AP Story on Linux and W2k Cracking Contests

StirFry writes "The AP Wire has this story about the whole crack Windows 2000/crack LinuxPPC situ. And they even use and define the term 'crackers'. Best bit: 'But a log posted on the computer showed at least nine crashes caused by problems with Microsoft software, not the weather. Questioned about that, the spokeswoman said the computer was expected to be off line for some periods of time ``as customer feedback is assessed and integrated into the system.'' " Apparently the Linux box is still standing.

Yes!

[Mawbid]

nth post!
--

Re:uhhhhh

[just+someone]

Services froze.
For three hours this morning. 6:04-9:20. No guest page entries.

Not delivering web pages when all it does is deliver web pages is pretty close to a crash.

Seems to ignore the real problem. How much is it not serving pages?

And if the logs can be sent to another computer (perhaps over a second interface), why does one need to stop the computer to analyze logs?

Re:Not any apology for M$...

[dillon_rinker]

What we should look for here is MS' marketing message: We can't cope with managing one machine receiving high traffic while enduring a little foul weather? We hired tech people who can't configure a server to stay up reliably. We are unprepared.

Yeah, I agree. Some people at MS are going to lose their jobs over this. Perhaps then they'll be able to come in from the cold...

Re:Windows 2000 working, I don't think so...

[Ralph+Wiggam]

Did you get a copy with a MSDN Universal Subscription? I got "Windows 2000 Professional, Beta 3 Release Candidate 1 (x86) Build 2000" a while ago and it completely ate a hard drive. This was a test machine with a blank hard drive and I couldn't even make the 4 install disks (disk inflation from NT 4.0). When I tried to boot from the first disk, it completely screwed up the boot sector of the HD and quit. I went so far as reading the directions and I was doing it exactly right (having installed NT about 20 times on our 7 servers). Did you have to do anything fancy to get the install disks to work?

Before the Open Source police scorch my mailbox, the $1000+ MSDN subscription is paid for by my company, so it's free to me. I ran Linux when I was at school, back in the day.

-Barry

This is my .sig....or something

you should be writing for Segfault.org Shoeboy!

[maphew]

you should be writing for Segfault.org Shoeboy!

(or are you? I must admit I haven't been over
there for awhile...

-matt

Post this on segfault!

[digitalboy]

This story is good enough to make it on degfault.org

Hey, cool!

[Chris+Johnson]

_I_ have a Power Mac 9500 running linuxppc!
Coooool :) :) :)
Getting one will cost you under a grand, somewhat more to trick it out with lots of RAM and stuff. Is it upgraded with, say, a 200Mhz 604e like mine, or is it the original 132mhz 604 running it?
9500 has 12 ram slots, 6 PCI slots, and two entire plain SCSI busses built right in. Whee! Now if I had lots more drives I could actually start using it to its capacities.
I take it the linux 9500 has been handling slashdotting gracefully? That's very interesting to know.
Final note- the power supply on these kicks ass. I've had brownouts knock my (separate, wall-wart powered) modem offline and make the monitor hiccup and not even cause the powermac to blink. So the linux box up against W2K is probably even better at being hit by lightning ;)

Re:uhhhhh

[dattaway]

Thank you for wishing me a better life as I enjoy opening documents and not having to worry about viruses. I enjoy a better life without rebooting and downtime every time I wish to install something. Thank you for understanding.

we should take up a collection

[pohl]

Pass the hat: buy a UPS for MS. 8^)

Weather Hacking

That old lightning storm attack never fails... must have taken a hell of a lot of work by the hackers though.

Re:Weather Hacking

[dr_strangelove]

Those 100 farad caps are tough to come by...

Re:uhhhhh

[Beached]

Why shouldn't it coun't. If i am running a production system, it should not go down for any reason. I'm sure MS has the knowledge to setup a Win2K box properly. It must come down to my second pet peive of Windows, you have to reboot to change anything; number one being that it crashes so often.
The Linux box, on the other hand, has had services turn on and off but it remains up and strong. They are actually turning on services until someone cracks one (if that happens).

my 2 cents

Re:uhhhhh

[dattaway]

Reboot? Crash? What's the difference? Its all downtime to me. So much for increased stability. That's what you get for selling yourself to closed source.

Re:uhhhhh

[SoftwareJanitor]

I wish reporters would read the fsck'ing logs. The Win2K box crashed once (but it had reboots and service restarts).

I still wouldn't consider that acceptable for the small amount of time that server has been up. If Microsoft is going to issue a challenge, then they should have done their homework and had that server ready to handle anything conceivable including power outages and SYN flood attacks.

Once again, the anti-MS FUD spreads....

Oh please, the amount of MS favored (if not outright sponsored) FUD outweighs any anti-MS FUD by several orders of magnatude.

The double standard that the industry, Slashdot and the media has with Microsoft is sickening.

Yes, it is, the media is still far too biased towards Microsoft. And as long as Microsoft is one of the largest advertising dollar spenders, that probably won't change. What is (pleasantly) surprising is that there is still enough journalistic integrity out there that any news unfavorable to Microsoft ever gets reported.

Why can't we get back to doing what's important: improving people's lives through software/hardware?

I wish that Microsoft couldn't be described by replacing 'improving' with 'controling' above.

Linux has improved my life, my life would be greatly improved if I didn't ever have to deal with the agony resulting from Microsoft software. I've managed to get rid of most of it, but I still occasionally have to deal with it at work.

Re:uhhhhh

[eriko]

I tried to read the log-but I can't get in.

Furthermore, a reboot or a service restart is, in a production box, exactly the same as a crash. If a service stops working, it's the same as crash, as far as the user is concerned. A web server that cannot serve webpages is USELESS. A ecommerce site that cannot present a catalog or take a transaction is more that useless-it loses customers. Why is it that this wonder-fscking-ful operating system of yours hasn't been able to show me a page since tuesday..

-flips over, checks w2ktest-still dead-
-checks crackppc, sees this in log-
>Aug 7 1999 11:38AM CDT:
>Machine up 3 days. 0 min. Well this is >ridiculous now isn't it.

This lousy PowerMac 9500-a 18 month old box, has been beaten on for 3 days, is showing more services that the win2k box, and hasn't died yet.

Hasn't had a service that needed to be restarted yet.

Hasn't had a reboot yet.

Oh yeah-hasn't been broken into yet, either.

This isn't FUD. This is simple fact. www.windows2000test.com has shown that Windows 2000 and IIS 5.0 are not suitable for production use. So far, it seems that LinuxPPC is much closer to ready that Win2k.

So, why don't you go tell Bill that his OS ain't ready-and why don't you get back to work and fix the problems that Win2k has?

apparently life is really boring for a lot of you

[jhoffmann]

if you need something like this to work yourself up over, i feel sorry for you.

this is just another in a long line of publicity stunts that MS is trying to pull off. remember "scalability days" (i think that's what they called it)? terraserver? now this cracking test?
it's astounding that people have such short memories, but that's the way things works. each of these three displays fizzled at first, then they got swept under the carpet. the problem is that if it's a win for MS, it's a _big_ win because they can market the hell out of it. if not, somehow they make everybody forget about it. (maybe they have one of those memory-eraser things from "Men In Black" - heck, all those billions of R&D have to go somewhere. i don't thing they've ever actually pulled a product out of R&D, it's all copying/embrace & extend).

anyway, some things:

1) the contention that it's beta software -- if it's beta, then don't expose it to a huge media frenzy. if you jump into the fire without an asbestos suit, you're going to get burned.

2) this is such an invalid test, i wouldn't be surprised if was being administered by mindcraft. i mean, come on, who thinks they're actually going to see any valid test results from this. i feel sorry for anybody who actually takes this test to be a test and not a stunt.

3) the volume of attempts on NT vs the LinuxPPC box have got to be skewed so horrendously that this comparison shouldn't even be brought up by any respectable reporter without finding out what that difference is and reporting it.

Re:Not any apology for M$...

[Tincan]

Are you kidding? There is zero chance that they are having weather-related problems that would cause a server to go down. I can understand a breach of connectivity, but this is Microsoft... they probably have UPSs.

Customer feedback

[Frank+Sullivan]

Dear Microsoft:

I want an operating system that can run under significant load without crashing. Until you can produce that, you can kiss my assessment.

Sincerely,
dave

---

Re:Are the "software-related" crashes meaningful?

[Stonehand]

Please, don't use automatic log clearing. *BAD* idea if you'd like to know how crackers got into a system, or even tried to.

Some would rather have a box go down, but be able to analyze the results, than let a cracker attack it and then be able to hide the results even if he failed to get full admin rights.

Not any apology for M$...

[InThane]

...but the weather here on Tuesday and Wednesday was spectacular. At some points the lightning bolts were coming so fast and furious that instead of hearing individual blasts of thunder, they were coming down in a continuous roar that never faded out. Scary, exhilarating, exciting, and my power never went out. We NEVER get weather like this in Seattle - supposedly over 1000 bolts touched down Tuesday night alone!

This is no apology, though - 9 unscheduled non-weather related downs, and they blame it on the weather? Morons.

Re:Not any apology for M$...

[remande]

To those at MS who set up this test: Linux is currently (in fact, always) accepting converts. It is never too late.

Re:Not any apology for M$...

[NtG]

Other way around. Satan sold out to MS like everyone else.
But why not? he gets his own homepage and free copy of win2k.. and best of all, he gets to change his name to SatanMSN

Re:Not any apology for M$...

[SmileyBen]

Even if it were true that the weather affected the test, I don't think this is any excuse for Microsoft - Message from God more like!

Re:Not any apology for M$...

[My_Favorite_Anonymou]

Not from God, satan. The Devil is coming back to claim the other end of the deal that he made with BillG 15 years ago in which BillGa~1 sold his soul to satan.


CY

Re:Not any apology for M$...

[lisa]

The weather was spectacular. Although for me, being from out of state, it wasn't a new thing. It was interesting to see how Seattlites reacted-like it was the end of the world or something. Apparently, not even Microsoft was prepared....


-Lisa

Re:Not any apology for M$...

[Scott+Francis[Mecham]

Heh, while I'm stuck down in Portland working, my mom emails me from home in Redmond to tell me that the family dog exhausted himself barking at all the thunder.
Although Portland didn't have too bad of a lightning show the other night--it reminds me of when I was travelling through New Mexico and saw a lightning storm that reset the arcade game a few friends of mine were playing. ;)

Check out the site...

[jammer+4]

Just checked in on http://crack.linuxppc.org. It's getting quite a few hits. I love the one status update though:

Aug 6 1999 part 4 12:38AM CDT:
At a rate of 2 million packets per hour/ someone appears to be using a brute force method to guess the passwords. Does this kind of attack count? Unfortunatly, they are trying to telnet in as root :) D'oh!

Gotta love it...

Re:Check out the site...

[grmoc]

Ohh Ohh.. that REALLY cracks me up..
I wonder if its some NT admin...?

Re:Check out the site...

[just+someone]

Enable the guest account.
Oops wrong OS.
Brute force a jcarr is a better solution.

Re:I can't believe its not BETA!

[HiThere]

Once they started taking money for it, it stopped earning any slack for being "beta". Or isn't this the version they were "selling"?

Re:windows 2000 not even finished

[Stonehand]

?

Is untested software ever considered finished?

Good LinuxPPC publicity, any other PPC distros?

[Ben+Smith]

Sounds like alot of good linuxppc publicity, though I kinda feel that the distro is 'dumbed down' a bit for old mac users new to linux.

I'm gunna get my hands on TurboLinux for PowerPC, it seems like it would be more in my arena. Or possibly Debian. I really wanna try out Yellow Dog.

Anyone know of any other Distros for PowerPC?

Re:Good LinuxPPC publicity, any other PPC distros?

[AArthur]

huh? And your same thoughs apply to Red Hat Linux 6.0 on x86?

LinuxPPC isn't really dumbed down, it's about as hard or as easy to work with as Linux x86. It has the standard RedHat 6.0 installer that we all know and love (and can use in your sleep), or a new X Linux installer which lets you use a graphical gtk-perl based installer.

Installation is much like RedHat Linux 6.0, the installer has virtually everything the same, including Xconfigurator, and all of the other standard tools. You can boot Linux via either Quik (sorta like LILO for PowerPC systems -- it uses OpenFirmware which is about the equvalant to x86 BIOS) or using the handy BootX utility that allows booting from the Mac OS, is easy to use, etc.

Yellow Dog Linux is much like LinuxPPC, since they are both RedHat-Linux based, so they share installers that look and feel the same and quite similar pakcages. I might mention that parts of Yellow Dog Linux Champion Server 1.1 are higher quality then LinuxPPC, and seem to work better.

Debian/PPC is still an unstable version of Debian, it doesn't yet have a PowerPC installer (you install RedHat-type Monolithic PowerPC Linux and then replace it with Debian).

TurboLinux/PPC is quite dated, the last time I checked it was still using glibc 1.99, instead of glibc 2.1, but that may have changed, since TurboLinux/PPC is more of an far east distro then other PowerPC ones. Again, RedHat-Linux based.

Lets, not forget MkLinux Release 1, which is another RedHat-based PowerPC distro, which is currently in developement. It uses MkLinux Genric 8 alpha something for a kernel, and well it should be released this fall if all goes well.

Re:Good LinuxPPC publicity, any other PPC distros?

[Hollis]

Yellow Dog *is* LinuxPPC. Different packaging. Whenever people ask them the differences between YDL vs MkLinux and LinuxPPC, they're always very careful to compare only to MkLinux.

I think TurboLinux is working on an up-to-date version for PowerPC, but it's not done yet. They did have something older, but I don't think I've ever heard of anyone using it.

Debian for PowerPC lacks an installer and requires a LinuxPPC bootstrap process.

Re:IIS doesn't handle HTTP properly...

[PrinceOfChaos]

Try:
HEAD / HTTP/1.1^M
Host:www.windows2000test.com^M
^M

According to HTTP/1.1 standard you MUST include Host header in the request.

BETA?

[magnetx]

Is the Linux box software still in Beta? Like the Win2k box?
For some reason when Free Software bugs come up on SlashDot, BETA or PRERELEASE is always the excuse.
Just something to think about...

Re:BETA?

[jammer+4]

I don't think "beta" is the issue. Supposedly Redmond is running all their internal services on W2K so it's pretty much production anyway.

Re:BETA?

[mjankows]

its really ALWAYS in beta. There is not a finished product. Its just that the "beta" is a lot more usable than what proprietary calls "beta".
-Matt Jankowski

Re:BETA?

[nerv]

i understand what you are saying, but i think the whole point of the LinuxPPC deal is to show that Linux (maintained by a loose knit team of hackers), kicks windows2000 (an OS made by the biggest and most powerful software company). But even when Windows2000 comes out of Beta, it'll still crash on its own cause its NT based. You still have to admit, Win2K crashing while ONLY running httpd on port 80 and nothing else is quite sad, even in Beta Testing.

Re:BETA?

[oddjob]

One of the nice things about Open Source software is there is no _need_ to make excuses for bugs. There will always be bugs, but when you have the source and things are in the open, they are easier to find and fix. In the MS world, on the other hand, bugs are viewed as something that must be denied, covered up, blamed on someone else, or passed off as a feature until they can be fixed in a "service release".

New use for d.net: Site cracking in under 20 sec.

[Rocket+Boy]

Use d.net to crack passwords and you have a real purpose :)

Re:Interesting Take on the Story

[SoftwareJanitor]

I saw it more as Microsoft trying to tap a little bit of the Bazzar for debugging Win2k

I saw it as Microsoft trying a publicity stunt, and getting out-maneuvered by the LinuxPPC guy.

Here's a mention of slashdot

[K-Man]

Here is a story about the stunt from the Korea Times, with a mention of you-know-who. Darn it, there must be a lot of nerds in Korea.

I also spotted this article about a "Hacker's Lab" that allows crackers to work their way up to something like a "black belt" in cracking, by undertaking a series of canned cracks. It might be cool, might be lame, but it's kind of funny.

Re:uhhhhh

[dattaway]

People don't seem to understand why I hate Microsoft so much. They always insist its the hardware or user problem. Bad motherboards, network cards, or a clueless administrator. Well, if that's the MS way of putting the blame on perfectly good resources, they need to wake up. Seems like when you deal with NT, you make a deal with the devil and have hell to pay when things go south...

Re:windows 2000 not even finished

[rumba]

grow up

Its excellent

[macdaddy]

LinuxPPC 1999 (R5) dumb? Not at all. They turn off a couple of daemons by default and have a nice little X installer to simplify things for general users. Hell we have a pretty installer for the MacOS X Server and its as far from dumb as you can get. LinuxPPC is about as good as it can get. They've done a hell of a job or getting things out the door and into our hands. They are always quick to help solve problems too. If Jason and the rest of the crew were here right now I would definetly buy them a round of beers. They've worked their asses off and deserve it. Keep up the great work guys!

The w2k crack contest won't last too much longer

[agtofchaos]

I seriously doubt that w2k will last even half as long as LinuxPPC

Re:Are the "software-related" crashes meaningful?

[Barn_Owl]

Agreed. But they still could have the logs dumped to back up THEN cleared the orginals

Re:lightning in seattle?

[berniecase]

The lightning excuse was the worst one I've ever heard.

Alright -- yes, there has been some pretty strange weather this week in Seattle (I work in downtown, and I live just north of downtown), but I work with 3 computers all of which have been working without problems.

Ever hear of a surge protector, M$?

Apparently not.

Bernie

3 important men

[FunkflY]

I had to post relevant this forward email going around...

Yeltsin, Clinton and Bill Gates were invited to have dinner with
God. During dinner God told them, "I need three important people to
send my message out to all people. Tomorrow I will destroy the earth."

Yeltsin immediately called together his cabinet and told them, "I have
two really bad news items for you: [1] God actually exists, and [2]
tomorrow He will destroy the earth."

Clinton called an emergency meeting of Congress and told them,
"I have good news and bad news: [1] God really exists, and [2] the bad news
is tomorrow He's destroying the earth."

Bill Gates went back to Microsoft and happily announced, "I have
two fantastic announcements: [1] I am one of the three most
important people on earth, and [2] The Y2K problem is solved."

There's another W2K challenge out there.

[Shoeboy]

Managers challenge developers to get work done using Windows 2000
SEATTLE In a move that sent tremors of fear through the programming community, project managers across the country have begun challenging their developers to write code on Microsofts new flagship operating system, Windows 2000. The challenge has not been well publicized - most developers only find out about it after being shown a box running Windows 2000 and being encouraged to get to work. The prize for victory is continued employment. So far nobody has successfully completed the challenge, although there have been several notable failures.
"It was awful," complained unemployed programmer Greg Andrews, "I couldn't do anything. I slipped further and further behind schedule until my PM decided I wasn't up to the challenge and gave me the axe."
Several industry analysts blamed these failures on one of the ground rules laid out in the challenge - PMs refuse to allow hardware upgrades for W2K users despite the fact that it requires at least 256Mb of ram and a PIII-500 for reasonable performance. The analysts speculate that the challenge could still be completed if not for a few 'features' Microsoft included in order to make the challenge more, well, challenging. First off, is the extensive use of wizards, wizards are programs that require the user to navigate through a dozen dialog boxes in order to change even the most trivial of settings. Secondly, W2K makes extensive use of MMC a specialized tool designed to aggravate users accustomed to keyboard shortcuts.
"We aimed these inovations at administrators mainly," admitted a Microsoft spokesperson, "but we're pleased to note that all users of W2K have found their productivity reduced by these tools. Wizards and MMC are part of our Zero Administration Windows initiative whereby we make administration of windows such a nuisance that nobody tries it."
Still, many developers are hopefull that they will be able to complete the W2K challenge. Observered one developer, "I'm three weeks behind schedule right now, but I just discovered that if I disable the networking services and everything that depends on them, I free up just enough memory to allow me compile my 2500 line program in under 10 minutes. I might still have a job next week."
--Shoeboy

Re:windows 2000 not even finished

[slacker990]

...but it is finnish...

sorry couldn't help myself.

Re:Weather & power

[DrMaurer]

No shit, we got enough ups' on my work's server to power the city, not to mention the ones on individual PC's.

Yeah, we run novell here. We tried to impliment exchange server (so no-one would have to change e-mail clients), but, shit, all sorts of troubles. Groupwise (what we use now) has it's issues, but it works . . .

My next pet project: put a linux box on a novell based network. Should be fun . . .

thanks for the time

Or maybe God is a "cracker"

[nevets]

Maybe God decided to get into. And succeeded in cracking the system.

So is God the winner?

Re:windows 2000 not even finished

[Soggy_Man]

Kenya stop it. There's Norway I'm going to read any more of these.

proprietary software

[RoLlEr_CoAsTeR]

I recently noticed how Win95 would make this rapid flashing thing during bootup, right after the screen that says...hmm, can't seem to remember exactly what it says. Hmpfh, I'll get back to that later. Right now I've got this irresistible urge to buy proprietary software'n'stuff...
I'd say that I've experienced the same before.. but.. I can't ... seem.. to remember.....

Re:windows 2000 not even finished

[Malcontent]

Didn't I read a press release saying W2K was so finished and so stable that a huge number of them had been deployed at M$. Oh yea maybe they were lying they tend to do that don't they.

And this is *news*?

[RallyDriver]

Well, what did you expect? ;-)

"Beta"

[BugMaster+ChuckyD]

The whole point of Beta testing is to find flaws and bugs so you CAN finish the software

Realisticly

[BadlandZ]

The second they turn on fingerd (which they might if all other cracking attempts fail), someone can grab some usernames. At that point, there is hope at something like this, but not until then. But even still, if you assume a 7 charcter password that is all lower case text (24 possable characters), ther is still something like 200,000,000,000,000,000,000 possable combinations for passwords, isn't there? (what is the statistical calculation here, I forget, 7^24? or 24^7 or something, which would still be 4,500,000,000 combinations...)

I should dig out my statistics book, and count up how many usable characters there are for passwords... Then maybe time a login attempt from a fast connection... Hmm. Well, as long on the up side, I suppose you could run a mulitple attempts to login at once and cut the time needed down drastically. Anyone actually know what the right calculation is, and what the results are for number of possable passwords and potential time required is?

Re:Realisticly

[NotZed]

Read the manpage, there are 64.

Upper/lowercase alphanumerics (26+26+10=62) plus / and . (+2=64)



__// `Thinking is an exercise to which all too few brains

Re:Realisticly

[Chainsaw]

>Read the manpage, there are 64.

Whoa. 64^7 gives about 4398046511100 possible combinations, while 64^8 something like 281474976711000 (yes, near 262144 gigakeys).

Re:Realisticly

[jocknerd]

I'm 99.999% sure it is 24^7 which comes to 4,586,471,424 possible combinations. My question is why do you say 24 possible characters. Why aren't there 26? If its 26 then there are 8,031,810,176 possible combinations.

Re:Realisticly

[Stonehand]

With even the stock fingerd, you should be able to turn off the "finger @host" (namely, reject all requests that don't have a valid user name). That means that most telnettable user IDs would have to still be guessed.

I'm assuming that...
* They blocked direct remote root logins. 'course.
* The standard userids that don't ever log in, are blocked ('*'), and have non-valid shells.
* They didn't leave 'round a joke UID (like 'haX0r') just for the heck of it. :-)

In addition, even with a normal uid, they could have implemented access controls that forbid su-ing except for those in the wheel group, and then relegated those logins to only console. Or used S/Key, or other fun.

Probably not an effective attack other than its DoS aspects.

Re:Realisticly

[BadlandZ]

Actually, there are upper, and lower case characters, and numbers, and symbols, so, there are definately over 50, maybe somewhere around 75?

core dump

[Ross+C.+Brackett]

...the spokeswoman said the computer was expected to be off line for some periods of time ``as customer feedback is assessed and integrated into the system...''

I love it when marketroids encounter an unexpected directive. They seem to revert to their native dialect, marketspeak. I mean, c'mon - "feedback is assessed and integrated into the system?" What the hell does that even mean? She might as well have said "Beep. Marketshare. Assessment. Issue. Beep."

Some day, we may even need translators just to understand those guys. It'll be like that scene in Star Wars:


Uncle Owen: What I really need is a droid that understands the binary language of my marketing department.

C3PO: Marketroids! Sir -- My first job was programming apologists... very similar to your marketroids. You could say...

Owen: Do you speak technobabble?

C3PO: Of course I can, sir. It's like a second language for me...



Yeah, just like that.

Re:core dump

[chromatic]

I mean, c'mon - "feedback is assessed and integrated into the system?" What the hell does that even mean?

Well, we know it doesn't mean that customers are submitting patches and bugfixes that make it into the code.

They're probably just changing desktop themes or something like that.

--
QDMerge -- data + templates = documents.

This is scarcely a fair comparison

[konstant]

Not to defend Windows2000, which I know by experience to be pretty crashy and unreliable, but citing this as proof that Linux is more stable than NT5 is far from reasonable.

To begin with, as several other Northwesterners have mentioned, the weather on the day of the Win2k crash test was incredible. My girlfriend was practically struck by a lightning bolt on her way across the 520 bridge and when I made it home my cats were shivering in a dark corner, terrified of the incessant thunder. Very odd weather. Perhaps the Almighty was displeased with Microsoft.

And secondly, do not even try to suggest that the tidal wave of 3l337 d000dz breaking themselves bodily against the walls of that Win2k box were in any way duplicated in the case of the LinuxPPC. Judging from the volume of vitriolic comments on /., just a single ping from each of the would-be crackers would have been enough to constitute a DoS attack. Everybody hates Microsoft. Very few people hate LinuxPPC. The savagery of the attacks bear no comparison to one another. -konstant

Re:This is scarcely a fair comparison

[Foamy]

Blame it on the weather. Yeah right. I live in Seattle and yeah, there was some lightning (1000 strikes *StateWide* in 24 hours). After living in here for three years this seemed like a lot, but remember it is only because we never get lightning. Living in New Mexico and Arizona I can say that 1000 strikes per storm cell is not uncommon. And besides, many places in the world get many more strikes on a continual basis and yet their services don't stop... even when the power actually goes out. So don't blame it on the weather.

Your second argument may hold some water (some), but the server shouldn't crash. The worst it should do is tell you it's too wimpy to cope and to try again later. Plus the LinuxPPC is running on a 132MHz PPC 604, not exactly a mighty processor.

Just pointing out the ovious

Yo

The root password is "linuxppc"

[mmontour]

>Aug 6 1999 01:15PM CDT:
>In response to the brute force attempt, we have
>decided to save him the trouble: linuxppc :)

I guess the flood of ignorant packets got boring. :-)

Re:Sad.

[Syslevel]

The number of people you say are 'working on bug fixes and patches worldwide for Linux' is a rather uncountable number. Yes, that's by the nature of the development model it uses. But it's far fewer people than you imply. I would bet that less than 1 in 500 people using Linux these days has ever done more than rebuild the kernel source after a 'make xconfig'.

Some figures on the total number of different people who have submitted kernel patches would be in order. Plus maybe a list of the average number of people who have done so each month over the last six months.

I suspect it will end up being fewer individuals than are employed at Microsoft(~1) on Windows 2000.

In Seattle and Tacoma we all have UPS

[WillAffleck]

Seriously, what's with MSFT putting up a server without a decent UPS? I checked with some buds and they all have UPS and they just flickered the UPS lights a few times as they handled the lightning strikes.

So, no, this is NOT reasonable as an excuse. Operating a server, especially a web server, without a UPS in the Seattle region is sheer incompetence. A webmaster who did that without orders from above forcing him/her to not use a UPS would be fired.

'Nuff said!

Re:Gee, go figure

[Syslevel]

No Linux isn't a fluke. It's a fairly stable operating system for a lot of people. It has it's admirable qualities.

Wether the much vaunted Open Source Development Model is a fluke is still a matter up for debate, of course. We'll see, and of course if it is "The One True Way (TM)" we can deal with it then. Right now it's somewhat of a religious crusade.

Re:apparently life is really boring for a lot of y

[Kismet]

One unignorable thing, though, is that this provides us with entertainment. Something to read. Something to chuckle about.

Who cares if the world forgets about it? I, for one, view Microsoft as a sort of permanent circus, and find it even more hilarious that respectable people actually take them seriously.

It is good there are companies like Microsoft out there to alleviate our boredom.

Re:apparently life is really boring for a lot of y

[The+Original+Bobski]

maybe they have one of those memory-eraser things from "Men In Black"

"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Click
"I guess we'll never know, the batteries are dead."

Idiocy

[Shoeboy]

Observered? Yikes. I meant Observed. All other spelling and grammar errors are intentional.
--Shoeboy

Re:Gee, go figure

[Tau+Zero]

Check your sarcasm detector, I think you left it off.

Re:Slow down the server

[SamIIs]

I get 'no response from the server.'

You /.ed?

You didn't happen to put a counter on that page, did you? Heh heh.

More than 64^8 actually

[BadlandZ]

I don't think that is accurate... I think you can use the symbols too now, like !@#$%^&*() in your passwords, so that's another ten at least. So, maybe fingerd won't matter much if the password is creative enough.

Re:More than 64^8 actually

[ph43drus]

Guess what, there are even more than that.

Try looking at man iso_8859_1 (for US and most of western Europe I do believe), all those characters should be usable. There are also control characters allowed, say for instance ^F is legal, as well as a bunch more, I'm pretty sure that only three out of the control characters (^M, ^? & ^H) aren't usable (but don't quote me on that)... which would make the score much much closer to 200+ possible characters.. ouch. d.net would be strained to guess one of these passwords.

10E95 potential passwords.

[BadlandZ]

rob@water:~/ $ wc file.txt
1 1 95 file.txt
rob@water:~/ $ more file.txt
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV WXYZ1234567890-=`[]\;',./~!@#$%^ &*()_+{}|":?

So, that's 95, and I just tested something, I can easily set a 10 character password, so... 10^95 potential password possabilities, assuming you stay under 10 characters.

Hmmm.... I just decided to change all my passwords to a really long string!

/etc/securetty

[coyote-san]

For all the NT Admins breathlessly reading Slashdot to learn about The Opposition....

This is a major "D'oh!" since most (all?) distributions are configured so that telnetd *won't* allow "root" to log in over the network. Knowing the root password and a couple bucks will still only get you a cup of Starbucks coffee. "Root" is only permitted to log into a system from ports listed in the /etc/securetty file, and someone would have to be unusually braindead to add network ports to that file. (The normal procedure is to log in as a regular user, then 'su' to "root.")

Bottom line: a brute force attempt to telnet in as "root" has absolutely no chance of succeeding. The fact that someone is trying it simply highlights their own ignorance.

Re:uhhhhh

[Syslevel]

Oh, some of us understand.

We shake our heads sadly and wish a better life for you, but we understand.

Re:yahoo gives "Full Coverage" to linux (WOW!)

[WillAffleck]

Cool! Can someone moderate this up a few points?

Do I need to learn Korean first?

[Saadhaka]

I can't make much since of that site... HackersLab. I was amped about geting my orange belt in ping bombing. Guess I need to hit the books first. ÀüÅõ. ½Ã ÄÄÇÅÍ ÃßôÇÏÙ æ±â.

Re:uhhhhh

[Spazmoid]

Remember the Press Conference blue screen of death fiasco? Bill demonstrating 98 BETA's plug n pray usb support and it crashes. What did he say? "I guess thats why its still a beta"... DOH then W98 released and has had to be patched and re released like 95 did. The same shit will happen with W2k. What NOONE here seems to grasp is that any OS robust enough to handle all the various hardware and tasks we can throw at it is going to have problems here and there. The question becomes do you want an OS that you have to BUY the fixes for or do you just want to be able to scan the newsgroups and the dist's ftp to patch it up or add support for some new hardware? Do you want an OS that says well it should work with your equipment but if it doesn't your SOL untill we feel like developing/releasing a fix? Or, do you want an OS that outline right out.. this is what it works well with.. this is iffy... and this well.. good luck but check back later and it'll probably work... Geez....

Re:Looks OK to me

[punkass]

Check the bottom of crack.linuxppc.org...

Was crack crack win crack there previously? I don't remember it...

Makes you wonder if they even load it

[WillAffleck]

Haven't dropped by their site, but one wonders if they even have a load on it, with multiple groups of users sending different requests. Or is it just a one trick pony port 80 web server?

I don't blame them for shutting down telnet, if they expect hacks.

not to beat a dead horse

[mackga]

but it really seems to me that MS thought that it was asking for a nice gentlemanly round of fisticuffs w/ the crackers out there, but what it got instead was an alley fight. Quite a different thing when you're down and the fight doesn't stop.

Sure the weather must have been out-of-the-ordinary, but that really doesn't mean dick if you're serious about servers, at least in the real world outside of the MS campus.

Once again MS proves beyound a shadow of a doubt that it is basically a rank amature(sic) technology company that makes a Chinese fire drill look positively organized.

unprepared is as unprepared does

[xeno]

Not that this should devolve into a "My macho hardware has longer uptime than yours" thing, but it's just plain dumb to issue a public challenge when you're clearly not prepared even to support the event, much less the actual responses to the challenge.

The lights were flickering all evening at my place (in Seattle proper), and my UPS' kicked in several times. But none of the systems even hiccupped. One of the modems needed the power cycled after lightning hit a pole 1 block away (nice fireworks when the City Light transformer blew up), but for the most part, everything was as it should be. It just boggles me that my basement is better prepared for such events than the MS production server staging network.

Or maybe She-Who-Hurtles-Lightning just wanted to twist Bill's undies into a wee bit tighter bunch than they already were. Heh.

Re:apparently life is really boring for a lot of y

[umoto]

You're right--it's easy for technology buyers to forget Microsoft's failure incidents. The best example IMHO is the security breach discovered a month or two ago that lets anyone, anywhere break into any NT server. Notice how the news sites don't give this bug the attention it deserves. Reporters need to say that such a breach left open is probably the worst thing that's ever happened to an "enterprise class" OS. Yes, other OS's have had incidents, but the bugs were fixed expeditiously. Microsoft, like the software they produce, keeps getting bigger and slower.

However, general attitudes appear to be shifting toward alternative operating systems because they are becoming viable. (To some degree, they always were viable, it's just that people weren't aware of them.) Hopefully the attitude shift is not temporary.

Hey, what does that mean anyway?

[RawkettPenguiN]

"...the spokeswoman said the computer was expected to be off line for some periods of time 'as customer feedback is assessed and integrated into the system...'"

Perhaps I'm ignorant or merely excessively curious, but what the /heck/ does that mean anyway? Customer feedback assessed and integrated? What, they're going to release a service pack for it (in several months) because so many people found it completely ridiculous?

IMHO, Microsoft just shot themselves in the foot again. Let's laugh at them and move on. ;]

Windows 2000 working, I don't think so...

[nextreme]

Yeah, I had a chance to test my own copy of Windows 2000. The first thing I have to say about that is that it really sucked, it never crashed (BSOD) on me, but plenty of weird things happened that made me reboot. All I have to say is that Windows 2000 sucks. I am surprised that Microsoft even thought that it would stay up for even a day. Linux rocks windows, that's my 2 cents.

Re:Windows 2000 working, I don't think so...

[rhinoX]

What really bugs me about it are processes that WON'T DIE.
This happens especially often with explorer.exe. A directory window freezes, so you pop up the task manager to kill it - and windows tells you that it can't kill the process!

What a bunch of BS. You can manage to reset explorer, but when this happens to other programs the only solution is to reboot to kill it off. What a piece of shit.

Are the "software-related" crashes meaningful?

[Stonehand]

That is, are any of them not due to filled event logs, or very similar DoS's?

Non functional feedback page

[Slak]

Now the feedback page is saying that the comments field is required. Duh; where do you think I typed in my comments. M$ doesn't know HTML or validation, methinks.

Re:Non functional feedback page

[chazR]

It doesn't like it if you enter a large comment. It should either say 'Comment too long - try again' or 'Comment truncated'. 0/10 for web application development ability.

I suspect they're storing this in SQL Server. I wonder if it's on the same box, or another one 'outside' the firewall? Might be fun to play with some adjacent IP addresses....(It's M$, they could have been stupid - they have been before ;-))

Or is it 95^10 = 5.98E19?

[BadlandZ]

Hmm that sounds more realistic, 5.19E19... Still would take a while to brute force it, even with a username.

A little off topic

[DanaL]

I don't mean to go off on a tangent, but it's great to see that Linux reporting seems to be getting more and more accurate. You used to have to wince a lot at the misconceptions and errors that showed up in news articles about Linux, but this one summarized things well and I didn't see any glaring mistakes.

It's nice to see!

Sad.

[Matt2000]

The sad thing about this is that it seems Microsoft has spent so much on Windows 2000 that they can no longer afford to a UPS to avoid things like power fluctuations.

Thats what you get when you let a marketing person field technical questions, "Umm, my kid put a peanut butter sandwich in the disk drive and it crashed. Therefore my kid is the winner of the contest."

Re:Sad.

[edgy]

You're still missing the point. The fact that you have source means you're never dependent on a vendor (i.e. Microsoft) to fix a problem with the code. You don't have to wait for a service pack. You can hire someone to fix it yourself if it's not important enough to anyone else.

And that's one of the biggest benefits of open source in this case.

Re:Sad.

[j-p.s]

There's only so much money you could spend on Windows 2000, though, and after that you get no returns. Why? Because the number of people working on bug fixes and patches worldwide for Linux have far, far exceeded the number of people in Microsoft's software "engineering" department.

Linux has been tested to destruction by so many people, all of whom could have a good poke around in the code and say, hey! this bit doesn't work under this condition, so let's change it. Microsoft software has been tested in that way just by the people who wrote it. What do they expect?

Re:Sad.

[eoghann]

While I accept that having the code may mean that a significant number of people are able to fix problems themselves or hire someone to do it, that isn't the case for everyone.

Open source is not osme sort of magical cureall.

In some cases it might even be easier to get a company to fix their closed source than persuade someone to mofify open source code.

Re:IIS doesn't handle HTTP properly...

[TheHornedOne]

Yeah but he tried requests conforming to HTTP/1.0 and HTTP/0.9 standards, too. According to the latest RFCs, and all RFCs on HTTP, when possible, you should always be backwards-compatible.

needs more details

[nerv]

what I would like to be posted in the news is the fact that windows2000test has ONLY httpd running on port 80. That would not even make a practical server. The LinuxPPC server has enabled telnet to make it fair. Oh well, at least the story used the word 'crackers' correctly.

Average Win2kTest server uptime

[kspett]

The average uptime before reboot onw www.windows2000test.com was 14.4 hours as of 12:00 lst night. This does not even count the nameserver problems, etc.


Kspett

Just a Pokemon

[WillAffleck]

Nah, just took a spare pokemon with an energy card.

Re:uhhhhh

[Stonehand]

Because you don't have infinite storage: the best you could possibly do is probably use a separate system, burning to write-once mass storage (separate and write-once to preserve integrity), and even then you'll run out of media. There is a fundamental compromise with any logging system.

You can either:
* Let the machine continue to run when you're out of log space. This means that either you cull the old log, or preserve it but nothing further is logged until the space problem is resolved. If you choose the latter, a malicious cracker can attack your machine, and then flood it with event-causing occurrences to erase logs of the attack; if the former, he simply switches the order.

Either way, it is going to be possible for a malicious cracker to act in a way that is *not* logged, which means that you will have a far more difficult time preventing a repeat attack -- or possibly even detecting such. For many, this is unacceptable.

* Or, you can shut down the machine so no lamer/cracker can do further damage to it, and you are ensured the ability to analyze the logs.

Since you cannot prevent a full DoS (e.g. simple packet floods. If you block those alleged originating networks, then you've lost some service. That's why the rules don't count DoS attacks.) anyway, some security guidelines require that the machine be shut down instead.

IIS doesn't handle HTTP properly...

[MS]

I tried to telnet to www.microsoft2000test.com on port 80, and this is what I got:

/home/markus> telnet www.windows2000test.com 80
Trying 207.46.171.196...
Connected to www.windows2000test.com.
Escape character is '^]'.
HEAD / HTTP/1.1


Terminated
/home/markus> telnet www.windows2000test.com 80
Trying 207.46.171.196...
Connected to www.windows2000test.com.
Escape character is '^]'.
HEAD / HTTP/1.0


Terminated
/home/markus> telnet www.windows2000test.com 80
Trying 207.46.171.196...
Connected to www.windows2000test.com.
Escape character is '^]'.
HEAD /


Terminated

I had to terminate all connections by killing the telnet session to Microsoft's server. Shouldn't the server have returned me some info? Was HEAD disabled? I think this is a crippled down implementation of IIS.

:-)
ms

Re:windows 2000 not even finished

[Tau+Zero]

I don't Bolivia had the guts to post that.

Linux PPC box

[generic]

I think we should beat on that LinuxPPC box. I think they should open up DoS attacks also just to prove a point. They should open sendmail and ftp ports also. I mean they have posted the root password on the website already. That is pretty confident if you ask me.

Re:Gee, go figure

[SamIIs]

No Linux isn't a fluke. It's a fairly stable operating system for a lot of people. It has it's admirable qualities.

Dude, it was a joke.

Post less, think more.

Re:uhhhhh

[mmontour]

I finally got through to w2k, and clipped from the status page:

8/6/99
9:00am - Reset TCP to handle SYN attacks, and rebooted.

8/5/99
1:00pm - Tuned IIS' performance options reset application protection to Medium, and rebooted.
8:54am - Changed IIS' application protection to Low and rebooted, site back up

8/4/99
6:58pm - IIS stopped sending pages. Restarted service.
6:00pm - Morning crash dump due to known bug in Rdr in our build, shutdown Workstation service
9:42am - Crash dump - investigating causes turns out to be Rdr erro

8/3/99
3:22pm - Network connections down due to router failure, possibly related to thunderstorms and power failures in the area

It looks like Micros~1 is reading from a BOFH excuse-of-the-day calendar as they struggle to tune their flagship product toward a state of adequacy. It will be interesting to see how many holes have to be opened up on the LinuxPPC system before it reaches a break-even point with w2k.

I can't believe its not BETA!

[_Sprocket_]

I kind of brushed on this in a previous post. Allow me to re-hash the main points...

It's not your father's Beta.
The term 'beta' has been dilluted, if not completely nullfied, by current industry actions. Commercial software these days never actually stops being developed. The progect just gets published and sold (sorry, 'licenced') to consumers; even with known "issues" (read: bugs). As a consumer, you hope that the software house you purchase products from is willing and able to put out fixes for these bugs at a, hopefully not-so, later time. Microsoft does it. Netscape does it. It's standard practice. Now, in a more development-centric environment (where Marketing doesn't control the progect) such as your favorite Open Source progect... "Beta" might actually mean "there's known bugs here that we want to fix before we say it is 'ready'".

Breathe in... release.
Microsoft's W2k progect is now in its final stages. They've released a "release candidate" to their testing public. I would hope this means they're pretty sure they are close to a finnished product. Baring any suprises the massive amount of testers might find... its close to a done product. MS says this product is stable. Shouldn't it be?

It's my party...
This is Microsoft's show. They're the ones who went for the publicity stunt. Let's not forget that MS, for the most part, are greatly skilled at PR. So if they didn't think W2K was ready... if they suspected that it was still buggy and 'beta'... why did they pull a stunt to bring attention to this fact? And, again, if they knew it was unstable why do they not simply state that the product is 'beta'?

...and I can configure as I want to.
An even better point is that Microsoft controlled the configuration of this test. They picked the hardware. They picked the software (including access to the world's best information source in the world on how to tweak a W2K installation- themselves). This was not some unskilled admin setting up a shaky configuration on obscure hardware. If MS, with their resources, can't keep W2K stable... who can?

I said it before - MS tried to pull a quick publicity stunt and got stung by it. Badly. "Beta" hardly explains this one away.

MiB tactics

[Rollo]

> (maybe they have one of those memory-eraser things from "Men In Black" - heck, all those billions of R&D have to go somewhere. i don't thing they've ever actually pulled a product out of R&D, it's all copying/embrace & extend)

Heh. Could be, I recently noticed how Win95 would make this rapid flashing thing during bootup, right after the screen that says...hmm, can't seem to remember exactly what it says. Hmpfh, I'll get back to that later. Right now I've got this irresistible urge to buy proprietary software'n'stuff...

Weather & power

[SoftwareJanitor]

Does Microsoft expect us to believe their server was down due to power outages? Haven't they ever heard of a UPS? Microsoft certainly can't claim they can't afford to put something nice like an APC 1400 on a server.

Does Microsoft really expect us to take them seriously as an enterprise-capable vendor if they would consider putting up a publicly accessable web server (even for a test) without putting it on a UPS?

Seems like some pretty lame attempts at PR spin to me. With what Microsoft pays for advertising and PR, they can certainly do better.

Re:Weather & power

[GNUCyberKat]

I agree here. Whenever we purchase or commission a server, we always ensure that a UPS is present. It is mandatory for a server. I suspect that Microsoft is either pulling a fast one here or was completely stupid about the UPS issue!

makes you wonder...

[bonk]

If Microsoft themselves weren't the cause for some of that reportedly intense weather. BillG: I summon you, lord of darkness and master of the regions of hell and keeper of the dark abyss. I summon you forth to do my bidding! Satan: Hi bill! What's up? BillG: Umm, we're having trouble with this contest thing, can you help us out? Satan: Sure thing old pal! KRACK! BOOM! THUNDER!

Damn Straight (Redundant)

[ph43drus]

That's right, I have a small UPS too (down in Olympia), it buzzed at me when the lights flickered, but my cablemodem didn't even have to reset (it can't be on the UPS). It is strange that my bedroom and your basement are better equipped than them...

(In fact, I was running an IRC server during the end of the storm, and role playing with people across the country, the GM lives in Seattle proper, and all that happened was my power flickered twice. The game went smoothly for the entire 3 hours... heh).

we all missed the best quote!!

[cmcintos]

from the abqjournal:

Carr called Microsoft's challenge "the lamest thing we'd ever heard of."

Re:UPS != lightning protection

[SoftwareJanitor]

About as seriously as someone who suggested an APC 1400 for enterprise-capable server protection

I didn't intend to suggest that particular model as the be-all-end-all of UPSs, I threw that out because it is a model I am familiar with, and it is sufficient to power a typical Wintel through at least a couple of hours of outages.

In this case something like an APC 1400 should have been more than adequate to have kept the server running since they didn't note any long term power outages or permanent hardware damage due to lightning. You can bet if they had legitimate hardware damage they would be holding that out as an excuse.

The fact that they didn't even seem to take basic, simple precautions that you would do even for a 'departmental server' in a case with such importance from a PR standpoint is the thing that I find most damning.

I just can't help but wonder if this server is sitting on some marketing droids desk somewhere in Redmond...

Microsoft's ® excuses...

[ch-chuck]

sound more and more like baseless, groundless media 'spin' and public relations damage control from a professional handler who's clueless about the actual details of the situation.

This gratuitous bashing of ye' olde software hegemony was brought to you by:

Chuck

God is a Hacker

[johnrpenner]

| Microsoft's Windows 2000 hacker challenge was taken offline | by a router failure (caused by an "act of God"), it was struck | by lightening... heh heh, so even god thought it would be fun to hack MSIIs. ;-^

Better version of same article

[Weasel+Boy]

A longer, more detailed (possibly the original?) version of the same article can be found at:
http://www.abqjournal.com/scitec h/1sci08-06-99.htm.

Re:uhhhhh

[nerv]

amen. finally, someone who has it right. MS needs to be taken down and bashed because of how they have ****ed up the industry all these years.

Not beta.

[FascDot+Killed+My+Pr]

Yes, W2k is still in beta.

But MS specifically said that they thought W2k was ready for the real Internet security world, so I consider that non-beta.
---
Put Hemos through English 101!
"An armed society is a polite society" -- Robert Heinlein

If it's not Mindcraft, it's CRAP!

[Wah]

Let them set up two servers, and we'll benchmark cracking protections. Wonder who would win?

(crashing 9 times, laugh, laugh, laugh, cough, laugh)

I've said it before and I'll say it again.

[rjforster]

The best thing about Microsoft products is that they come with a 'best before' date.