Slashdot Mirror


Back Orifice 2000 on CNN.COM

LLatson writes "CNN.COM is running an article about Sir Distic releasing Back Orifice 2000. Sounds like this time it will run on NT..." Comments on why this is being done, as well as a source release and a few changes to the 2k system.

339 comments

  1. Re:NT *is* horrible - Maybe it's you by Rational · · Score: 1

    There is no telling what some people will love.

    --
    "Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
  2. Nay by Aglassis · · Score: 1

    Nay, for two reasons:

    1. On UNIX systems telnetting and trying to log in as root will not work
    2. Telnet has security measures and can be disabled by the server at will.

    --
    Suddenly, the hairy finger of a familiar monkey tapped me on the shoulder. It was time.--G. T.
    1. Re:Nay by IntlHarvester · · Score: 2


      No, the AC is correct here. BackOrifice is just a remote control program (think PC Anywhere or any of the others in the Windows world). Do programs exist like this for Unix? How about X Windows?

      If I tricked a UNIX user into running a modified telnet or something that would give me remote root access, it wouldn't matter if telnetd was disabled. The only reason UNIX is less vulnerable to something like this is that users spend less time logged in as root and are more careful. But that's more of a human issue than a technical one.


      --
      Business. Numbers. Money. People. Computer World.
  3. How long has BackOrifice been around? by Anonymous Coward · · Score: 0

    ...and M$ still hasn't dealt with the security issues! I doubt making a new & improved BackOrifice is going to get them to patch things up.

    (I've got no idea of the code in NT, but my guess is that in order to patch these security holes, a complete rewrite would be necessary.)

    1. Re:How long has BackOrifice been around? by Anonymous Coward · · Score: 0

      Seems like system32 was made before BO. Could be wrong tho.

    2. Re:How long has BackOrifice been around? by Gawyn · · Score: 1

      Yes, the new and improved BO might not make them patch things up, but what about its new features? Ability to watch the user's screen in real time? Ability to run on a microphone and hear anything that is going on? A modular version to add even more features? Made to run on NT?


      These things will really pound on companies, who will yell at M$ for making shitty OS's, then the companies, if they are smart, will change. Where I work, _EVERYONE_ uses NT4 and it would take a lot of time to bring everything up to speed after a changeover, so we can't go to Unix/BSD/whatever.
      I am not a CDC member, but I have used BO. I got into 3 of my friends' computers by sending them the infected thing and I told them it was a C program I made. They ran it, I took over their system and popped up messages telling them what I had just done to their system.

      ~Gawyn~

  4. It's NOT bullshit by vivaldi · · Score: 1

    BO is hyped, but it's not bullshit. The programming model is similar to VNC and PCA, but the delivery is vastly different. BO is a stealth product designed to lurk and attack; this is precisely why 12 year old kids are getting excited. And if BO version 2 users can change ports/protocols on their own, detection will be difficult and those 12 year olds will certainly be excited about something.

  5. CIH virus by delmoi · · Score: 1

    Nothing happened to the guy who wrote the CIH virus, because he didn't ever distribute it, he just showed it to some friends, and I guess it "got out" on its own.

    As for the Melissa virus writer, well since he uploaded it himself (and it had the same GUID as the 'samples' on his virus writing site, and he did it from his home phone) he acted in a wanton act of destruction.
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  6. Re:But wait, could it be... USEFUL? by J+Story · · Score: 1

    a little off-topic, and no doubt well-known, but this is what folk did in the olden days.

  7. Bravo! Hats off! by jabber · · Score: 3

    I know that this is mostly a 'me too' type of reply, but Tweety Fish has made an excellent point.

    We all remember the stink that went up after Farmer and Venema (sp?) released SATAN. (COPS before that)

    Anyone out there remember Asmodeus?
    Any sysadmins here ever use a rootkit on their boxen to see what it did, and what to watch for? Without port scanners there wouldn't be firewalls, and without sniffers there wouldn't be encryption.

    I know tfish is looking even farther than the benefits of reacting to a security threat. And a good thing too. Something like BO, designed to have such a low activity signature as to be undetectable by a casual user, is a huge accomplishment for a Windows product.

    There are benefits for network admin tools, from having the BO code available. And if M$ doesn't learn, at least the rest of us will.

    --

    -- What you do today will cost you a day of your life.
  8. Re:??? by fliptout · · Score: 1

    Really, who will be nice enough to break into my system and send me an endearingly personal email telling me how to plug my security holes? Not gonna happen- whoever finds the holes will exploit them to the fullest and fuck me over.

    Frankly, I prefer not to have any uninvited guests.

    --
    A witty saying proves you are wittier than the next guy.
  9. Re:Fun Stuff by jjohnson · · Score: 1

    Just to be clear, I'm not a member of the CDC. Nonetheless, your responses aren't great.

    0: Microsoft SUX!!! (0 because it's the _true_ motivation for all of the following arguments) Response: Yeah whatever. Nobody likes M$, but millions of us rely on their products in our homes and our workplaces. Some of us don't have a choice in the matter. If you want us to use something else, make something better.

    While it's true that many don't have a choice in the OS used in their office, or by default because they're unable to install another, there are still lots of better, or at least different, choices out there. Your crack about 'make something better' is probably the most succinct description of the motivation behind hacking, and all it's produced, that I've ever seen.

    1: It's just an administration tool. Response: [snip] If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?

    One reason is to protect the administration tool. The network admin at my company is constantly telling people to enable Norton Antivirus; every time she has to clean their system manually, in fact.

    You're right that BO is more than an administration tool: it's a political point that, for all the damage and heartache, is a valid point. See your response about leaving your house unlocked...

    2: It's MS' fault for having the security holes in the first place. Response: [snip] If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

    I'm still a criminal, and you're still stupid for having left your door unlocked. Moreover, your home insurance won't cover you because you left your door unlocked; if you won't take known security measures to protect yourself, then you bear part of the blame.

    3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

    My understanding of the release of the first BO is that Microsoft was offered an advance copy, and turned it down, while denying there was any security problem at all. Microsoft is a business, and what a business can get away with, it will. It's as simple as that, and if you disagree, you've never had the privilege of riding a cubicle in corporate America.

    4: We're helping the community by bringing these problems to the attention of the public. Response: Clearly the only community CDC is concerned with is the script-kiddie community. Their program is extremely destructive to the common user and is most effective when used against inexperienced users. All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.

    All they've done is force people to confront the problem. They've made a deliberate public showing of it because it wasn't to impress the script kiddies, it was to force a resolution to the issue. Yes, people may suffer because of it, but it takes a hard lesson sometimes. As for the atmosphere of distrust, which is better: suspicion all around or blissful ignorance?

    --
    Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
  10. Eternal Vigilance and Careful Security by Invisible+Panther · · Score: 1
    The parable of the wholy redhat box:

    Some friends of mine thought that it would be cool to set up a redhat box at their school district. Zipity fast line and an administrator who was interested in samba made it seem both fun and possible.


    So the machine sat there and was played with, and various stuff. Then some script kiddie found his way in. With a 'Rewt' kit and some time all of a sudden the machine no longer was under the control of my friends but someone who was creative enough to pick a uid of 420.


    The point: Even a linux box can be filled with security holes and even on a linux box something like bo can run (port 31337 now allows anyone to telnet in and doesn't even require a login for root access).


    I don't really mind people developing these root kits or bo or whatever exploits they care to come up with, but I don't like people screwing around with other peoples machines as these exploits invariably lead to. Now that my friends know about the various holes they are ready to reinstall and start patching holes, but if the machine were something serious they'd be screwed.


    With various holes known, we (the community of computer users, and the community in general) should make sure that they are fixed. As well we should make sure that these exploits are not exploited by the corporations or anyone else.


    peace


    watch out for the conspiracy of tall men

  11. Kernel modules by Rozzin · · Score: 1

    Doesn't the insertion of a kernel module require root access?

    --
    -rozzin.
  12. This is sad. by Gary+Gnu · · Score: 1

    If cDc is sincerely concerned with M$ security they would have given M$ and the public suggestions on how to fix the problem but instead they release this dumb program to show that it could be done. I find cDc's analogy quite funny in a sense that it is flawed and no one in the right mind would formulate the same analogy.

    I do not even know why they are making such a big deal out of this. It is the same as the original Back Orifice + NT capabilities which requires that the infected program be run by Administrator. One could say that this could be done the same for UNIX or BeOS provided that the "Super User" is the one who will be running the infected program. Most large corporations are very careful about running unsupported software (i.e. stuff that's downloaded from the internet) anyway so I doubt this would make a big impact to most people. I see the target of Back Orifice 2k as Warez kiddies who probably didn't pay for their WinNT licenses anyway.

    1. Re:This is sad. by tqbf · · Score: 1


      Do you honestly think there's anything that
      Back Orifice does that Microsoft Engineering
      doesn't already know? I have met and talked
      to Sir Dystik on a number of occasions, and
      my impression of him is that he is someone who
      knows what a "security advisory" is and what
      the conventions are (prerelease to vendor,
      publication of a patch/workaround, etc) for
      releasing them.

      This ISN'T a new security hole. cDc doesn't need
      to teach Microsoft ANYTHING. This is a statement
      (IMO, an effective one) to the public about the
      security implications of OTHER, WELL KNOWN
      Win32 security problems. They are, to co-opt the
      motto of the L0pht, "making the theoretical
      practical".

      This is a good thing. You can show all the scary
      press about BO2K to your IT managers and get
      resources to properly secure your NT boxes. You
      should appreciate (and exploit) this.

  13. Re:heh, they're releasing the source code too... by TriangleMan · · Score: 1

    So if you release BO2K under GPL, does this mean that if you infect someone's machine then you have to offer to give them the source :^)

    --
    GNU and Linux -- Oh no, Mr. Bill!
  14. Re:what is with people by john+barleycorn · · Score: 1

    "Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. "

    In the hours, days, weeks and months to come, as we see dozens (possibly hundreds) of slight variations, total modifications and custom built worms come out of that source code, I doubt you will still believe that.

    This program is a serious threat to NT security. As others have pointed out, the problem isn't so much that NT is "insecure" (though there are definitely problems in that department), it's that the users and quite a few of its administrators are just plain dumb where security is concerned. And as I heard someone say in a previous thread: All it will take is one stupid user/admin to compromise the entire network. It will just make the process easy. Really easy.

    Of course, yes, all of this and more is possible on a unix system. The difference is unix is a diverse set of operating systems. Porting code to different Unices takes time and some skill. BO2k will run flawlessly on any target machine, making it extremely easy for anyone to use (no coding experience required) and therefore that much more dangerous.

    However I don't think it's all bad. It's just like any other piece of software: It can be used for bad things or for good things. Don't blame it on the software or the authors (anyone who says writing software is in itself 'evil' is a total dope) - blame it on the assholes that actually use it maliciously.

    And hey: If you're THAT worried about it, take that WinNT CD and chuck it out the window. Order a copy of Linux, FreeBSD or Solaris7 and put that PC to real use.

  15. Curious by Anonymous Coward · · Score: 0

    Does the Back Orifice server require any kind of password, or is this an option you set?

    I thought it was just something you embed into an exe or something and get unknowing people to run it, at which point it would silently install itself into the system. Then you could use the client to track down people who had installed it, and use their machines.

    At least that's what I gather from the bits and pieces I've seen about it.

    So if you install this on your network, what's stopping people on the outside from controlling your machines?

    1. Re:Curious by Anonymous Coward · · Score: 0

      You can specify a password for the BO server to use... You can also specify a port other than the default 31337. (which annoyingly my isp blocks and as a result I had a hard time using my University Computer over Christmas break)
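The reply above notes that the server's port is configurable, so a defender cannot rely on spotting one well-known port number. An added example (not from this thread, and not cDc's or anyone's tool) that shows the more durable check: parse netstat-style output and report any listening socket that is not in an allowlist of ports the workstation build is expected to expose. The netstat text and the allowlist are constructed for the demonstration; a real deployment would build the allowlist from a known-good machine.

```python
import re

# Constructed sample in the shape of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:31337         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1043          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:54321          *:*
"""

# Hypothetical allowlist: the (protocol, port) pairs this workstation build is expected to expose.
# Anything else that is accepting traffic is a finding to investigate, whatever its port number.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("UDP", 137)}

# Matches one socket line: proto, local address, local port, foreign address, optional state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?\s*$")


def parse_listeners(text):
    """Return the set of (proto, port) pairs accepting traffic.

    TCP sockets count only in LISTENING state (an ESTABLISHED row is a client
    connection, not a service); UDP has no state, so every bound UDP socket counts.
    """
    listeners = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or blank
        proto, _local_addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return listeners


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listeners present on the host that the allowlist does not account for, sorted."""
    return sorted(parse_listeners(text) - expected)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto}/{port}")
```

Run on the sample, the check flags TCP/31337 and UDP/54321 while ignoring the ESTABLISHED row on port 139. The value of the approach is that it is driven by what the machine should be doing, not by a list of "bad" ports, so a server moved to a different port still shows up.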

  16. Re:Why all the stealth features then? by Anonymous Coward · · Score: 0

    Uh, no.
    If you are the admin of a corporate PC running NT, you tell the user, if you touch this program intentionally your boss will hear about it, and they leave it alone.
    No stealth required.

  17. Re:cDc justified by os10000 · · Score: 1

    There are so many messages here who just take it
    for granted that NT is insecure. NT has a solid
    security architecture that is more fine-grained
    than that of Linux. This means it COULD be better.
    The real problem is that MS Office is designed for
    a single user and requires you to have the equivalent
    of ROOT access to run it (OK, I'm exaggerating and
    I've never had office on my computer so I wouldn't
    know, but disprove me). You could do exactly the
    same with Linux (pop up a box in netscape, make the user type their password, mail it home), only that a user has less rights on Linux.

  18. Re:AMA polluting meat by Ri-Del · · Score: 1

    I see your point. If we engineered cows to be resistant to e.coli then we'd have a "more secure" cow. So in effect the problem actually does and does not already exist depending on your perspective. However it isn't a problem until e. coli shows up. Heh, I guess what I said could also be more amusingly applied to humans. We've got lots of design flaws, look at the "common cold!" (I'm joking here)

    Who would've thought we could use cows as an analogy for OS security designs?

  19. Re:AMA polluting meat by Dr.+Evil · · Score: 1

    Sure, a security problem is a security problem only if someone decides to exploit it.

    In my world, people exercise reasonable measures to protect their valuables. The measures of protection are proportional to the worth of the object/valuables. That's why banks have vaults and safety deposit boxes.

    If Microsoft is going to claim that their operating systems are secure, I don't think they're the victim when people realize that their doors are wide open. The victims are the people who rely on Microsoft products for security. Microsoft should take responsibility for their marketing claims and engineering blunders.

  20. Why all the stealth features then? by Anonymous Coward · · Score: 0

    If BO's main purpose is remote administration, what's the point of having all the stealth features then? Why does it go to such great lengths to hide itself from the user of the machine it's run on if it's something that they supposedly would want running?

    1. Re:Why all the stealth features then? by Helge+Hafting · · Score: 1

      If you are the admin of a corporate PC running NT, you tell the user, if you touch this program intentionally your boss will hear about it, and they leave it alone.

      And when my boss asks "why did you kill that program?" I just tell them I didn't - it probably crashed by itself or because of some os glitch.

    2. Re:Why all the stealth features then? by ufdraco · · Score: 1
      If you were an ordinary user of NT, do you think you would WANT an admin to be able to see what you were doing, etc? No. If they knew it was there, they would kill it (and NT gives you enough power that you CAN do just that).

      So, to keep it running, you'd want to make sure the users didn't even know it was there. Hence the stealth features.

      --

      ufdraco

    3. Re:Why all the stealth features then? by ufdraco · · Score: 1
      I only wish that were always so. Unfortunately the real world of corporate politics doesn't work that way. There are often people that should do as the admin says, but don't have to because they are buddy-buddy with somebody more powerful than the admin (or his boss) is. Or maybe this person is more important than the admin is (i.e. this person makes more money for the company than the admin does). Either way, it doesn't work to threaten the user.

      Besides, why even put it out for a fight if you can just hide it so the user doesn't know any better? Stealth makes it much easier.

      --

      ufdraco

  21. Like System32 by Anonymous Coward · · Score: 0

    Yeah the punks who made that just sat on it after showing it on CNN. Punks!

  22. Yeah I hear ya. by Anonymous Coward · · Score: 0

    That is what a company I was working for did. Put some software called System32 on the machines, both NT and 95, and screwed around with the employees. Stupid kids making this stuff and releasing it.

  23. Could you use this to... by Anonymous Coward · · Score: 0

    If you can peer into the Win95 spool, you should be able to see what the WinPrinter is being sent.

    Could this be used to reverse engineer drivers for these ugly things?

  24. System32 by Anonymous Coward · · Score: 0

    I heard of that one. It gave you a shell on NT and would even push it thru a firewall or something. Interesting program. Do you know the URL?

  25. Surfing at -1 is fun! by SeanNi · · Score: 1

    Whoooeee! The stuff people come up with!

    Just imagine, if I wasn't surfing /. at -1, I'd never get to read all these absorbing and fascinating insights into the world!

    (LOL!)
    --
    - Sean

    --
    It's a fine line between trolling and karma-whoring... and I think I just crossed it.
    - Sean
  26. Re:Back Orifice for Linux... by Anonymous Coward · · Score: 0

    You are right, modifying system calls cannot make something undetectable... This module overwrites a kernel data structure instead. It does however redirect specific system calls to hide files and processes and has a nice patch to setuid() and execve().

  27. Because by Scutter · · Score: 1

    They do it because they can. Most irritating.



    I won't say first, even though i am. :-)

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  28. Re:Back Orifice for Linux... by tqbf · · Score: 1


    What are you talking about? This is certainly
    not the only way to "prevent things like this".

    First, all trojans take advantage of capabilities
    offered by the systems they infect. Kernel trojans
    take advantage of device drivers and context
    switching code. In this respect, all operating
    system functionality is subject to misuse by
    malicious code (such as BO2K). Obviously, this
    is not the problem that needs to be "fixed".

    Next, the issue being discussed with respect to
    trojans that affect OS kernels is detectability.
    It simply is HARDER to detect a well-written NT
    trojan. The security community does not have
    the detailed information about the NT OS internals
    needed to develop good detection schemes for
    kernel trojans.

    This stands in stark contrast to Linux trojans,
    which must in some manner be based on and affect
    the operation of the Linux kernel. The difference
    here is that the effect of a Linux kernel trojan
    is made measurable by the amount of information
    publicly available on the Linux kernel.

    Unlike NT.

    Finally, the point you're making ("the only fix
    is to remove the functionality") is completely
    bogus. The problem is that NT is configured and
    used in a way that makes the distribution of BO
    and its siblings trivial. That is not a hard
    problem to solve. "Don't run unverified code
    inside of mail attachments". "Don't run programs
    you get from suspicious sources." "MD5 binaries
    you distribute to the public."

    This isn't rocket science.

  29. Re:Fun Stuff by MSG · · Score: 1

    If you want us to use something else, make something better.

    I believe that there has ALWAYS been something better. The mac was better than win 3.1, people were just too cheap to pay the extra money for one. You get what you pay for.

    1: It's just an administration tool.
    If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?


    Because if you are a network system admin, you don't really want people changing the software on their machines. Especially removing the program that you use to take care of said machines. To that end, if your client is scriptable, then you could run periodic, scheduled checks on all of your MS workstations to check for unwanted system changes. That's a great and wonderful thing.

    2: It's MS' fault for having the security holes in the first place. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it.

    My response: bull. If you want to give BO a purpose other than that stated, then it is perhaps a good argument for designing/using systems with security in mind. At least if you value your privacy and data. If BO didn't expose the basic flaws in such designs some other program would. It's only a matter of time. By releasing BO very publicly, both the users and the engineers of those systems get a good reason for using a better design. The idea is not to punish users, but to convince them that they need to demand better design from their vendors. Let me say that again: If such a program were not released publicly, then it would be released quietly. If it were done in that manner, then consumers would not worry about their systems, and continue to live in a deluded blissful belief that they were safe. The design would not improve.

    3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

    First, when was the last time that MS fixed anything that wasn't demanded of them? If a problem exists, but isn't being exploited, they usually ignore it until it is being exploited. Second, and most unfortunate, is that these problems are inherent to the design of Windows. I don't think that MS could "fix" them if they wanted to. It would break too much existing software. BO is written with standard Win32 api calls. What's that? Yes, Microsoft DESIGNED WINDOWS TO ALLOW PROGRAMS TO DO THIS.

    All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.

    Who do you trust?

    No, I'm not a member of cDc. I don't know if they want new members. I have, however, been very pleased with BO. I gained 100% access to my own place of business's network without any physical access. By doing so, I made the argument that security in the office was of prime importance. It held water, and we took some steps to make our Windows machines more secure. That's right, BO had exactly its described effect. Is that so surprising?
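Two posts in this thread point at the same defensive control: tqbf's advice to "MD5 binaries you distribute to the public" and MSG's suggestion above of scheduled checks on workstations for unwanted system changes. Both are file-integrity checks: record a trusted manifest of digests once, then compare the live tree against it. The following is an added example, not code from this thread or from any tool mentioned in it; it builds a manifest of a constructed sample tree in a temporary directory, tampers with that tree the way a trojaned build or an unwanted install would, and reports what changed. It defaults to SHA-256 rather than the MD5 the post names, because MD5 collisions are practical today and a manifest whose algorithm an attacker can collide no longer proves anything; the `algorithm` parameter still accepts "md5" for comparison with older manifests.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Hex digest of one file, read in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Trusted baseline: every regular file under root, keyed by relative POSIX path, mapped to its digest.

    This is the record a publisher would sign and ship next to a download, or that an
    admin would capture from a freshly built workstation before it is put into service.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_manifest(root, manifest, algorithm="sha256"):
    """Compare the live tree against the baseline.

    Returns three sorted lists: files whose digest changed, files not in the baseline
    at all, and baseline files that have disappeared. Any non-empty list is a finding.
    """
    current = build_manifest(root, algorithm)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo():
    """Constructed scenario: baseline a toy distribution, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"MZ constructed sample binary")  # constructed content
        (root / "README.txt").write_text("constructed sample readme\n")
        baseline = build_manifest(root)

        # Changes of the kinds a scheduled check should catch (all constructed):
        (root / "bin" / "tool.exe").write_bytes(b"MZ constructed sample binary, altered")  # replaced binary
        (root / "bin" / "extra.dll").write_bytes(b"constructed unexpected file")  # file not in baseline
        (root / "README.txt").unlink()  # baseline file removed

        return check_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On the scheduled-check side, the manifest must live somewhere the monitored machine cannot rewrite (a read-only share or a central server), or the same change that alters a binary can update its recorded digest. On the distribution side, the manifest is only as trustworthy as its delivery channel, which is why publishers sign it rather than just posting it beside the download.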

  30. Fun Stuff by Anonymous Coward · · Score: 0

    I don't know about you guys, but I love this program. It's a fine example of how shi**y Win9x is and should only give MS a reason to make a real product. A nice web based linux control panel would be fun though.

    1. Re:Fun Stuff by Shabazz · · Score: 1

      I hate MS just as much as the next guy, but I still think it is messed up to release a program like this. The end result is that script kiddies will do the only thing they know how to do.

      While sir dystic might say he wants MS to boost its security, I think it is clear that this is a thinly disguised one. How is this different from releasing the source code to a virus and then letting the script kiddies actually send it out?

    2. Re:Fun Stuff by Anonymous Coward · · Score: 0

      Oh yeah! This program is kewl! That'll show M$!

      Yeah, it was a fucking riot when my 'friend' thought it would be funny to send me the trojan two days after I bought my computer. Programs started crashing left and right and he couldn't figure out how to uninstall it. I followed the instructions from CDC to uninstall it and things seemed to get better, but a year later when I upgraded my virus scanner I found out I was still infected.

      Somebody should break into the CDC's computers and screw with their files so they can see how 'beneficial' it is. He could tell them, "don't worry, your computer is crashing for the better good of the community," or, "the program that is letting some stranger delete your hard work is a very useful administration tool."

      As I see it the CDC camp has five basic arguments for the existence of BO:

      0: Microsoft SUX!!! (0 because it's the _true_ motivation for all of the following arguments)

      Response: Yeah whatever. Nobody likes M$, but millions of us rely on their products in our homes and our workplaces. Some of us don't have a choice in the matter. If you want us to use something else, make something better.


      1: It's just an administration tool.

      Response: Sure, and an AK-47 is just a hunting rifle. The features and marketing of any tool are as integral to the identity of that tool as its core functionality. This is why there are so many different computer languages, despite the fact that they are almost all functionally equivalent. BO is marketed as an exploit of a security hole and is designed to make installation on an unsuspecting user's system as easy and quiet as possible. If this is just a tool why not notify the user that he is about to give up control of his computer when he installs the trojan file? If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?


      2: It's MS' fault for having the security holes in the first place.

      Response: Bull. Microsoft's engineers have attempted to create a product that will be useful to people. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it. If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.


      3: MS wouldn't fix the holes if we didn't exploit them.

      Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?


      4: We're helping the community by bringing these problems to the attention of the public.

      Response: Clearly the only community CDC is concerned with is the script-kiddie community. Their program is extremely destructive to the common user and is most effective when used against inexperienced users. All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.


      If you are one of the members of the CDC who reads these boards (I've seen you post on other threads), I challenge you to counter these points. You owe us that much for all the harm that you have done and intend to do.

      -A dissatisfied Back Orifice 'user'

    3. Re:Fun Stuff by Rozzin · · Score: 1

      Windows just makes everything so much easier for the cracker hacker making such programs...

      MS DOS was never intended to be at all secure--it was always a purely single-user system.

      Windows 3.1 was never meant to be secure--it was just a single-user, single-instance shell to the single-user, single-task DOS.

      Win9x was never meant to be secure--it was just a more powerful utility with pretty much exactly the same purpose as Windows 3.1. The `hit escape to bypass login' thing isn't a mistake or a `security hole'--Win95 logins only exist to maintain multiple sets of settings.

      WinNT didn't start out as a multiuser operating system with built-in paranoia, so it hasn't been, and isn't going to be, easy for Microsoft to tack that onto it.

      MS Windows is `insecure', but that was initially the point to the OS.

      Windows 9x, these days, is a video-game system, and it's pretty good for that, and not much more. Besides, you don't really need a video-game system to be `secure'....

      Let's get things all straight, and use the right tools for the job--not all operating systems (or shells) are good for everything (which makes me think of all of the full-screen Windows games--what's the point of a window system when you want to run things full-screen? How much better would the games go if you just didn't load the Windows GUI to begin with?).

      --
      -rozzin.
    4. Re:Fun Stuff by Anonymous Coward · · Score: 0

      I'm pretty sure you *CAN* login interactively as SYSTEM. If the user rights are set to allow your username to login as part of the operating system, you should have all the same permissions as SYSTEM.

    5. Re:Fun Stuff by Lamesword · · Score: 1

      (I'm not a cDc member, but I find the above post to be the best introduction to what I have to say.)

      Somebody should break into the CDC's computers and screw with their files so they can see how 'beneficial' it is.

      Go for it! I'm sure you wouldn't be the first to try, and if you succeeded, you would have demonstrated that they should use better software.

      2: It's MS' fault for having the security holes in the first place. Response: Bull. Microsoft's engineers have attempted to create a product that will be useful to people. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it. If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

Microsoft's engineers have most likely attempted to create a product that is as profitable as possible; that's how publicly traded companies work. Unfortunately, the software market has demonstrated that what is most profitable is not what is most secure, stable, flexible, etc.

      Also, I think that analogies to physical things like windows, cars, guns, and cows, are inaccurate. High physical security isn't feasible in our day to day lives; e.g. Kevlar vests are expensive and currently unfashionable. However, decent computer security is both feasible and sexy, so it is acceptable--and I believe beneficial--to create an environment in which it is necessary.

      3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

      History has shown that MS drags their feet on fixing security holes that are given to them privately, in advance. Remember the IIS hole that eEye found? (See www.eeye.com for specifics.) To summarize, Microsoft was given a week of advance notice, but apparently did nothing until exploits were already available. Even then, they called eEye irresponsible for releasing an exploit after others already existed!

      However, I don't feel that eEye had any ethical obligation to give Microsoft the advance notice that they did. If everyone always gives Microsoft (or any other company) advance notice about security holes, then Microsoft has little financial incentive to put more effort into releasing a product that is secure to begin with. I think it's shortsighted to look at the actions of a group like cDc in the context of a single exploit; you need to look at the long term effect they have on the market. If Microsoft has to pay dearly for each security hole in their products (in this case, paying in terms of lost revenue from people who decide to use more secure products), they will be more concerned about the security of their products, because it will increase their profitability.

      The only way that users win when it comes to security holes is simply to have secure software. If vendors are treated with too much leniency, this will never be achieved.

    6. Re:Fun Stuff by Anonymous Coward · · Score: 0

      ...the user would have to be root when the executable is ran...

But won't BO2K require special privileges as well, such as being logged in as Administrator (or a member of the Server Operators group)?

      I never understood the notion of not having "permission" to kill something when I was admin on NT.

The resource kit kill command works well. Also keep in mind that a closer equivalent to root and init is NT's local System account. Administrators do not have full privileges on NT, and thus your confusion.

Even though you cannot logon as the System interactively, it is not very difficult to run things under the system account. Log on as an administrator and start the scheduler service if it is not already running. Then run soon /i CMD.exe and five seconds later you have a command prompt running as "NT Authority/System" (as output from whoami). This assumes the scheduler service is running under the system account and you have the resource kit for the "soon" command. Substitute the "at" command as needed ("soon" is just a frontend for "at").

It is interesting how many Linux users think they know more about Windows NT than they do. It is disappointing because it is in large part a symptom of the anti-Microsoft movement. Zealot-like behavior will only help to guarantee the success of Microsoft.

    7. Re:Fun Stuff by Anonymous Coward · · Score: 0

      > there is no real difference between "executing" and "viewing" in windows because of how all of the file types are set up.

      I recall M$ was in progress to make it possible to write DirectX calls into HTML for IE5. I really do hope they found the clue and cancelled the idea. Personally I wouldn't like the idea that a web page can access client's hardware rather directly.

    8. Re:Fun Stuff by cernnunous · · Score: 1

I think it would be safe to say that the majority of exploit programs like this ARE designed to attack "other" operating systems, primarily Unix. Every Unix admin I know has a copy of Satan at their fingertips, and uses it.

      As to your other point, a default install of Linux wouldn't stand up against programs designed specifically to exploit them, that's what patches are for. The difference between patching the holes in Linux (and most unices) and Windows is the time between when the exploit is announced and when the patch is available. Most of the stuff BO is taking advantage of has been known about for quite a while and there is still no patch. Most exploits on Linux are patched within a couple days, often within a few hours.

      Cernnunous

    9. Re:Fun Stuff by Anonymous Coward · · Score: 0

      From the original poster:

      Your rebuttals:
      Your crack about 'make something better' is probably the most succinct description of the motivation behind hacking, and all it's produced, that I've ever seen.

      My point exactly. Hack all you want on your own machine. Do whatever you want with your bits but leave mine alone. It's bullshit to attack me because you don't like Microsoft.

      One reason is to protect the administration tool.

      Fine, a user uninstall might not be useful for an admin tool, but you don't dispute my point that BO is not "just an admin tool."

      I'm still a criminal

      Exactly. Just because a security hole exists doesn't give you the right to exploit it. That's still not a cool thing to do, particularly when the victim of your abuse is not the responsible party. It's like knocking down your neighbor's house to show that his builder used poor materials.

      My understanding of the release of the first BO is that Microsoft was offered an advance copy, and turned it down, while denying there was any security problem at all. Microsoft is a business, and what a business can get away with, it will.

      If that's true, MS really dropped the ball. That's still no excuse for presenting the script-kid community with a fully realized tool for taking over other people's systems. CDC had plenty of non-destructive alternatives for taking their message to the public. (CERT, to name one.) This was (and is) grandstanding, pure and simple.

      All they've done is force people to confront the problem.

      No, that's not quite all they've done. They could have done that by creating a harmless easter-egg type virus. They could have done that by releasing a crippled product that pointed out the holes without allowing the user to exploit them. What they have done is create a program that facilitates invasion of another person's computer, and that program has been used extensively for that purpose. Now they're releasing a more powerful version of that tool, and including source code. That's a real disservice to the community.

      Yes, people may suffer because of it, but it takes a hard lesson sometimes.

      This is the same sort of rationalization that allowed Tim McVeigh to sleep at night.

      As for the atmosphere of distrust, which is better: suspicion all around or blissful ignorance?

      Who said anything about ignorance? To make the community aware of a problem you don't need to write a powerful, extensible, open-source tool for exploiting it and then tell the world. You don't need to create a program that's only going to harm people who aren't responsible for the problem. That's just irresponsible, juvenile and despicable.

      CDC should own up to the consequences of their actions and just admit that their only sincere motivation is the first one I listed.

      -Still dissatisfied.

    10. Re:Fun Stuff by Anonymous Coward · · Score: 0

      Even then, they called eEye irresponsible for releasing an exploit after others already existed!

      Imagine that! Calling them irresponsible for releasing an exploit to a security hole! Calling them irresponsible for making a bad problem worse! The nerve!

      If vendors are treated with too much leniency, this will never be achieved.

      When BO was released, Microsoft didn't suffer, ordinary users suffered. To try to influence MS by hurting users is nothing more than terrorism.

    11. Re:Fun Stuff by Lamesword · · Score: 1

      When BO was released, Microsoft didn't suffer, ordinary users suffered. To try to influence MS by hurting users is nothing more than terrorism.

      The only way to prevent users from suffering is to have secure software. I understand that users did suffer from BO, but I think the blame lies with the people who used the program maliciously, and the people who created a product that allows such tools to be so successful.

"But why create tools that others can use maliciously?" When security holes exist and remain unfixed, they will be found and exploits will be created; it is merely a question of who knows about the hole, and who knows about the exploits. Before Back Orifice was released, how many users already knew that this sort of thing could happen to their computer? How many knew that similar tools already existed? As a system administrator, I appreciate the work these groups do because it helps me protect my systems and users; every security hole that they find and yell about publicly is a security hole that I can prevent from being very harmful.

"So why not just let the vendor know about the hole in advance?" I want the people who write my software to care about security before the product ships, so I think it's important for security holes to be an embarrassment to the vendor. Anyway, when security holes are publicly known, anyone who has important data to protect has the opportunity to protect it--the damage is limited to those who don't care about security, or those who think they care but are unwilling to put any effort into protecting themselves (and in this case, the "effort" could be nothing more than choosing products with a good reputation for security).

    12. Re:Fun Stuff by tqbf · · Score: 1

      Point by point:

      1.) Sir Dystik and Dildog did hack on their own
      machines. All they're doing is publishing the
      results.

      2.) The fact that an "administration tool" can
      be used for nefarious purposes does not make it
      any less of an administration tool. Netcat, inetd,
      and the GNU C compiler are all used by crackers.

      3.) Anyone who suggests CMU CERT (or any FIRST
      organization) as an avenue for disclosing security
      holes has never dealt with CERT or FIRST. CERTs
      automatic reaction to being presented with a new
      security problem is to consult the affected
      vendor. CERT releases nothing without the approval
      of the affected vendors.

      CERT, and more importantly the public's idea of
      CERT's role, is a major problem with the security
      community today.

      4.) If cDc released a "crippled" version of BO2K,
      Microsoft would immediately reply by claiming to
      the press that the issue was "theoretical" and
      "harmless" to normal users. That would defeat the
      purpose of releasing BO2K.

      5.) I don't understand how you can, with a
      straight face, compare someone who killed hundreds
      of people with two people who wrote and published
      code. This is offensive on many levels.

      6.) It takes a very naive perspective on the
      security community to assume that a "benign"
      disclosure of a security hole will provoke any
      action from Microsoft or any other corporate
      software vendor. Having dealt directly with
      Microsoft in a security hole disclosure, I can
      state with confidence that Microsoft's primary
      goal is NOT to responsibly notify the public as
      quickly as possible.

      The whole idea behind BO2K is an elaborate attempt
      to call Microsoft's bluff (that the problems BO
      takes advantage of don't affect MS's flagship
      operating system, that any problems that do affect
      NT are simply theoretical, and that nobody really
      exploits problems on NT, unlike under Unix).

      There wouldn't be an issue if Microsoft was honest
      about the issues affecting its products. The same
      issues affect Linux, but they are for the most
      part acknowledged and dealt with. Thus, there's
      really not much fun in poking holes in Linux.

    13. Re:Fun Stuff by Anonymous Coward · · Score: 0

      That's not the same as logging in *as* the SYSTEM, but I agree that with user rights you should be able to give yourself the same level of access that SYSTEM has.

    14. Re:Fun Stuff by uberfunk · · Score: 1

      I don't like it, for two reasons that come to mind immediately:

      1) It shouldn't be as public as it is. Remember the movie Sneakers? I'd like it to be more like that... hackers actually hired by the companies they are breaking into, rather than random acts of violence by geeks who are bitter that Bill's operating system sells better than theirs. Granted, Windows has some serious security issues, but this isn't a mature way to publicize them, and the majority of people will be annoyed with the hackers rather than with Microsoft. It doesn't go too far to point out the problems.

      2) It targets Windows. How many programs out there are actually designed to attack "other" operating systems? How well would the default install of Linux stand up to a program designed to exploit its security flaws? Granted, you can hack it... but what good is an OS that is only good to hackers? I'd like to see a port of Linux with the ease of Caldera which has impeccable security. Until then, we can laugh at MS, but it's a hollow victory.

    15. Re:Fun Stuff by tqbf · · Score: 1


      Releasing the exploit for the ISS overflow
      did not make a bad problem worse. It would have
      been impossible to make the problem any worse
      than it already was: Remote administrative
      access via an extremely popular, very public
      network service, and it was already being
      exploited in the underground.

      At that point, no amount of information that could
      have been released to the public could do anything
      but help.

      It's unfortunate, but predictable, that a
      community of users and vendors, not accustomed
      to handling security problems professionally,
      could do nothing but resort to pointing fingers
      and shooting the messenger.

    16. Re:Fun Stuff by Anonymous Coward · · Score: 0

      In response to the above two posts:

      tqbf:

      Netcat, inetd, and the GNU C compiler are all used by crackers.

      Yes, but BO is designed for and marketed directly to crackers. There's a difference. Hunting rifles are used by killers, but assault rifles are designed for warfare -- in other words killing humans. Common sense (and law) dictates that they be treated differently.

      4.) If cDc released a "crippled" version of BO2K, Microsoft would immediately reply by claiming to the press that the issue was "theoretical" and "harmless" to normal users.

      Uh, don't you think this is just a wee bit past the 'healthy cynicism' threshold? You don't think that a program that allowed other people to look at everything on your computer would generate an outcry, even if it didn't allow you to take control? Particularly if it was released with a text file explaining the possibilities? Regardless, cdc didn't give us the chance to find out, and innocent people paid the price.

      5.) I don't understand how you can, with a straight face, compare someone who killed hundreds of people with two people who wrote and published code.

      The crime is different and far less severe, but the rationalization is exactly the same. Both decided unilaterally that the realization of their political goals was sufficient justification for unleashing suffering on innocents. The main difference is that cdc wants us to thank them for it and worship their ingenuity.

      To jjohnson:

      It's been reported that, along with BO2K, the CDC will release a patch as well. They'll be including the source code, and they've publicized the hell out of it just so that people are aware of the risk. This just isn't the huge threat you're making it out to be. As happens with every new virus or whatever that comes out, the network admin at my company will send out an email warning people not to open EXE files.

      That's fine if you're technically savvy and tuned in to the channels that cdc used to publicize their actions, but those sorts of people aren't the ones that BO affects in the first place. BO is harmful to people who are new to computing, people who might not even be aware that they were infected in the first place. These people don't work at companies with network admins, and they won't know that they need to search out the cult of the dead cow's patch to fix their computers.

      I honestly don't see how this could have been handled better.

I gave you two ways of handling this better, even if you insist there has to be an exploit:
      1. A warning dialog on installation of the trojan.
      2. A crippled version of BO.
      Both would have made people aware that the problem was exploitable without subjecting innocents to unnecessary damage.

      if BO2K is what it takes to admit that a serious problem needs fixing, then I won't feel badly for anyone who suffers for it when they could have avoided it.

      The problem with this justification is that the people who are suffering are not those responsible for the problem!

      I readily admit that MS blew it here. I am willing to accept that they drag their feet on security issues. I realize that nobody should run untrusted .EXE files. What I will not accept is the hero worship of cdc. Most of the vermin who write viruses and trojans have the decency to stay under their rocks. cdc has the gall to ask us for our thanks. They have not created a demonstration of a security hole. They have created a tool for exploiting a security hole, they have marketed and packaged it for crackers, and they have made it as powerful and as extensible as they were able. They have released this tool to the public without concern for how it is used. Don't try to tell me that this was necessary or ethical -- it was neither. It was just spiteful and reckless.

      -Still Dissatisfied.

    17. Re:Fun Stuff by jjohnson · · Score: 1

      The last time this happened, the antivirus companies had a patch out within days. Microsoft did fuck all.

      It's been reported that, along with BO2K, the CDC will release a patch as well. They'll be including the source code, and they've publicized the hell out of it just so that people are aware of the risk.

      This just isn't the huge threat you're making it out to be. As happens with every new virus or whatever that comes out, the network admin at my company will send out an email warning people not to open EXE files.

      Once again, Microsoft appears to be doing fuck all. Everyone else is fixing their systems to close a gaping hole.

      I honestly don't see how this could have been handled better. Should Sir Dystic, having figured out how to do it, promptly forgotten, hoping no one else would figure it out? The threat had to be real to get the action to fix it; that's been made plain by the scrambling of antivirus companies.

      It would be nice if no one ever wrote viruses, and if we didn't have to lock our houses at night. However, Microsoft isn't just selling us houses that can't be locked properly, they're refusing to admit the problem exists and help fix it; they're telling us the lock is fine, and if BO2K is what it takes to admit that a serious problem needs fixing, then I won't feel badly for anyone who suffers for it when they could have avoided it.

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    18. Re:Fun Stuff by nmarshall · · Score: 1

hmmmm web based linux control panel? so you can install it on a box and then control it without taking the blame? but making one shouldn't be that hard... just make a Back Orifice 2000 perl mod. then build your cgi / form thingi...
      nmarshall
      #include "standard_disclaimer.h"
      R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE

      --
      nmarshall

      The law is that which it boldly asserted and plausibly maintained..
      --Colonel Burr 1783
    19. Re:Fun Stuff by Sonik · · Score: 1

      Really, it doesn't say ANYTHING about the quality of win9x! Couldn't this sort of thing be written for ANY OS?

    20. Re:Fun Stuff by demon · · Score: 1

      My response to your points:

      0: Yes, Microsoft sucks. If they're so bad, (which I believe they are) I don't think millions should be relying on them to have the "latest technology" spoon-fed to them.

      1: If you're gullible enough to just RUN an untrusted binary, I tend to think that you get exactly what you deserve. (yes, I sound like an elitist snob. so sue me, ok?)

      2: Of course M$ should shoulder some blame for the security holes being there. They add features for the sake of adding features, leaving gaping holes in, and not caring that their lovely little "feature" makes a system that much more exploitable. If you leave your front door unlocked and you know you are in an area where crime is possible (i.e. most anywhere), and your stereo/television/computer/etc. get(s) stolen, I'm NOT going to shed too many tears. If you cared about your belongings you'd take proper precautions against having them stolen!

      3: cDc told Microsoft about these exploits ages ago. Microsoft hasn't been too proactive about getting them fixed. I don't think giving them prerelease source for BO2000 is gonna make a huge difference.

      4: They ARE helping the community. If used in a particular way, it is a useful administration tool. If used otherwise, it's a script kiddie's wet dream come to life. If someone doesn't expose the security flaws in Windows, Microsoft doesn't have much incentive to fix them - they'll do like they've frequently done, try to sweep it under the rug. "Never mind the man behind that curtain!"

      Come on. You are refusing to see that this is how security testing works - on Linux, too, when a security hole is found, an exploit is written, then a patch is written and sent to the relevant people. Unfortunately, with Windows, patching is difficult to impossible, so the best that can be done is to expose the problems, so that maybe enough people will demand they be fixed.

      (note: I'm not a cDc member, I've never used BackOrifice. However, I think they're doing a public service.)

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
    21. Re:Fun Stuff by Anonymous Coward · · Score: 0

      Well It's been there for a long long time... These programs are called, Crack, Satan, cops etc...
      They exist and are found useful by unix system administrators.
      If NT sysadmins are not clever enough to use
      this info to their advantage, well too bad for them
      It is a shame that ms people get offended for a silly
      thing like this.
      If you are not aware how burglars can enter your house, how can you protect yourself?

    22. Re:Fun Stuff by Erik+Hollensbe · · Score: 1

      I hate MS just as much as the next guy, but I still think it is messed up to release a program like this. The end result is that script kiddies will do the only thing they know how to do.

      People are missing the point that these holes ALREADY exist. What CDC is doing is just what you are explaining, giving something for the technically challenged (read: script kiddies) to exploit to the point of blatant redundancy, which will HOPEFULLY provide some certain company in redmond to get off their ass and acknowledge the fact that these bugs do exist.

      The simple thing is, is that if places like rootshell, l0pht, and CDC didn't exist, we'd still have wonderful "features" like the winnuke and teardrop. IIRC Microsoft took quite a long time fixing winnuke, and took very little time (in comparison) when fixing teardrop. They learned from their mistakes, because people were getting rather tired of complaining about how their computers were locking up when on IRC.

      This all comes down to simple math. The more publicized an exploit is, the quicker it gets fixed. So CDC wraps a whole bunch of exploits into one nice little package with an easy to use interface, makes it hard to get rid of, and starts calling the press houses.

      This isn't rocket science, it's called politics.

      -Erik-

    23. Re:Fun Stuff by dattaway · · Score: 2

If you don't believe this program should be so public, then you must be one of the people that put trust in security through obscurity. This is what got Windows in the trap that it is. The problem is that NT is too popular and dominates the workforce already. That means massive security holes waiting to be breached. Would you like to have a position with lots of information waiting to be cracked and have your trust in a company that produces products that leak and crash? It's a terrible problem. What kind of secure encryption does NT enjoy? If you shared a network with disgruntled employees, would you be safe? Think about your job security...

    24. Re:Fun Stuff by whoop · · Score: 1

      Sure you can write a program to do these things on any OS. But the problem with Windows, is it thinks it's smarter than any user, so has great features like not being able to kill processes, not listing processes in the list, hiding network connections, etc. I never understood the notion of not having "permission" to kill something when I was admin on NT.

To do this sort of stuff within Linux would not just require emailing Joe User an executable, and saying "Run this to get Office 2000 for free, or $100,000 in two hours." It would take some kernel modifications to hide the things from /proc, the user would have to be root when the executable is run and install the kernel. Then the user would have to reboot and activate that kernel, which could be several weeks for the waiting cracker. Even then, you would have to make sure the user didn't download a new kernel source tarball and install a pure kernel.

      Windows just makes everything so much easier for the cracker hacker making such programs...

    25. Re:Fun Stuff by Anonymous Coward · · Score: 0

      Heh. But one could still confound a Joe User, if not root, w/ a trojan -- if there's enough quota space available. Something along the lines of...

      * a mutant libc, designed to hide certain files
      (perhaps by name, or inode number recorded in
      a given file, etc) and processes
      * a fake shell, that automatically (invisibly)
      adds to LD_PRELOAD, and perhaps invokes a
      mystery startup script of its own
      * invoking chsh to force that shell

      Root would spot it, but your average Joe User might not.
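A defender's counterpart to the three tricks sketched in the post above (a preloaded replacement libc, a look-alike login shell set via chsh, and LD_PRELOAD exported from a startup file), written as an added example that is not part of the thread: a POSIX sh audit that looks for each of those indicators under a given root directory. The `check_preload_indicators` and `make_fixture` function names, the fixture users and all paths in it are constructed for this example; pass `/` as the root to audit a live system instead of the fixture.

```shell
#!/bin/sh
# Added example (not from the thread): audit a filesystem tree for the
# persistence indicators described above. ROOT is treated as "/" so the
# check can be exercised against a constructed fixture; use "/" for real.

check_preload_indicators() {
    root="${1%/}"          # strip a trailing slash; "/" becomes ""
    findings=0

    # 1. /etc/ld.so.preload is honoured by the dynamic loader for every
    #    dynamically linked program, so a non-empty file is a system-wide
    #    hook. An empty file is common on stock systems and is not flagged.
    if [ -s "$root/etc/ld.so.preload" ]; then
        echo "FINDING: ld.so.preload is non-empty: $(tr '\n' ' ' < "$root/etc/ld.so.preload")"
        findings=$((findings + 1))
    fi

    # 2. Login shells in passwd that are not registered in /etc/shells
    #    (what a chsh to a private look-alike shell leaves behind).
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        [ -n "$shell" ] || continue
        if ! grep -qxF -- "$shell" "$root/etc/shells" 2>/dev/null; then
            echo "FINDING: user '$user' has login shell '$shell' not listed in /etc/shells"
            findings=$((findings + 1))
        fi
    done < "$root/etc/passwd"

    # 3. Per-user startup files that set LD_PRELOAD outside a comment.
    for rc in "$root"/home/*/.bashrc "$root"/home/*/.profile "$root"/home/*/.bash_profile; do
        [ -f "$rc" ] || continue
        if grep -qE '^[^#]*LD_PRELOAD=' "$rc"; then
            echo "FINDING: $rc sets LD_PRELOAD: $(grep -E '^[^#]*LD_PRELOAD=' "$rc" | head -n 1)"
            findings=$((findings + 1))
        fi
    done

    echo "total findings: $findings"
    [ "$findings" -eq 0 ]   # exit status 0 only when the tree looks clean
}

# Constructed fixture: a clean user (alice) and one showing the pattern (bob).
make_fixture() {
    d="$1"
    mkdir -p "$d/etc" "$d/home/alice" "$d/home/bob"
    printf '/bin/sh\n/bin/bash\n' > "$d/etc/shells"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'alice:x:1000:1000::/home/alice:/bin/bash\n' >> "$d/etc/passwd"
    printf 'bob:x:1001:1001::/home/bob:/home/bob/.cache/sh\n' >> "$d/etc/passwd"
    : > "$d/etc/ld.so.preload"            # present but empty: must not be flagged
    printf '# LD_PRELOAD=/nothing (commented out)\nexport PATH="$PATH:$HOME/bin"\n' > "$d/home/alice/.bashrc"
    printf 'export LD_PRELOAD=/home/bob/.cache/libc_shim.so\n' > "$d/home/bob/.bashrc"
}
```

To try it: `d=$(mktemp -d); make_fixture "$d"; check_preload_indicators "$d"` reports two findings, both for bob (the unregistered login shell and the LD_PRELOAD line), and nothing for alice or for the empty ld.so.preload. The check reads only files, so it is safe to run on a live host, but as the post notes it only sees what the filesystem shows it: a root-level hook that also hides these files from a non-root reader would need inspection from outside the system.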

    26. Re:Fun Stuff by thal · · Score: 1

it could be written for almost any OS, but it couldn't be so easily installed without windows' lack of a superuser/regular user login scheme and the integration of email into the system. the first one is windows' fault, the second one is just a symptom of trying to make everything easier to use.

      if something like this were written for linux, first the person getting the trojan horse install program would actually have to execute/view it. in outlook express or whatever, you usually do this by just clicking on it. there is no real difference between "executing" and "viewing" in windows because of how all of the file types are set up. most linux users don't do this, simply because the gui isn't as integrated.

      second, for the program to completely wipe out really important stuff, it would have to have root access. this is possible to hack in linux or something sure, but in windows every user has that access by default.

    27. Re:Fun Stuff by Anonymous Coward · · Score: 0

It would take some kernel modifications to hide the things from /proc, the user would have to be root when the executable is run and install the kernel. Then the user would have to reboot and activate that kernel, which could be several weeks for the waiting cracker.

      Actually, a kernel module can overwrite system calls without rebooting. See my post with a link to a working (won't compile with glibc2 though) example.

    28. Re:Fun Stuff by CelestialScum · · Score: 1

Yes, now all we need is a dynamic web-frontend and a server to scan for computers infected. Then everyone with a browser can join the fun!
      This could actually be a neat project to run later on.. hehehe

      Problem with BO is that it spreads like wildfire, you don't need any kind of knowledge to use it either, and it could be hard detecting it if the source is constantly changed around as well. Of course, it's not MY problem, so I just smile and nod and go on running my Linux and BSD's.
      I never trusted an OS that didn't let you know what the hell you were doing anyways. Low down and dirty, it's the only way to be sure!

    29. Re:Fun Stuff by Rozzin · · Score: 1

A nice web based linux control panel would be fun though.

      Doesn't Linuxconf do that?

      --
      -rozzin.
  31. System32 URL? by Anonymous Coward · · Score: 0

    I tried doing a search for it but, system32 turns out to be a common word related to windoze so i haven't found it yet. it had some kind of management that tracked installed copies that i remember.

  32. Are they attacking MS or stealing their niche? by Sun+Tzu · · Score: 4

    "Groups of (mostly teenaged) hackers... release nasty computer bugs..."

    Looks like Micros~1 has some serious competition from cDc. ;)

  33. Re:It's a tool people by mattc · · Score: 0

    Good. Then you shouldn't mind if I store 3 tons of dynamite in my garage.

  34. Microsoft as martyr? by kmb · · Score: 2

    While few people here wouldn't like to see Microsoft get a come-uppance, this sounds like the most incredibly juvenile, wise-ass way to do it. While these twits never mention preferring Linux to Windows, maybe someone should forward them the advocacy FAQ anyway.

    "Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"

    Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?

    1. Re:Microsoft as martyr? by Anonymous Coward · · Score: 0

      There are also Mac and Amiga clients out there.

      The cDc guys don't really care much about OSes either way, though overall I understand they're pretty pro-Apple.

    2. Re:Microsoft as martyr? by Anonymous Coward · · Score: 0

      Correct me if I'm wrong, but wasn't the remote control client only available for Windows on the last version of BO? I thought I read that a *nix version was new to this release. That would rule out hard-core Linux zealots.

    3. Re:Microsoft as martyr? by Anonymous Coward · · Score: 0

      I can read an upcoming M$ press release in my mind: 'Windows 2000 will ship really soon from now and it won't suffer from this flaw. We encourage everyone to update to Win2k.'

    4. Re:Microsoft as martyr? by GreenPickles · · Score: 1

      Yes, the Unix version (without the pretty GUI interface) was released shortly after the original release.

    5. Re:Microsoft as martyr? by Bwah · · Score: 2
      "Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"

      Yeah, so? Do you have a problem with that? I sure as hell don't use windows when I don't have to, but since it is forced on me as an email machine at work, I would sure like it to be secure.

      If you have a problem with MS fixing their own OS due to security concerns I think you need to step back and think about your views. Why do you care so much about it?

      /dev

      --
      "There's no secret. You just press the accelerator to the floor and keep turning left." -- Bill Vukovich
    6. Re:Microsoft as martyr? by _Sprocket_ · · Score: 2
      Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?

      Yes. The US Army. In an FCW article (that was referenced by a Slashdot article), they talk about how the US Army picked Solaris with Lotus Notes for secure communications over WinNT and Exchange due to security concerns with the OS.

      The contract was for the Army Battle Command System (ABCS) which apparently deals with secure communications in the battlefield. I'm sure it was a hefty contract. But there's more to it.

      An interesting sidenote to all this (and the REAL meat of the article) is that Microsoft is scrambling to make a Unix Exchange client to support the Defense Department's secure Defense Message System (DMS) program. The fear is that if the US Army starts to go this direction with messaging on Unix, they're just as likely to scrap Exchange servers back at home to make everything cross compatible.

    7. Re:Microsoft as martyr? by GreenPickles · · Score: 1

      Wait a second... Do you know who these guys are? They aren't Linux zealots. Their purpose in life is not to convert people over to Unix (although they probably would prefer that people use unixies rather than Win95). They get their kicks from poking fun at Microsoft and their Windows products by poking holes in it and screwing around with it.

  35. Re:Back Orifice for Linux... by tqbf · · Score: 1

    It doesn't hide processes. man kill(1).

    I'm sure comparable problems exist in the manner it hides files.

  36. Re:cDc justified by IntlHarvester · · Score: 2

    MS Office 97 doesn't quite need Administrator/root, but it does require write access to a few files in \WINNT\SYSTEM32 and much of its program directory, as well as in odd places in the Registry.

    MS Office and other poorly designed programs (Netscape) are one big reason the default permissions on NT4 are so loose. The problem isn't really the OS, it's how the installer sets everything up. That, and most workstation users log on as a local administrator.

    (As a side note, Microsoft has taken a lot of blows on this from those familiar with Unix, as well as their own user community. I'd expect Windows/Office 2000 to be much better in this respect. Win2000 beta appears to ship much tighter, and then includes some scripts to loosen things for compatibility with certain apps.)
    --

    --
    Business. Numbers. Money. People. Computer World.
  37. Boy my management would love this! by nevets · · Score: 1

    Management would love to have this. They could see what you're doing with your time. Right down to the keystrokes.

    Actually, if this does what it claims, then management should really be worried about security. But no one will do anything until it's too late.

    PS.
    I saw this article a few days ago and tried to submit it, but slashdot wasn't responding :( so I just gave up.

    --
    Steven Rostedt
    -- Nevermind
  38. Re:I LOVE THIS APPLICATION!!! by Anonymous Coward · · Score: 0

    I always just used system32 for that. It had NT support at the first release.

  39. Re:Not a good thing by _Sprocket_ · · Score: 1
    I totally see your point, but we have to look at the big picture. That is, ordinary people can download this thing and use it for whatever purpose they wish, whether it be a network admin testing out security, or a person using it maliciously to take advantage of a network without security against it.

    I'm a sysadmin for a large US Gov't agency. As such, my machines are a prime target for external attacks. So I can understand the concern for creating tools that "ordinary people" (ie: script kiddies) can use without any real technical knowledge. Keeping up with this kind of stuff can certainly add to my already overloaded schedule. But to be honest, the kind of threat this creates is not my biggest fear.

    My biggest fear is the unpublished exploit. Published security holes get fixed. History has shown a tendency with vendors to ignore security issues until they become politically embarrassing. This leads to vulnerabilities in my system(s) that I am unaware of and, consequently, can be exploited without my knowledge.

    Let's not kid ourselves here... people with malicious intent WILL share their knowledge with others of the same inclination. At the same time, they're less likely to take steps towards patching the hole they are taking advantage of.

    By bringing security issues to the public eye, people like the cDc are helping ensure that the security of our environments improves. It may be additional work to keep up with these improvements. However, I don't know about your environment, but mine demands a hell of a lot of hassle whenever one of our machines is compromised.

  40. Re:BO vs VNC/PC Anywhere by Anonymous Coward · · Score: 0

    You can password protect BO.

    The cDc would have an even worse time claiming this as a remote admin tool if this weren't so.

    -
    I am ODiV, hear me type.

  41. Excellent. by Shoeboy · · Score: 2

    Smaller, nimbler, faster, easily customizable... This sounds like the perfect replacement for SMS Remote Control. Now I just need to sell my boss on the idea...
    --Shoeboy

    1. Re:Excellent. by ToLu+the+Happy+Furby · · Score: 1

      Actually, it's not so funny. Friend of mine (my roommate actually) used the original Back Orifice to remote admin the network at the place he worked.

      And why not? It's free, it does everything he wanted, and most importantly, it consumes very little resources compared to competing commercial products. And my friend got paid a bunch for 10 minutes a week of playing around with it from his dorm-room computer.

      Question is, why can't I get a job like that?

  42. Analogies by Gleef · · Score: 2

    The big trouble with the Center for Disease Control analogy is that the CDC is a government agency with a public trust to uphold. Similarly, the AMA would like people to think they are a responsible, trustworthy and benign organization. In either case there would be a betrayal of trust.

    The Cult of the Dead Cow has no such responsibilities, and no trust is betrayed. If you really want a tainted meat analogy, compare them with ecoterrorists poisoning meat to prove that McDonalds doesn't follow proper hygiene procedures. Even that's not a great analogy, since the cDc's programs don't have the potential loss of life that a meat poisoning scheme would.

    --

    ----
    Open mind, insert foot.
  43. Re:Because [is isn't it best though?] by Anonymous Coward · · Score: 0

    I feel better knowing that at least these wholes will be known publicly and raise some sense of awareness rather than in a closed private environment where exploitation could continue unfettered. These wholes exist, the fact that the wholes are present is irritating, knowing how to monitor and defend against such programs/wholes is one spin off of releasing such an exploit. If back orifice had not been so wide spread the first time around, would there be as many countermeasures now?

    I'm a coward.

  44. Why is it bad? by bogado · · Score: 1

    If a cracker tool can be made, I sure prefer that it's made in front of everyone's eyes like cDc is doing. If BO 2000 weren't created by the cDc it would probably be made by another cracker. Sure, now every kid can use it, but we know what they can do. The most dangerous tool is the one that is not visible.

    --
    "take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"

    --
    []'s Victor Bogado da Silva Lins

    ^[:wq

  45. AMA polluting meat by luge · · Score: 5

    The article makes an interesting analogy, claiming that CDC releasing BO in order to force MS to clean up is the equivalent of the American Medical Association polluting meat with e. coli to force a cleanup by meat suppliers. However, the article ignores the point that the government has created channels by which the meat suppliers can be regulated, and that nature provides regular e. coli outbreaks to check on our precautions. Since the only oversight on MS is the market, and there is no such thing as a "natural" security problem, problems must be highlighted by human groups like the CDC, and the market must be manipulated in order to get a response.

    Anyway, that's my two cents- I'd love to find the author's email to let him know, but I can't find it. Any clue?
    -Luge

    --

    IAAL,BIANLY

    1. Re:AMA polluting meat by byoung · · Score: 1
      > -smug vegetarian :)

      So, I guess that you haven't been hearing about all the vegetables that have been getting e.coli as well?

      Here's more information.

      Relevant quote:

      Alfalfa sprouts, the quintessential health food used as garnish on everything from salads to hamburgers, sickened an estimated 20,000 people in the United States in two outbreaks in 1995, researchers say.

      Don't be so smug. Vegetarians aren't e.coli free. =)

      Bun is neither meat nor cheese.

    2. Re:AMA polluting meat by AArthur · · Score: 1

      I would be mad if my security system in the office could be broken into via some back door / secret way in (and the manufacturer conveniently forgot to tell me).

      If that back door was announced on TV (rendering my security system useless), I would feel more secure, since I now know about this exploit.

      Since I now know that my security system is useless (and the world also knows that), I feel compelled to fix my security system up.

      CDC is doing the right thing with Back Orifice 2000, releasing the source code. Now I can know for sure how they are breaking in, and I can fix it (using some little hack onto Windows, since I can not directly modify the source code). (Microsoft fixing it soon... haha)

    3. Re:AMA polluting meat by Seth+The+Man · · Score: 1

      I'm pretty sure sd's email is something along the lines of s_d@cultdeadcow.com or sirdystic@cultdeadcow.com ..

      I know he's on #cdc(efnet) quite a bit, so you might check there if you want to get a hold of him.

      What's highly amusing to me is how seriously people are taking cDc. When was the last time you read any of the cDc text files? cDc was started by a couple of 14-15 yr olds in Lubbock, Texas. Kids who rode BMXs and ran BBS's on their Apple IIes. Now they've got stories on Geraldo and CNN?

      It's a crazy ass world.

      --
      Screw this shit, I've had it/I ain't no mister cool./I'm a pig, I'm a dog/Excuse me if I drool./stm
    4. Re:AMA polluting meat by AArthur · · Score: 1

      Cows and farm animals can not be easily made resistant to the e.coli virus. Cows can't be changed (yet) by humans to get rid of the e.coli virus. No vaccine exists yet.

      This is different with Windows. Microsoft could have and can engineer Windows easily to be resistant against the Back Orifice attacks out there. Linux / Unix is resistant to these kinds of attacks. Did it require advanced science and gene engineering? No. It just required some simple engineering ideas.

    5. Re:AMA polluting meat by Hygelac · · Score: 1

      tom_spring@pcworld.com
      "Your heart is free. Have the courage to follow 'er."

      --
      -- Grow up and use mutt.
    6. Re:AMA polluting meat by Ri-Del · · Score: 1

      Yes, I noticed the same thing. If someone were infecting cattle with e. coli bacteria, they would be introducing a problem that did not exist beforehand. Back Orifice exploits problems that already exist.

      I looked for the author's email address at both CNN and IDG.net, where the article originated, but was also unsuccessful in locating the address.

    7. Re:AMA polluting meat by Tattva · · Score: 1
      "Yes, I noticed the same thing. If someone were infecting cattle with e. coli bacteria, they would be introducing a problem that did not exist beforehand."

      I disagree with your point about problems that already exist. Correct me if I'm wrong, but I was under the impression Back Orifice is only as powerful as the user permissions of the account used to install it (exploiting the same APIs any user with those privileges could use anyway).

      How brilliant, someone gives you the keys to his house, you make copies and give them to all your punk friends to clean the place out and burn it down.

      Back Orifice exposes that NT does allow users with proper permission to do whatever they want. That's a design decision, not a defect.

      --
      personal attacks hurt, especially when deserved
    8. Re:AMA polluting meat by hany · · Score: 1

      If I leave my home unlocked at night, is that a security problem?

      IMHO it is. Good thieves know that people usually leave garden doors open, that the key is hidden near the door, that valuable objects are somewhere under the bed, etc.

      it's only a problem if someone chooses to exploit my (arguable) carelessness

      I would be very happy if nobody were interested in "exploiting" my carelessness. But this requires that every man on earth (creature in the universe?) has to be "good". Is that possible?

      This is somehow near the analogy of diseases. Diseases are here, so we have to fight them, and it keeps us in condition (mostly). In a perfectly sterile world we'll be happy, we'll be living longer, BUT there will be a much higher risk of one (even simple) disease destroying the whole world. Same with computer viruses and exploits: if there were no viruses and crackers (those bad guys exploiting bugs to cause bad things) we'd be very happy, but then just ONE virus/hacker can destroy everything.

      --
      hany
    9. Re:AMA polluting meat by luge · · Score: 1

      But it allows not just the user to do it- also anyone who happens to know what port BO is installed on, without a password, as long as the program is running. THAT is a design defect.
      ~luge
      (besides, there are no "permissions" in 95/98- which was the original target.)

      --

      IAAL,BIANLY

    10. Re:AMA polluting meat by Dr.+Evil · · Score: 1

      Analogies like these are just intended to stir people up. The thought of the AMA, a public organization, doing anything of the sort, potentially killing millions of innocent people, would be outrageous. Therefore, releasing Back Orifice must be similarly outrageous.

      To paraphrase Bill Gates... "It's just a remote administration tool"

      If that's what he believes, then to use their twisted analogies and flawed logic, the meat producers, after years of outbreaks of disease, would respond to the suggestion of stepping up security by arguing "why would anybody want to taint beef?"

      It's a horrible analogy. The facts of computer security aren't as black and white as deadly bacteria and food supplies.

      (I agree with your criticisms, I just don't think the analogy is worth extending into that of government regulation and control)

    11. Re:AMA polluting meat by Obscure+Images · · Score: 1

      I may be slipping out some information a bit early, but BO2k does not have a default port and will NOT ALLOW a server to have no password. That is by design, as it will generally stop, or at least slow down people who would like to scan for BO2k. It also weeds out the people who can't figure out what a port is.

      --
      obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
    12. Re:AMA polluting meat by Anonymous Coward · · Score: 0

      Get real, these problems exist in every operating system that allows user input over a network. Like telnet. All these kids are doing is writing a glorified version of telnet for NT.

    13. Re:AMA polluting meat by DanaL · · Score: 1

      I think the analogy still stands. If I introduce e. coli to a cow, I *am* exploiting a problem that already exists: dead cows are vulnerable to e. coli infections, much like '95 or NT is vulnerable to Back Orifice.

      -smug vegetarian :)

    14. Re:AMA polluting meat by luge · · Score: 1

      I knew about the port thing (it was in some of the early press releases) but not the password detail. If you open source it, a more virulent version will be out soon anyway.
      ~luge
      P.S. What license will the source be under?

      --

      IAAL,BIANLY

    15. Re:AMA polluting meat by jabber · · Score: 2

      If someone were infecting cattle with e. coli bacteria, they would be introducing a problem that did not exist beforehand. Back Orifice exploits problems that already exist.

      I don't really agree.

      If I leave my home unlocked at night, is that a security problem? No, it's only a problem if someone chooses to exploit my (arguable) carelessness. Same with NT.

      I wouldn't put a "this house is unlocked" sign on my lawn for the same reason that M$ doesn't publicize their careless design/implementation. The probability of exploitation skyrockets.

      The CDC put a lot of effort into BO. Just as distributed.net put a lot of effort into showing that RSA ain't all that secure either. M$ didn't just leave the system wide open. It took someone with savvy and time to write a tool to take advantage of a loose hinge on a basement window. Now the CDC is giving every hooligan in the neighborhood that tool. Now M$ needs to fix the hinge. Next time, the CDC will climb up on the porch roof and jimmy the bathroom window with a credit card..

      Cat and mouse.

      --

      -- What you do today will cost you a day of your life.
    16. Re:AMA polluting meat by luge · · Score: 1

      I'm certainly not advocating government control, but since it is not present, some other force has to be present to limit/coerce/constrain the beast. Generally speaking, the market plays that role, but specific incidents have to occur to bring information to the attention of the market.
      ~luge

      --

      IAAL,BIANLY

    17. Re:AMA polluting meat by Obscure+Images · · Score: 1

      Some of the code will be GPL, some will be completely free, no licence at all.

      As for a more virulent version... someone would have to make an initially virulent version. Currently BO2K doesn't go anywhere it hasn't been put. It has no viral behavior at all, and even by itself is not even a trojan.

      --
      obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
    18. Re:AMA polluting meat by Anonymous Coward · · Score: 0

      I agree, the analogy is sensationalism.

    19. Re:AMA polluting meat by juggleme · · Score: 2

      Wouldn't it be nice if reality was closer to this analogy? Any time I got a nasty bug I could format my entire body... provided I make daily backups of important parts of my brain.

      Seriously though, this is just another example of why computer analogies should be left completely alone.

  46. Full control?!!! My ass! by Anonymous Coward · · Score: 0

    I use Micros~1 Internet Exploder... EVERY URL I've ever visited is in a humongous file THAT CANNOT BE DELETED. Actually, I've two of 'em. One can be removed by specifying a new cache folder and re-booting (yawn)... but the other I'm stuck with. I DO NOT want my boss to come and read a file which shows hundreds of www.filthytosser.com addresses...

    If I "surf" at lunch-time or after hours, that's MY business. But why the FUNK do I have to MANUALLY 1) clear history 2) clear cache 3) clear Recent Documents, etc 4) Hope for the best
    after each session?!!! B***ards.

  47. Re:Privacy Concerns? by Anonymous Coward · · Score: 0

    spying on everything that an employee does on his/her PC.

    Spying on employees using their personal computers is one thing but you are going to have a hard time convincing people it is wrong for a company to keep track of how their computers are used on their time.

    If any company actually tries to use BO to monitor hundreds and hundreds of people... well, good luck.

  48. Re:what is with people by Anonymous Coward · · Score: 0

    ..unpatched security holes in Windows 95, 98, and NT that allow unprivileged users..

    Unprivileged users? In Win9x? Sure...

    Also, I might be wrong here but BO2k does not spread itself (but it could though).

    By your logic, Microsoft should come out with security patches for Laplink and PC Anywhere! Of course there are just as many "un-informed" people who leave those set for public access as people who add accounts on their Unix boxes without passwords.

    Here's a great security advisory: starting IIS and changing the webroot to C:\ can allow remote users to get your files. I guess microsoft should issue a patch to block the webroot from being changed to c:\!

    Now for a real exploit.. Send messages to every linux user you know but encode the message with the remote pine exploit. Have it download a small script that will put ~/bin as the first directory in their PATH and download a trojan 'su' program to their bin/ directory. The next time they su, it will mail you the password. Now THAT is an exploit! This could be done entirely in perl for cross-platform exploitability.

    See the obvious difference here? For BO to run, it requires a specific user action. This pine exploit (there is just about one for every version) runs WITHOUT user action. Just reading a message which results in downloading code and executing it is a bad thing(tm).

    Note: The pine 4.10-1 rpm with redhat is patched with this patch which prevents actual execution but other distributions may not be so lucky.

  49. Re:Imagine by SeanNi · · Score: 1

    > ensuring that 99% of all successful NT attacks will have the uniform signature of a BO2K installation to accompany them...

    You forget, mon ami, that cDc is releasing the source. That means that people are free to modify the program as they desire (a phenomenon very familiar to us of the Free Software/Open Source persuasion).

    Who's to say what "signature" these modified BO2K variants will have? Who's to say how identifiable they will be?
    --
    - Sean

    --
    It's a fine line between trolling and karma-whoring... and I think I just crossed it.
    - Sean
  50. They are kind of sad really when you think about by Anonymous Coward · · Score: 0

    it...

    First off, all this does is give script kiddies who don't know better the idea that they're a hax0r (did I spell that right? :) This we could do without. I think if you're going to do it you can at least learn what you're doing.

    Second, if they do release the source code (which I doubt) it may spawn hybrids, but it will also allow someone to kill it off. After all, I could just infect my machine with my version which doesn't do anything except listen.

    Third. This doesn't prove how lax security is on windoze, all it proves is that you shouldn't run software whose origins you don't know. It just punishes the stupid.

    I have been infected twice with BO; after the first time I got my machine totally sorted out. I haven't been infected since and if I do get infected I know pretty quickly (I knew straight off the second time).

    Also it's amazing how stupid some script kiddies are. I've had numerous port scans while on the net; in most of the BO related ones the script kiddie has infected themselves or doesn't know enough about the net to protect their connection. And any who are protected I just report anyway (that gets the remaining kiddies). All that leaves is the professionals (who should know better :)

  51. Re:FUD!?! by Anonymous Coward · · Score: 0

    Well I remember people putting system32 on some boxes. They used a combination of exploits to get it installed and running as administrator. Wasn't that hard as I recall.

  52. Re:Idiocy by Anonymous Coward · · Score: 0

    Win98 is NOT enterprise ready, NT is. No one in their right mind would run 98 in a corporate network environment, for exactly that reason.
    However NT is commonplace, and our users run NT boxes set up in such a way as to make it impossible for them to install applications, or create services etc. Added to that, our email servers scan all mail for nasty executables, and have quite happily thrown out every copy of Melissa sent into our organisation, and I expect the same to be true of this.

    The security hole is not in the OS, it's in the admins & users!! If you had a Linux box set up as loosely as some people have their NT boxes, it would be just as easy to crack. But seeing as 99% of the kids writing this stuff are Linux advocates and M$ haters, they ain't gonna spend time trying to make Linux look bad, are they???

  53. Re:Because a whole is a hole by Anonymous Coward · · Score: 0

    oh, i think it stands for window's hole == whole?

  54. Re:WHY exactly is it.... by twit · · Score: 1

    Correct metaphor: if you bought someone a gun, showed them how to use it, and they shot themselves.

    Microsoft frequently makes claims as to the security of their products without making any efforts to actually prove it to the security community. An example of this is the virtual private network scheme - the algorithm and implementation is untested, untried, and unproven. If one uses it, one must take MS's word as to its efficacy.

    MS compounds the error of their ways by placing the blame on the cracker/hacker who exploits their security holes. If you wish to continue with the gun metaphor, perhaps this would be analogous to a claim that guns don't kill people, people kill people.

    --

    --
    There is no premature anti-fascism. -Ernest Hemingway
  55. "Self-Appointed Security Watchdogs" by tqbf · · Score: 1

    Apparently some of you are under the impression that the security community is some sort of professional organization, like the IEEE, that you have to obtain membership from to participate.

    You are wrong. What we know about security in 1999 is 90% the result of independent research work done by people trying to find new ways to break into computer systems.

    The security community is aware of stack overflow vulnerabilities in large part due to a successful attack on the Internet that happened in the 80s. The relevance of the attack on modern Unix systems was underscored by the 8lgm (with the Sendmail 8.6.12 advisory), a group that did nothing but post exploit code for new security problems they discovered. And the immense code audits for overflows that Linux and 4.4BSD went through were the direct result of Mudge and Aleph One posting detailed "how-to-write-an-exploit" cookbooks for hackers.

    Nobody of any repute in the security community criticizes any of these people for what they've done. To do so would be silly; we know that our software would be less secure without these people, as well as we know that crackers had access to the information long before we did.

    The entire security community is BASED on the concept of PEER REVIEW, where anonymous strangers (preferably scruffy college kids, for theatric effect) scour published code and design documents and find flaws. We wouldn't have Blowfish and IDEA if it weren't for Biham and Shamir ripping up DES.

    cDc is following along in the same tradition, and it's a tradition that we need to ensure is maintained. Nobody is doing the security community any favors by attempting to vilify Sir Dystik. It is incredibly important that we not set a precedent for shooting the messenger.

  56. Re:what is with people by Reid+Fleming · · Score: 1
    I have no doubt that cDc's great "demo" will consist of someone logging in as Admin (or obviously an account in the administrators group), running their application, and then smugly smiling as it does exactly what it should do, which is run as a background process. WOW! Tricky!

    No doubt whatsoever? Then I suppose you wouldn't mind placing a wager on that? Meet me at Defcon before Saturday 2:00pm and we will make a bet. Bring money.

  57. Re:BO is usefull by Anonymous Coward · · Score: 0

    One of the big reasons I used system32 was because they gave source.

  58. good sides and bad sides by Giraffit · · Score: 1

    The good side is that after being hacked by BO, stupid users who actually activate dubious files will learn. And if they won't - they deserve it.

    The good side is that equally stupid users, i.e. the crackers, will actually feel sooooo smart.
    The good point of that is that sooner or later they will be caught; that's the punishment for stupid hackers.

    --
    Ballerinas have fins that you'll never find
  59. Symptoms of Closed Source by Adam+Knapp · · Score: 1

    I don't think that exploits like this have so much to do with the fact that Win NT is a crappy operating system but with the fact that it is closed source. If NT was open-source under just about any meaning of the term we wouldn't just see an exploit like Back Orifice published, we would see both the exploit and a fix published. Why? Because no cracker wants his system to be cracked by another cracker using his own crack.

    1. Re:Symptoms of Closed Source by Anonymous Coward · · Score: 0

      Back Orifice is as much of an exploit as starting up PC Anywhere or Laplink (you would be surprised how many of these systems don't have passwords set!) The hole in IIS was an exploit. Back Orifice is simply a trojan (if even that, because it doesn't pretend to do anything else), like the macro viruses floating around.

    2. Re:Symptoms of Closed Source by Anonymous Coward · · Score: 0

      Network + Run a Process = Back Orifice. To say their little product is simplistic is a GROSS understatement, and the fact that the idiots that inhabit this web board think it is an "exploit" absolutely proves outright how grossly uneducated many of you are on NT.

  60. Re:Idiot by Anonymous Coward · · Score: 0

    Yeah I remember system32 was pretty small too, but it just gave a command prompt or let you run stuff remotely thru a webpage it would d/l. I just wish they would have put that keystroke capture in system32.

  61. what is with people by Anonymous Coward · · Score: 1

    It is incredibly that so many people don't even understand what is going on before they open there mouths, I am in no way saining that MS products are secure.

    But this is not a security hole, it is a remote administration program that has to be installed. It doesn't matter what the OS is, if you install a program that was written to give remote admin capabilities, then you have given people that ability.

    How does this constitute a security hole on M$'s part? It sounds more like a security hole in the person using the computer. I can remote admin many different OS's; does that make them insecure also?

    People please think, think before you speak, or politicians will take that away from you also.

    1. Re:what is with people by Palin+Majere · · Score: 2

      "What is with" people is the fact that while BO 2K is a program that must be installed, it does _not_ require Administrator-level access to do so. There are numerous unpatched security holes in Windows 95, 98, and NT that allow unprivileged users to act as fully privileged Administrators.

      The analogy here is that every NT box has a walking 'root' attack built into it...

      Now, would you want a security hole like this in a multi-user system? All it takes is _one_ downloaded email program and your entire network is compromised.

      Let's think about this a moment:
      BO 2k (and the original BO) is designed so that it can install invisibly after being attached to another program that _executes normally_. This means that Script Kiddie A can attach BO 2k to, say, a copy of the latest version of WinZip. He then sends that copy of WinZip out in a nicely drafted email to several people at an office. The instant one of those people downloads that email and installs the new version of WinZip (which works fine, and is in all ways a 'normal' version of WinZip), they have just infected the entire network with BO2k.

      Now tell me this is a 'remote administration' feature and not a security vulnerability.

      The very nature of remote administration implies that you must have privileged access to the machine in order to administer it. BO2k allows _unprivileged_ users to both install and administer it.

      While I disapprove of the cDc's choice of methods, I can at least say that if they had to make this program, they are at least distributing it properly. Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. Patches could conceivably be easily produced by Microsoft, and programs to detect, counteract, and remove it should be easily developed as well.

      This IS a security threat people. Take it lightly and I'm sure you'll rapidly change your tune after your network is taken over by Script Kiddie A exploiting known Microsoft security vulnerabilities.

    2. Re:what is with people by Anonymous Coward · · Score: 0

      ""What is with" people is the fact that while BO 2K is a program that must be installed, it does _not_ require Administrator-level access to do so. There are numerous unpatched security holes in Windows 95, 98, and NT that allow unprivileged users to act as fully privileged Administrators."

      Firstly, there is no such thing as Administrator in 95 or 98, and they were never intended to be secure operating systems.

      As far as NT: There WERE several holes that allow a process to trick its way to admin level (just as there were in Linux and just about any other OS. Bugs are an unfortunate reality of complex software), but as far as most security experts are concerned those holes no longer exist. If this cDc demo DID exploit any such bug (which given the gross simplicity of previous code of theirs, I HIGHLY doubt it and you sure seem to be presuming a lot), I guarantee I'd have a Microsoft Security Advisory in my inbox within 12 hours.

      I have no doubt that cDc's great "demo" will consist of someone logging in as Admin (or obviously an account in the Administrators group), running their application, and then smugly smiling as it does exactly what it should do, which is run as a background process. WOW! Tricky! What GENIUSES! The media will of course click their cameras and write reports of this great new hacker/cracker/smackdaddy tool that we must fear...

      This stuff is so banal and absurd it gives me a headache. How bloody STUPID can people be?

  62. Export restrictions? by Anonymous Coward · · Score: 0

    Aren't you running into trouble with the enclosed encryption routines when BO is exported?

    Maybe it would be worth releasing an Open Source version without encryption (and maybe without the 'invisibility' feature).
    That way, people could use the code for 'friendly' purposes, and it would be more difficult to create a modified (and hence more difficult to detect) malign version of BO.
    The binary version would provide enough headaches for M$.

    1. Re:Export restrictions? by Tweety+Fish · · Score: 1

      We are taking steps to make absolutely sure that our distribution of BO2K violates no state or federal laws.

      We also strongly believe that people should be able to use the software with strong encryption.

  63. Re:Idiocy by WiPEOUT · · Score: 1

    "This 'security' risk is nothing specific to the Windows world."

    The security risk *is* specific to the Windows world. BO/BO2K can be installed by any user, privileged or not.

    To do the same on a Unix-based system, one would need either root access or a poorly configured system (i.e. you need to somehow trick a privileged user into running it for you).

    "Any mildly compitant [sic] sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure."

    Thanks for emphasising my point. Your problem is that under Windows, anyone can install BO, not simply the system administrator.

    Aside from that, any problems that are discovered in an open-source Unix-based OS have patches released within *hours*. Contrast this with MS's responses to past issues, and come to your own conclusions.

    "Designing this program to comprimise [sic] a system that isn't designed to be secure is ridiculous."

    I couldn't agree more. But Microsoft claims that its "enterprise-ready" OS *is* secure. Your ridicule should be directed at MS.

  64. Re:??? by Anonymous Coward · · Score: 0

    Looks like I misunderstood you, and you misunderstood me.

    > If somebody is kind enough to alert me of my system insecurity, I will gladly reciprocate the gesture with my boot up their ass.

    I inferred either:

    1 - the cDc releasing bo and telling you that windows has a problem...
    2 - A user who catches a security hole _and reports it_

    But still... You'd rather not know possible security problems?

    -
    I am ODiV, hear me type.

  65. Re:Imagine by tqbf · · Score: 1

    cDc hasn't invented anything. The source code is meaningless to the research community as a document of any new problems.

    cDc probably hasn't done anything in the code for BO2K that wasn't already documented in MSDN. The source code probably will not convey any new revelations to the computer underground.

    BO2K is not a new concept. The equivalent has probably been floating around the computer underground for ages. The idea is simply much better documented now, and MS has a very compelling reason to address the issue directly.

    It is a fairly well-accepted tenet of the security community that whenever you hear about new source code being released, you should assume it HAS been released to the underground for quite some time beforehand. What makes you think that BO2K, or something much worse, hasn't been available to modify by crackers for years?

    This same logic could be applied to Aleph One's "Smashing the Stack" paper (the harbinger of 31336 different stack overflow exploits). With the benefit of hindsight, we see that the result of this exploit cookbook (which was, by the way, far more dangerous than BO2K source code, given that it [and its immediate antecedents] DID contain revelations to the computer underground) was the almost complete eradication of stack overflows from Linux and 4.4BSD.

    On a lesser scale, the release of the rootkit trojans had the same effect for the Unix security community --- you'd have a hard time hiding the original rootkit on even a naively administered network these days.

    BO2K will have the same effect on NT.

  66. Re:The best thing for BO is to become useful. by Gog_Magog · · Score: 1

    If it has a legitimate purpose, then MS can't really just "ban" it. :-) They might have to actually fix the security holes.

  67. Re:bad journalism by whoop · · Score: 1

    If all analogies are flawed, then aren't all flaws analogies? Or, wait a minute...

  68. Re:key words "RUNS INVISIBLY" by Anonymous Coward · · Score: 0

    Cthulhu. Yeah right.

  69. Re:Fun Stuff (tried Gspot yet??) by Anonymous Coward · · Score: 0

    I think I'll have to have my girlfriend help me. Apparently I have trouble finding g-spots.

  70. Re:BO vs VNC/PC Anywhere by Anonymous Coward · · Score: 0

    The old BO was easily "exploitable" by people who didn't install it. BO2000 seems to address this issue.

    On the other hand, PC Anywhere is easily "exploitable" by people who didn't install it, too.

  71. NT *is* horrible by cthompso · · Score: 1

    I do have to disagree with its "a decent system." I've administered both NT and *nix boxes, and it's just night and day.

  72. Re:Yet more MS bashing by Kierkan · · Score: 1

    Please read this, then think again if they really make great GUIs.

  73. Re:Just twits getting self-excited. by generic · · Score: 1

    I agree that UNIX distros need work to secure them out of the box; the problem is Microsoft has no security model for 98/95. NT can be made much more secure with some work; however, I won't allow our firewall to be built on one for a few reasons.

    1) Patch releases take too long
    2) Stability
    3) The UNIX OS's have been around for 30 years and poked at longer.
    4) Go ahead, install that service pack on your critical NT system. I dare you.
    5) Automation.

    --
    Microsoft aggravates my Tourette's syndrome.
  74. Re:Not a good thing by delmoi · · Score: 1

    It's my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.

    you'd also make a shitload of money :)
    (well, after the first BO came out a lot of companies came out with free fixes)

    what's really insidious though, is that because the source is open, it's possible to modify it just enough to evade detection....
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  75. Re:key words "RUNS INVISIBLY" by Anonymous Coward · · Score: 0

    It doesn't run invisibly. The process has to be listed among running processes. I assume it won't be the same as the prior version of BO and be something like BOSERVER.EXE. But, if you know your machine well, and you know NT, you can tell something is up just by looking at the process list in Task Manager. Which any knowledgeable NT user does on a regular basis.
    It's all irrelevant anyway. If you're on the net, and you're not security conscious, it's your own damn fault if you end up with a virus, trojan or worm. You'd have no one to blame but yourself.
    When it comes down to it, security really doesn't have a lot to do with operating system. It's the administrator. Windows 95 isn't that hard to secure...and NT is even easier. Linux isn't secure out of the box, but it can be made so. Not wholly secure of course, that's impossible, but this kind of kiddie script garbage is easily avoided with any operating system.
    Don't turn this into a security issue...because it isn't. If you could get it onto a machine without the operator causing it in some way (running an unknown exe, sharing the hard drive over TCP/IP, etc), it's their fault, not the OS's.
    Sorry for babbling :)

    Bill

  76. Re:Idiocy by Anonymous Coward · · Score: 0

    "Win98 is NOT enterprise ready, NT is. No one in their right mind would run 98 in a corporate network environment, for exactly that reason."

    Funny then that M$ only uses Win9x clients in their benchmarks, not NT.
    Their argument is just that Win9x is the "corporate standard" for clients, not NT.

    (And yes, I know that Samba is much faster with NT clients than with Win9x, in contrast to NT)

  77. a pain in the ass by delmoi · · Score: 1

    I think what he meant was that with the source available, it would be simple for someone with reasonable skills to hack up a custom version that can avoid virus detection (in fact I plan on doing this :P)
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  78. Re:I LOVE THIS APPLICATION!!! by Anonymous Coward · · Score: 0

    Do you have a link?

  79. Re:But wait, could it be... USEFUL? by TheMeld · · Score: 1

    Agreed...

    $ diff -u VNC_OR_SOME_GOOD_REMOTE_CONTROL_PROG BO2K
    - bloat
    + speed
    - tell the user you installed it

    I never understood why people thought BO was a security exploit. It's a quiet remote control app. The fact that people have coded silent installers is not a security hole, either. I could probably, in a couple hours, write a little proggie to silently install VNC on someone's computer. Or any other remote control app for that matter (VNC would be easy because it's GPL'd).

    --
    -Cheetah
  80. Re:analogies suck around here by squarooticus · · Score: 1

    Okay, you people are misunderstanding the point of analogies. If I say something like "Ted Kennedy's mouth is to words as a sphincter is to shit," I'm not comparing Ted Kennedy's mouth or his words to either sphincters or shit.

    In an analogy A:B=C:D, there is no implied relationship between individual elements (such as A and C or A and D or even A and B); rather, the relationship between A and B is said to be equivalent or nearly equivalent to that of C and D, even if A(B) has absolutely nothing to do with C(D). Nothing more is implied.

    Kyle

    NP: Gamma Ray, Sigh No More
    --
    Kyle R. Rose, MIT LCS

    --
    [ home ]
  81. Re:Imagine by joq · · Score: 1

    Is it going to have yet another backdoor going to cDc?

    Now let's get realistic for a second. If it were worth anything more than a new script kiddie tool why not bring it out at PC Expo as opposed to DefCon? Program something good for a change. And I don't mean that in the sense that the program sucks. You know damn well its intentions are for the losers who wouldn't know how to hack a chicken with an ax point blank. Think of all the data that's going to be destroyed when some 14 year old loser downloads it and sweeps subnets because his little high school hoe just dumped him and now he wants to DELTREE your whole damn PC.

    You and I both know the true purpose behind BO is just a slap in the face to Microcrap and a way to intrude networks and nothing more.

    ...by the way what's up to the l0pht section of you guys... ;)

  82. IT WILL BE GPL'D by Anonymous Coward · · Score: 0

    This release will be GPL'd so we can all hack away and take a look at some Windows internals. That sounds exciting to me!!!!!

  83. Right. by Anonymous Coward · · Score: 0

    And what I was saying is that the analogies presented thus far were NOT equivalent. Thank you for clearing that up.

  84. Re:Idiot by Anonymous Coward · · Score: 0

    Man, some of you just aren't getting it.

    BO was made to be just barely dangerous enough to cause a stink and get press attention. It's not about 'hacking', it's about politics and pressing an issue. It could have been a LOT worse, but making "scary hacker appz" was not the point.

    CDC predates "script-kiddies" by about, oh, a dozen years. There's an agenda going on here, and I think you'd be well-served to look at the broader picture. All of those guys are at least in their mid-20s, ranging up through their 40s.

    Watch what happens at Defcon on Saturday during their presentation. A lot of this should become more clear.

  85. Dumbing down by True+Dork · · Score: 1

    I am not a Windows NT fan (nor do I play one on TV), but I admin about 60 Windows machines as workstations at work. What I have noticed is the absolute lack of knowledge that a lot of these users have. In Win9x, there are no levels of admin/poweruser/domain user/guest. People are encouraged everywhere you turn to run this neato exe from a web site with a "~" in the URL. Screen savers that have an install instead of just a .scr file are a perfect example.

    But that's only part of the problem. Mass production of MCSEs isn't helping.

    I've been admining NT and Linux for quite a while now, but I decided to enroll in (ugh...I know...shaddup) MCSE school to learn the little details I would need to throw back out at the test to be "certified". It was pretty depressing. In the ENTIRE NT wks and svr sections, I only recall seeing "don't stay logged in as the Admin" once. It was never stated in class. I was one of two people in the class who had even installed NT. (They give you a 120 day eval.) Several people didn't have computers.

    IF you are going to use NT as an important server, you should really set it up with strictly what you need, service pack it as best you can, lock the console, and never log in locally unless there is a problem. I have gone to way too many places seeing people using the server as their workstation logged in as Administrator with IE4 and Outlook (with Word as the editor) both open, having no idea what that can do. Getting your hands on people to run your servers intelligently (or for God's sake learn yourself) is the best plan if you must use NT. Don't use IT staffing firms. And the most important rule: If the NT machine matters to you, don't put it on the Internet. If you must put it on the Internet, don't browse from it and DAMNIT, DISABLE NetBIOS on the NIC that is facing the Internet. These can't solve all problems, but it's all you can really do.

    This is not taught to the people who really really want to be an admin in MCSE school. People aren't learning. I have no idea what the solution to this is. I can make all the noise I want about it, but someone always knows better.

    It is pretty silly to see this as some massive threat. IP masquerading or proxying or whatever should stop this from happening to you unless someone makes one that opens control outbound actively to a predefined host instead of passively waiting for a connection. People were scanning clients on IRC for PC-Anywhere connections to look for blank passwords. Why is cDc worse? Open NetBIOS shares, buggy Windows FTP servers, etc. are much more of a problem for the people willing to have MS products directly on the Internet, but again, that's user error and they probably didn't know.

    Maybe I'm way off track here, but I dunno. Just thought I'd ramble :) Take care.

    -True Dork

    1. Re:Dumbing down by Anonymous Coward · · Score: 0

      I saw an advertisement the other day that went something like this: "Enroll now at XXX for MCSE training. No computer experience necessary!" That gave me a little laugh.

      Anyway, although there is little hope for Win9x, NT can be perfectly secure. Microsoft has a nice checklist that my mom could even follow to secure a server. Overall, NT seems to be more resistant to hacking than other OSes. (But that hack worked because things weren't firewalled.)

      Of course the "dumbing down" is going to happen to Linux too. I tell the other admins all the time "don't login with telnet", "don't take out /etc/securetty", and "don't keep users with no passwords" but they don't seem to listen. It is just easier to take those shortcuts.

      Here's an interesting idea.. Is it possible to force win9x (with a registry hack or something) to only run signed executables? That would help against BO but is pretty useless against macros.

  86. Re:Open Source, dangers thereof by Gawyn · · Score: 1

    Ban open-source software for the public? What are you, some kind of M$ neo-nazi or something? Yes, some hackers will open-source their software so their hacker pals will make even nastier versions.

    What about open source OS's? *nix? You are saying that in order to make open-sourcing illegal, you would completely obliterate an operating system which has out-performed the current most-used operating system, Windows?

    ~Gawyn~

  87. Re:FUD!?! by Anonymous Coward · · Score: 0

    Yes, you are right. The only possible way this could be an exploit is maybe if it was combined with the IIS hole. (But does that leave you at Administrator level?) Any OS which allows itself to run user supplied data will have this "feature". Linux, NT, and other multi-user OS's are a little more immune because a normal user can't (or shouldn't...) run programs which affect other users. Once you get root/Administrator access however, all bets are off!

  88. Re:Sadly enough... by Anonymous Coward · · Score: 0

    I don't care who writes the software I use as long as it is secure and I have access to the source. If Microsoft wrote a secure OS which I could have access to the source, I would not hesitate to run it. The security and freedom offered by an OS is what is important, not who wrote it. This is why I currently run Linux and am looking into FreeBSD.

    If BO2K alerts people to the poor security model of Windows, that's good. If the only way to get Microsoft to address and fix the security issues of their product is to hit them in the face with a pie once in a while, then do it.

  89. Idiocy by CoolAss · · Score: 1

    This 'security' risk is nothing specific to the Windows world. It is not that hard to do the exact same thing on Unix. (There are several programs available to do this on Linux and BSD...)

    Any mildly competent sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure.

    WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.

    I obtained a copy of BO 2000, and I was unable to get it to run on NT. I tried it on 3 separate NT systems including 2 copies of Workstation, and 1 of Server. It gave me the same illegal operation on all three systems.

    It did, however, copy its key to the registry, and move itself to the WinNT directory. Each time I started up, however, I got a blue screen with the error, and after I hit enter, the system booted normally.

    I have a feeling that BO 2000 *may* run on NT, but I couldn't get it to work.

    BO 2000 ran great on Win98, and 95... and there are some nice improvements.

    I personally think that BO is dumb. Designing this program to compromise a system that isn't designed to be secure is ridiculous. It simply shows the childish tendencies of many hackers.

    1. Re:Idiocy by Gawyn · · Score: 1

      Yes, but if ANYONE who does have the privileges to do such things gets the BO 2K infection, no matter what, your network is going to get it, and you will spend hours and hours working to clean your network.

      ~Gawyn~

    2. Re:Idiocy by tqbf · · Score: 0


      WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.

      This is silly logic. Of course you see more "Unix exploits" than NT exploits.

    3. Re:Idiocy by tqbf · · Score: 1


      WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.

      This is silly logic. Of course you see more "Unix exploits" than NT exploits. Unix is open source, which makes it easier to find exploits. The only people that have comparable resources and ability in the NT community are not going to release their discoveries to the public.


    4. Re:Idiocy by _Lint_ · · Score: 1

      You're right about one thing: NT isn't designed to be a secure system. However, Microsoft continually advertises it as such.
      Also, cDc notified Microsoft PRIOR to releasing the original BO. Microsoft continually ignored them. They went to the press. Microsoft basically called them liars, saying that their OS was secure, and that it was impossible for anyone to do what cDc said they could do.
      Releasing BO was the only way to make MS own up to the problems in their OS. And they *STILL* downplay it.
      Finally: Yes, dozens (not hundreds) of Unix exploits are discovered each week. But each week, dozens of fixes/patches/updates are released. Remember that attack that was discovered in the Linux kernel a month or so ago? How fast was a patch released? Within hours. How often does MS release security fixes for URGENT security holes? Why does BO still work one year later? Why does MS CHARGE for upgrades that fix security problems? cDc doesn't have to write a BO for Unix. The Open Source/Free Software community already handles security concerns responsibly. MS clearly doesn't, and BO offers consumers the best chance of forcing MS to handle security problems responsibly. They certainly aren't doing that now.

    5. Re:Idiocy by Anonymous Coward · · Score: 0

      "You're right about one thing: NT isn't designed to be a secure system."

      Whatever. NT is a far more secure system than Linux is and was designed from the beginning with security in mind.

      "Releasing BO was the only way to make MS own up to the problems in their OS."

      BackOrifice does NOT take advantage of any secret OS backdoors, and operates just like ANY internet server. There is nothing more "exploitive" about someone voluntarily running BO than running a QuakeWorld server. That's why MS told them to get lost. They're a bunch of media hungry clowns.

    6. Re:Idiocy by seanb · · Score: 1

      "BackOrifice does NOT take advantage of any secret OS backdoors, and operates just like ANY internet server."

      That is precisely the problem. Without using any back doors, only an idiotically open API, BO is able to do far more than any userland app should be able to.
      From the cDc website:

      "It uses documented calls built into Windows to do such things as:

      Reveal all cached passwords. This includes passwords for web sites, dialup connections, network drives and printers, and the passwords of any application that stores user passwords in the operating system. (This Windows feature was implemented apparently so the user won't be inconvenienced by having to remember his passwords every time he uses his computer.)

      Create shares hidden to the user and list the passwords of existing shares.

      Make itself mostly invisible. Back Orifice does not appear in the control-alt-delete list of running programs, and can only be killed by a low level process viewer which Windows 95 does not ship with. To their credit, Windows 98 does ship with a process viewer, but it is not installed by default. "

  90. Windows Security Holes (was: Oh please) by musique · · Score: 1

    The biggest security hole with Windows is that it is too easy to run programs that open security holes. It is too difficult to protect a system when your executables are read/write by users and executables have so much control over resources. It's too easy to attach trojan horses to e-mails (aka Melissa).

    I was shocked when many of my NT programs did not run or gave warning/error messages when I protected their directories (i.e. \Program Files) as read only. Unix has it right in this department--protecting the /usr tree from the user!
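The conditions this thread keeps coming back to (a Run-key entry and an executable dropped into the Windows directory in post 89, the hidden shares in the cDc list seanb quotes, NetBIOS left enabled on an Internet-facing NIC in post 85, and user-writable program directories in this post) can all be checked from the defender's side. The script below is an added example, not code from the thread, from cDc or from Microsoft; it assumes a current Windows build with PowerShell 5.1 and the SmbShare module, which the NT 4 and Win9x systems discussed here do not have.

```powershell
# Added example: read-only audit of the weak spots named in the discussion.
# Assumes Windows PowerShell 5.1+ with the SmbShare module (not 1999-era NT/Win9x).
#Requires -Version 5.1

function Get-SuspectAutorun {
    # A self-installing trojan typically registers a Run key so it restarts at logon.
    # Flag entries whose target is missing, unsigned, or parked under %windir%
    # (legitimate Microsoft entries there carry a valid signature, so the first flag
    # separates the two cases).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne '(default)' } |
            ForEach-Object Name
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            # Crude target extraction: a quoted path, or the first space-separated token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                [pscustomobject]@{ Key = $key; Name = $name; Target = $exe; Finding = 'target not found' }
                continue
            }
            $sig = Get-AuthenticodeSignature -FilePath $exe
            $flags = @()
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            if ($exe.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'lives under %windir%'
            }
            if ($flags) {
                [pscustomobject]@{ Key = $key; Name = $name; Target = $exe; Finding = ($flags -join '; ') }
            }
        }
    }
}

function Get-HiddenShare {
    # A share name ending in '$' is omitted from browse lists. The built-in admin
    # shares are expected; any other hidden share deserves a look.
    $expected = @('ADMIN$', 'IPC$', 'print$', 'FAX$')
    Get-SmbShare | Where-Object {
        $_.Name.EndsWith('$') -and
        $_.Name -notin $expected -and
        $_.Name -notmatch '^[A-Za-z]\$$'      # drive admin shares such as C$
    } | Select-Object Name, Path, Description
}

function Get-NetbiosEnabledAdapter {
    # TcpipNetbiosOptions: 0 = DHCP decides, 1 = enabled, 2 = disabled.
    # Anything other than 2 on an Internet-facing adapter is what post 85 warns about.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        Select-Object Description, @{ n = 'IP'; e = { $_.IPAddress -join ',' } }, TcpipNetbiosOptions
}

function Get-UserWritableProgramDir {
    # If ordinary users can write into program directories, anything they run can
    # replace executables that other, more privileged users will later execute.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE')
    # FileSystemRights.Write covers WriteData/AppendData/WriteAttributes/WriteEA;
    # Modify and FullControl both include those bits, so one mask catches all three.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($dir in $dirs) {
        foreach ($rule in (Get-Acl -LiteralPath $dir).Access) {
            if ($rule.AccessControlType -eq 'Allow' -and
                $broad -contains $rule.IdentityReference.Value -and
                (([int]$rule.FileSystemRights) -band $writeBits) -ne 0) {
                [pscustomobject]@{ Directory = $dir; Principal = $rule.IdentityReference.Value; Rights = $rule.FileSystemRights }
            }
        }
    }
}

'== Autorun entries worth a look =='
Get-SuspectAutorun | Format-Table -AutoSize
'== Hidden shares beyond the admin defaults =='
Get-HiddenShare | Format-Table -AutoSize
'== Adapters with NetBIOS over TCP/IP not disabled =='
Get-NetbiosEnabledAdapter | Format-Table -AutoSize
'== Program directories writable by broad groups =='
Get-UserWritableProgramDir | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and the share list are fully readable; each section prints nothing when that check is clean.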

  91. Re:Not a good thing by dark3r · · Score: 1

    The issue is not whether MS Win products have security holes; they do. It is a commonly accepted fact. The point is that by releasing Back Orifice and Back Orifice 2000, you're (cDc) opening up anyone unlucky enough to run an attached executable or any other method of delivery crackers may design to a complete loss of privacy and control of their computer to anyone who knows just enough.
    It's one thing to code this from scratch, run it from a command line, and analyze packets etc. It's an entirely different issue to slap a GUI interface on it, make it self installing, completely user friendly, *and* make it completely hidden from the victim. Not anyone can code or decipher IP packets, but when it's so easy to take control and access someone's computer, you're letting the wrong kind of people into the toybox.
    Conclusion: BO and BO2000 will not hurt MS. MS will release a patch (maybe) and move on to another software product (definitely). BO and BO2000 will simply hurt the people who use MS.
    It's my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.

  92. Re:Yet more MS bashing by eponymous+cohort · · Score: 2

    Microsoft, if you fault them everywhere else, is extremely good at making user friendly interfaces.

    Microsoft is good at making interfaces that appear user friendly. They will claim that they can automatically configure XYZ, and then fail half-way through the process. They offer no details on why it failed.

    The fact that it takes them 4 revisions to get it right (four revisions they make us pay for)

    NT 4 is right? (Ok I know the first version of NT was labeled NT 3.1, so 4 should be only 2 or 3)

    --

    Of all the comments I've ever posted, this is definitely one of them

  93. Conflicting logic by Chris+Andreasen · · Score: 1

    Wait a sec...
    In your post you said both
    "WinNT is just as secure, if not more secure, than most Unix systems."
    and
    "I personally think that BO is dumb. Designing this program to compromise a system that isn't designed to be secure is ridiculous."
    Is it just me or do your statements conflict with one another?

    --
    -Chris Andreasen
  94. Re:bad journalism by whoop · · Score: 1

    How about adding a little bit like needing the user to click a button to say "Yes, you may come in"? Perhaps even make none of the secret accessing the default. Then you would have a decent argument against all the antivirus companies that will mark it as a trojan, which you know they will.

  95. Re:But wait, could it be... USEFUL? by Captain+Teflon · · Score: 1

    If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?

    Would you agree Virtual Network Computing (http://www.uk.research.att.com/vnc) goes at least some way towards meeting that goal? Without including the stealth features and self promotional posturing as our self-appointed security watchdogs?

    You guys in CDC are obviously good programmers. If you're serious about protecting security, I hope you expand to probing other OS's too and not just concentrate on the Gates-bashing which too many here have an obsession about.

    --
    Eagles may soar, but weasels don't get sucked into jet engines.
  96. Re:Because [is isn't it best though?] by Anonymous Coward · · Score: 0

    Hey, I heard cDc is being courted with SHOE ENDORSEMENTS from both Adidas and Vans?!?!?!

    WTF? I remember reading their freaky stories about people having sex with rabbits in the 5th grade. Now this. Crazy.

  97. MS EMPLOYEE? by Anonymous Coward · · Score: 0

    If I worked for Microsoft, I would post something like the above comment. I would downplay it before it came out, (typical FUD), and then I would scare people into thinking that their machines would crash if they used it intentionally.

    Perhaps you don't actually work for MS, but I can see them trying to use this tactic. It will be a fun war to watch...

    1. Re:MS EMPLOYEE? by Anonymous Coward · · Score: 0

      Oh shut up. FUD is like some sort of retard mantra on here. If it doesn't conform with the psycho anti-microsoft drivel, it's FUD.

      FUD FUD FUD FUD FUD!

    2. Re:MS EMPLOYEE? by Anonymous Coward · · Score: 0

      Grow up kid. Are you implying that I ONLY refute FUD when it works against Linux?

      Wrong!

      I refute ANY kind of FUD, because it is poor logic. (Kind of like your use of the term "retard". I hope you don't use that term to put down people on a regular basis.)

      Grow up.

  98. back doors and open source. by McFly777 · · Score: 1
    >Well, from what I hear the source will be
    >available - so I doubt there will be any back
    >doors (and if there are any - they will likely
    >be caught rather quickly)

    Just make sure you compile from the sources and don't just take a binary copy!

    I also heard there was a backdoor in the original BO. Has anyone confirmed this? What info did it actually send?

    --McFly

    --

    McFly777
    - - -
    "What do people mean when they say the computer went down on them?" -Marilyn Pittman
  99. Re:Instant poll by Anonymous Coward · · Score: 0

    It's worse! The poll doesn't even have a "neither" option! You can't even pick a non-threatening (news making) option... :-(

  100. Re:Instant poll by seanb · · Score: 1

    Look at the poll results. So far most people think BO2K will either help or both help & harm.

  101. "Back Orifice RULES!" - says net/sys-admin by Anonymous Coward · · Score: 0

    These trojans, that exploit 'features' in the Win32 API, point to some serious shit. I hate Windows and all its family members. Not just because I think MS products are crap (I do - for many reasons), but because people are going to get hurt in using these systems. Now, I don't like that, but it seems necessary. If BO-like trojans keep on infecting networks, then maybe, *maybe*, MS will wise up and improve their OS-es.
    Now I can hear people screaming "But people shouldn't get hurt!!!!" - ah, says me, MS should not have produced this crap in the first place. The people who stand to lose most are people like me. If a network gets compromised (or the computer of an employee), who gets the blame? That's right. Yours truly.

    I segment my networks. I install filtering software (go linux/freebsd/etc!) *INSIDE* my networks. This allows me (and my fellow admins) to monitor the traffic easily and also quickly find out who has been stupid enough to allow their machine to be trojaned and educate them. No direct traffic is allowed to the internet. (Well, except for my connections.. I have to play Quake, right?) But my users are protected from their own stupidity (yes, that's how I think about most people) and this safeguards our corporate integrity as well.


    Bottom line folks...


    Security does not end at your firewall. Monitor your internal traffic! It is very, very important. This also allows you to catch 'hackers' (ok, crackers) inside your own network. If you think that you have none, you are probably mistaken. Almost every joe I know has tried some Windows 'Hacking' Tool inside his work network. (Not only mine).

    Remember, if things go wrong, *you* get the blame.


    ** Anonymous for obvious reasons.
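The internal-traffic monitoring this admin describes (filtering inside the network, then spotting the machine that has started accepting connections it never used to) can be reduced to a baseline comparison over flow records. The script below is an added example and not code from the thread or from any of the projects discussed; the address ranges, the server inventory, the allowed-port lists and the flow lines are all constructed for it, and port 54321 is an arbitrary made-up number rather than any tool's real default.

```python
import ipaddress
from collections import defaultdict

# Everything below is constructed for the example: the address ranges, the
# server inventory and the flow records are hypothetical.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Internal hosts that are supposed to accept connections, and on which ports.
SERVERS = {"10.0.0.5": {25, 80, 443}, "10.0.0.6": {139}}
# Ports a workstation may legitimately accept from the LAN (Windows file sharing).
WORKSTATION_OK_PORTS = {137, 138, 139}

# Constructed flow records: time src sport dst dport proto bytes.
# 54321 is an arbitrary made-up port, not a real tool's default.
SAMPLE_FLOWS = """\
1999-07-12T09:01:02 10.0.3.21 1026 10.0.0.5 80 tcp 812
1999-07-12T09:01:05 10.0.3.21 1027 10.0.0.6 139 tcp 4096
1999-07-12T09:02:11 10.0.3.40 2048 10.0.3.21 139 tcp 1200
1999-07-12T09:03:30 10.0.3.40 2049 10.0.3.21 54321 udp 256
1999-07-12T09:03:31 10.0.3.40 2050 10.0.3.21 54321 udp 300
1999-07-12T09:04:00 10.0.3.21 1030 192.0.2.10 443 tcp 9000
1999-07-12T09:05:00 10.0.3.55 3001 10.0.0.5 8080 tcp 700
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def expected_service(dst, dport):
    """Is an inbound connection to dst:dport part of the baseline?"""
    if dst in SERVERS:
        return dport in SERVERS[dst]
    return dport in WORKSTATION_OK_PORTS


def unexpected_listeners(flow_text):
    """Internal (dst, dport, proto) triples that received traffic outside the
    baseline, with the sources that talked to them. A workstation suddenly
    answering on a new port is what a trojaned client looks like on the wire."""
    findings = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_internal(f["dst"]):
            continue            # outbound traffic; the gateway filter covers that
        if expected_service(f["dst"], f["dport"]):
            continue
        findings[(f["dst"], f["dport"], f["proto"])].add(f["src"])
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (dst, dport, proto), sources in sorted(unexpected_listeners(SAMPLE_FLOWS).items()):
        print(f"{dst}:{dport}/{proto} reached from {', '.join(sources)}")
```

On the constructed input the check reports two things: the workstation 10.0.3.21 receiving UDP on a port nobody baselined, and the mail/web server 10.0.0.5 being contacted on 8080, which is not in its inventory either. The point of keying the baseline per host rather than per port is that a port which is normal for a file server is still anomalous on a desktop.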

  102. Re:NT *is* horrible - Maybe it's you by Anonymous Coward · · Score: 0

    Maybe that says something about your NT admin skills, because there's a whole lot of NT admins out there who love (well, like) NT, and it doesn't crash as often as a lot of people have reported around here.

    Just an observation: It is hard to find a Windows NT zealot. It is far too easy to find a Linux zealot. The anti-Microsoft rhetoric (propaganda?) seen on places like /. is really an embarrassment to the Linux community.


  103. Re:The naysayers don't get it by gehrehmee · · Score: 1

    Exactly!
    In my opinion, the cDc isn't so much against the code of Microsoft, but against the organization of Microsoft. The code sucks, but there's a reason...
    BO simply brings to light all the problems. If they were really problems in Windows code, they would be fixed by now. Instead, it's a problem in the way Microsoft HANDLES its code.

    Personally, I'm all for the cDc releasing a program to remove BO. (Of course, hacked versions couldn't be removed on account of this). But a simple effort to help users clear up the mess will do a lot to help alleviate the negative response the unenlightened give it.

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  104. MS Response to the original by Anonymous Coward · · Score: 0

    Microsoft's original response to Back Orifice says in part:
    "Back Orifice" does not expose or exploit any security issue regarding Windows, Windows NT, or the Microsoft BackOffice suite of products.

  105. Re:But wait, could it be... USEFUL? by Tweety+Fish · · Score: 1

    VNC isn't bad... because of its model, it tends to be bandwidth intensive and pretty slow. Back Orifice 2000 is a much more efficient (if less pretty) model for networked remote admin.

    As far as turning to other OS's, well, that's a possibility. This is sure a hell of a lot of fun, though, and *nix users, at least, tend to already know what their system is doing at any given time ( or at least, they can figure it out), and thus don't need the particular variety of help the cDc has been providing.

  106. USEFUL? hmm...Hell ya! by law · · Score: 1

    "respectable"
    Respectable is too subjective, I would think that the only difference between CDC members and me is; my thin veneer of ass kissing.
    (No I don't crack, but my open source ideology is in quiet contrast to the Luddite mentality of my employer.)

    "Back Orifice 2000 is a tremendously useful tool for any administrator."

    Agreed, I admin about 100 NT workstations, this could be a great tool.

    "The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them."

    I tire of Closed Software trying to take control away, instead of enabling me. Why is closed software always aimed at the lowest common denominator?

    I am glad to see BO2000 and CDC is around.

    --
    "Think of it as evolution in action."
  107. A bit of logic on BO2K by DeltaCrash · · Score: 1

    Keep in mind that the admin has to launch the client app. Just because the bug is out there doesn't mean there's no way around catching it. Just be wary of who has access to the NT deck, and don't launch any foreign programs; I always thought those were the first 2 rules for being an admin. I can understand why everyone got so uptight with the older BO; beginner and intermediate Windows users are usually fond of funny little .exe programs that show a virtual puppy run across the screen or something. It goes to show how gullible some people are. But that should be a different story for admins. I seriously doubt that any self-respecting network administrator will run a 40k .exe file to watch a few pixels do a dance...
    Although it could always be a Freudian version of euthanasia. Who's to say?

    -DeltaCrash

  108. FUD!?! by Anonymous Coward · · Score: 0

    Correct me if I am wrong, but wasn't BO just a service (daemon)? And won't BO2K be just a service? In other words, in order to be installed, the user has to have enough rights to install a service. Under Windows 9x this is everyone. Under Windows NT this would be Administrators and Server Operators(?).

    So where is the security hole in the OS? Seems to me it is a human security issue, something that affects every OS!!!

    1. Re:FUD!?! by Anonymous Coward · · Score: 0

      By default IIS runs under the system account, so that would be bad news. Not sure how much work it is to run it under a different account or what features you might have to give up to accomplish that. I have done this with Netscape Enterprise and Directory servers. I just can't use their respective admin servers to start/stop them or do directory backups. I have to e.g. use the Services control panel for that (the usual trade-off for a higher level of security).

      On Unix, don't you have to run e.g. Apache as root? I could be mistaken, but I thought O'Reilly's book on Apache discussed this.

  109. Re:... by dark3r · · Score: 1

    There are/were several sites that sprung up after BO's release claiming to rid your system of BO.
    If BO is run with its defaults unchanged, the executable shows up in the Registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce or RunServicesOnce or RunOnceEx. A more insidious user would change the default settings and most likely would not send you a pop-up stating he likes your porn collection.
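The defensive counterpart to the registry locations named in this post is a periodic audit of the whole Run/RunOnce family of keys against a baseline captured from a clean machine, so that an entry with a non-default name still stands out. The script below is an added example and not code from the thread or from any tool discussed in it; it parses the text format produced by a regedit export rather than reading the live registry, so it runs anywhere. The export, the value names, the commands in it (example.exe, finish.exe) and the baseline are all constructed for the example.

```python
import re

# The autostart keys named in the thread (RunOnce, RunServicesOnce, RunOnceEx)
# plus their two siblings, Run and RunServices, which belong to the same family.
AUTOSTART_KEYS = ("Run", "RunOnce", "RunServices", "RunServicesOnce", "RunOnceEx")
CURRENT_VERSION = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"

# Constructed sample of a regedit export; every entry is made up for the
# example and example.exe / finish.exe are hypothetical programs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Example Service"="C:\\WINDOWS\\SYSTEM\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"Setup"="C:\\setup\\finish.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''

# "name"=data, with backslash escapes allowed inside the quoted name.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def is_autostart_key(key):
    """True for the autostart keys above and anything nested below them
    (RunOnceEx keeps its entries in numbered subkeys)."""
    if not key.lower().startswith(CURRENT_VERSION.lower()):
        return False
    head = key[len(CURRENT_VERSION):].split("\\", 1)[0]
    return head.lower() in {k.lower() for k in AUTOSTART_KEYS}


def _unescape(s):
    # .reg exports escape backslashes and double quotes inside strings.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def autostart_entries(reg_text):
    """Return (key, value name, command) for every value under an autostart key."""
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not is_autostart_key(current_key):
            continue
        if line.startswith("@="):
            name, data = "(Default)", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])   # string value; dword:/hex: data stays raw
        entries.append((current_key, name, data))
    return entries


def unexpected_entries(entries, baseline):
    """Entries whose command is not in a baseline captured from a clean machine.
    The comparison is case-insensitive because Windows paths are."""
    known = {cmd.lower() for cmd in baseline}
    return [e for e in entries if e[2].lower() not in known]


if __name__ == "__main__":
    found = autostart_entries(SAMPLE_REG)
    baseline = {"SysTray.Exe", "C:\\WINDOWS\\scanregw.exe /autorun"}
    for key, name, cmd in unexpected_entries(found, baseline):
        print(f"{key}\\{name} -> {cmd}")
```

Against the constructed export the audit lists the two entries that are not in the baseline (the RunServices entry and the RunOnceEx subkey entry) and ignores the Uninstall key, which sits under CurrentVersion but is not an autostart location. Comparing against a baseline, rather than looking for a known name, is what catches an entry whose defaults were changed.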

  110. Bad move... by nmarshall · · Score: 1

    ...Sorry but the cult requires me to curse your house etc... nothing personal, don't worry the pain only lasts for eternity... :)

    La mayyitan ma qadirun yatabaqqa sarmadi Fa idha yaji' al-shudhdhadh fa-l-maut qad yantahi. Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn. Zi Dingir Ana Kanpa, Zi Dingir Kia Kanpa

    nmarshall
    #include "standard_disclaimer.h"
    R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE

    --
    nmarshall

    The law is that which it boldly asserted and plausibly maintained..
    --Colonel Burr 1783
  111. Just make a bad situation, worse by Anonymous Coward · · Score: 0

    Nothing else seems to catch the attention as a release of a backdoor.

    I say as long as cDc are having fun....
    ...and allowing us to have a little too....

    Then by all means, target anything and everything.

    This is supposed to be fun, right?

    1. Re:Just make a bad situation, worse by Anonymous Coward · · Score: 0

      woohoo! yeah baby. just like throwing bricks through storefront windows and tagging warehouse walls!

      destruction is just so kewl!

  112. Microsoft seeks BackOrifice warez by drougie · · Score: 1

    It was written somewhere that Microsoft was keeping "a close eye" on Back Orifice 2000. Could it be that they are somehow connected and can get a hold of pre-release copies? I bet so, and I also bet that immediately after this thing is released at DefCon, that Microsoft will be ready with a quick counter as well as bug fixes and news releases, etc.
    But still, isn't that unethical of them?

    1. Re:Microsoft seeks BackOrifice warez by Obscure+Images · · Score: 2

      We didn't pass any copies to anyone outside of cDc and beta testers. Microsoft will have to wait like everyone else.

      --
      obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
    2. Re:Microsoft seeks BackOrifice warez by Tweety+Fish · · Score: 1

      I think you overestimate Microsoft's proactiveness when it comes to security issues. I'm sure they're interested, but a prerelease copy? Maybe we're a little better at keeping a handle on our betas than some people are.

    3. Re:Microsoft seeks BackOrifice warez by dattaway · · Score: 2

      Microsoft interested in security issues? Somehow I feel it is more macho they are more interested in offensive measures than defensive.

      I'd like to see the neighborhood traffic on your street. How many are dark vans and limos with dark tinted windows and stay parked close to your house? Have you ever walked up to one of them to say "Hi!" to the occupants? I'm sure there is a vested interest in knowing who you are and watching your residence, friends, and place of work.

    4. Re:Microsoft seeks BackOrifice warez by Anonymous Coward · · Score: 0

      They are proactive when it comes to publicized security issues...

    5. Re:Microsoft seeks BackOrifice warez by Saint+Nobody · · Score: 1

      if you were actually doing this for security purposes, then why not let ms have a prerelease copy? that would give them opportunity to fix the problems, making the negative aspects of back orifice a moot point. script kiddies couldn't exploit those holes.
      I honestly don't think ms would fix the holes, but they deserve the opportunity.

      --
      #define F(x) int main(){printf(#x,10,#x);}
      F(#define F(x) int main(){printf(#x,10,#x);}%cF(%s))
    6. Re:Microsoft seeks BackOrifice warez by Anonymous Coward · · Score: 0

      In that case, wouldn't it be highlighting Microsoft's lack of proactiveness by giving them a pre-release copy, source and all, and not seeing a fix come out?

  113. Maybe if you had a clue... by Anonymous Coward · · Score: 0

    No process can run invisibly on NT. Period. Either it shows up as a device driver, a service or a process.
    If you bothered to actually learn NT you'd know how to find out what's going on inside it.

    cDc's not funny. They're a bunch of attention seeking people who are, I gotta give them credit for this, pretty good at getting media's attention (but media is pretty much a bunch of clueless morons).

    -Filur

    1. Re:Maybe if you had a clue... by tqbf · · Score: 1


      In those cases, "less" invisible. Both of those (old) tricks are incredibly easy to get past.

      Re: "ps": keep a backup copy of "ps" somewhere and periodically diff the -ax output against that of the "real" ps. If they differ, panic.

      Re: "ls": keep a backup copy of "ls" somewhere and periodically diff the -lua output against that of the "real" ls. If they differ, panic.

      There's a procedure to discover attempts at hiding things on Unix systems for any trick an attacker uses. Regardless of how low-level the attacker puts her trojan.

    2. Re:Maybe if you had a clue... by Plugh · · Score: 1

      Au contraire.

      As a previous poster said, ANYTHING can be made more-or less "invisible", simply by hard-coding a hack into the tool that you use to "see" with. In *nix, you might recompile ps so that 'my_superroot' never shows up in the output.

      Then replace the real ps with it, set its timestamp back, and voilà. Hell, you can even hack 'ls' so that it always reports the right size and timestamp for the 'ps' program (and ls itself, of course). The above examples are not *nix-specific, the same method applies to the process viewer -- or, hell, the .DLLs it relies on for system information!

      MORAL: Once someone has "administrator" (root) on your system, it's only a matter of how bad they want to f&*% you.

  114. Re:read the source? bullshit! by tqbf · · Score: 1


    A modified Linux kernel is easy to detect, but not with "md5". Read the source code. md5 does an open() on the target file. It is trivially easy to hook open() in the kernel, detect attempts to read "vmlinuz", and return the original file instead of the modified one.

    Poof. Perfect looking signature and you didn't even have to cryptanalyze MD5. What a break!

  115. If it still works Microsoft didn't do a good job by will12 · · Score: 1

    If the program still works then wouldn't that suggest that Microsoft hasn't done enough to fix the problems, and the source code will help them fix the problems but also allow people to exploit more.

    --
    Peace, Freedom and Linux for all
  116. Solution to your query my friend. by DeltaCrash · · Score: 1

    Please note that the Melissa virus got much media hype, as Back Orifice barely got a chortle. The media hype therefore begat public hysteria, which therefore begat Big Brother's attempt to show the aforementioned hysterical public that they knew what the hell they were doing.

    Now, the fault lies with who? Microsloth, who makes products which resemble a piece of swiss cheese; or the person or group who exploits those holes?

    Oh, by the way:
    Note that MS really hasn't done much about the Back Orifice problem! They know it's there; hell, they even made the comment, and I quote,

    "That vulnerability is completely theoretical."

    Now then, if it's theoretical, WHY DOES THE EXPLOIT WORK?!? Perhaps it's a marketing ploy-
    "Windows 2000 is completely unaffected by Back Orifice, created by evil, dangerous, and nazi computer hackers!"
    Can you see it too, or is it time to take my medication?

  117. Instant poll by Anonymous Coward · · Score: 0

    I like the instant poll that they had on the CNN site -- just how many of the type of folk that can't separate hackers from crackers are going to say that Back Orifice helps provoke security enhancements? They are practically feeding the "right" (never-question-microsoft) answer through the poll. Hopefully, the results won't come back to haunt us...

  118. Re:NT *is* horrible - Maybe it's you by Anonymous Coward · · Score: 0

    Maybe that says something about your NT admin skills, because there's a whole lot of NT admins out there who love (well, like) NT, and it doesn't crash as often as a lot of people have reported around here.

  119. Unix isn't open source... by demon · · Score: 1

    Unix itself isn't open source. The free BSD variants (Net/Open/FreeBSD) and Linux are, Solaris sorta-kinda-maybe is, and the others I know of are not.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  120. Idiot by Foogle · · Score: 0

    Oh yeah, NT is such a horrible OS... C'mon, get real. It's a decent system and, even if it weren't, the "holes" in the Windows system that these crackers are exploiting aren't really holes at all.

    BackOrifice is nothing more than a version of pcAnywhere that runs invisibly (more or less). This could actually be a decent remote administration tool if it weren't built to be used covertly.

    And as for their claims that it's all to promote good security - Bullshit. It's such an ego-trip for them to think that people are worried about apps that *they* wrote. The fact of the matter is that their software doesn't do anything spectacular or innovative - it's just destructive. Olivetti Labs in England wrote something very similar under the name of VNC. It's for remote control of PCs. No one talks about them being at the forefront of security because they're doing it for the usefulness of the program, not the publicity.

    The Cult of the Dead Cow (JESUS! What a friggin script-kid name!!) should all be shot.

    Of course, that's just my opinion - I could be wrong.

    1. Re:Idiot by ivan_13013 · · Score: 1

      Umm.. the original BO *IS* a decent remote administration tool. When I used to use Windows95 in the office, I could view text files containing my todo lists and phone numbers and such in a web browser, and telnet to my DOS prompt from the other side of the building. And with (albeit minimal) password protection and encryption, too!

      Their software *is* innovative. What program can you run in under 140 K which includes a basic web server, process control, telnet access to text applications, screen shots, password protection and more? For that matter, what Windows application runs in under 140K, period? I think my mouse driver was about 200K.

      I don't understand how you think such a monitoring program is destructive or that its writers "should all be shot" for providing it. Who's forcing you to use it? Oh yeah, that's right, you're forced to bend over for CDC because of MS "security" and the strange compulsion to always click on executable email attachments.

  121. Surely you're joking... by Anonymous Coward · · Score: 0

    ...or psychotic.

    If you're actually serious and in a position of authority, you scare the hell out of me

  122. Not a good thing by StephenJ · · Score: 3

    I dunno. This thing plagued our college campus for a few months until we got it under control. Our network is NT on a UNIX backbone.

    I agree with the CNN article: this cult's motives don't make any sense; it's like a cult from the automobile industry who steals cars to make everyone get car alarms. It does much more harm than good. This is a negative way of getting attention to network security, not a positive way.

    1. Re:Not a good thing by Tweety+Fish · · Score: 2

      First of all, if your campus network was NT, you would have had >0 problems with Back Orifice, because it didn't run on NT.

      Second of all, the tool we are releasing is an incredibly useful and powerful remote administration tool, much better than anything else currently available from Microsoft, Symantec or anybody else. If Microsoft didn't make it so irritatingly difficult to figure out what your server is actually doing at any given moment, the security concerns would be a moot point.

    2. Re:Not a good thing by Anonymous Coward · · Score: 0


      I agree with the CNN article: this cult's motives don't make any sense; it's like a cult from the automobile industry who steals cars to make everyone get car alarms. It does much more harm than good. This is a negative way of getting attention to network security, not a positive way.

      For as long as the bbs scene thrived, cDc was around pointing out the security holes in software(s). Following each text they released, a horde of the k-rad 31337 would abuse the exploit until it got patched. 'Media saturation'.

      jon l [201]

    3. Re:Not a good thing by pal · · Score: 1

      i oby-ject.

      it's not quite like a fiendish automobile cult stealing cars to make you buy car alarms. any analogy is flawed, but, come on, cdc isn't stealing anything.

      if you want to make an automobile analogy, i prefer to think it's like someone pointing out that gm hasn't provided your car with a lock!

      that's the point, right? i see every reason to blame microsoft for all the security problems their products have. of course, you can blame the guy that breaks into your system, but how productive is that?

      at least putting pressure on microsoft might get them to fix their problems. an even better solution: don't use (or pay for) their products.

      whatever happened to the poor guy that got arrested for allegedly releasing melissa a few months ago? i feel bad for him. compare his fate to that of the office development team, and ask yourself who's more to blame.

      - pal

    4. Re:Not a good thing by StephenJ · · Score: 1

      I totally see your point, but we have to look at the big picture. That is, ordinary people can download this thing and use it for whatever purpose they wish, whether it be a network admin testing out security, or a person using it maliciously to take advantage of a network without security against it. Some may say, "too bad for the network admin". I understand where cDc is coming from. It can produce results, but it is also probable that problems could result.

      My analogy was incorrect before. A better (perhaps not entirely accurate) one is an auto parts store selling a master key for all Ford vehicles, which would put pressure on both Ford motor corporation and all Ford customers to purchase a different lock for their vehicles.

    5. Re:Not a good thing by j_edge · · Score: 1

      it's like a cult from the automobile industry who steals cars to make everyone get car alarms

      Actually, they would open your door and start your car for you, since your car manufacturer doesn't require keys. It is not equivalent to theft. Though of course they'd write up a text file telling everyone (thieves, owners, manufacturers) the stupidity of creating a car with no locks. And to top it off they'd do it in that oh-so-humorous way that the cDc is famous for. (and it's very, very far from murder, as the "computer security experts" equate it with in their analogy.)

    6. Re:Not a good thing by tqbf · · Score: 4


      A.) Please stop using analogies to communicate. Read the discussion so far. Do you notice that people are wasting more breath discussing the flaws in the analogies than they are the issue itself? cDc didn't infect meat or steal cars. They wrote code. I think we're intelligent enough to discuss that.

      B.) cDc didn't create ANY security problems. The attitude that says they did is called "security through obscurity", and it doesn't work. The computer underground is consistently and blatantly underestimated by people, most of whom have no connection to the security research community, who think that system crackers didn't have tools prior to their public release.

      The functional equivalent of Back Orifice was already in the hands of people you definitely did NOT want to have these tools long before Sir Dystik released the first Back Orifice trojan.

      Pull your head out of the sand.

  123. Re:NT *is* horrible - Maybe it's you by Anonymous Coward · · Score: 0

    Exactly. A good example is Linux.

  124. fyi: dirt is a hoax. more info @ netcriminals.org by Anonymous Coward · · Score: 0

    dirt has never been able to deliver on most of its promises- and the author is a charlatan.

  125. Re:BO vs VNC/PC Anywhere by Tweety+Fish · · Score: 1

    Even in the original Back Orifice you could specify a port and password. While you cannot mask out certain IPs (which you should be doing at a firewall/gateway anyhow), strong encryption and authentication are probably a better solution for protecting your BO installs from unauthorized users.

  126. Re:key words "RUNS INVISIBLY" by Anonymous Coward · · Score: 0

    Jesus. Yeah right :)

  127. Users are the problem by Restil · · Score: 1

    BO2K doesn't exploit bugs in the OS so much as it exploits the gullibility of the users USING that OS. Windows 95/98/NT give a user practically full control over their machine. If I want to delete any file on my hard drive, you can bet that there won't be many things to stop me. If I want to upgrade my drivers so I can play a certain game, the OS won't be complaining about it. And if a friend sends me a cool program and I try to run it, then the OS will let it run. And no matter what that program does, the OS will let it do it.

    In many cases, it's more technologically difficult to install BO2K than it would be to install a backdoor under a *nix based OS. If there are any known exploits on a *nix box (and usually there are), then someone could install a backdoor from remote. They could safely sit at their own computer halfway around the world and install their backdoor. BO2K requires access to the physical computer itself, or at the very least, access to a server where programs the user might run may be located.

    This means, ultimately, that a user HAS to be duped into executing a program. You can debate until the sun goes dead about the malicious intentions of the author; until the user actually installs the program on their computer, it won't work. This is the problem with giving a user too much control over their system when they aren't experienced enough to know how to avoid doing anything stupid.

    So microsoft needs to fix this problem. How exactly would they go about fixing it? They could release a version of the operating system specifically aimed toward the clueless user, which severely limits the access a user can have to their own system. This could actually be useful in corporate environments, but your average home user might not want to go through several extensive security checks so they can upgrade their mouse driver. This kinda goes against the whole PNP philosophy.

    Perhaps a community written pamphlet, maybe 20 pages long that computer vendors could distribute with new computers, modems, and ISP's could send to all new customers, might be useful toward solving a lot of these problems. It could explain basic online etiquette, how to properly conduct oneself in newsgroups, how to avoid the pedophiles online without sacrificing freedom. How to avoid spam, and basic rules about never running programs that people send you, not to forward chain letters, and maybe even touch some of those controversial subjects like how to properly monitor your children's internet activity without excessively invading their privacy at the same time. If such a booklet could be reproduced for free by the vendors for practically nothing, then perhaps a lot of these problems could be addressed without the need of virus scanners, censors, extreme security measures, or new laws that only infringe on the rights of law abiding citizens.

    Just an idea.

    -Restil

    --
    Play with my webcams and lights here
  128. Oh please by Anonymous Coward · · Score: 1

    These people are just in it for the attention. You first have to install the trojan to even get it to work, which in no way proves that Windows has security issues (it does, but this isn't the way to prove it). If you've downloaded and installed the trojan without knowing it, tough break. Don't blame Windows, it's your own dumb-ass fault.

    1. Re:Oh please by dattaway · · Score: 2

      It's a trojan waiting to be installed through some email document/application attachment. Attaching word documents seems to be very popular with people who are trapped in the Windows environment.

    2. Re:Oh please by fr0g · · Score: 1

      I agree. Windows 9x is not a networking OS and it doesn't run "servers" on it to exploit. And if somebody installs it themselves or if they download the latest 0 day warez with BO wrapped into the *.exe it's their dumb fault. I work for a very large computer manufacturer as a technician and I will enjoy every minute of charging folks like this 50 bucks to remove it.

    3. Re:Oh please by questionlp · · Score: 1

      I completely agree, since the trojan horse just pops open a certain port or two so the client proggie can worm inside.

      A *real* security hole would be to find a way to get control of the OS without having a piece of software running on the receiving end of the attack.

      This kind of "tool" just makes things worse by lying and passing FUD around the net.

    4. Re:Oh please by tqbf · · Score: 0


      Of course they're in it for the attention.

      Just like everyone else working in computer security research.

      Fortunately, the goals of the security community are compatible with those of Sir Dystik.

  129. It's a tool people by Plasmoid · · Score: 1

    It's a tool kind of like a gun. You can do positive things(Hunt for food) or negative things(slaughter people). It really depends on how you use it. You could easily use this for remote administration or for destroying entire networks of data. It's all up to you.

    --
    You don't exist. Go away. --SysVinit Halt
    1. Re:It's a tool people by Anonymous Coward · · Score: 0

      you don't hunt for food with a handgun..

      vegetarianism for all.

    2. Re:It's a tool people by topher1kenobe · · Score: 1

      Sure you do. I have, and it was tasty.

      --

      yadda

    3. Re:It's a tool people by Ares · · Score: 1

      You'll take notice that no mention of handgun was made.

      If God hadn't intended for us to eat animals he wouldn't have made them of meat.

    4. Re:It's a tool people by dattaway · · Score: 2

      you don't hunt for food with a handgun..


      I have.

    5. Re:It's a tool people by hawk · · Score: 2

      >you don't hunt for food with a handgun..

      >vegetarianism for all.

      If all you're after is vegetables, why would you use anything bigger than a handgun? Killer turnips? Mutated venus fly traps?

      vegetarians for all. preferably grilled.

  130. Re:I LOVE THIS APPLICATION!!! by Anonymous Coward · · Score: 0

    You're a psycho.

    Seriously.

    It's people like you that make the Linux community look like a bunch of slobbering, idiotic, cultish clowns.

  131. Re:Back Orifice for Linux... by Anonymous Coward · · Score: 0

    But the pids are hidden from /proc. You could go through and kill all pids which aren't listed but that is somewhat dangerous. I haven't chased down the source to kill (/bin/kill and the bash built-in kill are different) but I suspect they check for the pid before sending the kill signal. Patching those wouldn't be too difficult but what has to be patched next?

    This whole issue is sort of like the Java applet vs. ActiveX controls. By design, Java protects your system from malicious applets (except for implementation bugs which can be fixed) but offers nowhere near the functionality of ActiveX. Every additional feature in an OS increases the potential for abuse.

  132. Re:WHY exactly is it.... by Anonymous Coward · · Score: 0

    I've read that the Melissa virus was first posted to alt.sex or some such news group. The author posted a Microsoft Word (or was it Excel?) document. He did not execute it! The people who downloaded it executed it (sometimes without knowing it).

    IMO, there is still room to argue that the post to USENET of the virus is protected speech. Not that you could ever find a jury that could understand the technicalities involved.

    Taking your AK-47 analogy, he didn't go shooting it off in public, but he did leave a loaded one lying around in a public place.

  133. Microsoft's "Alert" about BO2K by Yakman · · Score: 1
    This is a bit of a "Premier Alert" Microsoft sent out regarding BO2K.

    "What is Microsoft doing about BO2K? Microsoft is closely monitoring the situation, and is committed to helping customers have a safe, enjoyable computing experience.

    I don't understand why they don't just fix their Swiss Cheese Security Model ;) It's probably a bit late to post this, but it's very funny (at least I thought so)

  134. It's GPL by Uart · · Score: 1

    That's right, it's open source!!! haha, windows sucks...

    --

    Opinionated Law Student Strikes Again!
  135. Weeding through Micro(BS)oft by DeltaCrash · · Score: 1

    "What is Microsoft doing about BO2K? Microsoft is closely monitoring the situationand is committed to helping customers have a safe, enjoyable computing experience."

    (Read: MicroSoft isn't doing a damn thing about BO2K. We may have a few guys at DEFCON scouting around. It doesn't matter anyway, we already have your cash.)

    Simpler terms: HA HA SUCKERS! YOU BOUGHT OUR PRODUCT NOW YOU'RE STUCK WITH IT!

    You learn to weed through MicroBS gradually. It's a talent I guess.

    It's odd; Win95 came out with all these new little features, and it was touted as bug free. Next Win98 comes out and it says it's "Improved". Again, the MicroBS- Improved means that something needed fixing in the older version. In other terms:
    "Oops- there were some bugs in our bug free software, but instead of fixing them for free, we'll just make you pay again, fix the old bugs, and put some new ones in."

    Please note that other OSes do this too, but they aren't as bug ridden or as hyped as the Windows brand. Now a new question is posed- why use a highly flawed OS? Can I get an amen for *nix and MacOS?

    -DC

  136. Bad analogy, as usual by squarooticus · · Score: 3
    I take issue with the following analogy:

    Releasing a hacking tool like Back Orifice 2000 in the name of safeguarding computer privacy is a bit like the American Medical Association infecting cattle with the deadly e. coli bacteria to inspire food companies to sell healthier meats.


    The correct analogy in this case would be the AMA infecting cattle with E. coli to make cattle owners produce cattle that are resistant to that bacteria. I'm not surprised he used an incorrect analogy: the right one would undermine the "popular" opinion that virii and hackers are universally bad, instead of good for flagrantly (and typically non-destructively) exploiting security flaws and shoddy programming.

    Kyle

    NP: Arkhe, S/T
    --
    Kyle R. Rose, MIT LCS
    1. Re:Bad analogy, as usual by Anonymous Coward · · Score: 1

      just to let you know ALL cattle have e. coli.
      In fact most animals including humans have e. coli. The e. coli bacteria live in our intestines and aid in our digestive processes. Our relationship with them is symbiotic, as long as they don't creep into our stomachs.

      We react negatively to different strains of e. coli when they get into our stomach. Some strains are worse than others, e.g., the ones found in cattle.

      But the gist of your point is well taken.
      I still like the car alarm analogy.

    2. Re:Bad analogy, as usual by Hard_Code · · Score: 1

      Even the revised analogy is bad, because it indicates the cattle are infected with something that isn't already there. The bugs are *already* there, waiting to spring up and bite somebody. Perhaps a better analogy would be somebody putting coloring in the meat that made disease show up in some nasty bright color...or made meat that had some flaw in it taste terrible (which would be a good thing).

      Anyway, all these analogies are wrong because AFAIK BO2K doesn't exploit *bugs*, per se, it exploits *poor design* in the OS.

      --

      It's 10 PM. Do you know if you're un-American?
  137. Re:Open Source, dangers thereof by NtG · · Score: 1

    The whole OSS movement won't change for one trojan horse. In fact, it wouldn't change for 100.
    Anyway, there's nothing to say that it's not beneficial. I'm sure the code would be educational.

  138. Re:bad journalism by Obscure+Images · · Score: 1

    Just as a side note here, there are no current members of cDc who are teenagers. Yes, ladies and gentlemen, we are all adults. We all work for a living, pay our taxes, avoid breaking laws and live our lives the way we please within those boundaries. Now, even though this isn't the right thread, I'm typing here now.

    I will be using BO2K on my machines at the place that I work. I will do so with the permission and support of my CFO. The reason for this is simple. Using BO2K I can fix most common problems with my users' machines without having to leave my desk. I can tune in to a user's machine and see what they are doing wrong, and help them fix things. This saves me time and energy, and my time is valuable. The less time I have to spend monkeying around with users' machines, the more time I can spend writing code.

    Oh, as for privacy: I have a plug-in that I wrote that pops up a little flashing light in the corner of the screen every time I'm monitoring someone's system. They know when I'm doing it, they also know I only do it when they need help and everyone is happy.

    Did I mention that BO2k isn't a Trojan? It can be used maliciously in a trojan-like way, but the same could be said for any other product in this class.

    --
    obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
  139. :P by Byter · · Score: 1

    "remove nospam for e-mail"

    You have to remove the dot after "nospam" as well. :P

  140. Not the same by Jakyll · · Score: 1

    Exposing cows to E. coli is adding something to the lab that wasn't there.

    Exploiting inherent weaknesses of a program is simply doing something with the material you already were presented with that someone else hasn't yet thought of.

    In other words, reworking the genetic material that is already there.

    It's pointing out the flaws and begging them to be fixed!

  141. Re:Because a whole is a hole by Anonymous Coward · · Score: 0

    Whole must equal hole.

  142. Yes, I have heard of one by Anonymous Coward · · Score: 0

    An acquaintance of mine who worked at a security auditing firm, upon hearing that a major client wanted to switch from NT to Unix, decided to provide a demonstration of Windows' security failings.

    He sent an email message to a Windows machine on their network that, without even being opened, installed Back Orifice on the machine using a known buffer overflow. Now that was cute.

  143. Dynamite in your basement. by seanb · · Score: 1

    You're absolutely right. I don't mind at all if you keep 3 tons of dynamite in your basement. None of my business, and I don't care.
    If you try to use that dynamite to blow up something that doesn't belong to you, on the other hand...

  144. Best Analogy Yet by docwhat · · Score: 1
    This is more like someone showing where you can get a chocolate bar and saying, "If you feed this to your dog, it will make it sick and probably kill it."

    The cDc is not installing this. It *is* available, but using the idea that if they didn't write it and make it *obviously* available, then someone would do it silently or such that it would take a while for everyone else to figure it out.

    Why is anyone concerned, anyway? When I ran NT, I kept this off my machine (and other annoying trojans) by following simple security procedures. Things that most people should follow.

    My computers have never had a virus. I have been handed one floppy with material on it that I needed that was infected. And I found it right away and removed it.

    Because I'm lucky? No, because I am reasonably cautious. I never trust my semi-skilled boss to be virus free. I never trust those "run this little program. It's cute." emails.

    As for the argument as to why cDc released it; If MS doesn't care about the quality of their product (which they are only in as such it keeps their image good and makes them money) then their customers must be made aware.

    I don't expect this to sway anyone. It seems most people are very biased into their opinions on MS and their win products. I really don't much care except to say that use the tool that fits and that is comfortable (in that order).

    Ciao!

    --
    The Doctor What (KF6VNC)
  145. heh, they're releasing the source code too... by Anonymous Coward · · Score: 0

    that'll make it a real pain in the arse

    1. Re:heh, they're releasing the source code too... by Obscure+Images · · Score: 2

      Exactly one year ago, we released the first version of Back Orifice to the cries of "Make it open source! Make it open source!" We listen to our public and hence the source is completely open, complete with a fully documented SDK. BO2K is industrial strength software for the people, for FREE. It is also clearly better than the competition. If free software is a pain in the ass, why don't you go tell Linus to start charging for kernels?

      --
      obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
    2. Re:heh, they're releasing the source code too... by Anonymous Coward · · Score: 0

      Thank you. I want to take a look at this. Is it faster than VNC? My parents use a Windows 95 machine as a print server for a cheap WinPrinter; it would be nice to be able to see the spool on Linux. With the source, it may be easier to do this, and I think it would be interesting to look at. I think the only concern is that people who have to deal with this will see more strains of it. Honestly, though, if you release it _only_ in source, that may keep it away from a lot of the "script kiddies", but then that may not coincide with your motives.

  146. LAW ENFORCEMENT HAS THEIR OWN VERSION OF THIS! by Anonymous Coward · · Score: 0

    Dirt is law enforcement's version of Back Orifice. Perhaps these security inadequacies are Microsoft's favor to law enforcement for certain privileges?

    http://www.pcworld.com/pcwtoday/article/0,1510,1 1614,00.html

    I think this is just giving the power that law enforcement has had for a while to the people and showing them how much freedom they're giving up.

  147. Sadly enough... by WareW01f · · Score: 3

    ... BO2K (kinda rolls off the tongue, don't it?) is more pro-WinNT than anti. The people working on it know a lot about the OS and therefore have spent quite a bit of time with it. In the short term it makes M$ look bad, but in the long term it actually improves their product. (That is _if_ they do anything to plug up the holes.)

    What's even sadder is that this could all be avoided if M$ was as open as Linux and there was an open environment for users to say something like "Hey, you gotta problem here, thought you'd like to know." and get a response. That's not the way it works.

    I guess the way I view it is yes, the ethics of giving 'fire' to script kiddeez is somewhat questionable, but as with Melissa and every other stupid hole in M$ software, who's more to blame? The person pointing out the way to a wide open back door, or M$ telling everyone not to worry, they're getting the most secure system around? Let me tell you that as someone who unfortunately has to put up with an NT network at present, it's a bit disturbing when I read about a hole in NT and see a link to an exploit _days_ before I'm notified by Micro$oft's security mailing list that there's even a problem, and then all they ever do is play it down and point out how rare it is and what little threat it is to my system.

    Personally, I say more power to cDc. Somebody has to speak up and sometimes it takes some punk wiping out a network with a keystroke to get the right people to listen. All's fair in code and war. If it's not CNN it looks like somebody's already doing that. Maybe this time they'll learn.

  148. Re:analogies suck around here by seanb · · Score: 1

    Yes, and we are saying that the relationship between A and B is NOT equivalent to the relationship between C and D. You are understood. Others simply disagree.

  149. Re:'wholes' by BitchLick · · Score: 1

    Actually, NT has many exploits to get Administrator privileges from a simple user account. BO2k probably uses those instead of popping up a window asking to be run by the Administrator :)

  150. Privacy Concerns? by KevCo · · Score: 3
    Apart from the possible exploitation by crackers, what about the privacy concerns of an employer using this software?

    Imagine an IS department making this part of their standard workstation build? They could claim that it is for remote administration but could also use it for spying on everything that an employee does on his/her PC. Granted, users shouldn't be doing anything questionable in the first place but still, there are some things that should be kept private.

    1. Re:Privacy Concerns? by hany · · Score: 1
      It's only a question of education.

      If I'm working on some UNIX machine on which I'm not the root (or not the only root), I know that somebody CAN watch what I'm doing and look at my files.

      If someone is told that he has BO on his machine for remote administration and he does not realize he can be watched, it's his own fault.

      And something little about administrators: if an admin is competent, then he cares about the proper functioning of the system, not about spying on users for fun (or whatever).

      --
      hany
    2. Re:Privacy Concerns? by poink · · Score: 1

      If you think BO is a breach of privacy, then just wait until your company is bitten by the Windows Terminal Server and MetaFrame bug. Such wonderful features, like "ghosting" (remote viewing/control) without user notification (the admin can choose to pop up a box warning you). There are all sorts of log and audit trail things, and if your company has a proxy server, then your web activity is prob. also logged.

      Even worse, if you have a decent PBX/Vmail system, then administrative stations can log and save your call activity, break into calls without notification, etc.

      The amount of privacy one has at a workplace is surprisingly small.

      PS - Most IS people that I know don't like to target individuals for monitoring, and when it does occur, it usually happens at the request/order of The Boss.

    3. Re:Privacy Concerns? by dillon_rinker · · Score: 1

      PS - Most IS people that I know don't like to target individuals for monitoring, and when it does occur, it usually happens at the request/order of the Boss.

      I would suggest that the one exception to this is that IS people like to target the Boss for monitoring and report his eventual misdeeds to the BOSS.

    4. Re:Privacy Concerns? by ansible · · Score: 1

      Hmmm... I can do most/all of that now in a Unix/X environment. The basic point is that if I have root access to a system, I can do anything. That's always been true of Unix, and is becoming increasingly true with Windows NT.

      James

  151. Re:Because [is isn't it best though?] by Anonymous Coward · · Score: 0

    If you're a systems admin, and worth a crap, then you have plenty of free time and make good money; shut up and actually do some work.

  152. BO is useful by Anonymous Coward · · Score: 1

    I find BO to be most useful in the remote management of my computer.

    Having at one time or another had shoutcasts/ftp servers/webservers and anything else going, BO provided a really easy way to run/shut-down/reconfigure these...

    The only thing I was worried about was that the server might provide a back door (go figure?) for the cDc... anyone know about that?

    - I am ODiV, hear me type.

    1. Re:BO is useful by Dilbert_ · · Score: 1

      As far as I remember, there was a back door in the BO client, which sent reports of all conducted subnet sweeps back to a certain IP address belonging to someone of the cDc or someone affiliated closely with them. But if BO2K is open source, that won't be the case anymore I guess...

      --
      superblog.org: all your favourite blogs on o
    2. Re:BO is useful by Anonymous Coward · · Score: 0

      And now they're releasing a version with source. Cool, huh?

    3. Re:BO is useful by Nicholas+Schumacher · · Score: 1

      >The only thing I was worried about was that the
      >server might provide a back door (go figure?) for
      >the cDc... anyone know about that?


      Well, from what I hear the source will be available - so I doubt there will be any back
      doors (and if there are any - they will likely be caught rather quickly)


      -Nick

      --
      -Nick
      My name is Obi-Wan Kenobi. You killed my master. Prepare to die.
  153. Use as an admin tool. by Anonymous Coward · · Score: 0

    I'd really like to get a copy of this to try it out as an admin tool. (PCAnywhere can be a real hassle.) If I can use it to admin NT and 9x boxen from *nix boxen, even a little bit, I'll be real happy.

    One of the great things about open sourcing it is that if there's something missing that I want (can I restrict access to certain IPs?), there's a decent chance I can add it.

  154. Re:Because [is isn't it best though?] by Scutter · · Score: 1

    I disagree. CODC releases BO to point out security holes. Their whole philosophy with BO is "someone else should fix the security holes". Their efforts could be more productively focused towards providing software to make systems MORE secure, not less (incidentally making them some bucks in the process). The security specialists can't churn out protection software as fast as the trojans (or virii, or whatever) can be released and proliferate, leaving us (system admins) stuck in the danger zone. This is just going to create one more headache for me that I won't be able to do anything about.
    Doesn't it make more sense to have them (CODC et al.) on our side instead of on the bad guys'?

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
  155. Re:Perfect example by demon · · Score: 1

    Wrong answer. cDc tried telling Microsoft about the flaws they've found. Microsoft chose not to respond. cDc decided that wasn't good enough. I think it's perfectly legitimate to release an exploit (especially when the individual exploits that make up BO have been around for some time, just not necessarily all in one package). It makes people aware that there actually IS a problem. Of course, Microsoft would have people believe that BO introduces the bugs, and that their software is bug-free. That's not the case, though - the bugs are already there, this software just exploits them. Also, as others have said, it's more plain bad design than it is just bugs.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  156. Money's worth. by Anonymous Coward · · Score: 0

    "...and quite a few of its admistrators are just plain dumb wher security is concerned"

    Well it's certainly nice to know that MSCE="getting your money's worth" especially with this new revelation.

  157. cDc justified by blahtree · · Score: 1

    Most detractors of the policy of the cult of the dead cow releasing back orifice label the practice as irresponsible, and juvenile. Yet what is the alternative? If cDc had quietly said to ms, "Hey look, we know how to exploit these holes in your OS, please remedy the situation," it would end there. The easy holes would be fixed, but the rest would remain open because only a small group of people knew about them. MS would try to sweep it under the carpet.

    Given how widespread Windows is, this is really pretty scary. The information that was restricted to a few individuals wouldn't remain that way, and soon many crackers would know how to do what they please with a Windows box. Eventually, the public would catch on.

    Compare this to the current scenario where the public is informed right at the start. This presumably should force ms into action. Seems like a better solution to me.

    1. Re:cDc justified by Anonymous Coward · · Score: 0

      Um, what hole? If you can convince Joe User to run a trojan, then unless you can show that it grants privileges that the User could not obtain w/o additional authentication, what's the big deal?

    2. Re:cDc justified by sethg · · Score: 1
      Groups like cDc are doing us a valuable service, for the following reasons:
      • For many computer-related commercial products (e.g., operating systems, cellular phones, Web server programs), if you can give the impression that your product is more secure than your competitor's product, then (all other factors being equal) you will sell more.
      • The people who buy these products, and the people who review them for industry magazines, can't distinguish a product with bad security from a product with good security. Even a computer-security professional may not be able to find security weaknesses right away; there may be one subtle bug that can leave your system wide open to an intruder, but finding the bug might take weeks or months of full-time work, especially if the people evaluating the product don't have access to the source code.
      • It's a lot easier to boast about your product's security than it is to actually implement a secure product. This is especially true when your product has selling points other than security: a hundred programmer-hours spent improving the user interface will probably do more for your sales than a hundred programmer-hours spent looking for security holes.
      Therefore, when you get wind of a security hole in one of your products, you have a powerful incentive to sit on your hands. Patching the security flaw will take programmer-hours away from adding spiffy new features to the next version of the product. And sending out an emergency patch to fix a security flaw is bad for your reputation, because by doing so, you're admitting that you overstated how secure your product was in the first place.

      Public revelations of security flaws are the best way to push these companies into action, since it takes away their incentive to procrastinate.

      Recommended reading: "Why Cryptography Is Harder Than It Looks", by Bruce Schneier, and "Trends in 'Press Release' Security Advisories", by someone at l0pht.

      --
      send all spam to theotherwhitemeat@ropine.com
  158. Actually, NT doesn't. by Zico · · Score: 1

    Thanks for letting us all in on your ignorance, though. Of course, if you haven't been applying the necessary fixes for the past couple of years, I could root your little Linux box at will.

    Cheers,
    ZicoKnows@hotmail.com,
    who knows that most Slashdotters will believe it anyway

  159. Perl Front end by Anonymous Coward · · Score: 0

    There is already a perl front end on freshmeat called "boscript". It looks a little out of date, but it would be easy to make a CGI interface from this.

  160. Just twits getting self-excited. by Anonymous Coward · · Score: 0

    It's even easier to do the same in a un*x/X-window environment. All you need is the magic cookie of your victim, and then you can make the X-server believe you're that very same guy, so you have every right he has.

    I've seen all that stuff (remote mouse/kbd control punching holes in windows, locking remotely the terminal with a jigsaw puzzle) 7 or 8 years ago.

    All you need is access to the right file... All you need is a careless or inexperienced user. You can type commands through someone else's tty if he has left it 'mesg y' (at least it was true a few years back).

    I'm not an M$ follower, but Un*x systems generally need some admin work before achieving a decent level of security. It's just the same for M$ products. They can be decently secure, but it still requires some work, as the default behaviors are sometimes insane (Autolaunching whatever you received in your mailbox can be quite dangerous...).

    Even the strongest castle is vulnerable to intrusion if you leave the main gate open and all the guards are dead-drunk...

  161. Good to know by Anonymous Coward · · Score: 0

    It's good to know that the CDC has updated their
    remote administration tools in time for W2K. These guys are really on the ball.

  162. Open Source, dangers thereof by Anonymous Coward · · Score: 0

    Well, this just goes to show how open source is not good. People with bad motives are encouraged to distribute source to dangerous programs like this one to gain attention and prestige in a crowd of hackers and crackers who should have better things to do with their time.

    Aren't there laws against exporting dangerous products - that might include source code to programs like this one. Actually a lot of open source is dangerous in the hands of the wrong people - people with bad motivations or merely incompetent people. For example, so many Linux users setting up servers and internet domains causing all kinds of headaches for ISPs.

    Perhaps source code (to all programs) should be restricted as to its distribution - only to certified software engineers approved by some kind of industry standards committee. Anyone else caught distributing source code would be subject to seizure of the contraband and heavy fines, etc. Computers seem to be dangerous tools in the hands of the wrong people - all this puts national security at risk!

    What is the difference, really, between open source and warez? People worked hard to develop software and don't always like to see their work made available at no cost to freeloaders. Those who choose to freely distribute their own source code usually have a hidden agenda - to do harm or unfairly compete with companies and individuals struggling to protect their intellectual property and their livelihoods.

    It's time to clean up this industry and put these hackers and crackers out of business, along with their internet sites which distribute such "open source" software.

  163. read the source? bullshit! by Anonymous Coward · · Score: 0

    Hacker hacks computer A
    Hacker moves old kernel source tree to /usr/src/linux.bak
    Hacker unpacks kernel tarball to /usr/src/linux and copies kernel config from linux.bak
    Hacker applies backdoor patch to new kernel sources in /usr/src/linux
    Hacker compiles kernel and installs it in /boot
    Hacker _REMOVES_ kernel source directory /usr/src/linux and moves real source dir 'linux.bak' back to 'linux'
    Malicious code is in the binary kernel image, not in the sources. User can't detect the backdoor by reading the sources because they have never been modified. The only way to find the backdoor is to use 'strings', 'e/grep' or 'truss' on the binary kernel image to try to locate the new syscalls, a very hard job because he doesn't know what strings to search for.

    1. Re:read the source? bullshit! by Anonymous Coward · · Score: 0

      The original link was to a loadable kernel module (LKM) which could be inserted in a running kernel without touching the kernel image or source. The problem now is how to get loaded again when the system reboots...

      A modified kernel is pretty easy to detect. Try 'md5sum /boot/vmlinuz' (assuming you are on redhat). If even one byte changes, the whole number will change. This isn't 100% protection because a) md5sum is only printing a 128 bit number representing a kernel that is probably 4,000,000+ bits and b) your neighborhood hacker could have patched the kernel to redirect md5sum to the original kernel stored somewhere on disk so the md5sum would be the same.

      The bottom line is if someone has unrestricted memory and/or disk access to a system, they can cause some serious problems. Win9x places virtually no restrictions on this activity while Linux and NT protect themselves quite well. Both OSes are exploitable out of the box though so make sure to keep up on the security patches and disable anything you don't need.
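The check sketched in the comment above ('md5sum /boot/vmlinuz', compared against a known-good value), written out as an added example that is not part of the Slashdot thread or of any project discussed in it. It builds a hash baseline for a set of boot files, then re-verifies them and reports which ones changed or vanished, which is the "if even one byte changes, the whole number will change" property the comment relies on. SHA-256 is used in place of MD5, and the file names and contents are constructed stand-ins for /boot, not real kernel images:

```python
"""Added example (not from the Slashdot thread): a file-integrity baseline
check of the kind the comment above sketches with 'md5sum /boot/vmlinuz'.
SHA-256 replaces MD5; the paths below are constructed stand-ins for /boot."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large kernel image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(paths):
    """Record the current hash of every path. Keep the result off-host or on
    read-only media: a baseline stored on the monitored machine can be
    rewritten by whoever replaced the kernel."""
    return {path: sha256_file(path) for path in paths}


def verify(baseline):
    """Compare the files named in a baseline against their recorded hashes.
    Returns sorted lists of modified, missing and unchanged paths. Any
    single-byte change yields a different digest, so a patched image shows
    up as 'modified'."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_file(path) != expected:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    return report


def demo():
    """Constructed scenario: a fake boot directory, a baseline, then one
    flipped byte in the 'kernel' and a deleted 'initrd'. Returns basenames
    so the result does not depend on the temporary directory name."""
    with tempfile.TemporaryDirectory() as boot:
        kernel = os.path.join(boot, "vmlinuz")
        initrd = os.path.join(boot, "initrd.img")
        config = os.path.join(boot, "config")
        with open(kernel, "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 4096)   # constructed stand-in for a kernel image
        with open(initrd, "wb") as fh:
            fh.write(b"\x1f\x8b" + b"\x00" * 2048)  # constructed stand-in for an initrd
        with open(config, "wb") as fh:
            fh.write(b"CONFIG_MODULES=y\n")           # constructed stand-in for a kernel config
        baseline = build_baseline([kernel, initrd, config])

        # The "even one byte changes" case: patch a single byte of the image.
        with open(kernel, "r+b") as fh:
            fh.seek(1000)
            fh.write(b"\x01")
        os.remove(initrd)

        report = verify(baseline)
        return {key: [os.path.basename(p) for p in paths] for key, paths in report.items()}


if __name__ == "__main__":
    print(demo())
```

Two limits the comment already names carry over: the check only sees what is on disk (a module loaded into a running kernel leaves the image untouched), and a hashing tool run on the compromised host can be made to lie, so the verification should be run from trusted media against a baseline kept elsewhere.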

  164. Yet more MS bashing by The+Raven · · Score: 1

    Back orifice is a very nice remote administration tool. If it wasn't deliberately created to run silently and stealthily, they could probably have sold it for several hundred dollars a pop, and never made headlines anywhere (just made lots of money).

    However, I take exception to your flagrant disregard for reality in your blind M$ bashing. I'm not a MS lover... far from it. I think their server tools are crashy, buggy crap. But their GUI end is better than any competing interface, even very pretty ones like BeOS.

    Microsoft, if you fault them everywhere else, is extremely good at making user friendly interfaces. You may complain about their inability to ship bug free products, their brain dead patch and upgrade methodology, their incompetent server technology, their flagrant monopolistic tactics... but you cannot fault their ability to make useful, usable graphical interfaces, and their continuation at the head of usability. (I admit I have a pet peeve when it comes to usability... I worship Jakob Nielsen)

    Microsoft created, on their own (ignoring their original theft of Apple's basic paradigm) most of the graphical widgets and design standards we live with today, even in Linux. It's no mistake that KDE and Gnome have a distinct resemblance to Windows... Windows has an excellent GUI.

    Microsoft has a habit of releasing crappy products for versions 1, 2 and 3, and finally in versions 4+ they generally start sucking less and less until they really don't suck much at all (though, by then they are major bloatware also). The fact that it takes them 4 revisions to get it right (four revisions they make us pay for) is unacceptable, but once they do get it right, they do a pretty good job.

    I guess I don't have a particular reason to bash on your post... it's not like it really really bugs me, I read and enjoy /. every day, and this is the first post such as this I've made.

    The Raven

    --
    "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  165. Re: hole == whole by Anonymous Coward · · Score: 0

    yeah, it does... heh, boss walked in as I posted, and well, no proofing it... sorry for that extreme err.

  166. Re:Fun Stuff :Wrong example by Pako · · Score: 1

    2: It's MS' fault for having the security holes in the first place.
    ...
    If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

    IMHO, this is more accurate:
    "If I pay big bucks for a good security door/lock, but any thief can still break in easily, then the guy that sold me the door is the criminal. And the thief, of course. Everyone but me."

    And now, imagine who are the guys that sell doors, who the thieves...

    Pako

  167. New Disclaimer by seppy · · Score: 4

    >> It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.

    It should be legally mandated that any article speaking of upcoming Microsoft products carry a disclaimer similar to this.

    .02



    --

    Brian Seppanen

    Minister of Information and Propaganda
    Area 54 The Secret Government Disco Labs Provo

    1. Re:New Disclaimer by Anonymous Coward · · Score: 0

      Yes indeed!

      "According to a Microsoft marketing executive Windows 98 is an easier, faster way to get on the Internet."

      "It should be noted that Slashdot has no independent confirmation that the new Windows 98 program actually lives up to the claims of Microsoft."

  168. Re:Because a whole is a hole by Anonymous Coward · · Score: 0

    And if you're running Windows, you get the whole hole.

  169. But wait, could it be... USEFUL? by Tweety+Fish · · Score: 5

    For those who believe that Back Orifice 2000 is some malicious tool that may or may not cause untold havoc for win32 consider this:

    If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?

    Back Orifice 2000 is a tremendously useful tool for any administrator, and will only become more valuable as hackers around the world (please note that I understand that word, and I do mean hackers) modify and extend it. Managing windows networks is a far easier and richer experience when you have something like BO2K to work with. Is it a mixed blessing? Possibly so. But the best way to make BO2K work for you is to use it, and understand it.

    The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them. One way to make that happen is by convincing major vendors that they need to tighten up their products and make SURE that customers understand how to keep themselves secure, and that the products help them do that. The other way is by letting those same users get at the functional guts of the systems they use, without the layers of obfuscation and abstraction that characterize a modern operating system. Hopefully, BO2K will achieve both these goals.

    Back Orifice 2000. Show some control.

  170. Re:Fun Stuff (tried Gspot yet??) by MSG · · Score: 1

    There are *nix based controls, actually. I authored "gspot" myself, from the original *nix sources. It was kinda fun, though I get less respect from some of my co-workers. There's at least one other graphical control for Linux, too.

    If you want gspot, you can find it on freshmeat.

  171. key words "RUNS INVISIBLY" by nmarshall · · Score: 1

    BackOrifice is nothing more than a version of pcAnywhere that runs invisibly (more or less).

    Key words, "runs invisibly". Now, explain why it is so damn difficult for NT to tell me what's going on inside? With Linux this isn't a problem: I can telnet in and ask it what's running, and unless someone has "fixed" top or ps I know what's running and what's not.

    Yeah, it may be an ego trip, but then most all of my programming is an ego trip, i.e. it is just damn kewl to tell a computer what to do and have it do it, and it is even better when other people find my program useful.

    Also try reading some of cDc's essays; they don't just hack, errr, crack... some of their writing is just damn funny!

    ps: Jesus can't save you out here, Cthulhu has eaten him...

    nmarshall
    #include "standard_disclaimer.h"
    R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE

    --
    nmarshall

    The law is that which it boldly asserted and plausibly maintained..
    --Colonel Burr 1783
    1. Re:key words "RUNS INVISIBLY" by L0rdJedi · · Score: 1

      The original Back Orifice ran invisibly. To my knowledge, this is because Windows 95 doesn't have a low level process viewer like NT does. It may not run invisibly under NT (be viewable in the process viewer), but we won't know until the 10th. That is unless cDc has released details about BO2K that I'm not aware of (which is very possible).

    2. Re:key words "RUNS INVISIBLY" by 8ballcane · · Score: 1

      wintop. really nice low level process shower. Shame it was released only as a kernel toy, not a part of the operating system

      --
      Saw it written and I saw it say, pink moon is on its way. None of you will stand so tall, pink moon is gonna get ye al
  172. Rockin. by Dast · · Score: 0

    Anyone know if the encryption between the client and server will be any better?

    --

    This sig is false.

    1. Re:Rockin. by tqbf · · Score: 1


      Amen. cDc will have a hard time claiming BO2K is a "powerful administration tool" if it is comparably secure to the original BO.

  173. Script Kiddies by AaronW · · Score: 1

    The script kiddies are going to love this. I'm on a cable modem and run a Perl script called booby (see http://members.home.com/lazyx/booby) which emulates BO. It's interesting to see how many script kiddies try hacking in without knowing everything they do is emulated and being logged. Most of the kiddies I see don't really know what they're doing, but I've seen some pretty malicious people out there.

    The potential of this program is fairly large. If someone made an installer that would search out other systems on the LAN and install it on them as well this could be a nightmare (shudder) for Micro$oft shops. One more reason to not use M$ products.

    Of course *NIX can be vulnerable as well to this type of trojan horse. The user security of *NIX may be better, but security is only as good as the user using it. The main difference, I believe, is that *NIX users are a lot more knowledgeable about their systems and are much less likely to download and install software of questionable origins.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  174. A more apropos analogy by jabber · · Score: 2

    A more apropos analogy would be that of the CDC (Ctr for Disease Ctrl) periodically releasing new and mutant strains of diseases into municipal drinking water to make sure that major hospitals are making their patients immune to illness in general, rather than inoculating them against many specific strains of many specific diseases.

    All that the Clan of the Deceased Cattle is demonstrating - however effectively - is that M$ doesn't make the best mousetrap. But then who does?

    --

    -- What you do today will cost you a day of your life.
    1. Re:A more apropos analogy by Shafik · · Score: 1

      Now you are mixing apples and oranges here. You could compare virus protection software to a hospital, but you can not compare MS to a hospital. The logic is all wrong. MS is a product producer; a hospital is a service provider. There is a huge, huge difference. The first analogy, although faulty, was logical.

      And no, they are not demonstrating that MS does not make a better mouse trap. Windows is a well established product that most of the world uses and, as it has been shown by Mellissa(sp?) et al, that means one hole can cause major, major world wide problems. So _it is_ MS's responsibility to deal with these issues better than they currently are, and if they need to embarrass MS by releasing products like BO 2000 to get that done then they will.

      nuff said

    2. Re:A more apropos analogy by Anonymous Coward · · Score: 0

      What a mess of an analogy. Back Orifice isn't a virus. There's no disease being released here.

  175. Re:If it still works Microsoft dident do a good jo by Anonymous Coward · · Score: 0

    dident=didn't
    wouldent=wouldn't
    hasent=hasn't

    there, got my anal nit-picking done for the day all at once! :-)

    (moderators, please demote this into the basement)

  176. quick demo on/for the author? by Gordo · · Score: 2
    From the article:

    It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.

    Hmmm, if the author is running NT then perhaps one of you cDc chaps would be good enough to give him a quick demo? *grin*

  177. Heh. Nevermind. by Dast · · Score: 1

    Found it at this URL:
    http://www.cultdeadcow.com/tools/bo2k/pr19990702.html

    --

    This sig is false.

  178. Re:Because [is isn't it best though?] by Anonymous Coward · · Score: 0

    Much love to the sysadmins of the world, but what you said is exactly true, and it contradicts your whole point. (Or is it your hole point ?) Guys like CODC and various nefarious virologists, trojan writers and so on CAN churn out security exploits for Windows at a phenomenal rate simply because there is so MUCH in Windows to exploit ! And to attempt to use their powers for good, as you suggest, is also futile. To make a third-party security program for Windows is to apply a band-aid to a cancer patient. The problems are inside, in the kernel, where your apps can't go, and where they therefore can't help. Sure, it sucks to be a sysadmin in this day and age, if you're in the all-too-common position of being forced to use an inferior OS by some guy in a suit, when doing so only makes your life a living hell and you KNOW better. But BO isn't targeted at chaps like you (and me, for that matter). It's a message addressed to the aforementioned suits, which says roughly "If you allow your ignorance of security issues to put yourself in an avoidable position of being vulnerable, we will exploit you." Less directly, it's a message to Microsoft reading "If you don't get your act together and kick out something that passes for a real Operating System, we will scare away all of your precious customers."

    Unfortunately, this war, like any other, has left some innocent casualties, and from the point of view you espouse I would imagine you're one of them. But make no mistake, CODC are the Good Guys, same as Linus and Alan, same as anybody else you care to mention who fights against the woeful status quo of computing. At least, they're the good guys as long as the virtue you uphold is a secure and stable technology infrastructure on which to build a more connected future.

    I for one am a patriot to the end.

  179. Back Orifice for Linux... by Anonymous Coward · · Score: 0

    Close, but even nastier:

    http://www.phrack.com/search.phtml?view&article=p52-18. It modifies system calls to make itself invisible and pretty much undetectable. The #include lines are mangled from the html display. Look at the source if you want to give this a try. It works on 2.0.x but I don't have the guts to try it on a 2.2.x production system.

    1. Re:Back Orifice for Linux... by tqbf · · Score: 1


      Modifying system calls does not make a trojan undetectable, even "pretty much". Because of the fact that kernel source is readily available to both white hats AND black hats, crackers who want to develop "stealth trojans" have a considerably harder time under Linux than under NT (where the kernel source is available only to black hats).

      This is a fundamental security advantage held only by open-source operating systems.

    2. Re:Back Orifice for Linux... by tqbf · · Score: 1


      You don't get it.

      /proc isn't the only source of information about what pids are on the system. That data is leaked through many, many interfaces to the kernel. It is tedious and tricky to plug all of those leaks, which is exactly what you need to do to write a process-hiding trojan under Linux or BSD --- since anyone can read the kernel source to find a new avenue to locate hidden processes.

      Man kill(2). Look at what kill(0,pid) does.

      Better:

      Man fork(2). Look at what the parent receives as a return value.

      The problem with systems like NT (and, to a lesser extent, Solaris) is that there isn't enough published information to give white-hats the advantage over black-hats in the hide-versus-seek battle of trojan development.
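
The two probes tqbf points at above, kill(2) with signal 0 and the pid that fork(2) hands back to the parent, worked through as an added example in C. It is not from the thread and not cDc's code. It also speaks to nmarshall's worry earlier in the thread about "fixed" top or ps: neither probe reads the /proc listing those tools depend on, so a module that only filters that listing is caught by both. The code assumes Linux; PID_LIMIT, the 32-child burst size and every function name are my own choices, and a real tool would read /proc/sys/kernel/pid_max rather than hard-code a ceiling.

```c
/* Added example (not from the thread or from cDc): cross-check the pids that
 * /proc reports against two other kernel interfaces. Linux only. PID_LIMIT is
 * an assumed ceiling; a real tool reads /proc/sys/kernel/pid_max instead. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define PID_LIMIT 32768

/* kill(pid, 0) sends nothing, but the kernel still has to say whether the pid
 * exists: 0 or EPERM means a live process, ESRCH means none. */
int pid_exists_via_kill(pid_t pid)
{
    if (kill(pid, 0) == 0)
        return 1;
    return errno == EPERM;
}

/* ps and top readdir(/proc), which omits non-leader threads, yet /proc/<tid>
 * still stat()s, and an exited pid has no directory at all; testing the
 * directory keeps threads and just-exited processes out of the results. */
int proc_dir_exists(pid_t pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    return stat(path, &st) == 0;
}

/* Hidden: kill() admits the pid but /proc has no directory for it. Probed twice
 * so a process that exits between the two calls is not reported. */
int is_hidden(pid_t pid)
{
    int i;
    for (i = 0; i < 2; i++)
        if (!pid_exists_via_kill(pid) || proc_dir_exists(pid))
            return 0;
    return 1;
}

/* Brute-force the pid space: returns the hidden count, storing up to cap in out. */
int find_hidden_pids(pid_t *out, int cap)
{
    int count = 0;
    pid_t pid;
    for (pid = 1; pid < PID_LIMIT; pid++)
        if (is_hidden(pid)) {
            if (count < cap)
                out[count] = pid;
            count++;
        }
    return count;
}

/* The fork(2) hint: the pid fork() returns was just found free, and Linux hands
 * pids out in increasing order, skipping those in use. Fork a burst of children
 * and inspect the pids the allocator skipped: one with no /proc directory is
 * held by something /proc will not show. No kill() is involved, so hooking
 * kill() alongside the /proc readers does not close this path. */
int find_skipped_pids(pid_t *out, int cap)
{
    enum { BURST = 32 };
    pid_t seq[BURST], gap;
    int i, count = 0;
    for (i = 0; i < BURST; i++) {
        pid_t c = fork();
        if (c < 0)
            return -1;
        if (c == 0)
            _exit(0);        /* child lives only long enough to claim a pid */
        waitpid(c, NULL, 0); /* reap first so the next pid keeps climbing */
        seq[i] = c;
    }
    for (i = 1; i < BURST; i++) {
        if (seq[i] <= seq[i - 1])
            continue;        /* allocator wrapped or reused; gap says nothing */
        for (gap = seq[i - 1] + 1; gap < seq[i]; gap++)
            if (!proc_dir_exists(gap)) {
                if (count < cap)
                    out[count] = gap;
                count++;
            }
    }
    return count;
}

int main(void)
{
    pid_t found[16];
    printf("%d pid(s) known to kill() but missing from /proc\n", find_hidden_pids(found, 16));
    printf("%d pid(s) skipped by the allocator but missing from /proc\n", find_skipped_pids(found, 16));
    return 0;
}
```

Run it as root, or on a /proc mounted without hidepid: with hidepid=2 an unprivileged caller cannot stat other users' /proc directories, so every one of their processes would be reported as hidden. A hiding module that hooks kill() as well as the /proc readers defeats the first scan; the fork gap scan survives that, which is the point of the second hint. A gap pid can also be a process that exited in the milliseconds between the fork burst and the check, so treat a single hit as a lead to confirm, not a verdict.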

    3. Re:Back Orifice for Linux... by Anonymous Coward · · Score: 0

      The issue of source code is irrelevant. The source code and kernel image remains 100% untouched. Just like BO 2k and the macro viruses, this module takes advantage of functionality provided by the operating system or application. The only way to prevent things like this is to remove that functionality from the system entirely.

  180. proactive vs. reactive. by Xamot · · Score: 1

    They are being reactive if something has already been publicized. They would be proactive if they fixed it before that.


    --

    --
    ?
  181. Hey, it's cool. by Anonymous Coward · · Score: 0

    I say let 'em code it. cDc folks code, and go demo the software in front of folks at expos. If they were malicious, they'd keep quiet about it and use it for evil. This is HELPFUL. The emperor has no clothes. If I'm spending about $1000.00 on an operating system and it has easy exploits, I certainly would want to know about them - wouldn't you?

    Microsoft does the same type of thing with their office apps and WebTV (OK, so they don't capture keystrokes - YET) but they don't tell you about it. cDc gets a post on CNN.

    This is educating the consumer, whether he wants to be or not.

    -----
    "There are some things we don't want to know about - important things!"


  182. Imagine by joq · · Score: 0

    Imagine for a quick minute what it would be like if the cDc used their programming skills for something positive instead of this lame script kiddie Visual Basic junk. Great, now I have to audit my NT server first thing when I get to work tomorrow.

    I find the legal disclaimer humorous... A remote administration tool? Hah. That's some funny shit. Oh well, thank god I use SuSE and OpenBSD at home.

    1. Re:Imagine by Tweety+Fish · · Score: 1

      Okay. 1) If we really were only writing "script kiddie visual basic junk", would you really WANT us to turn our programming skills towards trying to help people? BO and BO2K are both non-trivial software products, and BO2K is one of the single most elegant pieces of software design I've ever seen. I'm sure you don't believe me, but, by all means, check out the source when we release it.

      2) I would love some clarification on why you think that BO2K (and for that matter, BO) is NOT a remote administration tool... with features like registry and file access, network .exe spawning, and process management, I fail to see your point.

    2. Re:Imagine by tqbf · · Score: 1


      Why aren't you auditing your Windows NT servers anyways? This program isn't breaking into your servers; "viruses" and security holes are. cDc has "caused" none of these problems.

      Windows NT "moralists" complaining about this problem have their heads in the sand. The problem is that circumstances exist to allow programs like BO2K to be installed in the first place.

      You lack a very basic understanding of computer security and threat analysis if you think that the computer underground (ie, the community of system crackers) didn't already have tools of comparable power already. Posting BO2K simply prevents IT managers and Microsoft marketeers from denying this simple truth.

      You should be thanking cDc for A.) raising awareness of the problem and B.) ensuring that 99% of all successful NT attacks will have the uniform signature of a BO2K installation to accompany them...

      ... as opposed to either the obvious signature of a wiped hard disk, or the much-harder-to-track signature of a custom-coded trojan.

  183. Re:If it still works Microsoft dident do a good jo by egon · · Score: 1

    If you're going to use this philosophy, you must continue on to say that Linux has never addressed the issue and hence must be doing an even worse job.

    People, people, people. This program does not point out a single flaw with Microsoft, as much as I would like it to. A program like this could just as easily be written for linux, sco, hell - even openbsd.

    About all this program does point out is the gullibility of the Windows user base.

    --
    Give a man a match, you keep him warm for an evening.
    Light him on fire, he's warm for the rest of his life
  184. e. coli? Back Orifice? by cje · · Score: 2

    Am I the only one who finds it ironic that the Centers for Disease Control and Cult of the Dead Cow have the same acronym?

    --
    We're going down, in a spiral to the ground
  185. Re:If it still works Microsoft dident do a good jo by Anonymous Coward · · Score: 0

    And how would you fix this problem? By disabling networking in NT or not allowing TCP/IP servers to run and bind to a port. Come on this is a problem that could appear on any server running any operating system attached to the Internet. Even Linux.

  186. bad journalism by Sourdough · · Score: 3

    I'm disappointed in the author's use of his own opinion in this article. This is supposed to be a hard news story, not an editorial. He does present the Cult of the Dead Cow's explanation for why they write these programs, but then makes an argument against them directly. He doesn't even bother to get quotes from anyone, but simply makes the argument himself. (He says something about "computer security experts" but doesn't elaborate.) This is just plain bad journalism. I learned not to do that in high school journalism class. I would imagine that someone who works for a major news organization like IDG would know better.

    1. Re:bad journalism by whoop · · Score: 2

      Journalism does not mean that anymore. To be a journalist, one must:

      1) repeat verbatim that which comes across the wires. It is gospel.

      2) There are no two sides to any issue, just the right one. Have polls like, "Are you for the slaughter of children/elderly/disabled/etc, or are you a nice caring, democrat?" Then conclude that 98.32% of the world will vote for Hillary as Master of the Universe and there is no use thinking about anyone else.

      3) Never go out and validate what sources say. Again, just repeat. Feel free to mix and match questions and answers to better support rule #2.

      I could go on and on. But the media isn't about facts or informing the public. There was a day when saying "mostly teenaged" when talking about a group would be followed up with something like, "Joe Smith, 14, says ..." Now they just throw out whatever they feel (and want you to feel too). In this case, they want you to believe they are immature folks who should not be taken seriously. The same thing was (and still is) said of Linux hackers. Even though that survey was done that found most of the kernel hackers were older, had degrees, etc, it doesn't stop that stereotype.

      The media is just another political outlet, telling you what to think, etc. Believe them, or die. If the kind and benevolent Microsoft isn't tortured by teenagers like cDc, the world would be a happy place. :)

    2. Re:bad journalism by bjk4 · · Score: 1

      Part of the problem is that news services are taking exactly what comes off the wire -- The problem with that is that the wire they are relaying is not a news source. It is a press-release source.

      IDG is not a normal press source. Instead, they are industry analysts, who may or may not be paid to write a certain point of view. In this case, IDG is treating Linux, hackers, and Microsoft hypocritically. Microsoft doesn't release bugs, they release new features that run faster, smarter, and save money over everyone else. With Linux, until recently, teenagers released hand-written code using 60's technology that ran no commercial programs, would cost more money in the long run, had no support, and was basically a bad idea. Hackers, malicious teenagers sitting in front of monitors (god forbid) release 'bugs' in M$ software (not expose bugs, they create them...) under the faulty premise of strong-arming (bad, bad word) good, beneficial software companies.

      IMO, articles from IDG are not to be trusted at all. They tend to be biased extremely (or naively) toward the establishment (read contributors.) The sad part is that CNN is willing to blindly republish these articles, lending credibility to their worthlessness.

      Comeback

      My favorite comeback (mentioned elsewhere in these comments) is that if his analogy is correct, then this question arises: Why would someone taint meat? If no one will taint meat, why do we need protection and regulations? Therefore, we don't need security. Microsoft should eliminate all of those silly restrictions like passwords. We should lose the locks on our homes.

      The underlying response is that analogies are powerful tools to befuddle issues. In this case, the analogy is biased. Don't listen to analogies, they are ALL flawed.

  187. Re:Because [is isn't it best though?] by Tarnar · · Score: 1

    They are on our side. They're trying to get people to see just how utterly insecure Windows products are. If MS would accept responsibility for the flaws in their OS, then something could be done. If MS would take these things seriously and properly secure up their products, then programs like these would no longer be an issue.

    Besides, it's not like you can take a look at the NT source code and write a patch for the hole. That's one of the greatest advantages of an Open development environment. Things get done to FIX things. They can't patch NT or 98 or anything so they instead point out the problems.

    It's not the greatest way to solve the worlds problems, but sometimes there's just no easy way to fight against Evil(tm)

    (And please take the last paragraph with a sense of humor ;-D)

  188. ??? by Anonymous Coward · · Score: 0

    So you'd rather unknowingly have your system broken into and abused on a regular basis?

    -
    I am ODiV, hear me type.

  189. Why it exactly _is_.... by RoLlEr_CoAsTeR · · Score: 1

    Why is anything in this country the way it is? I can only offer an explanation that, b/c this government is so unorganized, inconsistent, and opportunistic (etc, etc, etc, ad infinitum), things happen like that.

    I can only wonder if he's got some big $$ deal with this, and maybe somehow, this keeps him in the clear....however, I wouldn't actually know, because I'm not that well versed about the whole situation (besides the article).

    --

    Insert mind here.
  190. Re:Because [is isn't it best though?] by j+a+w+a+d · · Score: 1

    I don't think it would have as much of an effect on Microsoft's marketing machine if they were "good guys" than what they're doing. With this, they get the publicity (immaturely, but still) and companies are more likely to go, "hey microsoft, how come your little windows deal doesn't stand up to this? we're switching to linux, thanks."
    ..................................@ @

    --
    i dont display scores, and my threshhold is -1. post accordingly.
    Discuss /. policies
  191. I LOVE THIS APPLICATION!!! by Anonymous Coward · · Score: 3

    Score: -50, Rant

    It's about time! They promised NT support for Back Orifice last year. Well, their exact words were, "Soon." And I think it's just a delicious pun that they call it "Back Orifice 2000."

    I'm sorry if anyone finds this offensive, but I consider NT to be inferior. Microsoft typically buys its way into technology, but it never takes the time to make any true advancements of their own: they bully companies into working only with them, and when these companies do, it becomes almost impossible to get software products or device drivers for non-MS platforms. When Microsoft "embraces & extends" they're only taking someone else's work, adding a few functions so it won't work on anything but Windows, and locking up the changes so no one else can make their product compatible with the MS version. They [Microsoft] then engage the marketing machine and have their minions in the trade press hype the crap out of the product; which many of these publications routinely do despite the fact that MS' product is really just a polluted version of a good idea. The point is, I am offended by Microsoft. It is deceitful for them to engage in the practices that they do. The great irony is that they claim to be leading the world away from weak, bug ridden software, when that is in fact what they produce!

    I do a dance of joy every time a new virus is announced for Windows. Like Melissa -- I loved the fact that it only infected people using MS email clients. I believe Chernobyl served as a point of awakening for many people who have only used Microsoft systems. Despite the belief to the contrary, Windows is just as difficult to install from scratch as some Linux distributions. It's a lot like "The Matrix" when these people who had spent their entire lives in this fabricated reality wake up. When they first run Linux they discover that this whole time they have been mindlessly sleeping in a pool of goo with their brains hooked up to some interface -- they discover they don't have to play by the System's rules: that they have true power.

    This tool also provides something interesting. Imagine a remote administration utility so powerful, that you have more control over someone's computer remotely than they have in front of it. NT doesn't even ship with a telnet server! It's ironic what this tool does, because remote administration utilities are EXACTLY what NT is lacking in. And by the way, NT is supposed to be a "Network Operating System;" but an NOS that is susceptible to viruses? Unforgivable!

    So what's the big solution? I want everyone to be able to have the opportunity to write software without getting unfairly squashed. I'd like to see software companies get behind Linux, or at least the standard Unix binary that all the commercial Unix companies are pushing. This includes Microsoft, they can write their software for Linux if they want. If everyone sticks to an open, universal platform then everyone has a fair chance at making it in the computer business. When I originally heard NT was going to be POSIX compliant I thought, "Well great!" But that changed as Microsoft opted for "proprietary" instead of "open," so they could lock MS drones into using MS only products.

    So, if the cracker ethic is a means to an end, let it be. Perhaps that is the true evolution of the [computer] species.

  192. Re:Because [is isn't it best though?] by Anonymous Coward · · Score: 0

    What impressed me was the poll; an overwhelming majority felt it would help ((either help or help and hurt)). What set these guys off was M$'s arrogance. M$ has no incentive to plug the holes, unless competition forces them to do so. Right now M$ has the business community by the balls. The business community has no other alternative for the desktop.

    Get used to fending off the efforts of some snot nosed kid with his VisualBasic. He will have free rein, because M$ doesn't care.

    I like cDc, I think they are the nineties version of the yippies. Give em hell!!!

  193. WHY exactly is it.... by CrudPuppy · · Score: 1

    that the guy who wrote the Melissa Virus (and the guy who wrote the Chernobyl Virus...etc, etc, etc ad infinitum) is burned at the stake, and every government agency is telling the public how the Melissa virus author (who only exploited yet another security hole in MS shitware) is going to get 10 years in federal prison and like 2 zillion dollars in fines..etc,

    meanwhile, sir jerkoff can freely write, release, and boast his backshit 5000 and is somehow viewed as the saint of security...saving the public from hidden MS holes and bugs!!!

    Don't get me wrong, I don't happen to see any problem with EITHER of these guys...but it pisses me off to no end when our lame-shit big brotherment treats twin-cases like black and white.

    bah!!

    --
    A year spent in artificial intelligence is enough to make one believe in God.
    1. Re:WHY exactly is it.... by WPISteve · · Score: 1

      So you are saying that if I bought a gun, gave it to a kid and showed him how to shoot someone, then I should not be responsible? The back orifice guy should be just as responsible as the user.

    2. Re:WHY exactly is it.... by jjohnson · · Score: 1

      Unless the Melissa author clearly explained in his post that the office file was viral, then he was firing into a crowded room. Posting it that way was his delivery system. He could have emailed it to 50 friends instead, but the Usenet post was safer (not safe enough, though...)

      Is there anyone here really familiar with M$'s security model? From what little I've heard about it, I've heard that it's not bad; the problem is that it's both too different and far too complex to implement properly, which is effectively the same as bad security. The whole 'trust and digital signatures' model just doesn't seem to work, though I'm not sure that's the problem at all, since it was a digital signature on the Melissa Word file that caught the author.

      --
      Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
    3. Re:WHY exactly is it.... by TriangleMan · · Score: 1

      C'mon, get real! There's one VERY important difference between Sir Dystic and the Melissa guy. Sir Dystic (so far as we know) just wrote the code (and is open-sourcing it too :^). The Melissa guy EXECUTED the code. Do you seriously think that if the Melissa guy had just put up a web-site and put the source for Melissa onto that web-site that he would have been arrested? He might have received a lot of criticism, sure. But you can't be arrested for merely exercising your first amendment rights.

      It's the difference between teaching a course on how to use firearms and going out on the street and firing an AK-47 into a crowd. You might disagree with me and say that it's more like handing out guns to felons than teaching them how to use guns, but I say that the equivalent of handing out guns to felons would be not only giving them back orifice but also giving them a delivery system (i.e. an exploit). Of course, there is a nifty little tutorial on the CDC web-site on how to write a stack buffer overflow exploit. But maybe that's the equivalent of teaching a course on how to build your own gun... :^)

      --
      GNU and Linux -- Oh no, Mr. Bill!
  194. Eliminate with Extreme Altruism by fliptout · · Score: 0

    If somebody is kind enough to alert me of my system insecurity, I will gladly reciprocate the gesture with my boot up their ass.

    --
    A witty saying proves you are wittier than the next guy.
  195. BO2k by Anonymous Coward · · Score: 0

    According to the author of the article, we should just accept the fact that there are tons of security holes in Windows, and instead of releasing a program that will allow the masses to be exploited, and force MS to fix some of the problems, we should let Windows users be attacked one by one, letting MS continue to write poor operating systems.

    While I agree that anyone that uses BO just to cause trouble really isn't helping any, I think the fact that the program exists should make bug fixes be released faster. Raising consumer awareness is a good thing.

    Also, it's hardly like infecting cattle with a disease. The security holes are already there...BO just takes advantage of them.

    Mystery meat = mad cow meat...yummy

  196. analogies suck around here by Anonymous Coward · · Score: 0

    The thing is, cDc is not INFECTING anyone. To use the cattle analogy is difficult. They would be saying 'hey we're making E. coli O157 available to anyone who wants it'. If someone then picks it up, and infects your local dairy farm... well, then you might have a problem.

    Good or bad? I dunno. It still requires INSTALLATION onto the target system, which usually has to be achieved via some other exploit or local access or simple social engineering. So BO2K in and of itself is not truly problematic.

    Similarly, someone installing a vanilla year-old Linux distro is probably going to find his or her system just as vulnerable. The difference here is that Un*x boxes already provide a great deal of control from the shell. BO2K simply adds that control to Windows.

    - Speed

  197. Perfect example by Timothy+Chu · · Score: 1

    Ok, I've got to say "me too" to this one. Somebody should moderate this previous post up to 2, at least. The example makes perfect sense.

    If they *really* wanted to expose Windows NT's security flaws, they shouldn't have released the program to the public--maybe to a news agency, or security council, or whatever is appropriate, but not the public.

    <tim><

  198. Re:If it still works Microsoft dident do a good jo by tqbf · · Score: 2


    This problem already does affect Linux. There are published kernel trojans in Phrack magazine.

    The issue is that in normal Linux installations, the only way to actually use a BO-like tool is to gain root access to the server first. When that occurs, the means by which root access was gained is almost IMMEDIATELY published and resolved.

    You would "fix this problem" by ensuring that users who run applications like mail readers that have the ability to execute content provided by untrusted sources would NOT at the same time have the privileges required to install something like BO2K.

    It's not like BO2K can just point at an arbitrary NT installation and magically infect it.

  199. Fair enough by jabber · · Score: 2

    So if I substitute FDA approved meat processing plants in place of hospitals in my model...

    That brings it closer to the example in the article, and I think that my angle still tracks.
    If the (real) CDC taints the fields with new diseases each spring, to check for cattle resistance to the concept of disease rather than a particular one, then how can that be dealt with by the packing plant? They don't know what to fight. And we all know that a computer can only be made truly secure by making it useless. People are the problem, bad design/coding just makes it easier for the bad apple.

    The point I was trying to make is that CDC is exploiting newer holes each time. I agree that this is of benefit. It's nice to have someone do your debugging for you (if you're the user or even M$ itself). And if M$ fails to close the hole after it's exposed then poo-poo on them. We have choices - too bad more people don't realize that.

    I do, however, take exception to the CDC making the exploit tool available to the prepubescents on AOL. My experience with hackers has been that the good ones, the ones that know what they're doing, don't go around handing guns to children. They'll document it, publicize the weakness, perhaps even provide logic to close the hole; but with their experience comes a sense of responsibility.

    Making a skeleton key and leaving it in the key-copy machine is irresponsible.

    --
    What you do today will cost you a day of your life.
  200. ... by Anonymous Coward · · Score: 0

    Has the past Back Orifice been neutralized yet?
    I haven't seen anything from MS saying that, so I'm guessing you have to look around for fixes.

    cDc should also release a program to remove Back Orifice from systems.

    I wonder why the guy put (mostly teenaged) in there. How do you get statistics for such things?

    What will MS do when confronted? Probably give a bunch of excuses. They probably won't try to fix any of the holes, or will save those fixes for the next version of Windows that comes out in 2 years. I saw lots of articles predicting that we would have to pay for win96, win 97 ...etc after win 95. MS just made the space between versions 2 years so people wouldn't notice as much.

    If it was Linux, someone who doesn't want their site infected would probably go and look at the BO source and code a fix, and probably patch up some of the security holes. Or, if you were managing a site, you could do it yourself.

    With MS, you'd either have to wait for a service pack, or go find a program that removes back orifice but doesn't patch up any of the security holes.

  201. 'wholes' by delmoi · · Score: 1

    There aren't really any 'wholes' in Windows 9x/NT that are being exploited here. Programs like this could be made for Linux just as easily, but they'd have to be run as root, and would probably be much more noticeable.

    In order to get into someone's system, you need to get them to run them as root. Since all users on 9x/NT have root access (well, most on NT) it's a little easier; that's the only hole though.
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

    --

    ReadThe ReflectionEngine, a cyberpunk style n
  202. The naysayers don't get it by Anonymous Coward · · Score: 0

    Can anyone name an instance where someone has brought to the attention of Microsoft a fatal security flaw, and Microsoft provided a fix within a month of the notice before the security flaw became known to the internet community?

    The fact of the matter is that MS, like most companies, does not want to spend large sums of money to correct security flaws in their product. In fact, the only motivation I can see to make MS correct such a flaw is the concern over market share when hackers shut down paying customers' NT systems because of those flaws.

    Just as pathetic is management not moving to correct a flaw when the fix is available. They only move when actually hit. (With perhaps a few exceptions in the financial industries...)

    The analogies given might sound applicable to this situation, but they are really unfair. The reality is that neither MS nor customers move to fix a security flaw until it actually affects them. It takes crap like BO2K, and script kiddies to use them, before anything gets done.

    Do you guys really think that BO2K exploits new holes in NT to make it a more effective cracking tool? HA! It's just a rewrapped interface that exploits the same old holes in NT that haven't been fixed by MS. Perhaps there is a new twist or two, but I think it's pretty disgraceful that the same vulnerabilities exist after one year of widespread notice. Why hasn't MS released patches to Win95, WinNT, Win31, & MSDOS v5 & v3.x to supplant the flawed LANMAN security protocols?

    As egregious as it is to clean up after a security break-in or DOA attack, it's probably just as bad to leave a company open to covert extraction of their intellectual product. That would be the result of "conscientious" security experts who only informed a software developer of a security hole and never released the information to the public to exploit.

  203. BO vs VNC/PC Anywhere by Anonymous Coward · · Score: 0

    Yes, you probably could use BO as a substitute for VNC/PC Anywhere. But the fact is that it probably doesn't have an option so that it can only be accessed within your local network. So basically, anybody will be able to find it with a BO client and get into your machine.
    Well, I guess if you use IP Masq or Proxy then it probably wouldn't find the other machine, but I wouldn't be willing to even take the chance.
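    The post above worries about a remote-control service that listens on every interface instead of only the local network. A defender's check for that condition, written here as an added example and not code from the thread or from any of the tools named in it: parse `netstat -an` style output (the sample lines below are constructed, including the port numbers), keep only bound listeners, and flag those that are reachable beyond loopback and not on an allowlist of expected services.

```python
"""Flag listening sockets that are reachable from outside the host.

Added example, not code from the thread. Parses constructed Windows-style
'netstat -an' output, keeps TCP listeners in LISTENING state and all bound
UDP sockets, and reports those bound to a non-loopback address whose port
is not in an allowlist of services the administrator expects.
"""
import ipaddress
from typing import Iterable, List, NamedTuple

# Constructed sample output; the high ports are placeholders, not real defaults.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:40123          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       192.168.1.5:1043       ESTABLISHED
  UDP    0.0.0.0:40124          *:*
"""

# Ports the administrator expects to be open on this host (assumption).
EXPECTED_PORTS = {135, 139}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_listeners(text: str) -> List[Listener]:
    """Return bound sockets from netstat-style text (IPv4 only)."""
    found = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else None
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        host, _, port = local.rpartition(":")
        found.append(Listener(proto, host, int(port)))
    return found


def externally_reachable(listeners: Iterable[Listener],
                         allowed_ports=EXPECTED_PORTS) -> List[Listener]:
    """Listeners bound beyond loopback that are not on the allowlist.

    0.0.0.0 (the wildcard) and any interface address count as reachable;
    127.0.0.0/8 does not.
    """
    flagged = []
    for lst in listeners:
        if ipaddress.ip_address(lst.address).is_loopback:
            continue
        if lst.port in allowed_ports:
            continue
        flagged.append(lst)
    return flagged


if __name__ == "__main__":
    for lst in externally_reachable(parse_listeners(SAMPLE_NETSTAT)):
        print(f"unexpected {lst.proto} listener on {lst.address}:{lst.port}")
```

    On the constructed sample the two placeholder high ports are reported and the loopback-only service on 5900 is not; in practice the allowlist is the part that needs care, since a service expected on one host is an anomaly on another.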

  204. Word Macros + BO2K = Fun for the whole family by ink · · Score: 1
    In the short term it makes M$ look bad, but in the long term it actually improves their product. (That is _if_ they do anything to plug up the holes.)

    That would be a good thing.

    Let's see; coupling the latest NT relative path attacks with a Word macro and BO2K riding on EXPLORER.EXE. Wow. This is EASY and fully exploitable on any network that accepts e-mail. Perhaps we should write a Sendmail->Procmail HOWTO so that Microsoft Word documents are filtered out at the transport level.

    The wheel is turning but the hamster is dead.

  205. Dream on by Anonymous Coward · · Score: 0

    If they haven't truly fixed the holes released by the original BO, why would they change NOW?

    No, if they're watching, it's only to allow their marketing people to launch pre-emptive FUD when BO2K gets released.

    MS learned a long time ago it's cheaper to convince your customer that they wanted to use a pile of crap than to make a product that wasn't crap. Competent marketing people are cheaper to implement than paying competent programmers to fix.