Damn, taken down a notch by Jaco Pastorius!
"There is a difference between a funky bassline and pretentious musical wanking"
-- Tweety Fish, Cute Kid
We had kinda planned to do this, but just didn't have time.
It was hard enough calling everybody back from top secret missions, the casinos, the nuclear submarine and whatnot to get 'em to answer these questions.
-tf
l0pht spent a FULL DAY being interviewed by MTV, which was edited down to the 50 seconds or so you see in the final piece. I'm sure they said a lot more, and I'm sure a lot of it was extremely interesting and relevant, but there's not much they can do about the heavy hand of the MTV editor, is there?
-tf
"It may have been irritating to some of the cDc folks that I asked some more difficult questions than the rest."
No. I like difficult technical questions just fine. The problem was that you asked the SAME question TIME and TIME AGAIN, and not only THAT, but it's a question which has no answer... when you asked me 4 or 5 times if there was a backdoor in the source for bo2k, did you expect me to say anything other than "no there isn't. Read the source and see for yourself"? What other answer could I have given to that question? "Yes, we backdoored it! You got me, you sneaky, technically aware amateur reporter." There were 40 or so people in that room. If I was irritated, it's because I had to answer the same stupid question over and over again when others clearly had questions that hadn't already been asked.
As for my use of the word "infected"... well, that's cool, you think what you want. But generally real reporters base their coverage on facts, not half-baked pop psychiatry readings of people's answers to questions. You could probably make a pretty ok case that our intent was malicious without reverting to paranoid interpretations of slips of the tongue. It still wouldn't be even remotely true, but it would surely be more convincing than your attempt.
About CIH: I, PERSONALLY, as well as every other member of cDc, know EXACTLY what happened with those CDs that CIH ended up on, and EXACTLY who was involved. ALL of the people involved are people I've known for years - in real life and online - and I'm perfectly comfortable with their version of what happened. You are completely welcome to go on believing we have a traitor in our midst, but understand that you are spreading verifiably false, undocumented rumor in the guise of news. If you have any intention of ever being taken seriously in your reporting, that might not be the swiftest idea.
As far as your theories on ethics: If somebody tells you their (presumably real) name, and gives you a piece of open source software with a nice, non-offensive name, you can be confident that it has NO backdoors in it? What if we changed our name to the University of Michigan and called our software wu-ftpd... OH WAIT, THAT WAS BACKDOORED. The whole argument that you can't trust us because we have a stupid sense of humor is anathema to a logical, real world method of establishing trust relationships.
As far as taking responsibility for backdoors and security issues that might arise in our software... YOU GOT IT. If you, after downloading the source from www.bo2k.com, can find a verifiable and repeatable security flaw or backdoor in our software, we will fix it inside of a week, even though we all have day jobs and don't make millions of dollars off of bo2k the way - for instance - Microsoft does off of their software.
I'm curious about your theory that Microsoft takes FULL PERSONAL RESPONSIBILITY for any security flaws in their software. Last I checked they do not, in fact, release the names of the programmers responsible for security holes, which means the "personal" part is pretty much out. As far as "full", I would say that we've been a lot more responsive to issues with our software than Microsoft has. Except, of course, when they're imaginary issues like the ones you discuss.
-tf
I remember being interviewed by this guy at the post BO2K launch press conference. He was the one who was TOTALLY convinced that we MUST have hidden a backdoor in BO2K. "You can hide trojans in the source!" he said, over and over again. I tried to get him to tell me what HE would have us do to convince people that BO2K was not backdoored, but he didn't have any answers. He refused to acknowledge that making bo2k open source was anything but a massive conspiracy to make people THINK we hadn't put a backdoor into the code. Finally I said "well, if you're that worried about it, you don't have to use it. anybody who does can read the code"
He also JUMPED on the fact that I slipped and said "infected"... yeah, that MUST be a sign that I REALLY think bo2k is a virus, 'cuz otherwise - after correcting literally dozens of media who used that (incorrect) terminology - I wouldn't have made that slip EVEN ONCE. Never mind that even if BO2K were a purely malicious trojan horse (it's not any of those things) a machine still wouldn't be INFECTED with it, because it STILL wouldn't be a VIRUS.
Finally, I'm not sure where his whole theory about one of us secretly putting CIH on those CDs... why would ANY of us want to make cDc look that stupid? Has anything else we've ever done indicated that we operate that way? Clearly not, but just as clearly, this loser didn't pay much attention to how we do things, choosing instead to feature the conspiracies he chose to see before even talking to any of us.
This isn't reporting. It's paranoid ranting based on a weak, unsubstantiated, and indeed, already disproven version of the facts.
I mean, really. We fucked up and let somebody burn CDs from a machine infected with virii, and then we fucked up doubly by refusing to believe that could have happened. We admitted as much on cultdeadcow.com a couple weeks after defcon... If we could have possibly laid the blame anyplace besides our own slipups, don't you think we would have?
I wish everybody who read this column, Hemos, and everybody on slashdot, could have seen how consummately unprofessional this "reporter" was at the press conference he attended.
And no, we didn't invite him to our party.
- tf
Given what we have to say, I think a lot of people would suggest that not taking us seriously is done at your own peril.
I am astonished at the number of people who claim to know our motives, age, and level of commitment to what we have to say through no more facts than what we choose to call ourselves.
I can only pray that, should you get a life-threatening illness, the doctor who recommends the drugs that could save you doesn't have a silly name.
>1. It's called Back Orifice. "Yes sir, I'd like to submit an expense report for...umm... Back Orifice"
A couple of points here: first of all, it's free, so it seems unlikely that anybody would have to submit an expense report for it, unless they really WERE doing something nefarious, like embezzling. Second, you can feel free to call it BO2K if it makes you feel better about using it to administer a network. From what we hear, that's what Pat Robertson called it, and if it's clean enough for him, I would imagine it's clean enough for anybody. We chose a name like Back Orifice partly because we believe that if you are developing free, useful software entirely as a hobby, and you know you're going to get blasted by critics no matter what you do then, well, you're allowed to have some fun once in a while.
>2. The cDc claims both that BO2K is a legitimate remote network administration tool, and that it is releasing BO2K to force Microsoft to plug (intrinsic design-related) security holes in NT. That's a contradiction. Imagine the press release for pcAnywhere 2000: "This version contains all kinds of all-new features, primarily designed to force Microsoft to plug security holes." And maybe Symantec will rename itself the Cult of the Norton Commander (cNc).
While I do like the idea of Cult of the Norton Commander, I don't honestly see a contradiction. If you read our press releases and bo2k.com, you will hopefully see a slightly different take on things. We believe that an operating system should be robust and secure enough that a powerful and useful tool such as bo2k will not be an enormous security threat. Every feature of bo2k has administration uses, and the program itself is extremely efficient and modular, things that I've always been taught are a hallmark of good software design. However, because of this very effectiveness, the bloated hulk that is Windows is unprepared to deal with the control users have been given. We developed bo2k because people should have it, and because they shouldn't be scared of it; if they are, maybe that will make people think about the real issues involved.
>BO2K has *only* a stealth mode, and stealth seems to have been a major design consideration. (Correct me if I'm wrong here, I didn't actually download it as I don't want to be sifting through my registry to get rid of it.)
Okay, I'll correct you. You are 100% wrong about this. BO2K by default has stealth mode OFF, and will show up in the process list just like any other application. And as far as that crack about sorting through your registry to get rid of it, there is a function in the client - shutdown server - which can very easily be used to completely uninstall the server from the machine it is running on. No need to hunt through the registry or anything else.
BO2K IS just a useful program for remote administration. The fact that it can be portrayed as anything else, by us or by anyone, is a sad comment on the current state of operating system and application security, at least as far as Microsoft operating systems are concerned.
- Tweety Fish
A little clarification...
Back Orifice, and Back Orifice 2000, can NOT attach to another executable for a "stealthy" delivery on their own. In order to install an "out of the box" BO2K client, you have to click on the icon for the bo2k server, which then installs and begins running.
A third party (Brian Enigma of netninja.com) has produced a series of plugins which allow this functionality, but they are neither developed nor endorsed by the Cult of the Dead Cow.
Before you talk with such certainty, check the URLs supplied in our press release. There is, in fact, an option to install SMS silently, I believe it's install /i.
As far as requiring Windows NT, a login to a domain controller, and a SQL server login... well, no, we don't require any of those, because we don't think that people should have to buy NT, a machine to act as PDC, OR SQL Server in order to effectively administer their network. We think it should be FREE.
All in all a relevant post, but I want to point out that IBM once shipped copies of OS/2 with a virus on the CD.
This whole incident made us look a little TOO much like "professional" software developers for my taste.
I'm sure you won't actually get around to reading this, but:
Back Orifice 2000 was designed and tested on Windows 95, 98, NT and 2000. There was a bug in the first version which caused it to crash on older win95 systems. That bug has been fixed.
We are taking steps to make absolutely sure that our distribution of BO2K violates no state or federal laws.
We also strongly believe that people should be able to use the software with strong encryption.
Even in the original Back Orifice you could specify a port and password. While you cannot mask out certain IPs (which you should be doing at a firewall/gateway anyhow), strong encryption and authentication are probably a better solution for protecting your BO installs from unauthorized users.
VNC isn't bad... because of its model, it tends to be bandwidth intensive and pretty slow. Back Orifice 2000 is a much more efficient (if less pretty) model for networked remote admin.
As far as turning to other OS's, well, that's a possibility. This is sure a hell of a lot of fun, though, and *nix users, at least, tend to already know what their system is doing at any given time ( or at least, they can figure it out), and thus don't need the particular variety of help the cDc has been providing.
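The post above argues that port-plus-password is weak and that strong authentication (and encryption) is the right way to keep unauthorized users off a remote-admin install. The following is an added example, not cDc code and not BO2K's actual wire protocol: a hypothetical `Server`/`Client` pair showing why a bare password sent over the network is replayable by anyone who saw it, while an HMAC challenge-response with single-use nonces is not. It covers only the authentication half of that advice; the shared `PASSWORD` value and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret shared by admin client and server (not a real key).
PASSWORD = b"constructed-admin-secret"


def derive_key(password: bytes) -> bytes:
    """Turn the shared password into a fixed-size HMAC key."""
    return hashlib.sha256(password).digest()


class PlainPasswordServer:
    """Weak scheme: the client sends the password itself over the wire."""

    def __init__(self, password: bytes):
        self._password = password

    def verify(self, sent_password: bytes) -> bool:
        return hmac.compare_digest(self._password, sent_password)


class ChallengeResponseServer:
    """Stronger scheme: server issues a fresh nonce, client proves key knowledge."""

    def __init__(self, password: bytes):
        self._key = derive_key(password)
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce is valid exactly once; a replayed or forged one is rejected.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class ChallengeResponseClient:
    def __init__(self, password: bytes):
        self._key = derive_key(password)

    def respond(self, nonce: bytes) -> bytes:
        # The password never leaves the client; only an HMAC over the nonce does.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def plain_password_replay() -> bool:
    """An eavesdropper who captured the password logs in later with it."""
    server = PlainPasswordServer(PASSWORD)
    captured = PASSWORD  # exactly what crossed the wire
    return server.verify(captured)  # True: the weak scheme is replayable


def challenge_response_login() -> bool:
    """Legitimate admin login succeeds."""
    server = ChallengeResponseServer(PASSWORD)
    client = ChallengeResponseClient(PASSWORD)
    nonce = server.challenge()
    return server.verify(nonce, client.respond(nonce))


def challenge_response_replay() -> bool:
    """Eavesdropper records one (nonce, response) pair and plays it back."""
    server = ChallengeResponseServer(PASSWORD)
    client = ChallengeResponseClient(PASSWORD)
    nonce = server.challenge()
    response = client.respond(nonce)
    server.verify(nonce, response)  # the real login consumes the nonce
    return server.verify(nonce, response)  # False: transcript cannot be reused


def challenge_response_wrong_password() -> bool:
    """A client that guessed the wrong password cannot answer the challenge."""
    server = ChallengeResponseServer(PASSWORD)
    impostor = ChallengeResponseClient(b"wrong-guess")
    nonce = server.challenge()
    return server.verify(nonce, impostor.respond(nonce))


if __name__ == "__main__":
    print("plain password replay succeeds:", plain_password_replay())
    print("challenge-response login succeeds:", challenge_response_login())
    print("challenge-response replay succeeds:", challenge_response_replay())
    print("wrong password succeeds:", challenge_response_wrong_password())
```

The design point is that the server binds every login to a nonce it generated and forgets, so a captured exchange is useless a second time. This still does not hide the session contents, which is why the post pairs authentication with encryption; an authenticated session should then be wrapped in TLS or an equivalent channel rather than sent in the clear.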
Okay. 1) if we really were only writing "script kiddie visual basic junk", would you really WANT us to turn our programming skills towards trying to help people? BO and BO2K are both non-trivial software products, and BO2K is one of the single most elegant pieces of software design I've ever seen. I'm sure you don't believe me, but, by all means, check out the source when we release it.
2) I would love some clarification on why you think that BO2K (and for that matter, BO) is NOT a remote administration tool... with features like registry and file access, network.exe spawning, and process management, I fail to see your point.
For those who believe that Back Orifice 2000 is some malicious tool that may or may not cause untold havoc for win32 consider this:
If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?
Back Orifice 2000 is a tremendously useful tool for any administrator, and will only become more valuable as hackers around the world (please note that I understand that word, and I do mean hackers) modify and extend it. Managing windows networks is a far easier and richer experience when you have something like BO2K to work with. Is it a mixed blessing? Possibly so. But the best way to make BO2K work for you is to use it, and understand it.
The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them. One way to make that happen is by convincing major vendors that they need to tighten up their products and make SURE that customers understand how to keep themselves secure, and that the products help them do that. The other way is by letting those same users get at the functional guts of the systems they use, without the layers of obfuscation and abstraction that characterize a modern operating system. Hopefully, BO2K will achieve both these goals.
Back Orifice 2000. Show some control.
I think you overestimate Microsoft's proactiveness when it comes to security issues. I'm sure they're interested, but a prerelease copy? Maybe we're a little better at keeping a handle on our betas than some people are.
First of all, if your campus network was NT, you would have had >0 problems with Back Orifice, because it didn't run on NT.
Second of all, the tool we are releasing is an incredibly useful and powerful remote administration tool, much better than anything else currently available from Microsoft, Symantec or anybody else. If Microsoft didn't make it so irritatingly difficult to figure out what your server is actually doing at any given moment, the security concerns would be a moot point.
Heh, that's a mighty nice compliment from you... I must say, though, that both cDc and l0pht have great respect for the work that PacketStorm's been doing. There's been a real need for a comprehensive vulnerability database, and the fact that Ken was doing that non-commercially is a real service to the computer security community. Indeed, the site was so well respected that it was mentioned in InfoWorld's Security Watch column not two weeks ago.
I, at least, hope that Packetstorm will find a backup and a new home, or that somebody new like www.securityfocus.com will step in to fill the gap. Otherwise we might go back to the "bad old days", where the only people who know about certain vulnerabilities are small groups of hackers and irresponsible vendors with no incentive to fix problems.
In praise of full disclosure,
Tweety Fish, cDc
Oh, this is fully exploitable.
Perhaps the people who released the advisory wanted to wait for a patch from MS before releasing their exploit...
It's going to be a very scary couple of days. I would suggest that any IIS admins fix things right away...
This kind of hole could be used very easily to run an "egg" that would open a remote command shell, or install NetBus or Back Orifice 2000.
http://www.bo2k.com
Watch that space, and remember DefCon is July 9-11 in Las Vegas.