Slashdot Mirror


cDc Charges MS w/ Distributing Cracker Software

davidr writes "Microsoft's response to Back Orifice 2000 has been to characterize it as a hacker tool instead of a network administration tool, because it can be installed stealthily and used to monitor users without their knowledge. cDc has responded by pointing out that Microsoft's own tool, SMS, does the same exact thing! They've called for antivirus software for SMS and challenged Microsoft to recall it. " Read this one. It's interesting. Having never used SMS (hell, I haven't really used Windows in a year or so) I'll leave it up to you guys to figure out if this is true.

259 of 356 comments

  1. Re:HAHAHAHA by Anonymous Coward · · Score: 1

    What doesn't work better than anything microsoft built?

    Drum Roll Please.......

    Communicator!

    (waiting patiently for Mozilla)

  2. hrmmm.. by Anonymous Coward · · Score: 1

    --I think that cDc has a completely valid point here. One question about their announcement, tho. At the bottom, they have various other 'excerpts'. I'm wondering if perhaps some of these are related to the earlier version of BO, which really was a trojan. The text doesn't seem to clearly specify. Even if that's true, the main body text seems to make the point nicely.

  3. Not quite the same by Anonymous Coward · · Score: 1

    I'm not very fond of SMS, but there's a significant difference between allowing a domain administrator to run a remote control tool, and creating an app which circumvents NT security to allow anyone to remote control a computer. In my opinion this is CDC FUD.

    1. Re:Not quite the same by Chandon+Seldon · · Score: 1

      Nak. Is no difference. BO2K doesn't circumvent NT Security. Is legit remote admin tool. I can tell you haven't read the BO2K web site.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  4. *EXACTLY* by Anonymous Coward · · Score: 1

    Microsoft made the mistake in attacking the stealth feature of BO2K, and cDc responded right back saying that SMS was just as bad as BO2K because it was stealthy too.

    what Microsoft should have mentioned instead were the features of BO2K that *really* made it intended to be malicious. The lockup command, password getting commands, microphone monitoring, etc.

    But the worst thing about BO was actually mentioned in the cDc article when quoting Microsoft: "And, once it's installed, it makes the system available to other people on the Internet."

    This is one key difference between SMS and BO2K. BO2K has a scanner feature (I believe another poster mentioned it), and if you scan a few subnets, you're going to see a bunch of open BO2K servers just waiting there for the hacking. SMS does not have such a scanning feature, and doesn't leave itself open over the internet.

    Also, BO2K is small, and can be easily inserted into a trojan mail macro or an activex control or a buffer overflow or whatnot. Try doing that with SMS!

    There's more that makes BO2K made for malicious activity than simply the stealth feature, folks. cDc is just FUDding microsoft here.

    1. Re:*EXACTLY* by Trepidity · · Score: 2

      BO, even since the original release, has included the ability to change the port it operates on and to use a password to weakly encrypt all communications. The only reason many BO and BO2K systems are open to anybody over the internet is because they use the default port (31337) and aren't configured to use a password.

      In my experience, a LOT of the BO infected machines (I haven't done any work with BO2K) are machines which have a c:\bo or c:\cdc directory, leading me to the conclusion that these are script kiddies who downloaded Back Orifice and then proceeded to run the executables that come with it before reading the textfile, installing the server on their own system in the process. They get what they deserve.

    2. Re:*EXACTLY* by psaltes · · Score: 1

      This is silly... BO2K doesn't do anything that can't be done with Linux command line tools. Are they evil? And command line tools that perform those functions are installed with the OS.

    3. Re:*EXACTLY* by stimpy · · Score: 1

      I thought it was:

      netscape

    4. Re:*EXACTLY* by dirty · · Score: 1

      kill -STOP -1

      if the person is in X that will pretty much lock the machine (to the user's perspective anyway). If you can execute the command as root, then the entire machine is pretty much gone, can't even do a reboot.

      For all of you who tried this type: kill -CONT -1 to restart everything.

      --

      -matt
    5. Re:*EXACTLY* by HiThere · · Score: 1

      but by GPLing it, they have released the source. Anyone who wants to bother can create a new version with whatever they object to stripped out. I wouldn't call it perfect, but certainly several steps this side of evil. (Which side of neutral is another matter.)

      And for MS to accuse them of what it, itself, does is.. well, it's on the side away from good.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    6. Re:*EXACTLY* by delmoi · · Score: 1

      Also, BO2K is small, and can be easily inserted into a trojan mail macro or an activex control or a buffer overflow or whatnot. Try doing that with SMS!

      I'm sure it could be done
      _
      "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

      --

      ReadThe ReflectionEngine, a cyberpunk style n
    7. Re:*EXACTLY* by delmoi · · Score: 1

      As BO is usually installed as a trojan horse, it typically has no security against the script kiddies and can access anything that root

      This isn't necessarily true, as BO can be protected with a password and put on a different port, which is just about all the security you can get from a telnet server (other than turning it off).

      BO *can* be used securely
      _
      "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

      --

      ReadThe ReflectionEngine, a cyberpunk style n
    8. Re:*EXACTLY* by timster · · Score: 1

      No, it's:
      gnome-session
      and also:
      startkde

      --
      I have seen the future, and it is inconvenient.
    9. Re:*EXACTLY* by SwissPope · · Score: 1

      /* fork bomb - lock up linux as a regular user */
      #include <unistd.h>

      int main(void) {
          for (;;) {
              fork();  /* every child loops too, so the process count doubles until the table is full */
          }
          return 0;
      }

    10. Re:*EXACTLY* by SwissPope · · Score: 1

      /* fork bomb - lock up linux as a regular user */
      #include <unistd.h>
      int main(void) { for (;;) fork(); }

    11. Re:*EXACTLY* by AaronW · · Score: 1

      Where is the Linux "lockup" command? Also, can anyone go and remotely reboot a Linux system, crash it, format the drive, cd / ; rm -rf *, etc? Only if you are root. As BO is usually installed as a trojan horse, it typically has no security against the script kiddies and can access anything that root on Linux can access. On some of the security news groups I've seen numerous people post about how they lost everything due to some script kiddie deleting everything on their systems.

      Linux has the advantage in that it is much more immune to trojan horses than Win 9x since only files writable by the user can be wiped out. Of course, other files like /etc/passwd can be downloaded by a trojan and analyzed by the cracker. Also, let's face it, most home Linux users aren't that familiar with security and probably don't worry about it.

      Having BO on a system (if installed via trojan horse with no security) is like leaving your Linux box on the Internet with FTP and telnet access enabled and a root password of "password" or "root".

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  5. Even the most harmful things can do you good by Anonymous Coward · · Score: 1

    I disagree. Even the most dangerous and harmful tools are extremely useful to point out two very painful but important facts: Microsoft's OSes aren't secure, and people should be more careful when they download and install software.

    If someone hacks you, that should be a wakeup call that you need to improve your security. And I'm not just talking about software; policies should always be more paranoid than necessary.

    If the OS was designed better, and the user was more wary, this wouldn't be a problem at all, now would it? So don't go blaming the messenger; please kindly thank him for informing you of a problem you might not have previously been aware of. I mean, why do you think they release the source code?

    ps - I'm not even going into the topic of why a computer user should have to be an expert - s/he shouldn't, but they should know the dangers of being online and downloading and installing software.

  6. SMS is a tool of control by Pasc · · Score: 1
    Where I work everybody connects to the SMS server except my group, because we all run Linux. I don't know what SMS does, but corporate IS resents that they can't monitor us. They use it as a tool of control.

    I believe SMS also does good stuff like updating software and stuff like that, but like I said, I don't know.

    1. Re:SMS is a tool of control by dattaway · · Score: 2

      If I work at a place that has SMS installed, how do I disable it (short of running Linux?)

  7. Re:As well they should by whoop · · Score: 2

    Where I last worked, they had some remote control tools. Netfinity from (I think) IBM has the checkbox for asking a user before taking over the desktop unchecked by default. With no visible indication that RC is taking place (nothing in the systray, etc) it also is just as stealthy, although it is much less useful than last year's Back Orifice. Then the company started moving to IBM's Tivoli program. It as well requires a checkbox to ask the user before establishing a connection. So it too should be either banished or welcomed.

    It all comes down to who cDc is. They probably will never be taken as a legitimate organization, so their products will be labelled as virii/trojans...

  8. Re:Funny that.... by Octal · · Score: 1

    Yes, but the virus still REPRODUCED on its own, even if it was spread by infected files on disks or BBSes.

  9. What's in a name? by Shaheen · · Score: 1

    This is an unmistakable case of hypocrisy. Microsoft does sell this product with the knowledge that it could be used in a malicious way. What stops one from using it? Bloat, obviously. Microsoft has most likely bloated SMS to the point that it can only be used efficiently on an Enterprise size network - which is what most of these tools are meant for.

    Now, on the topic of my subject: What's in a name? SMS sounds official - and therefore (to the unknowing public) - it is. Now, think about the name "Back Orifice 2000". What does that say?

    To anyone who has heard of Back Office, it immediately strikes a fear in an IS person: Back Orifice!? Sounds like a virus already, doesn't it? The 2000 immediately says that this software is geared toward Windows 2000 and the like.

    Microsoft is using BO2K's name against it simply by including it in a sentence: "Back Orifice 2000 is a trojan horse."

    Regular people out there won't like to hear something called "Back Orifice" and most likely wouldn't use it just for the sake of the name. It's a shame that software's merits must be based upon names.

    Heck, next thing you know is that the Vatican will be denouncing the use of the GIMP because it has homosexual connotations.

    --
    You should never take life too seriously - You'll never get out of it alive.
    1. Re:What's in a name? by buttplug · · Score: 1

      Beware the inferences M$ is making here. Basically, a corporation like M$ can release a product called SMS, charge $1000 for it, target its usefulness toward admins and call the entire charade "productivity management software".

      Now open source authors can come along and develop something that we can see the source code for, is anti-bloat, but has something of a devious name and does the same thing as SMS. Therefore its intentions are malicious, the program is a trojan horse, a virus, blah blah blah.

      Never mind that someone with less than good intentions can use either software package to do bad things. I suppose that if you install FreeBSD on a dual-boot computer with its new capability to read NTFS partitions, that is also an "intentional security risk" propagated by the "evil open-source programmers".

  10. Re:Hey! What about porting BO2K to Linux? by strredwolf · · Score: 1

    Why? You just have to telnet (or better off, ssh) into the box you've got Samba running and manage it from the command line (or with ssh, using X11). Why port BO to Linux when it's locked up tighter than what Microsoft can do with Win-Anything at this time?

    ---
    Spammed? Click here for free slack on how to fight it!

    --
    # Canmephians for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.net";
  11. Re:I wonder how many law enforcement agencies use by HoserHead · · Score: 2
    I don't know about your country, but here in Canada illegally obtained evidence is not as important as getting the person behind bars. I'm reminded of certain police officers who videotaped a drug deal in a hotel room illegally. The judge agreed it was illegal, but also agreed that putting drug dealers off the streets was more important than guarding their rights.

    Also, regardless of how you get it, if you have a warrant you're ok -- so I wouldn't be surprised to see BO[2k] being used by law enforcement agencies all over the place.

  12. Re:I wonder how many law enforcement agencies use by HoserHead · · Score: 2

    Well, the truth of it is that illegal evidence is not generally used, but it can be used if necessary. What generally happens is that the evidence is thrown out, but not the case - whereas in the States the entire case is thrown out the window.

  13. Re:Well, they're sorta the same by cduffy · · Score: 1

    Apple's network management tools do the piping mic input out thing, keystroke logging and the like. It's great if (like the admins at the high school where I worked w/ those Macs) you're trying to catch folks accessing porn.

    Tried uninstalling SMS lately without your admin's OK? If you're on a well-secured NT box (ha!) it's not that trivial.

  14. bugtraq %PWD% 'exploit' in NT by DaveTerrell · · Score: 1

    There was a BugTraq issue a few weeks ago about the lame search path that is used by Windows NT. It searches $HOME before *anything* else and so all you really need to do is put explorer.exe on the home drive and put a bo2k thread in it (well, you get the point). This can all be done easily within Word macros.

    Actually, it searches . first. It's just that . is the same as %HOME% when you first log in. Let's please be accurate when pointing out how insecure NT is... :)
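The search-order problem the two posts above argue about, as an added example that is not part of the thread and not code from cDc or Microsoft: a toy model of executable lookup in which "." (the current directory) is consulted before the system directories. The directory names, the files in them and the "user-writable" flags are all constructed; nothing here touches a real filesystem, and the drive letters and paths are hypothetical.

```python
"""Added example (not from the thread): a toy model of executable search
order showing why consulting "." before the system directories lets a
user-writable location shadow a system binary such as explorer.exe.
Directories, files and permissions below are constructed."""

# Constructed search orders. DOT_FIRST mirrors the behaviour described
# in the thread: "." is consulted before anything else.
DOT_FIRST = [".", "C:\\WINNT\\system32", "C:\\WINNT"]
DOT_LAST = ["C:\\WINNT\\system32", "C:\\WINNT", "."]

# Constructed filesystem: directory -> (files present, writable by an ordinary user?)
FS = {
    "C:\\WINNT\\system32": ({"cmd.exe"}, False),
    "C:\\WINNT": ({"explorer.exe"}, False),
    "H:\\": ({"explorer.exe", "report.doc"}, True),  # user's home drive with a planted copy
}


def _dirs(order, cwd):
    """Expand "." to the current directory so every entry is a concrete path."""
    return [cwd if entry == "." else entry for entry in order]


def resolve(name, order, cwd, fs=FS):
    """Return the directory whose copy of `name` would actually run, or None."""
    for directory in _dirs(order, cwd):
        files, _writable = fs.get(directory, (set(), False))
        if name in files:
            return directory
    return None


def hijackable(name, order, cwd, fs=FS):
    """True if a user-writable directory is searched before the first protected
    directory that holds `name`, i.e. a user could plant a copy there (whether
    or not one is present yet)."""
    for directory in _dirs(order, cwd):
        files, writable = fs.get(directory, (set(), False))
        if writable:
            return True
        if name in files:
            return False
    return False


if __name__ == "__main__":
    for order in (DOT_FIRST, DOT_LAST):
        where = resolve("explorer.exe", order, "H:\\")
        print(order, "->", where, "hijackable:", hijackable("explorer.exe", order, "H:\\"))
```

With the current directory on the writable home drive, `DOT_FIRST` runs the planted copy while `DOT_LAST` runs the one in the system directory; `hijackable` reports the risk even before anything has been planted, which is the check worth running against a real search path.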

  15. Re:CORP hidden surveillance - Is LEGAL by sterwill · · Score: 1

    To play devil's advocate here... how can you call it a real democracy if you're not free to remotely inspect and control the hardware you paid for, as legal owner or under legal authority of the corporation that owns those assets?

    Democracy, voting for government action, doesn't come into this. I would call such a country a "free state for employees but not property owners."

  16. SYSTEM 32 was . . . . by LoCoPuff · · Score: 1

    . . a project that a friend of mine was working on WAY before BO . . . and it basically did the same thing . . .

    True Dat on the "Ohhs and Ahhs" . . . Some hack for fortune, some hack for fame . . . some just want to rip off other ideas and claim them as their own by using the media . . .

    my 2 centavos

  17. Re:Hyppocritical War by Danse · · Score: 1

    They aren't doing it to "beat" Microsoft. They are exploiting the security problems in the OS in an effort to get Microsoft to fix them. In this case the whole analogy goes out the window since they aren't out to kick the goats off the mountain. I dunno. This analogy didn't really work well for me. Basically I agree that Microsoft has long ignored their security problems and will not even admit to having them in most cases. Given that degree of denial, I don't see any other way this group of people could influence Microsoft to fix the problems.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  18. Re:another unlogical MS Troll by Danse · · Score: 1

    and it's not hidden away surreptitiously like BO2k.

    Umm.. SMS can be hidden too. It's not hard.

    It consists of a lot more than just remote control

    Just because BO2K doesn't do everything that SMS does, it's not legit?

    You could, with effort, separate the remote control component out and use it alone, I guess, but it would be difficult to use without the entire SMS infrastructure.

    What difference does it make. Microsoft could sell all the components together or separate. It wouldn't matter. The remote component obviously doesn't NEED an infrastructure to work properly, or BO2K wouldn't exist. It's just a matter of how they coded it. MS doesn't know how to make anything that works independently anymore. All products must be tied together.

    Again - the difference is obvious to any but the most hardened anti-MS nerd.

    Oooh... nice one. Back up flimsy argument with an ad-hominem for good measure. Maybe this'll scare you off:

    If you don't agree with me then you are obviously an MS apologist with less mental capacity than my cat.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  19. Re:Probably used frequently by Danse · · Score: 1

    Since the government/police/other agencies are going to use these methods to watch us anyway, maybe we should just make it all legal. They can try to watch us... we can try to watch them... and we can both use whatever technical means we have available to avoid being watched. What other solution is there that's even marginally fair given the information we have that says that the police aren't obeying the current laws anyway? Why have the laws restricting us then?

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  20. Re:CORP hidden surveillance - Is LEGAL by demon · · Score: 1

    You can't TELL me you don't know how to spell 'ethics'. If you are a college graduate... good grief, I fear the implications.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  21. Re:CORP hidden surveillance - Is LEGAL by demon · · Score: 1

    Well, just so you all know, we don't live in a democracy. We live in a constitutional republic that follows some democratic tenets. People seem to confuse the two quite frequently.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  22. Re:Discovering hidden surveillance by demon · · Score: 1

    I wonder if running 'netstat -a | more' under Windows would show the opened/listen port.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
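The question in the post above (does `netstat -a` show the opened/listening port?), as an added example that is not part of the thread: a small parser over `netstat -a` output that lists listening sockets and flags any not on an allowlist. The netstat text is constructed sample output in the Windows NT column format, with a listener on 31337 (the default Back Orifice port mentioned earlier in the thread) planted for illustration; the allowlist is a hypothetical baseline for one workstation, not a recommendation.

```python
"""Added example (not from the thread): parse `netstat -a` output, list
listening sockets, and flag any not on an allowlist. SAMPLE_NETSTAT is
constructed sample output, not a capture from a real machine."""

import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Constructed allowlist: what this hypothetical workstation is expected to expose.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("UDP", 137)}

# Proto, local addr:port, foreign addr[:port], optional state column.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Sorted list of (proto, port) for sockets that accept input.
    TCP counts only in LISTENING state; a bound UDP socket has no state
    column in netstat output, so every UDP line counts."""
    found = set()
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank line, or unrelated text
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/outbound connections are not listeners
        found.add((proto, int(port)))
    return sorted(found)


def unexpected_listeners(netstat_text, expected=EXPECTED_LISTENERS):
    """Listeners not on the allowlist: the ones to go and identify by process."""
    return [sock for sock in listening_sockets(netstat_text) if sock not in expected]


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto}/{port}")
```

Two caveats a practitioner would add: a server moved off its default port (which the thread notes BO allows) still shows up here as long as it is not on the allowlist, so the allowlist, not the port number, is what matters; and `netstat` run on the suspect host itself can be lied to, so confirm with a port scan from a second machine.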
  23. Re:Down with spelling flamers!! by demon · · Score: 1

    If you were from a foreign domain that was obviously from a non-English-speaking country, I'd buy this excuse. I don't think that 'wvsc.edu' falls under that particular area, however.

    Ethics is a major class in most colleges that I know of. I just find it quite amazing that someone who is (obviously) going to college wouldn't know that.

    I'm not a "newbee" (newbie), but thanks for playing anyway.

    I'm not that anally retentive. Or maybe I am. I've never bothered to check. :p

    And I'm glad you love me so much as to reply to me. If I'm just a "newbee flamer" who isn't worth your time... I'm just so glad you care so much! ;)

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  24. Re:Down with spelling flamers!! by demon · · Score: 1

    Okay, maybe my sarcasm was uncalled for. I just happen to think 'ethics' is a rather important word. (And one that certain businesses and gov't officials need to be reintroduced to.) Were it ANY other word, I mightn't have said anything about it.

    Also, some misspellings are simple finger missteps. I've had a few of those. But actually not knowing the spelling of that particular word strikes me as rather odd.

    I'm sorry for any hurt feelings, but that's just the way I see it.

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  25. Try Anonymizer by YuppieScum · · Score: 1

    at http://www.anonymizer.com

    --
    This sig left unintentionally blank.
  26. Re:Hmm. by sjames · · Score: 1

    I find being able to kill the password protected screen saver with ctrl-alt-del very funny. It is very irresponsible of MS to lull the user into a sense of security like that. It'd be like a Linux distro coming with a version of login that asks for a password but doesn't check it. That and the fact that Win'9x doesn't support meaningful file permissions makes it an insecure system.

    Granted, any system can be compromised with physical access, but most make it much harder to be discreet about it.

  27. Re:Hmm. by sjames · · Score: 2

    To be fair, nearly any system can be compromised by booting from a floppy. The solutions are the same in all cases, a boot password (make sure the BIOS doesn't have a backdoor (most did at one time, I don't know if they still do)), or remove the floppy drive.

    For higher security needs, encrypt the filesystem (on systems that support it).

  28. Re:Hmm. by sjames · · Score: 2

    I use XDM all the time. Add the following to passwd:
    xdm::0:0:XDM:/root:/usr/X11R6/bin/xdm
    Just type xdm at login: and it comes up.

    If you'd rather just start X, run it nohup, and log off of the console session.

    That way, if someone kills X, they get a login: only. If they just kill the session, they get xdm login. If you want a text vc, just switch and login. The minor inconvenience is just the cost of security.

    Don't forget to set a password on LILO so people can't just boot single. Set a configuration password in BIOS and disable booting from floppy and cdrom as well.

    If you do all of the above, you guarantee that the box will have to be opened to get in. If you set up an encrypted loop device as well, even ripping the drives out and putting them on another system won't expose your data.

  29. Re:Hmm. by sjames · · Score: 2

    This is an interesting idea, but does it not open a whole other box of security problems adding a second root user with no passwd? (especially with networked machine)

    It does require that XDM be looked at carefully. As long as XDM is secure, the extra entry is also secure since it will just run XDM and then log back out. PAM can be configured to only allow that login from the console. If the would be cracker tries to use a well timed ^c to interrupt XDM, they might possibly succeed in running X without XDM, but that doesn't buy them anything.

    I consider that line a security enhancement because it reduces the chances of forgetfully leaving a VC logged in.

    I'm not sure what to do about the PowerMac situation. I suppose to be safe, you'd have to remove any drive that allows removable media to boot :-(. Possibly someone with more PowerMac experience knows a better way.

    IMPORTANT note about PC BIOS passwords: At one time, a surprising number of them had hard coded back door passwords. Tech support would give those out to users who forgot their passwords rather than telling them they must clear their CMOS. Very dumb. I don't know if that is still done or not, only that MINE doesn't have one. Only a disassembler will tell you for sure.

    The "jumper these pins to clear the BIOS" approach isn't too bad, but draining the battery with a pair of jumpers and a resistor to clear the BIOS is better.
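The passwd entry from the XDM post above (`xdm::0:0:XDM:/root:/usr/X11R6/bin/xdm`) and the follow-up asking whether a second uid-0 account with no password is a problem, as an added example that is not part of the thread: a checker that parses /etc/passwd-format lines and surfaces exactly those two properties for review. The poster's argument that the entry is safe given a hardened XDM and a PAM console-only rule is not something this check can see; it only reports the accounts an auditor should look at. The passwd text is constructed sample data (only the xdm line is taken from the post), and the field layout is the standard seven-field format.

```python
"""Added example (not from the thread): parse /etc/passwd-format text and
flag uid-0 accounts other than root and accounts with an empty password
field. SAMPLE_PASSWD is constructed; only the xdm line comes from the post."""

SAMPLE_PASSWD = """\
# constructed sample, not a real system's passwd file
root:x:0:0:root:/root:/bin/bash
xdm::0:0:XDM:/root:/usr/X11R6/bin/xdm
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return one dict per account; reject malformed lines instead of guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(fields)}")
        entry = dict(zip(FIELDS, fields))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit(entries):
    """Map account name -> list of reasons it deserves a second look."""
    findings = {}
    for e in entries:
        reasons = []
        if e["uid"] == 0 and e["name"] != "root":
            reasons.append("uid 0 account other than root")
        if e["pw"] == "":
            # An empty second field means no password is required at all;
            # "x" means the hash lives in /etc/shadow and is not a finding here.
            reasons.append("empty password field")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real file with `audit(parse_passwd(open("/etc/passwd").read()))`; an entry like the xdm one shows up with both reasons, which is the point at which the PAM and shell restrictions the poster relies on need to be confirmed rather than assumed.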

  30. Wait a Minute! by dgreer · · Score: 1

    BO2K doesn't require SQLServer 7.0 and NT 4.0 and all the little licenses that go with them, so it MUST be evil! ;^)

    --
    "I don't think software should necessarily be free ... but if you pay for it, it should work!" - me
  31. Then BO2K just collects several cracker tools. by bkosse · · Score: 1
    BO2K has functions that can pretty much only be used maliciously and are not contained in SMS. Examples, piping microphone input to a BO client, logging keystrokes, scanning for BO servers, etc. I don't know EVERYTHING SMS can do because, well, I try to avoid most Microsoft contact, but some of it is unavoidable in my job.
    SMS can scan (actually, just running the client gives the server lots of information). I'm not sure about its logging functions but it also ties into network monitor (if it's installed). However, the keystroke logging is actually the most administratively beneficial component of BO2K. Being able to see just what the inputs were that caused the system to crash.... Think about it. It's also a feature enabled in some other remote admin tools. Furthermore, the microphone piping does require a mic attached to the system, yes? Also, BO hides itself by making its executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall.
    Look at Office 2000. The links it creates in your start menu aren't real shortcuts, they're like the control panel. I didn't discover this until I tried running EVWM which pulled the real name from the link rather than the short name.

    Most legit remote management tools can be removed with a minimal effort.
    Um... Sure. Right. :)

    I'm not trying to defend MS here, but if cDc claims that BO2K is anything but a hacker tool, they're only kidding themselves.
    Just like Microsoft is kidding themselves saying SMS isn't a cracking tool.

    I want to see Gates eat a big steaming turd as much as the next guy, but I think cDc is going about it entirely the wrong way, and I think they're doomed to failure.
    Right. Sure you want Gates to "eat a big steaming turd." We believe you.

    --
    Ben Kosse
    Remember Ed Curry!
  32. SMS 1.2 and hiding. -- last links were bad. by bkosse · · Score: 4

    GIF of how to turn off visibility. Notice how both permission required and visible signal are unchecked.

    All the warning you get. WUSER32 is the process (it's not visible under the Applications pane) that runs SMS.

    I don't know what SMS 2.0 behaves like as we aren't using it here yet.

    --
    Ben Kosse
    Remember Ed Curry!
    1. Re:SMS 1.2 and hiding. -- last links were bad. by ink · · Score: 3
      Actually, it can even hide itself without showing WUSER32 in the process list. It can run as a separate thread inside some other executable (welcome to the wonderful world of "I'm not a process I'm a thread").

      There was a BugTraq issue a few weeks ago about the lame search path that is used by Windows NT. It searches $HOME before *anything* else and so all you really need to do is put explorer.exe on the home drive and put a bo2k thread in it (well, you get the point). This can all be done easily within Word macros.

      Another thing that bugs me: A user can do this and under certain circumstances the process is kept alive between logins. AND, as if that weren't enough: it registers itself as a startup program (all users have the ability to do this on a default NT install) and as soon as the Administrator logs in...

      Microsoft has a lot of work to do in order to make NT safe for multiple-user workstations.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
  33. Re:As well they should by sql*kitten · · Score: 1
    Not if the user doesn't know SMS is there. Here's the "evil use of SMS" scenario: I'm a cracker wanting to take remote control of Joe User's computer. So I sneak into Joe's office when Joe isn't there and has forgotten to password-protect his screensaver, and I install SMS from the CD-ROM I always carry with me.

    • SMS displays an indication to the user that they are under remote control
    • SMS cannot be installed without access to SQL Server and the Domain Controller anyway. An administrator with these privileges would not need SMS!
    • SMS is a legitimate, supported product for remote installation and helpdesk functions. If you think remote access to a user workstation is a bad thing, best disable telnetd/sshd/rsh on your LAN now. Many Unix users like to criticise MS for lack of remote administration, SMS is Microsoft's answer. It can install a software package unattended and remotely - you can, for example, upgrade a thousand installations of Office to the latest version overnight, easy. You can audit machines and check whether your office in Malaysia needs more memory in their machines before deploying your latest application, all sorts of cool stuff like that. Warez k1dz hate SMS cos it finds their pirate software and the LAN admin busts them for it.
    • cDc are a self-proclaimed malicious hacker group, and released their product to other self-proclaimed hackers at a hacking event. SMS is sold to enterprise customers who legally own their own machines.
    (Yes, I'm an MCSE with SMS elective.)
  34. Re:As well they should by Robin+Hood · · Score: 1
    No the point is that SMS is installed and authorized by the System administrators who have all legal rights to do so whereas the BO2K is not an administration tool and is installed without authorization.

    Six of one, a half-dozen of the other. BO2K can be installed and authorized by the system administrators. And SMS can be installed by unauthorized users if they have the appropriate permissions (I don't know NT very well, but surely the same permissions -- write access to the C: drive, for one -- would be required to install BO2K as to install SMS).

    Also SMS's remote control facility can be turned off by the user to prevent the admin from connecting.

    Not if the user doesn't know SMS is there. Here's the "evil use of SMS" scenario: I'm a cracker wanting to take remote control of Joe User's computer. So I sneak into Joe's office when Joe isn't there and has forgotten to password-protect his screensaver, and I install SMS from the CD-ROM I always carry with me. Or I find some excuse to be in Joe's office and I watch him type his password (you'd be surprised how slowly some people type their passwords in). Anyway, I get SMS installed and (posing as Joe, the user) check the "allow remote control" box and the "hide" box. Now Joe's computer has SMS installed on it and he doesn't know.

    Run through the scenario above, substituting BO2K for SMS. See? Not so different, are they? Both are remote-control-of-a-computer tools that don't always announce their presence. The only difference is that SMS costs quite a bit of money, while BO2K can be downloaded free of charge. Thus a lot more people will have access to a copy of BO2K than a copy of SMS.

    The point is that both SMS and BO2K can be installed by admins for legitimate purposes, or they can be installed secretly by crackers for security-breaking purposes. A rifle can be used for hunting, or it can be used to murder someone. Rifles aren't inherently evil (let's not start a gun-control flamewar here), but they can be used for evil purposes. Same principle with BO2K.
    -----

    --
    The real meaning of the GNU GPL:
    "The Source will be with you... Always."
  35. Re:Cause you can't... by Enahs · · Score: 1

    *sighs* I just wish that people would engage their brains before replying... :^)

    While it's true that most of the security "features" that Windoze has are not present in Linux, does not mean that a BO server couldn't be ported to Linux.

    BTW, older versions of BO command-line clients were available for Linux--is the same true now? I don't use BO because I don't care that much (don't use Windows; don't like harassing people.)

    --
    Stating on Slashdot that I like cheese since 1997.
  36. Re:Security Geniuses at Microsoft by Rational · · Score: 1

    Funnily enough, the Microsoft BOB team went on to form Valve and create Half-Life...

    Yes, I was surprised too...

    --
    "Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
  37. Re:Something to bear in mind by Gregg+M · · Score: 1

    BO2K remains a monumental pain in the nuts for innocent Windows administrators.

    What makes you think this is the first program to do this? What CDC did *for* innocent Windows admins is shine a bright light on the problem.

    Do you really think CDC are the first to use a tool like this? It's not. It is well known. The other tools that do this will not be found by a virus checker.

    --
    Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
  38. Re:But what, exactly, makes BO2K a cracker tool... by algae · · Score: 2
    Or is there some technical reason to make BO2K a cracking tool and SMS not one?

    Actually, for all practical purposes, what makes SMS not a cracking tool is its cost and its bloat. The average script kiddie (obviously) could not afford a legit copy of SMS, and probably wouldn't be able to figure it out if he/she did have it. Ironically, what makes BO2k a "cracking tool" is its price and ease-of-use. I'm sure that if MS made SMS small, easy, and free, crackers would have a field-day with it, too.

    --
    Causation can cause correlation
  39. Re:Hmm. by dangermouse · · Score: 1

    Windows systems are all single user, and have adequate security for single user systems.

    The hell they do.

  40. CORP hidden surveillance - Is LEGAL by DAldredge · · Score: 1

    > Without my knowledge this would be a grave intrusion, certainly worth suing

    I am not sure if this applies outside of the US or not. No, it is not. The system is not yours, it is the company's, and they are free to do anything with it they like. They can monitor/log keystrokes, watch what you are doing, ANYTHING!

    1. Re:CORP hidden surveillance - Is LEGAL by hasse · · Score: 1

      People living in real free democracies haven't got this problem. (ok, they might. but it's illegal)

    2. Re:CORP hidden surveillance - Is LEGAL by __aahyzr9271 · · Score: 1


      Any PHBs who take the argument to any business ethics site or newsgroup that they can spy on their employees, on a whim, because it's the company's system and they can do anything they want with it, will lose that argument quickly. It may be legal, but many business people consider that practice to be unethical.

      Marc, find out if your company has a policy on surveillance (most do), and what it is. I'm not an expert, and IANAL, but usually it says that your company can use surveillance in areas where security/safety are a concern, and if wrongdoing is suspected.

  41. Re:SMS for Linux by Tet · · Score: 1

    Arse! Don't know how that space in the URL got there. I didn't even notice it in the preview. Ho hum... The link itself works OK, just not the one you get to see!

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  42. SMS for Linux by Tet · · Score: 2
    Well, there's now an SMS client for Linux, too: http://www.entmag.com/dis playarticle.asp?ID=72199114226AM

    My only experience of SMS was when we were evaluating Amdahl's awful A+EDM. SMS was slightly better, but both were hampered by NT's design flaws. In the end, we went for SMS for NT, and stuck with rdist for Unix. I haven't been able to check out their web site, to find exactly what features the Linux client has, but I'm betting it's run either as root, or with setuid root privileges, and I'll pretty much guarantee it'll be closed source, and users won't be able to fix the security holes that I'm sure it'll introduce...

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  43. boclient by way_out · · Score: 1

    Search freshmeat.net for it. It's called boclient.
    I use it to check my fakebo server.

    And why the port? Isn't ssh enough?

  44. Discovering hidden surveillance by mvw · · Score: 1
    I would like to know if there are tools that allow me to discover if some BOFH is watching my NT box screen via some remote tool.

    Without my knowledge this would be a grave intrusion, certainly worth suing.

    1. Re:Discovering hidden surveillance by ink · · Score: 1
      "Access this computer from the network" field to only include your local and domain accounts

      That only changes the Microsoft networking (ie, smb and others who use its authentication like IIS/domain) and not any old port that is open on the machine.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
    2. Re:Discovering hidden surveillance by ink · · Score: 1
      Actually you can do a 'netstat -a' in Win9x prompt and show listening sockets.

      bo2k can be set up to run at different times of the day. Netstat won't help you out there unless you repeatedly run it.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
    3. Re:Discovering hidden surveillance by ink · · Score: 2
      For detection, Download and run the program WinTOP. This is the Windows equivalent of the Unix TOP program, which shows all processes listed in order of used processor time...It ought to be able to track the resources being used by BO2K.

      That won't work. If a "process" like bo2k is running as a thread under some other program (like EXPLORER.EXE, for example...) then it will not show up on any process task you care to use.

      For removal, you should be able to find BO2K's registry entry in RegEdit, under HKEY Local Machine>Software>Microsoft>Windows>Run or a similar directory either under windows her, or under the HKEY current user.

      That will catch the default install of bo2k, but that is not the only way it can function. There are several other attacks (like the one above coupled with the default search path of Windows NT which searches $HOME before anything else).

      The only reliable way of seeing if someone is monitoring you is to run a network snooper on some other machine on the same non-switched subnet as your machine. That only works if you can guarantee the security of the auditing machine (like turn off *all* network services on a Linux box and just have it snoop your NT machine's traffic). With that kind of setup you can see all the connections your machine is making and receiving.

      The wheel is turning but the hamster is dead.

      --
      The wheel is turning, but the hamster is dead.
    4. Re:Discovering hidden surveillance by forkboy · · Score: 2

      There are several methods of removing Bo, NetBus, etc, but nothing yet for BO2K as far as I know, nothing for SMS either. I believe if in the permissions in User Manager on your box, if you have local admin rights, you change the "Access this computer from the network" field to only include your local and domain accounts, that'll keep the weenies out, but any NT admin who has the smallest clue can change it back on you via remote registry changes or SMC.

      --
      This message brought to you by the Council of People Who Are Sick of Seeing More People.
    5. Re:Discovering hidden surveillance by Speed+Racer · · Score: 1

      It would probably cause an access violation. I don't believe Bill has discovered pipes yet.

      --
      Free Mac Mini. Yes, I'm
    6. Re:Discovering hidden surveillance by MattTC · · Score: 2

      You have a couple options that would work with the original Back Orifice, and ought to work with BO2K...

      For detection, Download and run the program WinTOP. This is the Windows equivalent of the Unix TOP program, which shows all processes listed in order of used processor time...It ought to be able to track the resources being used by BO2K.

      For removal, you should be able to find BO2K's registry entry in RegEdit, under HKEY Local Machine>Software>Microsoft>Windows>Run or a similar directory either under windows her, or under the HKEY current user.

      Anyone who knows differently, please post a correction.

      Email: MattTC(at)Yahoo(dot)com

      --
      --"You can lead a man to knowledge, but you can't make him think."
    7. Re:Discovering hidden surveillance by rednek1 · · Score: 1

      From a win9x or nt command prompt you can enter:

      netstat -an | more

      This will show all listening ports - I believe the old BO by default listened on 2004...but that could be changed by the person who installed the client. It was always listed as a UDP port. Note that ICQ and other messaging programs will show up as UDP ports as well...don't mistake them for BO.


      ---------------
      There's several theories to arguin' with a woman...none of them work.
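
The point made in the two comments above (a single "netstat -an" run misses a server that only listens at certain times of day, and messaging programs show up as UDP listeners too) can be turned into a small check. This is an added example in Python, not code from any commenter: it parses two constructed netstat snapshots and reports listening sockets that are absent from a known baseline. Port 2004 is the default named above; the ICQ entry on UDP 4000 in the baseline is an assumption for the sake of the example.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

Socket = Tuple[str, int]  # (protocol, local port)

# Constructed "netstat -an" output from a Windows box, captured at two times
# of day.  The 23:00 snapshot shows a UDP listener on 2004 (the default BO
# port named in the comment above; the installer can change it) that was not
# present at 09:00, which is exactly what a single netstat run would miss.
SNAPSHOT_0900 = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      192.168.1.5:139        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.10:4000      *:*
"""

SNAPSHOT_2300 = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.10:4000      *:*
  UDP    192.168.1.10:2004      *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_output: str) -> Set[Socket]:
    """Sockets that accept inbound traffic: TCP rows in LISTENING state and
    every UDP row (UDP is connectionless, so netstat prints no state)."""
    sockets: Set[Socket] = set()
    for line in netstat_output.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue  # header, blank line, or a row we do not understand
        proto, _local, port, _foreign, state = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait client connections are not listeners
        sockets.add((proto, int(port)))
    return sockets


# Baseline of listeners expected on this box: NetBIOS/RPC ports plus ICQ,
# which is assumed here to sit on UDP 4000.  Messaging clients show up as
# UDP listeners too, so they belong in the baseline rather than in the alerts.
KNOWN_LISTENERS: Set[Socket] = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 4000)}


def unexpected_listeners(snapshots: Iterable[Tuple[str, str]],
                         known: Set[Socket]) -> Dict[Socket, List[str]]:
    """Diff each labelled snapshot against the baseline and return
    {socket: [labels in which it was seen]} for sockets outside the baseline."""
    seen: Dict[Socket, List[str]] = {}
    for label, output in snapshots:
        for sock in sorted(listening_sockets(output) - known):
            seen.setdefault(sock, []).append(label)
    return seen


if __name__ == "__main__":
    hits = unexpected_listeners([("09:00", SNAPSHOT_0900), ("23:00", SNAPSHOT_2300)],
                                KNOWN_LISTENERS)
    for (proto, port), labels in hits.items():
        print(f"{proto} port {port} listening at {', '.join(labels)} but not in baseline")
```

Feeding the script snapshots taken at intervals (a scheduled netstat run redirected to a file) is what makes it catch a server that only binds its port part of the day.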

  45. Re:You didn't already know? by mvw · · Score: 1
    I can't believe people are just realizing this now... as soon as all the negative talk that came up about BO2K generated by M$, I was thinking "What about SMS?".

    I suspected that such stuff exists but was not aware of it being sold by Microsoft. So I am thankful to cDc, as they raised my awareness
    - Thanks, cow worshippers!

    With the current video surveillance craze (nah, not only in Great Britain, here in Germany it started too) it is not a big surprise that they start to monitor your PC.

    Things to be watchful of:

    • Did your boss donate a soundcard plus microphone to your work station?
    • What about that new web cam sitting on your monitor?

  46. SMS 2.0 Beta 3 (sucks) by Squeeze+Truck · · Score: 1

    SMS 2.0 is not only a virus, it's a hellaciously virulent one. Like HP openview it does automatic network discovery, but unlike openview it uses the map it generates as the default list of clients that it will automatically install itself to.
    I was SMS administrator at an insurance company and tried testing it out (one server, 2 clients). It was physically connected to the rest of the network, but I denied it access to the production network by setting up a completely different subnet and not adding a route. Since SMS 1.2 couldn't find machines sometimes in its OWN subnet, I assumed I was safe. I turned on discovery (and *only* discovery) and let it run overnight. When I returned the next morning, users were complaining of crashes and odd messages. Not only had SMS 2 managed to find the production network (by trying every combination of IP addresses and thus circumventing the router) and install itself onto 700-odd machines, the client was unstable and was causing many of them to crash.
    Frantically I tried to undo what I had done. Chapter 13 or so of the Big Green SMS Beta Book titled "uninstalling clients" read simply: "this feature not yet implemented".
    So it was back to SMS 1.2. I wrote a very ugly script designed to clean out the registry (5000+ entries) and remove all the files, but like usual most clients had problems (like 2.0-induced crashes) that prevented the script from running. I ended up having to repair 300+ workstations by hand.

    Some of them are still broken actually...

    --

    "Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao

    1. Re:SMS 2.0 Beta 3 (sucks) by Speed+Racer · · Score: 1
      That is one of the funniest things I've heard about in a long time. You aren't coming near my subnet!

      Let this be a lesson to look before you leap, especially when the leap is right, smack dab in the middle of a pile of sh^h^h^h beta software from Microsoft.

      --
      Free Mac Mini. Yes, I'm
  47. Another point: by Squeeze+Truck · · Score: 1

    Yes, the PC belongs to your company (usually), but it gives IS power to monitor more than just the PC's maintenance and welfare. It can read your email as you write it, and automatically extract, filter and collate any document on your system. I wrote an SMS batch that scanned all txt and word documents for the word "handcuffs", and returned a copy of the document to the server with the PC owner's name attached (to show my boss it could be done).

    There is also the issue that SMS has a tendency to install itself to the PCs of employees who dial in from home and run all administrative jobs on it as if it were corporate property. The SMS client(s) run as a domain administrator, so by logging in to the corporate domain you automatically give up all ability to stop SMS from doing its thing, short of powering off or disconnecting.

    This happens, BTW. Not hypothetical.

    --

    "Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao

    1. Re:Another point: by mindstrm · · Score: 1

      Yes, and in a corporate environment, so long as you are made aware that your actions are for work only, and that your stuff can be monitored, and that personal work/correspondence is not acceptable, then the company is in the right.
      As to the login script causing stuff to be installed when you log in remotely with your home PC, that is YOUR fault, as you LET the remote machine execute whatever it wanted on your PC.

    2. Re:Another point: by jfunk · · Score: 1

      Wow, let's install cameras on the workers all over the world. Let's monitor every little thing they do, but hide away whilst doing it, so that most people don't know they're being watched.

      Sounds familiar to me...

  48. Desktop Nazis by Squeeze+Truck · · Score: 2

    I was one of these IS people. Of COURSE it's a tool of control.

    I wouldn't be too concerned though. SMS collects a lot of information, but unless the admin knows *exactly* what he's looking for he won't find it. SMS is very difficult to administer well, it breaks frequently, it is easy to confuse, and it is VERY slow.

    If you want to hide something from SMS, get partition magic and change your partitioning slightly from week to week. Eventually SMS will fill up its MS-SQL (slogan: "just like daddy's") database with 100-some entries on your machine and its contents and cease to be useful.

    Wow! Looks like you have 362 copies of Netscape installed!

    --

    "Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao

  49. Re:But what, exactly, makes BO2K a cracker tool... by smkndrkn · · Score: 1

    Does SMS allow you to control a PC over the internet? I'm not familiar with its features. If not then there is a HUGE difference between BO2K and SMS.
    Gary

    --
    ======== In the future, everything will be artificial. ========
  50. Hmm. by Z0z · · Score: 1

    After thinking about my reply on yesterdays story of BO2K, I came to this conclusion:

    No, BO2K or any other remote admin tool do not expose any security flaws. Windows systems are all single user, and have adequate security for single user systems. (Granted of course, you don't have machines that need security running Windows 9x, since the level of security in Windows 9x is effectively NONE).

    However, single user machines have no business being attached to a network of any kind, and if you are foolhardy enough to trust sensitive data to a networked single user machine, god help you.


    P.S. Any misspellings or faults of grammar you think you detect are mearly transmition errors, and probably your fault anyway.

    --
    P.S. Any misspellings or faults of grammar you think you detect are mearly transmition errors, and probably your fault a
    1. Re:Hmm. by craven · · Score: 1

      Single user machines shouldn't be attached to a network?
      What are the other people in my office going to type on then, especially if they print on a networked printer?

      I think what you mean is that the 1-user machines should be treated like terminals. They should store their sensitive data on a server machine, and grab it over the network as needed (encrypted so it can't be sniffed).

      Di[sc]kless Workstations!!

      --
      "Is there really a Canada, or are all those guys just kidding?"
    2. Re:Hmm. by tlhIngan · · Score: 1

      >>Another thing that persistently cracks me up about windows - the login. Press ESCape and, gee, you're in Windows.

      Yeah, but I've tried it, and depending on which one you get (you can have two login screens show), they are:

      1) Login to the network - and setup mounted drives etc.

      2) "login" to windoze. It's to find your password file so if you needed any 'special' logins (i.e., Dialup networking), it lets you check "save password".

      Yes, you're in windoze. But it can be a pain if you've lost network access (I hate rebooting 95 machines... either I have to supply my own login to get the machine to fileshare, or use administrator, or guess last password used).

    3. Re:Hmm. by cdlu · · Score: 1

      Another thing that persistently cracks me up about windows - the login.

      Press ESCape and, gee, you're in Windows. So much for the "identify yourself to windows" login&pass system. ctl+alt+del doesn't kill winscreensavers any more, fortunately. But win95a accepted the *windows button* to get around the screen saver. And almost all windows security (even in some NT systems) can be bypassed on boot with a floppy drive (set boot to A in BIOS if necessary) and/or the F8 key.

  51. A small difference by RattRigg · · Score: 1

    SMS allows an authorized person to control/observe your system.
    BO2K allows a script kiddie to control/observe your system.
    I think MS is right on this one.

    How many tool kits are out there to let you build trojan horse programs for SMS?

    CDC can play with words and semantics all they want. They created a hacking tool and that's that.


    --
    I started with nothing and I still have most of it.
  52. Re:Both Right, Both Wrong by Tweety+Fish · · Score: 1

    All in all a relevant post, but I want to point out that IBM once shipped copies of OS/2 with a virus on the CD.

    This whole incident made us look a little TOO much like "professional" software developers for my taste.

  53. Re:I know we all hate M$ but... but what? by Tweety+Fish · · Score: 1

    A little clarification...

    Back Orifice, and Back Orifice 2000, can NOT attach to another executable for a "stealthy" delivery on their own. In order to install an "out of the box" BO2K client, you have to click on the icon for the bo2k server, which then installs and begins running.

    A third party (Brian Enigma of netninja.com) has produced a series of plugins which allow this functionality, but they are neither developed nor endorsed by the Cult of the Dead Cow.

  54. Re:Legitimate Anal Remote Administration by Tweety+Fish · · Score: 1

    >1. It's called Back Orifice. "Yes sir, I'd like to submit an expense report for...umm... Back Orifice"

    A couple of points here: first of all, it's free, so it seems unlikely that anybody would have to submit an expense report for it, unless they really WERE doing something nefarious, like embezzling. Second, you can feel free to call it BO2K if it makes you feel better about using it to administer a network. From what we hear, that's what Pat Robertson called it, and if it's clean enough for him, I would imagine it's clean enough for anybody. We chose a name like Back Orifice partly because we believe that if you are developing free, useful software entirely as a hobby, and you know you're going to get blasted by critics no matter what you do then, well, you're allowed to have some fun once in a while.

    >2. The cDc claims that both that BO2K is a legitimate remote network administration tool, and that it is releasing BO2K to force Microsoft to plug (intrinsic design-related) security holes in NT. That's a contradiction. Imagine the press release for pcAnywhere 2000: "This version contains all kinds of all-new features, primarily designed to force Microsoft to plug security holes." And maybe Symantec will rename itself the Cult of the Norton Commander (cNc).

    While I do like the idea of Cult of the Norton Commander, I don't honestly see a contradiction. If you read our press releases and bo2k.com, you will hopefully see a slightly different take on things. We believe that an operating system should be robust and secure enough that a powerful and useful tool such as bo2k will not be an enormous security threat. Every feature of bo2k has administration uses, and the program itself is extremely efficient and modular, things that I've always been taught are a hallmark of good software design. However, because of this very effectiveness, the bloated hulk that is Windows is unprepared to deal with the control users have been given. We developed bo2k because people should have it, and because they shouldn't be scared of it; if they are, maybe that will make people think about the real issues involved.

    >BO2K has *only* a stealth mode, and stealth seems to have been a major design consideration. (Correct me if I'm wrong here, I didn't actually download it as I don't want to be sifting through my registry to get rid of it.)

    Okay, I'll correct you. You are 100% wrong about this. BO2K by default has stealth mode OFF, and will show up in the process list just like any other application. And as far as that crack about sorting through your registry to get rid of it, there is a function in the client - shutdown server - which can very easily be used to completely uninstall the server from the machine it is running on. No need to hunt through the registry or anything else.

    BO2K IS just a useful program for remote administration. The fact that it can be portrayed as anything else, by us or by anyone, is a sad comment on the current state of operating system and application security, at least as far as Microsoft operating systems are concerned.

    - Tweety Fish

  55. Re:"The Deth Vegetable" ??? by Tweety+Fish · · Score: 1

    Given what we have to say, I think a lot of people would suggest that not taking us seriously is done at your own peril.

    I am astonished at the number of people who claim to know our motives, age, and level of commitment to what we have to say through no more facts than what we choose to call ourselves.

    I can only pray that, should you get a life-threatening illness, the doctor who recommends the drugs that could save you doesn't have a silly name.

  56. Re:This is so NOT true, its not even funny. by Tweety+Fish · · Score: 2

    Before you talk with such certainty, check the URLs supplied in our press release. There is, in fact, an option to install SMS silently, I believe it's install /i.

    As far as requiring Windows NT, a login to a domain controller, and a SQL server login... well, no, we don't require any of those, because we don't think that people should have to buy NT, a machine to act as PDC, OR SQL Server in order to effectively administer their network. We think it should be FREE.

  57. Re:surpise, surpise, surpise by clawson · · Score: 1

    Why run remote admin tools stealthily?

    Hmm... work situations come to mind.

    User is suspected of doing bad things with PC at work. Install BO and watch undetected what he/she is doing. Why undetected? Say user is pretty knowledgeable about his work system, and has subverted previous attempts at this kind of thing...

    Granted, I don't want to work in a place like that. As far as network traffic goes, it is easy enough to monitor what people do via the net unobtrusively, so that doesn't really count...

    The "keyboard" watching stuff is pretty easy. Every keystroke in Windows generates a "message", that Windows then routes to the appropriate application. It is not too hard to watch this global message queue for keyboard messages. You can do it from Word, Access, Excel, VB or Powerpoint, in fact (it's a couple of API calls). It shouldn't be too hard, then, either, to write a little net app that blasts these messages to the net for clients to listen for...

  58. Re:Uhm... by clawson · · Score: 1

    I think the "client" is the software that "enables" the system to be managed by an SMS server.

  59. To Trojan, or not to Trojan? by billn · · Score: 1

    Following the links of the cDc posting, to the 'interview' with Garms of MS, they classify any trojan as software that can damage the system in any way. The nature of trojans require some social engineering, of course, to install.

    By its own definition, MS is guilty of the distribution of the largest trojan ever made.

    When was the last time you had Windows eat itself?
    Wipe a drive lately? Lose some documents?

    --
    - billn
  60. Re:I wonder how many law enforcement agencies use by Richard · · Score: 1

    here in Canada illegally obtained evidence is not as important as getting the person behind bars

    This was the case in America for a long time...completely making the 4th amendment (against unreasonable search and seizure) worthless. The cops could kick down your door, and if they found something illegal all they would get would be a "bad cop" slap on the wrist.

    Today, if evidence is obtained illegally, it must be thrown out.

    Of course, there are exceptions. If the police officers were "acting in good faith", they get to use whatever they found.

    -Richard.

    Disclaimer: I am not a lawyer and all that.

    --
    -Richard
  61. SMS required for sane word installations? by Nemesys · · Score: 1

    I've heard that the only sane way to
    install MS Word in a networked environment
    is to use SMS, and that this is achieved
    with secret API calls. Can anyone confirm
    this?

    1. Re:SMS required for sane word installations? by Nemesys · · Score: 1

      Yes - that's why I was asking!

    2. Re:SMS required for sane word installations? by Rombuu · · Score: 1

      Yes, I can confirm you don't know what you are talking about.

      --

      DrLunch.com The site that tells you what's for lunch!
  62. Re:U can just disable SMS by poink · · Score: 1

    Well...

    If your NT workstation is attached to a domain, then domain admins can still play with your services. And your "admins" need to have their heads smacked for not having NTFS and leaving things like the sms.ini file open for putzs (putzes?) to play with.

  63. Re:May not be exactly the same.... by poink · · Score: 1

    *cough*

    rem append a one-shot "start the SMS client" block to login.bat; c:\sms.flg marks it as already done
    echo if exist c:\sms.flg goto alreadydone >> login.bat
    echo net start "SMS Client" >> login.bat
    echo copy c:\boot.ini c:\sms.flg >> login.bat
    echo :alreadydone >> login.bat

    Ah, that brings back memories of netware login scripts...

  64. ababahehaeh by juuri · · Score: 2

    Ahhh I must say Veggie must have had some fine corn whiskey this last weekend to have such a brilliant stroke of vision.

    My shower curtain is proud to be "Owned by the cDc".

    ---
    Openstep/NeXTSTEP/Solaris/FreeBSD/Linux/ultrix/OSF /...

    --
    --- I do not moderate.
  65. Well, they're sorta the same by forkboy · · Score: 3

    Yes, both can be used as remote administration tools, but there are a few primary differences. BO2K has functions that can pretty much only be used maliciously, which are not contained in SMS. Examples: piping microphone input to a BO client, logging keystrokes, scanning for BO servers, etc. I don't know EVERYTHING SMS can do because, well, I try to avoid most Microsoft contact, but some of it is unavoidable in my job. Also, BO hides itself by making its executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall. Most legit remote management tools can be removed with a minimal effort.

    I'm not trying to defend MS here, but if cDc claims that BO2K is anything but a hacker tool, they're only kidding themselves. I want to see Gates eat a big steaming turd as much as the next guy, but I think cDc is going about it entirely the wrong way, and I think they're doomed to failure.


    Wow, did I just play devil's advocate for M$? What IS this world coming to?

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
    1. Re:Well, they're sorta the same by Seth+The+Man · · Score: 2

      >>Also, BO hides itself by making its executables and registry entries look like system files/keys, which makes it a pain should you decide it's time to uninstall. Most legit remote management tools can be removed with a minimal effort.


      Actually, there is a fairly easy way to remove the registry entries w/ bo2k. It's an option when you disconnect from the server, to delete the installation. The bo2k site is very informative, you might actually look at the product before you start making comments on it.

      --
      Screw this shit, I've had it/I ain't no mister cool./I'm a pig, I'm a dog/Excuse me if I drool./stm
  66. Uhm... by Barbarian · · Score: 1

    Isn't the "client" the program you use to control the "server"?

    So the "client" here for LINUX is just for controlling SMS-installed Windows PC's?

    1. Re:Uhm... by DavidTC · · Score: 1
      Good thing we don't have any confusing usages of client and server in the Unix world.

      /me looks at X Windowing System.

      Nevermind. :)

      --
      If corporations are people, aren't stockholders guilty of slavery?
  67. Re:Lock-up Machine by chromatic · · Score: 1


    I'm not thrilled with Outlook's performance in general, but I blame Exchange for the woes I've seen.

    Not that there's any excuse for Outlook being such a pig when it can't connect to the server. *sigh*
    I should probably also say that I see nothing but a philosophic difference between malicious code and buggy, showstopping code, just to stay on topic.

    I am kinda surprised cDc compares itself to Microsoft, though.

    --
    QDMerge -- data + templates = documents.

  68. Lock-up Machine by chromatic · · Score: 3


    I believe all that command does is actually execute OUTLOOK.EXE.

    --
    QDMerge -- data + templates = documents.

    1. Re:Lock-up Machine by dillon_rinker · · Score: 2

      ...Outlook can't crash NT...
      It's funny because it's true. Ahahaha.

      [Actually Outlook CAN crash NT. But it's funny because most MS nerds THINK it's true!]

      P.S. Outlook can't crash NT the same way that a cat can't crash your car. Put a cat into a box to take it to the vet to be neutered and then don't tape the lid down and drive down the road at 55 mph and tell me Outlook can't crash NT.

    2. Re:Lock-up Machine by cdlu · · Score: 1

      heheheheh

      I was thinking, though, it probably runs DOSEMU's d:\exitemu.com (which when tried in dos w/o linux underneath completely and irrevocably crashes the system, so that not even ctl-alt-del works.) It's only 12 bytes long. :)

    3. Re:Lock-up Machine by G3nius · · Score: 1

      Like a mime... sad, hilarious, but true.

  69. ahh the good old ms two step by caffiend · · Score: 1

    So because something was developed with 'malicious intent' it's bad, but a product that has the same capabilities and was developed by benign programming gnomes is fine, verily.

    SMS used to be cheap, something like $20 per client or less compared to guys like Novadigm who're charging over $100 per client. And why wouldn't ms want to keep it that way, it makes software auditing for them that much easier.

    1. Re:ahh the good old ms two step by mindstrm · · Score: 1

      Yes. Just like the Vx bbs scene.
      We had two sides.
      1) Virus Exchange BBS systems, who offered access to all who wanted it, and catalogued and provided source and binaries of viruses, and provided for discussion and analysis of viruses.

      2) Anti-virus companies, running 'commercial' Anti-virus BBS systems, who offered access to those who both PAID and proved they had a LEGITIMATE USE for public domain software (as viruses are...)(please don't nit-pick about the exact definition of public domain.. you know what I mean). These people said 'those other boards are bad, because they have virus source. But we have virus source, and we are good.'

      See, the thing is, they aren't a police organization. Virii were (are) legal, authors provided source.
      Hypocrisy in action.

  70. Trust issues by Rozzin · · Score: 1

    If you don't trust an administrator, why is he an administrator?

    --
    -rozzin.
  71. What? by Dast · · Score: 1

    By that logic, you might say that only script kiddies use Linux, because anyone legit would have the cash to spring for NT.

    That doesn't make any sense.

    --

    This sig is false.

  72. I wonder how many law enforcement agencies use BO. by Pig+Hogger · · Score: 2

    I wonder how many law enforcement agencies use Back Orifice to assist them in their investigations...
    -- ----------------------------------------------
    Vive le logiciel... Libre!!!

  73. As well they should by Knight · · Score: 4

    Microsoft needs to take a true stand on the issue. Either hidden remote control software is malicious or it is not. If they claim BO2K is malicious, they need to pull SMS from the shelves, because their functionality is nearly identical. I don't think it really matters what a person thinks of cDc, or what they are doing. It's a simple matter of blatant hypocrisy, and, in my opinion, they are breaking the law by slandering a competing product. If cDc had the money, they could probably win a lawsuit.
    ---------------------------------------- ---------------
    If you need to point-and-click to administer a machine,

    1. Re:As well they should by HiThere · · Score: 1

      How long was MS Office tagging everything (including mail?) with the GUID before it was noticed? 3-4 years? Something like that. I started with Office 95 and wasn't noticed until last year.
      Think I've got that right. Sniffers don't help too much if the message piggybacks when you are intentionally sending a message.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:As well they should by HiThere · · Score: 1

      Sorry. Typo.
      Should have read:
      ...It started with Office 95...

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:As well they should by Captain+Teflon · · Score: 1

      No the point is that SMS is installed and authorized by the System administrators who have all legal rights to do so whereas the BO2K is not an administration tool and is installed without authorization.

      That's not logical. BO2K could be installed by a legit sysadmin, an unlicensed SMS (shock! horror!) by an unauthorised hacker.

      MS may be hypocrites on this issue, but it doesn't logically follow from that that the cDC people are angels. They portray themselves as on a computer security mission from God, to me they appear as self-publicising smartasses with programming talent which could be put to better use.

      Look at VNC. That's my idea of an open source remote admin tool. And it doesn't just run on Win32.

      --
      Eagles may soar, but weasels don't get sucked into jet engines.
    4. Re:As well they should by dillon_rinker · · Score: 1

      No, if you deployed BO2K into a real environment you would probably get tagged for privacy invasion or worse.
      Why do you want to take away my rights?
      I have the right to install any software I want to on any computer I own.
      If I want to install BO2K on my computer, I have the right to do this.
      If I own 100 computers and want to install BO2K on all of them, I have the right to do so.
      If you want to walk into a building I own, and tell me what software I can put on computers I own, I'll be happy to show you the door.

      I think the courts would agree that if you are sitting at my desk in my building using my computer and I am giving you money, and I can walk up to your desk at any time and see and hear what you are doing, then you don't have a reasonable expectation of privacy. If you don't like that, then you are free to leave.

    5. Re:As well they should by dillon_rinker · · Score: 1

      bo2k is promoted as a SA tool...
      yeah, that's why it was released at def con...

    6. Re:As well they should by dillon_rinker · · Score: 1

      Despite similarities, there is a BIG difference.

      Right. That difference is that one group says "Here's this powerful tool - but be careful cause hackers could use it against you!" The other group says "Here's this easy-to-use tool. Nobody can use it against you!" As a result, you can defend against BO2K; you can't defend against SMS. Does Norton bother to check that SMS is running on your machine? How about McAfee? Funny, isn't it...

    7. Re:As well they should by dillon_rinker · · Score: 1

      So the evil terrorist could use the good .22 if he didn't have the evil AK-47?
      The intention of the creator determines whether a tool is good or evil? Liquid fuel rockets (the V2) were invented to kill Londoners - that would make the Saturn V evil. Tracked vehicles (tanks) were invented to kill people - that would make bulldozers evil. Nuclear bombs were invented to prevent a million American soldiers from dying - that would make them good.

      A tool is a tool. Good people do good things with them. Bad people do bad things with them.

    8. Re:As well they should by dillon_rinker · · Score: 1

      The cDc people are hard-core hackers, creating tools for crackers, and covering all their legal bases.

    9. Re:As well they should by dillon_rinker · · Score: 2

      The reason it's not considered a remote admin tool is not the fact that it's "stealthy" but that it has the ability to do serious damage to an end user's computer.

      Ever hear of file sharing? Windows NT will let you share all the drives and files on a system. It's not stealthy, since you get this little hand holding the object that's shared.

      So, is file sharing a hacking tool? I could secretly go to your computer and share everything on it, then go back to my computer and delete everything on your computer, or change it slightly, or just watch how it changes over time.

    10. Re:As well they should by dillon_rinker · · Score: 2

      I know this because I worked on the SMS team for 3.5 years from well before 1.0 shipped to a year before 2.0 shipped. They were very concerned about admins using the software to do things the user did not want them to do.

      If what you say is true, then the SMS team is TRULY one messed up group. The WHOLE POINT of being a sysadmin is that I am responsible for the network. It goes down, I get nailed. It stays up 24/7/52, I get a nice bonus. My job - my paycheck - my ability to feed my family depends on my control of the network . If SMS were TRULY an admin tool, its programmers would be concerned not with users, but that maybe I can't do everything I want to on my network. They'd put a menu option somewhere labeled "Wipe MBR of and reboot remote system NOW!"

      Real power tools don't have blade guards and safety locks. They assume that trained professionals will use them and will be responsible for their use. A chainsaw can be used to murder people, but that doesn't make lumberjacks murderers. Unless you're a tree-hugger :)

    11. Re:As well they should by Hangtime · · Score: 1

      Yada Yada Yada, welcome to the wonderful world of corporate remote administration. While SMS and BO2K may both be stealthy, I would add the leader in the field, Intel's LANdesk, to the mix. Each of the three allows remote administration, but SMS and LANdesk also allow cataloging of inventory, both hardware and software, which BO2K lacks. Also, I might add, they don't add the convenient features of BO2K of endless looping of sound, locking out keyboards and mice, spying through peripherals, locking up systems and so on. The reason it's not considered a remote admin tool is not the fact that it's "stealthy" but that it has the ability to do serious damage to an end user's computer. No, if you deployed BO2K into a real environment you would probably get tagged for privacy invasion or worse. Something to think about as everyone jumps on the Microsoft hate bandwagon.

      Hangtime

    12. Re:As well they should by MindStalker · · Score: 1

      Yes, you are paranoid... There are enough people out there who consistently use sniffers on their home computers that such blatant abuse by Microsoft would quickly be noticed. Anybody remember the thing with Blizzard? And that was a tiny exploitation. I could only imagine the legal backlash if Microsoft was actually caught doing something like that. HMM, I can't wait!!

    13. Re:As well they should by MindStalker · · Score: 2

      I started with Office 95 and wasn't noticed until last year.

      Damn, that's impressive; I think the cDc needs to look into hooking up with you, definite asset!

      (note: this was intended simply as satire, not meant to insult HiThere, or any persons dead or alive, except your mom)

    14. Re:As well they should by mrex · · Score: 2

      No the point is that SMS is installed and authorized by the System administrators who have all legal rights to do so whereas the BO2K is not an administration tool and is installed without authorization.

      Wow. Thats some crystal ball you have there.

      What keeps SMS from being installed covertly? And what keeps anyone from using BO2K as you claim SMS is intended to be used for? I can think of several benefits, the primary one being that while SMS is commercial, closed source software, BO2K is free and open! Modify it the way you want, use it the way you want.

      To say that nobody will use BO2K for legitimate things is silly. To say that nobody has ever used SMS for nefarious purposes is equally silly. To claim that you know exactly who, when, and how an admin will use a piece of software is just downright foolhardy. I can definitely see small companies on tight budgets who need remote Windoze administration capability taking advantage of a free program like BO2K.

      A question for you. You say that "BO2K is not an administration tool". Can you tell me precisely what aspect of its design precludes its use as an administration tool?

    15. Re:As well they should by aithien · · Score: 1

      bo2k is promoted as a SA tool...

    16. Re:As well they should by Omar+Djabji · · Score: 1

      Tracked vehicles (tanks) were invented to kill people


      Tanks borrowed track technology from civilian use. They are just the most well known early application of the technology.

    17. Re:As well they should by Manax · · Score: 1
      The claim was that BO2K was malicious because it "includes stealth behavior". Presumably (although I don't know this first hand) BO2K could be used for legitimate purposes regardless of cDc's "intention" for the use of their product. A sysadmin COULD install it for purposes of administration, particularly if it is open source.

      Also, I would guess the SMS's remote control facility can only be turned off by an ADMIN on the local machine, not by just any user... but as I said this is just a guess.

      --
      "Why should I be content to simply live in this world, when I, as a human being, can CREATE it?" - Oertel
    18. Re:As well they should by Chasuk · · Score: 1
      Some people need to learn to read. M$ does not say that "hidden remote control software is malicious." In fact, M$ states, and cDC quotes: "Remote control software is not malicious in and of itself." M$ criticizes BO2K because, they maintain, "it is intended to be used for malicious purposes."

      You know and I know that of the 128,776 boasted downloads of BO2K (from cDc's servers alone), very few were for benign purposes. Most of the downloads, protestations aside, were by pimpled teenage boys who thought it would be "kewl" to remotely fuck with the hardware of innocent users. In some misguided way it made them "l33t" and one of the "hackerz." I know, that's not why YOU downloaded it, of course (and you don't subscribe to Playboy to look at the pictures, either).

  74. Re:Legitimate Anal Remote Administration by Shadowlore · · Score: 1
    >>Okay, I'll correct you. You are 100% wrong about this.
    >Sorry about that. I DID try out the original BO, though, and it was certainly like that.
    >The truth is that no matter what the press releases say, you know that you're not going to find any large networks administered by Back Orifice soon. There's no need to go into details; that knowledge is enough to prove that it isn't legitimate network management software.

    Sorry, but that is an assumption you are making, or at best, a prediction. Besides, whether or not something is used for a purpose is not the deciding factor (nor even relevant) to whether or not it is a legitimate use of it.

    --
    My Suburban burns less gasoline than your Prius.
  75. Re:visibility of SMS by FigWig · · Score: 1

    In our office it is easy to tell if you have the SMS client installed. Half your apps don't work!!! We are in the process of removing SMS from everyone's computer. Can SMS remove itself, or will it protest like HAL?

    --
    Scuttlemonkey is a troll
  76. Re:visibility of SMS by FigWig · · Score: 1

    And remember folks, HAL + 111 = IBM

    --
    Scuttlemonkey is a troll
  77. What BS....I mean MS said by F1reF0x · · Score: 1

    This whole thing is kinda funny, but the fact is that MS can't call BO according to their site:
    "Back Orifice 2000 (BO2K) is a remote-access tool that was developed with the intent of harming users...it is a tool that has no legitimate purpose other than exposing users' machines to people on the Internet."
    How can they say that, if their software does the same thing! I have been waiting for this to get noticed, it just shows how microsoft does the same things it curses. I wonder how MS will respond.

    --

    Overflow on /dev/null, please empty the bit bucket.
  78. Re:What about Linux BO2K *client*? by F1reF0x · · Score: 1

    yes of the current product....but you could have something similar.....depending on what you want it's called a remote X-Session :-)

    --

    Overflow on /dev/null, please empty the bit bucket.
  79. Re:and I by F1reF0x · · Score: 1

    Well maybe you should think a bit more...Sure it can be used as a cracking tool, but it can also be used justifiably, in the work place...The program is essentially a remote administration tool.
    Plus, remember a bit back when that little HTML tag could crash all versions of Netscape; that was not made to be used maliciously, but was. All this is not the point; the point is MS' software does the same thing as BO and SMS is not checked by virus scanners.

    --

    Overflow on /dev/null, please empty the bit bucket.
  80. Re:Something to bear in mind by MSG · · Score: 1

    You haven't gotten around to using BO2K have you? Your description applies to the original BO, but not the new one. It's important to recognise that BO2K can't be installed without a user specified port and password, no less than 14 characters! (Like ByTemyS00percRank) We admins aren't going to see widespread distribution or network scans. It could still be used for attacks, but it's not really more of a problem than anything else.

  81. detecting BO2K by dark3r · · Score: 1

    Does anyone know if BO2K behaves the same way as BO did? E.g. by default, putting a registry setting in the RunOnce or RunOnceEx to start BO without a user noticing?

    As a side note, I think it would have put cDc in a better light if they had included a method of detection as well. Of course that would fly in the face of this being a SA tool because every user knows how to scan a registry or check for remote administration tools.

  82. Re:But what, exactly, makes BO2K a cracker tool... by Quikah · · Score: 1

    Uhh, yeah...ever heard of warez? All of the script kiddies have, and since crackers are generally immoral jackasses they will have no problem stealing SMS.

    --
    Q.
  83. Re:Funny that.... by griffjon · · Score: 1

    Funny NT sidenote-- a user can hack the registry, but can't install programs.

    Which is more dangerous...?

    --
    Returned Peace Corps IT Volunteer
  84. Re:Depends on how you look at it. by griffjon · · Score: 1

    The security flaws BO2k exposes are not hacking-in flaws, though these abound, but basic flaws in the lack of security in the OS. The thing with BO2k is that it isn't hacking programs or fragging with the system to do its deeds, it's using MS-created and supported programming calls that any legit or non-legit program could use with no problem. Stealth mode? Supported. IBM's Netfinity does it, too. Folders that are remotely accessible w/o telling the user? That's supported in MS code as well.

    Sure, you can hack into any computer, but most systems don't serve you drinks and snacks once you get inside...

    --
    Returned Peace Corps IT Volunteer
  85. SMS vs BO2K by Felinoid · · Score: 1

    There is a difference... a very small one...
    SMS is made to be an admin tool... the fact that it can be abused is an oversight...
    BO2K is made to be abused; the fact that it is an admin tool just shows how serious the situation is.

    cDc set out to raise awareness and they have done that.

    It's not like Windows is the only operating system with holes you could drive a truck through... Merely that Microsoft pretends they don't exist...

    --
    I don't actually exist.
  86. damn proxies.... by UM_Maverick · · Score: 1

    anybody got a mirror for this? I hate being behind proxies...

  87. that's blocked too! by UM_Maverick · · Score: 1

    I tried anonymizer, but that's blocked too....looks like I'm gonna have to wait until I get home to find out what all the fuss is about :)

  88. Re:U can just disable SMS by Alfthemack · · Score: 1

    If it's the *largest* (not most valuable) company in the world, he's at GE (General Electric). Misguided types may think he's at Exxon, Phillips, Shell, BP, BT, AT&T, Bell Atlantic, Southwestern Bell, Merck, IBM, Pfizer or Gillette. However, to my recollection, GE is still the largest.

    --
    --Al
  89. Something to bear in mind by rde · · Score: 2

    Like most people, I laughed. I even downloaded the word document (I'll be sure to scan it before using it).
    This does show Microsoft to be hypocrites, but that's hardly news to anyone.
    One thing to remember, though, is that this doesn't make CDC angels.
    BO2K is, to all intents and purposes, a cracker tool. It has valid uses, but the vast majority of people who download it are not sysadmins. BO2K remains a monumental pain in the nuts for innocent Windows administrators.
    I'm not against CDC or BO2K; that doesn't mean we should paint CDC as saints.

    1. Re:Something to bear in mind by Mike+Schiraldi · · Score: 1

      While i feel you've got a point there, and i'm not sure where i stand on the issue, no command is inherently evil. (if prockill and lockup have no legitimate uses, why does Unix have the kill and halt commands?)

      For example, while this is unlikely, it's certainly possible that the person in the logfile was a good samaritan who found a BO server running on your machine and didn't want any evil samaritans to compromise your system - so he tried to lock your machine up, which would prevent anyone else from using BO to do permanent damage. When the lockup failed, he looked at a process list and tried to kill the BO server directly. When that didn't work, he tried to reboot your machine, hoping that BO wouldn't start back up again the next time.

      Unlikely? Sure. But it shows that there ARE valid reasons for such a command to exist.

    2. Re:Something to bear in mind by opencode · · Score: 1

      ... nor is cDc actively and eagerly PURSUING the "saint" label .... we're talking about CULT OF THE DEAAAAAAAAAAAD COOOOOOOOOOOW ... I'm not at all sure where their name came from, but I don't believe it's a savior relic.

      Notwithstanding my personal feelings that the mischief is best caught by the cunning and mischievous, it seems that this comparison of SMS and BO2K is perhaps the most objective criticism cDc has ever published against MicroSoft (or anyone else). It certainly falls under the "cunning" category, which is probably a reputation cDc aspires to.

      --
      "He who questions training trains himself at asking questions." - The Sphinx, Mystery Men (1999)
    3. Re:Something to bear in mind by hab136 · · Score: 1

      It's open-source; should be simple enough to change the 14-character and port restriction.

      Or use "SMS Installer" or whatever to repackage it after installing, if you're lazy.

    4. Re:Something to bear in mind by AaronW · · Score: 5
      BO2K may have legitimate uses, but it seems to be most widely used for breaking into other computers or causing trouble. I'm running a Perl script called booby (available at http://members.home.com/lazyx/booby). This script simulates a BO infected system and logs all activity. BO seems to be a favorite for script kiddies. As a cable modem user I see a lot of BO activity. Here are some recent log entries (IP address and host name have been X-ed out):

      Jul 21 21:56:04: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
      Jul 21 21:56:05: ...reply sent
      Jul 21 21:56:22: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
      Jul 21 21:56:22: ...reply sent
      Jul 21 21:56:29: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
      Jul 21 21:56:30: ...info sent
      Jul 21 21:56:39: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
      Jul 21 21:56:39: ...passwords sent
      Jul 21 21:57:00: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
      Jul 21 21:57:00: ...reply sent
      Jul 21 21:57:07: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>passes
      Jul 21 21:57:08: ...passwords sent
      Jul 21 21:57:11: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>reboot
      Jul 21 21:57:12: ...reply sent
      Jul 21 21:57:28: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
      Jul 21 21:57:29: ...reply sent
      Jul 21 21:57:38: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
      Jul 21 21:57:38: ...reply sent
      Jul 21 21:57:42: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
      Jul 21 21:57:42: ...reply sent
      Jul 21 21:57:43: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>lockup
      Jul 21 21:57:43: ...reply sent
      Jul 21 21:57:46: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>info
      Jul 21 21:57:47: ...info sent
      Jul 21 21:57:59: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist
      Jul 21 21:58:00: ...reply sent
      Jul 21 21:58:12: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>prockill 4291797281
      Jul 21 21:58:13: ...reply sent
      Jul 21 21:58:16: xxxxxxxxxx.xxxxxx.xx.wave.home.com(24.xxx.xxx.xx): 1641 >>proclist 4291797281
      Jul 21 21:58:17: ...reply sent

      As you can see, no useful tool would have commands like "lockup". I have seen more malicious attempts than this as well, such as one person who often launches DOS ping attacks against other users from BO infected machines.

      As much as I hate Micro$loth, I must agree with them on this one. If there were a BO without all of the malicious features then perhaps it would be taken seriously, but with the stealth features and the crash features I think its main purpose is fairly clear (at least to the script kiddies).

      --
      This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
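      A honeypot log like the one above is only useful if someone reads it, and a cable modem sees plenty. What follows is an added example, not part of AaronW's post and not the booby script itself: a small Python parser for the two line shapes visible in the excerpt (a command line `Mon DD HH:MM:SS: host(ip): port >>command [args]` followed by a `...` reply line), which groups the commands by source address and scores each source by how intrusive its session was. The sample log, the host names and addresses in it, and the severity weights are all constructed for this example.

```python
"""Parse and triage BO honeypot logs in the booby line format.

Added example. Assumed line shapes (taken from the excerpt in the post):
  "Mon DD HH:MM:SS: host(ip): port >>command [args]"   -- a request
  "Mon DD HH:MM:SS: ...text"                           -- the reply to it
Severity weights and the sample log below are constructed, not real data.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
COMMAND_RE = re.compile(
    TS + r": (?P<host>[^(\s]+)\((?P<ip>[^)]+)\): (?P<port>\d+) >>"
    r"(?P<cmd>\S+)(?: (?P<args>.*))?$"
)
RESPONSE_RE = re.compile(TS + r": \.\.\.(?P<text>.*)$")

# Weights are this example's own choice: reconnaissance scores low,
# credential disclosure and anything that disrupts the host score high.
SEVERITY = {
    "info": 1,
    "proclist": 1,
    "passes": 3,    # dumps cached passwords
    "prockill": 3,  # kills a process
    "lockup": 3,    # freezes the machine
    "reboot": 3,
}


@dataclass
class Event:
    ts: str
    host: str
    ip: str
    port: int
    cmd: str
    args: str = ""
    response: Optional[str] = None  # filled from the "..." line that follows


def parse_log(lines):
    """Turn raw lines into Events, attaching each '...' reply to the command before it."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = COMMAND_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["ip"], int(m["port"]),
                                m["cmd"], m["args"] or ""))
            continue
        m = RESPONSE_RE.match(line)
        if m and events and events[-1].response is None:
            events[-1].response = m["text"]
        # anything else is ignored rather than guessed at
    return events


def triage(events):
    """Group events by source IP and score each source by the commands it issued."""
    report = {}
    for ev in events:
        r = report.setdefault(ev.ip, {
            "host": ev.host, "commands": Counter(), "score": 0,
            "first": ev.ts, "last": ev.ts, "unknown": set(),
        })
        r["commands"][ev.cmd] += 1
        r["last"] = ev.ts
        if ev.cmd in SEVERITY:
            r["score"] += SEVERITY[ev.cmd]
        else:
            r["unknown"].add(ev.cmd)  # commands outside the table still get reported
    return report


def classify(score):
    """Coarse label for a source's cumulative score."""
    if score >= 6:
        return "destructive"
    if score >= 3:
        return "intrusive"
    return "recon"


# Constructed sample in the booby format; hosts and addresses are placeholders.
SAMPLE_LOG = """\
Jul 21 21:56:04: probe.example.net(192.0.2.10): 1641 >>proclist
Jul 21 21:56:05: ...reply sent
Jul 21 21:56:22: probe.example.net(192.0.2.10): 1641 >>lockup
Jul 21 21:56:22: ...reply sent
Jul 21 21:56:39: probe.example.net(192.0.2.10): 1641 >>passes
Jul 21 21:56:39: ...passwords sent
Jul 21 21:58:12: probe.example.net(192.0.2.10): 1641 >>prockill 4291797281
Jul 21 21:58:13: ...reply sent
Jul 21 22:03:01: scanner.example.org(198.51.100.7): 2050 >>info
Jul 21 22:03:02: ...info sent
Jul 21 22:03:09: scanner.example.org(198.51.100.7): 2050 >>dir c:\\
"""


def run(text=SAMPLE_LOG):
    """Parse text and return {ip: (label, score, sorted command list)} for review."""
    report = triage(parse_log(text.splitlines()))
    return {ip: (classify(r["score"]), r["score"], sorted(r["commands"]))
            for ip, r in report.items()}


if __name__ == "__main__":
    for ip, (label, score, cmds) in run().items():
        print(f"{ip:15} {label:12} score={score:2} commands={','.join(cmds)}")
```

      The reply line is attached to the preceding command rather than matched by timestamp, because the excerpt shows replies landing in the same or the next second and nothing else to key on; a command with no reply (the last line of the sample) simply keeps `response` as `None`. Commands not in the severity table are collected under `unknown` so that a new verb shows up in the report instead of silently scoring zero.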
    5. Re:Something to bear in mind by Hobbex · · Score: 1

      No, you are the stupid one, you are the loser. If you got hacked by a "script-kiddie" then you were the one whose computer security was fucked up, and you should take responsibility for it like a man instead of falling back on some quasi-Fascist law enforcement so afraid of technology they are happy to fuck just about anybody over if it could be deemed "computer crime related."

      Whatever "business to run" it is you have, it is neither the beginning nor the end of the world for anybody else, but our basic freedoms are. And one of those basic freedoms is that the network packets I create on my computer, just like all other information (or thought, or speech) that I create, should be allowed to contain whatever the fuck I want.

      I've never tried running a malicious script or exploit in my life, and I don't find it the slightest bit "cool", but attitudes like yours work very hard towards changing my mind in that area...

  90. Re:U can just disable SMS by dillon_rinker · · Score: 1

    What's your metric for size? Assets, number of employees, annual sales, annual revenues, physical size of buildings, what?

  91. Re:Wouldn't it be sweet... by dillon_rinker · · Score: 2

    yeah - that's like ignoring cancer until it goes away - it happens eventually - you die...

  92. Re:Inbreeding was Re:Hyppocritical War by dillon_rinker · · Score: 2

    OK, kid, before you get too carried away with your own brilliance, tell me why practical geneticists - the people who develop new breeds of animals and new varieties of plants - cross offspring with parents and with each other when trying to get a trait to breed true. I took the original poster to mean "They are increasing one trait, but they are doing it through inbreeding, so eventually they will be a bunch of musclebound hemophiliac morons".

  93. Re:Responses to both Dillon by dillon_rinker · · Score: 2

    Obviously I wasn't clear. In replying to the previous poster, I simply meant to point out an error in the previous poster's logic, who said something to the effect that BO2K is inherently bad because it lets you damage a computer. My point was that file sharing also lets you damage a computer. BO2K is just a tool. A powerful, potentially dangerous tool, one that can be used for illegal and unethical purposes, but still a tool.

    The simple act of sitting at someone else's computer and deleting a file without permission is potentially a crime and could certainly subject you to civil penalties.

  94. May not be exactly the same.... by mmoore · · Score: 2

    I have used SMS for a corporation before. They pushed the install to all the machines, and yes, they could control the machines with/without the users' knowledge... BUT, one thing we always had to do was call the person up to have them manually activate all the services the first time (after that it saved the config)... I'm not really sure how this can be compared as the same thing. Also, the SMS software had to be installed, and without admin access to the domain there was no way to do this unless we wanted to step around to each of the 750 machines on the network... So yes, SMS and BO2K do have similar working features... with the exception of how they are implemented (and in my book that is a big exception)...

    1. Re:May not be exactly the same.... by Winged · · Score: 1

      Not only this, but if the workstations are members of a domain with domain trust: Server Manager is able to see -all- computers in the domain (any domain connected to the network, actually), and is able to access the Services control panel (if the current login has either Domain Admins group, Administrators group, or the Administrator password for the remote system). Which can just change the startup for the service on the remote system anyway. And let's not forget remote registry editing capability! Change the startup for SMS Client to 0x0010 (I think), and it gets set to start Automatically. There -is- no definitive guide to how Microsoft security interacts in networked environments. PLUS: SMS offers the capability to run commands on the remote system as though they were run locally!!! No need to have 'lockup' and 'reboot' as integral parts of the service, since anything can be run anyway -- and anything can be copied, and anything can be marked executable. Whee. Microsoft, you're gonna have to eat crow on this one. -Winged

  95. surprise, surprise, surprise by hackman · · Score: 1

    I must have read the article when it was still up..

    I'm sure we're all surprised that MS is trying to take down their competition with unfair tactics. At a risk of sounding stupid, what's the need to run remote control software undetected - cracking aside? I can't think of a good legitimate use.

    I've used several remote control products at different times, and as a simple user they can be wonderfully convenient. However the security hole they open up seems quite risky.. especially when software that can stealth (MS or otherwise) is used.

    I'm not trying to be a MS advocate, but sounds to me like both sides have some 'splaining to do.

    Just my $.02
    Brett

    --
    __ No registration required to read this message. They did it in the Matrix.
    1. Re:surprise, surprise, surprise by hackman · · Score: 1

      Ok, points well taken. Definitely the point about the users being more dangerous than the attackers. I know many people that I work with who definitely are that way.. maybe including myself.

      Nevertheless you have to admit it's well oriented toward the "spying" realm - which is considered ok when it's an employer (to some extent) but not ok when it's someone else. I bet the Feds/spooks like this tool - prolly had it for ages already.

      B

      --
      __ No registration required to read this message. They did it in the Matrix.
    2. Re:surprise, surprise, surprise by Seth+The+Man · · Score: 1

      The best reason I can think of for using a 'stealth' mode administration utility is avoiding the phone call. I don't want to disrupt a secretary in the middle of keying in a report. If I can get in, change some .ini files or delete some temporary files without leaving my desk, AND without having to call up the user, stop whatever they were doing and then confuse them by explaining software maintenance, I'm all for it.

      Hell, w/ bo2k you could even pop up a message for them to reboot when you get done. I think it's a great program, from a group w/ a slightly odd sense of humour.

      cDc as crackers is a joke.
      "It's all about style, Jackass."

      --
      Screw this shit, I've had it/I ain't no mister cool./I'm a pig, I'm a dog/Excuse me if I drool./stm
    3. Re:surprise, surprise, surprise by Keeper · · Score: 1

      Hmm... I know of a few situations where it is extremely helpful. The business I work for puts a program called TimBukTwo (or something that sounds like that) on all of the machines shipped out to sites.

      It aids the helpdesk people, because they can dial in and watch what the associate is doing. So the "I can't print" problem can be fixed relatively easily. You call up the site, turn on observe, tell them to try again, and see a dialog box appear saying the printer is out of paper. "Put paper in the printer." (Yes, stupid things like this do occur; you don't get the brightest people at $5.50/hr).

      It gets exponentially handier when you need to investigate a problem. For example, say some associate walks into their store in the morning to a blue screen. Now say this happened at 500 other places that same day (at the same time nonetheless...apparently while "rebooting").

      (NT BITES!!!! :)

      It also happens on these machines that you have to have EVERYTHING turned off, because people who go "hey, I've got a computer at home I can fix this myself" tend to really Fck things up... The few weeks where it was possible to turn the software off about half the sites had it off...

  96. Responses to both Dillon by Hangtime · · Score: 1

    First: File sharing

    Yes, you make the argument that perhaps file sharing can be used for evil, but so can guns, knives, tape recorders, large sticks, etc. However, I don't believe locking up a computer remotely or looping a sound so that it plays repeatedly can be construed as having redeeming value, whereas file sharing can. Of course file sharing could be dangerous, but more often than not it's a helpful application that saves many floppy disks; playing with people's minds is not a redeeming social value.

    Second: Privacy

    I will use a scenario here; it makes it easier to explain. Here at the school, we are putting out onto campus the Dell M770MM, a monitor with speakers and microphone built in. You have chosen BO2K as your remote tool of choice. One day either you or someone you work with is bored, so they decide to turn the microphone on and listen to some conversations in the President's office. Oops. That is a crime punishable by jail time and you are liable because it's your software you installed. No U.S. State will allow you to record or listen to a conversation without the knowledge of at least one party (in a few states) or all parties (in the majority of states). That's why it takes a court order for a wire tap. Do not fall into the trap of thinking listening to conversations and delving into the computers of employees is a right of every network admin. Yes, the Supreme Court has said that you can look at people's email, but once you start going further from there, protection for you becomes a lot murkier.

    Quick Sidenote:

    By default, LANdesk will let the user know when the computer is being audited, which is just a better overall strategy. Even if you don't want your users to know when they're being watched, it's still a wonderful idea to put in place a written Information Systems usage policy. This can save a lot of court costs; the policy here on campus has been used to terminate employees, and since everyone signs it, it makes you a little safer.
    Take care and take it easy.

    Hangtime

  97. Guess what by Hangtime · · Score: 1

    Guess what? We all can't be absolute security gods. You know what, the kid broke the LAW!!! To be honest, I don't like security work. It's mundane and tedious work, i.e. not the movies. Instead of doing things that I like to do and better serve the customers out on campus, I have to devote time to defending against script kiddies. No, it's not the man's fault that someone broke into his computer, it's the script kiddie's. Just because you leave your door open doesn't give somebody the right to come through it and clean your house of belongings. We all can't be security gurus, so lay off.

  98. Soapbox Time by Hangtime · · Score: 1

    Unix admin vs NT admin
    (Security: General situations - workstations, server lockdowns)

    Unix admin: Defends his or her castle against a small band of extremely skillful ninjas that go around his network (Unix still has less market share than Apple, which was 5%). However, he or she has a team of fighters at their fingertips to help with any situation (i.e. mailing lists, Slashdot, etc.)

    NT admin: Defends his or her castle against that same band because they don't like his or her choice of OS (same 5%). Also he or she has to defend against the rampaging hordes of STUPID end users and script kiddies that want to make a mockery of their computers (remember the statistic: 1 virus for Unix in the past year, something like 4000 for Windows); add 85% of the general computing population. So the WinNT admin has to defend against the best of the best (those that write exploits) and also the sheer volume of users (those that like to use exploits and those dumb enough to use them). On top of that, they are belittled by the group above because it's easier to learn their system. (There's a reason that Windows and Apple own 90% of the worldwide market for Operating Systems: its user friendliness ;) ).

    If you compare the two, yes, the Unix admin has most of the time more responsibility because they have more experience and he or she is in a more mission critical area. However, the NT admin is more than likely going to hear from an end user and going to have to deal with way more shit than a Unix admin will, because unlike the Unix admin, EVERYBODY knows and can use Windows and the admin is the guy to call. I don't know everything but I do know some pretty damn talented NT admins and MCSEs.

    One final note:
    Just because you don't like Microsoft products doesn't mean that everyone that uses them is stupid when it comes to computers. I work with some exceptionally bright admins every day; we have an NT Server running on a Dell Poweredge 6300 that handles all the networked printers on campus along with all network installations of software, and it hasn't gone down once in the 8 months since they set it up. The Unix admin most of the time will have the more important job, but the NT guy puts up with a lot more shit.
    Take care and take it easy.

    Hangtime

  99. Here's an idea: by Salgak1 · · Score: 1

    . . .port BO2K to Linux: jazz up the interface, remove all references to cDc. . .then release it as a Remote Administration tool, just like SMS, etc. After getting reviews, accolades, etc., THEN reveal that it's a BO2K variant. . .
    After all, MS-DOS was once a hacker-built tool, too. . .until Bill et al bought it, and built an empire on it. . .

  100. Re:HAHAHAHA by toolie · · Score: 2

    That's evidently the way our company thinks also. We need to spend $1500 and 3 weeks per license for compilers because we are not allowed to download free compilers from the 'net.

    If it's free, it can't nearly be as good as something you could pay copious amounts of $$$ for. Productivity be damned, we want to waste money.

    If the company managers/CEOs/and government officials were in charge from the beginning, I'm surprised we ever climbed down from that first tree.

    --
    -- toolie
  101. Re:Legitimate Anal Remote Administration by mulley · · Score: 1

    > A couple of points here: first of all, it's free, so it seems unlikely that anybody would have to submit an expense report for it, unless they really WERE doing something nefarious, like embezzling.

    Nitpick! My point was that software designed for use administering networks would not have a name like Back Orifice.

    >I don't honestly see a contradiction.
    Well, let me restate my point. Legitimate network administration software does not claim to exploit security holes, design-related or not.

    >Okay, I'll correct you. You are 100% wrong about this.

    Sorry about that. I DID try out the original BO, though, and it was certainly like that.

    The truth is that no matter what the press releases say, you know that you're not going to find any large networks administered by Back Orifice soon. There's no need to go into details; that knowledge is enough to prove that it isn't legitimate network management software.

    Still, it is a very nice piece of software. Also, it's open source. So, if you're someone whose programming skills extend beyond Perl (unlike mine), here's a job for you:
    - rename the program
    - get rid of some of the more dubious features, i.e. lockup and redirect mic (while that is certainly in some commercial products, it's just scary, dammit! I can live with someone looking through my files, but they can't listen to me!)
    - make it less stealthy on the server side
    - change it so that existing antivirus definitions won't detect it, and slashdot-effect mcafee.com and the cNc if they put the changed version into their software.

    By the way, does the Cult have any lawyers among its members? (I can see it already... "Approach the bench, Tweety Fish!") I'm sure that there is an excellent case to sue anti-virus software makers, as their "protection" against BO certainly will prevent people from using it, and it could certainly be argued that the program, legitimate or not, is not in and of itself malicious.

  102. Legitimate Anal Remote Administration by mulley · · Score: 2

    A couple of reasons why BO2K is NOT a legitimate remote network administration tool.

    1. It's called Back Orifice. "Yes sir, I'd like to submit an expense report for...umm... Back Orifice"

    2. The cDc claims both that BO2K is a legitimate remote network administration tool, and that it is releasing BO2K to force Microsoft to plug (intrinsic design-related) security holes in NT. That's a contradiction. Imagine the press release for pcAnywhere 2000: "This version contains all kinds of all-new features, primarily designed to force Microsoft to plug security holes." And maybe Symantec will rename itself the Cult of the Norton Commander (cNc).

    Also, it's quite obvious that use as a cracking tool was a consideration in the design of BO2K. While SMS and other remote administration systems do have "Stealth modes", BO2K has *only* a stealth mode, and stealth seems to have been a major design consideration. (Correct me if I'm wrong here, I didn't actually download it as I don't want to be sifting through my registry to get rid of it.)

    Still, it is NOT a trojan. Trojans don't have install programs. I think anti-virus programs scanning for it is a bit of a joke. For that matter, I think anti-virus programs should stick with viruses (which, of course, BO2K is not by definition) - the only true protection against trojans is to be careful what software you run.

    BO2K is certainly a useful program for remote administration. It's small, fast, etc. But claiming that it's just a useful little open source administration tool is engaging in a Microsoft-style bending of facts. For those of you who still claim this, think about who most of the future users of BO2K will be. Will they be script kiddies and people who just want to try it out, or will they be sysadmins of large networks? If it will very rarely be used to administer large networks ("Help Desk? I'm having trouble with Word." "OK, just let me Orifice into your system. Our custom BUTTplugs should help with this one") but rather used by the kind of people who haven't yet mastered the concept of digits being used in numbers and letters being used in words, and as such think that the program is l33t, then it isn't a legitimate remote administration tool.

    1. Re:Legitimate Anal Remote Administration by Kymermosst · · Score: 1

      I am using BO2K at work for remote administration.

      It's a highly reliable product that gets the job done in the simplest way.

      And guess what else? I have it listed in the task list as BO2K, and its executable is named BO2K. Doesn't matter. The average user is too ignorant/stupid/apathetic to realize what it is anyway.

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
    2. Re:Legitimate Anal Remote Administration by Chandon+Seldon · · Score: 1

      Sorry about that. I DID try out the original BO, though, and it was certainly like that.

      And this is where you make your mistake, assuming that this is anything like the original. BO2K is a very nice, easily used remote admin tool with a feature set beyond most of its commercial competitors. Before you criticize, look for yourself.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  103. Re:SMS is a virus by Weerdo · · Score: 1

    I guess that you installed SMS on a production-server. That's NOT cool at all..

  104. SMS is a virus by towster · · Score: 2

    I was testing SMS on our NT box because we were contemplating utilizing it for administration. I installed the client on one box to see how it would be. Lo and behold.. the next day.. it had installed itself on ALL of our computers. It had gone in and made changes to my login.bat script on its own. This was TOTALLY not cool.

    1. Re:SMS is a virus by danimal; · · Score: 1

      What's really a bitch is when you try to install the client on a machine and it doesn't work, you come back the next day and it has installed itself on all of the machines that you don't want it to install on (servers), and it misses the one you tried to install it on (lowly workstation). I already control the servers! Dang it!

      If you were thinking about buying SMS, save yourself the hassle and replace all the PCs with terminals. The cycle continues:
      centralize -> decentralize -> centralize -> ...

      DS

      --
      "Please do not reply if you're an evil alien! Thanks"
  105. that seems kind of harsh by delmoi · · Score: 1

    I'm not familiar with BO, but I've used a program called "netbus" that basically does the same thing. In netbus there's a way to just print something to the screen in a dialog box, and I'd be willing to bet that that exists in BO as well. If they really wanted to protect you, they could just load up a URL with info on removing and detecting BO. Not that anyone with half a brain would put BO on the default port, unpassworded, anyway.
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"

    --

    ReadThe ReflectionEngine, a cyberpunk style n
    1. Re:that seems kind of harsh by James+Lanfear · · Score: 1

      "if they really wanted to protect you, they could just load up a URL with info on removing and detecting BO"

      I actually tried this once. Occasionally I do a quick sweep of my ISP[1] to make sure no copies of BO are present. (Good reason to do this: my *ISP* had an infected machine and didn't do anything about it; they weren't about to help the customers.) I found one and proceeded to get into a 3+ hour discussion, via dialog boxes, with the owner of the machine. When it was all over she *still* didn't believe that she had BO, and she refused to go to download.com(!) to get an antivirus because she didn't trust my URLs. I finally pushed her enough that she contacted her ISP (which either shares one of our class Cs, or I typoed the address) and they took care of it.

      Moral: don't rely on users to fix their problems.

      1: Before anyone accuses me of being a cracker, I don't do anything evil if I find a copy. I just flash an error on screen to get the user's attention and note the IP. If they don't fix it within a reasonable amount of time, I try to kill it myself. The only exception is the High School I (kinda) work at, where BO was purposely placed on a few machines by the sysadmins to play with the users--I don't interfere with their fun. (I never said I wasn't evil; I just don't crack ;-)

  106. MS and MJ by Darth+Hubris · · Score: 1

    It's a fireable offense to use SMS on the MS campus without a valid business reason.

    However, on a completely unrelated topic, I have a few comments. Hemp is a miracle plant. You can use its fibers to produce paper, saving countless trees. It can be made into clothing. Hemp seed oil can be used as an alternate fuel source. Hemp seed oil has more protein than soy bean oil. Hemp is a readily renewable resource, and could be the start of an incredibly profitable and environmentally friendly industry.

    Oh yeah, you can smoke it, too [he says tongue-in-cheek].

    --
    The party's over ... the drink ... and the luck ... ran out
  107. Nice Thoughts by powerlord · · Score: 1

    Hmmm, considering how many remote control programs are out there, and considering how none of them (except for BO or BO2k) are viewed as virii (especially by McAfee, Norton, etc.), it would be nice to have a Win32 program that could run and inform you if it detects one of these 'malicious' programs or (even better), give you the option of terminating them.

    Of course a package that allows you to de-install, or hack apart SMS would also be nice (replace it with a program that would let the user audit its activity or confirm its actions).

    Of course I'm not a serious programmer so I don't know how tough either of these ideas would be to implement, but they sure would make for interesting projects. (grin)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
  108. Funny that.... by blixco · · Score: 3

    I actually got busted this morning for running NetBus on my system...NAV had picked it up and notified my admins, who use both SMS and PC Anywhere to "spy" on our systems. The really funny thing: as local administrator, I can uninstall NetBus Pro (actually has an uninstall routine) but I cannot uninstall SMS.

    Hrm. Wonder which one acts more like a virus.

    1. Re:Funny that.... by piffy · · Score: 1

      actually, the only viruses that can propagate themselves are macro viruses or ones of that nature. viruses are just programs running on a system unwanted by the user, normally malicious in their design.

      remember back in the day of dos, mbr viruses couldn't spread from one machine to the next, it had to be spread by the user through the transfer of files and information. the viruses were normally just memory-resident programs, waiting to do something.

      piffy

      --
      www.piffy.org -- me.
    2. Re:Funny that.... by Syslevel · · Score: 1

      Neither acts like a virus. Unless you can show that either can spread from machine to machine without human intervention and control. Computer viruses propagate on their own.

  109. Re:Inbreeding was Re:Hyppocritical War by debrain · · Score: 1
    OK, kid, before you get too carried away with your own brilliance, tell me why practical geneticists - the people who develop new breeds of animals and new varieties of plants - cross offspring with parents and with each other when trying to get a trait to breed true. I took the original poster to mean "They are increasing one trait, but they are doing it through inbreeding, so eventually they will be a bunch of musclebound hemophiliac morons".

    Thank you. I'm glad that not only somebody was listening, but that somebody understood. lol. The whole point is not in the seriousness of the analogy, as comparing billygoats to multibillion dollar corporations lacks the implicit parallelism necessary for a good analogy (for obvious reasons), and should be taken only on a whimsical note, with a sense of humour. The analogy I meant to bring out was between that of the animal kingdom and that of the competitive corporate market.

    Albeit possible that I sorely failed in this, I'm sure that some of the messages intended were blatantly obvious, whereas others were a little more subtle. I'm quite glad that you understood, and brought out, this one.

    Strange how it is generally the anonymous coward that tends to miss the really interesting points, only to harp on what is (often inaccurately) obviously wrong. lol.

    It takes all kinds ...

  110. Hyppocritical War by debrain · · Score: 2
    We need only look to animals to understand this phenomenon. It is the ritualistic king of the hill. In terms of the analogy, let's go with billy goats. They wander in herds. And think of Microsoft as being a pack of unsavory billy goats, at the top of the mountain. They are big goats, and genetically they are becoming more and more superior (through inbreeding ...), and claiming more of the terrain around them.

    Nature provides two forces against these kings of the hill: better billygoats, who can sneak past the big buggers, and the slow grinding away of the hill upon which they sit, which is so difficult to climb because of a steep monopoly. These may be thought of as Linux and the erosion of the computer operating system monopoly mountain-peak. Together, the mountain is getting harder to defend against something like Linux, and the faster, nimbler billygoats are winning more of the battles for the hilltop.

    The inevitable conclusion is undetermined as of yet; the smaller, nimbler billygoats may yet force the hefty one off the top, the hefty kings of the hill may yet defend their mountain, or while the duel continues against each other, the mountain may just disappear, and we all buy appliances.

    To make the analogy more fun, we must look at what happens to the hefty billygoats. They do not control one mountain; they have a say in several mountains -- from software through to webTV to all kinds of fertile grazing lands. These mountains do not all disappear, and so the hefty billygoats, with their limited company immortality, can cling to many unconnected lands.

    One can see the faults in the billygoats at the top of the hillside, where they are forced to give way to things like Apache for MSN and HotMail. They are not superior. Just in greater numbers, and more aggressive. Outside of the analogy, one might think that the sun shines brighter on the Microsoft soil, because their lands are so fertile. It's more likely that it's fertilized with perfume-smelling dung to bring the birds and the bees. It's still dung, though, where it would not normally be fertile land.

    SMS vs BO2K arguments are one field on the mountain range that must be debated. BO2K does not possess the awe of the Open Source billygoats, but does have the potential to offset the balance in yet another area controlled by a bloated pack of oversized goats.

    Packs of animals are forced to maintain a certain size to compete. Microsoft is well beyond this size, and, outside the analogy, their interdependency may be the end of them.

    The lesson? Polygamy and inbreeding will not necessarily lead to better goats.

    1. Re:Hyppocritical War by dickens · · Score: 1

      a somewhat apt analogy...

      But you know, in any in-bred population, a negative-survival-value trait may also be amplified.

    2. Re:Hyppocritical War by HSinclair · · Score: 1

      Yes, but in the animal kingdom the "better billygoats" don't go sneak around the dominant billygoats and rape their she-goats (users) just for the hell of it. Real billygoats challenge the head male, and if they lose they go away, and if they win they get the she-goats (users).

      cDc and Back Orifice is more like a tick, that is set out to harm the head billygoats, but does it by infesting all the she-goats. Sure, the head billygoat is hurt, but the she-goats are hurt even more, and if they come to the conclusion that the head billygoat is bad, they are left with no replacement billygoat. More likely, they will think the ticks are bad and will try to get rid of them.

      The only real way to challenge microsoft and win its "she-goats" is as a competitor (Linux, BeOS, whatever), not as a parasite.

  111. Hey! What about porting BO2K to Linux? by wiggles · · Score: 2

    I have a great idea. Since BO2K is open source, why not port it to Linux to run SMS capabilities from a Samba server? Sounds like a great project to me, if only I could program.....

    Wiggles (the pathetic Linux luser)

  112. Isn't it the OSs responsibility? by Kukester · · Score: 1

    My complaint is that the OS allows this to happen (in the case of BO2k), and that the OS maker is doing very little to help.

    You ask "How many checks like this does BO2K do?" Shouldn't we ask why doesn't Windows do any checks like this?

  113. "The Deth Vegetable" ??? by Skorzeny · · Score: 1

    How can anyone take these people seriously?

    1. Re:"The Deth Vegetable" ??? by Kymermosst · · Score: 1

      I can only pray that, should you get a life-threatening illness, the doctor who recommends the drugs that could save you doesn't have a silly name.

      Well spoken. Though I was sure I could give an example, my mind seems to have drawn a blank. Oh, well.

      --
      "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
  114. Re:Depends on how you look at it. by Restil · · Score: 1

    This is so true. The difference with a trojan running on a Unix/Linux system is that to be truly effective, root needs to execute/install it. MOST of the time, anyone with root access is a competent administrator and would know better than to trust an unconfirmed program under root.

    Your average windows user, however, is not nearly as experienced in this area, as well as having full control of their system. This gives trojans on a windows platform a better chance.

    -Restil

    --
    Play with my webcams and lights here
  115. Re:They're missing the point.... by Kymermosst · · Score: 1

    Exactly... to bring up the old quote: It's not the gun that kills, it's the person with their finger on the trigger.

    --
    "Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
  116. Re:U can just disable SMS by ...+James+... · · Score: 1

    Yep, but all I would have to do is re-enable it using Server Manager. I do it all the time. And if someone has 'chosen' to disable the remote control, all I have to do is edit the sms.ini on their pc and then restart the SMS service remotely. Voilà!

    James

  117. Re:U can just disable SMS by ...+James+... · · Score: 1

    Then your sys. admin has already given you too much control and it serves him right if he can't access your pc.

    James

  118. What's the deal with the ? by MarNuke · · Score: 1

    "It?s incomprehensible why a tool like this would be created. [...] [T]here?s no pur.......

    What is the ? for????????????
    Can't the microsoft.com servers handle ' ????
    What sort of crap is that!!!


    Oh, um, BO2k, um, Don't use Windows. ALL PROBLEM SOLVED!!!!

    --
    MarNuke
  119. We need an opensource win32 management system! by poopie · · Score: 1

    We need to replace SMS with an opensource alternative that is cross-platform and can be administered from unix.

    Is BO2k a good or bad tool? Hmm... Are crack, nmap, and saint good or bad? Depends on who uses them for what...

    How much is an enterprise license for SMS and 10,000 users? What would be the impact on Micros~1 if fortune 1000 companies dumped SMS for free software?

    Micros~1 doesn't want to buy into the idea that their loyal users could/would use opensource enterprise software for systems management.

    I'm sure that some of these vulnerabilities in Win32 are there by design

  120. Re:MS Domain foo & VNC by poopie · · Score: 2

    Umm... your comment assumes that you made the mistake of using Micros~1's ill-fated Domain setup. (it's going away when the vapour clears from Windows 2001's inActive Directory)

    Can't we all agree to use LDAP and get on with enterprise computing architecture? (forgot -- there's no MSLDAP, Visual LDAP, or DirectLDAP-DNS-for-datacenters yet ;)

    Oh, by the way, what about VNC? If an email attachment started a VNC server and set the password, would that make vnc a virus?

    I couldn't live without VNC to tame Windows boxes. If anti-virus software started uninstalling VNC, I'd find new anti-virus software.

    What if vnc development forked and one branch was driven by some teenagers who were branded as hackers? Does vnc become a bad tool?

  121. *DANGER* Re:Something to bear in mind by ajs · · Score: 1

    I checked this software out, and while it's a cool idea, and one that I might take the time to fully develop, I came up with some pretty SERIOUS security holes in this. It's not as bad as BO, but close, and it's multi-platform.

    At the very least, PLEASE don't run this without changing the falsepath function in response.pl so that it never returns anything but a non-existent filename. This program will happily transfer all of your files to remote systems (yes, I know that falsepath tries to prevent this, but think about it for a bit, and you can get around this).
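
An added example, not from the post above and not the falsepath() from response.pl (which I have not seen): the two usual ways a "keep requests inside the served directory" check is bypassed, with a reconstructed naive check beside a hardened one. The directory layout, file names, request strings and the naive check itself are all assumptions made up for the demonstration.

```python
import os
import tempfile


def naive_falsepath(root, requested):
    # Reconstruction of the *kind* of check the comment criticises (an
    # assumption, not the actual falsepath() from response.pl): reject only
    # the obvious escapes, then join what is left onto the served directory.
    if requested.startswith("/") or requested.startswith("../"):
        return None
    return os.path.normpath(os.path.join(root, requested))


def confined_path(root, requested):
    # Hardened check: resolve symlinks and every ".." first, then insist that
    # the final, canonical path still lies inside the canonical served tree.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, candidate]) != real_root:
        return None
    return candidate


def demo():
    # Constructed layout: a served tree plus one secret file outside it.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "served")
        os.makedirs(os.path.join(root, "docs"))
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for remote eyes\n")
        with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
            fh.write("public\n")
        # A symlink inside the served tree that points outside it, e.g. one
        # left behind by an upload feature; the naive check never sees it.
        os.symlink(secret, os.path.join(root, "docs", "link.txt"))

        requests = [
            "docs/readme.txt",        # legitimate request
            "../secret.txt",          # obvious escape, both checks refuse it
            "docs/../../secret.txt",  # ".." after a real component: slips past the naive check
            "docs/link.txt",          # symlink escape: slips past the naive check
        ]
        secret_real = os.path.realpath(secret)
        results = {}
        for req in requests:
            naive = naive_falsepath(root, req)
            confined = confined_path(root, req)
            results[req] = {
                "naive_allows": naive is not None,
                "naive_leaks_secret": naive is not None
                and os.path.realpath(naive) == secret_real,
                "confined_allows": confined is not None,
            }
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(req, verdict)
```

The point of the hardened version is that it checks the path the OS will actually open (after symlink and ".." resolution) rather than the string the client sent; string-level filters like the naive one are what "think about it for a bit" gets you around.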

  122. Umm... No... by ??? · · Score: 1

    This is a tool that needs to be run and installed (server-side) just like anything else. It does not just "allow anyone to remote control a computer." The only security holes that it takes advantage of are the ability to hide itself (a hole that SMS apparently exploits as well) and the ignorance of the users. SMS or pcAnywhere could just as easily be used by someone for inappropriate/illegal purposes...

  123. You stole my thunder by The+Silicon+Sorceror · · Score: 1

    I reported this two days ago in a post to the BO2K/Open Source thing. It stayed at a score of 1, though. Now watch them moderate this one to -2 for being off-topic. Just you watch. They're all against me.

    --

    ~ Give me 101 plastic soldiers, and I will conquer the world.
  124. But what, exactly, makes BO2K a cracker tool... by Sun+Tzu · · Score: 1

    ...and SMS not one (assuming SMS not being one is part of your point)? Is it based on the intent, background, reputation, or nicknames of the developers? Or is there some technical reason to make BO2K a cracking tool and SMS not one?

    1. Re:But what, exactly, makes BO2K a cracker tool... by TheTomcat · · Score: 1

      While I don't disagree that SMS could be used as a cracking tool, it is less likely a hacking tool. How many casual hackers do you know that have an extra $1000USD to spend on software they could get for free? This, realistically, makes BO2k much more of a hacking tool. My guess is that most people who 'crack' for a living wouldn't be willing to pay $1000 to do so..

    2. Re:But what, exactly, makes BO2K a cracker tool... by Procyon101 · · Score: 1

      Legit use: I had to lock up a rogue DHCP server that was spewing out bad addresses to machines and no one could get net access... Couldn't find the physical machine so we just locked it up... didn't use BO2K for it, some other script, but it saved the day.

    3. Re:But what, exactly, makes BO2K a cracker tool... by Cebert · · Score: 1

      Actually, most people who 'crack for a living' wouldn't give a pair of old man's kidneys about actually paying for it, when w@r3zl0rD can grab 'em a copy for nothing, hence putting SMS (which constantly makes me think Sega Master System) and BO2k on the same playing field. ;)

      --
      -- www.bteg.com | bleh.n3.net | hac47.dhs.org
    4. Re:But what, exactly, makes BO2K a cracker tool... by ufdraco · · Score: 1
      Well, the fact that there is a "Lock-up Machine" command probably doesn't help very much. From the BO2K web site:

      Lock-up Machine

      Makes the server machine completely unresponsive. The mouse will not move, and the keyboard will not work. Grinding halt. Also makes the BO2K server unresponsive and will kill your connection to the server after the protocol times out.

      Keep in mind, they didn't say temporarily lock out--it completely kills the machine! So that might be a bit of ammunition for M$. Or is there actually a legitimate use for this?

      Of course, I still think it's a great program! I intend to use it on my own machine at school once I get back.

      --

      ufdraco

    5. Re:But what, exactly, makes BO2K a cracker tool... by ufdraco · · Score: 1
      You've actually caught a cracker in the midst of doing something nefarious on your network. You want to preserve evidence of his crack-in-progress, while preventing any further damage.

      The user would probably curse NT for crashing for no good reason and seeing that he couldn't shut it down properly, would simply flick the power switch. There goes your evidence. But you do have a point, as long as the admin makes sure to log (perhaps through a series of screenshots) what he was doing before halting the system that would work out well. Of course, calling security might be more effective. :-)

      --

      ufdraco

  125. Re:Depends on how you look at it. by drudd · · Score: 1

    I agree that trojans aren't really the fault of the operating system... to a point.

    If an admin is stupid enough to install something like this, then they deserve what they get.

    The real question is whether joe user, who barely understands the difference between a computer and their toaster can install this and have it provide access to sensitive files.

    It is the job of the operating system (especially one in a networked environment) to limit the ability of users, and programs run by users, to modify, delete, view, or execute certain files. Otherwise the operating system is wide open if someone can get ahold of a simple user account.

    Doug

    --
    Venn ist das nurnstuck git und Slotermeyer? Ya! Beigerhund das oder die Flipperwaldt gersput!
  126. BO2K to be used in Public High School by Chandon+Seldon · · Score: 1

    The network admin at my town's public high school intends to use BO2K as a remote admin tool. This is because it has the best usability/cost ratio out there; the fact that it has "superfluous features" that he doesn't intend to use doesn't make it any less a very good remote admin tool.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  127. BTW: BO2K IS intended as a legit remote admin tool by Chandon+Seldon · · Score: 1

    Check out the BO2K website at http://www.bo2k.com/ if you don't believe me.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  128. 14 character min only for 3DES by Chandon+Seldon · · Score: 1

    If you are using XOR "Encryption" then the password min is 4.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  129. If you leave open your door . . . by Chandon+Seldon · · Score: 1

    then it isn't breaking and entering if someone comes in and takes your stuff or messes up your stuff. It should work the same with computers.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  130. There's a couple good console locking proggies. by Chandon+Seldon · · Score: 1

    lockvc
    and another one that I don't remember the name of.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
    1. Re:There's a couple good console locking proggies. by Chandon+Seldon · · Score: 1

      You'd have to intentionally switch back to a VC, get a shell prompt, and type "lockvc" or "vlock". These programs, AFAIK, completely lock out keyboard input.

      I think that the only way to get xlock to fully lock a user out of the system would be to either fix the hotkey bugs or to have logged in with XDM or equiv.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  131. He could be doing it as the lab admin, by Chandon+Seldon · · Score: 1
    or with permission.

    I fully intend to install BO2K on all my school's computers when I return to school, with the help of our network admin.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  132. Nak by Chandon+Seldon · · Score: 1

    Be understanding that BO2K is a perfectly good remote admin tool, just like any commercial product (except is GPL, not commercial)

    Be reading entire site at www.bo2k.com before you make judgement on what is BO2K and what it is intended for/good for.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  133. Yea, he can be shot, but . . . by Chandon+Seldon · · Score: 1

    it's still second degree murder.

    I wouldn't do that if I were you. It's only legal to shoot an intruder in self defense, at least in MA, US where I live.

    --
    -- The act of censorship is always worse than whatever is being censored. Always.
  134. Down with spelling flamers!! by __aahyzr9271 · · Score: 1


    You need to remember that there are people on the net who use English as a second language, and that there are also people who have physical and mental disabilities.

    I will never be able to spell well enough to win a spelling contest, or to be a professional proofreader. Sure, there are spell checkers, but those things are far from perfect, or even close to perfect. For example, when I put "efics" into a spell checker, it came out with a few correctly spelled words that had different meanings from what I wanted to say. If the word "ethics" was spelled, for example, "effects" in my previous post, that part of the post would not have made any sense.

    FYI, spelling flames are considered to be a major violation of netiquette. Also, if you have a real disagreement with someone, take it up with the person through private email. A public forum is not a good place to carry on a disagreement with someone. Another thing, the (sp?) means "I know that this is the wrong spelling, but I don't know of a better spelling at the moment, so this will have to do".

    I don't usually bother with dumbass flamers, but, demon, I'm going to assume that you are a newbee who doesn't know, or fully understand, the ropes. If you're not, then you really need to get your head out of your ass.

    Demon, if you are a college graduate, then I feel sorry for other college graduates who will now have to put up with the reputation, that you just single-handedly gave them, as anally retentive blowhards who have nothing better to do than post spelling/grammar flames. If you're so anally retentive that you think that a misspelled word is the end of the world as we know it, then I strongly suggest that you learn to relax, grow up, and get a life. Your own. :P

    1. Re:Down with spelling flamers!! by __aahyzr9271 · · Score: 1


      If you were from a foreign domain that was obviously from a non-English-speaking country, I'd buy this excuse. I don't think that 'wvsc.edu' falls under that particular area, however.

      You're forgetting that there are people in the US who use English as a second language. There are also people who have only been in the US a short time, and do not yet have a good grasp of the English language.

      You obviously haven't fully read my post, or you would have picked up on the fact that there are people who have physical and mental disabilities, and where I mention (I shouldn't have to spell it out) that I will always be a poor speller because of a learning disability. FYI, a learning disability is not the same as mental retardation; those are two very different things.

      Ethics is a major class in most colleges that I know of. I just find it quite amazing that someone who is (obviously) going to college wouldn't know that.

      I do, but I don't see what, if anything, this has to do with your spelling flame, or my response to it.

      I'm not a "newbee" (newbie), but thanks for playing anyway.

      AWW, now who would've known. ;)

      I read through some of your earlier posts, and you don't seem to be the type of guy who flames people just for kicks, so I don't know why you suddenly decided to start now. At least as a newbie you would have had an excuse, but as someone who has passed the newbie stage, you really should've known better. Most people who have passed the newbie stage already know that spelling/grammar flames are considered to be very rude, unnecessary and unwelcome, to say the least. They also know that there are more important things to flame about than spelling/grammar errors.

      I'm not that anally retentive. Or maybe I am. I've never bothered to check. :p

      Could've fooled me. :P

      At first I thought you were an arrogant newbie; now I know you're just arrogant, with a large ego to boot. In fact, I take it back about your head being up your ass. I now know that it would never fit. ;)

      And I'm glad you love me so much as to reply to me. If I'm just a "newbee flamer" who isn't worth your time... I'm just so glad you care so much! ;)

      I don't. As far as I'm concerned, you can go play with yourself. I only bothered because I wanted to make a point: if you keep flaming people for the wrong reasons, especially for something as trivial as a spelling error, sooner or later someone's going to flame back. Now, I would have been nicer about it had you not come off as such an arrogant, self-righteous, nit-picking jackass with an oversized ego, but if you thought my response was harsh, just wait until you tick off someone who really knows how to flame. In fact, there are newsgroups and websites available that are devoted to teaching people how to flame properly, a skill you could use if you want to continue playing your flame "game".

      You probably will read this, and choose not to listen to what I said. Too bad. Reply to this, or not; I couldn't care less. If you don't want to listen to me, fine with you. But, if that's the case, I'm not going to be interested in hearing what you have to say. :P

      I'm going to go on with my own life now, thank you. I suggest that you do the same. You may think this is a game, fine with you. But, I'm not going to play your lame game anymore.

      Have a nice life pal, whenever you get one.

    2. Re:Down with spelling flamers!! by __aahyzr9271 · · Score: 1


      By the time I saw your message, I had already posted a reply to your previous message. You may want to read it anyway, as it makes an important point.

      I'm sorry for any hurt feelings, but that's just the way I see it.

      Apology accepted, demon, now let's get on with our lives.

    3. Re:Down with spelling flamers!! by slimharpo99 · · Score: 1

      You're an idiot, demon. This guy is obviously smart, as evidenced by the coherence and acuity of his posts. I know several people of well above-average intelligence who can't spell to save their lives. Who makes the world worse, bad spellers, or prissy little dried-up geeks like yerself?

  135. Re:Both Right, Both Wrong by Kool+Moe · · Score: 1

    The distribution with the virus was a lame oversight, and I'm sure it won't happen again. Someone already pointed out IBM's error. Here's a somewhat similar one just made by MS (granted, not a virus, but it shows any company can slip up; then again, how could they not write a basic javascript function correctly when they have the steps/keys RIGHT IN FRONT of them?).
    ---

    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
    ********************************
    Microsoft Security Bulletin MS99-025
    (http://www.microsoft.com/security/bulletins/MS99-025.asp), which was
    released on July 19, 1999, discussed a vulnerability associated with
    Internet Information Server and Microsoft Data Access Components. The
    Frequently Asked Questions (FAQ) page for this bulletin
    (http://www.microsoft.com/security/bulletins/MS99-025faq.asp) provided
    instructions on how to manually change the registry in order to protect
    vulnerable systems, and also provided an automated method for making the
    changes. However, we have discovered that the automated method is
    incorrect.

    If you manually changed the registry entries as discussed in the bulletin,
    you do not need to take any further action. All of the information in the
    bulletin and FAQ regarding registry keys is correct. However, if you
    downloaded HANDUNSF.REG and used it to automatically change the registry,
    you should download the corrected file and run it on all affected systems.
    The corrected file is named HANDSAFE.REG, in order to make it easy to tell
    that you are using the right file. The file can be downloaded from the FAQ
    page; the link to the file is contained in the answer to "I have MDAC 2.x
    installed, what should I do?".

    --
    Kinda like Moe, but just a little more Kool
  136. what you're all missing by mystyx · · Score: 1

    My job runs SMS, and I hate it. When a sysadmin can tell me to get back to work, that's bs. Fortunately, I'm cool with the admins, so it's just a joke. I'm amazed that no one else has pointed this out yet (and my apologies if you have), but if BO2K is OpenSource, and has the same functionality as SMS, why not do an OpenSource SMS client? Then, even if you got sued by M$, you could state BO2K as your code base, which would then have to refer to BO2K being like SMS, and make M$ admit they have a $1000 hacking tool.

    --
    PassiveRoot
  137. What really IS going on here? by PhaseBurn · · Score: 1

    I personally think that Microsoft is attacking BO2k so much because cDc is not exactly a so-called company like Netscape or Sun... They have no choice in the matter with either of them, as both companies have public support as well as an established business... cDc, however, is a small group of internet hackers who threw together a remote admin tool which challenges one made by Microsoft. It's not that they believe it's a hacker tool, it's that they're trying to knock out competition before it even starts, regardless of how it's done.

    --
    -PhaseBurn Welcome to Linux country. On quiet nights, you can hear windows reboot.
  138. HAHA. by FunOne · · Score: 1

    That is the FUNNIEST thing I've ever seen!!!

    FunOne

    --
    FunOne
  139. Who cares/What's the point? by cyphunk · · Score: 1

    Why does it even matter what MS thinks or says? So they say your tool is a "Hacker Tool". Considering the fact that the cDc is not selling BO2K, I don't see why it matters. I mean, do we really care about market share when it comes to BO2K vs SMS? Or are we just trying to, ahem, bitch as much as we can about a stupid issue? What is the point?

  140. visibility of SMS by PinkFreud · · Score: 2

    On my NT Workstation box, I can see the SMS client - the process list has SMSAPM32.exe and smss.exe listed, as well as a Systems Management icon under Control Panel. However, this visibility is probably due to my administrator access, both locally and in the domain.

    One interesting thing to note about SMS, though - we applied SP 1 to it, and a previously unknown bug appeared (something to do with a certain configuration), where the client began to cause errors on seemingly random machines.

    We're now in the process of removing the client.

    Ahh, how I love Open Source...


    PinkFreud

  141. MS is right...this time by MooseMunch · · Score: 1

    Yes, both Back Orifice 2000 and SMS can run without detection. You have to look at the mindset of publication though. SMS is a valuable tool that is used more for standardization of settings and volume deployments of software. The cult of the dead cow specifically states in a press release that their package is written because Windows has no security... So they say they are exploiting security holes, yet helping administrators... Maybe someone can clear this up for me. You can't charge someone with something you are guilty of. Of course I run linux anyway, so it really doesn't matter much to me :)

  142. U can just disable SMS by dacodo · · Score: 1

    We have it here at work too. All you have to do to disable it is go into the "services" section of the control panel.

    1. Re:U can just disable SMS by dacodo · · Score: 1

      No access is available on my PC from remote. I have removed all shares and there is no other way in from remote that I know of. Plus I have already played with that ini.

    2. Re:U can just disable SMS by dacodo · · Score: 1

      We're on NT running in FAT. Hardly any security at all. Pretty pathetic for the largest company in the world. :)

    3. Re:U can just disable SMS by NtG · · Score: 1

      I thought (at least here in Australia, anyway) that GE was either bought out, or bought a heap of companies out, and is now known as LG? On the other hand, I probably have no idea what I'm talking about.

    4. Re:U can just disable SMS by msm1th · · Score: 1

      GM is the largest, according to Fortune 500.

  143. Who needs to check for SMS? by MythoBeast · · Score: 1

    If SMS is like other Microsoft products, then there is no need to run a virus check for it. It would have the patented Microsoft trait of gobbling down your resources and bringing the system to its knees. Of course, if you run too many other MS products there will be no telling which one is doing it at any one time...

    --
    Wake up - the future is arriving faster than you think.
  144. Yeah right by Keeper · · Score: 1

    So because MS writes software to perform a certain function, then I can't write software that performs a similar function.

    People like you are why Apple sued Microsoft over "look and feel"...

  145. No one has mentioned... by Spyky · · Score: 1

    I can write a malicious Macro Virus in Micro$oft Word just as I can use BO2K or even SMS to maliciously tamper with someone's machine. I argue that M$ security problems with Visual Basic in its Office apps are far more of a security problem than trojans like BO2K. Windows has a LOT of security problems, least of which is the "features" that cDc took advantage of to hide the trojan in other processes' threads. Micro$oft needs to shut up and start fixing holes and stop pointing its fingers at people who exploit them. That's what people do, it might be wrong, but people are going to do it anyway. Shut your hole and start fixing security issues Bill.

    Spyky

  146. Re:I wonder how many law enforcement agencies use by norm_bone · · Score: 1

    Funny you should say that. I read this article on Yahoo just today. It talks about a similar "Law enforcement only" program called DIRT. It mentions BO, too, but was just a little condescending. Scary to think of law enforcement using this on a regular basis.

  147. Depends on how you look at it. by kgasso · · Score: 1

    This one's quite simple, BO was _not_ the first trojan for Windoze - they just got so much fame because CDC released it at Defcon, to get the "ooh"'s and "aah"'s from the script kiddies and the wanna-be hacker community.

    I'm sure if you look hard enough, you'll find older trojans that were released long before BO was a twinkle in CDC's eyes. PC-Anywhere has been around for quite some time, and it's a remote-administration tool - if someone's tricked into setting it up, their computer can be controlled remotely. That's all there is to it.

    BO is not a security flaw in m$ windoze, as they claim it is. A trojan can be written for BSD, or Linux, or any other OS for that matter. User stupidity (running a trojan) isn't the operating system's fault.

    That's my $.02

    1. Re:Depends on how you look at it. by kgasso · · Score: 1

      This reminds me of how NT and UNIX admins differ in their views on security.. So many times I see NT admins always using administrative logins to do stupid, simple things - including downloading/installing third-party software, even when much of the software did NOT need the installer to have administrative privileges.

      When dealing with a UNIX admin, however, I notice that they almost always use their non-root account for installing, and only 'su' to do one task.

      While most O/S's deal with how to differentiate between a uid0/administrative account and a lower-level/user account, the user has the responsibility for using this. Unfortunately, most home users' operating systems do not support a true multiuser environment. (e.g. windoze 95/98 - everyone has administrative power)

      -k

  148. Re:micro$haft needs a life (far away) by kgasso · · Score: 1

    Saying something like this PROVES that BO is abused by people... sure, it could be a legitimate "remote administration utility", but when I hear this, I'm reminded of the millions of script kiddies rejoicing at Defcon when it was released.

    The only "obvious" weakness in Windows (95/98) is the lack of powers per user (i.e., everyone has administrative power). In my opinion, the only thing BO ever exploited was user stupidity.

    On another note, adding "open source all the way" makes me sick. This is NOT what open source was made for: script kiddies copying/compiling/running lame little backdoors and exploits. Yes, I support full disclosure with security issues, but you're looking at open source from the wrong perspective.

    I'm sure your school's lab admin would really appreciate this. If you were caught, you'd probably get expelled.

    Have a nice day.

  149. Re:Security Geniuses at Microsoft by jflynn · · Score: 1

    I don't know... the security at Black Mesa didn't seem that hot either -- didn't slow Freeman down much anyway :).

    Jim

  150. EASY by ffatTony · · Score: 1

    Nope, it's really easy to mess with an NT machine. Just boot off a floppy with linux and NTFS read/write support. I am using kernel 2.3.11 and copying to and from ntfs works fine, but deleting is a little weird. Files I delete on the NT machine seem to be changed to 0kb (effectively deleting them), but remain.

    After doing this you are free to play with whatever you like. BTW c:\winnt\repair\SAM._ is a file of the winnt passwd hashmarks. You can import this into a tool such as l0phtcrack and with a little time attain passwds for all accounts on that machine.

    Linux is equally vulnerable should the user have access to the actual machine. This is a great flaw in my opinion. My school has circumvented the problem by not allowing the Lab machines to boot off floppies, but users could still physically damage the machines.

  151. Re:HAHAHAHA by ffatTony · · Score: 1

    I am a registered user and I agree with the AC. Although I'll try to make a less flammable comment.

    IE5, probably because of its integration with windows, voodoo magic, and the nerve gas MS had reportedly released on the Netscape compound renders faster and appears to be a better contender than Netscape 4.61 and with AOL as its adopted parent I have little hope for netscape's future. Mozilla is in an equally poor condition. My hope lies in opera or a clone of that technology. I also really like Lynx.

  152. BO and NT? by ffatTony · · Score: 1

    Shadow passwds help and all distributions I can think of use them by default, thus only with root access could a malicious cracker have access to your passwd and by then he would not really need to.

    I have little NT experience, but there are various user-levels and permissions, right? As I understood, unless the user was set to power user or admin he/she could not really do much to change the system. BO could be installed, but would it not only work for that user? I don't see how it would compromise the entire machine. It would only allow the cracker to remove files the user had permission to delete (right?)

    I would be curious to know if a cracker who was using BO on an NT machine and a user of that machine with limited permissions and BO infecting their Profile could still restart/shutdown/lockup the machine. I'm guessing not as the user cannot normally do these things.

    win 9x is another story..

  153. Re:Who cares? by fr0g · · Score: 1

    CDC have been around for how long?

    (at least over 10 years afk)

    I doubt they work at Taco Bell. With their skill sets they could work anywhere they wish.

  154. Re:Not quite the same ... what about PCanywhere by fr0g · · Score: 1

    Well, I could wrap up pcanywhere in a *.exe and let you run it without knowledge. Would you then put pcanywhere in the same group as bo2k?

  155. Re:HAHAHAHA by cdlu · · Score: 1

    Oh how true dilbert rings in the corporate world.

  156. Re:Probably used frequently by cdlu · · Score: 1

    http://www.defcon.org/html/defcon-2.html

    The sound file is a broken link.

  157. Re:I wonder how many law enforcement agencies use by cdlu · · Score: 1

    I know I'm posting this kind of late - I hope someone reads it anyhow.

    Can someone possibly get themselves DIRTed, then use tcplogd, wine and linux's netstat to see exactly how this soil works? Perhaps those of us who are unfond of that level of privacy-violating software who live _outside_ the States, where US cops (corrupt official policing services?) have no jurisdiction, can work together to fight back against DIRT and write detection software for the trojan.

  158. Re:Who cares? by cdlu · · Score: 1

    Heheh, over 10 years away-from-keyboard? :)

    They claim to have been around since '84.

  159. Re:MS Domain foo & VNC by jecpwx · · Score: 1

    Aha, someone else who has discovered VNC! A top tool.

    Aren't MS implementing a 'broken' version of LDAP in W2K? You wouldn't expect anything else really, could you? It would be too much to ask for them to just follow a standard...

    j.

    --

    Tally-ho, yippety-dip, and zing zang spillip. Looking forward to bullying off for the final chukka?
  160. Re:HAHAHAHA by Kisc · · Score: 1

    For the record, cDc isn't a bunch of 16 year olds :)

    cDc has been around since 1984, I believe.

    Also, it isn't the same thing; BO2K works better. But you knew that. What doesn't work better than anything microsoft built?

    --

    Failure is not an option.
    It comes bundled with Windows.
  161. You didn't already know? by NoWhere+Man · · Score: 1

    I can't believe people are just realizing this now... as soon as all the negative talk about BO2K generated by M$ came up, I was thinking "What about SMS?".
    The only reason why this is happening is because it was created by a hacker group; people always believe that hackers are out to destroy. And M$ doesn't consider them professionals (and we all know how professional M$ is) and that the result is a crappy piece of software. But in my opinion BO2K is a lot better than SMS; hell, there are tons of programs out there better than Microsoft's...

    --

    "Imagination is the only weapon in the war against reality." -Jules de Gautier
  162. Cause you can't... by NoWhere+Man · · Score: 1

    It wouldn't be the same program. BO2K is a program that takes advantage of the fact that there are some security issues with Windows...issues that are not present with Linux...

    --

    "Imagination is the only weapon in the war against reality." -Jules de Gautier
  163. Re:What about Linux BO2K *client*? by NoWhere+Man · · Score: 1

    There is a Unix port already for the client portion of the program. I answered as if he was asking for a port of the whole program, which isn't possible.

    --

    "Imagination is the only weapon in the war against reality." -Jules de Gautier
  164. Wouldn't it be sweet... by NoWhere+Man · · Score: 2

    Either Microsoft has to admit that they have the same program and recall it...or anti-virus software has to scan for it...if either of the 2 happen people are going to be laughing for days....

    But Microsoft will probably ignore the problem until it goes away

    --

    "Imagination is the only weapon in the war against reality." -Jules de Gautier
  165. Re:HAHAHAHA by Tiro_Dianoga · · Score: 1

    heh, true, once, but I just got Communicator 4.61 for my Debian box and it's both solid and handy.

    before I got it I used the Mozilla browser included with version 2.1 of the distro. what a piece of crap! I'll take Communicator any day, I don't care how much Mozilla has grown up, the version I was stuck with was so buggy it never should have seen the light of day, or a "stable" Debian release.

    but the topic today is Microsoft, and I have to be amused at how almost all of the MS defenders are posting anonymously. Every time a story about them comes up. Of course I would assume someone at HQ is going to read this, and tell them all to start logging in before posting for Bill's causes...

    on the issue of cDc, all I will say is they certainly have a certain flair for style :D

    --
    Boo!
  166. micro$haft needs a life (far away) by n3k0 · · Score: 1

    okay, I'll admit it, BO2K does have its "evil" qualities but it should NOT be considered a trojan horse nor should cDc be shot down just b/c they are pointing out the obvious weaknesses in windows. I am in no way defending cDc, but I hate to see the underdog (a.k.a. everyone but microsoft) keep getting kicked. If one is going to list BO2K as a virus, then SMS should be right next to it on the list (unless the list is alphabetical that is). Far as I'm concerned, BO2K is going on every machine in the lab as soon as I get back to school. open source all the way! I didn't think microsoft could get much greedier, guess I was wrong. so, is everything non-microsoft a virus in their eyes?

  167. This is so NOT true, its not even funny. by egentry · · Score: 2

    This is obviously just a ploy by cDc to legitimize a trojan horse app, that in 99% of all cases will be used to break into an unsuspecting user's machine.

    I have been involved in dozens of SMS rollouts. SMS is a network analysis tool, that has the capability to remote control client workstations on the network.

    In order for SMS to do this, you must install the SMS Client on a machine in the same Windows NT domain. This installation process will *not* run in the background, and will pop up several boxes to the user. Once the client is installed, the client configuration app must be opened, and the machine must be set to allow remote control. You also have the option of having a dialog box show up informing you that someone is connected.

    Along with these settings, every user that logs on to a network that is SMS aware knows that the client is installed, because it pops up an SMS configuration dialog box during every logon.

    This remote control feature of SMS is used primarily for network admins that need to remote control servers rather than client desktops. In fact, out of all the installations I have done, the only machines that have this option turned on are the servers.

    BTW, the SMS Admin tool that allows you to connect to the clients requires Windows NT, a valid logon to the Windows NT Domain that you want to administer, and a SQL server logon with appropriate rights to administer SMS.

    How many checks like this does BO2K do?

    Regards,
    eg

  168. Stealth and Administration by Limbo · · Score: 1

    I can't say that I care much for SMS. It always seems to cause plenty of problems. And yes, it definitely has some "Orwellian" overtones. The remote administration application I have had the most experience with is Timbuktu. It allows full access of the target computer, including behind the scenes file transfer. However, it lets the end user know when people are connected and who is connected. When someone connects there is an icon alerting the user to the connection, and an icon that alerts them that there has been a connection. And finally there is a log that keeps track of all connections by computer name and network address as well as by login name.

    For an administrator this is actually a good thing. That way you have proof if the user claims you were tampering with their machine. And believe me, I've gotten those accusations.

    I don't know why users think we have time to go through their hard drives and throw away random files....

    As for Back Orifice, I think the most impressive aspect is the small memory footprint. That is something the large companies need to emulate. And I think the biggest drawback of using it as a support tool is the lack of support and the skimpiness of the documentation.

    And yes... the lockup feature is really of little use to a System Administrator. Unless that user REALLY pissed you off. But then that would be childish. :-)

  169. Re:Very stupid question by FynadGaelica · · Score: 1

    SMS = Systems Management Server. It's Microsoft's "Big Brother" Software. Pretty cool - if you are a netadmin and don't mind running a 16 bit app in realmode across your workstations.

  170. SMS Limitations... by FynadGaelica · · Score: 1

    From my understanding, SMS only works on workstations of an NT/LM domain, and requires a domain login. When a user is a member of a domain, they are giving up certain "Rights" or "freedom" for the sake of central administration and access to shared resources. Typically, this is backed up by a corporate contract which states that anything on an employee's machine is owned by the employer. That said, despite the fact that SMS is indeed a Big Brother tool, it is up front as such, and its security threshold is limited to the scope of the domain and backed up by the user's decision to log into the domain.

  171. Re:SMS by ufdraco · · Score: 1
    SMS allows remote controlling of other computers. But in order to do this, the client has to be running the Remote Control program, which sits on the taskbar and blinks very clearly when someone is controlling your computer.

    Only if the sysadmin set it up that way. This can be turned off so the user isn't even aware that it is in use.

    This isn't exactly stealth. The person could easily close out the program which resides unhidden on the taskbar like a minimized program.

    Assuming they can see it (see above) and assuming they have the know-how and the rights to kill the program (it probably runs as an admin/the system, so the user wouldn't have the rights to kill the process--it isn't theirs!).

    There is also a line in autoexec.bat you need (something like SMS_SETUP=NT) which could be taken out.

    It can't be taken out if the machine uses NTFS and you don't have permission to even touch the file.

    --

    ufdraco