Back Orifice 2000 on CNN.COM
LLatson writes "CNN.COM is running an article about Sir Dystic releasing Back Orifice 2000. Sounds like this time it will run on NT..." Comments on why this is being done, as well as a source release and a few changes to the 2k system.
Re:NT *is* horrible - Maybe it's you (Score:1)
Nay (Score:1)
1. On UNIX systems telnetting in and trying to log in as root will not work
2. Telnet has security measures and can be disabled by the server at will.
It's NOT bullshit (Score:1)
CIH virus (Score:1)
As for the Melissa virus writer: since he uploaded it himself (and it had the same GUID as the 'samples' on his virus-writing site, and he did it from his home phone), he acted in a wanton act of destruction.
_
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
Re:But wait, could it be... USEFUL? (Score:1)
Bravo! Hats off! (Score:3)
We all remember the stink that went up after Farmer and Venema (sp?) released SATAN. (COPS before that)
Anyone out there remember Asmodeus?
Any sysadmins here ever use a rootkit on their boxen to see what it did, and what to watch for? Without port scanners there wouldn't be firewalls, and without sniffers there wouldn't be encryption.
I know tfish is looking even farther than the benefits of reacting to a security threat. And a good thing too. Something like BO, designed to have such a low activity signature as to be undetectable by a casual user, is a huge accomplishment for a Windows product.
There are benefits for network admin tools, from having the BO code available. And if M$ doesn't learn, at least the rest of us will.
Re:??? (Score:1)
Frankly, I prefer not to have any uninvited guests.
Re:Fun Stuff (Score:1)
Just to be clear, I'm not a member of the CDC. Nonetheless, your responses aren't great.
0: Microsoft SUX!!! (0 because it's the _true_ motivation for all of the following arguments) Response: Yeah whatever. Nobody likes M$, but millions of us rely on their products in our homes and our workplaces. Some of us don't have a choice in the matter. If you want us to use something else, make something better.
While it's true that many don't have a choice in the OS used in their office, or by default because they're unable to install another, there are still lots of better, or at least different, choices out there. Your crack about 'make something better' is probably the most succinct description of the motivation behind hacking, and all it's produced, that I've ever seen.
1: It's just an administration tool. Response: [snip] If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?
One reason is to protect the administration tool. The network admin at my company is constantly telling people to enable Norton Antivirus; every time she has to clean their system manually, in fact.
You're right that BO is more than an administration tool: it's a political point that, for all the damage and heartache, is a valid point. See your response about leaving your house unlocked...
2: It's MS' fault for having the security holes in the first place. Response: [snip] If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.
I'm still a criminal, and you're still stupid for having left your door unlocked. Moreover, your home insurance won't cover you because you left your door unlocked; if you won't take known security measures to protect yourself, then you bear part of the blame.
3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?
My understanding of the release of the first BO is that Microsoft was offered an advance copy, and turned it down, while denying there was any security problem at all. Microsoft is a business, and what a business can get away with, it will. It's as simple as that, and if you disagree, you've never had the privilege of riding a cubicle in corporate America.
4: We're helping the community by bringing these problems to the attention of the public. Response: Clearly the only community cDc is concerned with is the script-kiddie community. Their program is extremely destructive to the common user and is most effective when used against inexperienced users. All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.
All they've done is force people to confront the problem. They've made a deliberate public showing of it, not to impress the script kiddies but to force a resolution to the issue. Yes, people may suffer because of it, but it takes a hard lesson sometimes. As for the atmosphere of distrust, which is better: suspicion all around or blissful ignorance?
Eternal Vigilance and Careful Security (Score:1)
Some friends of mine thought that it would be cool to set up a Red Hat box at their school district. A zippity-fast line and an administrator who was interested in Samba made it seem both fun and possible.
So the machine sat there and was played with, and various stuff. Then some script kiddie found his way in. With a 'Rewt' kit and some time, all of a sudden the machine was no longer under the control of my friends but of someone who was creative enough to pick a uid of 420.
The point: Even a Linux box can be filled with security holes, and even on a Linux box something like BO can run (port 31337 now allows anyone to telnet in and doesn't even require a login for root access).
I don't really mind people developing these rootkits or BO or whatever exploits they care to come up with, but I don't like people screwing around with other people's machines, as these exploits invariably lead to. Now that my friends know about the various holes they are ready to reinstall and start patching holes, but if the machine were something serious they'd be screwed.
With various holes known, we (the community of computer users, and the community in general) should make sure that they are fixed. As well, we should make sure that these exploits are not exploited by the corporations or anyone else.
peace
watch out for the conspiracy of tall men
Kernel modules (Score:1)
This is sad. (Score:1)
I do not even know why they are making such a big deal out of this. It is the same as the original Back Orifice + NT capabilities which requires that the infected program be run by Administrator. One could say that this could be done the same for UNIX or BeOS provided that the "Super User" is the one who will be running the infected program. Most large corporations are very careful about running unsupported software (i.e. stuff that's downloaded from the internet) anyway so I doubt this would make a big impact to most people. I see the target of Back Orifice 2k as Warez kiddies who probably didn't pay for their WinNT licenses anyway.
Re:heh, they're releasing the source code too... (Score:1)
Re:what is with people (Score:1)
In the hours, days, weeks and months to come, as we see dozens (possibly hundreds) of slight variations, total modifications and custom-built worms come out of that source code, I doubt you will still believe that.
This program is a serious threat to NT security. As others have pointed out, the problem isn't so much that NT is "insecure" (though there are definitely problems in that department), it's that the users and quite a few of its administrators are just plain dumb where security is concerned. And as I heard someone say in a previous thread: All it will take is one stupid user/admin to compromise the entire network. It will just make the process easy. Really easy.
Of course, yes, all of this and more is possible on a Unix system. The difference is Unix is a diverse set of operating systems. Porting code to different Unices takes time and some skill. BO2K will run flawlessly on any target machine, making it extremely easy for anyone to use (no coding experience required) and therefore that much more dangerous.
However, I don't think it's all bad. It's just like any other piece of software: It can be used for bad things or for good things. Don't blame it on the software or the authors (anyone who says writing software is in itself 'evil' is a total dope) - blame it on the assholes that actually use it maliciously.
And hey: If you're THAT worried about it, take that WinNT CD and chuck it out the window. Order a copy of Linux, FreeBSD or Solaris 7 and put that PC to real use.
Re:cDc justified (Score:1)
for granted that NT is insecure. NT has a solid security architecture that is more fine-grained than that of Linux. This means it COULD be better. The real problem is that MS Office is designed for a single user and requires you to have the equivalent of ROOT access to run it (OK, I'm exaggerating and I've never had Office on my computer so I wouldn't know, but disprove me). You could do exactly the same with Linux (pop up a box in Netscape, make the user type their password, mail it home), only that a user has fewer rights on Linux.
Re:AMA polluting meat (Score:1)
Who would've thought we could use cows as an analogy for OS security designs?
Re:AMA polluting meat (Score:1)
Sure, a security problem is a security problem only if someone decides to exploit it.
In my world, people exercise reasonable measures to protect their valuables. The measures of protection are proportional to the worth of the object/valuables. That's why banks have vaults and safety deposit boxes.
If Microsoft is going to claim that their operating systems are secure, I don't think they're the victim when people realize that their doors are wide open. The victims are the people who rely on Microsoft products for security. Microsoft should take responsibility for their marketing claims and engineering blunders.
Re:Nay (Score:2)
No, the AC is correct here. BackOrifice is just a remote control program (think PC Anywhere or any of the others in the Windows world). Do programs exist like this for Unix? How about X Windows?
If I tricked a UNIX user into running a modified telnet or something that would give me remote root access, it wouldn't matter if telnetd was disabled. The only reason UNIX is less vulnerable to something like this is that users spend less time logged in as root and are more careful. But that's more of a human issue than a technical one.
--
Surfing at -1 is fun! (Score:1)
Just imagine, if I wasn't surfing
(LOL!)
--
- Sean
Because (Score:1)
I won't say first, even though i am.
Re:Back Orifice for Linux... (Score:1)
What are you talking about? This is certainly not the only way to "prevent things like this".
First, all trojans take advantage of capabilities offered by the systems they infect. Kernel trojans take advantage of device drivers and context switching code. In this respect, all operating system functionality is subject to misuse by malicious code (such as BO2K). Obviously, this is not the problem that needs to be "fixed".
Next, the issue being discussed with respect to trojans that affect OS kernels is detectability. It simply is HARDER to detect a well-written NT trojan. The security community does not have the detailed information about the NT OS internals needed to develop good detection schemes for kernel trojans.
This stands in stark contrast to Linux trojans, which must in some manner be based on and affect the operation of the Linux kernel. The difference here is that the effect of a Linux kernel trojan is made measurable by the amount of information publicly available on the Linux kernel. Unlike NT.
Finally, the point you're making ("the only fix is to remove the functionality") is completely bogus. The problem is that NT is configured and used in a way that makes the distribution of BO and its siblings trivial. That is not a hard problem to solve. "Don't run unverified code inside of mail attachments". "Don't run programs you get from suspicious sources." "MD5 binaries you distribute to the public."
This isn't rocket science.
Re:Fun Stuff (Score:1)
I believe that there has ALWAYS been something better. The mac was better than win 3.1, people were just too cheap to pay the extra money for one. You get what you pay for.
1: It's just an administration tool.
If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?
Because if you are a network system admin, you don't really want people changing the software on their machines. Especially removing the program that you use to take care of said machines. To that end, if your client is scriptable, then you could run periodic, scheduled checks on all of your MS workstations to check for unwanted system changes. That's a great and wonderful thing.
2: It's MS' fault for having the security holes in the first place. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it.
My response: bull. If you want to give BO a purpose other than that stated, then it is perhaps a good argument for designing/using systems with security in mind. At least if you value your privacy and data. If BO didn't expose the basic flaws in such designs some other program would. It's only a matter of time. By releasing BO very publicly, both the users and the engineers of those systems get a good reason for using a better design. The idea is not to punish users, but to convince them that they need to demand better design from their vendors. Let me say that again: If such a program were not released publicly, then it would be released quietly. If it were done in that manner, then consumers would not worry about their systems, and continue to live in a deluded blissful belief that they were safe. The design would not improve.
3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?
First, when was the last time that MS fixed anything that wasn't demanded of them? If a problem exists, but isn't being exploited, they usually ignore it until it is being exploited. Second, and most unfortunate, is that these problems are inherent to the design of Windows. I don't think that MS could "fix" them if they wanted to. It would break too much existing software. BO is written with standard Win32 API calls. What's that? Yes, Microsoft DESIGNED WINDOWS TO ALLOW PROGRAMS TO DO THIS.
All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.
Who do you trust?
No, I'm not a member of cDc. I don't know if they want new members. I have, however, been very pleased with BO. I gained 100% access to my own place of business's network without any physical access. By doing so, I made the argument that security in the office was of prime importance. It held water, and we took some steps to make our Windows machines more secure. That's right, BO had exactly its described effect. Is that so surprising?
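Two suggestions in the posts above point at the same control: "MD5 binaries you distribute to the public" and running scheduled checks on workstations for unwanted system changes. The following is an added example, not code from the thread, cDc or BO2K, of a Tripwire-style baseline-and-compare check in Python. It uses SHA-256 rather than MD5, stores the baseline as JSON, and the directory tree, file names and the `dropped.exe` trojan stand-in are all constructed for the demonstration.

```python
"""Added example: a Tripwire-style integrity check.

Take a baseline of file digests, come back later, and report what was
added, removed or modified. The directory tree, file names and the
"dropped.exe" trojan stand-in below are constructed for this demo; the
algorithm (SHA-256) and the JSON baseline format are this example's
choices, not anything the thread or BO2K prescribes.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def file_digest(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots; sorted output keeps the report stable between runs."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it the way a dropper would."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        with open(os.path.join(sys32, "notepad.exe"), "wb") as fh:
            fh.write(b"MZ original notepad")          # stand-in bytes, not a real PE file
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"hello")

        # A scheduled job would write this to read-only media or a central server;
        # only digests leave the box, never the files themselves.
        saved = json.dumps(build_baseline(root))

        # Between two scheduled runs: a new binary appears, an existing one is
        # patched, and a file goes missing.
        with open(os.path.join(sys32, "dropped.exe"), "wb") as fh:       # hypothetical trojan name
            fh.write(b"MZ unwanted")
        with open(os.path.join(sys32, "notepad.exe"), "ab") as fh:
            fh.write(b" + appended payload")
        os.remove(os.path.join(root, "readme.txt"))

        return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check only has value if the saved baseline cannot be rewritten by whatever it is meant to catch, so in practice the JSON goes to read-only media or a host the workstation cannot write to, and the comparison runs from there.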
Are they attacking MS or stealing their niche? (Score:4)
Looks like Micros~1 has some serious competition from cDc.
Microsoft as martyr? (Score:2)
"Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"
Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?
Re:Back Orifice for Linux... (Score:1)
It doesn't hide processes. man kill(1). I'm sure comparable problems exist in the manner it hides files.
Re:cDc justified (Score:2)
MS Office 97 doesn't quite need Administrator/root, but it does require write access to a few files in \WINNT\SYSTEM32 and much of its program directory, as well as in odd places in the Registry.
MS Office and other poorly designed programs (Netscape) are one big reason the default permissions on NT4 are so loose. The problem isn't really the OS, it's how the installer sets everything up. That, and most workstation users log on as a local administrator.
(As a side note, Microsoft has taken a lot of blows on this from those familiar with Unix, as well as their own user community. I'd expect Windows/Office 2000 to be much better in this respect. Win2000 beta appears to ship much tighter, and then includes some scripts to loosen things for compatibility with certain apps.)
--
Boy my management would love this! (Score:1)
Management would love to have this. They could see what you're doing with your time. Right down to the keystrokes.
Actually, if this does what it claims, then management should really be worried about security. But no one will do anything until it's too late.
PS.
I saw this article a few days ago and tried to submit it, but slashdot wasn't responding
Re:Not a good thing (Score:1)
I'm a sysadmin for a large US Gov't agency. As such, my machines are a prime target for external attacks. So I can understand the concern about creating tools that "ordinary people" (ie: script kiddies) can use without any real technical knowledge. Keeping up with this kind of stuff can certainly add to my already overloaded schedule. But to be honest, the kind of threat this creates is not my biggest fear.
My biggest fear is the unpublished exploit. Published security holes get fixed. History has shown a tendency with vendors to ignore security issues until they become politically embarrassing. This leads to vulnerabilities in my system(s) that I am unaware of and, consequently, can be exploited without my knowledge.
Let's not kid ourselves here... people with malicious intent WILL share their knowledge with others of the same inclination. At the same time, they're less likely to take steps towards patching the hole they are taking advantage of.
By bringing security issues to the public eye, people like the cDc are helping ensure the security of our environments improves. It may be additional work to keep up with these improvements. However, I don't know about your environment, but mine demands a hell of a lot of hassle whenever one of our machines is compromised.
Re:Fun Stuff (Score:1)
While Sir Dystic might say he wants MS to boost its security, I think it is clear that this is a thinly disguised one. How is this different from releasing the source code to a virus and then letting the script kiddies actually send it out?
Excellent. (Score:2)
--Shoeboy
Analogies (Score:2)
The Cult of the Dead Cow has no such responsibilities, and no trust is betrayed. If you really want a tainted meat analogy, compare them with ecoterrorists poisoning meat to prove that McDonalds doesn't follow proper hygiene procedures. Even that's not a great analogy, since the cDc's programs don't have the potential loss of life that a meat poisoning scheme would.
Why is it bad? (Score:1)
--
"take the red pill and you stay in wonderland and I'll show you how deep the rabbit hole goes"
AMA polluting meat (Score:5)
Anyway, that's my two cents- I'd love to find the author's email to let him know, but I can't find it. Any clue?
-Luge
Re:Imagine (Score:1)
You forget, mon ami, that cDc is releasing the source. That means that people are free to modify the program as they desire (a phenomenon very familiar to us of the Free Software/Open Source persuasion).
Who's to say what "signature" these modified BO2K variants will have? Who's to say how identifiable they will be?
--
- Sean
Re:WHY exactly is it.... (Score:1)
Microsoft frequently makes claims as to the security of their products without making any efforts to actually prove it to the security community. An example of this is the virtual private network scheme - the algorithm and implementation is untested, untried, and unproven. If one uses it, one must take MS's word as to its efficacy.
MS compounds the error of their ways by placing the blame on the cracker/hacker who exploits their security holes. If you wish to continue with the gun metaphor, perhaps this would be analogous to a claim that guns don't kill people, people kill people.
"Self-Appointed Security Watchdogs" (Score:1)
Apparently some of you are under the impression that the security community is some sort of professional organization, like the IEEE, that you have to obtain membership from to participate. You are wrong. What we know about security in 1999 is 90% the result of independent research work done by people trying to find new ways to break into computer systems.
The security community is aware of stack overflow vulnerabilities in large part due to a successful attack on the Internet that happened in the 80s. The relevance of the attack on modern Unix systems was underscored by the 8lgm (with the Sendmail 8.6.12 advisory), a group that did nothing but post exploit code for new security problems they discovered. And the immense code audits for overflows that Linux and 4.4BSD went through were the direct result of Mudge and Aleph One posting detailed "how-to-write-an-exploit" cookbooks for hackers.
Nobody of any repute in the security community criticizes any of these people for what they've done. To do so would be silly; we know that our software would be less secure without these people, as well as we know that crackers had access to the information long before we did.
The entire security community is BASED on the concept of PEER REVIEW, where anonymous strangers (preferably scruffy college kids, for theatric effect) scour published code and design documents and find flaws. We wouldn't have Blowfish and IDEA if it weren't for Biham and Shamir ripping up DES.
cDc is following along in the same tradition, and it's a tradition that we need to ensure is maintained. Nobody is doing the security community any favors by attempting to vilify Sir Dystic. It is incredibly important that we not set a precedent for shooting the messenger.
Re:Why all the stealth features then? (Score:1)
And when my boss asks "why did you kill that program?" I just tell them I didn't - it probably crashed by itself or because of some os glitch.
Re:what is with people (Score:1)
No doubt whatsoever? Then I suppose you wouldn't mind placing a wager on that? Meet me at Defcon before Saturday 2:00pm and we will make a bet. Bring money.
Re:Fun Stuff (Score:1)
MS DOS was never intended to be at all secure--it was always a purely single-user system.
Windows 3.1 was never meant to be secure--it was just a single-user, single-instance shell to the single-user, single-task DOS.
Win9x was never meant to be secure--it was just a more powerful utility with pretty much exactly the same purpose as Windows 3.1. The `hit escape to bypass login' thing isn't a mistake or a `security hole'--Win95 logins only exist to maintain multiple sets of settings.
WinNT didn't start out as a multiuser operating system with built-in paranoia, so it hasn't been, and isn't going to be, easy for Microsoft to tack that onto it.
MS Windows is `insecure', but that was initially the point to the OS.
Windows 9x, these days, is a video-game system, and it's pretty good for that, and not much more. Besides, you don't really need a video-game system to be `secure'....
Let's get things all straight, and use the right tools for the job--not all operating systems (or shells) are good for everything (which makes me think of all of the full-screen Windows games--what's the point of a window system when you want to run things full-screen? How much better would the games go if you just didn't load the Windows GUI to begin with?).
good sides and bad sides (Score:1)
The good side is that equally stupid users, i.e. the crackers, will actually feel sooooo smart.
The good point of that is that sooner or later they will be caught; that's the punishment for stupid hackers.
Symptoms of Closed Source (Score:1)
Re:This is sad. (Score:1)
Do you honestly think there's anything that Back Orifice does that Microsoft Engineering doesn't already know? I have met and talked to Sir Dystic on a number of occasions, and my impression of him is that he is someone who knows what a "security advisory" is and what the conventions are (prerelease to vendor, publication of a patch/workaround, etc) for releasing them.
This ISN'T a new security hole. cDc doesn't need to teach Microsoft ANYTHING. This is a statement (IMO, an effective one) to the public about the security implications of OTHER, WELL KNOWN Win32 security problems. They are, to co-opt the motto of the L0pht, "making the theoretical practical".
This is a good thing. You can show all the scary press about BO2K to your IT managers and get resources to properly secure your NT boxes. You should appreciate (and exploit) this.
what is with people (Score:1)
But this is not a security hole, it is a remote administration program that has to be installed. It doesn't matter what the OS is; if you install a program that was written to give remote admin capabilities, then you have given people that ability.
How does this constitute a security hole on M$'s part? It sounds more like a security hole in the person using the computer. I can remote admin many different OSes; does that make them insecure also?
People, please think, think before you speak, or politicians will take that away from you also.
Re:Idiocy (Score:1)
The security risk *is* specific to the Windows world. BO/BO2K can be installed by any user, privileged or not.
To do the same on a Unix-based system, one would need either root access or a poorly configured system (ie. you need to somehow trick a privileged user into running it for you).
"Any mildly compitant [sic] sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure."
Thanks for emphasising my point. Your problem is that under Windows, anyone can install BO, not simply the system administrator.
Aside from that, any problems that are discovered in an open-source Unix-based OS have patches released within *hours*. Contrast this with MS's responses to past issues, and come to your own conclusions.
"Designing this program to comprimise [sic] a system that isn't designed to be secure is ridiculous."
I couldn't agree more. But Microsoft claims that its "enterprise-ready" OS *is* secure. Your ridicule should be directed at MS.
Re:Imagine (Score:1)
cDc hasn't invented anything. The source code is meaningless to the research community as a document of any new problems. cDc probably hasn't done anything in the code for BO2K that wasn't already documented in MSDN. The source code probably will not convey any new revelations to the computer underground.
BO2K is not a new concept. The equivalent has probably been floating around the computer underground for ages. The idea is simply much better documented now, and MS has a very compelling reason to address the issue directly.
It is a fairly well-accepted tenet of the security community that whenever you hear about new source code being released, you should assume it HAS been released to the underground for quite some time beforehand. What makes you think that BO2K, or something much worse, hasn't been available to modify by crackers for years?
This same logic could be applied to Aleph One's "Smashing the Stack" paper (the harbinger of 31336 different stack overflow exploits). With the benefit of hindsight, we see that the result of this exploit cookbook (which was, by the way, far more dangerous than BO2K source code, given that it [and its immediate antecedents] DID contain revelations to the computer underground) was the almost complete eradication of stack overflows from Linux and 4.4BSD.
On a lesser scale, the release of the rootkit trojans had the same effect for the Unix security community --- you'd have a hard time hiding the original rootkit on even a naively administered network these days.
BO2K will have the same effect on NT.
Re:The best thing for BO is to become useful. (Score:1)
Re:bad journalism (Score:1)
NT *is* horrible (Score:1)
Re:Yet more MS bashing (Score:1)
Re:Just twits getting self-excited. (Score:1)
1) Patch releases take too long
2) Stability
3) The UNIX OSes have been around for 30 years and poked at longer.
4) Go ahead, install that service pack on your critical NT system. I dare you.
5) Automation.
Re:Not a good thing (Score:1)
You'd also make a shitload of money
(well, after the first BO came out a lot of companies came out with free fixes)
What's really insidious, though, is that because the source is open, it's possible to modify it just enough to evade detection....
a pain in the ass (Score:1)
Re:But wait, could it be... USEFUL? (Score:1)
$ diff -u VNC_OR_SOME_GOOD_REMOTE_CONTROL_PROG BO2K
- bloat
+ speed
- tell the user you installed it
I never understood why people thought BO was a security exploit. It's a quiet remote control app. The fact that people have coded silent installers is not a security hole, either. I could probably, in a couple hours, write a little proggie to silently install VNC on someone's computer. Or any other remote control app for that matter (VNC would be easy because it's GPL'd).
Re:analogies suck around here (Score:1)
In an analogy A:B=C:D, there is no implied relationship between individual elements (such as A and C or A and D or even A and B); rather, the relationship between A and B is said to be equivalent or nearly equivalent to that of C and D, even if A(B) has absolutely nothing to do with C(D). Nothing more is implied.
Kyle
NP: Gamma Ray, Sigh No More
--
Kyle R. Rose, MIT LCS
Re:How long has BackOrifice been around? (Score:1)
These things will really pound on companies, who will yell at M$ for making shitty OS's, then the companies, if they are smart, will change. Where I work, _EVERYONE_ uses NT4 and it would take a lot of time to bring everything up to speed after a changeover, so we can't go to Unix/BSD/whatever.
I am not a CDC member, but I have used BO. I got into 3 of my friend's computers by sending them the infected thing and I told them it was a C program I made. They ran it, I took over their system and popped up messages telling them what I had just done to their system.
~Gawyn~
Re:Imagine (Score:1)
Now let's get realistic for a second. If it were worth anything more than a new script kiddie tool, why not bring it out at PC Expo as opposed to DefCon? Program something good for a change. And I don't mean that in the sense that the program sucks. You know damn well its intentions are for the losers who wouldn't know how to hack a chicken with an ax point blank. Think of all the data that's going to be destroyed when some 14 year old loser downloads it and sweeps subnets because his little high school hoe just dumped him and now he wants to DELTREE your whole damn PC.
You and I both know the true purpose behind BO is just a slap in the face to Microcrap and a way to intrude networks and nothing more.
...by the way whats up to the l0pht section of you guys...
Re:AMA polluting meat (Score:1)
So, I guess that you haven't been hearing about all the vegetables that have been getting E. coli as well?
Here's more information [cnn.com].
Relevant quote:
Alfalfa sprouts, the quintessential health food used as garnish on everything from salads to hamburgers, sickened an estimated 20,000 people in the United States in two outbreaks in 1995, researchers say.
Don't be so smug. Vegetarians aren't E. coli free. =)
Bun is neither meat nor cheese.
Dumbing down (Score:1)
But that's only part of the problem. Mass production of MCSEs isnt helping.
I've been admining NT and Linux for quite a while now, but I decided to enroll in (ugh...I know...shaddup) MCSE school to learn the little details I would need to throw back out at the test to be "certified". It was pretty depressing. In the ENTIRE NT wks and svr sections, I only recall seeing "don't stay logged in as the Admin" once. It was never stated in class. I was one of two people in the class who had even installed NT. (They give you a 120 day eval.) Several people didn't have computers.
If you are going to use NT as an important server, you should really set it up with strictly what you need, service pack it as best you can, lock the console, and never log in locally unless there is a problem. I have gone to way too many places seeing people using the server as their workstation, logged in as Administrator with IE4 and Outlook (with Word as the editor) both open, having no idea what that can do. Getting your hands on people to run your servers intelligently (or for God's sake learn yourself) is the best plan if you must use NT. Don't use IT staffing firms. And the most important rule: if the NT machine matters to you, don't put it on the Internet. If you must put it on the Internet, don't browse from it and DAMNIT, DISABLE NetBIOS on the NIC that is facing the Internet. These can't solve all problems, but it's all you can really do.
This is not taught to the people who really really want to be an admin in MCSE school. People aren't learning. I have no idea what the solution to this is. I can make all the noise I want about it, but someone always knows better.
It is pretty silly to see this as some massive threat. IP masquerading or proxying or whatever should stop this from happening to you unless someone makes one that opens control outbound actively to a predefined host instead of passively waiting for a connection. People were scanning clients on IRC for PC-Anywhere connections to look for blank passwords. Why is cDc worse? Open NetBIOS shares, buggy Windows ftp servers, etc. are much more of a problem for the people willing to have MS products directly on the Internet, but again, that's user error and they probably didn't know.
Maybe I'm way off track here, but I dunno. Just thought I'd ramble
-True Dork
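An added audit script (written here, not by the poster or by cDc) that checks the hardening points listed in the post above on a modern Windows host. It assumes PowerShell 5.1 or later with the NetTCPIP and CimCmdlets modules, which NT 4 itself never had; the adapter selection and port list are the only inputs.

```powershell
# Added example: audit the "NT on the Internet" hardening list from the post above.
# Assumes a modern Windows host (NetTCPIP + CimCmdlets); run in an elevated shell.

# 1. NetBIOS over TCP/IP, per IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }

foreach ($a in $adapters) {
    $state = switch ($a.TcpipNetbiosOptions) {
        0 { 'default (DHCP decides)' }
        1 { 'ENABLED' }
        2 { 'disabled' }
    }
    '{0,-45} NetBIOS over TCP/IP: {1}' -f $a.Description, $state
}

# To disable NetBIOS on one adapter (pick the Internet-facing one by its
# Description or InterfaceIndex), uncomment and adjust:
# $inet = $adapters | Where-Object { $_.Description -like '*Internet-facing adapter name*' }
# Invoke-CimMethod -InputObject $inet -MethodName SetTcpipNetbios `
#     -Arguments @{ TcpipNetbiosOptions = [uint32]2 }

# 2. Anything still listening on the NetBIOS / SMB ports?
#    TCP 139 (NetBIOS session) and 445 (direct SMB); UDP 137/138 (name/datagram).
'--- TCP listeners on 139/445 ---'
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

'--- UDP endpoints on 137/138 ---'
Get-NetUDPEndpoint |
    Where-Object { $_.LocalPort -in 137, 138 } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. "Don't stay logged in as the Admin": is this session running as Administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Current session holds Administrator: $isAdmin  (user: $($identity.Name))"

# 4. "Service pack it as best you can": most recently installed update.
'--- newest installed hotfix ---'
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 HotFixID, Description, InstalledOn
```

Any adapter reported as ENABLED, or any listener on 139/445 bound to an Internet-facing address, is the condition the post warns about; the commented Invoke-CimMethod call is the per-adapter fix.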
Re:Open Source, dangers thereof (Score:1)
What about open source OS's? *nix? You are saying that in order to make open-sourcing illegal, you would completely obliterate an operating system which has out-performed the current most-used operating system, Windows?
~Gawyn~
Re:Fun Stuff (Score:1)
Somebody should break into the CDC's computers and screw with their files so they can see how 'beneficial' it is.
Go for it! I'm sure you wouldn't be the first to try, and if you succeeded, you would have demonstrated that they should use better software.
2: It's MS' fault for having the security holes in the first place. Response: Bull. Microsoft's engineers have attempted to create a product that will be useful to people. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it. If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.
Microsoft's engineers have most likely attempted to create a product that is as profitable as possible; that's how publicly traded companies work. Unfortunately, the software market has demonstrated that what is most profitable is not what is most secure, stable, flexible, etc.
Also, I think that analogies to physical things like windows, cars, guns, and cows, are inaccurate. High physical security isn't feasible in our day to day lives; e.g. Kevlar vests are expensive and currently unfashionable. However, decent computer security is both feasible and sexy, so it is acceptable--and I believe beneficial--to create an environment in which it is necessary.
3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?
History has shown that MS drags their feet on fixing security holes that are given to them privately, in advance. Remember the IIS hole that eEye found? (See www.eeye.com [eeye.com] for specifics.) To summarize, Microsoft was given a week of advance notice, but apparently did nothing until exploits were already available. Even then, they called eEye irresponsible for releasing an exploit after others already existed!
However, I don't feel that eEye had any ethical obligation to give Microsoft the advance notice that they did. If everyone always gives Microsoft (or any other company) advance notice about security holes, then Microsoft has little financial incentive to put more effort into releasing a product that is secure to begin with. I think it's shortsighted to look at the actions of a group like cDc in the context of a single exploit; you need to look at the long term effect they have on the market. If Microsoft has to pay dearly for each security hole in their products (in this case, paying in terms of lost revenue from people who decide to use more secure products), they will be more concerned about the security of their products, because it will increase their profitability.
The only way that users win when it comes to security holes is simply to have secure software. If vendors are treated with too much leniency, this will never be achieved.
Idiocy (Score:1)
Any mildly competent sysadmin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure.
WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.
I obtained a copy of BO 2000, and I was unable to get it to run on NT. I tried it on 3 separate NT systems including 2 copies of Workstation and 1 of Server. It gave me the same illegal operation on all three systems.
It did, however, copy its key to the registry, and move itself to the WinNT directory. Each time I started up, however, I got a blue screen with the error, and after I hit enter, the system booted normally.
I have a feeling that BO 2000 *may* run on NT, but I couldn't get it to work.
BO 2000 ran great on Win98, and 95... and there are some nice improvements.
I personally think that BO is dumb. Designing this program to compromise a system that isn't designed to be secure is ridiculous. It simply shows the childish tendencies of many hackers.
Windows Security Holes (was: Oh please) (Score:1)
I was shocked when many of my NT programs did not run or gave warning/error messages when I protected their directories (i.e. \Program Files) as read only. Unix has it right in this department--protecting the
Re:Why all the stealth features then? (Score:1)
So, to keep it running, you'd want to make sure the users didn't even know it was there. Hence the stealth features.
Re:what is with people (Score:2)
The analogy here is that every NT box has a walking 'root' attack built into it...
Now, would you want a security hole like this in a multi-user system? All it takes is _one_ downloaded email program and your entire network is compromised.
Let's think about this a moment:
BO 2k (and the original BO) is designed so that it can install invisibly after being attached to another program that _executes normally_. This means that Script Kiddie A can attach BO 2k to, say, a copy of the latest version of WinZip. He then sends that copy of WinZip out in a nicely drafted email to several people at an office. The instant one of those people downloads that email and installs the new version of WinZip (which works fine, and is in all ways a 'normal' version of WinZip), they have just infected the entire network with BO2k.
Now tell me this is a 'remote administration' feature and not a security vulnerability.
The very nature of remote administration implies that you must have privileged access to the machine in order to administer it. BO2k allows _unprivileged_ users to both install and administer it.
While I disapprove of the cDc's choice of methods, I can at least say that if they had to make this program, they are at least distributing it properly. Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. Patches could conceivably be easily produced by Microsoft, and programs to detect, counteract, and remove it should be easily developed as well.
This IS a security threat people. Take it lightly and I'm sure you'll rapidly change your tune after your network is taken over by Script Kiddie A exploiting known Microsoft security vulnerabilities.
Re:Not a good thing (Score:1)
It's one thing to code this from scratch, run it from a command line, and analyze packets etc. It's an entirely different issue to slap a GUI interface on it, make it self installing, completely user friendly, *and* make it completely hidden from the victim. Not anyone can code or decipher IP packets, but when it's so easy to take control and access someone's computer, you're letting the wrong kind of people into the toybox.
Conclusion: BO and BO2000 will not hurt MS. MS will release a patch (maybe) and move on to another software product (definitely). BO and BO2000 will simply hurt the people who use MS.
It's my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.
Re:Yet more MS bashing (Score:2)
Microsoft is good at making interfaces that appear user friendly. They will claim that they can automatically configure XYZ, and then fail half-way through the process. They offer no details on why it failed
The fact that it takes them 4 revisions to get it right (four revisions they make us pay for) NT 4 is right? (Ok I know the first version of NT was labeled NT 3.1, so 4 should be only 2 or 3)
Conflicting logic (Score:1)
In your post you said both
"WinNT is just as secure, if not more secure, than most Unix systems."
and
"I personally think that BO is dumb. Designing this program to compromise a system that isn't designed to be secure is ridiculous."
Is it just me or do your statements conflict with one another?
Re:Idiocy (Score:1)
~Gawyn~
Re:bad journalism (Score:1)
Re:Fun Stuff (Score:1)
As to your other point, a default install of Linux wouldn't stand up against programs designed specifically to exploit them, that's what patches are for. The difference between patching the holes in Linux (and most unices) and Windows is the time between when the exploit is announced and when the patch is available. Most of the stuff BO is taking advantage of has been known about for quite a while and there is still no patch. Most exploits on Linux are patched within a couple days, often within a few hours.
Cernnunous
Re:But wait, could it be... USEFUL? (Score:1)
Would you agree Virtual Network Computing (http://www.uk.research.att.com/vnc) goes at least some way towards meeting that goal? Without including the stealth features and self promotional posturing as our self-appointed security watchdogs?
You guys in CDC are obviously good programmers. If you're serious about protecting security, I hope you expand to probing other OS's too and not just concentrate on the Gates-bashing which too many here have an obsession about.
Re:Why all the stealth features then? (Score:1)
Besides, why even put it out for a fight if you can just hide it so the user doesn't know any better? Stealth makes it much easier.
back doors and open source. (Score:1)
>available - so I doubt there will be any back
>doors (and if there are any - they will likely
>be caught rather quickly)
Just make sure you compile from the sources and don't just take a binary copy!
I also heard there was a backdoor in the original BO. Has anyone confirmed this? What info did it actually send?
--McFly
Re:Instant poll (Score:1)
Not a good thing (Score:3)
I agree with the CNN article: this cult's motives don't make any sense; it's like a cult from the automobile industry who steals cars to make everyone get car alarms. It does much more harm than good. This is a negative way of getting attention to network security, not a positive way.
Re:Microsoft as martyr? (Score:2)
Yeah, so? Do you have a problem with that? I sure as hell don't use windows when I don't have to, but since it is forced on me as an email machine at work, I would sure like it to be secure.
If you have a problem with MS fixing their own OS due to security concerns I think you need to step back and think about your views. Why do you care so much about it?
/dev
Bad analogy, as usual (Score:3)
The correct analogy in this case would be the AMA infecting cattle with E. coli to make cattle owners produce cattle that are resistant to that bacteria. I'm not surprised he used an incorrect analogy: the right one would undermine the "popular" opinion that virii and hackers are universally bad, instead of good for flagrantly (and typically non-destructively) exploiting security flaws and shoddy programming.
Kyle
NP: Arkhe, S/T
--
Kyle R. Rose, MIT LCS
Re:Not a good thing (Score:2)
Second of all, the tool we are releasing is an incredibly useful and powerful remote administration tool, much better than anything else currently available from Microsoft, Symantec or anybody else. If Microsoft didn't make it so irritatingly difficult to figure out what your server is actually doing at any given moment, the security concerns would be a moot point.
Re:Microsoft seeks BackOrifice warez (Score:2)
Sadly enough... (Score:3)
What's even sadder is that this could all be avoided if M$ was as open as Linux and there was an open environment for users to say something like "Hey, you gotta problem here, thought you'd like to know." and get a response. That's not the way it works.
I guess the way I view it is yes, the ethics of giving 'fire' to script kiddeez is somewhat questionable, but as with Melissa and every other stupid hole in M$ software, who's more to blame? The person pointing out the way to a wide open back door, or M$ telling everyone not to worry, they're getting the most secure system around? Let me tell you that as someone who unfortunately has to put up with an NT network at present, it's a bit disturbing when I read about a hole in NT and see a link to an exploit _days_ before I'm notified by Micro$oft's security mailing list that there's even a problem, and then all they ever do is play it down and point out how rare it is and what little threat it is to my system.
Personally, I say more power to cDc. Somebody has to speak up and sometimes it takes some punk wiping out a network with a keystroke to get the right people to listen. All's fair in code and war. If it's not CNN it looks like somebody's already doing that. Maybe this time they'll learn.
Re:Microsoft seeks BackOrifice warez (Score:2)
I'd like to see the neighborhood traffic on your street. How many are dark vans and limos with dark tinted windows and stay parked close to your house? Have you ever walked up to one of them to say "Hi!" to the occupants? I'm sure there is a vested interest in knowing who you are and watching your residence, friends, and place of work.
Privacy Concerns? (Score:3)
Imagine an IS department making this part of their standard workstation build? They could claim that it is for remote administration but could also use it for spying on everything that an employee does on his/her PC. Granted, users shouldn't be doing anything questionable in the first place but still, there are some things that should be kept private.
Re:It's a tool people (Score:2)
I have.
Re:heh, they're releasing the source code too... (Score:2)
New Disclaimer (Score:4)
It should be legally mandated that any article speaking of upcoming Microsoft products carry a disclaimer similar to this.
.02
But wait, could it be... USEFUL? (Score:5)
If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?
Back Orifice 2000 is a tremendously useful tool for any administrator, and will only become more valuable as hackers around the world (please note that I understand that word, and I do mean hackers) modify and extend it. Managing windows networks is a far easier and richer experience when you have something like BO2K to work with. Is it a mixed blessing? Possibly so. But the best way to make BO2K work for you is to use it, and understand it.
The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them. One way to make that happen is by convincing major vendors that they need to tighten up their products and make SURE that customers understand how to keep themselves secure, and that the products help them do that. The other way is by letting those same users get at the functional guts of the systems they use, without the layers of obfuscation and abstraction that characterize a modern operating system. Hopefully, BO2K will achieve both these goals.
Back Orifice 2000. Show some control.
A more apropos analogy (Score:2)
All that the Clan of the Deceased Cattle is demonstrating - however effectively - is that M$ doesn't make the best mousetrap. But then who does?
quick demo on/for the author? (Score:2)
It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.
Hmmm, if the author is running NT then perhaps one of you cDc chaps would be good enough to give him a quick demo? *grin*
Re:Fun Stuff (Score:2)
Re:Oh please (Score:2)
Re:Microsoft as martyr? (Score:2)
Yes. The US Army. In a FCW article [fcw.com] (that was referenced by a slashdot article [slashdot.org]), they talk about how the US Army picked Solaris with Lotus Notes for secure communications over WinNT and Exchange due to security concerns with the OS.
The contract was for the Army Battle Command System (ABCS) which apparently deals with secure communications in the battlefield. I'm sure it was a hefty contract. But there's more to it.
An interesting sidenote to all this (and the REAL meat of the article) is that Microsoft is scrambling to make a Unix Exchange client to support the Defense Department's secure Defense Message System (DMS) program. The fear is that if the US Army starts to go this direction with messaging on Unix, they're just as likely to scrap Exchange servers back at home to make everything cross compatible.
e. coli? Back Orifice? (Score:2)
bad journalism (Score:3)
Re:AMA polluting meat (Score:2)
I don't really agree.
If I leave my home unlocked at night, is that a security problem? No, it's only a problem if someone chooses to exploit my (arguable) carelessness. Same with NT.
I wouldn't put a "this house is unlocked" sign on my lawn for the same reason that M$ doesn't publicize their careless design/implementation. The probability of exploitation skyrockets.
The CDC put a lot of effort into BO. Just as distributed.net put a lot of effort into showing that RSA ain't all that secure either. M$ didn't just leave the system wide open. It took someone with savvy and time to write a tool to take advantage of a loose hinge on a basement window. Now the CDC is giving every hooligan in the neighborhood that tool. Now M$ needs to fix the hinge. Next time, the CDC will climb up on the porch roof, and jimmy the bathroom window with a credit card...
Cat and mouse.
I LOVE THIS APPLICATION!!! (Score:3)
It's about time! They promised NT support for Back Orifice last year. Well, their exact words were, "Soon." And I think it's just a delicious pun that they call it "Back Orifice 2000."
I'm sorry if anyone finds this offensive, but I consider NT to be inferior. Microsoft typically buys its way into technology, but it never takes the time to make any true advancements of their own: they bully companies into working only with them, and when these companies do, it becomes almost impossible to get software products or device drivers for non-MS platforms. When Microsoft "embraces & extends" they're only taking someone else's work, adding a few functions so it won't work on anything but Windows, and locking up the changes so no one else can make their product compatible with the MS version. They [Microsoft] then engage the marketing machine and have their minions in the trade press hype the crap out of the product; which many of these publications routinely do despite the fact that MS' product is really just a polluted version of a good idea. The point is, I am offended by Microsoft. It is deceitful for them to engage in the practices that they do. The great irony is that they claim to be leading the world away from weak, bug ridden software, when that is in fact what they produce!
I do a dance of joy every time a new virus is announced for Windows. Like Melissa -- I loved the fact that it only infected people using MS email clients. I believe Chernobyl served as a point of awakening for many people who have only used Microsoft systems. Despite the belief to the contrary, Windows is just as difficult to install from scratch as some Linux distributions. It's a lot like "The Matrix" when these people who had spent their entire lives in this fabricated reality wake up. When they first run Linux they discover that this whole time they have been mindlessly sleeping in a pool of goo with their brains hooked up to some interface -- they discover they don't have to play by the System's rules: that they have true power.
This tool also provides something interesting. Imagine a remote administration utility so powerful that you have more control over someone's computer remotely than they have in front of it. NT doesn't even ship with a telnet server! It's ironic what this tool does, because remote administration utilities are EXACTLY what NT is lacking in. And by the way, NT is supposed to be a "Network Operating System;" but an NOS that is susceptible to viruses? Unforgivable!
So what's the big solution? I want everyone to be able to have the opportunity to write software without getting unfairly squashed. I'd like to see software companies get behind Linux, or at least the standard Unix binary that all the commercial Unix companies are pushing. This includes Microsoft, they can write their software for Linux if they want. If everyone sticks to an open, universal platform then everyone has a fair chance at making it in the computer business. When I originally heard NT was going to be POSIX compliant I thought, "Well great!" But that changed as Microsoft opted for "proprietary" instead of "open," so they could lock MS drones into using MS only products.
So, if the cracker ethic is a means to an end, let it be. Perhaps that is the true evolution of the [computer] species.
Re:It's a tool people (Score:2)
>vegetarianism for all.
If all you're after is vegetables, why would you use anything bigger than a handgun? Killer turnips? Mutated venus fly traps?
vegetarians for all. preferably grilled.
Re:Not a good thing (Score:4)
A.) Please stop using analogies to communicate. Read the discussion so far. Do you notice that people are wasting more breath discussing the flaws in the analogies than they are the issue itself? cDc didn't infect meat or steal cars. They wrote code. I think we're intelligent enough to discuss that.
B.) cDc didn't create ANY security problems. The attitude that says they did is called "security through obscurity", and it doesn't work. The computer underground is consistently and blatantly underestimated by people, most of whom have no connection to the security research community, who think that system crackers didn't have tools prior to their public release.
The functional equivalent of Back Orifice was already in the hands of people you definitely did NOT want to have these tools long before Sir Dystik released the first Back Orifice trojan.
Pull your head out of the sand.
Re:bad journalism (Score:2)
1) repeat verbatim that which comes across the wires. It is gospel.
2) There are no two sides to any issue, just the right one. Have polls like, "Are you for the slaughter of children/elderly/disabled/etc, or are you a nice caring, democrat?" Then conclude that 98.32% of the world will vote for Hillary as Master of the Universe and there is no use thinking about anyone else.
3) Never go out and validate what sources say. Again, just repeat. Feel free to mix and match questions and answers to better support rule #2.
I could go on and on. But the media isn't about facts or informing the public. There was a day when saying "mostly teenaged" when talking about a group would be followed up with something like, "Joe Smith, 14, says
The media is just another political outlet, telling you what to think, etc. Believe them, or die. If the kind and benevolent Microsoft isn't tortured by teenagers like cDc, the world would be a happy place.
Re:If it still works Microsoft dident do a good jo (Score:2)
This problem already does affect Linux. There are published kernel trojans in Phrack magazine. The issue is that in normal Linux installations, the only way to actually use a BO-like tool is to gain root access to the server first. When that occurs, the means by which root access was gained is almost IMMEDIATELY published and resolved.
You would "fix this problem" by ensuring that users who run applications like mail readers that have the ability to execute content provided by untrusted sources would NOT at the same time have the privileges required to install something like BO2K.
It's not like BO2K can just point at an arbitrary NT installation and magically infect it.
Fair enough (Score:2)
That brings it closer to the example in the article, and I think that my angle still tracks.
If the (real) CDC taints the fields with new diseases each spring, to check for cattle resistance to the concept of disease rather than a particular one, then how can that be dealt with by the packing plant? They don't know what to fight. And we all know that a computer can only be made truly secure by making it useless. People are the problem, bad design/coding just makes it easier for the bad apple.
The point I was trying to make is that CDC is exploiting newer holes each time. I agree that this is of benefit. It's nice to have someone do your debugging for you (if you're the user or even M$ itself). And if M$ fails to close the hole after it's exposed then poo-poo on them. We have choices - too bad more people don't realize that.
I do, however, take exception to the CDC making the exploit tool available to the prepubescents on AOL. My experience with hackers has been that the good ones, the ones that know what they're doing, don't go around handing guns to children. They'll document it, publicize the weakness, perhaps even provide logic to close the hole; but with their experience comes a sense of responsibility.
Making a skeleton key and leaving it in the key-copy machine is irresponsible.
Re:AMA polluting meat (Score:2)
Seriously though, this is just another example of why computer analogies should be left completely alone.