AP Story on Linux and W2k Cracking Contests 205
StirFry writes "The AP Wire has this story about the whole crack Windows 2000/crack LinuxPPC situ. And they even use and define the term 'crackers'. Best bit:
'But a log posted on the computer showed at least nine crashes caused by problems with Microsoft software, not the weather. Questioned about that,
the spokeswoman said the computer was expected to be off line for some periods of time ``as customer feedback is assessed and integrated into the
system.'' " Apparently the Linux box is still standing.
Yes! (Score:1)
--
Re:uhhhhh (Score:1)
For three hours this morning. 6:04-9:20. No guest page entries.
Not delivering web pages when all it does is deliver web pages is pretty close to a crash.
Seems to ignore the real problem. How much is it not serving pages?
And if the logs can be sent to another computer (perhaps over a second interface), why does one need to stop the computer to analyze logs?
Re:Not any apology for M$... (Score:2)
Yeah, I agree. Some people at MS are going to lose their jobs over this. Perhaps then they'll be able to come in from the cold...
Re:Windows 2000 working, I don't think so... (Score:1)
Before the Open Source police scorch my mailbox, the $1000+ MSDN subscription is paid for by my company, so it's free to me. I ran Linux when I was at school, back in the day.
-Barry
This is my .sig....or something
you should be writing for Segfault.org Shoeboy! (Score:1)
(or are you? I must admit I haven't been over
there for awhile...
-matt
Post this on segfault! (Score:1)
Hey, cool! (Score:1)
Coooool
Getting one will cost you under a grand, somewhat more to trick it out with lots of RAM and stuff. Is it upgraded with, say, a 200Mhz 604e like mine, or is it the original 132mhz 604 running it?
9500 has 12 ram slots, 6 PCI slots, and two entire plain SCSI busses built right in. Whee! Now if I had lots more drives I could actually start using it to its capacities.
I take it the linux 9500 has been handling slashdotting gracefully? That's very interesting to know.
Final note- the power supply on these kicks ass. I've had brownouts knock my (separate, wall-wart powered) modem offline and make the monitor hiccup and not even cause the powermac to blink. So the linux box up against W2K is probably even better at being hit by lightning
Re:uhhhhh (Score:2)
we should take up a collection (Score:1)
Weather Hacking (Score:1)
Re:uhhhhh (Score:1)
The Linux box, on the other hand, has had services turn on and off but it remains up and strong. They are actually turning on services until someone cracks one (if that happens).
my 2 cents
Re:uhhhhh (Score:2)
Re:uhhhhh (Score:1)
I still wouldn't consider that acceptable for the small amount of time that server has been up. If Microsoft is going to issue a challenge, then they should have done their homework and had that server ready to handle anything conceivable including power outages and SYN flood attacks.
Once again, the anti-MS FUD spreads....
Oh please, the amount of MS favored (if not outright sponsored) FUD outweighs any anti-MS FUD by several orders of magnatude.
The double standard that the industry, Slashdot and the media has with Microsoft is sickening.
Yes, it is, the media is still far too biased towards Microsoft. And as long as Microsoft is one of the largest advertising dollar spenders, that probably won't change. What is (pleasantly) surprising is that there is still enough journalistic integrity out there that any news unfavorable to Microsoft ever gets reported.
Why can't we get back to doing what's important: improving people's lives through software/hardware?
I wish that Microsoft couldn't be described by replacing 'improving' with 'controling' above.
Linux has improved my life, my life would be greatly improved if I didn't ever have to deal with the agony resulting from Microsoft software. I've managed to get rid of most of it, but I still occasionally have to deal with it at work.
Re:uhhhhh (Score:1)
Furthermore, a reboot or a service restart is, in a production box, exactly the same as a crash. If a service stops working, it's the same as crash, as far as the user is concerned. A web server that cannot serve webpages is USELESS. A ecommerce site that cannot present a catalog or take a transaction is more that useless-it loses customers. Why is it that this wonder-fscking-ful operating system of yours hasn't been able to show me a page since tuesday..
-flips over, checks w2ktest-still dead-
-checks crackppc, sees this in log-
>Aug 7 1999 11:38AM CDT:
>Machine up 3 days. 0 min. Well this is >ridiculous now isn't it.
This lousy PowerMac 9500-a 18 month old box, has been beaten on for 3 days, is showing more services that the win2k box, and hasn't died yet.
Hasn't had a service that needed to be restarted yet.
Hasn't had a reboot yet.
Oh yeah-hasn't been broken into yet, either.
This isn't FUD. This is simple fact. www.windows2000test.com has shown that Windows 2000 and IIS 5.0 are not suitable for production use. So far, it seems that LinuxPPC is much closer to ready that Win2k.
So, why don't you go tell Bill that his OS ain't ready-and why don't you get back to work and fix the problems that Win2k has?
apparently life is really boring for a lot of you (Score:2)
this is just another in a long line of publicity stunts that MS is trying to pull off. remember "scalability days" (i think that's what they called it)? terraserver? now this cracking test?
it's astounding that people have such short memories, but that's the way things works. each of these three displays fizzled at first, then they got swept under the carpet. the problem is that if it's a win for MS, it's a _big_ win because they can market the hell out of it. if not, somehow they make everybody forget about it. (maybe they have one of those memory-eraser things from "Men In Black" - heck, all those billions of R&D have to go somewhere. i don't thing they've ever actually pulled a product out of R&D, it's all copying/embrace & extend).
anyway, some things:
1) the contention that it's beta software -- if it's beta, then don't expose it to a huge media frenzy. if you jump into the fire without an asbestos suit, you're going to get burned.
2) this is such an invalid test, i wouldn't be surprised if was being administered by mindcraft. i mean, come on, who thinks they're actually going to see any valid test results from this. i feel sorry for anybody who actually takes this test to be a test and not a stunt.
3) the volume of attempts on NT vs the LinuxPPC box have got to be skewed so horrendously that this comparison shouldn't even be brought up by any respectable reporter without finding out what that difference is and reporting it.
Re:Not any apology for M$... (Score:1)
Customer feedback (Score:1)
I want an operating system that can run under significant load without crashing. Until you can produce that, you can kiss my assessment.
Sincerely,
dave
---
Re:Are the "software-related" crashes meaningful? (Score:1)
Some would rather have a box go down, but be able to analyze the results, than let a cracker attack it and then be able to hide the results even if he failed to get full admin rights.
Not any apology for M$... (Score:2)
This is no apology, though - 9 unscheduled non-weather related downs, and they blame it on the weather? Morons.
Re:Not any apology for M$... (Score:2)
Check out the site... (Score:3)
Aug 6 1999 part 4 12:38AM CDT:
At a rate of 2 million packets per hour/ someone appears to be using a brute force method to guess the passwords. Does this kind of attack count? Unfortunatly, they are trying to telnet in as root
Gotta love it...
Re:I can't believe its not BETA! (Score:1)
Re:windows 2000 not even finished (Score:1)
Is untested software ever considered finished?
Re:Check out the site... (Score:1)
I wonder if its some NT admin...?
Good LinuxPPC publicity, any other PPC distros? (Score:1)
I'm gunna get my hands on TurboLinux for PowerPC, it seems like it would be more in my arena. Or possibly Debian. I really wanna try out Yellow Dog.
Anyone know of any other Distros for PowerPC?
Re:IIS doesn't handle HTTP properly... (Score:1)
HEAD / HTTP/1.1^M
Host:www.windows2000test.com^M
^M
According to HTTP/1.1 standard you MUST include Host header in the request.
BETA? (Score:1)
For some reason when Free Software bugs come up on SlashDot, BETA or PRERELEASE is always the excuse.
Just something to think about...
New use for d.net: Site cracking in under 20 sec. (Score:1)
Re:Check out the site... (Score:1)
Oops wrong OS.
Brute force a jcarr is a better solution.
Re:Interesting Take on the Story (Score:1)
I saw it as Microsoft trying a publicity stunt, and getting out-maneuvered by the LinuxPPC guy.
Here's a mention of slashdot (Score:1)
I also spotted this article about a "Hacker's Lab" [koreaherald.co.kr] that allows crackers to work their way up to something like a "black belt" in cracking, by undertaking a series of canned cracks. It might be cool, might be lame, but it's kind of funny.
Re:uhhhhh (Score:2)
Re:windows 2000 not even finished (Score:1)
Its excellent (Score:1)
The w2k crack contest won't last too much longer (Score:1)
Re:Are the "software-related" crashes meaningful? (Score:1)
Re:Weather Hacking (Score:1)
Re:lightning in seattle? (Score:1)
Alright -- yes, there has been some pretty strange weather this week in Seattle (I work in downtown, and I live just north of downtown), but I work with 3 computers all of which have been working without problems.
Ever hear of a surge protector, M$?
Apparently not.
Bernie
Re:Good LinuxPPC publicity, any other PPC distros? (Score:1)
LinuxPPC isn't really dumbed down, it's about as hard or as easy to work with as Linux x86. It has the standard RedHat 6.0 installer that we all know and love (and can use in your sleep), or a new X Linux installer which lets you use a graphical gtk-perl based installer.
Installation is much like RedHat Linux 6.0, the installer has virtually everything the same, including Xconfigurator, and all of the other standard tools. You can boot Linux via either Quik (sorta like LILO for PowerPC systems -- it uses OpenFirmware which is about the equvalant to x86 BIOS) or using the handy BootX utility that allows booting from the Mac OS, is easy to use, etc.
Yellow Dog Linux is much like LinuxPPC, since they are both RedHat-Linux based, so they share installers that look and feel the same and quite similar pakcages. I might mention that parts of Yellow Dog Linux Champion Server 1.1 are higher quality then LinuxPPC, and seem to work better.
Debian/PPC is still an unstable version of Debian, it doesn't yet have a PowerPC installer (you install RedHat-type Monolithic PowerPC Linux and then replace it with Debian).
TurboLinux/PPC is quite dated, the last time I checked it was still using glibc 1.99, instead of glibc 2.1, but that may have changed, since TurboLinux/PPC is more of an far east distro then other PowerPC ones. Again, RedHat-Linux based.
Lets, not forget MkLinux Release 1, which is another RedHat-based PowerPC distro, which is currently in developement. It uses MkLinux Genric 8 alpha something for a kernel, and well it should be released this fall if all goes well.
3 important men (Score:1)
Yeltsin, Clinton and Bill Gates were invited to have dinner with
God. During dinner God told them, "I need three important people to
send my message out to all people. Tomorrow I will destroy the earth."
Yeltsin immediately called together his cabinet and told them, "I have
two really bad news items for you: [1] God actually exists, and [2]
tomorrow He will destroy the earth."
Clinton called an emergency meeting of Congress and told them,
"I have good news and bad news: [1] God really exists, and [2] the bad news
is tomorrow He's destroying the earth."
Bill Gates went back to Microsoft and happily announced, "I have
two fantastic announcements: [1] I am one of the three most
important people on earth, and [2] The Y2K problem is solved."
There's another W2K challenge out there. (Score:3)
SEATTLE In a move that sent tremors of fear through the programming community, project managers across the country have begun challenging their developers to write code on Microsofts new flagship operating system, Windows 2000. The challenge has not been well publicized - most developers only find out about it after being shown a box running Windows 2000 and being encouraged to get to work. The prize for victory is continued employment. So far nobody has successfully completed the challenge, although there have been several notable failures.
"It was awful," complained unemployed programmer Greg Andrews, "I couldn't do anything. I slipped further and further behind schedule until my PM decided I wasn't up to the challenge and gave me the axe."
Several industry analysts blamed these failures on one of the ground rules laid out in the challenge - PMs refuse to allow hardware upgrades for W2K users despite the fact that it requires at least 256Mb of ram and a PIII-500 for reasonable performance. The analysts speculate that the challenge could still be completed if not for a few 'features' Microsoft included in order to make the challenge more, well, challenging. First off, is the extensive use of wizards, wizards are programs that require the user to navigate through a dozen dialog boxes in order to change even the most trivial of settings. Secondly, W2K makes extensive use of MMC a specialized tool designed to aggravate users accustomed to keyboard shortcuts.
"We aimed these inovations at administrators mainly," admitted a Microsoft spokesperson, "but we're pleased to note that all users of W2K have found their productivity reduced by these tools. Wizards and MMC are part of our Zero Administration Windows initiative whereby we make administration of windows such a nuisance that nobody tries it."
Still, many developers are hopefull that they will be able to complete the W2K challenge. Observered one developer, "I'm three weeks behind schedule right now, but I just discovered that if I disable the networking services and everything that depends on them, I free up just enough memory to allow me compile my 2500 line program in under 10 minutes. I might still have a job next week."
--Shoeboy
Re:windows 2000 not even finished (Score:1)
sorry couldn't help myself.
Re:Weather & power (Score:1)
Yeah, we run novell here. We tried to impliment exchange server (so no-one would have to change e-mail clients), but, shit, all sorts of troubles. Groupwise (what we use now) has it's issues, but it works . . .
My next pet project: put a linux box on a novell based network. Should be fun . . .
thanks for the time
Or maybe God is a "cracker" (Score:1)
Maybe God decided to get into. And succeeded in cracking the system.
So is God the winner?
Re:windows 2000 not even finished (Score:1)
proprietary software (Score:1)
I'd say that I've experienced the same before.. but.. I can't
Re:windows 2000 not even finished (Score:1)
And this is *news*? (Score:1)
Re:Not any apology for M$... (Score:1)
But why not? he gets his own homepage and free copy of win2k.. and best of all, he gets to change his name to SatanMSN
"Beta" (Score:1)
Re:Not any apology for M$... (Score:1)
Realisticly (Score:2)
I should dig out my statistics book, and count up how many usable characters there are for passwords... Then maybe time a login attempt from a fast connection... Hmm. Well, as long on the up side, I suppose you could run a mulitple attempts to login at once and cut the time needed down drastically. Anyone actually know what the right calculation is, and what the results are for number of possable passwords and potential time required is?
Re: (Score:1)
This is scarcely a fair comparison (Score:1)
To begin with, as several other Northwesterners have mentioned, the weather on the day of the Win2k crash test was incredible. My girlfriend was practically struck by a lightning bolt on her way across the 520 bridge and when I made it home my cats were shivering in a dark corner, terrified of the incessant thunder. Very odd weather. Perhaps the Almighty was displeased with Microsoft.
And secondly, do not even try to suggest that the tidal wave of 3l337 d000dz breaking themselves bodily against the walls of that Win2k box were in any way duplicated in the case of the LinuxPPC. Judging from the volume of vitriolic comments on /., just a single ping from each of the would-be crackers would have been enough to constitute a DoS attack. Everybody hates Microsoft. Very few people hate LinuxPPC. The savagery of the attacks bear no comparison to one another. -konstant
The root password is "linuxppc" (Score:1)
>In response to the brute force attempt, we have
>decided to save him the trouble: linuxppc
I guess the flood of ignorant packets got boring.
Re:Sad. (Score:1)
Some figures on the total number of different people who have submitted kernel patches would be in order. Plus maybe a list of the average number of people who have done so each month over the last six months.
I suspect it will end up being fewer individuals than are employed at Microsoft(~1) on Windows 2000.
Re:Good LinuxPPC publicity, any other PPC distros? (Score:1)
I think TurboLinux is working on an up-to-date version for PowerPC, but it's not done yet. They did have something older, but I don't think I've ever heard of anyone using it.
Debian for PowerPC lacks an installer and requires a LinuxPPC bootstrap process.
In Seattle and Tacoma we all have UPS (Score:1)
So, no, this is NOT reasonable as an excuse. Operating a server, especially a web server, without a UPS in the Seattle region is sheer incompetence. A webmaster who did that without orders from above forcing him/her to not use a UPS would be fired.
'Nuff said!
Re:Gee, go figure (Score:1)
Wether the much vaunted Open Source Development Model is a fluke is still a matter up for debate, of course. We'll see, and of course if it is "The One True Way (TM)" we can deal with it then. Right now it's somewhat of a religious crusade.
Re:apparently life is really boring for a lot of y (Score:1)
Who cares if the world forgets about it? I, for one, view Microsoft as a sort of permanent circus, and find it even more hilarious that respectable people actually take them seriously.
It is good there are companies like Microsoft out there to alleviate our boredom.
Re:apparently life is really boring for a lot of y (Score:1)
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Zzzzzt!
"What the heck is that thing?"
"I don't know, push the button"
Click
"I guess we'll never know, the batteries are dead."
Idiocy (Score:2)
--Shoeboy
Re:Gee, go figure (Score:1)
Re:Slow down the server (Score:1)
You
You didn't happen to put a counter on that page, did you? Heh heh.
Re:Realisticly (Score:1)
Read the manpage, there are 64.
Upper/lowercase alphanumerics (26+26+10=62) plus / and . (+2=64)
__// `Thinking is an exercise to which all too few brains
Re:Realisticly (Score:1)
Whoa. 64^7 gives about 4398046511100 possible combinations, while 64^8 something like 281474976711000 (yes, near 262144 gigakeys).
More than 64^8 actually (Score:2)
10E95 potential passwords. (Score:2)
rob@water:~/ $ wc file.txt
1 1 95 file.txt
rob@water:~/ $ more file.txt
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTU
So, that's 95, and I just tested something, I can easily set a 10 character password, so... 10^95 potential password possabilities, assuming you stay under 10 characters.
Hmmm.... I just decided to change all my passwords to a really long string!
Re:Realisticly (Score:1)
Re:Realisticly (Score:1)
I'm assuming that...
* They blocked direct remote root logins. 'course.
* The standard userids that don't ever log in, are blocked ('*'), and have non-valid shells.
* They didn't leave 'round a joke UID (like 'haX0r') just for the heck of it.
In addition, even with a normal uid, they could have implemented access controls that forbid su-ing except for those in the wheel group, and then relegated those logins to only console. Or used S/Key, or other fun.
Probably not an effective attack other than its DoS aspects.
/etc/securetty (Score:2)
This is a major "D'oh!" since most (all?) distributions are configured so that telnetd *won't* allow "root" to log in over the network. Knowing the root password and a couple bucks will still only get you a cup of Starbucks coffee. "Root" is only permitted to log into a system from ports listed in the
Bottom line: a brute force attempt to telnet in as "root" has absolutely no chance of succeeding. The fact that someone is trying it simply highlights their own ignorance.
Re:uhhhhh (Score:1)
We shake our heads sadly and wish a better life for you, but we understand.
Re:This is scarcely a fair comparison (Score:1)
Your second argument may hold some water (some), but the server shouldn't crash. The worst it should do is tell you it's too wimpy to cope and to try again later. Plus the LinuxPPC is running on a 132MHz PPC 604, not exactly a mighty processor.
Just pointing out the ovious
Yo
Re:yahoo gives "Full Coverage" to linux (WOW!) (Score:1)
Re:core dump (Score:1)
I mean, c'mon - "feedback is assessed and integrated into the system?" What the hell does that even mean?
Well, we know it doesn't mean that customers are submitting patches and bugfixes that make it into the code.
They're probably just changing desktop themes or something like that.
--
QDMerge [rmci.net] -- data + templates = documents.
Re:Not any apology for M$... (Score:1)
CY
Do I need to learn Korean first? (Score:1)
Re:uhhhhh (Score:1)
Re:Looks OK to me (Score:1)
Was crack crack win crack there previously? I don't remember it...
Makes you wonder if they even load it (Score:1)
I don't blame them for shutting down telnet, if they expect hacks.
not to beat a dead horse (Score:1)
Sure the weather must have been out-of-the-ordinary, but that really doesn't mean dick if you're serious about servers, at least in the real world outside of the MS campus.
Once again MS proves beyound a shadow of a doubt that it is basically a rank amature(sic) technology company that makes a Chinese fire drill look positively organized.
unprepared is as unprepared does (Score:1)
The lights were flickering all evening at my place (in Seattle proper), and my UPS' kicked in several times. But none of the systems even hiccupped. One of the modems needed the power cycled after lightning hit a pole 1 block away (nice fireworks when the City Light transformer blew up), but for the most part, everything was as it should be. It just boggles me that my basement is better prepared for such events than the MS production server staging network.
Or maybe She-Who-Hurtles-Lightning just wanted to twist Bill's undies into a wee bit tighter bunch than they already were. Heh.
Re:apparently life is really boring for a lot of y (Score:1)
However, general attitudes appear to be shifting toward alternative operating systems because they are becoming viable. (To some degree, they always were viable, it's just that people weren't aware of them.) Hopefully the attitude shift is not temporary.
Re:Realisticly (Score:2)
Hey, what does that mean anyway? (Score:1)
Perhaps I'm ignorant or merely excessively curious, but what the
IMHO, Microsoft just shot themselves in the foot again. Let's laugh at them and move on.
Windows 2000 working, I don't think so... (Score:1)
Are the "software-related" crashes meaningful? (Score:1)
Non functional feedback page (Score:1)
Or is it 95^10 = 5.98E19? (Score:2)
A little off topic (Score:2)
It's nice to see!
Sad. (Score:1)
Thats what you get when you let a marketing person field technical questions, "Umm, my kid put a peanut butter sandwich in the disk drive and it crashed. Therefore my kid is the winner of the contest."
Re:IIS doesn't handle HTTP properly... (Score:1)
needs more details (Score:1)
Re:Not any apology for M$... (Score:1)
-Lisa
Re:Sad. (Score:2)
And that's one of the biggest benefits of open source in this case.
Average Win2kTest server uptime (Score:1)
Kspett
Just a Pokemon (Score:1)
Re:uhhhhh (Score:1)
You can either:
* Let the machine continue to run when you're out of log space. This means that either you cull the old log, or preserve it but nothing further is logged until the space problem is resolved. If you choose the latter, a malicious cracker can attack your machine, and then flood it with event-causing occurrences to erase logs of the attack; if the former, he simply switches the order.
Either way, it is going to be possible for a malicious cracker to act in a way that is *not* logged, which means that you will have a far more difficult time preventing a repeat attack -- or possibly even detecting such. For many, this is unacceptable.
* Or, you can shut down the machine so no lamer/cracker can do further damage to it, and you are ensured the ability to analyze the logs.
Since you cannot prevent a full DoS (e.g. simple packet floods. If you block those alleged originating networks, then you've lost some service. That's why the rules don't count DoS attacks.) anyway, some security guidelines require that the machine be shut down instead.
I can't believe its not BETA! (Score:2)
It's not your father's Beta.
The term 'beta' has been dilluted, if not completely nullfied, by current industry actions. Commercial software these days never actually stops being developed. The progect just gets published and sold (sorry, 'licenced') to consumers; even with known "issues" (read: bugs). As a consumer, you hope that the software house you purchase products from is willing and able to put out fixes for these bugs at a, hopefully not-so, later time. Microsoft does it. Netscape does it. It's standard practice. Now, in a more development-centric environment (where Marketing doesn't control the progect) such as your favorite Open Source progect... "Beta" might actually mean "there's known bugs here that we want to fix before we say it is 'ready'".
Breathe in... release.
Microsoft's W2k progect is now in its final stages. They've released a "release candidate" to their testing public. I would hope this means they're pretty sure they are close to a finnished product. Baring any suprises the massive amount of testers might find... its close to a done product. MS says this product is stable. Shouldn't it be?
It's my party...
This is Microsoft's show. They're the ones who went for the publicity stunt. Let's not forget that MS, for the most part, are greatly skilled at PR. So if they didn't think W2K was ready... if they suspected that it was still buggy and 'beta'... why did they pull a stunt to bring attention to this fact? And, again, if they knew it was unstable why do they not simply state that the product is 'beta'?
An even better point is that Microsoft controlled the configuration of this test. They picked the hardware. They picked the software (including access to the world's best information source in the world on how to tweak a W2K installation- themselves). This was not some unskilled admin setting up a shaky configuration on obscure hardware. If MS, with their resources, can't keep W2K stable... who can?
I said it before - MS tried to pull a quick publicity stunt and got stung by it. Badly. "Beta" hardly explains this one away.
If it's not Mindcraft, it's CRAP! (Score:2)
Let them set up two servers, and we'll benchmark cracking protections. Wonder who would win?
(crashing 9 times, laugh, laugh, laugh, cough, laugh)