Forgot your password?
typodupeerror
News

AP Story on Linux and W2k Cracking Contests 205

Posted by CmdrTaco
from the stuff-to-read dept.
StirFry writes "The AP Wire has this story about the whole crack Windows 2000/crack LinuxPPC situ. And they even use and define the term 'crackers'. Best bit: 'But a log posted on the computer showed at least nine crashes caused by problems with Microsoft software, not the weather. Questioned about that, the spokeswoman said the computer was expected to be off line for some periods of time ``as customer feedback is assessed and integrated into the system.'' " Apparently the Linux box is still standing.
This discussion has been archived. No new comments can be posted.

AP Story on Linux and W2k Cracking Contests

Comments Filter:
  • by Mawbid (3993)
    nth post!
    --
  • Services froze.
    For three hours this morning. 6:04-9:20. No guest page entries.

    Not delivering web pages when all it does is deliver web pages is pretty close to a crash.

    Seems to ignore the real problem. How much is it not serving pages?

    And if the logs can be sent to another computer (perhaps over a second interface), why does one need to stop the computer to analyze logs?
  • What we should look for here is MS' marketing message: We can't cope with managing one machine receiving high traffic while enduring a little foul weather? We hired tech people who can't configure a server to stay up reliably. We are unprepared.

    Yeah, I agree. Some people at MS are going to lose their jobs over this. Perhaps then they'll be able to come in from the cold...
  • Did you get a copy with a MSDN Universal Subscription? I got "Windows 2000 Professional, Beta 3 Release Candidate 1 (x86) Build 2000" a while ago and it completely ate a hard drive. This was a test machine with a blank hard drive and I couldn't even make the 4 install disks (disk inflation from NT 4.0). When I tried to boot from the first disk, it completely screwed up the boot sector of the HD and quit. I went so far as reading the directions and I was doing it exactly right (having installed NT about 20 times on our 7 servers). Did you have to do anything fancy to get the install disks to work?

    Before the Open Source police scorch my mailbox, the $1000+ MSDN subscription is paid for by my company, so it's free to me. I ran Linux when I was at school, back in the day.

    -Barry

    This is my .sig....or something

  • you should be writing for Segfault.org Shoeboy!

    (or are you? I must admit I haven't been over
    there for awhile...

    -matt
  • This story is good enough to make it on degfault.org
  • _I_ have a Power Mac 9500 running linuxppc!
    Coooool :) :) :)
    Getting one will cost you under a grand, somewhat more to trick it out with lots of RAM and stuff. Is it upgraded with, say, a 200Mhz 604e like mine, or is it the original 132mhz 604 running it?
    9500 has 12 ram slots, 6 PCI slots, and two entire plain SCSI busses built right in. Whee! Now if I had lots more drives I could actually start using it to its capacities.
    I take it the linux 9500 has been handling slashdotting gracefully? That's very interesting to know.
    Final note- the power supply on these kicks ass. I've had brownouts knock my (separate, wall-wart powered) modem offline and make the monitor hiccup and not even cause the powermac to blink. So the linux box up against W2K is probably even better at being hit by lightning ;)
  • Thank you for wishing me a better life as I enjoy opening documents and not having to worry about viruses. I enjoy a better life without rebooting and downtime every time I wish to install something. Thank you for understanding.
  • Pass the hat: buy a UPS for MS. 8^)
  • by Anonymous Coward
    That old lightning storm attack never fails... must have taken a hell of a lot of work by the hackers though.

  • Why shouldn't it coun't. If i am running a production system, it should not go down for any reason. I'm sure MS has the knowledge to setup a Win2K box properly. It must come down to my second pet peive of Windows, you have to reboot to change anything; number one being that it crashes so often.
    The Linux box, on the other hand, has had services turn on and off but it remains up and strong. They are actually turning on services until someone cracks one (if that happens).

    my 2 cents
  • Reboot? Crash? What's the difference? Its all downtime to me. So much for increased stability. That's what you get for selling yourself to closed source.
  • I wish reporters would read the fsck'ing logs. The Win2K box crashed once (but it had reboots and service restarts).

    I still wouldn't consider that acceptable for the small amount of time that server has been up. If Microsoft is going to issue a challenge, then they should have done their homework and had that server ready to handle anything conceivable including power outages and SYN flood attacks.

    Once again, the anti-MS FUD spreads....

    Oh please, the amount of MS favored (if not outright sponsored) FUD outweighs any anti-MS FUD by several orders of magnatude.

    The double standard that the industry, Slashdot and the media has with Microsoft is sickening.

    Yes, it is, the media is still far too biased towards Microsoft. And as long as Microsoft is one of the largest advertising dollar spenders, that probably won't change. What is (pleasantly) surprising is that there is still enough journalistic integrity out there that any news unfavorable to Microsoft ever gets reported.

    Why can't we get back to doing what's important: improving people's lives through software/hardware?

    I wish that Microsoft couldn't be described by replacing 'improving' with 'controling' above.

    Linux has improved my life, my life would be greatly improved if I didn't ever have to deal with the agony resulting from Microsoft software. I've managed to get rid of most of it, but I still occasionally have to deal with it at work.

  • I tried to read the log-but I can't get in.

    Furthermore, a reboot or a service restart is, in a production box, exactly the same as a crash. If a service stops working, it's the same as crash, as far as the user is concerned. A web server that cannot serve webpages is USELESS. A ecommerce site that cannot present a catalog or take a transaction is more that useless-it loses customers. Why is it that this wonder-fscking-ful operating system of yours hasn't been able to show me a page since tuesday..

    -flips over, checks w2ktest-still dead-
    -checks crackppc, sees this in log-
    >Aug 7 1999 11:38AM CDT:
    >Machine up 3 days. 0 min. Well this is >ridiculous now isn't it.

    This lousy PowerMac 9500-a 18 month old box, has been beaten on for 3 days, is showing more services that the win2k box, and hasn't died yet.

    Hasn't had a service that needed to be restarted yet.

    Hasn't had a reboot yet.

    Oh yeah-hasn't been broken into yet, either.

    This isn't FUD. This is simple fact. www.windows2000test.com has shown that Windows 2000 and IIS 5.0 are not suitable for production use. So far, it seems that LinuxPPC is much closer to ready that Win2k.

    So, why don't you go tell Bill that his OS ain't ready-and why don't you get back to work and fix the problems that Win2k has?
  • if you need something like this to work yourself up over, i feel sorry for you.

    this is just another in a long line of publicity stunts that MS is trying to pull off. remember "scalability days" (i think that's what they called it)? terraserver? now this cracking test?
    it's astounding that people have such short memories, but that's the way things works. each of these three displays fizzled at first, then they got swept under the carpet. the problem is that if it's a win for MS, it's a _big_ win because they can market the hell out of it. if not, somehow they make everybody forget about it. (maybe they have one of those memory-eraser things from "Men In Black" - heck, all those billions of R&D have to go somewhere. i don't thing they've ever actually pulled a product out of R&D, it's all copying/embrace & extend).

    anyway, some things:

    1) the contention that it's beta software -- if it's beta, then don't expose it to a huge media frenzy. if you jump into the fire without an asbestos suit, you're going to get burned.

    2) this is such an invalid test, i wouldn't be surprised if was being administered by mindcraft. i mean, come on, who thinks they're actually going to see any valid test results from this. i feel sorry for anybody who actually takes this test to be a test and not a stunt.

    3) the volume of attempts on NT vs the LinuxPPC box have got to be skewed so horrendously that this comparison shouldn't even be brought up by any respectable reporter without finding out what that difference is and reporting it.
  • Are you kidding? There is zero chance that they are having weather-related problems that would cause a server to go down. I can understand a breach of connectivity, but this is Microsoft... they probably have UPSs.
  • Dear Microsoft:

    I want an operating system that can run under significant load without crashing. Until you can produce that, you can kiss my assessment.

    Sincerely,
    dave

    ---
  • Please, don't use automatic log clearing. *BAD* idea if you'd like to know how crackers got into a system, or even tried to.

    Some would rather have a box go down, but be able to analyze the results, than let a cracker attack it and then be able to hide the results even if he failed to get full admin rights.
  • ...but the weather here on Tuesday and Wednesday was spectacular. At some points the lightning bolts were coming so fast and furious that instead of hearing individual blasts of thunder, they were coming down in a continuous roar that never faded out. Scary, exhilarating, exciting, and my power never went out. We NEVER get weather like this in Seattle - supposedly over 1000 bolts touched down Tuesday night alone!

    This is no apology, though - 9 unscheduled non-weather related downs, and they blame it on the weather? Morons.
  • To those at MS who set up this test: Linux is currently (in fact, always) accepting converts. It is never too late.
  • by jammer 4 (34274) on Friday August 06, 1999 @08:05AM (#1760955) Homepage
    Just checked in on http://crack.linuxppc.org. It's getting quite a few hits. I love the one status update though:

    Aug 6 1999 part 4 12:38AM CDT:
    At a rate of 2 million packets per hour/ someone appears to be using a brute force method to guess the passwords. Does this kind of attack count? Unfortunatly, they are trying to telnet in as root :) D'oh!

    Gotta love it...
  • Once they started taking money for it, it stopped earning any slack for being "beta". Or isn't this the version they were "selling"?
  • ?

    Is untested software ever considered finished?
  • Ohh Ohh.. that REALLY cracks me up..
    I wonder if its some NT admin...?
  • Sounds like alot of good linuxppc publicity, though I kinda feel that the distro is 'dumbed down' a bit for old mac users new to linux.

    I'm gunna get my hands on TurboLinux for PowerPC, it seems like it would be more in my arena. Or possibly Debian. I really wanna try out Yellow Dog.

    Anyone know of any other Distros for PowerPC?
  • Try:
    HEAD / HTTP/1.1^M
    Host:www.windows2000test.com^M
    ^M

    According to HTTP/1.1 standard you MUST include Host header in the request.
  • by magnetx (33177)
    Is the Linux box software still in Beta? Like the Win2k box?
    For some reason when Free Software bugs come up on SlashDot, BETA or PRERELEASE is always the excuse.
    Just something to think about...
  • Use d.net to crack passwords and you have a real purpose :)

  • Enable the guest account.
    Oops wrong OS.
    Brute force a jcarr is a better solution.
  • I saw it more as Microsoft trying to tap a little bit of the Bazzar for debugging Win2k

    I saw it as Microsoft trying a publicity stunt, and getting out-maneuvered by the LinuxPPC guy.

  • Here [koreatimes.co.kr] is a story about the stunt from the Korea Times, with a mention of you-know-who. Darn it, there must be a lot of nerds in Korea.

    I also spotted this article about a "Hacker's Lab" [koreaherald.co.kr] that allows crackers to work their way up to something like a "black belt" in cracking, by undertaking a series of canned cracks. It might be cool, might be lame, but it's kind of funny.

  • People don't seem to understand why I hate Microsoft so much. They always insist its the hardware or user problem. Bad motherboards, network cards, or a clueless administrator. Well, if that's the MS way of putting the blame on perfectly good resources, they need to wake up. Seems like when you deal with NT, you make a deal with the devil and have hell to pay when things go south...
  • LinuxPPC 1999 (R5) dumb? Not at all. They turn off a couple of daemons by default and have a nice little X installer to simplify things for general users. Hell we have a pretty installer for the MacOS X Server and its as far from dumb as you can get. LinuxPPC is about as good as it can get. They've done a hell of a job or getting things out the door and into our hands. They are always quick to help solve problems too. If Jason and the rest of the crew were here right now I would definetly buy them a round of beers. They've worked their asses off and deserve it. Keep up the great work guys!
  • I seriously doubt that w2k will last even half as long as LinuxPPC
  • Agreed. But they still could have the logs dumped to back up THEN cleared the orginals
  • Those 100 farad caps are tough to come by...
  • The lightning excuse was the worst one I've ever heard.

    Alright -- yes, there has been some pretty strange weather this week in Seattle (I work in downtown, and I live just north of downtown), but I work with 3 computers all of which have been working without problems.

    Ever hear of a surge protector, M$?

    Apparently not.

    Bernie
  • huh? And your same thoughs apply to Red Hat Linux 6.0 on x86?

    LinuxPPC isn't really dumbed down, it's about as hard or as easy to work with as Linux x86. It has the standard RedHat 6.0 installer that we all know and love (and can use in your sleep), or a new X Linux installer which lets you use a graphical gtk-perl based installer.

    Installation is much like RedHat Linux 6.0, the installer has virtually everything the same, including Xconfigurator, and all of the other standard tools. You can boot Linux via either Quik (sorta like LILO for PowerPC systems -- it uses OpenFirmware which is about the equvalant to x86 BIOS) or using the handy BootX utility that allows booting from the Mac OS, is easy to use, etc.

    Yellow Dog Linux is much like LinuxPPC, since they are both RedHat-Linux based, so they share installers that look and feel the same and quite similar pakcages. I might mention that parts of Yellow Dog Linux Champion Server 1.1 are higher quality then LinuxPPC, and seem to work better.

    Debian/PPC is still an unstable version of Debian, it doesn't yet have a PowerPC installer (you install RedHat-type Monolithic PowerPC Linux and then replace it with Debian).

    TurboLinux/PPC is quite dated, the last time I checked it was still using glibc 1.99, instead of glibc 2.1, but that may have changed, since TurboLinux/PPC is more of an far east distro then other PowerPC ones. Again, RedHat-Linux based.

    Lets, not forget MkLinux Release 1, which is another RedHat-based PowerPC distro, which is currently in developement. It uses MkLinux Genric 8 alpha something for a kernel, and well it should be released this fall if all goes well.
  • I had to post relevant this forward email going around...

    Yeltsin, Clinton and Bill Gates were invited to have dinner with
    God. During dinner God told them, "I need three important people to
    send my message out to all people. Tomorrow I will destroy the earth."

    Yeltsin immediately called together his cabinet and told them, "I have
    two really bad news items for you: [1] God actually exists, and [2]
    tomorrow He will destroy the earth."

    Clinton called an emergency meeting of Congress and told them,
    "I have good news and bad news: [1] God really exists, and [2] the bad news
    is tomorrow He's destroying the earth."

    Bill Gates went back to Microsoft and happily announced, "I have
    two fantastic announcements: [1] I am one of the three most
    important people on earth, and [2] The Y2K problem is solved."
  • by Shoeboy (16224) on Friday August 06, 1999 @08:50AM (#1760987) Homepage
    Managers challenge developers to get work done using Windows 2000
    SEATTLE In a move that sent tremors of fear through the programming community, project managers across the country have begun challenging their developers to write code on Microsofts new flagship operating system, Windows 2000. The challenge has not been well publicized - most developers only find out about it after being shown a box running Windows 2000 and being encouraged to get to work. The prize for victory is continued employment. So far nobody has successfully completed the challenge, although there have been several notable failures.
    "It was awful," complained unemployed programmer Greg Andrews, "I couldn't do anything. I slipped further and further behind schedule until my PM decided I wasn't up to the challenge and gave me the axe."
    Several industry analysts blamed these failures on one of the ground rules laid out in the challenge - PMs refuse to allow hardware upgrades for W2K users despite the fact that it requires at least 256Mb of ram and a PIII-500 for reasonable performance. The analysts speculate that the challenge could still be completed if not for a few 'features' Microsoft included in order to make the challenge more, well, challenging. First off, is the extensive use of wizards, wizards are programs that require the user to navigate through a dozen dialog boxes in order to change even the most trivial of settings. Secondly, W2K makes extensive use of MMC a specialized tool designed to aggravate users accustomed to keyboard shortcuts.
    "We aimed these inovations at administrators mainly," admitted a Microsoft spokesperson, "but we're pleased to note that all users of W2K have found their productivity reduced by these tools. Wizards and MMC are part of our Zero Administration Windows initiative whereby we make administration of windows such a nuisance that nobody tries it."
    Still, many developers are hopefull that they will be able to complete the W2K challenge. Observered one developer, "I'm three weeks behind schedule right now, but I just discovered that if I disable the networking services and everything that depends on them, I free up just enough memory to allow me compile my 2500 line program in under 10 minutes. I might still have a job next week."
    --Shoeboy
  • ...but it is finnish...

    sorry couldn't help myself.
  • No shit, we got enough ups' on my work's server to power the city, not to mention the ones on individual PC's.

    Yeah, we run novell here. We tried to impliment exchange server (so no-one would have to change e-mail clients), but, shit, all sorts of troubles. Groupwise (what we use now) has it's issues, but it works . . .

    My next pet project: put a linux box on a novell based network. Should be fun . . .

    thanks for the time

  • Maybe God decided to get into. And succeeded in cracking the system.

    So is God the winner?
  • Kenya stop it. There's Norway I'm going to read any more of these.
  • I recently noticed how Win95 would make this rapid flashing thing during bootup, right after the screen that says...hmm, can't seem to remember exactly what it says. Hmpfh, I'll get back to that later. Right now I've got this irresistible urge to buy proprietary software'n'stuff...
    I'd say that I've experienced the same before.. but.. I can't ... seem.. to remember.....
  • Didn't I read a press release saying W2K was so finished and so stable that a huge number of them had been deployed at M$. Oh yea maybe they were lying they tend to do that don't they.
  • Well, what did you expect? ;-)
  • Other way around. Satan sold out to MS like everyone else.
    But why not? he gets his own homepage and free copy of win2k.. and best of all, he gets to change his name to SatanMSN
  • The whole point of Beta testing is to find flaws and bugs so you CAN finish the software
  • Even if it were true that the weather affected the test, I don't think this is any excuse for Microsoft - Message from God more like!
  • The second they turn on fingerd (which they might if all other cracking attempts fail), someone can grab some usernames. At that point, there is hope at something like this, but not until then. But even still, if you assume a 7 charcter password that is all lower case text (24 possable characters), ther is still something like 200,000,000,000,000,000,000 possable combinations for passwords, isn't there? (what is the statistical calculation here, I forget, 7^24? or 24^7 or something, which would still be 4,500,000,000 combinations...)

    I should dig out my statistics book, and count up how many usable characters there are for passwords... Then maybe time a login attempt from a fast connection... Hmm. Well, as long on the up side, I suppose you could run a mulitple attempts to login at once and cut the time needed down drastically. Anyone actually know what the right calculation is, and what the results are for number of possable passwords and potential time required is?

  • ...the spokeswoman said the computer was expected to be off line for some periods of time ``as customer feedback is assessed and integrated into the system...''

    I love it when marketroids encounter an unexpected directive. They seem to revert to their native dialect, marketspeak. I mean, c'mon - "feedback is assessed and integrated into the system?" What the hell does that even mean? She might as well have said "Beep. Marketshare. Assessment. Issue. Beep."

    Some day, we may even need translators just to understand those guys. It'll be like that scene in Star Wars:


    Uncle Owen: What I really need is a droid that understands the binary language of my marketing department.

    C3PO: Marketroids! Sir -- My first job was programming apologists... very similar to your marketroids. You could say...

    Owen: Do you speak technobabble?

    C3PO: Of course I can, sir. It's like a second language for me...



    Yeah, just like that.
  • Not to defend Windows2000, which I know by experience to be pretty crashy and unreliable, but citing this as proof that Linux is more stable than NT5 is far from reasonable.

    To begin with, as several other Northwesterners have mentioned, the weather on the day of the Win2k crash test was incredible. My girlfriend was practically struck by a lightning bolt on her way across the 520 bridge and when I made it home my cats were shivering in a dark corner, terrified of the incessant thunder. Very odd weather. Perhaps the Almighty was displeased with Microsoft.

    And secondly, do not even try to suggest that the tidal wave of 3l337 d000dz breaking themselves bodily against the walls of that Win2k box were in any way duplicated in the case of the LinuxPPC. Judging from the volume of vitriolic comments on /., just a single ping from each of the would-be crackers would have been enough to constitute a DoS attack. Everybody hates Microsoft. Very few people hate LinuxPPC. The savagery of the attacks bear no comparison to one another. -konstant

  • >Aug 6 1999 01:15PM CDT:
    >In response to the brute force attempt, we have
    >decided to save him the trouble: linuxppc :)

    I guess the flood of ignorant packets got boring. :-)



  • The number of people you say are 'working on bug fixes and patches worldwide for Linux' is a rather uncountable number. Yes, that's by the nature of the development model it uses. But it's far fewer people than you imply. I would bet that less than 1 in 500 people using Linux these days has ever done more than rebuild the kernel source after a 'make xconfig'.

    Some figures on the total number of different people who have submitted kernel patches would be in order. Plus maybe a list of the average number of people who have done so each month over the last six months.

    I suspect it will end up being fewer individuals than are employed at Microsoft(~1) on Windows 2000.
  • Yellow Dog *is* LinuxPPC. Different packaging. Whenever people ask them the differences between YDL vs MkLinux and LinuxPPC, they're always very careful to compare only to MkLinux.

    I think TurboLinux is working on an up-to-date version for PowerPC, but it's not done yet. They did have something older, but I don't think I've ever heard of anyone using it.

    Debian for PowerPC lacks an installer and requires a LinuxPPC bootstrap process.
  • Seriously, what's with MSFT putting up a server without a decent UPS? I checked with some buds and they all have UPS and they just flickered the UPS lights a few times as they handled the lightning strikes.

    So, no, this is NOT reasonable as an excuse. Operating a server, especially a web server, without a UPS in the Seattle region is sheer incompetence. A webmaster who did that without orders from above forcing him/her to not use a UPS would be fired.

    'Nuff said!

  • No Linux isn't a fluke. It's a fairly stable operating system for a lot of people. It has it's admirable qualities.

    Wether the much vaunted Open Source Development Model is a fluke is still a matter up for debate, of course. We'll see, and of course if it is "The One True Way (TM)" we can deal with it then. Right now it's somewhat of a religious crusade.
  • One unignorable thing, though, is that this provides us with entertainment. Something to read. Something to chuckle about.

    Who cares if the world forgets about it? I, for one, view Microsoft as a sort of permanent circus, and find it even more hilarious that respectable people actually take them seriously.

    It is good there are companies like Microsoft out there to alleviate our boredom.
  • maybe they have one of those memory-eraser things from "Men In Black"

    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Zzzzzt!
    "What the heck is that thing?"
    "I don't know, push the button"
    Click
    "I guess we'll never know, the batteries are dead."
  • by Shoeboy (16224)
    Observered? Yikes. I meant Observed. All other spelling and grammar errors are intentional.
    --Shoeboy
  • Check your sarcasm detector, I think you left it off.
  • I get 'no response from the server.'

    You /.ed?

    You didn't happen to put a counter on that page, did you? Heh heh.

  • Read the manpage, there are 64.

    Upper/lowercase alphanumerics (26+26+10=62) plus / and . (+2=64)



    __// `Thinking is an exercise to which all too few brains
  • >Read the manpage, there are 64.

    Whoa. 64^7 gives about 4398046511100 possible combinations, while 64^8 something like 281474976711000 (yes, near 262144 gigakeys).
  • I don't think that is accurate... I think you can use the symbols too now, like !@#$%^&*() in your passwords, so that's another ten at least. So, maybe fingerd won't matter much if the password is creative enough.

  • rob@water:~/ $ wc file.txt
    1 1 95 file.txt
    rob@water:~/ $ more file.txt
    abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUV WXYZ1234567890-=`[]\;',./~!@#$%^ &*()_+{}|":?

    So, that's 95, and I just tested something, I can easily set a 10 character password, so... 10^95 potential password possabilities, assuming you stay under 10 characters.

    Hmmm.... I just decided to change all my passwords to a really long string!

  • I'm 99.999% sure it is 24^7 which comes to 4,586,471,424 possible combinations. My question is why do you say 24 possible characters. Why aren't there 26? If its 26 then there are 8,031,810,176 possible combinations.
  • With even the stock fingerd, you should be able to turn off the "finger @host" (namely, reject all requests that don't have a valid user name). That means that most telnettable user IDs would have to still be guessed.

    I'm assuming that...
    * They blocked direct remote root logins. 'course.
    * The standard userids that don't ever log in, are blocked ('*'), and have non-valid shells.
    * They didn't leave 'round a joke UID (like 'haX0r') just for the heck of it. :-)

    In addition, even with a normal uid, they could have implemented access controls that forbid su-ing except for those in the wheel group, and then relegated those logins to only console. Or used S/Key, or other fun.

    Probably not an effective attack other than its DoS aspects.
  • For all the NT Admins breathlessly reading Slashdot to learn about The Opposition....

    This is a major "D'oh!" since most (all?) distributions are configured so that telnetd *won't* allow "root" to log in over the network. Knowing the root password and a couple bucks will still only get you a cup of Starbucks coffee. "Root" is only permitted to log into a system from ports listed in the /etc/securetty file, and someone would have to be unusually braindead to add network ports to that file. (The normal procedure is to log in as a regular user, then 'su' to "root.")

    Bottom line: a brute force attempt to telnet in as "root" has absolutely no chance of succeeding. The fact that someone is trying it simply highlights their own ignorance.
  • Oh, some of us understand.

    We shake our heads sadly and wish a better life for you, but we understand.
  • Blame it on the weather. Yeah right. I live in Seattle and yeah, there was some lightning (1000 strikes *StateWide* in 24 hours). After living in here for three years this seemed like a lot, but remember it is only because we never get lightning. Living in New Mexico and Arizona I can say that 1000 strikes per storm cell is not uncommon. And besides, many places in the world get many more strikes on a continual basis and yet their services don't stop... even when the power actually goes out. So don't blame it on the weather.

    Your second argument may hold some water (some), but the server shouldn't crash. The worst it should do is tell you it's too wimpy to cope and to try again later. Plus the LinuxPPC is running on a 132MHz PPC 604, not exactly a mighty processor.

    Just pointing out the ovious

    Yo
  • Cool! Can someone moderate this up a few points?


  • I mean, c'mon - "feedback is assessed and integrated into the system?" What the hell does that even mean?

    Well, we know it doesn't mean that customers are submitting patches and bugfixes that make it into the code.

    They're probably just changing desktop themes or something like that.

    --
    QDMerge [rmci.net] -- data + templates = documents.
  • Not from God, satan. The Devil is coming back to claim the other end of the deal that he made with BillG 15 years ago in which BillGa~1 sold his soul to satan.


    CY
  • I can't make much since of that site... HackersLab. I was amped about geting my orange belt in ping bombing. Guess I need to hit the books first. ÀüÅõ. ½Ã ÄÄÇÅÍ ÃßôÇÏÙ æ±â.
  • Remember the Press Conference blue screen of death fiasco? Bill demonstrating 98 BETA's plug n pray usb support and it crashes. What did he say? "I guess thats why its still a beta"... DOH then W98 released and has had to be patched and re released like 95 did. The same shit will happen with W2k. What NOONE here seems to grasp is that any OS robust enough to handle all the various hardware and tasks we can throw at it is going to have problems here and there. The question becomes do you want an OS that you have to BUY the fixes for or do you just want to be able to scan the newsgroups and the dist's ftp to patch it up or add support for some new hardware? Do you want an OS that says well it should work with your equipment but if it doesn't your SOL untill we feel like developing/releasing a fix? Or, do you want an OS that outline right out.. this is what it works well with.. this is iffy... and this well.. good luck but check back later and it'll probably work... Geez....
  • Check the bottom of crack.linuxppc.org...

    Was crack crack win crack there previously? I don't remember it...
  • Haven't dropped by their site, but one wonders if they even have a load on it, with multiple groups of users sending different requests. Or is it just a one trick pony port 80 web server?

    I don't blame them for shutting down telnet, if they expect hacks.

  • but it really seems to me that MS thought that it was asking for a nice gentlemanly round of fisticuffs w/ the crackers out there, but what it got instead was an alley fight. Quite a different thing when you're down and the fight doesn't stop.

    Sure the weather must have been out-of-the-ordinary, but that really doesn't mean dick if you're serious about servers, at least in the real world outside of the MS campus.

    Once again MS proves beyound a shadow of a doubt that it is basically a rank amature(sic) technology company that makes a Chinese fire drill look positively organized.

  • Not that this should devolve into a "My macho hardware has longer uptime than yours" thing, but it's just plain dumb to issue a public challenge when you're clearly not prepared even to support the event, much less the actual responses to the challenge.

    The lights were flickering all evening at my place (in Seattle proper), and my UPS' kicked in several times. But none of the systems even hiccupped. One of the modems needed the power cycled after lightning hit a pole 1 block away (nice fireworks when the City Light transformer blew up), but for the most part, everything was as it should be. It just boggles me that my basement is better prepared for such events than the MS production server staging network.

    Or maybe She-Who-Hurtles-Lightning just wanted to twist Bill's undies into a wee bit tighter bunch than they already were. Heh.
  • You're right--it's easy for technology buyers to forget Microsoft's failure incidents. The best example IMHO is the security breach discovered a month or two ago that lets anyone, anywhere break into any NT server. Notice how the news sites don't give this bug the attention it deserves. Reporters need to say that such a breach left open is probably the worst thing that's ever happened to an "enterprise class" OS. Yes, other OS's have had incidents, but the bugs were fixed expeditiously. Microsoft, like the software they produce, keeps getting bigger and slower.

    However, general attitudes appear to be shifting toward alternative operating systems because they are becoming viable. (To some degree, they always were viable, it's just that people weren't aware of them.) Hopefully the attitude shift is not temporary.
  • Actually, there are upper, and lower case characters, and numbers, and symbols, so, there are definately over 50, maybe somewhere around 75?
  • "...the spokeswoman said the computer was expected to be off line for some periods of time 'as customer feedback is assessed and integrated into the system...'"

    Perhaps I'm ignorant or merely excessively curious, but what the /heck/ does that mean anyway? Customer feedback assessed and integrated? What, they're going to release a service pack for it (in several months) because so many people found it completely ridiculous?

    IMHO, Microsoft just shot themselves in the foot again. Let's laugh at them and move on. ;]

  • Yeah, I had a chance to test my own copy of Windows 2000. The first thing I have to say about that is that it really sucked, it never crashed (BSOD) on me, but plenty of weird things happened that made me reboot. All I have to say is that Windows 2000 sucks. I am surprised that Microsoft even thought that it would stay up for even a day. Linux rocks windows, that's my 2 cents.
  • That is, are any of them not due to filled event logs, or very similar DoS's?
  • Now the feedback page is saying that the comments field is required. Duh; where do you think I typed in my comments. M$ doesn't know HTML or validation, methinks.
  • Hmm that sounds more realistic, 5.19E19... Still would take a while to brute force it, even with a username.
  • I don't mean to go off on a tangent, but it's great to see that Linux reporting seems to be getting more and more accurate. You used to have to wince a lot at the misconceptions and errors that showed up in news articles about Linux, but this one summarized things well and I didn't see any glaring mistakes.

    It's nice to see!

  • by Matt2000 (29624)
    The sad thing about this is that it seems Microsoft has spent so much on Windows 2000 that they can no longer afford to a UPS to avoid things like power fluctuations.

    Thats what you get when you let a marketing person field technical questions, "Umm, my kid put a peanut butter sandwich in the disk drive and it crashed. Therefore my kid is the winner of the contest."
  • Yeah but he tried requests conforming to HTTP/1.0 and HTTP/0.9 standards, too. According to the latest RFCs, and all RFCs on HTTP, when possible, you should always be backwards-compatible.
  • what I would like to be posted in the news is the fact that windows2000test has ONLY httpd running on port 80. That would not even make a practical server. The LinuxPPC server has enabled telnet to make it fair. Oh well, at least the story used the word 'crackers' correctly.
  • The weather was spectacular. Although for me, being from out of state, it wasn't a new thing. It was interesting to see how Seattlites reacted-like it was the end of the world or something. Apparently, not even Microsoft was prepared....


    -Lisa
  • by edgy (5399)
    You're still missing the point. The fact that you have source means you're never dependent on a vendor (i.e. Microsoft) to fix a problem with the code. You don't have to wait for a service pack. You can hire someone to fix it yourself if it's not important enough to anyone else.

    And that's one of the biggest benefits of open source in this case.
  • The average uptime before reboot onw www.windows2000test.com [windows2000test.com] was 14.4 hours as of 12:00 lst night. This does not even count the nameserver problems, etc.


    Kspett
  • Nah, just took a spare pokemon with an energy card.

  • Because you don't have infinite storage: the best you could possibly do is probably use a separate system, burning to write-once mass storage (separate and write-once to preserve integrity), and even then you'll run out of media. There is a fundamental compromise with any logging system.

    You can either:
    * Let the machine continue to run when you're out of log space. This means that either you cull the old log, or preserve it but nothing further is logged until the space problem is resolved. If you choose the latter, a malicious cracker can attack your machine, and then flood it with event-causing occurrences to erase logs of the attack; if the former, he simply switches the order.

    Either way, it is going to be possible for a malicious cracker to act in a way that is *not* logged, which means that you will have a far more difficult time preventing a repeat attack -- or possibly even detecting such. For many, this is unacceptable.

    * Or, you can shut down the machine so no lamer/cracker can do further damage to it, and you are ensured the ability to analyze the logs.

    Since you cannot prevent a full DoS (e.g. simple packet floods. If you block those alleged originating networks, then you've lost some service. That's why the rules don't count DoS attacks.) anyway, some security guidelines require that the machine be shut down instead.
  • I kind of brushed on this in a previous post [slashdot.org]. Allow me to re-hash the main points...

    It's not your father's Beta.
    The term 'beta' has been dilluted, if not completely nullfied, by current industry actions. Commercial software these days never actually stops being developed. The progect just gets published and sold (sorry, 'licenced') to consumers; even with known "issues" (read: bugs). As a consumer, you hope that the software house you purchase products from is willing and able to put out fixes for these bugs at a, hopefully not-so, later time. Microsoft does it. Netscape does it. It's standard practice. Now, in a more development-centric environment (where Marketing doesn't control the progect) such as your favorite Open Source progect... "Beta" might actually mean "there's known bugs here that we want to fix before we say it is 'ready'".

    Breathe in... release.
    Microsoft's W2k progect is now in its final stages. They've released a "release candidate" to their testing public. I would hope this means they're pretty sure they are close to a finnished product. Baring any suprises the massive amount of testers might find... its close to a done product. MS says this product is stable. Shouldn't it be?

    It's my party...
    This is Microsoft's show. They're the ones who went for the publicity stunt. Let's not forget that MS, for the most part, are greatly skilled at PR. So if they didn't think W2K was ready... if they suspected that it was still buggy and 'beta'... why did they pull a stunt to bring attention to this fact? And, again, if they knew it was unstable why do they not simply state that the product is 'beta'?

    ...and I can configure as I want to.
    An even better point is that Microsoft controlled the configuration of this test. They picked the hardware. They picked the software (including access to the world's best information source in the world on how to tweak a W2K installation- themselves). This was not some unskilled admin setting up a shaky configuration on obscure hardware. If MS, with their resources, can't keep W2K stable... who can?

    I said it before - MS tried to pull a quick publicity stunt and got stung by it. Badly. "Beta" hardly explains this one away.


  • Let them set up two servers, and we'll benchmark cracking protections. Wonder who would win?

    (crashing 9 times, laugh, laugh, laugh, cough, laugh)

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...