Back Orifice 2000 on CNN.COM

LLatson writes "CNN.COM is running an article about Sir Distic releasing Back Orifice 2000. Sounds like this time it will run on NT..." Comments on why this is being done, as well as a source release and a few changes to the 2k system.

Re:NT *is* horrible - Maybe it's you

[Rational]

There is no telling what some people will love.

Nay

[Aglassis]

Nay, for two reasons:

1. On UNIX systems telneting and trying to log in as root will not work
2. Telnet has security measures and can be disabled by the server at will.

Re:Nay

[IntlHarvester]

No, the AC is correct here. BackOrifice is just a remote control program (think PC Anywhere or any of the others in the Windows world). Do programs exist like this for Unix? How about X Windows?

If I tricked a UNIX user into running a modified telnet or something that would give me remote root access, it wouldn't matter if telnetd was disabled. The only reason UNIX is less vulerable to something like this is that users spend less time logged in as root and are more careful. But that's more of a human issue than a technical one.


--

It's NOT bullshit

[vivaldi]

BO is hyped, but its not bullshit. The programming model is similiar to VNC and PCA, but the delivery is vastly different. BO is a stealth product designed to lurk and attack, this is precisely why 12 year old kids are getting excited. And if BO version 2 users can change ports/protocols on their own, detection will be difficult and those 12 year olds will certainly be excited about something.

CIH virus

[delmoi]

Nothing happend to the guy who wrote teh CIH virus, beacuse he didn't ever distribute it, he just showed it to some frends, and I guess it "got out" on its own

as for the mellisa virus writer, well since he uploaded it himself (and it had the same GUID as the 'samples' on his virus writing site, and he did it from his home phone) he acted in a wonton act of distruction.
_
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

Re:But wait, could it be... USEFUL?

[J+Story]

a little off-topic, and no doubt well-known, but this is what folk did in the olden days.

Bravo! Hats off!

[jabber]

I know that this is mostly a 'me too' type of reply, but Tweety Fish has made an excellent point.

We all remember the stink that went up after Farmer and Venema (sp?) released SATAN. (COPS before that)

Anyone out there remember Asmodeus?
Any sysadmins here ever use a rootkit on their boxen to see what it did, and what to watch for? Without port scanners there wouldn't be firewalls, and without sniffers there wouldn't be encryption.

I know tfish is looking even farther than the benefits of reacting to a security threat. And a good thing too. Something like BO, designed to have such a low activity signature as to be undetectable by a casual user, is a huge accomplishment for a Windows product.

There are benefits for network admin tools, from having the BO code available. And if M$ doesn't learn, at least the rest of us will.

Re:???

[fliptout]

Really, who will be nice enough to break into my system and send me an endearingly personal email telling me how to plug my security holes? Not gonna happen- whoever finds the holes will exploit them to the fullest and fuck me over.

Frankly, I prefer not to have any uninvited guests.

Re:Fun Stuff

[jjohnson]

Just to be clear, I'm not a member of the CDC. Nonetheless, your responses aren't great.

0: Microsoft SUX!!! (0 because it's the _true_ motivation for all of the following arguments) Response: Yeah whatever. Nobody likes M$, but millions of us rely on their products in our homes and our workplaces. Some of us don't have a choice in the matter. If you want us to use something else, make something better.

While its true that many don't have a choice in the OS used in their office, or by default because they're unable to install another, there are still lots of better, or at least different choices out there. Your crack about 'make something better' is probably the most succinct description of the motivation behind hacking, and all it's produced, that I've ever seen.

1: It's just an administration tool. Response: [snip] If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?

One reason is to protect the administration tool. The network admin at my company is constantly telling people to enable Norton Antivirus; every time she has to clean their system manually, in fact.

You're right that BO is more than an administration tool: it's a political point that, for all the damage and heartache, is a valid point. See your reponse about leaving your house unlocked...

2: It's MS' fault for having the security holes in the first place. Response: [snip] If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

I'm still a criminal, and you're still stupid for having left your door unlocked. Moreover, your home insurance won't cover you because you left your door unlocked; if you won't take known security measures to protect yourself, then you bear part of the blame.

3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

My understanding of the release of the first BO is that Microsoft was offered an advance copy, and turned it down, while denying there was any security problem at all. Microsoft is a business, and what a business can get away with, it will. It's as simple as that, and if you disagree, you've never had the privilege of riding a cubicle in corporate America.

4: We're helping the community by bringing these problems to the attention of the public. Response: Clearly the only community CDC is concerned with is the script-kiddie community. Their program is extremely destructive to the common user and is most effective when used against inexperienced users. All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.

All they've done is force people to confront the problem. They've made a deliberate public showing of it because it wasn't to impress the script kiddies, it was to force a resolution to the issue. Yes, people may suffer because of it, but it takes a hard lesson sometimes. As for the atmosphere of distrust, which is better: suspicion all around or blissful ignorance?

Eternal Vigilance and Careful Security

[Invisible+Panther]

The parable of the wholy redhat box:

Some friends of mine thought that it would be cool to setup a redhat box with at their school district. Zipity fast line and an administrator who was interested in samba made it seem both fun and possible.

So the machine sat there and was played with, and various stuff. Then some script kiddie found his way in. With a 'Rewt' kit and some time all of a sudden the machine no longer was under the control of my friends but someone who was creative enough to pick a uid of 420.

The point: Even a linux box can be filled with security holes and even on a linux box something like bo can run (port 31337 now allows anyone to telnet in and doesn't even require a login for root access).

I don't really mind people developing these root kits or bo or whatever exploits they care to come up with, but I don't like people screwing around with other peoples machines as these exploits invariably lead to. Now that my friends know about the various holes they are ready to reinstall and start patching holes, but if the machine were something serious they'd be screwed.

With various holes know, we (the comunity of computer users, and the comunity in general) should make sure that they are fixed. As well we should make sure that these exploits are not exploited by the corporations or anyone else.

peace

watch out for the conspirisy of tall men

Kernel modules

[Rozzin]

Doesn't the insertion of a kernel module require root access?

This is sad.

[Gary+Gnu]

If cDc is sincerely concerned with M$ security they would have given M$ and the public suggestions on how to fix the problem but instead they release this dumb program to show that it could be done. I find cDc's analogy quite funny in a sense that it is flawed and no one in the right mind would formulate the same analogy.

I do not even know why they are making such a big deal out of this. It is the same as the original Back Orifice + NT capabilities which requires that the infected program be run by Administrator. One could say that this could be done the same for UNIX or BeOS provided that the "Super User" is the one who will be running the infected program. Most large corporations are very careful about running unsupported software (i.e. stuff that's downloaded from the internet) anyway so I doubt this would make a big impact to most people. I see the target of Back Orifice 2k as Warez kiddies who probably didn't pay for their WinNT licenses anyway.

Re:This is sad.

[tqbf]

Do you honestly think there's anything that
Back Orifice does that Microsoft Engineering
doesn't already know? I have met and talked
to Sir Dystik on a number of occasions, and
my impression of him is that he is someone who
knows what a "security advisory" is and what
the conventions are (prerelease to vendor,
publication of a patch/workaround, etc) for
releasing them.

This ISN'T a new security hole. cDc doesn't need
to teach Microsoft ANYTHING. This is a a statement
(IMO, an effective one) to the public about the
security implications of OTHER, WELL KNOWN
Win32 security problems. They are, to co-opt the
motto of the L0pht, "making the theoretical
practical".

This is a good thing. You can show all the scary
press about BO2K to your IT managers and get
resources to properly secure your NT boxes. You
should appreciate (and exploit) this.

Re:heh, they're releasing the source code too...

[TriangleMan]

So if you release BO2K under GPL, does this mean that if you infect someone's machine then you have to offer to give them the source :^)

Re:what is with people

[john+barleycorn]

"Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. "

In the hours,days,weeks and months to come as we see dozens (possibly hundreds) of slight variations, total modifications and custom built worms come out of that source code I doubt you will still believe that.

This program is a serious threat to NT security. As others have pointed out the problem isnt so much that NT is "insecure" (though ther are definitly problems in that department), its that the users and quite a few of its admistrators are just plain dumb wher security is concerned. And as I heard someone say in a previous thread: All it will take is one stupid user/admin to compremise the entire network. It will just make the process easy. Really easy.

Of course, yes all of this and more is possible on a unix system. The difference is unix is a diverse set of operating systems. Porting code to different Unices takes time and some skill. BO2k will run flawlessly on any target machine making it extremly easy for anyone to use (no coding experiance required) and therfor that much more dangerous.

However I dont think Its all bad. Its just like any other peice of software: It can be used for bad things or for good things. Dont blame it on the software or the authors (anyone who says writting software is in itself 'evil' is a total dope) - blame it on the assholes that actually use it maliciously.

And hey: If you THAT worried about it take that WinNT CD and chuck it out the window. Order a copy of Linux, FreeBSD or Solaris7 and put that PC to real use.

Re:cDc justified

[os10000]

There are so many messages here who just take it
for granted that NT is insecure. NT has a solid
security architecture that is more fine-grained
than that of Linux. This means it COULD be better.
The real problem is that MS Office is designed for
a single user and requires you to have the equivalent
of ROOT access to run it (OK, I'm exaggerating and
I've never had office on my computer so I wouldn't
know, but disprove me). You could do exactly the
same with Linux (pop up a box in netscape, make the user type their password, mail it home), only that a user has less rights on Linux.

Re:AMA polluting meat

[Ri-Del]

I see your point. If we engineered cows to be resistant to e.coli then we'd have a "more secure" cow. So in effect the problem actually does and does not already exist depending on your perspective. However it isn't a problem until e. coli shows up. Heh, I guess what I said could also be more amusingly applied to humans. We've got lots of design flaws, look at the "common cold!" (I'm joking here)

Who would've thought we could use cows as an analogy for OS secuity designs?

Re:AMA polluting meat

[Dr.+Evil]

Sure, a security problem is a security problem only if someone decides to exploit it.

In my world, people exercise reasonable measures to protect their valuables. The measures of protection are proportional to the worth of the object/valuables. That's why banks have vaults and safety deposit boxes.

If Microsoft is going to claim that their operating systems are secure, I don't think they're the victim when people realize that their doors are wide open. The victims are the people who rely on Microsoft products for security. Microsoft should take responsability for their marketing claims and engineering blunders.

Surfing at -1 is fun!

[SeanNi]

Whoooeee! The stuff people come up with!

Just imagine, if I wasn't surfing /. at -1, I'd never get to read all these absorbing and fascinating insights into the world!

(LOL!)
--
- Sean

Because

[Scutter]

They do it becasue they can. Most irritating.



I won't say first, even though i am. :-)

Re:Back Orifice for Linux...

[tqbf]

What are you talking about? This is certainly
not the only way to "prevent things like this".

First, all trojans take advantage of capabilities
offered by the systems they infect. Kernel trojans
take advantage of device drivers and context
switching code. In this respect, all operating
system functionality is subject to misuse by
malicious code (such as BO2K). Obviously, this
is not the problem that needs to be "fixed".

Next, the issue being discussed with respect to
trojans that affect OS kernels is detectability.
It simply is HARDER to detect a well-written NT
trojan. The security community does not have
the detailed information about the NT OS internals
needed to develop good detection schemes for
kernel trojans.

This stands in stark contrast to Linux trojans,
which must in some manner be based on and affect
the operation of the Linux kernel. The difference
here is that the effect of a Linux kernel trojan
is made measurable by the amount of information
publically available on the Linux kernel.

Unlike NT.

Finally, the point you're making ("the only fix
is to remove the functionality") is completely
bogus. The problem is that NT is configured and
used in a way that makes the distribution of BO
and it's siblings trivial. That is not a hard
problem to solve. "Don't run unverified code
inside of mail attachments". "Don't run programs
you get from suspicious sources." "MD5 binaries
you distribute to the public."

This isn't rocket science.

Re:Fun Stuff

[MSG]

If you want us to use something else, make something better.

I believe that there has ALWAYS been something better. The mac was better than win 3.1, people were just too cheap to pay the extra money for one. You get what you pay for.

1: It's just an administration tool.
If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?

Because if you are a network system admin, you don't really want people changing the software on their machines. Especially removing the program that you use to take care of said machines. To that end, if your client is scriptable, then you could run periodic, scheduled checks on all of your MS workstations to check for unwanted system changes. Thats a great and wonderfull thing.

2: It's MS' fault for having the security holes in the first place. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it.

My responce: bull. If you want to give BO a purpose other than that stated, then it is perhaps a good argument for designing/using systems with security in mind. At least if you value your privacy and data. If BO didn't expose the basic flaws in such designs some other program would. It's only a matter of time. By releasing BO very publicly, both the users and the engineers of those systems get a good reason for using a better design. The idea is not to punish users, but to convince them that they need to demand better design from their vendors. Let me say that again: If such a program were not released publicly, then it would be released quietly. If it were done in that manner, then consumers would not worry about their systems, and continue to live in a deluded blissful belief that they were safe. The design would not improve.

3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

First, when was the last time that MS fixed anything that wasn't demanded of them. If a problem exists, but isn't being exploited, they usually ignore it untill it is being exploited. Second, and most unfortunate is that these problems are inherent to the design of Windows. I don't think that MS could "fix" them if they wanted to. It would break too much existing software. BO is written with standard Win32 api calls. What's that? Yes, Microsoft DESIGNED WINDOWS TO ALLOW PROGRAMS TO DO THIS.

All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.

Who do you trust?

No, I'm not a member of cDc. I don't know if they want new members. I have, however, been very pleased with BO. I gained 100% access to my own place of business's network without any physical access. By doing so, I made the argument that security in the office was of prime importance. It held water, and we took some steps to make our Windows machines more secure. That's right, BO had exactly it's described effect. Is that so surprizing?

Are they attacking MS or stealing their niche?

[Sun+Tzu]

"Groups of (mostly teenaged) hackers... release nasty computer bugs..."

Looks like Micros~1 has some serious competition from cDc. ;)

Microsoft as martyr?

[kmb]

While few people here wouldn't like to see Microsoft get a come-uppance, this sounds like the most incredibly juvenile, wise-ass way to do it. While these twits never mention preferring Linux to Windows, maybe someone should forward them the advocacy FAQ anyway.

"Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"

Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?

Re:Microsoft as martyr?

[GreenPickles]

Yes the unix version (without pretty gui interface) was released shortly after the original release.

Re:Microsoft as martyr?

[Bwah]

"Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"

Yeah, so? Do you have a problem with that? I sure as hell don't use windows when I don't have to, but since it is forced on me as an email machine at work, I would sure like it to be secure.

If you have a problem with MS fixing their own OS due to security concerns I think you need to step back and think about your views. Why do you care so much about it?

/dev

Re:Microsoft as martyr?

[_Sprocket_]

Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?

Yes. The US Army. In a FCW article (that was referenced by a slashdot article), they talk about how the US Army picked Solaris with Lotus Notes for secure communications over WinNT and Exchange due to security concerns with the OS.

The contract was for the Army Battle Command System (ABCS) which apparently deals with secure communications in the battlefield. I'm sure it was a hefty contract. But there's more to it.

An interesting sidenote to all this (and the REAL meat of the article) is that Microsoft is scrambling to make a Unix Exchange client to support the Defense Department's secure Defense Message System (DMS) program. The fear is that if the US Army starts to go this direction with messaging on Unix, they're just as likely to scrap Exchange servers back at home to make everything cross compatible.

Re:Microsoft as martyr?

[GreenPickles]

Wait a second... Do you know who these guys are? They aren't linux zelots. They're purpose in life is not to convert people over to unix (although they probably would prefer that people would use unixies rather than win95). They get their kicks from poking fun at Microsoft and their Windows products by poking holes in it, and screwing around with it.

Re:Back Orifice for Linux...

[tqbf]

It doesn't hide processes. man kill(1).

I'm sure comparable problems exist in the
manner it hides files.

Re:cDc justified

[IntlHarvester]

MS Office 97 doesn't quite need Administrator/root, but it does require write access to a few files in \WINNT\SYSTEM32 and much of it's program directory, as well as in odd places in the Registry.

MS Office and other poorly designed programs (Netscape) are one big reason the default permissions on NT4 are so loose. The problem isn't really the OS, it's how the installer sets everything up. That and most workstation users logon as a local adminstrator.

(As a side note Microsoft has taken alot of blows on this from those familiar with unix, as well as their own user community. I'd expect Windows/Office 2000 to be much better in this respect. Win2000 beta appears to ship much tighter, and then includes some scripts to loosen things for compatiblity with certain apps.)
--

Boy my management would love this!

[nevets]

Management would love to have this. They could see what your doing with your time. Right down to the keystrokes.

Actually, if this does what it claims then management should really be worried about security. But noone will do anything until its too late.

PS.
I saw this article a few days ago and tried to submit it, but slashdot wasn't responding :( so I just gave up.

Re:Not a good thing

[_Sprocket_]

I totally see you point, but we have to look at the big picture. That is, ordinary people can download this thing and use it for whatever purpose they wish, whether it be a network admin testing out security, or a person using it maliciously to take advantage of a network without security against it.

I'm a sysadmin for a large Us Gov't agency. As such, my machines are a prime target for external attacks. So I can understand the concern for creating tools that "ordinary people" (ie: script kiddies) can use without any real technical knowlege. Keeping up with this kind of stuff can certainly add to my already overloaded schedule. But to be honest, the kind of threat this creates is not my biggest fear.

My biggest fear is the unpublished exploit. Published security holes get fixed. History has shown a tendancy with Vendors to ignore security issues until they become politically embarassing. This leads to vulnerabilities in my system(s) that I am unaware of and, consequently, can be exploited without my knowlege.

Lets not kid ourselves here... people with malicious intent WILL share their knowlege with others of the same inclination. At the same time, they're less likely to take steps towards patching the hole they are taking advantage of.

By bringing security issues to the public eye, people like the cDc are helping ensure the security of our environments improve. It may be additional work to keep up with these improvements. However, I don't know about your environment, buy mine demands a hell of a lot of hassle whenever one of our machines is compromised.

Re:Fun Stuff

[Shabazz]

I hate MS just as much as the next guy, but I still think it is messed up to release a program like this. The end result is that script kiddies will do the only thing they know how to do.

While sir dystic might say he wants MS to boast its security, I think it is clear that this is a thinly disguised one. How is this different from releasing the source code to a virus and then letting the script kiddies actually send it out?

Excellent.

[Shoeboy]

Smaller, nimbler, faster, easily customizable... This sounds like the perfect replacement for SMS Remote Control. Now I just need to sell my boss on the idea...
--Shoeboy

Re:Excellent.

[ToLu+the+Happy+Furby]

Actually, it's not so funny. Friend of mine (my roommate actually) used the original Back Orifice to remote admin the network at the place he worked.

And why not? It's free, it does everything he wanted, and most importantly, it consumes very little resources compared to competing commercial products. And my friend got paid a bunch for 10 minutes a week of playing around with it from his dorm-room computer.

Question is, why can't I get a job like that?

Analogies

[Gleef]

The big trouble with the Center for Disease Control analogy is that that CDC is a government agency with a public trust to uphold. Similarly, the AMA would like people to think they are a responsible, trustworthy and benign organization. In either case there would be a betrayal of trust.

The Cult of the Dead Cow has no such responsibilities, and no trust is betrayed. If you really want a tainted meat analogye, compare them with ecoterrorists, poisoning meat to prove that McDonalds doesn't follow proper hygiene procedures. Even that's not a great analogy, since the cDc's programs don't have the potential loss of life that a meat poisoning scheme would.

Why is it bad?

[bogado]

If a cracker tool can be done, I shure prefer that it's done in front of every one eyes like cDc is doing. If BO 2000 weren't created by the cDc it would probable be done by another cracker. Shure, now every kid can use it, but we know what they can do. The most dangerous tool is the one that is not visible.

--
"take the red pill and you stay in wonderland and I'll show you how deep the rabitt hole goes"

AMA polluting meat

[luge]

The article makes an interesting analogy, claiming that CDC releasing BO in order to force MS to clean up is the equivalent of the American Medical Association polluting meat with e. coli to force a cleanup by meat suppliers. However, the article ignores the point that the government has created channels by which the meat suppliers can be regulated, and that nature provides regular e. coli outbreaks to check on our precautions. Since the only oversight on MS is the market, and there is no such thing as a "natural" security problem, problems must be highlighted by human groups like the CDC, and the market must be manipulated in order to get a response.

Anyway, that's my two cents- I'd love to find the author's email to let him know, but I can't find it. Any clue?
-Luge

Re:AMA polluting meat

[byoung]

> -smug vegetarian :)

So, I guess that you haven't been hearing about all the vegetables that have been getting e.coli as well?

Here's more information.

Relevant quote:

Alfalfa sprouts, the quintessential health food used as garnish on everything from salads to hamburgers, sickened an estimated 20,000 people in the United States in two outbreaks in 1995, researchers say.

Don't be so smug. Vegetarians aren't e.coli free. =)

Bun is neither meat nor cheese.

Re:AMA polluting meat

[AArthur]

I would be mad if my security system in the office could be broken into via. some back door / secret way in (and the manifacture convently forgot to tell me).

If that back door was announced on TV (rendering my security system useless), I would feel more secure, since I now know about this exploit.

Since I now know that my security system is useless (and the world also knows that), I feel compleded to fix my security system up.

CDC is doing the right thing with Back Orifice 2000, releasing the source code. Now I can know for sure how they are breaking in, and I can fix it (using some little hack onto Windows, since I can not directly modify the source code). (Microsoft fixing it soon... haha)

Re:AMA polluting meat

[Seth+The+Man]

I'm pretty sure sd's email is something along the lines of s_d@cultdeadcow.com or sirdystic@cultdeadcow.com ..

I know he's on #cdc(efnet) quite a bit, so you might check there if you want to get a hold of him.

What's highly amusing to me is how seriously people are taking cDc. When was the last time you read any of the cDc text files? cDc was started by a couple of 14-15 yr olds in Lubbock, Texas. Kids who rode BMXs and ran BBS's on their Apple IIes. Now they've got stories on Geraldo and CNN?

It's a crazy ass world.

Re:AMA polluting meat

[AArthur]

Cows and farm animals can not be easily made resistant to the e.coli virus. Cows can't be changed (yet) by humans to get rid of the e.coli virus. No vaccine exists yet.

This is different with Windows. Microsoft could have and can engineer Windows easily to be resistant against the Back Orifice attacks out there. Linux / Unix is resitant to these kind of types of attacks. Did it require advance sicence and gene engineering? No. It just required some simple engineering ideas.

Re:AMA polluting meat

[Hygelac]

tom_spring@pcworld.com
"Your heart is free. Have the courage to follow 'er."

Re:AMA polluting meat

[Ri-Del]

Yes, I noticed the same thing. If someone were infectin cattle with e. coli bacteria, they would be introducing a problem that did not exist before hand. Back Orifice exploits problems that already exist.

I looked for the author's email address at both CNN and IDG.net where the article originated but was also unsuccesful in locating the address.

Re:AMA polluting meat

[Tattva]

"Yes, I noticed the same thing. If someone were infectin cattle with e. coli bacteria, they would be introducing a problem that did not exist before hand. "

I disagree with your point about problems that already exist. Correct me if I'm wrong, but I was under the impression Back Orifice is only as powerful as the user permissions of the account used to install it (exploiting the same API's any user with those priviledges could do anyway.)

How brilliant, someone gives you the keys to his house, you make copies and give them to all your punk friends to clean the place out and burn it down.

Back Orifice exposes that NT does allow users with proper permission to do whatever they want. That's a design decision, not a defect.

Re:AMA polluting meat

[hany]

If I leave my home unlocked at night, is that a security problem?

IMHO it is. good thiefs know that people are ussualy leaving garden doors open, that key is hidden near the doors, that valuable objects are somewhere under bed, etc.

it's only a problem if someone chooses to exploit my (arguable) carelesness

i would be very happy if nobody will be interested in "exploiting" my carelesness. but this requires that every man on earth (creature in universe?) have to be "good". is that possible?

this is somehow near the analogy of deseases. diseases are here so we have to fight them and it keeps us in condition (mostly). in perfectly sterile world we'll be happy, we'll be living longer BUT there will be much higher risk of one (even simple) disease destroying whole world. same with computer viruses and exploits: if there were no viruses and crackers (those bad guys exploiting bugs to cause bad things) we'll be very happy but than just ONE virus/hacker can destroy everything.

Re:AMA polluting meat

[luge]

But it allows not just the user to do it- also anyone who happens to know what port BO is installed on, without a password, as long as the program is running. THAT is a design defect.
~luge
(besides, there are no "permissions" in 95/98- which was the original target.)

Re:AMA polluting meat

[Dr.+Evil]

Analogies like these are just intended to stir people up. The thought of the AMA, a public organization doing anything of the sort, potentially killing millions of innocent people would be outrageous. Therefore, releasing backorifice must be similarly outrageous.

To paraphrase Bill Gates... "It's just a remote administration tool"

If that's what he believes, then to use their twisted analogies and flawed logic, the meat producers, after years of outbreaks of disease, to the suggestion of stepping up security argue "why would anybody want to taint beef?"

It's a horrible analogy. The facts of computer security aren't as black and white as deadly bacteria and food supplies.

(I agree with your criticisms, I just don't think the analogy is worth extending into that of governement regulation and control)

Re:AMA polluting meat

[Obscure+Images]

I may be slipping out some information a bit early, but BO2k does not have a default port and will NOT ALLOW a server to have no password. That is by design, as it will generally stop, or at least slow down people who would like to scan for BO2k. It also weeds out the people who can't figure out what a port is.

Re:AMA polluting meat

[DanaL]

I think the analogy still stands. If I introduce e. coli to a cow, I *am* exploiting a problem that already exists: dead cows are vulnerable to e. coli infections, much like '95 or NT is vulernable to Back Orifice.

-smug vegetarian :)

Re:AMA polluting meat

[luge]

I knew about the port thing (it was in some of the early press releases) but not the password detail. If you open source it, a more virulent version will be out soon anyway.
~luge
P.S. What license will the source be under?

Re:AMA polluting meat

[jabber]

If someone were infectin cattle with e. coli bacteria, they would be introducing a problem that did not exist before hand. Back Orifice exploits problems that already exist.

I don't really agree.

If I leave my home unlocked at night, is that a security problem? No, it's only a problem if someone chooses to exploit my (arguable) carelesness. Same with NT.

I wouldn't put a "this house is unlocked" sign on my lawn for the same reason that M$ doesn't publicize their careless design/implementation. The probability of exploitation skyrockets.

The CDC put a lot of effort into BO. Just as distributed.net put a lot of effort into showing that RSA ain't all that secure either. M$ didn't just leave the system wide open. It took someone with savvy and time to write a tool to take advantage of a loose hinge on a basement window. Now the CDC is giving every hooligan in the neighborhood that tool. Now M$ needs to fix the hinge. Next time, the CDC will climb up on the porch roof, and jimmie the bathroom window with a credit card..

Cat and mouse.

Re:AMA polluting meat

[luge]

I'm certainly not advocating government control, but since it is not present, some other force has to be present to limit/coerce/constrain the beast. Generally speaking, the market plays that role, but specific incidents have to occur to bring information to the attention of the market.
~luge

Re:AMA polluting meat

[Obscure+Images]

Some of the code will be GPL, some will be completely free, no licence at all.

As for a more virulent version... someone would have to make an initially virulent version. Currently BO2K doesn't go anywhere it hasn't been put. It has no viral behavior at all, and even by itself is not even a trojan.

Re:AMA polluting meat

[juggleme]

Wouldn't it be nice if reality was closer to this analogy? Any time I got a nasty bug I could format my entire body... provided I make daily backups of important parts of my brain.

Seriously though, this is just another example of why computer analogies should be left completely alone.

Re:Imagine

[SeanNi]

> ensuring that 99% of all successful NT attacks will have the uniform signature of a BO2K installation to accompany them...

You forget, mon ami, that cDc is releasing the source. That means that people are free to modify the program as they desire (a phonomenon very familiar to us of the Free Software/Open Source persuasion).

Who's to say what "signature" these modified BO2K variants will have? Who's to say how identifiable they will be?
--
- Sean

Re:WHY exactly is it....

[twit]

Correct metaphor: if you bought someone a gun, show them how to use it, and they shoot themself.

Microsoft frequently makes claims as to the security of their products without making any efforts to actually prove it to the security community. An example of this is the virtual private network scheme - the algorithm and implementation is untested, untried, and unproven. If one uses it, one must take MS's word as to its efficacy.

MS compounds the error of their ways by placing the blame on the cracker/hacker who exploits their security holes. If you wish to continue with the gun metaphor, perhaps this would be analogous to a claim that guns don't kill people, people kill people.

"Self-Appointed Security Watchdogs"

[tqbf]

Apparently some of you are under the impression
that the security community is some sort of
professional organization, like the IEEE, that
you have to obtain membership from to participate.

You are wrong. What we know about security in
1999 is 90% the result of independant research
work done by people trying to find new ways to
break into computer systems.

The security community is aware of stack overflow
vulnerabilities in large part due to a successful
attack on the Internet that happened in the 80s.
The relevance of the attack on modern Unix systems
was underscored by the 8lgm (with the Sendmail
8.6.12 advisory), a group that did nothing but
post exploit code for new security problems they
discovered. And immense code audits that Linux
and 4.4BSD went through to overflows were the
direct result of Mudge and Aleph One posting
detailed "how-to-write-an-exploit" cookbooks for
hackers.

Nobody of any repute in the security community
criticizes any of these people for what they've
done. To do so would be silly; we know that our
software would be less secure without these
people, as well as we know that crackers had
access to the information long before we did.

The entire security community is BASED on the
concept of PEER REVIEW, where anonymous strangers
(preferably scruffy college kids, for theatric
effect) scour published code and design documents
and find flaws. We wouldn't have Blowfish and
IDEA if it weren't for Biham and Shamir ripping
up DES.

cDc is following along in the same tradition,
and it's a tradition that we need to ensure is
maintained. Nobody is doing the security community
any favors by attempting to villify Sir Dystik.
It is incredibly important that we not set a
precedent for shooting the messenger.

Re:Why all the stealth features then?

[Helge+Hafting]

If you are the admin of a corporate PC running NT, you tell the user, if you touch this program intentionally your boss will hear about it, and they leave it alone.

And when my boss asks "why did you kill that program?" I just tell them I didn't - it probably crashed by itself or because of some os glitch.

Re:what is with people

[Reid+Fleming]

I have no doubt that cDc's great "demo" will consist of someone logging in as Admin (or obviously an account in the administrators) group, running their application, and then smugly smiling as it does exactly what it should do, which is run as a background process. WOW! Tricky!

No doubt whatsoever? Then I suppose you wouldn't mind placing a wager on that? Meet me at Defcon before Saturday 2:00pm and we will make a bet. Bring money.

Re:Fun Stuff

[Rozzin]

Windows just makes everything so much easier for the cracker hacker making such programs...

MS DOS was never intended to be at all secure--it was always a purely single-user system.

Windows 3.1 was never meant to be secure--it was just a single-user, single-instance shell to the single-user, single-task DOS.

Win9x was never meant to be secure--it was just a more powerful utility with pretty much exactly the same purpose as Windows 3.1. The `hit escape to bypass login' thing isn't a mistake or a `security hole'--Win95 logins only exist to maintain multiple sets of settings.

WinNT didn't start out as a multiuser operating system with built-in paranoia, so it hasn't been, and isn't going to be, easy for Microsoft to tack that onto it.

MS Windows is `insecure', but that was initially the point to the OS.

Windows 9x, these days, is a video-game system, and it's pretty good for that, and not much more. Besides, you don't really need a video-game system to be `secure'....

Let's get things all straight, and use the right tools for the job--not all operating systems (or shells) are good for everything (which makes me think of all of the full-screen Windows games--what's the point of a window system when you want to run things full-screen? How much better would the games go if you just didn't load the Windows GUI to begin with?).

good sides and bad sides

[Giraffit]

The good side is that after being hacked by BO stupid users who actually actuvate dubious files will learn. and if they won't - they deserve it.

The good side is that equally stupid user i.e. the crackers will actualy feel sooooo smart.
The good point of that is that sooner or later they will be caught, thats the punishment for stupid hackers.

Symtops of Closed Source

[Adam+Knapp]

I don't think that exploits like this have so much to do with tha fact that Win NT is a crappy operating system but with that fact that it is closed source. If NT was open-source underjust about any meaning of the term we wouldn't just see an exploit like back orifice published, we would see both the exploit and a fix published. Why? because no cracker wants his system to be cracked by another cracker using his own crack.

what is with people

It is incredibly that so many people don't even understand what is going on before they open there mouths, I am in no way saining that MS products are secure.

But this is not a security hole, it is a remote administration program that has to be installed. It doesn't matter what the OS is, if you install a program that was written to give remote admin capabilities, then you have given people that ability.

How does this constitue a security hole on M$ part. It sound more like a security hole in the person using the computer. I can remote admin many differnt OS's does that make them insecure also.

People please think, think before you speak, or politicians will take that away from you also.

Re:what is with people

[Palin+Majere]

"What is with" people is the fact that while BO 2K is a program that must be installed, it does _not_ require Administrator-level access to do so. There are numerous unpatched security holes in Windows 95, 98, and NT that allow unpriviledged users to act as fully priviledged Administrators.

The analogy here is that every NT box has a walking 'root' attack built into it...

Now, would you want a security hole like this in a multi-user system? All it takes is _one_ downloaded email program and your entire network is compromised.

Let's think about this a moment:
BO 2k (and the original BO) is designed so that it can install invisibly after being attached to another program that _executes normally_. This means that Script Kiddie A can attach BO 2k to, say, a copy of the latest version of WinZip. He then sends that copy of WinZip out in a nicely drafted email to several people at an office. The insant one of those people downloads that email and installs the new version of WinZip (which works fine, and is in all ways a 'normal' version of WinZip), they have just infected the entire network with BO2k.

Now tell me this is a 'remote administration' feature and not security vulnerability.

The very nature of remote administration implies that you must have privledged access to the machine in order to administer it. BO2k allow _unprivledged_ users to both install and administer it.

While I disapprove of the cDc's choice of methods, I can at least say that if they had to make this program, they are at least distributing it properly. Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. Patches could conceivably be easily produced by Microsoft, and programs to detect, counteract, and remove it should be easily developed as well.

This IS a security threat people. Take it lightly and I'm sure you'll rapidly change your tune after your network is taken over by Script Kiddie A exploiting known Microsoft security vulnerabilities.

Re:Idiocy

[WiPEOUT]

"This 'security' risk is nothing specific to the Windows world."

The security risk *is* specific to the Windows world. BO/BO2K can be installed by any user, priviledged or not.

To do the same on a Unix-based system, one would need either root access or a poorly configured system (ie. you need to somehow trick a priviledged user into running it for you).

"Any mildly compitant [sic] sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure."

Thanks for emphasising my point. Your problem is that under Windows, anyone can install BO, not simply the system administrator.

Aside from that, any problems that are discovered in an open-source Unix-based OS have patches released within *hours*. Contrast this with MS's responses to past issues, and come to your own conclusions.

"Designing this program to comprimise [sic] a system that isn't designed to be secure is ridiculous."

I couldn't agree more. But Microsoft claims that its "enterprise-ready" OS *is* secure. Your ridicule should be directed at MS.

Re:Imagine

[tqbf]

cDc hasn't invented anything. The source code
is meaningless to the research community as a
document of any new problems.

cDc probably hasn't done anything in the code
for BO2K that wasn't already documented in MSDN.
The source code probably will not convey any
new revelations to the computer underground.

BO2K is not a new concept. The equivalent has
probably been floating around the computer
underground for ages. The idea is simply much
better documented now, and MS has a very
compelling reason to address the issue directly.

It is a fairly well-accepted tenet of the
security community that whenever you hear about
new source code being released, you should assume
it HAS been released to the underground for
quite some time beforehand. What makes you think
that BO2K, or something much worse, hasn't been
available to modify by crackers for years?

This same logic could be applied to Aleph One's
"Smashing the Stack" paper (the harbinger of
31336 different stack overflow exploits). With
the benefit of hindsight, we see that the result
of this exploit cookbook (which was, by the way,
far more dangerous than BO2K source code, given
that it [and it's immediate antecedants] DID
contain revelations to the computer underground)
was the almost complete eradication of stack
overflows from Linux and 4.4BSD.

On a lesser scale, the release of the rootkit
trojans had the same effect for the Unix security
community --- you'd have a hard time hiding the
original rootkit on even a naievely administrated
network these days.

BO2K will have the same effect on NT.

Re:The best thing for BO is to become useful.

[Gog_Magog]

If it has a legitamite purpose, then MS can't really just "ban" it. :-) They might have to actually fix the security holes.

Re:bad journalism

[whoop]

If all anologies are flawed, then aren't all flaws analogies? Or, wait a minute...

NT *is* horrible

[cthompso]

I do have to disagree with it's "a decent system." I've administered both NT and *nix boxes, and it's just night and day.

Re:Yet more MS bashing

[Kierkan]

Please read this, then think again if they really make great GUIs.

Re:Just twits getting self-excited.

[generic]

I agree that UNIX distros need work to secure them out of the box, the problem is microsoft has no security model for 98/95. NT can be made much more secure with some work; however, I wont allow our firewall to be built on one for a few reasons.

1) Patches releases take to long
2) Stability
3) The UNIX os's have been around for 30 years and poked at longer.
4) Go ahead install that service pack on your critical NT system I dare you.
5) automation.

Re:Not a good thing

[delmoi]

Its my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.

you'd also make a shitload of money :)
(well, after the first BO came out a lot of companys came out with free fixes)

what's really insidious though, is that beacuse the source is open, its posible to modify it just enogh to evade detection....
_
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

a pain in the ass

[delmoi]

I think what he ment was that with the source available, it would be simple for somone with resonable skils to hack up a custom version that can avoid virus detection (infact I plan on doing this :P)
_
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

Re:But wait, could it be... USEFUL?

[TheMeld]

Agreed...

$ diff -u VNC_OR_SOME_GOOD_REMOTE_CONTROL_PROG BO2K
- bloat
+ speed
- tell the user you installed it

I never understood why people thought BO was a security exploit. It's a quiet remote control app. The fact that people have coded silent installers is not a security hole, either. I could probably, in a couple hours, write a little proggie to silently install VNC on someone's computer. Or any other remote control app for that matter (VNC would be easy because it's GPL'd).

Re:analogies suck around here

[squarooticus]

Okay, you people are misunderstanding the point of analogies. If I say something like "Ted Kennedy's mouth is to words as a sphincter is to shit," I'm not comparing Ted Kennedy's mouth or his words to either sphincters or shit.

In an analogy A:B=C:D, there is no implied relationship between individual elements (such as A and C or A and D or even A and B); rather, the relationship between A and B is said to be equivalent or nearly equivalent to that of C and D, even if A(B) has absolutely nothing to do with C(D). Nothing more is implied.

Kyle

NP: Gamma Ray, Sigh No More
--
Kyle R. Rose, MIT LCS

Re:How long has BackOrifice been around?

[Gawyn]

Yes, the new and improved BO might not make them patch things up, but what about its new features? Ability to watch the user's screen in real time? Ability to run on a microphone and hear anything that is going on? A modular version to add even more features? Made to run on NT?


These things will really pound on companies, who will yell at M$ for making shitty OS's, then the companies, if they are smart, will change. Where I work, _EVERYONE_ uses NT4 and it would take a lot of time to bring everything up to speed after a changeover, so we can't go to Unix/BSD/whatever.
I am not a CDC member, but I have used BO. I got into 3 of my friend's computers by sending them the infected thing and I told them it was a C program I made. They ran it, I took over their system and popped up messages telling them what I had just done to their system.

~Gawyn~

Re:Imagine

[joq]

Is it going to have yet another backdoor going to cDc?

Now lets get realistic for a second. If it were worth anything more then a new script kiddie tool why not bring it out at PC expo as opposed to DefCon? Program something good for a change. And I don't mean that in the sense that the program sucks. You know damn well it's intentions are for the losers who wouldn't know how to hack a chicken with an ax point blank. Think of all the data thats going to be destroyed when some 14 year old loser download it and sweeps subnets because his little high school hoe just dumped him and now he wants to DELTREE your whole damn pc.

You and I both know the true purpose behind BO is just a slap in the face to Microcrap and a way to intrude networks and nothing more.

...by the way whats up to the l0pht section of you guys... ;)

Dumbing down

[True+Dork]

I am not a Windows NT fan (nor do I play one on TV), but I admin about 60 Windows machines as workstations at work. What I have noticed is the absolute lack of knowledge that a lot of these users have. In Win9x, there are no levels of admin/poweruser/domain user/guest. People are encouraged everywhere you turn to run this neato exe from a web site with a "~" in the URL. Screen savers that have an install instead of just a .scr file are a perfect example.

But that's only part of the problem. Mass production of MCSEs isnt helping.

I've been admining NT and Linux for quite a while now, but I decided to enroll in (ugh...I know...shaddup) MCSE school to learn the little details I would need to throw back out at the test to be "certified". It was pretty depressing. In the ENTIRE NT wks and svr sections, I only recall seeing "dont stay logged in as the Admin" once. It was never stated in class. I was one of two people in the class who had even installed NT. (They give you a 120 day eval) Several people didnt have computers.

IF you are going to use NT as an important server, you should really set it up with strictly what you need, service pack it as best you can, lock the console, and never log in locally unless there is a problem. I have gone to way too many places seeing people using the server as their workstation logged in as Administrator with IE4 and Outlook (with Word as the editor) both open having no idea what that can do. Getting your hands on people to run your servers intelligently (or for God's sake learn yourself) is the best plan if you must use NT. Dont use IT staffing firms. And the most important rule: If the NT machine matters to you, dont put it on the Internet. If you must put it on the internet, dont browse from it and DAMNIT, DISABLE netbios on the nic that is facing the internet. These cant solve all problems, but it's all you can really do.

This is not taught to the people who really really want to be an admin in MCSE school. People arent learning. I have no idea what the solution to this is. I can make all the noise I want about it, but someone always knows better.

It is pretty silly to see this as some massive threat. IP Masqing or proxying or whatever should stop this from happening to you unless someone makes one that opens control outbound actively to a predefined host instead of passively waiting for a connection. People were scanning clients on IRC for PC-Anywhere connections to look for blank passwords. Why is cDc worse? Open netbios shares, buggy Windows ftp servers, etc are much more of a problem for the people willing to have MS products directly on the Internet, but again, that's user error and they probably didnt know.

Maybe I'm way off track here, but I dunno. Just thought I'd ramble :) Take care.

-True Dork

Re:Open Source, dangers thereof

[Gawyn]

Ban open-source software for the public? What are you, some kind of M$ neo-nazi or something? Yes, some hackers will open-source their software to their hacker pals will make even nastier versions.

What about open source OS's? *nix? You are saying that in order to make open-sourcing illegal, you would completely obliderate an operating system which has out-performed the current most-used operating system of windows?

~Gawyn~

Re:Fun Stuff

[Lamesword]

(I'm not a cDc member, but I find the above post to be the best introduction to what I have to say.)

Somebody should break into the CDC's computers and screw with their files so they can see how 'beneficial' it is.

Go for it! I'm sure you wouldn't be the first to try, and if you succeeded, you would have demonstrated that they should use better software.

2: It's MS' fault for having the security holes in the first place. Response: Bull. Microsoft's engineers have attempted to create a product that will be useful to people. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it. If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

Microsoft's engineers have most likely attempted to create a product that is as profitable as possible; that's how publically traded companies work. Unfortunately, the software market has demonstrated that what is most profitable is not what is most secure, stable, flexible, etc.

Also, I think that analogies to physical things like windows, cars, guns, and cows, are inaccurate. High physical security isn't feasible in our day to day lives; e.g. Kevlar vests are expensive and currently unfashionable. However, decent computer security is both feasible and sexy, so it is acceptable--and I believe beneficial--to create an environment in which it is necessary.

3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

History has shown that MS drags their feet on fixing security holes that are given to them privately, in advance. Remember the IIS hole that eEye found? (See www.eeye.com for specifics.) To summarize, Microsoft was given a week of advance notice, but apparently did nothing until exploits were already available. Even then, they called eEye irresponsible for releasing an exploit after others already existed!

However, I don't feel that eEye had any ethical obligation to give Microsoft the advance notice that they did. If everyone always gives Microsoft (or any other company) advance notice about security holes, then Microsoft has little financial incentive to put more effort into releasing a product that is secure to begin with. I think it's shortsighted to look at the actions of a group like cDc in the context of a single exploit; you need to look at the long term effect they have on the market. If Microsoft has to pay dearly for each security hole in their products (in this case, paying in terms of lost revenue from people who decide to use more secure products), they will be more concerned about the security of their products, because it will increase their profitability.

The only way that users win when it comes to security holes is simply to have secure software. If vendors are treated with too much leniency, this will never be achieved.

Idiocy

[CoolAss]

This 'security' risk is nothing specific to the Windows world. It is not that hard to do the exact same thing on Unix. (There are several programs availble to do this on Linux and BSD...)

Any mildly compitant sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure.

WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.

I obtained a copy of BO 2000, and I was unable to get it to run on NT. I tried it on 3 seperate NT systems including 2 copies of Workstation, and 1 of Server. It gave me the same illegal operation on all three systems.

It did, however, copy it's key to the registry, and move itself to the WinNT directory. Each time I started up, however, I got a blue screen with the error, and after I hit enter, the system booted normally.

I have a feeling that BO 2000 *may* run on NT, but I couldn't get it to work.

BO 2000 ran great on Win98, and 95... and there are some nice improvements.

I personally think that BO is dumb. Designing this program to comprimise a system that isn't designed to be secure is rediculous. It simply shows the childish tendancies of many hackers.

Re:Idiocy

[Gawyn]

Yes, but if ANYONE who does have the priveleges to do such things gets the BO 2K infection, no matter what, your network is going to get it, and you will spend hours and hours working to clean your network.

~Gawyn~

Re:Idiocy

[tqbf]

WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.

This is silly logic. Of course you see
more "Unix exploits" than NT exploits.
Unix is open source, which makes it easier
to find exploits. The only people that
have comparable resources and ability in
the NT community are not going to release
their discoveries to the public.

Re:Idiocy

[_Lint_]

You're right about one thing: NT isn't designed to be a secure system. However, Microsoft continually advertizes it as such.
Also, cDc has also Notifies Microsoft, PRIOR to releasing the origiinal BO. Microsoft continually ignored them. They went to the press. Microsoft basicly called them liars, saying that their OS was secure, and that it was impossible for anyone to do what cDc said they could do.
Releasing BO was the only way to make MS own up to the problems in their OS. And they *STILL* downplay it.
Finally: Yes dozens (not hundreds) of Unix exploits are discovered each week. But each week, dozens of fixes/patches/updates are released. Remember that attack that was discovered in the linux kernel a month or so ago? How fast was a patch released? within Hours. How often does MS release security fixes for URGENT security holes? Why does BO still work one year later? Why does MS CHARGE for upgrades that fix security problems? cDc doesn't have to write a BO for Unix. The Open Source/Free Software community already handles security concerns responsibly. MS clearly doesn't, and BO offers consumers the best chance of forcing MS to handle security problems responsibly. They certainly aren't doing that now.

Re:Idiocy

[seanb]

"BackOrifice does NOT take advantage of any secret OS backdoors, and operates just like ANY internet server."

That is precisely the problem. Without using any back doors, only an idiotically open API, BO is able to do far more than any userland app should be able to.
From the cDc website:

"It uses documented calls built into Windows to do such things as:

Reveal all cached passwords. This includes passwords for web sites, dialup connections, network drives and printers, and the passwords of any application that stores user passwords in the operating system. (This Windows feature was implemented apparently so the user won't be inconvenienced by having to remember his passwords every time he uses his computer.)

Create shares hidden to the user and list the passwords of existing shares.

Make itself mostly invisible. Back Orifice does not appear in the control-alt-delete list of running programs, and can only be killed by a low level process viewer which Windows 95 does not ship with. To their credit, Windows 98 does ship with a process viewer, but it is not installed by default. "

Windows Security Holes (was: Oh please)

[musique]

The biggest security hole with Windows is that it is too easy to run programs that open security holes. It is too difficult to protect a system when your executables are read/write by users and executables have so much control over resources. It's too easy to attach trojan horses to e-mails (aka Melissa).

I was shocked when many of my NT programs did not run or gave warning/error messages when I protected their directories (i.e. \Program Files) as read only. Unix has it right in this department--protecting the /usr tree from the user!

Re:Why all the stealth features then?

[ufdraco]

If you were an ordinary user of NT, do you think you would WANT an admin to be able to see what you were doing, etc? No. If they knew it was there, they would kill it (and NT gives you enough power that you CAN do just that).

So, to keep it running, you'd want to make sure the users didn't even know it was there. Hence the stealth features.

Re:Not a good thing

[dark3r]

The issue is not whether MS Win products have security holes; they do. It is a commonly accepted fact. The point is that by releasing Back Orifice and Back Orifice 2000, you're (cDc) opening up anyone unlucky enough to run an attached executable or any other method of delivery crackers may design to a complete loss of privacy and control of their computer to anyone who knows just enough.
Its one thing to code this from scratch, run it from a command line, and analyze packets etc. Its an entirely different issue to slap a GUI interface on it, make it self installing, completely user friendly, *and* make it completely hidden from the victim. Not anyone can code or decipher IP packets, but when its so easy to take control and access someone's computer, you're letting the wrong kind of people into the toybox.
Conclusion: BO and BO2000 will not hurt MS. MS will release a patch (maybe) and move on to another software product (definitely). BO and BO2000 will simply hurt the people who use MS.
Its my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.

Re:Yet more MS bashing

[eponymous+cohort]

Microsoft, if you fault them everywhere else, is extremely good at making user friendly interfaces.

Microsoft is good at making interfaces that appear user friendly. They will claim that they can automatically configure XYZ, and then fail half-way through the process. They offer no details on why it failed

The fact that it takes them 4 revisions to get it right (four revisions they make us pay for)

NT 4 is right? (Ok I know the first version of NT was labeled NT 3.1, so 4 should be only 2 or 3)

Conflicting logic

[Chris+Andreasen]

Wait a sec...
In your post you said both
"WinNT is just as secure, if not more secure, than most Unix systems."
and
"I personally think that BO is dumb. Designing this program to comprimise a system that isn't designed to be secure is rediculous."
Is it just me or do your statements conflict with one another?

Re:bad journalism

[whoop]

How about adding a little bit like needing the user to click a button to say "Yes, you may come in?" Perhaps even making and none of the secret accessing as default. Then you would have a decent argument against all the antivirus companies that will mark it as a trojan, which you know they will.

Re:Fun Stuff

[cernnunous]

I think it would be safe to say that the majority of exploit programs like this ARE designed to attack "other" operating systems, primarily Unix. Every Unix admin I know hasa copy of Satan at their fingertips, and use it.

As to your other point, a default install of Linux wouldn't stand up against programs designed specifically to exploit them, that's what patches are for. The difference between patching the holes in Linux (and most unices) and Windows is the time between when the exploit is announced and when the patch is available. Most of the stuff BO is taking advantage of has been known about for quite a while and there is still no patch. Most exploits on Linux are patched within a couple days, often within a few hours.

Cernnunous

Re:But wait, could it be... USEFUL?

[Captain+Teflon]

If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?

Would you agree Virtual Network Computing (http://www.uk.research.att.com/vnc) goes at least some way towards meeting that goal? Without including the stealth features and self promotional posturing as our self-appointed security watchdogs?

You guys in CDC are obviously good programmers. If you're serious about protecting security, I hope you expand to probing other OS's too and not just concentrate on the Gates-bashing which too many here have an obsession about.

Re:Why all the stealth features then?

[ufdraco]

I only wish that were always so. Unfortunately the real world of corporate politics doesn't work that way. There are often people that should do as the admin says, but don't have to because they are buddy-buddy with somebody more powerful than the admin (or his boss) is. Or maybe this person is more important than the admin is (i.e. this person makes more money for the company than the admin does). Either way, it doesn't work to threaten the user.

Besides, why even put it out for a fight if you can just hide it so the user doesn't know any better? Stealth makes it much easier.

back doors and open source.

[McFly777]

>Well, from what I hear the source will be
>available - so I doubt there will be any back
>doors (and if there are any - they will likely
>be caught rather quickly)

Just make sure you compile from the sources and don't just take a binary copy!

I also heard there was a backdoor in the original BO. Has anyone confirmed this? What info did it actually send?

--McFly

Re:Instant poll

[seanb]

Look at the poll results. Do far most people thing BO2K will either help or both help & harm.

Re:Fun Stuff

[Lamesword]

When BO was released, Microsoft didn't suffer, ordinary users suffered. To try to influence MS by hurting users is nothing more than terrorism.

The only way to prevent users from suffering is to have secure software. I understand that users did suffer from BO, but I think the blame lies with the people who used the program maliciously, and the people who created a product that allows such tools to be so successful.

"But why create tools that others can use maliciously?" When security holes exist and remain unfixed, they will be found and exploits will be created; it is merely a question of who knows about the hole, and who knows about the exploits. Before Back Orifice was released, how many users already knew that this sort of thing could happen to their computer? How many knew that similar tools already existed? As a system administrator, I appreciate the work these groups do because it helps me protect my systems and users; every security hole that they find and yell about publically is a security hole that I can prevent from being very harmful.

"So why not just let the vendor know about the hole in advance?" I want the people who write my software to care about security before the product ships, so I think it's important for security holes to be an embarrassment to the vendor. Anyway, when security holes are publically known, anyone who has important data to protect has the opportunity to protect it--the damage is limited to those who don't care about security, or those who think they care but are unwilling to put any effort into protecting themselves (and in this case, the "effort" could be nothing more than choosing products with a good reputation for security).

Re:The naysayers don't get it

[gehrehmee]

Exactly!
In my opinion, the cDc isn't so much against the code of Microsoft, but against the organization of Microsoft. The code sucks, but there's a reason...
BO simply brings to light all the problems. If they were really problems in Windows code, they would be fixed by now. Instead, it's a problem in the way Microsfot HANDLES its code.

Personally, I'm all for the cDc releasing a program to remove BO. (Of course, hacked versions couldn't be removed on account of this). But a simple effort to help users clear up the mess will do alot to help allieviate the negative response the unenlightened give it.

Re:But wait, could it be... USEFUL?

[Tweety+Fish]

VNC isn't bad... because of it's model, it tends to be bandwidth intensive and pretty slow. Back Orifice 2000 is a much more efficient (if less pretty) model for networked remote admin.

As far as turning to other OS's, well, that's a possibility. This is sure a hell of a lot of fun, though, and *nix users, at least, tend to already know what their system is doing at any given time ( or at least, they can figure it out), and thus don't need the particular variety of help the cDc has been providing.

Re:Fun Stuff

[tqbf]

Point by point:

1.) Sir Dystik and Dildog did hack on their own
machines. All they're doing is publishing the
results.

2.) The fact that an "administration tool" can
be used for nefarious purposes does not make it
any less of an administration tool. Netcat, inetd,
and the GNU C compiler are all used by crackers.

3.) Anyone who suggests CMU CERT (or any FIRST
organization) as an avenue for disclosing security
holes has never dealt with CERT or FIRST. CERTs
automatic reaction to being presented with a new
security problem is to consult the affected
vendor. CERT releases nothing without the approval
of the affected vendors.

CERT, and more importantly the public's idea of
CERT's role, is a major problem with the security
community today.

4.) If cDc released a "crippled" version of BO2K,
Microsoft would immediately reply by claiming to
the press that the issue was "theoretical" and
"harmless" to normal users. That would defeat the
purpose of releasing BO2K.

5.) I don't understand how you can, with a
straight face, compare someone who killed hundreds
of people with two people who wrote and published
code. This is offensive on many levels.

6.) It takes a very naieve perspective on the
security community to assume that a "benign"
disclosure of a security hole will provoke any
action from Microsoft or any other corporate
software vendor. Having dealt directly with
Microsoft in a security hole disclosure, I can
state with confidence that Microsoft's primary
goal is NOT to responsibly notify the public as
quickly as possible.

The whole idea behind BO2K is an elaborate attempt
to call Microsoft's bluff (that the problems BO
takes advantage of don't affect MS's flagship
operating system, that any problems that do affect
NT are simply theoretical, and that nobody really
exploits problems on NT, unlike under Unix).

There wouldn't be an issue if Microsoft was honest
about the issues affecting its products. The same
issues affect Linux, but they are for the most
part acknowledged and dealt with. Thus, there's
really not much fun in poking holes in Linux.

USEFUL? hmm...Hell ya!

[law]

"respectable"
Respectable is too subjective, I would think that the only difference between CDC members and me is; my thin veneer of ass kissing.
(No I don't crack, but my open source idealogy is in quiet contrast to the Luddite mentality of my employer.)

"Back Orifice 2000 is a tremendously useful tool for any administrator."

Agreed, I admin about 100 NT worksations, this could be a great tool.

"The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them."

I tire of Closed Software trying to take control away, instead of enabling me. Why is closed software always aimed at the lowest common denominator?

I am glad to see BO2000 and CDC is around.

A bit of logic on BO2K

[DeltaCrash]

Keep in mind that the admin has to launch the client app. Just because the bug is out there dosen't mean there's no way around catching it. Just be wary of who has access to the NT deck, and don't launch any forign programs; I always thought that was the first 2 rules for being an admin. I can understand why everyone got so uptight with the older BO; beginner and intermediate Windows users are usually fond of funny little .exe programs that show a virtual puppy run across the screen or something. It goes to show how gullible some people are. But that should be a diffrent story for admins. I seriously doubt that any self-respecting network administrator will run a 40k .exe file to watch a few pixels do a dance...
Although it could always be a Freudian version of euphanasia. Who's to say?

-DeltaCrash

Re:...

[dark3r]

There are/were several sites that sprung up after BO's release claiming to rid your system of BO.
If BO is run with its defaults unchanged, the executable shows up in the Registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce or RunServicesOnce or RonOnceEx. A more insidious user would change the default settings and most likely would not send you a pop-up stating he likes your porn collection.

Bad move...

[nmarshall]

...Sorry but the cult requires me to curse you house etc... nothing personal, dont worry the pain only lasts for eternity... :)

La mayyitan ma qadirun yatabaqqa sarmadi Fa idha yaji' al-shudhdhadh fa-l-maut qad yantahi. Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn. Zi Dingir Ana Kanpa, Zi Dingir Kia Kanpa

nmarshall
#include "standard_disclaimer.h"
R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE

Microsoft seeks BackOrifice warez

[drougie]

It was written somewhere that Microsoft was keeping "a close eye" on Back Orifice 2000. Could it be that they are somehow connected and can get a hold of pre-release coppies? I bet so, and I also bet that immediately after this thing is released at DefCon, that Microsoft will be ready with a quick counter as well as bug fixes and news releases, etc.
But still, isn't that unethical of them?

Re:Microsoft seeks BackOrifice warez

[Obscure+Images]

We didn't pass any copies to anyone outside of cDc and beta testers. Microsoft will have to wait like everyone else.

Re:Microsoft seeks BackOrifice warez

[Tweety+Fish]

I think you overestimate Microsoft's proactivness when it comes to security issues. I'm sure they're interested, but a prerelease copy? Maybe we're a little better at keeping a handle on our betas than some people are.

Re:Microsoft seeks BackOrifice warez

[dattaway]

Microsoft interested in security issues? Somehow I feel it is more macho they are more interested in offensive measures than defensive.

I'd like to see the neighborhood traffic on your street. How many are dark vans and limos with dark tinted windows and stay parked close to your house? Have you ever walked up to one of them to say "Hi!" to the occupants? I'm sure there is a vested interest in knowing who you are and watching your residence, friends, and place of work.

Re:Microsoft seeks BackOrifice warez

[Saint+Nobody]

if you were actually doing this for security purposes, then why not let ms have a prerelease copy? that would give them opportunity to fix the problems, making the negative aspects of back orifice a moot point. script kiddies couldn't exploit those holes.
I honestly don't think ms would fix the holes, but they deserve the opportunity.

Re:Fun Stuff

[uberfunk]

I don't like it, for two reasons that come to mind immediately:

1) It shouldn't be as public as it is. Remember the movie Sneakers? I'd like it to be more like that... hackers actually hired by the companies they are breaking into, rather than random acts of violence by geeks who are bitter that Bill's operating system sells better than theirs. Granted, Windows has some serious security issues, but this isn't a mature way to publicize them, and the majority of people will be annoyed with the hackers rather than with Microsoft. It doesn't go too far to point out the problems.

2) It targets Windows. How many programs out there are actually designed to attack "other" operating systems? How well would the default install of Linux stand up to a program designed to exploit its security flaws? Granted, you can hack it... but what good is an OS that is only good to hackers? I'd like to see a port of Linux with the ease of Caldera which has impeccable security. Until then, we can laugh at MS, but it's a hollow victory.

Re:Maybe if you had a clue...

[tqbf]

In those cases, "less" invisible. Both of
those (old) tricks are incredibly easy to
get past.

Re: "ps": keep a backup copy of "ps" somewhere
and periodically diff the -ax output against
that of the "real" ps. If they differ, panic.

Re: "ls": keep a backup copy of "ls" somewhere
and periodically diff the -lua output against
that of the "real" ls. If they differ, panic.

There's a procedure to discover attempts at
hiding things on Unix systems for any trick an
attacker uses. Regardless of how low-level the
attacker puts her trojan.

Re:Fun Stuff

[tqbf]

Releasing the exploit for the ISS overflow
did not make a bad problem worse. It would have
been impossible to make the problem any worse
than it already was: Remote administrative
access via an extremely popular, very public
network service, and it was already being
exploited in the underground.

At that point, no amount of information that could
have been released to the public could do anything
but help.

It's unfortunate, but predictable, that a
community of users and vendors, not accustomed
to handling security problems professionally,
could do nothing but resorting to pointing fingers
and shooting the messenger.

Re:read the source? bullshit!

[tqbf]

A modified Linux kernel is easy to detect, but
not with "md5". Read the source code. md5 does
an open() on the target file. It is trivially
easy to hook open() in the kernel, detect attempts
to read "vmlinuz", and return the original file
instead of the modified one.

Poof. Perfect looking signature and you didn't
even have to cryptanalyze MD5. What a break!

If it still works Microsoft dident do a good job

[will12]

If the program still works than wouldent that suggest that Microsoft hasent done enough to fix the problems, and the sorce code will help them fix the problems but also allow people to exploit more.

Solution to your query my friend.

[DeltaCrash]

Please note that the Melissa virus got much media hype, as Back Oriface barely got a chortle. The media hype therefore begat public histeria, which therefore begat Big Brother's attempt to show the aformentioned histerical public that they knew what the hell they were doing.

Now, the fault lies with who? Microsloth, who makes products which resembles a piece of swiss cheese; or the person or group who exploits those holes?

Oh, by the way:
Note that MS really hasn't done much about the Back Oriface problem! They know it's there; hell, they even made the comment, and I quote,

"That vulnerability is completely theoretical."

Now then, if it's theoretical, WHY DOES THE EXPLOIT WORK?!? Perhaps it's a marketing ploy-
"Windows 2000 is completely unaffected by Back Oriface, created by evil, dangerous, and nazi computer hackers!"
Can you see it too, or is it time to take my medication?

Re:Maybe if you had a clue...

[Plugh]

Au contraire.

As a previous poster said, ANYTHING can be made more-or less "invisible", simply by hard-coding a hack into the tool that you use to "see" with. In *nix, you might recompile ps to that 'my_superroot' never shows up in the output.

Then replace the real ps with it, set its timestamp back, and viola. Hell, you can even hack 'ls' so that it always reports the right size and timestamp for the 'ps' program (and ls itself, of course). The above examples are not *nix-specific, the same method applies to process viewer -- or, hell, the .DLLs it relies on for system information!

MORAL: Once someone has "administrator" (root) on your system, it's only a matter of how bad they want to f&*% you.

Unix isn't open source...

[demon]

Unix itself isn't open source. The free BSD variants (Net/Open/FreeBSD) and Linux are, Solaris sorta-kinda-maybe is, and the others I know of are not.

Re:Export restrictions?

[Tweety+Fish]

We are taking steps to make absolutely sure that our distribution of BO2K violates no state or federal laws.

We also strongly believe that people should be able to use the software with strong encryption.

Not a good thing

[StephenJ]

I dunno. This thing plagued our college campus for a few months until we got it under control. Our network is NT on a UNIX backbone.

I agree with the CNN article: this cult's motives don't make any sense; it's like a cult from the automobile industry who steals cars to make everyone get car alarms. It does much more harm than good. This is a negative way of getting attention to network security, not a positive way.

Re:Not a good thing

[Tweety+Fish]

First of all, if your campus network was NT, you would have had >0 problems with Back Orifice, because it didn't run on NT.

Second of all, the tool we are releasing is an incredibly useful and powerful remote administration tool, much better than anything else currently available from Microsoft, Symantec or anybody else. If Microsoft didn't make it so irritatingly difficult to figure out what your server is actually doing at any given moment, the security concerns would be a moot point.

Re:Not a good thing

[pal]

i oby-ject.

it's not quite like a fiendish automobile cult stealing cars to make you buy car alarms. any analogy is flawed, but, come on, cdc isn't stealing anything.

if you want to make an automobile analogy, i prefer to think it's like someone pointing out that gm hasn't provided your car with a lock!

that's the point, right? i see every reason to blame microsoft for all the security problems their products have. of course, you can blame the guy that breaks into your system, but how productive is that?

at least putting pressure on microsoft might get them to fix their problems. an even better solution: don't use (or pay for) their products.

whatever happened to the poor guy that got arrested for allegedly releasing melissa a few months ago? i feel bad for him. compare his fate to that of the office development team, and ask yourself who's more to blame.

- pal

Re:Not a good thing

[StephenJ]

I totally see you point, but we have to look at the big picture. That is, ordinary people can download this thing and use it for whatever purpose they wish, whether it be a network admin testing out security, or a person using it maliciously to take advantage of a network without security against it. Some may say, "too bad for the network admin". I understand where cDc is coming from. It can produce results, but it it also probable that problems could result.

My analogy was incorrect before. A better (perhaps not entirely accurate) one is an auto parts store selling a master key for all Ford vehicles, which would put pressure on both Ford motor corporation and all Ford customers to purchase a different lock for their vehicles.

Re:Not a good thing

[j_edge]

it's like a cult from the automobile industry who steals cars to make everyone get car alarms

Actually, they would open your door and start your car for you, since your car manufacturer doesn't require keys. It is not equivalent to theft. Though of course they'd write up a text file telling everyone (thieves, owners, manufacturers) the stupidity of creating a car with no locks. And to top it off they'd do it in that oh-so-humourous way that the cDc is famous for. (and it's very, very far from murder, as the "computer security experts" equate it with in their analogy.)

Re:Not a good thing

[tqbf]

A.) Please stop using analogies to communicate.
Read the discussion so far. Do you notice that
people are wasting more breath discussing the
flaws in the analogies than they are the issue
itself? cDc didn't infect meat or steal cars.
They wrote code. I think we're intelligent enough
to discuss that.

B.) cDc didn't create ANY security problems. The
attitude that says they did is called "security
through obscurity", and it doesn't work. The
computer underground is consistantly and blatantly
underestimated by people, most of whom have no
connection to the security research community,
who think that system crackers didn't have tools
prior to their public release.

The functional equivalent of Back Orifice was
already in the hands of people you definitely did
NOT want to have these tools long before Sir Dystik released the first Back Orifice trojan.

Pull your head out of the sand.

Re:BO vs VNC/PC Anywhere

[Tweety+Fish]

Even in the original Back Orifice you could specify a port and password. While you cannot mask out certain IPs (which you should be doing at a firewall/gateway anyhow), strong encryption and authentication are probably a better solution for protecting your BO installs from unauthorized users.

Users are the problem

[Restil]

BO2K doesn't exploit bugs in the OS so much that it exploits the gullability of the users USING that OS. Windows 95/98/NT give a user practically full control over their machine. If I want to delete any file on my hard drive, you can bet that there won't be many things to stop me. If I want to upgrade my drivers so I can play a certain game, the OS won't be complaining about it. And if a friend sends me a cool program and I try to run it, then the OS will let it run. And no matter what that program does, the OS will let it do it.

In many cases, its more technilogically difficult to install BO2K than it would be to install a backdoor under a *nix based OS. If there are any known exploits on a *nix box (and usually there is), then someone could install a backdoor from remote. They could safely sit at their own computer halfway around the world and install their backdoor. BO2K requires access to the physical computer itself, or at the very least, access to a server where programs the user might run may be located at.

This means, ultimately, that a user HAS to be duped into executing a program. You can debate until the sun goes dead about the malicious intentions of the author, until the user actually installs the program on their computer, it won't work. This is the problem with giving a user too much control over their system when they aren't experienced enough to know how to avoid doing anything stupid.

So microsoft needs to fix this problem. How exactly would they go about fixing it? They could release a version of the operating system specifically aimed toward the clueless user, which severely limits the access a user can have to their own system. This could actually be useful in corporate environments, but your average home user might not want to go through several extensive security checks so they can upgrade their mouse driver. This kinda goes against the
whole PNP philosophy.

Perhaps a community written pamphlet, maybe 20 pages long that computer vendors could distribute with new computers, modems, and ISP's could send to all new customers, might be useful toward solving a lot of these problems. It could explain basic online ettiquite, how to properly conduct one-self in newsgroups, how to avoid the pedophiles online without sacrificing freedom. How to avoid spam, and basic rules about never running programs that people send you, not to forward chain letters, and maybe even touch some of those controversial subjects like how to properly monitor your children's internet activity without excessively invading their privacy at the same time. If such a booklet could be reproduced for free by the vendors for practically nothing, then perhaps a lot of these problems could be addressed without the need of virus scanners, censors, extreme security measures, or new laws that only infringe on the rights of law abiding citizens.

Just an idea.

-Restil

Oh please

These people are just in it for the attention. You first have to install the trojan to even get it to work, which in no way proves that Windows has security issues (it does, but this isn't the way to prove it). If you've downloaded and installed the trojan without knowing it, tough break. Don't blame Windows, it's your own dumb-ass fault.

Re:Oh please

[dattaway]

Its a trojan waiting to be installed through some email document/application attatchment. Attatching word documents seems to be very popular with people who are trapped in the Windows environment.

Re:Oh please

[fr0g]

I agree. Windows 9x is not a networking OS and it dosent run "servers" on it to exploit. And if somebody installes it themselves or if they download the latest 0 day warez with BO wrapped into the *.exe its their dumb fault. I work for a very large computer manufactuer as a technician and I will enjoy every minute of charging folks like this 50 bucks to remove it.

Re:Oh please

[questionlp]

I completely agree, since the trojan horse just pops open a certain port or two so the client proggie can worm inside.

A *real* security hole would be to find a way to get control of the OS without having a piece of software running on the receiving end of the attack.

This kind of "tool" just makes things worse by lying and passing FUD around the net.

Re:Fun Stuff

[jjohnson]

The last time this happened, the antivirus companies had a patch out within days. Microsoft did fuck all.

It's been reported that, along with BO2K, the CDC will release a patch as well. They'll be including the source code, and they've publicized the hell out of it just so that people are aware of the risk.

This just isn't the huge threat you're making it out to be. As happens with every new virus or whatever that comes out, the network admin at my company will send out an email warning people not to open EXE files.

Once again, Microsoft appears to be doing fuck all. Everyone else is fixing their systems to close a gaping hole.

I honestly don't see how this could have been handled better. Should Sir Dystic, having figured out how to do it, promptly forgotten, hoping no one else would figure it out? The threat had to be real to get the action to fix it; that's been made plain by the scrambling of antivirus companies.

It would be nice if no one ever wrote viruses, and if we didn't have to lock our houses at night. However, Microsoft isn't just selling us houses that can't be locked properly, they're refusing to admit the problem exists and help fix it; they're telling us the lock is fine, and if BO2K is what it takes to admit that a serious problem needs fixing, then I won't feel badly for anyone who suffers for it when they could have avoided it.

It's a tool people

[Plasmoid]

It's a tool kind of like a gun. You can do positive things(Hunt for food) or negative things(slaghter people). It really depends on how you use it. You could easily use this for remote administration or for destroying entire networks of data. It's all up to you.

Re:It's a tool people

[topher1kenobe]

Sure you do. I have, and it was tasty.

Re:It's a tool people

[Ares]

You'll take notice that no mention of handgun was made.

If God hadn't intended for us to eat animals he wouldn't have made them of meat.

Re:It's a tool people

[dattaway]

you don't hunt for food with a handgun..


I have.

Re:It's a tool people

[hawk]

>you don't hunt for food with a handgun..

>vegetarianism for all.

If all you're after is vegetables, why would you use anything bigger than a handgun? Killer turnips? Mutated venus fly traps?

vegetarians for all. preferably grilled.

Re:Idiot

[ivan_13013]

Umm.. the original BO *IS* a decent remote administration tool. When I used to use Windows95 in the office, I could view text files containing my todo lists and phone numbers and such in a web browser, and telnet to my DOS prompt from the other side of the building. And with (albeit minimal) password protection and encryption, too!

Their software *is* innovative. What program can you run in under 140 K which includes a basic web server, process control, telnet access to text applications, screen shots, password protection and more? For that matter, what Windows application runs in under 140K, period? I think my mouse driver was about 200K.

I don't understand how you think such a monitoring program is destructive or that its writers "should all be shot" for providing it. Who's forcing you to use it? Oh yeah, that's right, you're forced to bend over for CDC because of MS "security" and the strange compulsion to always click on executable email attachments.

Microsoft's "Alert" about BO2K

[Yakman]

This is a bit of a "Premier Alert" Microsoft sent out regarding BO2K.

"What is Microsoft doing about BO2K? Microsoft is closely monitoring the situation, and is committed to helping customers have a safe, enjoyable computing experience.

I don't understand why they don't just fix their Swiss Cheese Security Model ;) It's probably a bit late to post this, but it's very funny (at least I thought so)

Its GPL

[Uart]

Thats right, its open source!!! haha, windows sucks...

Weeding through Micro(BS)oft

[DeltaCrash]

"What is Microsoft doing about BO2K? Microsoft is closely monitoring the situationand is committed to helping customers have a safe, enjoyable computing experience."

(Read: MicroSoft isn't doing a damn thing about BO2K. We may have a few guys a DEFCON scouting around. It dosen't matter anyway, we already have your cash.)

Simpler terms: HA HA SUCKERS! YOU BOUGHT OUR PRODUCT NOW YOU'RE STUCK WITH IT!

You learn to weed through MicroBS gradually. It's a talent I guess.

It's odd; Win95 came out with all these new little features, and it was toted as bug free. Next Win98 comes out and it says it's "Improved". Again, the MicroBS- Improved means that something needed fixed in the older version. In other terms:
"Oops- there were some bugs in our bug free software, but instead of fixing them for free, we'll just make you pay again, fix the old bugs, and put some new ones in."

Please note that other OSes do this too, but they arn't as bug ridden or as hyped as the Windows brand. Now a new question is posed- why use a highly flawed OS? Can I get an amen for *nix and MacOS?

-DC

Bad analogy, as usual

[squarooticus]

I take issue with the following analogy:

Releasing a hacking tool like Back
Orifice 2000 in the name of
safeguarding computer privacy is a bit
like the American Medical Association
infecting cattle with the deadly e. coli
bacteria to inspire food companies to
sell healthier meats.

The correct analogy in this case would be the AMA infecting cattle with E. coli to make cattle owners produce cattle that are resistant to that bacteria. I'm not surprised he used an incorrect analogy: the right one would undermine the "popular" opinion that virii and hackers are universally bad, instead of good for flagrantly (and typically non-destructively) exploiting security flaws and shoddy programming.

Kyle

NP: Arkhe, S/T
--
Kyle R. Rose, MIT LCS

Re:Bad analogy, as usual

just to let you know ALL cattle have e. coli.
In fact most animals including humans have e. coli. The e. coli bacteria live in our intestines and aid in our digestive processes. Our relationship with them is symbiotic, as longs as they don't creep into our stomachs.

We react negatively to different strains of e. coli when they get into our stomach. Some strains are worse than others, e.g., the ones found in cattle.

But the gist of your point is well taken.
I still like the car alarm analogy.

Re:Bad analogy, as usual

[Hard_Code]

Even the revised analogy is bad, because it indicates the cattle are infected with something that isn't already there. The bugs are *already* there, waiting to spring up and bite somebody. Perhaps a better analogy would be somebody putting coloring in the meat that made disease show up in some nasty bright color...or made meat that had some flaw in it taste terrible (which would be a good thing).

Anyway, all these analogies are wrong because AFAIK BO2K doesn't exploit *bugs*, per se, it exploits *poor design* in the OS.

Re:Open Source, dangers thereof

[NtG]

The whole OSS movement won't change for one trojan horse. In fact, it wouldn't change for 100.
Anyway, there's nothing to say that its not beneficial. I'm sure the code would be educational.

Re:bad journalism

[Obscure+Images]

Just as a side note here, there are no current members of cDc who are teenagers. Yes, ladies and gentlemen, we are all adults. We all work for a living, pay our taxes, avoid breaking laws and live our lives the way we please within those boundries. Now, even though this isn't the right thread, I'm typing here now.

I will be using BO2K on my machines at the place that I work. I will do so with the permission and support of my CFO. The reason for this is simple. Using BO2K I can fix most common problems with my user's machines without having to leave my desk. I can tune in to a user's machine and see what they are doing wrong, and help them fix things. This saves me time and energy, and my time is valuable. The less time I have to spend monkeying around with users machines, the more time I can spend writing code.

Oh, as for privacy: I have a plug-in that I wrote that pops up a little flashing light in the corner of the screen everytime I'm monitoring someone's system. They know when I'm doing it, they also know I only do it when they need help and everyone is happy.

Did I mention that BO2k isn't a Trojan? It can be used maliciously in a trojan-like way, but the same could be said for any other product in this class.

Re:Fun Stuff

[nmarshall]

hmmmm web based linux control panel? so you can install it on a box and then control it without takeing the blame? but making one shouldnt be that hard... just make a Back Orifice 2000 perl mod. then build your cgi / form thingi...
nmarshall
#include "standard_disclaimer.h"
R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE

:P

[Byter]

"remove nospam for e-mail"

You have to remove the dot after "nospam" as well. :P

Re:Fun Stuff

[Sonik]

Really, it doesn't say ANYTHING about the quality of win9x! Couldn't this sort of thing be written for ANY OS?

Not the same

[Jakyll]

Exposing cows to E Coli is adding something to the lab that wasn't there.

Exploiting inherent weaknesses of a program is simply doing something with the material you already were presented with that someone else hasn't yet thought of.

In other words, reworking the genetic material that is already there.

It's pointing out the flaws and begging them to be fixed!

Dynamite in your basement.

[seanb]

You're absolutely right. I don't mind at all if you keep 3 tons of dynamite in your basement. None of my business, and I don't care.
If you try to use that dynamite to blow up something that doesn't belong to you, on the other hand...

Best Analogy Yet

[docwhat]

This is more like someone showing where you can get a chocolate bar and saying, "If you feed this to your dog, it will make it sick and probably kill it."

The cDc is not installing this. It *is* available, but using the idea that if they didn't write it and make it *obviously* available, then someone would do it silently or such that it would take a while for everyone else to figure it out.

Why is anyone concerned, anyway? When I ran NT, I kept this off my machine (and other annoying trojans) by following simple security proceedures. Things that most people should follow.

My computers have never had a virus. I have been handed one floppy with material on it that I needed that was infected. And I found it right away and removed it.

Because I'm lucky? No, because I am reasonably cautious. I never trust my semi-skilled boss to be virus free. I never trust those "run this little program. It's cute." emails.

As for the argument as to why cDc released it; If MS doesn't care about the quality of their product (which they are only in as such it keeps their image good and makes them money) then their customers must be made aware.

I don't expect this to sway anyone. It seems most people are very biased into their opinions on MS and their win products. I really don't much care except to say that use the tool that fits and that is comfortable (in that order).

Ciao!

Sadly enough...

[WareW01f]

... BO2K (kinda rolls of the tounge, don't it?) is more pro-WinNT that anti. The people working on it know a lot about the OS and therefore have spent quite a bit of time with it. In the short term it makes M$ look bad, but in the long term it actually improves their product. (That is _if_ they do anything to plug up the holes.)

What's even sadder is that this could all be avoided if M$ was as open as Linux and there was an open envionment for users to say something like "Hey, you gotta problem here, thought you'd like to know." and get a responce. That's not the way it works.

I guess the way I view it is yes, the ethics of giving 'fire' to script kiddeez is somewhat questionable, but as with Melissa and every other stupid hole in M$ software who's more to blame? The person pointing out the way to a wide open back door, or M$ telling everone not to worry, they're getting the most secure system around? Let me tell you that as someone who unfortunately has to put up with an NT network at present, it's a bit disturbing when I read about a hole in NT and see a link to an exploit _days_ before I'm notified by Micro$oft's security mailing list that there's even a problem, and then all they ever do is play it down and point out how rare it is and what little threat it is to my system.

Personally, I say more power to cDc. Somebody has to speak up and sometimes it takes some punk wiping out a network with a keystroke to get the right people to listen. All's fair in code and war. If it's not CNN it looks like somebodies already doing that. Maybe this time they'll learn.

Re:analogies suck around here

[seanb]

Yes, and we are saying that the relationship between A and B is NOT equivelent to the relationship between C and D. You are understood. Others simply disagree.

Re:'wholes'

[BitchLick]

Actually, NT has many exploits to get Administrator privileges from a simple user account. BO2k probably uses those instead of popping up a window asking to be run by the Administrator :)

Privacy Concerns?

[KevCo]

Apart from the possible exploitation by crackers, what about the privacy concerns of an employer using this software?

Imagine and IS department making this part of their standard workstation build? They could claim that it is for remote administration but could also use it for spying on everything that an employee does on his/her PC. Granted, users shouldn't be doing anything questionable in the first place but still, there are some things that should be kept private.

Re:Privacy Concerns?

[hany]

it's only the question of education.

if i'm working on some UNIX machine on which i'm not the root (or not the only one root) i know that somebody CAN watch what i'm doing and look at my files.

if someone is told that he has BO on his machine for remote administration and he do not realize he can be watched it's his own fault.

and something litle about administrstors: if admin is competent, than he care about proper functioning of system not about spying users for fun (or whatever).

Re:Privacy Concerns?

[poink]

If you think BO is a breach of privacy, then just wait until your company is bitten by the Windows Terminal Server and MetaFrame bug. Such wonderful features, like "ghosting" (remote viewing/control) without user notifcation (the admin can choose to pop up a box warning you). There are all sorts of log and audit trail things, and if your company has a proxy server, than your web activity is prob. also logged.

Even worse, if you have a decent PBX/Vmail system, then administrative stations can log and save your call activity, break into calls without notification, etc.

The amount of privacy one has at a workplace is suprisingly small.

PS - Most IS people that I know don't like to target individuals for monitoring, and when it does occur, it usally happens at the request/order of The Boss.

Re:Privacy Concerns?

[dillon_rinker]

PS - Most IS people that I know don't like to target individuals for monitoring, and when it does occur, it usally happens at the request/order of the Boss.

I would suggest that the one exception to this is that IS people like to target the Boss for monitoring and report his eventual misdeeds to the BOSS.

Re:Privacy Concerns?

[ansible]

Hmmm... I can do most/all of that now in a Unix/X environment. The basic point is that if I have root access to a system, I can do anything. That's always been true of Unix, and is becoming increasing true with Windows NT.

James

BO is usefull

I find BO to be most usefull in the remote management of my computer.

Having at one time or another had shoutcasts/ftp servers/webservers and anything else going, BO provided a really easy way to run/shut-down/reconfigure these...

The only thing I was worried about was that the server might provide a back door (go figure?) for the cDc... anyone know about that?

- I am ODiV, hear me type.

Re:BO is usefull

[Dilbert_]

As far as I remember, there was a back door in the BO client, which sent reports of all conducted subnet sweeps back to a certain IP address belonging to someone of the cDc or someone affiliated closely with them. But if BO2K is open source, that won't be the case anymore I guess...

Re:BO is usefull

[Nicholas+Schumacher]

>The only thing I was worried about was that the
>server might provide a back door (go figure?) for
>the cDc... anyone know about that?


Well, from what I hear the source will be available - so I doubt there will be any back
doors (and if there are any - they will likely be caught rather quickly)


-Nick

Re:Because [is isn't it best though?]

[Scutter]

I disagree. CODC releases BO to point out security holes. Their whole philosphy with BO is "someone else should fix the security holes". Their efforts could be more productively focused towards providing software to make systems MORE secure, not less (incidentally making them some bucks in the process). The security specialists can't churn out protection software as fast as the trojans (or virii, or whatever) can be released and proliferate, leaving us (system admins) stuck in the danger zone. This is just going to create one more headache for me that I won't be able to do anything about.
Doesn't it make more sense to have them (CODC et. al.) on our side instead of on the bad guys'?

Re:Perfect example

[demon]

Wrong answer. cDc tried telling Microsoft about the flaws they've found. Microsoft chose not to respond. cDc decided that wasn't good enough. I think it's perfectly legitimate to release an exploit (especially when the individual exploits that make up BO have been around for some time, just not necessarily all in one package). It makes people aware that there actually IS a problem. Of course, Microsoft would have people believe that BO introduces the bugs, and that their software is bug-free. That's not the case, though - the bugs are already there, this software just exploits them. Also, as others have said, it's more plain bad design than it is just bugs.

cDc justified

[blahtree]

Most detractors of the policy of the cult of the dead cow releasing back orifice label the practice as irresponsible, and juvenile. Yet what is the alternative? If cDc had quietly said to ms, "Hey look, we know how to exploit these holes in your OS, please remedy the situation," it would end there. The easy holes would be fixed, but the rest would remain open because only a small group of people knew about them. MS would try to sweep it under the carpet.

Given how widespread Windows is, this is really pretty scary. The information that was restricted to a few individuals wouldn't remain that way, and soon many crackers would know how to do what they please with a Windows box. Eventually, the public would catch on.

Compare this to the current scenario where the public is informed right at the start. This presumably should force ms into action. Seems like a better solution to me.

Re:cDc justified

[sethg]

Groups like cDc are doing us a valuable service, for the following reasons:

• For many computer-related commercial products (e.g., operating systems, cellular phones, Web server programs), if you can give the impression that your product is more secure than your competitor's product, then (all other factors being equal) you will sell more.
• The people who buy these products, and the people who review them for industry magazines, can't distinguish a product with bad security from a product with good security. Even a computer-security professional may not be able to find security weaknesses right away; there may be one subtle bug that can leaves your system wide open to an intruder, but finding the bug might take weeks or months of full-time work, especially if the people evaluating the product don't have access to the source code.
• It's a lot easier to boast about your product's security than it is to actually implement a secure product. This is especially true when your product has selling points other than security: a hundred programmer-hours spent improving the user interface will probably do more for your sales than a hundred programmer-hours spent looking for security holes.

Therefore, when you get wind of a security hole in one of your products, you have a powerful incentive to sit on your hands. Patching the security flaw will take programmer-hours away from adding spiffy new features to the next version of the product. And sending out an emergency patch to fix a security flaw is bad for your reputation, because by doing so, you're admitting that you overstated how secure your product was in the first place.

Public revelations of security flaws are the best way to push these companies into action, since it takes away their incentive to procrastinate.

Recommended reading: "Why Cryptography Is Harder Than It Looks", by Bruce Schneier, and "Trends in 'Press Release' Security Advisories", by someone at l0pht.

Actually, NT doesn't.

[Zico]

Thanks for letting us all in on your ignorance, though. Of course, if you haven't been applying the necessary fixes for the past couple of years, I could root your little Linux box at will.

Cheers,
ZicoKnows@hotmail.com,
who knows that most Slashdotters will believe it anyway

Re:Fun Stuff

[demon]

My response to your points:

0: Yes, Microsoft sucks. If they're so bad, (which I believe they are) I don't think millions should be relying on them to have the "latest technology" spoon-fed to them.

1: If you're gullible enough to just RUN an untrusted binary, I tend to think that you get exactly what you deserve. (yes, I sound like an elitist snob. so sue me, ok?)

2: Of course M$ should shoulder some blame for the security holes being there. They add features for the sake of adding features, leaving gaping holes in, and not caring that their lovely little "feature" makes a system that much more exploitable. If you leave your front door unlocked and you know you are in an area where crime is possible (i.e. most anywhere), and your stereo/television/computer/etc. get(s) stolen, I'm NOT going to shed too many tears. If you cared about your belongings you'd take proper precautions against having them stolen!

3: cDc told Microsoft about these exploits ages ago. Microsoft hasn't been too proactive about getting them fixed. I don't think giving them prerelease source for BO2000 is gonna make a huge difference.

4: They ARE helping the community. If used in a particular way, it is a useful administration tool. If used otherwise, it's a script kiddie's wet dream come to life. If someone doesn't expose the security flaws in Windows, Microsoft doesn't have much incentive to fix them - they'll do like they've frequently done, try to sweep it under the rug. "Never mind the man behind that curtain!"

Come on. You are refusing to see that this is how security testing works - on Linux, too, when a security hole is found, an exploit is written, then a patch is written and sent to the relevant people. Unfortunately, with Windows, patching is difficult to impossible, so the best that can be done is to expose the problems, so that maybe enough people will demand they be fixed.

(note: I'm not a cDc member, I've never used BackOrifice. However, I think they're doing a public service.)

Yet more MS bashing

[The+Raven]

Back orifice is a very nice remote administration tool. If it wasn't deliberately created to run silently and stealthily, they could probably have sold it for several hundred dollars a pop, and never made headlines anywhere (just made lots of money).

However, I take exception to your flagrant disragard for reality in your blind M$ bashing. I'm not a MS lover... far from it. I think their server tools are crashy, buggy crap. But their GUI end is better than any competing interface, even very pretty ones like beOS.

Microsoft, if you fault them everywhere else, is extremely good at making user friendly interfaces. You may complain about their inability to ship bug free products, their brain dead patch and upgrade methodology, their incompitent server technology, their flagrant monopolistic tactics... but you cannot fault their ability to make useful, usable graphical interfaces, and their continuation at the head of usability. (I admit I have a pet peeve when it comes to usability... I worship Jacob Neilson)

Microsoft created, on their own (ignoring their original theft of Apple's basic paradigm) most of the graphical widgets and design standards we live with today, even in Linux. It's no mistake that KDE and Gnome have a distinct resemblance to Windows... Windows has an excellent GUI.

Microsoft has a habit of releasing crappy products for versions 1, 2 and 3, and finally in versions 4+ they generally start sucking less and less until they really don't suck much at all (though, by then they are major bloatware also). The fact that it takes them 4 revisions to get it right (four revisions they make us pay for) is unacceptible, but once they do get it right, they do a pretty good job.

I guess I don't have a particular reason to bash on your post... it's not like it really really bugs me, I read and enjoy /. every day, and this is the first post such as this I've made.

The Raven

Re:heh, they're releasing the source code too...

[Obscure+Images]

Exactly one year ago, we released the first version of Back Orifice to the cries of "Make it open source! Make it open source!" We listen to our public and hence the source is completely open, complete with a fully documented SDK. BO2K is industrial strength software for the people, for FREE. It is also clearly better than the competition. If free software is a pain in the ass, why don't you go tell Linus to start charging for kernels?

Re:Fun Stuff

[Erik+Hollensbe]

I hate MS just as much as the next guy, but I still think it is messed up to release a program like this. The end result is that script kiddies will do the only thing they know how to do.

People are missing the point that these holes ALREADY exist. What CDC is doing is just what you are explaining, giving something for the technically challenged (read: script kiddies) to exploit to the point of blatant redundancy, which will HOPEFULLY provide some certain company in redmond to get off their ass and acknowledge the fact that these bugs do exist.

The simple thing is, is that if places like rootshell, l0pht, and CDC didn't exist, we'd still have wonderful "features" like the winnuke and teardrop. IIRC Microsoft took quite a long time fixing winnuke, and took very little time (in comparison) when fixing teardrop. They learned from their mistakes, because people were getting rather tired of complaining about how their computers were locking up when on IRC.

This all comes down to simple math. The more publicized an exploit is, the quicker it gets fixed. So CDC wraps a whole bunch of exploits into one nice little package with an easy to use interface, makes it hard to get rid of, and starts calling the press houses.

This isn't rocket science, it's called politics.

-Erik-

Re:Fun Stuff :Wrong example

[Pako]

2: It's MS' fault for having the security holes in the first place.
...
If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

IMHO, this is more accurate:
"If I pay big bucks for a good security door/lock, but any thief can still break in easily, then the guy that sold me the door is the criminal. And the thief, of course. Everyone but me."

And now, imagine who are the guys that sell doors, who the thieves...

Pako

New Disclaimer

[seppy]

>>It should be noted that PC World Online has no >>independent confirmation that new Back Orifice >>2000 program actually lives up to the claims of >>Cult of the Dead Cow.

It should be legally mandated that any article speaking of upcoming Microsoft products carry a disclaimer similar to this.

.02

But wait, could it be... USEFUL?

[Tweety+Fish]

For those who believe that Back Orifice 2000 is some malicious tool that may or may not cause untold havoc for win32 consider this:

If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?

Back Orifice 2000 is a tremendously useful tool for any administrator, and will only become more valuable as hackers around the world (please note that I understand that word, and I do mean hackers) modify and extend it. Managing windows networks is a far easier and richer experience when you have something like BO2K to work with. Is it a mixed blessing? Possibly so. But the best way to make BO2K work for you is to use it, and understand it.

The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them. One way to make that happen is by convincing major vendors that they need to tighten up their products and make SURE that customers understand how to keep themselves secure, and that the products help them do that. The other way is by letting those same users get at the functional guts of the systems they use, without the layers of obfuscation and abstraction that characterize a modern operating system. Hopefully, BO2K will achieve both these goals.

Back Orifice 2000. Show some control.

Re:Fun Stuff (tried Gspot yet??)

[MSG]

There are *nix based controls, actually. I authored "gspot" myself, from the original *nix sources. It was kinda fun, though I get less respect from some of my co-workers. There's at least one other graphical control for Linux, too.

If you want gspot, you can find it on freshmeat.

key words "RUNS INVISIBLY"

[nmarshall]

BackOrifice is nothing more than a version of pcAnywhere that runs invisibly (more or less).

key words, "runs invisibly". now, explane why is it so damn diffaclt for NT to tell me whats going on inside? with linux this isnt a problem i can telnet in and ask it what running and unless someone has "fixed" top or ps i know whats running and whats not.

yea it maybe a ego-trip, but then most all of my programing is an ego-trip ie it is just damn kewl to tell a computer what to do and have it do it, and it is even better when other people find my program useful.

also try reading some of cDc's essays, they dont just hack, errr crack... some of their writing is just damn funny!

ps: Jesus can't save you out here, Cthulhu has eaten him...

nmarshall
#include "standard_disclaimer.h"
R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE

Re:key words "RUNS INVISIBLY"

[L0rdJedi]

The original Back Orifice ran invisibly. To my knowledge, this is because Windows 95 doesn't have a low level process viewer like NT does. It may not run invisibly under NT (be viewable in the process viewer), but we won't know until the 10th. That is unless cDc has released details about BO2K that I'm not aware of (which is very possible).

Re:key words "RUNS INVISIBLY"

[8ballcane]

wintop. really nice low level process shower. Shame it was released only as a kernel toy, not a part of the operating system

Script Kiddies

[AaronW]

The script kiddies are going to love this. I'm on a cable modem and run a Perl script called booby (see http://members.home.com/lazyx/booby which emulates BO. It's interesting to see how many script kiddies try hacking in without knowing everything they do is emulated and being logged. Most of the kiddies I see don't really know what they're doing, but I've seen some pretty malicious people out there.

The potential of this program is fairly large. If someone made an installer that would search out other systems on the LAN and install it on them as well this could be a nightmare (shudder) for Micro$oft shops. One more reason to not use M$ products.

Of course *NIX can be vulnerable as well to this type of trojan horse. The user security of *NIX may be better, but security is only as good as the user using it. The main difference, I believe, is that *NIX users are a lot more knowlegable about their systems and are much less likely to download and install software of questionable origins.

A more apropos analogy

[jabber]

A more apropos analogy would be that of the CDC (Ctr for Disease Ctrl) periodically releasing new and mutant strains of diseases into municipal drinking water to make sure that major hospitals are making their patients immune to illness in general, rather than innoculating them against many specific strains of many specific diseases.

All that the Clan of the Deceased Cattle is demonstrating - however effectively - is that M$ doesn't make the best mousetrap. But then who does?

Re:A more apropos analogy

[Shafik]

Now you are mixing apples and oranges here. You could compare virus protection software as a hospital but you can not compare MS to a hospital. the logic is all wrong. MS is a product producer a hospital is a service provider. There is a huge huge difference. The first anology was although faulty, it was logical.

And no they are not demonstrating that MS does not make a better mouse trap. Windows is a well estahblished product that most of the world uses and as it has been shown by Mellissa(sp?) et al that means one hole can cause major major world wide problems. So _it is_ MS's responsibility to deal with these issues better then they currently are and if they need to embaress MS by relasing products like BO 2000 to get that done then they will.

nuff said

quick demo on/for the author?

[Gordo]

From the article:

It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.

Hmmm, if the author is running NT then perhaps one of you cDc chaps would be good enough to give him a quick demo? *grin*

Heh. Nevermind.

[Dast]

Found it at this URL:
http://www.cultdeadcow.com/tools/bo2k/pr19990702 .html

Re:Fun Stuff

[dattaway]

If you don't believe this program should be so public, then you must be one of the people that put trust in security through obscurity. This is what got Windows in the trap that it is. The problem is that NT is too popular and dominates the workforce already. That means massive security holes waiting to be breached. Would you like to have a position with lots of information waiting to be cracked and have your trust in a company that produces products that leak and crash? Its a terrible problem. What kind of secure encryption does NT enjoy? If you shared a network with disgruntled employees, would you be safe? Think about your job security...

proactive vs. reactive.

[Xamot]

They are being reactive if something has already been publisized. They would be proactive if the fixed it before that.

--

Re:Back Orifice for Linux...

[tqbf]

Modifying system calls does not make a trojan
undetectable, even "pretty much". Because of the
fact that kernel source is readily available to
both white hats AND black hats, crackers who want
to develop "stealth trojans" have a considerably
harder time under Linux than under NT (where the
kernel source is available only to black hats).

This is a fundamental security advantage held
only by open-source operating systems.

Re:If it still works Microsoft dident do a good jo

[egon]

If you're going to use this philosophy, you must continue on to say that Linux has never addressed the issue and hence must be doing an even worse job.

People, people, people. This program does not point out a single flaw with Microsoft, as much as I would like it to. A program like this could just as easily be written for linux, sco, hell - even openbsd.

About all this program does point out is the gullibility of the Windows user base.

e. coli? Back Orifice?

[cje]

Am I the only one who finds it ironic that the Centers for Disease Control and Cult of the Dead Cow have the same acronym?

bad journalism

[Sourdough]

I'm disappointed in the author's use of his own opinion in this article. This is supposed to be a hard news story, not an editorial. He does present the Cult of the Dead Cow's explanation for why they write these programs, but then makes an argument agains them directly. He doesn't even bother to get quotes from anyone, but simply makes the argument himself. (He says something about "computer security experts" but doesn't elaborate.) This is just plain bad journalism. I learned not to do that in high school journalism class. I would imagine that someone who works for a major news organization like IDG would know better.

Re:bad journalism

[whoop]

Journalism does not mean that anymore. To be a journalist, one must:

1) repeat verbatim that which comes across the wires. It is gospel.

2) There are no two sides to any issue, just the right one. Have polls like, "Are you for the slaughter of children/elderly/disabled/etc, or are you a nice caring, democrat?" Then conclude that 98.32% of the world will vote for Hillary as Master of the Universe and there is no use thinking about anyone else.

3) Never go out and validate what sources say. Again, just repeat. Feel free to mix and match questions and answers to better support rule #2.

I could go on and on. But the media isn't about facts or informing the public. There was a day when saying "mostly teenaged" when talking about a group would be followed up with something like, "Joe Smith, 14, says ..." Now they just throw out whatever they feel (and want you to feel too). In this case, they want you to believe they are immature folks who should not be taken seriously. The same thing was (and still is) said of Linux hackers. Even though that survey was done that found most of the kernel hackers were older, had degrees, etc, it doesn't stop that stereotype.

The media is just another political outlet, telling you what to think, etc. Believe them, or die. If the kind and benevolent Microsoft isn't tortured by teenagers like cDc, the world would be a happy place. :)

Re:bad journalism

[bjk4]

Part of the problem is that news services are taking exacly what comes off the wire -- The problem with that is that the wire they are relaying is not a news source. It is a press-release source.

IDG is not a normal press source. Instead, they are industry analysts, who may or may not be paid to write a certain point of view. In this case, IDG is treating Linux, hackers, and Microsoft hypocritically. Microsoft doesn't release bugs, they release new features that run faster, smart, and save money over everyone else. With Linux, until recently, teenagers released hand-written code using 60's technology that ran no commercial programs, would cost more money in the long run, had no support, and was basically a bad idea. Hackers, malicious teenagers sitting in front of monitors (god forbid) release 'bugs' in M$ software (not expose bugs, they create them...) under the faulty premise of strong-arming (bad, bad word) good, beneficial software companies.

IMO, articles from IDG are not to be trusted at all. They tend to be biased extremely (or naively) toward the establishment (read contributors.) The sad part is that CNN is willing to blindly republish these articles, lending credibility to their worthlessness.

Comeback

My favorite comeback (mentioned elsewhere in these comments) is that if his analogy is correct, then this question arises: Why would someone taint meat? If noone will taint meat, why do we need protection and regulations? Therefore, we don't need security. Microsoft should eliminate all of those silly restrictions like passwords. We should lose the locks on our homes.

The underlying response is that analogies are powerful tools to befuddle issues. In this case, the analogy is biased. Don't listen to analogies, they are ALL flawed.

Re:Fun Stuff

[whoop]

Sure you can write a program to do these things on any OS. But the problem with Windows, is it thinks it's smarter than any user, so has great features like not being able to kill processes, not listing processes in the list, hiding network connections, etc. I never understood the notion of not having "permission" to kill something when I was admin on NT.

To do this sort of stuff within Linux would not just require emailing Joe User an executable, and saying "Run this to get Office 2000 for free, or $100,000 in two hours." It would take some kernel modifications to hide the things from /proc, the user would have to be root when the executable is ran and install the kernel. Then the user would have to reboot and activate that kernel, which could be several weeks for the waiting cracker. Even then, you would have to make sure the user didn't download a new kernel source tarball and install a pure kernel.

Windows just makes everything so much easier for the cracker hacker making such programs...

Re:Because [is isn't it best though?]

[Tarnar]

They are on our side. They're trying to get people to see just how utterly insecure Windows products are. If MS would accept responsibility for the flaws in their OS, then something could be done. If MS would take these things seriously and properly secure up their products, then programs like these would no longer be an issue.

Besides, it's not like you can take a look at the NT source code and write a patch for the hole. That's one of the greatest advantages of an Open development environment. Things get done to FIX things. They can't patch NT or 98 or anything so they instead point out the problems.

It's not the greatest way to solve the worlds problems, but sometimes there's just no easy way to fight against Evil(tm)

(And please take the last paragraph with a sense of humor ;-D)

Why it exactly _is_....

[RoLlEr_CoAsTeR]

Why is anything in this country the way it is? I can only offer an explanation that, b/c this government is so unorganized, inconsistent, and opportunistic (etc, etc, etc, ad infinitum), things happen like that.

I can only wonder if he's got some big $$ deal with this, and maybe somehow, this keeps him in the clear....however, I wouldn't actually know, because I'm not that well versed about the whole situation (besides the article).

Re:Because [is isn't it best though?]

[j+a+w+a+d]

I don't think it would have as much of an effect on Microsoft's marketing machine if they were "good guys" than what they're doing. With this, they get the publicity (immaturely, but still) and companies are more likely to go, "hey microsoft, how come your little windows deal doesn't stand up to this? we're switching to linux, thanks."
..................................@ @

Re:Imagine

[Tweety+Fish]

Okay. 1) if we really were only writing "script kiddie visual basic junk", would you really WANT us to turn out programming skills towards trying to help people? BO and BO2K are both non-trivial aoftware products, and BO2K is one of the single most elegant pieces of software design I've ever seen. I'm sure you don't believe me, but, by all means, check out the source when we release it.

2) I would love some clarification on why you think that BO2K (and for that matter, BO) is NOT a remote administration tool... with features like registry and file access, network .exe spawning, and process management, I fail to see your point.

Re:Imagine

[tqbf]

Why aren't you auditing your Windows NT
servers anyways? This program isn't breaking
into your servers; "viruses" and security
holes are. cDc has "caused" none of these
problems.

Windows NT "moralists" complaining about this
problem have their heads in the sand. The
problem is that circumstances exist to allow
programs like BO2K to be installed in the first
place.

You lack a very basic understanding of computer
security and threat analysis if you think that
the computer underground (ie, the community of
system crackers) didn't already have tools of
comparable power already. Posting BO2K simply
prevents IT managers and Microsoft marketeers
from denying this simple truth.

You should be thanking cDc for A.) raising
awareness of the problem and B.) ensuring that
99% of all successful NT attacks will have the
uniform signature of a BO2K installation to
accompany them...

... as opposed to either the obvious signature
of a wiped hard disk, or the much-harder-to-track
signature of a custom-coded trojan.

I LOVE THIS APPLICATION!!!

Score: -50, Rant

It's about time! They promised NT support for Back Orifice last year. Well, their exact words were, "Soon." And I think it's just a delicious pun that they call it "Back Orifice 2000."

I'm sorry if anyone finds this offensive, but I consider NT to be inferior. Microsoft typically buys its way into technology, but it never takes the time to make any true advancements of their own: they bully companies into working only with them, and when these companies do, it becomes almost impossible to get software products or device drivers for non-MS platforms. When Microsoft "embraces & extends" they're only taking someone else's work, adding a few functions so it won't work on anything but Windows, and locking up the changes so no one else can make their product compatible with the MS version. They [Microsoft] then engage the marketing machine and have their minions in the trade press hype the crap out of the product; which many of these publications routinely do despite the fact that MS' product is really just a polluted version of a good idea. The point is, I am offended by Microsoft. It is deceitful for them to engage in the practices that they do. The great irony is that they claim to be leading the world away from weak, bug ridden software, when that is in fact what they produce!

I do a dance of joy every time a new virus is announced for Windows. Like Melissa -- I loved the fact that it only infected people using MS email clients. I believe Chernobly served as a point of awakening for many people who have only used Microsoft systems. Despite the belief to the contrary, Windows is just as difficult to install from scratch as some Linux distributions. It's a lot like "The Matrix" when these people who had spent their entire lives in this fabricated reality wake up. When they first run Linux they discover that this whole time they have been mindlessly sleeping in a pool of goo with their brains hooked up to some interface -- they discover they don't have to play by the System's rules: that they have true power.

This tool also provides something interesting. Imagine a remote administration utility so powerful, that you have more control over someone's computer remotely than they have in front of it. NT doesn't even ship with a telnet server! It's ironic what this tool does, because remote administration utilities are EXACTLY what NT is lacking in. And by the way, NT is supposed to be a "Network Operating System;" but an NOS that is susceptible to viruses? Unforgiveable!

So what's the big solution? I want everyone to be able to have the opportunity to write software without getting unfairly squashed. I'd like to see software companies get behind Linux, or at least the standard Unix binary that all the commercial Unix companies are pushing. This includes Microsoft, they can write their software for Linux if they want. If everyone sticks to an open, universal platform then everyone has a fair chance at making it in the computer business. When I originally heard NT was going to be POSIX compliant I thought, "Well great!" But that changed as Microsoft opted for "proprietary" instead of "open," so they could lock MS drones into using MS only products.

So, if the cracker ethic is a means to an end, let it be. Perhaps that is the true evolution of the [computer] species.

WHY exactly is it....

[CrudPuppy]

that the guy who wrote the Melissa Virus (and the guy who wrote the Chernobyl Virus...etc, etc, etc ad infinitum) is burned at the stake, and every government agency is telling the public how the Melissa virus author (who only exploited yet another security hole in MS shitware) is going to get 10 years in federal prison and like 2 zillion dollars in fines..etc,

meanwhile, sir jerkoff can freely write, release, and boast his backshit 5000 and is somehow viewed as the saint of security...saving the public from hidden MS holes and bugs!!!

dont get me wrong, i dont happen to see any problem with EITHER of these guys...but it pisses me off to no end when our lame-shit big brotherment treats twin-cases like black and white.

bah!!

Re:WHY exactly is it....

[WPISteve]

So you are saying that if I bought a gun, gave it to a kid and showed him how to shoot someone, then I should not be responsible? The back orifice guy should be just as responsible as the user.

Re:WHY exactly is it....

[jjohnson]

Unless the Melissa author clearly explained in his post that the office file was viral, then he was firing into a crowded room. Posting it that way was his delivery system. He could have emailed it to 50 friends instead, but the Usenet post was safer (not safe enough, though...)

Is there anyone here really familiar with M$'s security model? From what little I've heard about it, I've heard that it's not bad; the problem is that it's both too different and far too complex to implement properly, which is effectively the same as bad security. The whole 'trust and digital signatures' model just doesn't seem to work, though I'm not sure that's the problem at all, since it was a digital signature on the Melissa Word file that caught the author.

Re:WHY exactly is it....

[TriangleMan]

C'mon, get real! There's one VERY important difference between Sir Dystic and the Melissa guy. Sir Dystic (so far as we know) just wrote the code (and is open-sourcing it too :^). The Melissa guy EXECUTED the code. Do you seriously think that if the Melissa guy had just put up a web-site and put the source for Melissa onto that web-site that he would have been arrested? He might have received a lot of criticism, sure. But you can't be arrested for merely exercising your first amendment rights.

It's the difference between teaching a course on how to use firearms and going out on the street and firing an AK-47 into a crowd. You might disagree with me and say that it's more like handing out guns to felons than teaching them how to use guns, but I say that the equivalent of handing out guns to felons would be not only giving them back orifice but also giving them a delivery system (i.e. an exploit). Of course, there is a nifty little tutorial on the CDC web-site on how to write a stack buffer overflow exploit. But maybe that's the equivalent of teaching a course on how to build your own gun... :^)

Re:Fun Stuff

[thal]

it could be written for almost any OS, but it couldn't so easily installed without windows' lack of a superuser/regular user login scheme and the integration of email into the system. the first one is windows' fault, the second one is just a symptom of trying to make everything easier to use.

if something like this were written for linux, first the person getting the trojan horse install program would actually have to execute/view it. in outlook express or whatever, you usually do this by just clicking on it. there is no real difference between "executing" and "viewing" in windows because of how all of the file types are set up. most linux users don't do this, simply because the gui isn't as integrated.

second, for the program to completely wipe out really important stuff, it would have to have root access. this is possible to hack in linux or something sure, but in windows every user has that access by default.

Re:Rockin.

[tqbf]

Amen. cDc will have a hard time claiming BO2K
is a "powerful administration tool" if it is
comparably secure to the original BO.

Perfect example

[Timothy+Chu]

Ok, I've got to say "me too" to this one. Somebody should moderate this previous post up to 2, at least. The example makes perfect sense.

If they *really* wanted to expose Windows NT's security flaws, they shouldn't have made the released the program to the public--maybe to a news agency, or security council, or whatever is appropriate, but not the public.

<tim><

Re:If it still works Microsoft dident do a good jo

[tqbf]

This problem already does affect Linux. There
are published kernel trojans in Phrack magazine.

The issue is that in normal Linux installations,
the only way to actually use a BO-like tool is
to gain root access to the server first. When that
occurs, the means by which root access was gained
is almost IMMEDIATELY published and resolved.

You would "fix this problem" by ensuring that
users who run applications like mail readers that
have the ability to execute content provided by
untrusted sources would NOT at the same time have
the privileges required to install something like
BO2K.

It's not like BO2K can just point at an arbitrary
NT installation and magically infect it.

Fair enough

[jabber]

So if I substitute FDA approved meat processing plants in place of hospitals in my model...

That brings it closer to the example in the article, and I think that my angle still tracks.
If the (real) CDC taints the fields with new diseases each spring, to check for cattle resistance to the concept of disease rather than a particular one, then how can that be dealt with by the packing plant? They don't know what to fight. And we all know that a computer can only be made truly secure by making it useless. People are the problem, bad design/coding just makes it easier for the bad apple.

The point I was trying to make is that CDC is exploiting newer holes each time. I agree that this is of benefit. It's nice to have someone do your debugging for you (if you're the user or even M$ itself). And if M$ fails to close the hole after it's exposed then poo-poo on them. We have choices - too bad more people don't realize that.

I do, however, take exception to the CDC making the exploit tool available to the prepubescents on AOL. My experience with hackers has been that the good ones, the ones that know what they're doing, don't go around handing guns to children. They'll document it, publicize the weakness, perhaps even provide logic to close the hole; but with their experience comes a sense of responsibility.

Making a skeleton key and leaving it in the key-copy machine is irresponsible.

Re:Fun Stuff

[CelestialScum]

Yes, now all we need is a dynamic web-frontend and a server to scan for computers infected. Then everyone whith a browser can join the fun!
This could actually be a neat project to run later on.. hehehe

Problem with BO is that it spreads like wildfire, you don't need any kind of knowledge to use it either, and it could be hard detecting it if the source is constantly changed around as well. Of course, it's not MY problem, so I just smile and nod and go on running my Linux and BSD's.
I never trusted an OS that didn't let you know what the hell you were doing anyways. Low down and dirty, it's the only way to be sure!

'wholes'

[delmoi]

There arn't really any 'wholes' in windows 9x/NT that are being exsploted here. programs like this could be made for linux just as easyly, but they'd have to be run as root, and would probably be much more noticable

in order to get into someones system, you need to get them to run them, as root. since all users on 9x/NT have root acess(well most on NT) it a little easyer, that's the only hole though
_
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

Re:Fun Stuff

[Rozzin]

I nice web based linux control panel would be fun though.

Doesn't Linuxconf do that?

Re:Back Orifice for Linux...

[tqbf]

You don't get it.

/proc isn't the only source of information
about what pids are on the system. That data
is leaked through many, many interfaces to the
kernel. It is tedious and tricky to plug all
of those leaks, which is exactly what you need
to do to write a process-hiding trojan under
Linux or BSD --- since anyone can read the kernel
source to find a new avenue to locate hidden
processes.

Man kill(2). Look at what kill(0,pid) does.

Better:

Man fork(2). Look at what the parent receives
as a return value.

The problem with systems like NT (and, to a
lesser extent, Solaris) is that there isn't
enough published information to give white-hats
the advantage over black-hats in the hide-
versus-seek battle of trojan development.

Word Macros + BO2K = Fun for the whole family

[ink]

In the short term it makes M$ look bad, but in the long term it actually improves their product. (That is _if_ they do anything to plug up the holes.)

That would be a good thing.

Let's see; coupling the latest NT relative path attacks with a Word macro and BO2K riding on EXPLORER.EXE. Wow. This is EASY and fully exploitable on any network that accepts e-mail. Perhaps we should write a Sendmail->Procmail HOWTO so that Microsoft Word documents are filtered out at the transport level.

The wheel is turning but the hamster is dead.