Or maybe the fact that these viruses are attempts that failed and don't actually need to be patched against.

Re:Preview but no fixes?

you mean 7000-9000 per second

Funny how TFA stats the same exploits work

I find it sad in a way that the same exploits (SQL injection, etc.) are still the same old standbys. This is something MS really can't do anything about because it is the app developers who have to sanitize their inputs and use parametrized queries.

Microsoft is doing a good job in trying to make the Windows ecosystem as secure as possible. But what keeps MS from doing so in a lot of cases are third party programmers who write code that crashes if DEP is turned on, won't bother with ASLR, and prompts the user for elevated access often. At least the last part is gone somewhat, although developers screamed bloody murder that they can't assume every user has Administrator rights.

Windows is the only platform I know of where developers don't care about it other than to make money from it. On Linux, OS X, iOS, AIX, and other platforms, software makers refuse to shit where they sleep and they make sure that their code is decently secure and well written.

Re:Funny how TFA stats the same exploits work

[LoztInSpace]

I find it sad in a way that the same exploits (SQL injection, etc.) are still the same old standbys. This is something MS really can't do anything about because it is the app developers who have to sanitize their inputs and use parametrized queries.

You mean escaped outputs rather than sanitized inputs, right? Not that there's anything wrong with making sure your inputs make sense, but it's the output that matters.

Re:Funny how TFA stats the same exploits work

[FutureDomain]

Nope. SQL Injection occurs when you don't sanitize the inputs and hackers can pass SQL code to your program that gets inserted directly into SQL queries. You're probably thinking of XSS attacks which require not sanitizing the outputs so that raw HTML can be printed to the browser window.

Re:Funny how TFA stats the same exploits work

Sanitized as in cleaned inputs, to remove the dirty injections

Re:Funny how TFA stats the same exploits work

[jonwil]

Microsoft already has tools like "code analysis" that can pick up buffer overflows and stuff.
There is no reason Microsoft couldn't produce tools designed to check .NET code for things like unsafe handling of inputs, incorrect use of SQL (i.e. using it in ways that leave you open to SQL injection) etc and warn people of potential bugs or security problems.

Re:Funny how TFA stats the same exploits work

[LoztInSpace]

That's why I questioned it. This is ineffective and not really the way to go. Your domain may well determine that certain characters are not allowed but this whole practice of not allowing data that vaguely look like other things is wrong.

Re:Funny how TFA stats the same exploits work

[LoztInSpace]

Not quite what I meant. SQL injection occurs when you don't parameratise your queries. If you do this then there is no reason to clean the input. This is a form of escaping rather than sanitizing, so I kind of class that as output because it's passing my data across some interface that will interpret my data in some way.
So, I basically agree:
1 - escape output according to the requirements of your destination system
2 - in the case of SQL this is achieved by using parameters.

I still maintain that "cleaning" input is wrong because you never know where it's going to go.

What about the competition?

[Fractal+Dice]

Malware is one thing, but how often have competitors made this mistake when developing their products? Is it anti-competitive if Microsoft analyzes competing products that are accidentally sent to them during their development? Would it be practical as a form of corporate espionage?

Re:What about the competition?

[SilverEyes]

It would be utterly impractical. Compare it to just buying the source code or product from their competitor and disassembling it themselves? If they are committed to corporate espionage, why rely on a random variable? VS and Windows don't send source of your project into MS, it sends a crash dump (i.e. core dump) of the process for analysis. Even if you configure a full crash dump it doesn't send source (it would then be full process memory, register state, exception records, maybe pdb's / symbols used of faulting process - not sure).

As others have pointed out though, having symbols and instruction memory can be enough to look for buffer overflow attacks, but I don't think you would want to reconstruct a competitor's product from a crash dump (and most large application products involve more than one process anyway).

Re:What about the competition?

[Nevo]

Microsoft doesn't look at application crashes for applications they didn't develop. If the vendor is a member of OCA, they pass the crash on to the vendor.

Microsoft *will* look at a crash if Windows crashed.

...Fixed Title

[hggs]

Many crackers accidentally send their code to Microsoft.
There, fixed that for you.
--
Did I just say that?

Re:...Fixed Title

[bigredradio]

Thank You.

Re:...Fixed Title

[cciRRus]

Resistance is futile. Accept it.

Re:...Fixed Title

[mcgrew]

I spell it "crHackers". The popular press has bastardized our word, so we need a new one.

People actually do that?

[HelioWalton]

People actually hit the 'send' button? I always hit 'don't send', even if it is a Microsoft product. The "solutions" they give are almost always generic enough to be completely useless. It's not worth the time to look at them.

Re:People actually do that?

[SilverEyes]

While I agree, I have had a case where it linked a driver update that fixed an application incompatibility/crashing issue. It also provides metrics on the scope of an issue to MS which they may presumably pass on to other companies... oh wait, you said 'almost always'.

Re:People actually do that?

As a developer, we've had Microsoft contact us on a couple of occasions with crash information about our application that was coming in from people sending in those crash dumps. They are definitely not useless.

Re:People actually do that?

[Nevo]

See if the information at http://blogs.msdn.com/b/oldnewthing/archive/2010/08/04/10045651.aspx changes your mind.

Re:People actually do that?

[HelioWalton]

Nope, but now I can go and turn off error reporting! Hadn't realized it was just a service...

What a wank web site

What a fucking annoying website. You click the link, and you get a nearly blank page (thanks adblock). There is a link to continue to the article, but I figure it won't work as I reject all cookies. So I change my user agent to be the Google bot, and the page loads fine.

Oh well, best inform Google that ZDNet is serving different content to the Google bot than Firefox. I think they de-list sites that do shit like that!

And now once the site has loaded, I see they have used position:fixed to keep some box in people's faces. I'm sorry, but the use of position:fixed to display stuff prominently is about as annoying as pop-up windows full of adverts. And the box is trying to get people to join their site, and a link to twitter. So the content of the pseudo popup is simply about trying to get users back to the site over and over. Not something that is actually what the user might find useful, like the stupid slashdot floaty slider thing for adjusting comments being displayed.

There's some fucking wankers of web designers out there.

7000 - 9000 / sec ??

[bl8n8r]

Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are icmp from bots checking ping.

Re:7000 - 9000 / sec ??

[IndustrialComplex]

Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are icmp from bots checking ping.

There are what, 1-2 billion people currently on the internet at any one time (probably exceeds that) Let's say 99.9% don't develop malware.

That would put the number of currently active malware developers at 2,000,000. If 10% of them write a program that tries to attack microsoft.com, that's 200,000 programs. If each one of those only tries once every 10 seconds, that could be 20,000 individual programs attacking microsoft.com every second.

Ok, so maybe somewhere those numbers are inflated. Cut it down by another order of 100. That would be 200 unique pieces of malware.

Now the magic: It's not 0.1% of the internet users developing malware that targets microsoft.com. It's 40-60% of the internet users whose computers have been compromised and are attacking microsoft.com.

So 10k attacks per second? Not a stretch at all. These things scale.

Re:7000 - 9000 / sec ??

[ChronoFish]

"On average we get attacked between 7000 and 9000 times per second.'"

Why is the average a range? Why not just say "On average we get attacked 8000 times per second.'"

Or are they just making stuff up?

-CF

Re:7000 - 9000 / sec ??

[stealth_finger]

"On average we get attacked between 7000 and 9000 times per second.'" Why is the average a range? Why not just say "On average we get attacked 8000 times per second.'" Or are they just making stuff up? -CF

if they made it up they should've said they get over 9000, or is that too obvious?

Re:7000 - 9000 / sec ??

[Blakey+Rat]

Or maybe they didn't expect uber-pedantic Slashdot posters to obsess over every single word.

Look, obviously "X times per second" is an average-- it pretty much has to be unless you want the guy to call out a new value every single second. That would make for a really crummy interview.

What he probably means is "the average number of attacks varies between 7000 and 9000 times per second depending on traffic levels, time of day, number of active exploits, and probably other factors we haven't yet thought of."

You know, the exact same thing a normal non-pedant person would assume he meant.

Re:7000 - 9000 / sec ??

[nikanj]

There are what, 1-2 billion people currently on the internet at any one time (probably exceeds that).

I seriously doubt this figure. China, India and Africa add up to about half of the worlds population, and from what I've gathered they barely have the broadband penetration to have one people in six on the net every day. Having one people in six on the internet at any given time would mean that something like 30% of the population in the western world is online right now, always.

Surely...

[Trelane]

They immediately share the new virus information with the other anti-virus vendors, right?

Of course! That's how windows is written.

[tekrat]

Thousands of hackers across the globe send their malware, virii, and trojans to Microsoft, where it is collected, pieced together and compiled. Then MS puts it in a box and calls it an OS.

If you notice, there is a direct correlation between the number of hackers sending their code to MS and the amount of bloat in each new software package released by MS.

Another mystery solved! You're welcome.

Re:Of course! That's how windows is written.

[SilverEyes]

Best comment ever!

I wonder if enough virii and separate malware are compiled together if it can form some kind of evolving ecosystem (and yes, it was in xkcd, but the idea is far older than that). The next version of Windows will be watching you... you know... more than normal.

Re:Of course! That's how windows is written.

[theskipper]

Holy crap, my kingdom for a mod point.

Re:Of course! That's how windows is written.

[Darth+Hamsy]

This is the one error I can't help but correct, apologies. The word is viruses. 'Virii' is completely wrong.

Re:Of course! That's how windows is written.

[DMUTPeregrine]

Virus has no Latin plural form, so the English plural "viruses" is used. (Virus -i n. slimy liquid, slime; poison, especially of snakes, venom, any harsh taste or smell.)
Thus, it's a third-declension group noun, and thus declines virus, viris, viri, virem, vire. (Nominative, Genitive, Dative, Accusative, Ablative, in that order. http://en.wikipedia.org/wiki/Latin_declension#Comparisons_to_English_usage has a good explanation of what those cases mean.) "Virii" is never correct, because the root is "vir" not "viri". The word is "virus" not "virius"."Viri" can be correct, however, when the virus is the indirect object of the sentence. "Move the cell to the virus" would be correct English, but if one insists on using Latin declensions it would be "Move the cell to the viri."
The Dative singular is the ONLY correct use of "Viri", and even then it's debatable as that's a Latin convention, not an English convention.

Very confusing article

[microbee]

The article is talking about two things: developing virus (and sending crashdump to Microsoft) and attacking Microsoft.com. These are not the same thing.

And a crashdump containing virus does not mean it's the hacker that sent it. It could well be the victim. So while the speaker wants to say something entertaining, I wonder how truthful it actually is.

Re:Very confusing article

[BangaIorean]

And moreover, the piece of news in the article about MS getting system crash reports caused by 'script kiddies testing their malware' 7000-9000 times per SECOND is just too goddamn high. I'd say, take this article with a drum of salt.

Re:Very confusing article

[jd]

Maybe they're testing it live. Admittedly, 7k-9k reports/sec seems high even if you factor in Internet Worm-style growth. Ignoring the setting up and tearing down of connections, those bug reports are presumably non-trivial in size (especially if they include any core-dumps). Even if no actual code gets sent, and the article implies otherwise, searching a database for similar (but not necessarily identical) reports and properly digesting them at the rates described would be murder. There aren't many databases that could handle that kind of throughput. (Even Google doesn't have to do the digesting as well as the searching.)

Now, if the claim had been 7k-9k of crash-dump data per second at peak times, that might be more believable - especially if there's a lot of data involved in any specific crash-dump report.

Re:Very confusing article

On what basis do you think 7000-9000 per second is unusual for one of the biggest and most obvious targets on the web? It's not like one script kiddy has to press and release the enter key for every attempt; they have computers which can automate making attacks.

Why do they care?

[minstrelmike]

Those crash logs are about as useful to Microsoft as the crash logs of Excel or Word. If they aren't paying attention to those, why should they think they could understand anything else?

The basic crashes of first run viruses are probably readable to the employees so that's why they sort of understand what's going on.

in 6.4kB of RAM

These days we are actually dealing with 6.4*10^6 kilo-bytes of it.

Everyone ignores error reporting.

[dicobalt]

One of the first things I do on a fresh install is turn off error reporting. It has always amazed me that I have never seen a corporate network turn it off. Everyday tons of proprietary information is transmitted to Microsoft in error reports.

Re:So now crackers have a new way to attack Micros

[LifesABeach]

You wrote, "...will be looking..."

Wouldn't a corporate policy change that major require a filing with the SEC?

Re:So now crackers have a new way to attack Micros

[recoiledsnake]

Doubt Microsoft employees directly run the code... they instead look at the assembly code to see what the reason for the crash was. Even otherwise, I am sure they use VMs with network access which are wiped and rolled back once testing is done.

"between 7000 and 9000 times per second.'"

Am I understanding this correctly? In the article these are system crashes being sent to MS? 7K-9K of system crashes a SECOND? Wow.

Re:"between 7000 and 9000 times per second.'"

[Your.Master]

No, you are not. Those are attacks sent to microsoft.com. System crashes are a different number which are probably going to a different place.

Re:So now crackers have a new way to attack Micros

[SilverEyes]

I don't know. They are supposed to use their own products, which means they have to use Hyper-V and Virtual PC instead of VMware. I doubt anyone's ability to get those working :P

How did MS use these virus snippets?

[140Mandak262Jamuna]

"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman.

And when asked what Microsoft does with these code snippets, Mr Heckman said, "We promptly use it everywhere we could. Otherwise Vista would have been delayed even more. We include all these viruses as BHOs [Browser Helper Objects] in our default distribution. Why should the user endure the trouble and torture of visiting a malware site to acquire the user experience of getting buggy crashing software? We provide it first hand from within Windows itself. We take pride in being backward compatible with every vulnerability, bug and malware that was developed on/for the previous windows platform."

Re:So now crackers have a new way to attack Micros

[theskipper]

Interesting. Then add time as a variable to further complicate detection. Each machine in the botnet sending a report every rand(168) hours. For a large enough set of compromised machines, the statistics of which reported crashes float to the top of the queue would certainly be messed up.

Plus If they were to filter these botnet machines at the IP level for a particular app then it would block real reports from coming in, further skewing the stats. There are real users sitting behind these compromised machines after all.

Ouch.

The Gist I Got Of The Article

[Ukab+the+Great]

Hackers and Developers are both lazy. This is why things haven't gotten any worse and also why things haven't gotten any better.

They report it !?

[confused+one]

Damn. I'm a part-time dev and I turn off that feature because I don't want Microsoft seeing my mistakes. And they're harmless. Pretty damn bold (and stupid) to be writing malicious code and reporting the failures back to the Microsoft.

Re:So now crackers have a new way to attack Micros

[odies]

Uh, do you honestly think that for example Microsoft's graphics team uses Paint instead of Photoshop?

ROCKY?

Mr. & Mrs. Hechman were/are fans of Sly?

Re:So now crackers have a new way to attack Micros

[SilverEyes]

Never know, I didn't realize MS did lots of graphics work. I would believe they use Hyper-V instead of VMware, and Visual Studio instead of whathaveyou (Dev-cpp or whatever), Team Foundation Server instead of TortoiseSVN or CVS etc. etc.

Possible source of the crash reports?

I suspect the types of crash dump he's talking about are the ones from Blue screens of death. With Vista and onwards windows gives you the opportunity to send those dumps to Microsoft once you've rebooted to see if it's a common problem and get a fix or for them to analyse it. The proper crash dumps from them are likely to be reasonably informative. Certainly more so than a regular program crash where you report to Microsoft. Given the fact that Virus writers are likely to be trying to hook into low level stuff it is plausible that they would end up with BSOD's as they develop their malware.

fir57

you're ytold. It's partner. And if *BSd has steadily

Re:So now crackers have a new way to attack Micros

A virtual machine is a virtual machine no matter what software you use to run it.

Attacks on Microsoft.com

"On average we get attacked between 7000 and 9000 times per second."

And sometimes we get attacked OVER 9000 times per second!

So Microsoft should...

[Virmal]

..perhaps reciprocate?

Dear MS developers,

thanks for telling.

Re:So now crackers have a new way to attack Micros

[Princeofcups]

... and Microsoft will be looking for non-existent bugs.

Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them? It's more a metric of how bad a known bug is, that is, how many people are reporting crashes from known bug A as opposed to known bug B.

Making a little lemonade there?

[rnturn]

I'm thinking that saying that the script kiddies are sending you their code is a little like saying that the people throwing bricks through your windows (no pun intended) are giving them to you for your new backyard BBQ pit.

And one surely hopes that this is not a large part of Microsoft's security research thought it might explain how so many Windows vulnerabilities are announced after they're already seen in the wild.

Re:So now crackers have a new way to attack Micros

They do tend to use Hyper-V and Med-V, but those kind of work.

Visual Studio lives side by side with many other options such as Source Insight (as an IDE), WinDbg (as a debugger), ntsd, kd, etc.. WinDbg might be the most popular tool there, and it is also a Microsoft tool.

Different projects use different source control systems, but Source Depot is very common. That's a variant of Perforce.

Designers likewise use whatever they want. Site licenses exist for Photoshop.

This shouldn't be a surprise. Much fuss is made outside of Microsoft about how many Microsoft employees use iPhones.

You can learn a lot from an internship.

Microsoft must like the taste of it's own toes.

So microsoft proudly boasts that they get the source for some of these viruses and they still can't send out a patch in time? Heckman must have his foot so far in his mouth he can lick his own heel. I should not complain, I make plenty of money cleaning out virus crippled windows machines while my own Slackware powered machines hum along happily.

Re:So now crackers have a new way to attack Micros

[tlhIngan]

Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them? It's more a metric of how bad a known bug is, that is, how many people are reporting crashes from known bug A as opposed to known bug B.

That Windows Error Reporting actually has an unexpected side effect - spikes in crash reports often indicate a new virus is on the loose...
http://blogs.msdn.com/b/oldnewthing/archive/2008/05/21/8525411.aspx

Re:So now crackers have a new way to attack Micros

[Nevo]

Actually, Microsoft does fix bugs based on these reports. http://blogs.msdn.com/b/oldnewthing/archive/2010/08/04/10045651.aspx

7000-9000 attacks per second?

[stealth_finger]

Are we to take that as 7000-9000 windows machines crashing per second?

1-2 billion concurrent internet users?

.. out of which 0.1% is developing malware?
Or even better, of which 40-60% are malwared and target MS.com?
That would imply that those 1-2 billion concurrent user all use a Windows computer.

Please share your references used with us

Re:1-2 billion concurrent internet users?

[IndustrialComplex]

.. out of which 0.1% is developing malware?
Or even better, of which 40-60% are malwared and target MS.com?
That would imply that those 1-2 billion concurrent user all use a Windows computer.

Please share your references used with us

Windows has an 85% market share (conservative estimate) It's general common knowledge sourced in a great many places.

As for infection rates? Here is a simple graphic. Again a search will turn up more info.
http://i.zdnet.com/blogs/apwg_pandasecurity_crimeware2.jpg
from: http://www.zdnet.com/blog/security/report-48-of-22-million-scanned-computers-infected-with-malware/5365

It shows of 22 million scanned computers, 48% were infected.

I don't think my statements were unreasonable in their assumptions. It would be like me saying the US population is somewhere over 300 million. I'm not a research paper, and this isn't a journal where sources are always given.

Nobody else appears to have said it...

But I don't have time to do a complete check. Nonetheless I only have to say,

If there was any increase in the traffic microsoft was getting then it would be over 9000.

Re:So now crackers have a new way to attack Micros

[shutdown+-p+now]

Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them?

Being one of those people (as pretty much any other developer in MS), I definitely think so :)

The system is much more complicated, of course. You can imagine the sheer amount of reports MS is receiving every day (cue the 95 BSOD joke here). Clearly there needs to be some sort of automated processing for it, and there is.

For starters, there are always those folk running the original pristine IE6 on XP SP1 or something, who are hitting bugs that have been fixed ages ago. Obviously you don't want to investigate that, but it's possible to forward people to a webpage explaining the issue and urging to update (typically a KB for a security vuln on TechNet ;).

Then it needs to figure out which reports are dupes of which. For "popular" bugs, you can easily have several thousand people hit it in quick succession. I won't even pretend to know how WER (Windows Error Reporting, which is what the mechanism is called) does that kind of analysis. It looks at the nature of the problem (e.g. segfault, stack cookie corruption etc) and at the call stack, that's for sure, but it goes way beyond that. There is a dedicated team somewhere which works on it, and it's the kind of place where you put the sign "dragons and bearded men in glasses be here". Well, or maybe "SkyNet be here" would be more apt these days. Anyway, by liberal application of pixie dust (from employee's grinded iPhones, the rumor goes!), reports are grouped by specific issues, and the product and area within it is tentatively identified for each.

At that point, it actually lands up in the pile of stuff to do for the team responsible for that area, and stuff goes same as for normal bugs from there - triage, assignment to individual developers, investigation, and (hopefully!) fix.

Now, mind you, I'm not saying that any bug exposed via a WER report is going to be fixed. In fact most probably aren't. The problem is, this kind of post-mortem debugging is hard - oh, it catches stupid mistakes really well (uninitialized pointers, that kind of thing), but those are exceedingly rare in practice. And for more complicated stuff - especially when anything asynchronous is involved - the code that caused the issue can be very far from where the crash actually happens, and all you get from WER is a report at the latter point. Sometimes you can try to look at it and guess the sequence of user actions (and other conditions) that led to this crash, and actually repro it, and then debug live. Sometimes you can carefully put the pieces of the puzzle together to form enough of the picture to pinpoint the code right away. Often, though, you can't really do much given what you have - and, for privacy reasons, we cannot try to contact people who send the reports.

Still, I personally fixed a bunch of issues that came in from WER, so it's a net positive.

Re:So now crackers have a new way to attack Micros

[unencode200x]

Developers can also sign up to receive the WER reports for their "in the wild" applications: http://msdn.microsoft.com/en-us/library/bb513641(VS.85).aspx

Re:So now crackers have a new way to attack Micros

[shutdown+-p+now]

Yeah, here is when you sign up for that. And people are encouraged to do so - it's better to provide a single unified UI for the users to do the same thing across many apps, not to mention the quality of analysis tools that MS already has is likely better than what most organizations can afford to develop on their own.

Re:So now crackers have a new way to attack Micros

are you assuming they look at them?

Re:So now crackers have a new way to attack Micros

[shutdown+-p+now]

Link swallowed in another post, sorry. Here:

http://www.microsoft.com/whdc/winlogo/maintain/StartWER.mspx

Re:So now crackers have a new way to attack Micros

Actually, when I was first learning C++, I wrote a program that did nothing but attempt to divide by zero to see what would happen. Of course, the program crashed and the little "Would you like to tell Microsoft about this problem" dialog box came up. So I made a script that would continually run the program and send a report to Microsoft. I hope they're still trying to figure out why my computer wasn't able to divide by zero hundreds of times.

They surely get some from me...

[SharpFang]

While trying to read nonexistent pages on my server results in 402 Payment Required (pay me and I'll write this page for you), the URLs for most comon IIS exploits all return 301 Moved Permanently with a redirect to Microsoft. I don't know how many hacker tools support 301, but I guess some do...

Script kiddies are just like idiot bank robbers?

[bcarl314]

I suppose this is like a bank robber who robs a bank, then promptly asks to deposit their newfound loot into their account at the same bank.

Wire Shark

[NSN+A392-99-964-5927]

Disabling Error Reporting helps. Firing up wireshark shows up huge results checking in to Microsoft http://www.wireshark.org/ (formerly known as Ethereal) I have no need to tell Nix users about Snort and Acid http://www.snort.org/ or how microsoft has an epileptic fit if you run Cain and Able http://www.oxid.it/ Most hackers are not 31337 but idiots, My old friends at the the old place pulltheplug but now http://www.overthewire.org/ had root in less than 1 minute in a war game memorable war game. I really do not know what to say apart from do your own research, it is your own responsibility to protect yourself online but sadly some people are just not that smart. Be brave /.ers.I am not a hacker from Cult of the Cow.... Meow! :)

Doesn't this imply ...

[IchBinEinPenguin]

... that ALL developers send their code to Microsoft every time it crashes?