Slashdot Mirror


User: Xenographic

Xenographic's activity in the archive.

Stories: 0 · Comments: 2,088

Comments · 2,088

  1. Re:Track record on Remotely Crash OpenBSD · · Score: 1

    The problem with Microsoft's statement was that when Microsoft said that, they were rationalizing not fixing something. OpenBSD most certainly will fix this.

    FWIW, I seem to remember the crash as being a local one. OpenBSD doesn't allow programs to do such things, since crashing another process may be part of exploiting it (e.g. salvaging something from a core dump or whatever).

  2. Re:Obscurity IS Security on "Port Knocking" For Added Security · · Score: 4, Insightful

    We usually call such a thing a secret, not "obscurity" ... at least, when talking about a password.

    So this just makes part of the protocol secret, and one of our assumptions about security protocols is that the protocols are known.

    Yes, it's an interesting and reasonably clever little hack (it is not, however, new), it does tend to hide some information (e.g. that the ports are even open) but if you're going to make the port look closed, anyhow, why not just listen on that port for something that would cause the service to "wake up"? I guess they thought it seemed a bit more clever the other way, who knows?

  3. Re:sorry for what on Author signs MyDoom virus · · Score: 1

    User stupidity is the bigist security hole there is. It is often exploited and east to patch with a ballpen hammer.
    -----

    It sounds like you need to take another whack at it. Need to borrow a hammer? ;]

  4. Re:Prove? on Microsoft Security Patch Fixes URL Security Flaw · · Score: 2, Informative

    With ActiveX, there have been a number of times when visiting a malicious page in IE could have destroyed your computer (e.g. something equivalent to rm -rf /)

    It is the only browser wherein I can remember such a hole, and I (try) to keep up with the security mailing lists...

    Feel free to search bugtraq if you like.

    Now then, I think that there were a few problems in some versions of Netscape/Mozilla, but I don't remember them being nearly as serious as the IE holes.

  5. Re:They can't be serious... on Microsoft Advises to Type in URLs Rather than Click · · Score: 1

    I meant for Mozilla; I'm well aware of Opera's capabilities.

  6. Re:Fishy company on A Look at Microsoft's Regulatory Problems · · Score: 1

    That may all be true.

    I even know that they sell Windows with each PC because otherwise the company might under-count the copies of Windows sold (and, hence, short-change Microsoft...).

    Still, it's an anti-competitive tactic that may well be illegal for a monopoly... IANAL, but I seem to remember this being one of the complaints against Microsoft...

  7. Re:They can't be serious... on Microsoft Advises to Type in URLs Rather than Click · · Score: 2, Insightful

    Still, why hasn't anyone put up a little warning if you click on a URL to somewhere like:

    http://www.microsoft.com:8080?product+activation@1.2.3.4:56/activate.php

    That says:

    Warning:
    The link you have just clicked will take you to:
    Website: 1.2.3.4
    Port: 56

    It will log you in with the account:
    User: www.microsoft.com
    Pass: 8080?product+activation

    Is this what you intended?
    [ OK ] [ CANCEL ]

    Make it an option like all the other security warnings so you can ignore all such URLs, prompt (which gives the above prompt) or give no warning at all, which is what it's like now.

    Would this not be a useful feature, if it was set to 'prompt' by default? It would certainly help folks realize just where they're going, especially those who have no idea how to read a URL like that...
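
The prompt proposed in the comment above, sketched as an added example (not part of the original comment, nor any browser's code) on top of the WHATWG `URL` parser found in browsers and Node.js; `inspectLink`, `linkWarning` and the second sample link are constructed for illustration. Under this parser a literal `?` ends the authority, so the link as posted resolves to www.microsoft.com, and only the constructed variant without the `?` carries credentials.

```javascript
// Added example: warn before following a link whose authority carries
// credentials (user:pass@host). Function names are hypothetical.

// Percent-decode for display; fall back to the raw text on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Break a link into the parts the proposed prompt would show.
function inspectLink(href) {
  const u = new URL(href); // throws TypeError on unparseable input
  return {
    host: u.hostname,
    port: u.port || "(default)",
    user: safeDecode(u.username),
    pass: safeDecode(u.password),
    hasUserinfo: u.username !== "" || u.password !== "",
  };
}

// Build the prompt text, or return null when the link has no credentials.
function linkWarning(href) {
  const info = inspectLink(href);
  if (!info.hasUserinfo) return null;
  return [
    "Warning:",
    "The link you have just clicked will take you to:",
    `Website: ${info.host}`,
    `Port: ${info.port}`,
    "",
    "It will log you in with the account:",
    `User: ${info.user}`,
    `Pass: ${info.pass}`,
    "",
    "Is this what you intended?",
  ].join("\n");
}

// The link exactly as posted in the comment.
const AS_POSTED =
  "http://www.microsoft.com:8080?product+activation@1.2.3.4:56/activate.php";
// Constructed variant without the "?", so the "@" falls inside the authority.
const WITH_USERINFO = "http://www.microsoft.com:8080@1.2.3.4:56/activate.php";

console.log(inspectLink(AS_POSTED));
console.log(linkWarning(WITH_USERINFO));
```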

  8. Re:The message from Bruce Perens on SCO Offers $250K Bounty for MyDoom Author's Arrest · · Score: 1

    There are only a few things we can really do at this juncture, having had nothing whatsoever to do with this virus nor its creator.

    1) Help find whoever did this with the same tenaciousness we use when tracking down spammers. Hell, this was apparently written to help spammers install backdoors, so it probably is one. Yet another reason to want this person caught.

    2) Remind folks that when we want to attack SCO, we do not attack their servers, nor do we do illegal things--they would be long dead if we stooped to such a low road. Rather, we attack them by investigating every single bit of evidence that is offered, without fail, and reporting all of our findings publicly. It is no wonder that SCO is slow to show its hand considering how weak we've proven the cards they've let slip to be...

    3) Remind folks that written communication is best. Why? We should proofread what we write from SCO's perspective. Anything we say can and will be used against us; quite possibly in a court of law. Remember the last IBM press release directly concerning this lawsuit? You don't? Exactly. They don't talk about it, for good reason. They also liberally quote SCO's press releases in their arguments... It's not a coincidence. Read IBM's letters to SCO, too. You could learn quite a lot from them. It's created a great paper trail, is exceptionally clear, and gives the other side no ammunition whatsoever. We should all be so lucky...

  9. Re:Copyright. on SCO Offers $250K Bounty for MyDoom Author's Arrest · · Score: 1

    Err, read more Groklaw.

    I'm not convinced (read: SCO is innocent until proven guilty, and, knowing SCO, they will soon be proven guilty if they actually are guilty...) that SCO did this to themselves, however this is the same company that had an interesting response when picketed.

    You see, they came out with their own phony signs (which you can see pictures of in a very old Groklaw story) which said things about supporting communism... Yes, the folks at SCO actually made their own phony signs with a message to the effect of "we support communism!" to mix in with those of the protesters, in order to discredit them.

    Now then, the best answer for now is that I hope those responsible are brought to justice. We do not support nor condone this action, and we ought to do whatever we might to catch whatever idiot created this thing.

    Besides, imagine if one of us got the $250k and donated it to one of those foundations that were recently created to protect people from allegations that their use of Linux is somehow illegal? I wonder what SCO would say to that? Heh.

    Actually, I can guess what they'd most likely say, but I'd rather not repeat it... No, I mean the part after the long string of curse words.

  10. Re:compensation? on Microsoft Agrees Settlement Over MikeRoweSoft.com · · Score: 1

    MESC? MSCE?!?

    Are they printing new certs? Just remember, MCSEs Must Consult Someone Experienced.

  11. Re:Mad SCO Darls on Whose Desktop Would You Most Like To See? · · Score: 1

    It doesn't exist yet--it's on his "todo" list ;]

  12. Re:What WOULD Jesus Do? on One Company's Response to SCO · · Score: 2

    That said, there have been times when I remember listening to someone and almost being sick hearing it, even though it was put rather ... diplomatically. Sugar-coated poison, as it were. Gives a rather nasty chill, primarily because you understand it ...

  13. Re:Orwellian, don't you think? on Passenger Risk Database to be Implemented in U.S. · · Score: 1

    It is French. It means "monks."

    I have no idea why they named it that, however.

  14. Re:It gets weirder on LaserMonks Offer Prayer, Printer Cartridges · · Score: 4, Interesting

    "No longer drink only water, but use a little wine for your stomach's sake and your frequent infirmities."

    1 Timothy 5:23, New King James version.

    Only the Mormons are against all drinking, really, though a few other denominations (e.g. Methodists) did participate in Prohibition, ages ago. The Bible only really condemns being drunk (not just drinking) as parent says.

  15. Re:You insensitive clod! on LaserMonks Offer Prayer, Printer Cartridges · · Score: 1

    It's atheist you insensitive clod!

    Unless you hate "thiests" for some odd reason?

  16. Re:Capitalism at work on US Treasury to Post Previously Private Email Addresses Online · · Score: 1

    I would've found their newest product easier to accept if they were to give out free samples... ;] I mean, with that advertising budget...

  17. Re:We have forgotten... on SCO - What have WE Forgotten? · · Score: 1

    That may be, but did you see Daniel Lyons' most recent article on SCO (well, it was the last one I saw, at least)? It was little more than quotes of troll posts...

    I have no idea how he got it past his editors, either--I could not discern any news at all in it... Probably why most people ignored it (I know that Groklaw didn't mention it at all) ...

  18. Re:It's not what WE missed... on SCO - What have WE Forgotten? · · Score: 2, Insightful

    >>The GPL has never been tested in court, I haven't seen anything indicating that this is 100% reliable.

    >Well, admittedly there is a flaky argument prevalent on Slashdot and Groklaw. The argument runs that if the GPL were "invalidated" it would revert to "no rights to copy", which would kill SCO in punitive damages. Not necessarily. Another possibility is that the court might try to find the "nearest charitable purpose" that is similar to the spirit of the GPL but doesn't break the law.

    >So that counter-argument doesn't really work. But the problem with your argument is more fundamental. In order to talk about this sensibly we have to speculate on what precisely the judge might try to strike down. No-one, to my knowledge, has put forward a good argument for why any law or constitutional amendment would invalidate any aspect of the GPL - least of all SCO.
    ------

    [Disclaimer: I am not a lawyer, this is not legal advice. It is, however, a logical argument a reasonable person might find persuasive.]

    Okay, I've seen that a lot. Yes, that's exactly what one lawyer thought of, but one problem is that that's what the courts do for wills and trusts. Why is that important?

    The court with the "cy pres" doctrine is disposing of other people's property because there is no one else to decide what to do with it. Obviously, since it cannot be used for what it was intended for, the court would rather not see it go to waste. Now then, how does this logic apply to the GPL? Well, part of the problem is that most of the copyright holders for Linux are alive and well, and thus able to make their own decisions about how to dispose of their own property.

    So, while SCO might try this, they might have a hard time convincing a judge that their property should be given away to SCO, rather than disposed of according to the will of the copyright holders... One of the things courts are there to ensure is that people should not be deprived of their property without due process of law. Linus isn't dead, he knows damn good and well how he intends to dispose of it, and I'm reasonably certain based on what he's said that he doesn't intend to hand it all over to SCO to become their private property--he means for everyone to be able to use it, but only under the GPL.

  19. Re:Objectivity my arse on Microsoft Rolls Out New Anti-Linux Ad Campaign · · Score: 1

    What the hell is this, some kind of thread where you get free karma for posting in it?

    Oh wait... I'm max'd out already... heh :]

  20. Re:A Trend? Moron... on Warning: Exploding Batteries · · Score: 1

    Imbecile. There's an enormous difference between something being a possibility and being even remotely likely. Sounds like those idiotic news reports networks show to get stupid people to watch "WILL YELLOW STICKY NOTES KILL YOU? FIND OUT HOW YOU CAN PROTECT YOU AND YOUR FAMILY AT SIX!!!!"
    -----

    You might even be glad for that warning if you didn't realize that if, while exploring a remote jungle, you got gangrene from an untreated paper cut from one of those stickies and died! ;)

  21. Re:Yes but one fact remains on SCO Not Lying About DoS Attack · · Score: 4, Interesting

    Pity SCO never bothered to use TCP cookies, which are old news. Live and learn.

    What no one else has mentioned, however, is how SCO came up with those fake signs when the protesters came--you know, the ones associating Linux and communism, which you can find photos of on Groklaw--I mean, I have no proof of anything, nor do I accuse them without proof, but I cannot put self-sabotage beyond them any more. It's not like they haven't done things of this nature before.

    Their willingness to use it as PR is also troubling. How ironic, though, that we'd criticize someone for coming clean about an attack when so many who study security wish that companies were more forthcoming about them. On the other hand, this is a DoS attack--no confidential information is at stake--so this is just the sort of attack they probably need not mention...

    My guess is that they plan to use this to (attempt) to discredit IBM in the courtroom. First, presume that someone in the OS community did it (proof not required?), associate IBM and OS, then claim that IBM is part of a conspiracy against them (they already have, actually, in their briefs--I could be mistaken, but I thought that it was one IBM moved to strike since they didn't even state it with particularity [e.g. didn't say who IBM had conspired with])

    Even so, I'm reasonably sure that SCO cannot prevail in the courtroom, especially given how McBride claimed to be expecting the outcome of the last hearing over discovery. So we're pretty sure that SCO won't prevail in the lawsuit--indeed, the counterclaims from IBM may well be the end of them--and we can be pretty sure that IBM won't just buy them out (bad precedent). It could be a Pump & Dump--I've seen others who think that someone is painting the tape (trying to keep SCOX share prices up)--but the SEC, at least so far, doesn't appear to think so.

    I just wonder if there's some other "win" scenario wherein SCO doesn't actually win the lawsuit or much of anything else.

    Here's a thought--albeit one terrible, completely, utterly and totally speculative unsupported by any solid evidence--what if SCO's entire purpose here is to discredit Open Source? In that scenario, they don't have to "win" anything--just make sure that we suffer as much as possible while they go down...

    Oh well, I'm not sure how much Darl can hold on. They postponed the earnings report, which the Motley Fool lists as a textbook showing of internal strife. The lawyers and the banks are jockeying for position over the remains of SCO should it lose, according to their agreements which you can find on Groklaw. The court has gone soundly against them thus far in the discovery hearing. It's practically game over if the share price drops low enough, for any reason, according to more agreements with RBC.

    I wonder if Darl can keep it together long enough that SCO even exists for the remainder of the lawsuit, given that it'll take some time?

    Only time will tell.

  22. Re:Serious copyright violation on Big Mouth Billy Bass Videoconferencing · · Score: 2, Interesting

    Someone modded this funny, but it's actually true!

    In one of the more bizarre rulings, the courts determined that any tape manufactured for use in the Teddy Ruxpin (but not approved by the original maker) violated the copyright holder's exclusive rights regarding public performance...

    Personally, I think that's a bit odd.

  23. Re:Get out my tinfoil hat! on Fortune Magazine On Google Growing Up · · Score: 1

    That's 101b incidents. Did you forget that you were counting from 000b? ;P

  24. Re:Karma Hit on Decoding the Algorithm for Pop Music · · Score: 1

    I just patented food!
    ---->

    Mind if we cross-license our patents?
    I just patented eating said food.

  25. Re:Easy on Microsoft Security Whitepaper · · Score: 1

    They sell them to themselves as a loss. Therefore using them as a tax deduction twice - once for the loss and once for the cost......and if the loss is great enough they might even make a profit!
    -----

    Let me guess: you were an accountant/financial analyst during the .com boom? :]