Back Orifice 2000 on CNN.COM
LLatson writes "CNN.COM is running an article about Sir Distic releasing Back Orifice 2000. Sounds like this time it will run on NT..." Comments on why this is being done, as well as a source release and a few changes to the 2k system.
I know that this is mostly a 'me too' type of reply, but Tweety Fish has made an excellent point.
We all remember the stink that went up after Farmer and Venema (sp?) released SATAN. (COPS before that)
Anyone out there remember Asmodeus?
Any sysadmins here ever use a rootkit on their boxen to see what it did, and what to watch for? Without port scanners there wouldn't be firewalls, and without sniffers there wouldn't be encryption.
I know tfish is looking even farther than the benefits of reacting to a security threat. And a good thing too. Something like BO, designed to have such a low activity signature as to be undetectable by a casual user, is a huge accomplishment for a Windows product.
There are benefits for network admin tools, from having the BO code available. And if M$ doesn't learn, at least the rest of us will.
-- What you do today will cost you a day of your life.
No, the AC is correct here. BackOrifice is just a remote control program (think PC Anywhere or any of the others in the Windows world). Do programs exist like this for Unix? How about X Windows?
If I tricked a UNIX user into running a modified telnet or something that would give me remote root access, it wouldn't matter if telnetd was disabled. The only reason UNIX is less vulnerable to something like this is that users spend less time logged in as root and are more careful. But that's more of a human issue than a technical one.
--
Business. Numbers. Money. People. Computer World.
"Groups of (mostly teenaged) hackers... release nasty computer bugs..."
;)
Looks like Micros~1 has some serious competition from cDc.
While few people here wouldn't like to see Microsoft get a come-uppance, this sounds like the most incredibly juvenile, wise-ass way to do it. While these twits never mention preferring Linux to Windows, maybe someone should forward them the advocacy FAQ anyway.
"Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"
Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?
MS Office 97 doesn't quite need Administrator/root, but it does require write access to a few files in \WINNT\SYSTEM32 and much of its program directory, as well as in odd places in the Registry.
MS Office and other poorly designed programs (Netscape) are one big reason the default permissions on NT4 are so loose. The problem isn't really the OS, it's how the installer sets everything up. That and most workstation users log on as a local administrator.
(As a side note, Microsoft has taken a lot of blows on this from those familiar with unix, as well as their own user community. I'd expect Windows/Office 2000 to be much better in this respect. Win2000 beta appears to ship much tighter, and then includes some scripts to loosen things for compatibility with certain apps.)
--
Business. Numbers. Money. People. Computer World.
Smaller, nimbler, faster, easily customizable... This sounds like the perfect replacement for SMS Remote Control. Now I just need to sell my boss on the idea...
--Shoeboy
The big trouble with the Center for Disease Control analogy is that that CDC is a government agency with a public trust to uphold. Similarly, the AMA would like people to think they are a responsible, trustworthy and benign organization. In either case there would be a betrayal of trust.
The Cult of the Dead Cow has no such responsibilities, and no trust is betrayed. If you really want a tainted meat analogy, compare them with ecoterrorists, poisoning meat to prove that McDonalds doesn't follow proper hygiene procedures. Even that's not a great analogy, since the cDc's programs don't have the potential loss of life that a meat poisoning scheme would.
----
Open mind, insert foot.
The article makes an interesting analogy, claiming that CDC releasing BO in order to force MS to clean up is the equivalent of the American Medical Association polluting meat with e. coli to force a cleanup by meat suppliers. However, the article ignores the point that the government has created channels by which the meat suppliers can be regulated, and that nature provides regular e. coli outbreaks to check on our precautions. Since the only oversight on MS is the market, and there is no such thing as a "natural" security problem, problems must be highlighted by human groups like the CDC, and the market must be manipulated in order to get a response.
Anyway, that's my two cents- I'd love to find the author's email to let him know, but I can't find it. Any clue?
-Luge
IAAL,BIANLY
"What is with" people is the fact that while BO 2K is a program that must be installed, it does _not_ require Administrator-level access to do so. There are numerous unpatched security holes in Windows 95, 98, and NT that allow unprivileged users to act as fully privileged Administrators.
The analogy here is that every NT box has a walking 'root' attack built into it...
Now, would you want a security hole like this in a multi-user system? All it takes is _one_ downloaded email program and your entire network is compromised.
Let's think about this a moment:
BO 2k (and the original BO) is designed so that it can install invisibly after being attached to another program that _executes normally_. This means that Script Kiddie A can attach BO 2k to, say, a copy of the latest version of WinZip. He then sends that copy of WinZip out in a nicely drafted email to several people at an office. The instant one of those people downloads that email and installs the new version of WinZip (which works fine, and is in all ways a 'normal' version of WinZip), they have just infected the entire network with BO2k.
Now tell me this is a 'remote administration' feature and not security vulnerability.
The very nature of remote administration implies that you must have privileged access to the machine in order to administer it. BO2k allows _unprivileged_ users to both install and administer it.
While I disapprove of the cDc's choice of methods, I can at least say that if they had to make this program, they are at least distributing it properly. Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. Patches could conceivably be easily produced by Microsoft, and programs to detect, counteract, and remove it should be easily developed as well.
This IS a security threat people. Take it lightly and I'm sure you'll rapidly change your tune after your network is taken over by Script Kiddie A exploiting known Microsoft security vulnerabilities.
Microsoft is good at making interfaces that appear user friendly. They will claim that they can automatically configure XYZ, and then fail half-way through the process. They offer no details on why it failed
The fact that it takes them 4 revisions to get it right (four revisions they make us pay for). NT 4 is right? (Ok, I know the first version of NT was labeled NT 3.1, so 4 should be only 2 or 3.)
Of all the comments I've ever posted, this is definitely one of them.
I dunno. This thing plagued our college campus for a few months until we got it under control. Our network is NT on a UNIX backbone.
I agree with the CNN article: this cult's motives don't make any sense; it's like a cult from the automobile industry who steals cars to make everyone get car alarms. It does much more harm than good. This is a negative way of getting attention to network security, not a positive way.
The correct analogy in this case would be the AMA infecting cattle with E. coli to make cattle owners produce cattle that are resistant to that bacteria. I'm not surprised he used an incorrect analogy: the right one would undermine the "popular" opinion that virii and hackers are universally bad, instead of good for flagrantly (and typically non-destructively) exploiting security flaws and shoddy programming.
Kyle
NP: Arkhe, S/T
--
Kyle R. Rose, MIT LCS
We didn't pass any copies to anyone outside of cDc and beta testers. Microsoft will have to wait like everyone else.
obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
... BO2K (kinda rolls off the tongue, don't it?) is more pro-WinNT than anti. The people working on it know a lot about the OS and therefore have spent quite a bit of time with it. In the short term it makes M$ look bad, but in the long term it actually improves their product. (That is _if_ they do anything to plug up the holes.)
What's even sadder is that this could all be avoided if M$ was as open as Linux and there was an open environment for users to say something like "Hey, you gotta problem here, thought you'd like to know." and get a response. That's not the way it works.
I guess the way I view it is yes, the ethics of giving 'fire' to script kiddeez is somewhat questionable, but as with Melissa and every other stupid hole in M$ software, who's more to blame? The person pointing out the way to a wide open back door, or M$ telling everyone not to worry, they're getting the most secure system around? Let me tell you that as someone who unfortunately has to put up with an NT network at present, it's a bit disturbing when I read about a hole in NT and see a link to an exploit _days_ before I'm notified by Micro$oft's security mailing list that there's even a problem, and then all they ever do is play it down and point out how rare it is and what little threat it is to my system.
Personally, I say more power to cDc. Somebody has to speak up and sometimes it takes some punk wiping out a network with a keystroke to get the right people to listen. All's fair in code and war. If it's not CNN it looks like somebody's already doing that. Maybe this time they'll learn.
Microsoft interested in security issues? Somehow I feel it is more macho; they are more interested in offensive measures than defensive.
I'd like to see the neighborhood traffic on your street. How many are dark vans and limos with dark tinted windows and stay parked close to your house? Have you ever walked up to one of them to say "Hi!" to the occupants? I'm sure there is a vested interest in knowing who you are and watching your residence, friends, and place of work.
Imagine an IS department making this part of their standard workstation build. They could claim that it is for remote administration but could also use it for spying on everything that an employee does on his/her PC. Granted, users shouldn't be doing anything questionable in the first place but still, there are some things that should be kept private.
you don't hunt for food with a handgun..
I have.
Exactly one year ago, we released the first version of Back Orifice to the cries of "Make it open source! Make it open source!" We listen to our public and hence the source is completely open, complete with a fully documented SDK. BO2K is industrial strength software for the people, for FREE. It is also clearly better than the competition. If free software is a pain in the ass, why don't you go tell Linus to start charging for kernels?
obscure images/cDc obscure@cultdeadcow.com www.cultdeadcow.com
> It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.
It should be legally mandated that any article speaking of upcoming Microsoft products carry a disclaimer similar to this.
.02
Brian Seppanen
Minister of Information and Propaganda
Area 54 The Secret Government Disco Labs Provo
For those who believe that Back Orifice 2000 is some malicious tool that may or may not cause untold havoc for win32 consider this:
If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?
Back Orifice 2000 is a tremendously useful tool for any administrator, and will only become more valuable as hackers around the world (please note that I understand that word, and I do mean hackers) modify and extend it. Managing windows networks is a far easier and richer experience when you have something like BO2K to work with. Is it a mixed blessing? Possibly so. But the best way to make BO2K work for you is to use it, and understand it.
The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them. One way to make that happen is by convincing major vendors that they need to tighten up their products and make SURE that customers understand how to keep themselves secure, and that the products help them do that. The other way is by letting those same users get at the functional guts of the systems they use, without the layers of obfuscation and abstraction that characterize a modern operating system. Hopefully, BO2K will achieve both these goals.
Back Orifice 2000. Show some control.
A more apropos analogy would be that of the CDC (Ctr for Disease Ctrl) periodically releasing new and mutant strains of diseases into municipal drinking water to make sure that major hospitals are making their patients immune to illness in general, rather than inoculating them against many specific strains of many specific diseases.
All that the Clan of the Deceased Cattle is demonstrating - however effectively - is that M$ doesn't make the best mousetrap. But then who does?
-- What you do today will cost you a day of your life.
It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.
Hmmm, if the author is running NT then perhaps one of you cDc chaps would be good enough to give him a quick demo? *grin*
If you don't believe this program should be so public, then you must be one of the people that put trust in security through obscurity. This is what got Windows in the trap that it is. The problem is that NT is too popular and dominates the workforce already. That means massive security holes waiting to be breached. Would you like to have a position with lots of information waiting to be cracked and have your trust in a company that produces products that leak and crash? It's a terrible problem. What kind of secure encryption does NT enjoy? If you shared a network with disgruntled employees, would you be safe? Think about your job security...
It's a trojan waiting to be installed through some email document/application attachment. Attaching word documents seems to be very popular with people who are trapped in the Windows environment.
Am I the only one who finds it ironic that the Centers for Disease Control and Cult of the Dead Cow have the same acronym?
We're going down, in a spiral to the ground
I'm disappointed in the author's use of his own opinion in this article. This is supposed to be a hard news story, not an editorial. He does present the Cult of the Dead Cow's explanation for why they write these programs, but then makes an argument against them directly. He doesn't even bother to get quotes from anyone, but simply makes the argument himself. (He says something about "computer security experts" but doesn't elaborate.) This is just plain bad journalism. I learned not to do that in high school journalism class. I would imagine that someone who works for a major news organization like IDG would know better.
Score: -50, Rant
It's about time! They promised NT support for Back Orifice last year. Well, their exact words were, "Soon." And I think it's just a delicious pun that they call it "Back Orifice 2000."
I'm sorry if anyone finds this offensive, but I consider NT to be inferior. Microsoft typically buys its way into technology, but it never takes the time to make any true advancements of their own: they bully companies into working only with them, and when these companies do, it becomes almost impossible to get software products or device drivers for non-MS platforms. When Microsoft "embraces & extends" they're only taking someone else's work, adding a few functions so it won't work on anything but Windows, and locking up the changes so no one else can make their product compatible with the MS version. They [Microsoft] then engage the marketing machine and have their minions in the trade press hype the crap out of the product; which many of these publications routinely do despite the fact that MS' product is really just a polluted version of a good idea. The point is, I am offended by Microsoft. It is deceitful for them to engage in the practices that they do. The great irony is that they claim to be leading the world away from weak, bug ridden software, when that is in fact what they produce!
I do a dance of joy every time a new virus is announced for Windows. Like Melissa -- I loved the fact that it only infected people using MS email clients. I believe Chernobyl served as a point of awakening for many people who have only used Microsoft systems. Despite the belief to the contrary, Windows is just as difficult to install from scratch as some Linux distributions. It's a lot like "The Matrix" when these people who had spent their entire lives in this fabricated reality wake up. When they first run Linux they discover that this whole time they have been mindlessly sleeping in a pool of goo with their brains hooked up to some interface -- they discover they don't have to play by the System's rules: that they have true power.
This tool also provides something interesting. Imagine a remote administration utility so powerful that you have more control over someone's computer remotely than they have in front of it. NT doesn't even ship with a telnet server! It's ironic what this tool does, because remote administration utilities are EXACTLY what NT is lacking in. And by the way, NT is supposed to be a "Network Operating System;" but an NOS that is susceptible to viruses? Unforgivable!
So what's the big solution? I want everyone to be able to have the opportunity to write software without getting unfairly squashed. I'd like to see software companies get behind Linux, or at least the standard Unix binary that all the commercial Unix companies are pushing. This includes Microsoft, they can write their software for Linux if they want. If everyone sticks to an open, universal platform then everyone has a fair chance at making it in the computer business. When I originally heard NT was going to be POSIX compliant I thought, "Well great!" But that changed as Microsoft opted for "proprietary" instead of "open," so they could lock MS drones into using MS only products.
So, if the cracker ethic is a means to an end, let it be. Perhaps that is the true evolution of the [computer] species.
>you don't hunt for food with a handgun..
>vegetarianism for all.
If all you're after is vegetables, why would you use anything bigger than a handgun? Killer turnips? Mutated venus fly traps?
vegetarians for all. preferably grilled.
This problem already does affect Linux. There are published kernel trojans in Phrack magazine. The issue is that in normal Linux installations, the only way to actually use a BO-like tool is to gain root access to the server first. When that occurs, the means by which root access was gained is almost IMMEDIATELY published and resolved.
You would "fix this problem" by ensuring that users who run applications like mail readers that have the ability to execute content provided by untrusted sources would NOT at the same time have the privileges required to install something like BO2K.
It's not like BO2K can just point at an arbitrary NT installation and magically infect it.
So if I substitute FDA-approved meat processing plants in place of hospitals in my model...
That brings it closer to the example in the article, and I think that my angle still tracks.
If the (real) CDC taints the fields with new diseases each spring, to check for cattle resistance to the concept of disease rather than a particular one, then how can that be dealt with by the packing plant? They don't know what to fight. And we all know that a computer can only be made truly secure by making it useless. People are the problem, bad design/coding just makes it easier for the bad apple.
The point I was trying to make is that CDC is exploiting newer holes each time. I agree that this is of benefit. It's nice to have someone do your debugging for you (if you're the user or even M$ itself). And if M$ fails to close the hole after it's exposed then poo-poo on them. We have choices - too bad more people don't realize that.
I do, however, take exception to the CDC making the exploit tool available to the prepubescents on AOL. My experience with hackers has been that the good ones, the ones that know what they're doing, don't go around handing guns to children. They'll document it, publicize the weakness, perhaps even provide logic to close the hole; but with their experience comes a sense of responsibility.
Making a skeleton key and leaving it in the key-copy machine is irresponsible.
-- What you do today will cost you a day of your life.