Is most likely Microsoft Agent technology. It's built into to Win2k (it's used by office2k+) and it's trivial, if not time-consuming, to create new characters for it.
Just a thought, but with the climate of "our society is crumbling, lets blame computer games", we (as computer game players) always had the retort that it wasn't "real" per-se, e.g. noone actually suffers as a result of actions carried out upon/to them in any virtual world.
However, this no longer holds with this game. You steal Etropian money from them, you are taking real hard cash from them. Where does this stand in the eyes of the law? Must you sign a waiver to play? Surely in the excessively litigious world of the US of A, someone is gonna get mauled? Also, the anti computer game lobby now have a real reason to start banning games. Frankly I'm fascinated by the concept, but I don't think I want to go down that road.
IMO there is no longer a stark line drawn between criminality in the real world and the virtual one. It's no longer a moral issue, it's an issue, period. Kids (or adults) who start to f*ck ppl over in this game have a real danger of getting a feel for this "free money" lark and may well bring this behaviour into the real world. No?
Simply put, they are doing this because you gave them permission to do so when you clicked on 'Finish' without reading the EULA.
The 'hacker' who hacks into machines and destroys things etc. did NOT receive permission from the owner.
Of course, noone reads EULAs these days and that is what they took advantage of. Now, who's fault is that? It's not theirs. Perhaps this will go a little towards waking people up a little.
Klez isn't based on any embedded java/vb scripts in the email. It's just an executable attachement that may get automatically executed using an old MIME exploit (similar to one at least one *nix mail client had, PINE 3.92 I believe?). If it isn't run automatically on a patched client, the god damn muppet m$ user will run it anyway. you can't win.
c:\linux\src\kernel>nmake Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.00.9466 for 80x86 Copyright (C) Microsoft Corporation 1984-2001. All rights reserved.
Ah, you know about the secret.LOG function too? Open notepad, make the first line.LOG -- save it, and voila, everytime you open it, it inserts a timestamp! beat that EMACS in under 85 lines of lisp!
>In fact, if I recall right, the sauthor of the >book "the Mythical Man-Month" came to the >conclusion that the more people you throw at a >software project, the slower the project goes.
Not quite, Brooks asserts that this applies to software projects that are already _late_ where the optimum amount of people have already been assigned to various tasks.
It's not a single click to execute attachments, it's double click; ergo you need to be twice as stupid as some to run an executable attachment sent to you unannounced.
Why does everyone presume that Outlook runs attachments automatically?
It does not.
What ppl are referring to is a MIME related bug that has since been patched. But in a typical fashion, they read it somewhere and presume that it is a feature, a dumb stupid feature. Why in God's name would you want an email client that automatically ran any executables it received?
And for reference, PINE also had a similar bug a while ago where you could embed shell metacharacters into the MIME header and it could execute shell commands. This was also fixed, but I ain't heard anyone mention that since.
1) The source display should allow any administrator to verify if he is vulnerable, and, after patching, that he is no longer vulnerable.
This is silly. Most exploits are damaging to the target systems and if you decide to run it against your boxen to "test", you are an either a) an idiot, or b) you are wearing a black hat. Yes, in the past m$ have released a patch that didn't _appear_ to work, but actually revealed/enabled a related exploit instead. 99.9% of the time their patches work as intended, again, like any other vendor's. If you want to see if it [the patch] is installed, check the version numbers of the components affected.
2) The source code should demonstrate the exact nature of the problem for the coders who wish to fix it. They would otherwise need to write their own exploit to test their fixes.
In the context of the current argument (e.g. Microsoft and bugs/exploits), this is an invalid point. Microsoft do not release source code, and thus you cannot patch their systems.
3) The source code should apply pressure to the software maker. It is akin to being flogged in public. The whole world knows you are vulnerable, and you ought to fix it.
Microsoft is flogged every second of every day in a lot more channels than you can imagine. I don't think they really need any more pressure to fix things. They are fully aware that they write imperfect software (just like the rest of the world). It is trendy to get on their backs, and it always will be. Microsoft itself is a excellent vehicle for free publicity and there is no easier way to get publicity for your company than publicly announcing a software flaw and making sure that it is spread far and wide and makes every news medium in the world. Sad, but true.
4) The source code of the exploit should make the exploit obvious but not damage the system.
Yeah, right. Most exploits might make an effort to function like this in the manner of trying to preserve system integrity, but exploits are badly written and regardless, someone f*cking around with your system is using up time, your time, and time is money. This is damaging to someone, maybe not you, but someone.
Source code exploits will ALWAYS be published in places where some crackers can get them. The challenge is designing an updating system that allows all users to apply patches in a timely fashion. I think Debian is actually closest on this one.
Yes, we're all for publishing source code to exploits. I am, and I have done in the past. But the point is to not to make so easy for 12 year old muppets to get their hands on it. "Apply patches in a timely fashion?" How much easier could clicking "Windows Update" be, for God's sake? No messing around with RPMs and tars/tgz, dodgy makefiles, incompatible libs etc. M$ are pissed off because they are targeted. Plain and simple, they are targeted by disgruntled *nix using kids who don't even know why they hate m$. it's just what every other *nix kid does. M$ are pissed off because *nix kids are more tech savvy than M$ kids. Most m$ kids wouldn't have a clue how to compile an exploit script, whereas the *nix kids can, hence M$ get targetted more than *nix. It's easy to blame m$, because they make the whole package. You never hear anyone saying Linux has bugs/exploits, because ppl will say, no, no it's not linux, that's Apache's fault.
Microsoft is really going to get nowhere on this one. I've read accounts of people who send exploits to Microsoft in secrecy, and then HAVE to publish the code so that Microsoft is forced to fix the problem. If it doesn't impact Microsoft's marketing, Microsoft doesn't care.
Like every other software company in the world -- this is old news.
The other issue that relates to this one is secure as possible by default. This principle applies to all Internet usage of computers. Yet Microsoft blatantly violated it in the following: Office Macros, email attachments, NT/Windows 2000 Server config (running IIS by default), Hotmail...
This is as ignorant broad sweeping generalisation. It barely needs replying too, but I'm sick of reading this sh*t.
a) Office Macros.
Yes, they are a problem. They make life easy for you, but of course if you've spent your life writing Perl scripts in VI, you're never going to understand it. There is a problem inherent in the macro system, but it is more complicated than just disabling a few features.
b) Email attachments.
Yes, well spotted! M$ software allows you to send attachments in email, isn't that innovation at it's best. Oops, so does every other email program pretty much on any platform. What's that? You can save the attachments and run them? My God! What's your point? I can send you a Tcl script or an ELF binary via email, but will _you_ save it and run it without checking? Where is the real problem here?
c) NT/2000 Server config
I'll cede to this point. The default installations need to be secure. Presently they are not. Of course most default installs of any O/S are not secure, and you can secure a default installation using the SCM/MMC package that comes with 2000, but NT admins are generally less clued in than *nix admins. We know this.
Does anyone at all think before they post stuff like this? Just for once can we please not be subjected to the usual moronic childish chants of "microsoft sucks" and "see what happens when you don't run linux" ?
This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-priviledge data _legally_ available to any program running in that user's context.
IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?
--
Writing a Haiku
in seventeen syllables
is very diffic
Slashdot Mirror
...
It's a new way of doing business. I like it.
Nonsense! hitmen, crack dealers and major crimelords have worked this way for years!
- Oisin
Is most likely Microsoft Agent technology. It's built into to Win2k (it's used by office2k+) and it's trivial, if not time-consuming, to create new characters for it.
see: http://www.microsoft.com/msagent/
- Oisin
It's obvious, I could consume that many lines of code too writing a browser:
If Instr(html, "<B>", i) -1 Then ...
bold = True
i = i + 3
Else If Instr(html, "<I>", i) -1 Then
italic = True
i = i + 3
Else If
If anyone tries to optimize/correct the above, they're missing the point.
- Oisin
Puerile, yes, but funny: searching for "goatse" yielded "Ananova - Man jailed for goat sex attack" near the bottom of the first page of results. Lol!
Just a thought, but with the climate of "our society is crumbling, lets blame computer games", we (as computer game players) always had the retort that it wasn't "real" per-se, e.g. noone actually suffers as a result of actions carried out upon/to them in any virtual world.
However, this no longer holds with this game. You steal Etropian money from them, you are taking real hard cash from them. Where does this stand in the eyes of the law? Must you sign a waiver to play? Surely in the excessively litigious world of the US of A, someone is gonna get mauled? Also, the anti computer game lobby now have a real reason to start banning games. Frankly I'm fascinated by the concept, but I don't think I want to go down that road.
IMO there is no longer a stark line drawn between criminality in the real world and the virtual one. It's no longer a moral issue, it's an issue, period. Kids (or adults) who start to f*ck ppl over in this game have a real danger of getting a feel for this "free money" lark and may well bring this behaviour into the real world. No?
- Ois
The $ sign is used as end of line marker for function 09h of int 21h (print string), e.g.
;)
TXT db 'hello, world!$'
mov ah,09h
mov dx, TXT
int 21h
int 20h
My x86 ain't what it's used to so I'm awaiting endless corrections to this, but don't miss the point people
Simply put, they are doing this because you gave them permission to do so when you clicked on 'Finish' without reading the EULA.
The 'hacker' who hacks into machines and destroys things etc. did NOT receive permission from the owner.
Of course, noone reads EULAs these days and that is what they took advantage of. Now, who's fault is that? It's not theirs. Perhaps this will go a little towards waking people up a little.
- Oisin
Klez isn't based on any embedded java/vb scripts in the email. It's just an executable attachement that may get automatically executed using an old MIME exploit (similar to one at least one *nix mail client had, PINE 3.92 I believe?). If it isn't run automatically on a patched client, the god damn muppet m$ user will run it anyway. you can't win.
Nope, it definitely doesn't work.
c:\linux\src\kernel>nmake
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 13.00.9466 for 80x86
Copyright (C) Microsoft Corporation 1984-2001. All rights reserved.
kernel.c
kernel.c(3) : error : Invalid token : expecting "(C)", found "GPL".
compile aborted.
c:\linux\src\kernel>
bugger.
Eh? explain? .LOG does not work in any other text editor in windows.
OT, yes, but:
Writing a Haiku
In seventeen syllables
Is very easy.
If this is a "blatant attempt" to start a flamewar, then you my friend, are guilty of putting the first match to the kindling.
;)
You could have just ignored it
Ah, you know about the secret .LOG function too? Open notepad, make the first line .LOG -- save it, and voila, everytime you open it, it inserts a timestamp! beat that EMACS in under 85 lines of lisp!
- Ois
"HTML is supposed to be a content distribution language, not a page layout language"
Isn't that a bit backwards? HTML is very much a "page layout language", and wouldn't you say XML is more for "content distribution", e.g. raw data?
- Oisin
>In fact, if I recall right, the sauthor of the
>book "the Mythical Man-Month" came to the
>conclusion that the more people you throw at a
>software project, the slower the project goes.
Not quite, Brooks asserts that this applies to software projects that are already _late_ where the optimum amount of people have already been assigned to various tasks.
You have front-mounted protruding penile haemorroids too then? sucks, doesn't it?
It's not a single click to execute attachments, it's double click; ergo you need to be twice as stupid as some to run an executable attachment sent to you unannounced.
"Users are used to ms-windows. they are all old dogs and refuse to learn new tricks."
From a pure desktop / application interoperability point of view, what "new tricks" can "old dogs" Gnome/KDE seriously teach Windows?
Can I have a common clipboard, please? pretty please?
Why does everyone presume that Outlook runs attachments automatically?
It does not.
What ppl are referring to is a MIME related bug that has since been patched. But in a typical fashion, they read it somewhere and presume that it is a feature, a dumb stupid feature. Why in God's name would you want an email client that automatically ran any executables it received?
And for reference, PINE also had a similar bug a while ago where you could embed shell metacharacters into the MIME header and it could execute shell commands. This was also fixed, but I ain't heard anyone mention that since.
- Bill's Beeatch.
1) The source display should allow any administrator to verify if he is vulnerable, and, after patching, that he is no longer vulnerable.
This is silly. Most exploits are damaging to the target systems and if you decide to run it against your boxen to "test", you are an either a) an idiot, or b) you are wearing a black hat. Yes, in the past m$ have released a patch that didn't _appear_ to work, but actually revealed/enabled a related exploit instead. 99.9% of the time their patches work as intended, again, like any other vendor's. If you want to see if it [the patch] is installed, check the version numbers of the components affected.
2) The source code should demonstrate the exact nature of the problem for the coders who wish to fix it. They would otherwise need to write their own exploit to test their fixes.
In the context of the current argument (e.g. Microsoft and bugs/exploits), this is an invalid point. Microsoft do not release source code, and thus you cannot patch their systems.
3) The source code should apply pressure to the software maker. It is akin to being flogged in public. The whole world knows you are vulnerable, and you ought to fix it.
Microsoft is flogged every second of every day in a lot more channels than you can imagine. I don't think they really need any more pressure to fix things. They are fully aware that they write imperfect software (just like the rest of the world). It is trendy to get on their backs, and it always will be. Microsoft itself is a excellent vehicle for free publicity and there is no easier way to get publicity for your company than publicly announcing a software flaw and making sure that it is spread far and wide and makes every news medium in the world. Sad, but true.
4) The source code of the exploit should make the exploit obvious but not damage the system.
Yeah, right. Most exploits might make an effort to function like this in the manner of trying to preserve system integrity, but exploits are badly written and regardless, someone f*cking around with your system is using up time, your time, and time is money. This is damaging to someone, maybe not you, but someone.
Source code exploits will ALWAYS be published in places where some crackers can get them. The challenge is designing an updating system that allows all users to apply patches in a timely fashion. I think Debian is actually closest on this one.
Yes, we're all for publishing source code to exploits. I am, and I have done in the past. But the point is to not to make so easy for 12 year old muppets to get their hands on it. "Apply patches in a timely fashion?" How much easier could clicking "Windows Update" be, for God's sake? No messing around with RPMs and tars/tgz, dodgy makefiles, incompatible libs etc. M$ are pissed off because they are targeted. Plain and simple, they are targeted by disgruntled *nix using kids who don't even know why they hate m$. it's just what every other *nix kid does. M$ are pissed off because *nix kids are more tech savvy than M$ kids. Most m$ kids wouldn't have a clue how to compile an exploit script, whereas the *nix kids can, hence M$ get targetted more than *nix. It's easy to blame m$, because they make the whole package. You never hear anyone saying Linux has bugs/exploits, because ppl will say, no, no it's not linux, that's Apache's fault.
Microsoft is really going to get nowhere on this one. I've read accounts of people who send exploits to Microsoft in secrecy, and then HAVE to publish the code so that Microsoft is forced to fix the problem. If it doesn't impact Microsoft's marketing, Microsoft doesn't care.
Like every other software company in the world -- this is old news.
The other issue that relates to this one is secure as possible by default. This principle applies to all Internet usage of computers. Yet Microsoft blatantly violated it in the following: Office Macros, email attachments, NT/Windows 2000 Server config (running IIS by default), Hotmail...
This is as ignorant broad sweeping generalisation. It barely needs replying too, but I'm sick of reading this sh*t.
a) Office Macros.
Yes, they are a problem. They make life easy for you, but of course if you've spent your life writing Perl scripts in VI, you're never going to understand it. There is a problem inherent in the macro system, but it is more complicated than just disabling a few features.
b) Email attachments.
Yes, well spotted! M$ software allows you to send attachments in email, isn't that innovation at it's best. Oops, so does every other email program pretty much on any platform. What's that? You can save the attachments and run them? My God! What's your point? I can send you a Tcl script or an ELF binary via email, but will _you_ save it and run it without checking? Where is the real problem here?
c) NT/2000 Server config
I'll cede to this point. The default installations need to be secure. Presently they are not. Of course most default installs of any O/S are not secure, and you can secure a default installation using the SCM/MMC package that comes with 2000, but NT admins are generally less clued in than *nix admins. We know this.
Anyway rant over,
- Oisin
Does anyone at all think before they post stuff like this? Just for once can we please not be subjected to the usual moronic childish chants of "microsoft sucks" and "see what happens when you don't run linux" ?
This incident is a simple case of social engineering when you look at it -- it's nothing to do with windows, nt nor any OS security. Some muppet ran an executable program that was sent to him/her and the program emailed some user-priviledge data _legally_ available to any program running in that user's context.
IMO the problem lies in their staff training -- don't run crap in work on a sensitive machine, especially if you've got high-level access via an extranet. Now that isn't too hard to understand, is it?
-- Writing a Haiku
in seventeen syllables
is very diffic