Forgot your password?
typodupeerror
News

Back Orifice 2000 on CNN.COM 339

Posted by CmdrTaco
from the stuff-to-read dept.
LLatson writes "CNN.COM is running an article about Sir Distic releasing Back Orifice 2000. Sounds like this time it will run on NT..." Comments on why this is being done, as well as a source release and a few changes to the 2k system.
This discussion has been archived. No new comments can be posted.

Back Orifice 2000 on CNN.COM

Comments Filter:
  • There is no telling what some people will love.
  • by Aglassis (10161)
    Nay, for two reasons:

    1. On UNIX systems telneting and trying to log in as root will not work
    2. Telnet has security measures and can be disabled by the server at will.
  • BO is hyped, but its not bullshit. The programming model is similiar to VNC and PCA, but the delivery is vastly different. BO is a stealth product designed to lurk and attack, this is precisely why 12 year old kids are getting excited. And if BO version 2 users can change ports/protocols on their own, detection will be difficult and those 12 year olds will certainly be excited about something.
  • Nothing happend to the guy who wrote teh CIH virus, beacuse he didn't ever distribute it, he just showed it to some frends, and I guess it "got out" on its own

    as for the mellisa virus writer, well since he uploaded it himself (and it had the same GUID as the 'samples' on his virus writing site, and he did it from his home phone) he acted in a wonton act of distruction.
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • a little off-topic, and no doubt well-known, but this [netfunny.com] is what folk did in the olden days.
  • by jabber (13196) on Wednesday July 07, 1999 @12:25PM (#1814396) Homepage
    I know that this is mostly a 'me too' type of reply, but Tweety Fish has made an excellent point.

    We all remember the stink that went up after Farmer and Venema (sp?) released SATAN. (COPS before that)

    Anyone out there remember Asmodeus?
    Any sysadmins here ever use a rootkit on their boxen to see what it did, and what to watch for? Without port scanners there wouldn't be firewalls, and without sniffers there wouldn't be encryption.

    I know tfish is looking even farther than the benefits of reacting to a security threat. And a good thing too. Something like BO, designed to have such a low activity signature as to be undetectable by a casual user, is a huge accomplishment for a Windows product.

    There are benefits for network admin tools, from having the BO code available. And if M$ doesn't learn, at least the rest of us will.
  • by fliptout (9217)
    Really, who will be nice enough to break into my system and send me an endearingly personal email telling me how to plug my security holes? Not gonna happen- whoever finds the holes will exploit them to the fullest and fuck me over.

    Frankly, I prefer not to have any uninvited guests.
  • Just to be clear, I'm not a member of the CDC. Nonetheless, your responses aren't great.

    0: Microsoft SUX!!! (0 because it's the _true_ motivation for all of the following arguments) Response: Yeah whatever. Nobody likes M$, but millions of us rely on their products in our homes and our workplaces. Some of us don't have a choice in the matter. If you want us to use something else, make something better.

    While its true that many don't have a choice in the OS used in their office, or by default because they're unable to install another, there are still lots of better, or at least different choices out there. Your crack about 'make something better' is probably the most succinct description of the motivation behind hacking, and all it's produced, that I've ever seen.

    1: It's just an administration tool. Response: [snip] If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?

    One reason is to protect the administration tool. The network admin at my company is constantly telling people to enable Norton Antivirus; every time she has to clean their system manually, in fact.

    You're right that BO is more than an administration tool: it's a political point that, for all the damage and heartache, is a valid point. See your reponse about leaving your house unlocked...

    2: It's MS' fault for having the security holes in the first place. Response: [snip] If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

    I'm still a criminal, and you're still stupid for having left your door unlocked. Moreover, your home insurance won't cover you because you left your door unlocked; if you won't take known security measures to protect yourself, then you bear part of the blame.

    3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

    My understanding of the release of the first BO is that Microsoft was offered an advance copy, and turned it down, while denying there was any security problem at all. Microsoft is a business, and what a business can get away with, it will. It's as simple as that, and if you disagree, you've never had the privilege of riding a cubicle in corporate America.

    4: We're helping the community by bringing these problems to the attention of the public. Response: Clearly the only community CDC is concerned with is the script-kiddie community. Their program is extremely destructive to the common user and is most effective when used against inexperienced users. All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.

    All they've done is force people to confront the problem. They've made a deliberate public showing of it because it wasn't to impress the script kiddies, it was to force a resolution to the issue. Yes, people may suffer because of it, but it takes a hard lesson sometimes. As for the atmosphere of distrust, which is better: suspicion all around or blissful ignorance?

  • The parable of the wholy redhat box:

    Some friends of mine thought that it would be cool to setup a redhat box with at their school district. Zipity fast line and an administrator who was interested in samba made it seem both fun and possible.


    So the machine sat there and was played with, and various stuff. Then some script kiddie found his way in. With a 'Rewt' kit and some time all of a sudden the machine no longer was under the control of my friends but someone who was creative enough to pick a uid of 420.


    The point: Even a linux box can be filled with security holes and even on a linux box something like bo can run (port 31337 now allows anyone to telnet in and doesn't even require a login for root access).


    I don't really mind people developing these root kits or bo or whatever exploits they care to come up with, but I don't like people screwing around with other peoples machines as these exploits invariably lead to. Now that my friends know about the various holes they are ready to reinstall and start patching holes, but if the machine were something serious they'd be screwed.


    With various holes know, we (the comunity of computer users, and the comunity in general) should make sure that they are fixed. As well we should make sure that these exploits are not exploited by the corporations or anyone else.


    peace


    watch out for the conspirisy of tall men

  • Doesn't the insertion of a kernel module require root access?
  • If cDc is sincerely concerned with M$ security they would have given M$ and the public suggestions on how to fix the problem but instead they release this dumb program to show that it could be done. I find cDc's analogy quite funny in a sense that it is flawed and no one in the right mind would formulate the same analogy.

    I do not even know why they are making such a big deal out of this. It is the same as the original Back Orifice + NT capabilities which requires that the infected program be run by Administrator. One could say that this could be done the same for UNIX or BeOS provided that the "Super User" is the one who will be running the infected program. Most large corporations are very careful about running unsupported software (i.e. stuff that's downloaded from the internet) anyway so I doubt this would make a big impact to most people. I see the target of Back Orifice 2k as Warez kiddies who probably didn't pay for their WinNT licenses anyway.

  • So if you release BO2K under GPL, does this mean that if you infect someone's machine then you have to offer to give them the source :^)
  • "Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. "

    In the hours,days,weeks and months to come as we see dozens (possibly hundreds) of slight variations, total modifications and custom built worms come out of that source code I doubt you will still believe that.

    This program is a serious threat to NT security. As others have pointed out the problem isnt so much that NT is "insecure" (though ther are definitly problems in that department), its that the users and quite a few of its admistrators are just plain dumb wher security is concerned. And as I heard someone say in a previous thread: All it will take is one stupid user/admin to compremise the entire network. It will just make the process easy. Really easy.

    Of course, yes all of this and more is possible on a unix system. The difference is unix is a diverse set of operating systems. Porting code to different Unices takes time and some skill. BO2k will run flawlessly on any target machine making it extremly easy for anyone to use (no coding experiance required) and therfor that much more dangerous.

    However I dont think Its all bad. Its just like any other peice of software: It can be used for bad things or for good things. Dont blame it on the software or the authors (anyone who says writting software is in itself 'evil' is a total dope) - blame it on the assholes that actually use it maliciously.

    And hey: If you THAT worried about it take that WinNT CD and chuck it out the window. Order a copy of Linux, FreeBSD or Solaris7 and put that PC to real use.

  • There are so many messages here who just take it
    for granted that NT is insecure. NT has a solid
    security architecture that is more fine-grained
    than that of Linux. This means it COULD be better.
    The real problem is that MS Office is designed for
    a single user and requires you to have the equivalent
    of ROOT access to run it (OK, I'm exaggerating and
    I've never had office on my computer so I wouldn't
    know, but disprove me). You could do exactly the
    same with Linux (pop up a box in netscape, make the user type their password, mail it home), only that a user has less rights on Linux.
  • I see your point. If we engineered cows to be resistant to e.coli then we'd have a "more secure" cow. So in effect the problem actually does and does not already exist depending on your perspective. However it isn't a problem until e. coli shows up. Heh, I guess what I said could also be more amusingly applied to humans. We've got lots of design flaws, look at the "common cold!" (I'm joking here)

    Who would've thought we could use cows as an analogy for OS secuity designs?
  • Sure, a security problem is a security problem only if someone decides to exploit it.

    In my world, people exercise reasonable measures to protect their valuables. The measures of protection are proportional to the worth of the object/valuables. That's why banks have vaults and safety deposit boxes.

    If Microsoft is going to claim that their operating systems are secure, I don't think they're the victim when people realize that their doors are wide open. The victims are the people who rely on Microsoft products for security. Microsoft should take responsability for their marketing claims and engineering blunders.


  • No, the AC is correct here. BackOrifice is just a remote control program (think PC Anywhere or any of the others in the Windows world). Do programs exist like this for Unix? How about X Windows?

    If I tricked a UNIX user into running a modified telnet or something that would give me remote root access, it wouldn't matter if telnetd was disabled. The only reason UNIX is less vulerable to something like this is that users spend less time logged in as root and are more careful. But that's more of a human issue than a technical one.


    --
  • Whoooeee! The stuff people come up with!

    Just imagine, if I wasn't surfing /. at -1, I'd never get to read all these absorbing and fascinating insights into the world!

    (LOL!)
    --
    - Sean
  • They do it becasue they can. Most irritating.



    I won't say first, even though i am. :-)

  • What are you talking about? This is certainly
    not the only way to "prevent things like this".

    First, all trojans take advantage of capabilities
    offered by the systems they infect. Kernel trojans
    take advantage of device drivers and context
    switching code. In this respect, all operating
    system functionality is subject to misuse by
    malicious code (such as BO2K). Obviously, this
    is not the problem that needs to be "fixed".

    Next, the issue being discussed with respect to
    trojans that affect OS kernels is detectability.
    It simply is HARDER to detect a well-written NT
    trojan. The security community does not have
    the detailed information about the NT OS internals
    needed to develop good detection schemes for
    kernel trojans.

    This stands in stark contrast to Linux trojans,
    which must in some manner be based on and affect
    the operation of the Linux kernel. The difference
    here is that the effect of a Linux kernel trojan
    is made measurable by the amount of information
    publically available on the Linux kernel.

    Unlike NT.

    Finally, the point you're making ("the only fix
    is to remove the functionality") is completely
    bogus. The problem is that NT is configured and
    used in a way that makes the distribution of BO
    and it's siblings trivial. That is not a hard
    problem to solve. "Don't run unverified code
    inside of mail attachments". "Don't run programs
    you get from suspicious sources." "MD5 binaries
    you distribute to the public."

    This isn't rocket science.
  • If you want us to use something else, make something better.

    I believe that there has ALWAYS been something better. The mac was better than win 3.1, people were just too cheap to pay the extra money for one. You get what you pay for.

    1: It's just an administration tool.
    If this is just a tool why not create a shortcut on the desktop called 'Uninstall Back Orifice'?


    Because if you are a network system admin, you don't really want people changing the software on their machines. Especially removing the program that you use to take care of said machines. To that end, if your client is scriptable, then you could run periodic, scheduled checks on all of your MS workstations to check for unwanted system changes. Thats a great and wonderfull thing.

    2: It's MS' fault for having the security holes in the first place. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it.

    My responce: bull. If you want to give BO a purpose other than that stated, then it is perhaps a good argument for designing/using systems with security in mind. At least if you value your privacy and data. If BO didn't expose the basic flaws in such designs some other program would. It's only a matter of time. By releasing BO very publicly, both the users and the engineers of those systems get a good reason for using a better design. The idea is not to punish users, but to convince them that they need to demand better design from their vendors. Let me say that again: If such a program were not released publicly, then it would be released quietly. If it were done in that manner, then consumers would not worry about their systems, and continue to live in a deluded blissful belief that they were safe. The design would not improve.

    3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

    First, when was the last time that MS fixed anything that wasn't demanded of them. If a problem exists, but isn't being exploited, they usually ignore it untill it is being exploited. Second, and most unfortunate is that these problems are inherent to the design of Windows. I don't think that MS could "fix" them if they wanted to. It would break too much existing software. BO is written with standard Win32 api calls. What's that? Yes, Microsoft DESIGNED WINDOWS TO ALLOW PROGRAMS TO DO THIS.

    All they have done for the community is reinforce the atmosphere of distrust that pervades the internet today.

    Who do you trust?

    No, I'm not a member of cDc. I don't know if they want new members. I have, however, been very pleased with BO. I gained 100% access to my own place of business's network without any physical access. By doing so, I made the argument that security in the office was of prime importance. It held water, and we took some steps to make our Windows machines more secure. That's right, BO had exactly it's described effect. Is that so surprizing?
  • "Groups of (mostly teenaged) hackers... release nasty computer bugs..."

    Looks like Micros~1 has some serious competition from cDc. ;)
  • While few people here wouldn't like to see Microsoft get a come-uppance, this sounds like the most incredibly juvenile, wise-ass way to do it. While these twits never mention preferring Linux to Windows, maybe someone should forward them the advocacy FAQ anyway.

    "Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"

    Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?

  • It doesn't hide processes. man kill(1).

    I'm sure comparable problems exist in the
    manner it hides files.

  • MS Office 97 doesn't quite need Administrator/root, but it does require write access to a few files in \WINNT\SYSTEM32 and much of it's program directory, as well as in odd places in the Registry.

    MS Office and other poorly designed programs (Netscape) are one big reason the default permissions on NT4 are so loose. The problem isn't really the OS, it's how the installer sets everything up. That and most workstation users logon as a local adminstrator.

    (As a side note Microsoft has taken alot of blows on this from those familiar with unix, as well as their own user community. I'd expect Windows/Office 2000 to be much better in this respect. Win2000 beta appears to ship much tighter, and then includes some scripts to loosen things for compatiblity with certain apps.)
    --

  • Management would love to have this. They could see what your doing with your time. Right down to the keystrokes.

    Actually, if this does what it claims then management should really be worried about security. But noone will do anything until its too late.

    PS.
    I saw this article a few days ago and tried to submit it, but slashdot wasn't responding :( so I just gave up.

  • I totally see you point, but we have to look at the big picture. That is, ordinary people can download this thing and use it for whatever purpose they wish, whether it be a network admin testing out security, or a person using it maliciously to take advantage of a network without security against it.

    I'm a sysadmin for a large Us Gov't agency. As such, my machines are a prime target for external attacks. So I can understand the concern for creating tools that "ordinary people" (ie: script kiddies) can use without any real technical knowlege. Keeping up with this kind of stuff can certainly add to my already overloaded schedule. But to be honest, the kind of threat this creates is not my biggest fear.

    My biggest fear is the unpublished exploit. Published security holes get fixed. History has shown a tendancy with Vendors to ignore security issues until they become politically embarassing. This leads to vulnerabilities in my system(s) that I am unaware of and, consequently, can be exploited without my knowlege.

    Lets not kid ourselves here... people with malicious intent WILL share their knowlege with others of the same inclination. At the same time, they're less likely to take steps towards patching the hole they are taking advantage of.

    By bringing security issues to the public eye, people like the cDc are helping ensure the security of our environments improve. It may be additional work to keep up with these improvements. However, I don't know about your environment, buy mine demands a hell of a lot of hassle whenever one of our machines is compromised.

  • I hate MS just as much as the next guy, but I still think it is messed up to release a program like this. The end result is that script kiddies will do the only thing they know how to do.

    While sir dystic might say he wants MS to boast its security, I think it is clear that this is a thinly disguised one. How is this different from releasing the source code to a virus and then letting the script kiddies actually send it out?
  • Smaller, nimbler, faster, easily customizable... This sounds like the perfect replacement for SMS Remote Control. Now I just need to sell my boss on the idea...
    --Shoeboy
  • by Gleef (86)
    The big trouble with the Center for Disease Control analogy is that that CDC is a government agency with a public trust to uphold. Similarly, the AMA would like people to think they are a responsible, trustworthy and benign organization. In either case there would be a betrayal of trust.

    The Cult of the Dead Cow has no such responsibilities, and no trust is betrayed. If you really want a tainted meat analogye, compare them with ecoterrorists, poisoning meat to prove that McDonalds doesn't follow proper hygiene procedures. Even that's not a great analogy, since the cDc's programs don't have the potential loss of life that a meat poisoning scheme would.
  • If a cracker tool can be done, I shure prefer that it's done in front of every one eyes like cDc is doing. If BO 2000 weren't created by the cDc it would probable be done by another cracker. Shure, now every kid can use it, but we know what they can do. The most dangerous tool is the one that is not visible.

    --
    "take the red pill and you stay in wonderland and I'll show you how deep the rabitt hole goes"
  • by luge (4808) <slashdot@tiegUMLAUTuy.org minus punct> on Wednesday July 07, 1999 @10:31AM (#1814438) Homepage
    The article makes an interesting analogy, claiming that CDC releasing BO in order to force MS to clean up is the equivalent of the American Medical Association polluting meat with e. coli to force a cleanup by meat suppliers. However, the article ignores the point that the government has created channels by which the meat suppliers can be regulated, and that nature provides regular e. coli outbreaks to check on our precautions. Since the only oversight on MS is the market, and there is no such thing as a "natural" security problem, problems must be highlighted by human groups like the CDC, and the market must be manipulated in order to get a response.

    Anyway, that's my two cents- I'd love to find the author's email to let him know, but I can't find it. Any clue?
    -Luge
  • > ensuring that 99% of all successful NT attacks will have the uniform signature of a BO2K installation to accompany them...

    You forget, mon ami, that cDc is releasing the source. That means that people are free to modify the program as they desire (a phonomenon very familiar to us of the Free Software/Open Source persuasion).

    Who's to say what "signature" these modified BO2K variants will have? Who's to say how identifiable they will be?
    --
    - Sean
  • Correct metaphor: if you bought someone a gun, show them how to use it, and they shoot themself.

    Microsoft frequently makes claims as to the security of their products without making any efforts to actually prove it to the security community. An example of this is the virtual private network scheme - the algorithm and implementation is untested, untried, and unproven. If one uses it, one must take MS's word as to its efficacy.

    MS compounds the error of their ways by placing the blame on the cracker/hacker who exploits their security holes. If you wish to continue with the gun metaphor, perhaps this would be analogous to a claim that guns don't kill people, people kill people.

  • Apparently some of you are under the impression
    that the security community is some sort of
    professional organization, like the IEEE, that
    you have to obtain membership from to participate.

    You are wrong. What we know about security in
    1999 is 90% the result of independant research
    work done by people trying to find new ways to
    break into computer systems.

    The security community is aware of stack overflow
    vulnerabilities in large part due to a successful
    attack on the Internet that happened in the 80s.
    The relevance of the attack on modern Unix systems
    was underscored by the 8lgm (with the Sendmail
    8.6.12 advisory), a group that did nothing but
    post exploit code for new security problems they
    discovered. And immense code audits that Linux
    and 4.4BSD went through to overflows were the
    direct result of Mudge and Aleph One posting
    detailed "how-to-write-an-exploit" cookbooks for
    hackers.

    Nobody of any repute in the security community
    criticizes any of these people for what they've
    done. To do so would be silly; we know that our
    software would be less secure without these
    people, as well as we know that crackers had
    access to the information long before we did.

    The entire security community is BASED on the
    concept of PEER REVIEW, where anonymous strangers
    (preferably scruffy college kids, for theatric
    effect) scour published code and design documents
    and find flaws. We wouldn't have Blowfish and
    IDEA if it weren't for Biham and Shamir ripping
    up DES.

    cDc is following along in the same tradition,
    and it's a tradition that we need to ensure is
    maintained. Nobody is doing the security community
    any favors by attempting to villify Sir Dystik.
    It is incredibly important that we not set a
    precedent for shooting the messenger.
  • If you are the admin of a corporate PC running NT, you tell the user, if you touch this program intentionally your boss will hear about it, and they leave it alone.

    And when my boss asks "why did you kill that program?" I just tell them I didn't - it probably crashed by itself or because of some os glitch.
  • I have no doubt that cDc's great "demo" will consist of someone logging in as Admin (or obviously an account in the administrators) group, running their application, and then smugly smiling as it does exactly what it should do, which is run as a background process. WOW! Tricky!

    No doubt whatsoever? Then I suppose you wouldn't mind placing a wager on that? Meet me at Defcon before Saturday 2:00pm and we will make a bet. Bring money.

  • Windows just makes everything so much easier for the cracker hacker making such programs...

    MS DOS was never intended to be at all secure--it was always a purely single-user system.

    Windows 3.1 was never meant to be secure--it was just a single-user, single-instance shell to the single-user, single-task DOS.

    Win9x was never meant to be secure--it was just a more powerful utility with pretty much exactly the same purpose as Windows 3.1. The `hit escape to bypass login' thing isn't a mistake or a `security hole'--Win95 logins only exist to maintain multiple sets of settings.

    WinNT didn't start out as a multiuser operating system with built-in paranoia, so it hasn't been, and isn't going to be, easy for Microsoft to tack that onto it.

    MS Windows is `insecure', but that was initially the point to the OS.

    Windows 9x, these days, is a video-game system, and it's pretty good for that, and not much more. Besides, you don't really need a video-game system to be `secure'....

    Let's get things all straight, and use the right tools for the job--not all operating systems (or shells) are good for everything (which makes me think of all of the full-screen Windows games--what's the point of a window system when you want to run things full-screen? How much better would the games go if you just didn't load the Windows GUI to begin with?).
  • The good side is that after being hacked by BO stupid users who actually actuvate dubious files will learn. and if they won't - they deserve it.

    The good side is that equally stupid user i.e. the crackers will actualy feel sooooo smart.
    The good point of that is that sooner or later they will be caught, thats the punishment for stupid hackers.



  • I don't think that exploits like this have so much to do with tha fact that Win NT is a crappy operating system but with that fact that it is closed source. If NT was open-source underjust about any meaning of the term we wouldn't just see an exploit like back orifice published, we would see both the exploit and a fix published. Why? because no cracker wants his system to be cracked by another cracker using his own crack.

  • Do you honestly think there's anything that
    Back Orifice does that Microsoft Engineering
    doesn't already know? I have met and talked
    to Sir Dystik on a number of occasions, and
    my impression of him is that he is someone who
    knows what a "security advisory" is and what
    the conventions are (prerelease to vendor,
    publication of a patch/workaround, etc) for
    releasing them.

    This ISN'T a new security hole. cDc doesn't need
    to teach Microsoft ANYTHING. This is a a statement
    (IMO, an effective one) to the public about the
    security implications of OTHER, WELL KNOWN
    Win32 security problems. They are, to co-opt the
    motto of the L0pht, "making the theoretical
    practical".

    This is a good thing. You can show all the scary
    press about BO2K to your IT managers and get
    resources to properly secure your NT boxes. You
    should appreciate (and exploit) this.
  • by Anonymous Coward
    It is incredibly that so many people don't even understand what is going on before they open there mouths, I am in no way saining that MS products are secure.

    But this is not a security hole, it is a remote administration program that has to be installed. It doesn't matter what the OS is, if you install a program that was written to give remote admin capabilities, then you have given people that ability.

    How does this constitue a security hole on M$ part. It sound more like a security hole in the person using the computer. I can remote admin many differnt OS's does that make them insecure also.

    People please think, think before you speak, or politicians will take that away from you also.
  • "This 'security' risk is nothing specific to the Windows world."

    The security risk *is* specific to the Windows world. BO/BO2K can be installed by any user, priviledged or not.

    To do the same on a Unix-based system, one would need either root access or a poorly configured system (ie. you need to somehow trick a priviledged user into running it for you).

    "Any mildly compitant [sic] sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure."

    Thanks for emphasising my point. Your problem is that under Windows, anyone can install BO, not simply the system administrator.

    Aside from that, any problems that are discovered in an open-source Unix-based OS have patches released within *hours*. Contrast this with MS's responses to past issues, and come to your own conclusions.

    "Designing this program to comprimise [sic] a system that isn't designed to be secure is ridiculous."

    I couldn't agree more. But Microsoft claims that its "enterprise-ready" OS *is* secure. Your ridicule should be directed at MS.

  • cDc hasn't invented anything. The source code
    is meaningless to the research community as a
    document of any new problems.

    cDc probably hasn't done anything in the code
    for BO2K that wasn't already documented in MSDN.
    The source code probably will not convey any
    new revelations to the computer underground.

    BO2K is not a new concept. The equivalent has
    probably been floating around the computer
    underground for ages. The idea is simply much
    better documented now, and MS has a very
    compelling reason to address the issue directly.

    It is a fairly well-accepted tenet of the
    security community that whenever you hear about
    new source code being released, you should assume
    it HAS been released to the underground for
    quite some time beforehand. What makes you think
    that BO2K, or something much worse, hasn't been
    available to modify by crackers for years?

    This same logic could be applied to Aleph One's
    "Smashing the Stack" paper (the harbinger of
    31336 different stack overflow exploits). With
    the benefit of hindsight, we see that the result
    of this exploit cookbook (which was, by the way,
    far more dangerous than BO2K source code, given
    that it [and it's immediate antecedants] DID
    contain revelations to the computer underground)
    was the almost complete eradication of stack
    overflows from Linux and 4.4BSD.

    On a lesser scale, the release of the rootkit
    trojans had the same effect for the Unix security
    community --- you'd have a hard time hiding the
    original rootkit on even a naievely administrated
    network these days.

    BO2K will have the same effect on NT.
  • If it has a legitamite purpose, then MS can't really just "ban" it. :-) They might have to actually fix the security holes.
  • If all anologies are flawed, then aren't all flaws analogies? Or, wait a minute...
  • I do have to disagree with it's "a decent system." I've administered both NT and *nix boxes, and it's just night and day.
  • Please read this [iarchitect.com], then think again if they really make great GUIs.
  • I agree that UNIX distros need work to secure them out of the box, the problem is microsoft has no security model for 98/95. NT can be made much more secure with some work; however, I wont allow our firewall to be built on one for a few reasons.

    1) Patches releases take to long
    2) Stability
    3) The UNIX os's have been around for 30 years and poked at longer.
    4) Go ahead install that service pack on your critical NT system I dare you.
    5) automation.
  • Its my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.

    you'd also make a shitload of money :)
    (well, after the first BO came out a lot of companys came out with free fixes)

    what's really insidious though, is that beacuse the source is open, its posible to modify it just enogh to evade detection....
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • I think what he ment was that with the source available, it would be simple for somone with resonable skils to hack up a custom version that can avoid virus detection (infact I plan on doing this :P)
    _
    "Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
  • Agreed...

    $ diff -u VNC_OR_SOME_GOOD_REMOTE_CONTROL_PROG BO2K
    - bloat
    + speed
    - tell the user you installed it

    I never understood why people thought BO was a security exploit. It's a quiet remote control app. The fact that people have coded silent installers is not a security hole, either. I could probably, in a couple hours, write a little proggie to silently install VNC on someone's computer. Or any other remote control app for that matter (VNC would be easy because it's GPL'd).
  • Okay, you people are misunderstanding the point of analogies. If I say something like "Ted Kennedy's mouth is to words as a sphincter is to shit," I'm not comparing Ted Kennedy's mouth or his words to either sphincters or shit.

    In an analogy A:B=C:D, there is no implied relationship between individual elements (such as A and C or A and D or even A and B); rather, the relationship between A and B is said to be equivalent or nearly equivalent to that of C and D, even if A(B) has absolutely nothing to do with C(D). Nothing more is implied.

    Kyle

    NP: Gamma Ray, Sigh No More
    --
    Kyle R. Rose, MIT LCS
  • Yes, the new and improved BO might not make them patch things up, but what about its new features? Ability to watch the user's screen in real time? Ability to run on a microphone and hear anything that is going on? A modular version to add even more features? Made to run on NT?


    These things will really pound on companies, who will yell at M$ for making shitty OS's, then the companies, if they are smart, will change. Where I work, _EVERYONE_ uses NT4 and it would take a lot of time to bring everything up to speed after a changeover, so we can't go to Unix/BSD/whatever.
    I am not a CDC member, but I have used BO. I got into 3 of my friend's computers by sending them the infected thing and I told them it was a C program I made. They ran it, I took over their system and popped up messages telling them what I had just done to their system.

    ~Gawyn~
  • by joq (63625)
    Is it going to have yet another backdoor going to cDc?

    Now lets get realistic for a second. If it were worth anything more then a new script kiddie tool why not bring it out at PC expo as opposed to DefCon? Program something good for a change. And I don't mean that in the sense that the program sucks. You know damn well it's intentions are for the losers who wouldn't know how to hack a chicken with an ax point blank. Think of all the data thats going to be destroyed when some 14 year old loser download it and sweeps subnets because his little high school hoe just dumped him and now he wants to DELTREE your whole damn pc.

    You and I both know the true purpose behind BO is just a slap in the face to Microcrap and a way to intrude networks and nothing more.

    ...by the way whats up to the l0pht section of you guys... ;)

  • > -smug vegetarian :)

    So, I guess that you haven't been hearing about all the vegetables that have been getting e.coli as well?

    Here's more information [cnn.com].

    Relevant quote:

    Alfalfa sprouts, the quintessential health food used as garnish on everything from salads to hamburgers, sickened an estimated 20,000 people in the United States in two outbreaks in 1995, researchers say.

    Don't be so smug. Vegetarians aren't e.coli free. =)

    Bun is neither meat nor cheese.

  • I am not a Windows NT fan (nor do I play one on TV), but I admin about 60 Windows machines as workstations at work. What I have noticed is the absolute lack of knowledge that a lot of these users have. In Win9x, there are no levels of admin/poweruser/domain user/guest. People are encouraged everywhere you turn to run this neato exe from a web site with a "~" in the URL. Screen savers that have an install instead of just a .scr file are a perfect example.

    But that's only part of the problem. Mass production of MCSEs isnt helping.

    I've been admining NT and Linux for quite a while now, but I decided to enroll in (ugh...I know...shaddup) MCSE school to learn the little details I would need to throw back out at the test to be "certified". It was pretty depressing. In the ENTIRE NT wks and svr sections, I only recall seeing "dont stay logged in as the Admin" once. It was never stated in class. I was one of two people in the class who had even installed NT. (They give you a 120 day eval) Several people didnt have computers.

    IF you are going to use NT as an important server, you should really set it up with strictly what you need, service pack it as best you can, lock the console, and never log in locally unless there is a problem. I have gone to way too many places seeing people using the server as their workstation logged in as Administrator with IE4 and Outlook (with Word as the editor) both open having no idea what that can do. Getting your hands on people to run your servers intelligently (or for God's sake learn yourself) is the best plan if you must use NT. Dont use IT staffing firms. And the most important rule: If the NT machine matters to you, dont put it on the Internet. If you must put it on the internet, dont browse from it and DAMNIT, DISABLE netbios on the nic that is facing the internet. These cant solve all problems, but it's all you can really do.

    This is not taught to the people who really really want to be an admin in MCSE school. People arent learning. I have no idea what the solution to this is. I can make all the noise I want about it, but someone always knows better.

    It is pretty silly to see this as some massive threat. IP Masqing or proxying or whatever should stop this from happening to you unless someone makes one that opens control outbound actively to a predefined host instead of passively waiting for a connection. People were scanning clients on IRC for PC-Anywhere connections to look for blank passwords. Why is cDc worse? Open netbios shares, buggy Windows ftp servers, etc are much more of a problem for the people willing to have MS products directly on the Internet, but again, that's user error and they probably didnt know.

    Maybe I'm way off track here, but I dunno. Just thought I'd ramble :) Take care.

    -True Dork
  • Ban open-source software for the public? What are you, some kind of M$ neo-nazi or something? Yes, some hackers will open-source their software to their hacker pals will make even nastier versions.

    What about open source OS's? *nix? You are saying that in order to make open-sourcing illegal, you would completely obliderate an operating system which has out-performed the current most-used operating system of windows?

    ~Gawyn~
  • (I'm not a cDc member, but I find the above post to be the best introduction to what I have to say.)

    Somebody should break into the CDC's computers and screw with their files so they can see how 'beneficial' it is.

    Go for it! I'm sure you wouldn't be the first to try, and if you succeeded, you would have demonstrated that they should use better software.

    2: It's MS' fault for having the security holes in the first place. Response: Bull. Microsoft's engineers have attempted to create a product that will be useful to people. There may be defects in the product, but that gives you no right to write a program whose primary purpose is to punish those who use it. If I leave my door unlocked that doesn't make it my fault when you steal my things. You're still the criminal.

    Microsoft's engineers have most likely attempted to create a product that is as profitable as possible; that's how publically traded companies work. Unfortunately, the software market has demonstrated that what is most profitable is not what is most secure, stable, flexible, etc.

    Also, I think that analogies to physical things like windows, cars, guns, and cows, are inaccurate. High physical security isn't feasible in our day to day lives; e.g. Kevlar vests are expensive and currently unfashionable. However, decent computer security is both feasible and sexy, so it is acceptable--and I believe beneficial--to create an environment in which it is necessary.

    3: MS wouldn't fix the holes if we didn't exploit them. Response: If you're so concerned about MS fixing their security holes, why not give them an advance copy of the software so they can attempt to fix them _before_ all the jackass kids exploit them?

    History has shown that MS drags their feet on fixing security holes that are given to them privately, in advance. Remember the IIS hole that eEye found? (See www.eeye.com [eeye.com] for specifics.) To summarize, Microsoft was given a week of advance notice, but apparently did nothing until exploits were already available. Even then, they called eEye irresponsible for releasing an exploit after others already existed!

    However, I don't feel that eEye had any ethical obligation to give Microsoft the advance notice that they did. If everyone always gives Microsoft (or any other company) advance notice about security holes, then Microsoft has little financial incentive to put more effort into releasing a product that is secure to begin with. I think it's shortsighted to look at the actions of a group like cDc in the context of a single exploit; you need to look at the long term effect they have on the market. If Microsoft has to pay dearly for each security hole in their products (in this case, paying in terms of lost revenue from people who decide to use more secure products), they will be more concerned about the security of their products, because it will increase their profitability.

    The only way that users win when it comes to security holes is simply to have secure software. If vendors are treated with too much leniency, this will never be achieved.
  • by CoolAss (62578)
    This 'security' risk is nothing specific to the Windows world. It is not that hard to do the exact same thing on Unix. (There are several programs availble to do this on Linux and BSD...)

    Any mildly compitant sys admin would know not to run random files on the server, so as long as the admin isn't dumb, the system is secure.

    WinNT is just as secure, if not more secure, than most Unix systems. I see hundreds of new exploits for Unix systems every week, but much fewer available for NT.

    I obtained a copy of BO 2000, and I was unable to get it to run on NT. I tried it on 3 seperate NT systems including 2 copies of Workstation, and 1 of Server. It gave me the same illegal operation on all three systems.

    It did, however, copy it's key to the registry, and move itself to the WinNT directory. Each time I started up, however, I got a blue screen with the error, and after I hit enter, the system booted normally.

    I have a feeling that BO 2000 *may* run on NT, but I couldn't get it to work.

    BO 2000 ran great on Win98, and 95... and there are some nice improvements.

    I personally think that BO is dumb. Designing this program to comprimise a system that isn't designed to be secure is rediculous. It simply shows the childish tendancies of many hackers.
  • The biggest security hole with Windows is that it is too easy to run programs that open security holes. It is too difficult to protect a system when your executables are read/write by users and executables have so much control over resources. It's too easy to attach trojan horses to e-mails (aka Melissa).

    I was shocked when many of my NT programs did not run or gave warning/error messages when I protected their directories (i.e. \Program Files) as read only. Unix has it right in this department--protecting the /usr tree from the user!
  • If you were an ordinary user of NT, do you think you would WANT an admin to be able to see what you were doing, etc? No. If they knew it was there, they would kill it (and NT gives you enough power that you CAN do just that).

    So, to keep it running, you'd want to make sure the users didn't even know it was there. Hence the stealth features.

  • "What is with" people is the fact that while BO 2K is a program that must be installed, it does _not_ require Administrator-level access to do so. There are numerous unpatched security holes in Windows 95, 98, and NT that allow unpriviledged users to act as fully priviledged Administrators.

    The analogy here is that every NT box has a walking 'root' attack built into it...

    Now, would you want a security hole like this in a multi-user system? All it takes is _one_ downloaded email program and your entire network is compromised.

    Let's think about this a moment:
    BO 2k (and the original BO) is designed so that it can install invisibly after being attached to another program that _executes normally_. This means that Script Kiddie A can attach BO 2k to, say, a copy of the latest version of WinZip. He then sends that copy of WinZip out in a nicely drafted email to several people at an office. The insant one of those people downloads that email and installs the new version of WinZip (which works fine, and is in all ways a 'normal' version of WinZip), they have just infected the entire network with BO2k.

    Now tell me this is a 'remote administration' feature and not security vulnerability.

    The very nature of remote administration implies that you must have privledged access to the machine in order to administer it. BO2k allow _unprivledged_ users to both install and administer it.

    While I disapprove of the cDc's choice of methods, I can at least say that if they had to make this program, they are at least distributing it properly. Making it publicly available and open-source means that nothing is 'hidden' and there are no surprises waiting in store. Patches could conceivably be easily produced by Microsoft, and programs to detect, counteract, and remove it should be easily developed as well.

    This IS a security threat people. Take it lightly and I'm sure you'll rapidly change your tune after your network is taken over by Script Kiddie A exploiting known Microsoft security vulnerabilities.
  • The issue is not whether MS Win products have security holes; they do. It is a commonly accepted fact. The point is that by releasing Back Orifice and Back Orifice 2000, you're (cDc) opening up anyone unlucky enough to run an attached executable or any other method of delivery crackers may design to a complete loss of privacy and control of their computer to anyone who knows just enough.
    Its one thing to code this from scratch, run it from a command line, and analyze packets etc. Its an entirely different issue to slap a GUI interface on it, make it self installing, completely user friendly, *and* make it completely hidden from the victim. Not anyone can code or decipher IP packets, but when its so easy to take control and access someone's computer, you're letting the wrong kind of people into the toybox.
    Conclusion: BO and BO2000 will not hurt MS. MS will release a patch (maybe) and move on to another software product (definitely). BO and BO2000 will simply hurt the people who use MS.
    Its my hope the cDc would release a BO and BO2000 "detector and eliminator" and copyright the hell out of it. This way you're not only exposing MS' security flaws, but you're also protecting the people who might be exploited by them.
  • Microsoft, if you fault them everywhere else, is extremely good at making user friendly interfaces.

    Microsoft is good at making interfaces that appear user friendly. They will claim that they can automatically configure XYZ, and then fail half-way through the process. They offer no details on why it failed

    The fact that it takes them 4 revisions to get it right (four revisions they make us pay for)

    NT 4 is right? (Ok I know the first version of NT was labeled NT 3.1, so 4 should be only 2 or 3)

  • Wait a sec...
    In your post you said both
    "WinNT is just as secure, if not more secure, than most Unix systems."
    and
    "I personally think that BO is dumb. Designing this program to comprimise a system that isn't designed to be secure is rediculous."
    Is it just me or do your statements conflict with one another?
  • Yes, but if ANYONE who does have the priveleges to do such things gets the BO 2K infection, no matter what, your network is going to get it, and you will spend hours and hours working to clean your network.

    ~Gawyn~
  • How about adding a little bit like needing the user to click a button to say "Yes, you may come in?" Perhaps even making and none of the secret accessing as default. Then you would have a decent argument against all the antivirus companies that will mark it as a trojan, which you know they will.
  • I think it would be safe to say that the majority of exploit programs like this ARE designed to attack "other" operating systems, primarily Unix. Every Unix admin I know hasa copy of Satan at their fingertips, and use it.

    As to your other point, a default install of Linux wouldn't stand up against programs designed specifically to exploit them, that's what patches are for. The difference between patching the holes in Linux (and most unices) and Windows is the time between when the exploit is announced and when the patch is available. Most of the stuff BO is taking advantage of has been known about for quite a while and there is still no patch. Most exploits on Linux are patched within a couple days, often within a few hours.

    Cernnunous
  • If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?

    Would you agree Virtual Network Computing (http://www.uk.research.att.com/vnc) goes at least some way towards meeting that goal? Without including the stealth features and self promotional posturing as our self-appointed security watchdogs?

    You guys in CDC are obviously good programmers. If you're serious about protecting security, I hope you expand to probing other OS's too and not just concentrate on the Gates-bashing which too many here have an obsession about.
  • I only wish that were always so. Unfortunately the real world of corporate politics doesn't work that way. There are often people that should do as the admin says, but don't have to because they are buddy-buddy with somebody more powerful than the admin (or his boss) is. Or maybe this person is more important than the admin is (i.e. this person makes more money for the company than the admin does). Either way, it doesn't work to threaten the user.

    Besides, why even put it out for a fight if you can just hide it so the user doesn't know any better? Stealth makes it much easier.

  • >Well, from what I hear the source will be
    >available - so I doubt there will be any back
    >doors (and if there are any - they will likely
    >be caught rather quickly)

    Just make sure you compile from the sources and don't just take a binary copy!

    I also heard there was a backdoor in the original BO. Has anyone confirmed this? What info did it actually send?

    --McFly

  • Look at the poll results. Do far most people thing BO2K will either help or both help & harm.
  • by StephenJ (61393) on Wednesday July 07, 1999 @10:36AM (#1814552) Homepage
    I dunno. This thing plagued our college campus for a few months until we got it under control. Our network is NT on a UNIX backbone.

    I agree with the CNN article: this cult's motives don't make any sense; it's like a cult from the automobile industry who steals cars to make everyone get car alarms. It does much more harm than good. This is a negative way of getting attention to network security, not a positive way.
  • "Excuse me, but you realize, of course, that you're just helping to make Windows `better' in the long run?"

    Yeah, so? Do you have a problem with that? I sure as hell don't use windows when I don't have to, but since it is forced on me as an email machine at work, I would sure like it to be secure.

    If you have a problem with MS fixing their own OS due to security concerns I think you need to step back and think about your views. Why do you care so much about it?

    /dev

  • by squarooticus (5092) on Wednesday July 07, 1999 @10:39AM (#1814572) Homepage
    I take issue with the following analogy:

    Releasing a hacking tool like Back

    Orifice 2000 in the name of
    safeguarding computer privacy is a bit
    like the American Medical Association
    infecting cattle with the deadly e. coli
    bacteria to inspire food companies to
    sell healthier meats.


    The correct analogy in this case would be the AMA infecting cattle with E. coli to make cattle owners produce cattle that are resistant to that bacteria. I'm not surprised he used an incorrect analogy: the right one would undermine the "popular" opinion that virii and hackers are universally bad, instead of good for flagrantly (and typically non-destructively) exploiting security flaws and shoddy programming.

    Kyle

    NP: Arkhe, S/T
    --
    Kyle R. Rose, MIT LCS
  • First of all, if your campus network was NT, you would have had >0 problems with Back Orifice, because it didn't run on NT.

    Second of all, the tool we are releasing is an incredibly useful and powerful remote administration tool, much better than anything else currently available from Microsoft, Symantec or anybody else. If Microsoft didn't make it so irritatingly difficult to figure out what your server is actually doing at any given moment, the security concerns would be a moot point.
  • We didn't pass any copies to anyone outside of cDc and beta testers. Microsoft will have to wait like everyone else.

  • by WareW01f (18905) on Wednesday July 07, 1999 @10:51AM (#1814596)
    ... BO2K (kinda rolls of the tounge, don't it?) is more pro-WinNT that anti. The people working on it know a lot about the OS and therefore have spent quite a bit of time with it. In the short term it makes M$ look bad, but in the long term it actually improves their product. (That is _if_ they do anything to plug up the holes.)

    What's even sadder is that this could all be avoided if M$ was as open as Linux and there was an open envionment for users to say something like "Hey, you gotta problem here, thought you'd like to know." and get a responce. That's not the way it works.

    I guess the way I view it is yes, the ethics of giving 'fire' to script kiddeez is somewhat questionable, but as with Melissa and every other stupid hole in M$ software who's more to blame? The person pointing out the way to a wide open back door, or M$ telling everone not to worry, they're getting the most secure system around? Let me tell you that as someone who unfortunately has to put up with an NT network at present, it's a bit disturbing when I read about a hole in NT and see a link to an exploit _days_ before I'm notified by Micro$oft's security mailing list that there's even a problem, and then all they ever do is play it down and point out how rare it is and what little threat it is to my system.

    Personally, I say more power to cDc. Somebody has to speak up and sometimes it takes some punk wiping out a network with a keystroke to get the right people to listen. All's fair in code and war. If it's not CNN it looks like somebodies already doing that. Maybe this time they'll learn.
  • Microsoft interested in security issues? Somehow I feel it is more macho they are more interested in offensive measures than defensive.

    I'd like to see the neighborhood traffic on your street. How many are dark vans and limos with dark tinted windows and stay parked close to your house? Have you ever walked up to one of them to say "Hi!" to the occupants? I'm sure there is a vested interest in knowing who you are and watching your residence, friends, and place of work.
  • by KevCo (2333) on Wednesday July 07, 1999 @10:53AM (#1814602) Homepage
    Apart from the possible exploitation by crackers, what about the privacy concerns of an employer using this software?

    Imagine and IS department making this part of their standard workstation build? They could claim that it is for remote administration but could also use it for spying on everything that an employee does on his/her PC. Granted, users shouldn't be doing anything questionable in the first place but still, there are some things that should be kept private.

  • you don't hunt for food with a handgun..


    I have.
  • Exactly one year ago, we released the first version of Back Orifice to the cries of "Make it open source! Make it open source!" We listen to our public and hence the source is completely open, complete with a fully documented SDK. BO2K is industrial strength software for the people, for FREE. It is also clearly better than the competition. If free software is a pain in the ass, why don't you go tell Linus to start charging for kernels?
  • by seppy (2431) on Wednesday July 07, 1999 @11:04AM (#1814634)
    >>It should be noted that PC World Online has no >>independent confirmation that new Back Orifice >>2000 program actually lives up to the claims of >>Cult of the Dead Cow.

    It should be legally mandated that any article speaking of upcoming Microsoft products carry a disclaimer similar to this.

    .02



  • by Tweety Fish (4476) on Wednesday July 07, 1999 @11:05AM (#1814636) Homepage
    For those who believe that Back Orifice 2000 is some malicious tool that may or may not cause untold havoc for win32 consider this:

    If you had a comprehensive remote control application that ran unobtrusively and efficiently on any win32 system, was released absolutely free and open source, and came with a comprehensive SDK for developing your own modules, plugins and clients for whatever platform you choose to use for administration, and it was released by somebody more "respectable" than us louts at the Cult of the Dead Cow, would you call it a threat?

    Back Orifice 2000 is a tremendously useful tool for any administrator, and will only become more valuable as hackers around the world (please note that I understand that word, and I do mean hackers) modify and extend it. Managing windows networks is a far easier and richer experience when you have something like BO2K to work with. Is it a mixed blessing? Possibly so. But the best way to make BO2K work for you is to use it, and understand it.

    The Cult of the Dead Cow isn't just about scaring people into wanting real security. We want computers to be fully under the command of the people who use them, not the vendors who sell them. One way to make that happen is by convincing major vendors that they need to tighten up their products and make SURE that customers understand how to keep themselves secure, and that the products help them do that. The other way is by letting those same users get at the functional guts of the systems they use, without the layers of obfuscation and abstraction that characterize a modern operating system. Hopefully, BO2K will achieve both these goals.

    Back Orifice 2000. Show some control.
  • A more apropos analogy would be that of the CDC (Ctr for Disease Ctrl) periodically releasing new and mutant strains of diseases into municipal drinking water to make sure that major hospitals are making their patients immune to illness in general, rather than innoculating them against many specific strains of many specific diseases.

    All that the Clan of the Deceased Cattle is demonstrating - however effectively - is that M$ doesn't make the best mousetrap. But then who does?
  • From the article:

    It should be noted that PC World Online has no independent confirmation that new Back Orifice 2000 program actually lives up to the claims of Cult of the Dead Cow.

    Hmmm, if the author is running NT then perhaps one of you cDc chaps would be good enough to give him a quick demo? *grin*

  • If you don't believe this program should be so public, then you must be one of the people that put trust in security through obscurity. This is what got Windows in the trap that it is. The problem is that NT is too popular and dominates the workforce already. That means massive security holes waiting to be breached. Would you like to have a position with lots of information waiting to be cracked and have your trust in a company that produces products that leak and crash? Its a terrible problem. What kind of secure encryption does NT enjoy? If you shared a network with disgruntled employees, would you be safe? Think about your job security...
  • Its a trojan waiting to be installed through some email document/application attatchment. Attatching word documents seems to be very popular with people who are trapped in the Windows environment.
  • Has anyone ever heard of a major user or someone in a business setting abandoning Windows mainly over security/virus fears?

    Yes. The US Army. In a FCW article [fcw.com] (that was referenced by a slashdot article [slashdot.org]), they talk about how the US Army picked Solaris with Lotus Notes for secure communications over WinNT and Exchange due to security concerns with the OS.

    The contract was for the Army Battle Command System (ABCS) which apparently deals with secure communications in the battlefield. I'm sure it was a hefty contract. But there's more to it.

    An interesting sidenote to all this (and the REAL meat of the article) is that Microsoft is scrambling to make a Unix Exchange client to support the Defense Department's secure Defense Message System (DMS) program. The fear is that if the US Army starts to go this direction with messaging on Unix, they're just as likely to scrap Exchange servers back at home to make everything cross compatible.

  • Am I the only one who finds it ironic that the Centers for Disease Control and Cult of the Dead Cow have the same acronym?
  • by Sourdough (1889) on Wednesday July 07, 1999 @11:32AM (#1814676) Homepage
    I'm disappointed in the author's use of his own opinion in this article. This is supposed to be a hard news story, not an editorial. He does present the Cult of the Dead Cow's explanation for why they write these programs, but then makes an argument agains them directly. He doesn't even bother to get quotes from anyone, but simply makes the argument himself. (He says something about "computer security experts" but doesn't elaborate.) This is just plain bad journalism. I learned not to do that in high school journalism class. I would imagine that someone who works for a major news organization like IDG would know better.
  • If someone were infectin cattle with e. coli bacteria, they would be introducing a problem that did not exist before hand. Back Orifice exploits problems that already exist.

    I don't really agree.

    If I leave my home unlocked at night, is that a security problem? No, it's only a problem if someone chooses to exploit my (arguable) carelesness. Same with NT.

    I wouldn't put a "this house is unlocked" sign on my lawn for the same reason that M$ doesn't publicize their careless design/implementation. The probability of exploitation skyrockets.

    The CDC put a lot of effort into BO. Just as distributed.net put a lot of effort into showing that RSA ain't all that secure either. M$ didn't just leave the system wide open. It took someone with savvy and time to write a tool to take advantage of a loose hinge on a basement window. Now the CDC is giving every hooligan in the neighborhood that tool. Now M$ needs to fix the hinge. Next time, the CDC will climb up on the porch roof, and jimmie the bathroom window with a credit card..

    Cat and mouse.
  • by Anonymous Coward on Wednesday July 07, 1999 @11:58AM (#1814687)
    Score: -50, Rant

    It's about time! They promised NT support for Back Orifice last year. Well, their exact words were, "Soon." And I think it's just a delicious pun that they call it "Back Orifice 2000."

    I'm sorry if anyone finds this offensive, but I consider NT to be inferior. Microsoft typically buys its way into technology, but it never takes the time to make any true advancements of their own: they bully companies into working only with them, and when these companies do, it becomes almost impossible to get software products or device drivers for non-MS platforms. When Microsoft "embraces & extends" they're only taking someone else's work, adding a few functions so it won't work on anything but Windows, and locking up the changes so no one else can make their product compatible with the MS version. They [Microsoft] then engage the marketing machine and have their minions in the trade press hype the crap out of the product; which many of these publications routinely do despite the fact that MS' product is really just a polluted version of a good idea. The point is, I am offended by Microsoft. It is deceitful for them to engage in the practices that they do. The great irony is that they claim to be leading the world away from weak, bug ridden software, when that is in fact what they produce!

    I do a dance of joy every time a new virus is announced for Windows. Like Melissa -- I loved the fact that it only infected people using MS email clients. I believe Chernobly served as a point of awakening for many people who have only used Microsoft systems. Despite the belief to the contrary, Windows is just as difficult to install from scratch as some Linux distributions. It's a lot like "The Matrix" when these people who had spent their entire lives in this fabricated reality wake up. When they first run Linux they discover that this whole time they have been mindlessly sleeping in a pool of goo with their brains hooked up to some interface -- they discover they don't have to play by the System's rules: that they have true power.

    This tool also provides something interesting. Imagine a remote administration utility so powerful, that you have more control over someone's computer remotely than they have in front of it. NT doesn't even ship with a telnet server! It's ironic what this tool does, because remote administration utilities are EXACTLY what NT is lacking in. And by the way, NT is supposed to be a "Network Operating System;" but an NOS that is susceptible to viruses? Unforgiveable!

    So what's the big solution? I want everyone to be able to have the opportunity to write software without getting unfairly squashed. I'd like to see software companies get behind Linux, or at least the standard Unix binary that all the commercial Unix companies are pushing. This includes Microsoft, they can write their software for Linux if they want. If everyone sticks to an open, universal platform then everyone has a fair chance at making it in the computer business. When I originally heard NT was going to be POSIX compliant I thought, "Well great!" But that changed as Microsoft opted for "proprietary" instead of "open," so they could lock MS drones into using MS only products.

    So, if the cracker ethic is a means to an end, let it be. Perhaps that is the true evolution of the [computer] species.
  • >you don't hunt for food with a handgun..

    >vegetarianism for all.

    If all you're after is vegetables, why would you use anything bigger than a handgun? Killer turnips? Mutated venus fly traps?

    vegetarians for all. preferably grilled.
  • by tqbf (59350) on Wednesday July 07, 1999 @12:06PM (#1814706) Homepage

    A.) Please stop using analogies to communicate.
    Read the discussion so far. Do you notice that
    people are wasting more breath discussing the
    flaws in the analogies than they are the issue
    itself? cDc didn't infect meat or steal cars.
    They wrote code. I think we're intelligent enough
    to discuss that.

    B.) cDc didn't create ANY security problems. The
    attitude that says they did is called "security
    through obscurity", and it doesn't work. The
    computer underground is consistantly and blatantly
    underestimated by people, most of whom have no
    connection to the security research community,
    who think that system crackers didn't have tools
    prior to their public release.

    The functional equivalent of Back Orifice was
    already in the hands of people you definitely did
    NOT want to have these tools long before Sir Dystik released the first Back Orifice trojan.

    Pull your head out of the sand.
  • Journalism does not mean that anymore. To be a journalist, one must:

    1) repeat verbatim that which comes across the wires. It is gospel.

    2) There are no two sides to any issue, just the right one. Have polls like, "Are you for the slaughter of children/elderly/disabled/etc, or are you a nice caring, democrat?" Then conclude that 98.32% of the world will vote for Hillary as Master of the Universe and there is no use thinking about anyone else.

    3) Never go out and validate what sources say. Again, just repeat. Feel free to mix and match questions and answers to better support rule #2.

    I could go on and on. But the media isn't about facts or informing the public. There was a day when saying "mostly teenaged" when talking about a group would be followed up with something like, "Joe Smith, 14, says ..." Now they just throw out whatever they feel (and want you to feel too). In this case, they want you to believe they are immature folks who should not be taken seriously. The same thing was (and still is) said of Linux hackers. Even though that survey was done that found most of the kernel hackers were older, had degrees, etc, it doesn't stop that stereotype.

    The media is just another political outlet, telling you what to think, etc. Believe them, or die. If the kind and benevolent Microsoft isn't tortured by teenagers like cDc, the world would be a happy place. :)

  • This problem already does affect Linux. There
    are published kernel trojans in Phrack magazine.

    The issue is that in normal Linux installations,
    the only way to actually use a BO-like tool is
    to gain root access to the server first. When that
    occurs, the means by which root access was gained
    is almost IMMEDIATELY published and resolved.

    You would "fix this problem" by ensuring that
    users who run applications like mail readers that
    have the ability to execute content provided by
    untrusted sources would NOT at the same time have
    the privileges required to install something like
    BO2K.

    It's not like BO2K can just point at an arbitrary
    NT installation and magically infect it.
  • So if I substitute FDA approved meat processing plants in place of hospitals in my model...

    That brings it closer to the example in the article, and I think that my angle still tracks.
    If the (real) CDC taints the fields with new diseases each spring, to check for cattle resistance to the concept of disease rather than a particular one, then how can that be dealt with by the packing plant? They don't know what to fight. And we all know that a computer can only be made truly secure by making it useless. People are the problem, bad design/coding just makes it easier for the bad apple.

    The point I was trying to make is that CDC is exploiting newer holes each time. I agree that this is of benefit. It's nice to have someone do your debugging for you (if you're the user or even M$ itself). And if M$ fails to close the hole after it's exposed then poo-poo on them. We have choices - too bad more people don't realize that.

    I do, however, take exception to the CDC making the exploit tool available to the prepubescents on AOL. My experience with hackers has been that the good ones, the ones that know what they're doing, don't go around handing guns to children. They'll document it, publicize the weakness, perhaps even provide logic to close the hole; but with their experience comes a sense of responsibility.

    Making a skeleton key and leaving it in the key-copy machine is irresponsible.
  • Wouldn't it be nice if reality was closer to this analogy? Any time I got a nasty bug I could format my entire body... provided I make daily backups of important parts of my brain.

    Seriously though, this is just another example of why computer analogies should be left completely alone.

1: No code table for op: ++post

Working...