Microsoft Admits To Being Hacked Too

samzenpus posted about a year and a half ago | from the join-the-crowd dept.

Microsoft 92

colinneagle writes "Once upon a time, Microsoft claimed that falling prey to social engineering tactics and then being hacked was a 'rookie mistake.' But now is the time for companies to jump on the bandwagon, to admit they were targeted by cyberattacks and successfully infiltrated. The stage is so crowded with 'giants' at this point, that there are fewer 'bad press' repercussions than if only one major company had admitted to being breached. Microsoft now admitted, hey we were hacked too. 'As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion,' wrote Matt Thomlinson, General Manager of Microsoft's Trustworthy Computing Security. Unlike the New York Times and the Wall Street Journal there was no mention of Chinese hackers."

It was Macs at Microsoft (-1, Flamebait)

recoiledsnake (879048) | about a year and a half ago | (#43007125)

The Macs at the Mac Business Unit were affected.

Troll more, submitter.

Re:It was Macs at Microsoft (3, Informative)

Anonymous Coward | about a year and a half ago | (#43007229)

The Macs at the Mac Business Unit were affected.

FTFA:

During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations.

It wasn't just the Macs. This was an attack on the Oracle java browser plugin, not an attack on a specific platform.

Troll less, recoiledsnake.kthxbai.

Re:It was Macs at Microsoft (2, Interesting)

mystikkman (1487801) | about a year and a half ago | (#43007295)

The Macs at the Mac Business Unit were affected.

FTFA:

During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations.

It wasn't just the Macs. This was an attack on the Oracle java browser plugin, not an attack on a specific platform.

Troll less, recoiledsnake.kthxbai.

That can imply that Macs are being used elsewhere in Microsoft apart from the Mac Business Unit. The malware was hosted on an iPhone dev site, and Microsoft has a lot of iPhone app development going on with Bing, Photosynth, Xbox etc. which are not part of the Mac Business Unit.

The computers hacked at Facebook were Macs. (Facebook devs pretty much use Macs exclusively). The ones at Apple were pretty obviously Macs. So the implied assumption in the absence of concrete information is that it was pretty much all Macs even at Microsoft targeted by this particular hack (although the exploit itself was cross platform).

Re:It was Macs at Microsoft (2)

cbiltcliffe (186293) | about a year and a half ago | (#43010457)

Why are the computers at Apple "obviously" Macs?
iTunes, QuickTime, Safari, and other Apple software is all available for Windows. Do you think Apple does all that Windows development without any Windows machines?

Someone else stated that if it was only Macs infected, Microsoft would have made sure to state that. They didn't state that *any* of the computers were Macs, despite the implication with the "Mac Business Unit" bit, so it's safe to say that at least some of them were running Windows.

Re:It was Macs at Microsoft (1)

jjjhs (2009156) | about a year and a half ago | (#43012133)

Windows can run on Macs since Macs are just another brand of PC made by Apple, so no need to buy Dells or whatever. Or just have virtual machines, which would make it easier to rollback to a clean slate when testing the programs.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43010469)

Who cares?

Apple got hacked, so Microsoft OBVIOUSLY had to copy them, it's a core tenet of their business plan.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43007377)

"including some in our Mac business unit"

That doesn't necessarily mean they were macs, it just means they were computers in the Mac business unit. Still, they may have been macs.

Also notice how none of their Linux pcs got hacked?

Re:It was Macs at Microsoft (2)

ILongForDarkness (1134931) | about a year and a half ago | (#43007735)

Yes none of their Linux PCs got hacked.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43010647)

What - none of the 5?

Re:It was Macs at Microsoft (5, Informative)

benjymouse (756774) | about a year and a half ago | (#43007873)

It wasn't just the Macs. This was an attack on the Oracle java browser plugin, not an attack on a specific platform.

Troll less, recoiledsnake.kthxbai.

Yes, it was just the macs. The attack vector was a Java vulnerability, but the payload is always OS specific. Some attacks have been known to serve different payload after sensing the OS. But not this one. This payload was Mac specific, and Mac computers were the only one affected.

Coincidentally, the Java vulnerability exploited in the attack had been patched by Oracle several weeks before. But the vulnerability was still in the Apple maintained Java 6 (Apple still maintains their own Java 6 until EOLed - Oracle has only committed to maintain Java 7 on OS X).

This is all Macs and all Apple.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43009611)

Apple still maintains their own Java 6 until EOLed

FYI, Java 6 EOLed now, Feb. 2013, no longer supported by Apple

This payload was Mac specific, and Mac computers were the only one affected.

Well, that's not what TFA says, nor any article I've read about it... but what possible reason would you have for making shit up?

Re:It was Macs at Microsoft (1)

benjymouse (756774) | about a year and a half ago | (#43012109)

Apple still maintains their own Java 6 until EOLed

FYI, Java 6 EOLed now, Feb. 2013, no longer supported by Apple

For your information: http://support.apple.com/kb/HT5666 [apple.com] :"Multiple vulnerabilities existed in Java 1.6.0_37, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues were addressed by updating to Java version 1.6.0_41. For Mac OS X v10.6 systems, these issues were addressed in Java for Mac OS X v10.6 Update 13"

Apple patched this vulnerability on Feb 19th 2013. After systems had been compromised. Macs which had been upgraded from previous versions where Java was installed *still* have Java installed. Apple obviously felt obliged (as in "egg on their heads obliged") to patch this one. OS X systems all over the world have been compromised because of Apple's approach to security, especially Java security.

This payload was Mac specific, and Mac computers were the only one affected.

Well, that's not what TFA says, nor any article I've read about it... but what possible reason would you have for making shit up?

Oh? Try read this one (or just the excerpt):

http://news.yahoo.com/microsofts-macs-hacked-java-attack-045502922.html [yahoo.com] : "Even more significantly, it wasn't Microsoft's Windows computers that were hacked so much as it was Microsoft's Macs."

Glad I could help.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43019509)

Hey dipshit, your citation does not support your claim. Care to try again?

Re:It was Macs at Microsoft (-1, Flamebait)

mystikkman (1487801) | about a year and a half ago | (#43007235)

I thought Macs were immune to being hacked?

Didn't thousands of +5 insightful posts on Slashdot tell us over the years that the Mac and Linux were immune to malware because of the superior "UNIX design" etc. ?

And now we have the huge malware problem on Android and Macs are increasingly being targeted despite the superior design or whatever.

Yet this place refuses to acknowledge it and the prolific posters all jump on the anti-MS bandwagon to whore karma, like the submitter and the editors with just about every Microsoft story.

No wonder this place is turning into a empty echo chamber and getting hugely less popular by the day.

Last one out, turn the lights off.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43007291)

I thought Macs were immune to being hacked?

Not sure where you got that. The claim is that Macs don't get virus', and don't need virus protection unless you have PC's on your subnet or interact with PC's, in which case, to protect the Windows machines, you may have to cripple Macs with AV software. It's actually quite anathema. If only Windows wasn't broken...

Re:It was Macs at Microsoft (1)

amicusNYCL (1538833) | about a year and a half ago | (#43007891)

The claim is that Macs don't get virus'

Which is obviously BS, because that's what just happened to Facebook, Twitter, Microsoft, and Apple. Macs got infected via Java. The payload was targeted for OSX.

Re:It was Macs at Microsoft (1)

DaHat (247651) | about a year and a half ago | (#43008611)

It also depends on how the "don't get viruses" comment is made.

A few years back my (then) girlfriend was in need of a new laptop, so we opted to cast a wide net which included a local Apple store and during the sales pitch the 'genius' had said "and these can't get PC viruses".

While technically true (when not running Windows)... I found it a rather deceitful way to try to brag about their security as I could have listed a few recent cases where Macs were in fact hacked... such as them being the first thing taken in most Pwn2Own contests... instead I bit my tongue and bought her a Samsung at Best Buy the next week.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43009701)

such as them being the first thing taken in most Pwn2Own contests

As it always goes with these contests where hardware is the prize: the most desired hardware is the first to fall. Thus, it's surprising that Windows was hacked at all in these contests. This has nothing to do with virus or even malware. Any system can be hacked. But OS X has been free of virus, with only proof of concept Trojan horses, or compromised by a vulnerability in third party software, such as java. You truly have to be completely irrational to think that OS X is just as insecure as Windows. You can spend many hours setting up protections on Windows, and still have a really good chance of being compromised, and spend zero hours protecting your Mac, and your Mac getting compromised is still quite exceptional.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43009639)

no... you just have a loose relationship with the definitions of words. All virus is malware, not all malware is virus. There are no known virus on Macs. Only malware I've heard of is Trojan Horses, which require the user to enter admin creds... historically, far more easy to detect and thwart even if you do come across one of the proof of concepts... unlike other, OS's based on Digital Equipment Corporation's NT kernel.

Re:It was Macs at Microsoft (1)

amicusNYCL (1538833) | about a year and a half ago | (#43009947)

There are no known virus on Macs.

Since that statement is easily disprovable with a single example, here's the word from Sophos from 2006 [sophos.com] , for OS X specifically. There's even a nice section labeled "Is Leap-A a virus or a Trojan?" to counter your next rebuttal. If you disagree with their assessment, argue with them, not me.

If you look at the Mac virus timeline on that page, you can see the first one in 1982, which predates the first IBM PC virus by 4 years. There have been several viruses written to target various Mac operating systems, and you can even credit Microsoft with a working cross-platform macro virus.

Only malware I've heard of is Trojan Horses

Then you aren't really in a position to make any definitive claims regarding the history of viruses on Macs, are you?

Re:It was Macs at Microsoft (1)

Junta (36770) | about a year and a half ago | (#43008275)

Sadly, another false interpretation of the state of affairs.

Windows historically was a victim of both their poor security practices and their own success. They've actually done a lot in the Vista and up days to mitigate the need for users to 'run as administrator' to essentially get anything done and achieve a fundamental security model roughly on par with modern Unix and Unix-like systems.

They are left with being a victim of their own success, malware authors target platforms of high popularity. Frankly, any system designed to empower the user has a damn near impossible time trying to distinguish behavior the user truly desired and intended from behavior the user was tricked into authorizing on behalf of a malware vendor (either saying yes to UAC/sudo prompt or just having their own account data compromised without even bothering to do things to the 'system' software). iOS takes the approach of forbidding any interpreted languages capable of loading more payloads and a whitelist of allowed applications to run, with the natural consequence of severely limiting what power users can 'legitimately' do with their device. In the Windows ecosystem, a tedious code blacklist approach has been adopted to try to mitigate things (aka 'anti-virus'). Formerly, anti-virus on OSX and Linux was about protecting Windows systems from getting malware propagated to them, increasingly it is about blacklisting content that actually could run on OSX and Linux.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43007657)

Isn't Insightful what people get for making jokes? It always seemed that way.

Re:It was Macs at Microsoft (1)

X0563511 (793323) | about a year and a half ago | (#43007767)

I don't know about you, but the rest of us realized that was all sarcasm and that saying anything was immune was stupid.

Re:It was Macs at Microsoft (4, Interesting)

ILongForDarkness (1134931) | about a year and a half ago | (#43007833)

I got into a bit of a flame war back and forth with a guy when the Java vulnerability first appeared. He said it would only affect PCs since viruses don't work on Mac or Linux. I called bs he responded with "they use different filesystems, learn something before spewing off at the mouth." To which I replied: 1) this is a browser based attack and 2) do you think a hacker can't figure out /home/bob rather than \Users\bob? My God the things people come up with. All three platforms now have a request for elevation kind of mechanism that is supposed to protect you. The problem is for 90% of users a UNC prompt or its mac/linux equivalent pops up and they click ok. To most users the fingers go in the ears as soon as you try to explain the risks and what is happening and they just ask "So what do I need to click to continue?" This is more a mental problem than a technological one and I don't see any likely solution. Sandboxing like Win 8 Modern can help where you at least in theory make no app able to see each other directly or even the whole of the filesystem but there are just too many use cases where being able to browse all the filesystem, one app needs to get something from another's space etc that are needed.

Re:It was Macs at Microsoft (1)

nabsltd (1313397) | about a year and a half ago | (#43008367)

The problem is for 90% of users a UNC prompt or its mac/linux equivalent pops up and they click ok. To most users the fingers go in the ears as soon as you try to explain the risks and what is happening and they just ask "So what do I need to click to continue?"

If common tasks didn't require the user to answer these pop-ups, then they would see them as "unusual" and wouldn't be as likely to just "click to continue".

There are quite a few control panel settings in Windows 7 that require answering a UAC prompt just to see the settings. Any software that tries to make a network connection and isn't on the Windows firewall "approved" list generates a UAC prompt. Then there are some settings (like "Adjust Visual Effects" in the "Performance Information and Tools" control panel page) that shouldn't require UAC at all, as they are merely personal preferences that are no different from desktop wallpaper as far as security or system stability is concerned.

Re:It was Macs at Microsoft (1)

ILongForDarkness (1134931) | about a year and a half ago | (#43009311)

Good points on a lot of it. I can get the UAC for network connection though. If you download a office suite say and it tries to connect to the internet you might be suspicious. I think it is a good idea for users to know what applications use the network especially since a lot/most people have metered internet connections so you are paying for that traffic.

Visual settings: agreed and should be per login based (not sure if they are or not). Apple has a better solution here for preferences: show the preferences and make the user click on the lock to unlock the particular setting for changes. users don't accidentally change things, settings that you need to know even if you aren't an administrator can be shown etc. Heck I have work PCs I can't double click on the time on the desktop to see the calendar because I don't have sufficient privileges to change the time. It is assumed that you want to change the time when you can have other reasons for wanting to see the calendar (or the second hand on the clock for example). Generally unless things are changing don't prompt the user.

Re:It was Macs at Microsoft (1)

nabsltd (1313397) | about a year and a half ago | (#43011519)

I can get the UAC for network connection though. If you download a office suite say and it tries to connect to the internet you might be suspicious.

Since there is now a lot of legitimate software that requires a network connection to "phone home", it just gets to the point that a user will blindly click the "make this dialog go away" button without reading. In addition, all the dialog gives you is the program name, and malware can have names that seem legitimate, while I sometimes have to google an EXE or DLL to see if it is OK or not.

Also, Internet Explorer is whitelisted, so if the malware creates an IE instance (which doesn't require a visible window), then the user will never know. Between being annoyed by UAC for permissions to open the firewall plus the fact that the firewall isn't really useful against much of what a user should be concerned about (things like a keylogger phoning home where a POST to some random control server somewhere probably wouldn't raise a red flag in IE) makes UAC just more security theater...it's annoying, doesn't really protect you, but allows Microsoft to say "we did something".

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43009747)

Apparently the trouble is you don't know what a computer virus is, or isn't. A computer virus is a computer program that can replicate itself and spread from one computer to another. There are no virus on Macs with OS X that can affect OS X... nor on AIX, or FreeBSD, nor Linux. The only computer virus that exist today affect Windows. The only reason to run AV on any *nix is to protect Windows.

Re:It was Macs at Microsoft (1)

ILongForDarkness (1134931) | about a year and a half ago | (#43010357)

Okay so malware might be more appropriate. See for example: http://www.kernelthread.com/publications/security/vunix.html [kernelthread.com] though (albeit a bit old). Vulnerabilities exist in UNIX and a large set of things can be expected to be on a lot of other systems (eg. Apache, Perl, bash etc), so find an open interface to something and a corresponding vulnerability and away you go. Malware doesn't have to rely on peer to peer replication: they effect a server and the visitors "do it to themselves" afterwards.

Also: the dude that coined the term for virus did his research on UNIX so viruses are clearly possible on UNIX if rare.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43011287)

Ironic to tout the benefits of sandboxing in Windows 8... when Java was supposed to be sandboxed. Oops.

Re:It was Macs at Microsoft (0)

Anonymous Coward | about a year and a half ago | (#43008377)

The malware on android (which is not the same as Linux) is from side-loading apps that people download to their phones from who-knows-where and installs them themselves. It's not the result of some drive-by download or OS exploit.

Re:It was Macs at Microsoft (2)

cheater512 (783349) | about a year and a half ago | (#43008609)

Oh sure. Everything that has been said about Macs and Linux still stands.

Now we all knew Java was riddled with holes. That too still stands.
Macs and Linux just happen to be able to run Java.

Re:It was Macs at Microsoft (1)

NoNonAlphaCharsHere (2201864) | about a year and a half ago | (#43007279)

...we found a small number of computers, including some in our Mac business unit...

Something tells me that had these "some" actually been Macs, they (Microsoft) would have mentioned it. But then I have a suspicious nature when it comes to press releases.

Re:It was Macs at Microsoft (5, Interesting)

ThomasBHardy (827616) | about a year and a half ago | (#43007647)

"During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations."

Let's dissect this, shall we?
"A small number of computers" of OS type undisclosed, therefore it included Windows machines or else MS would have specifically called out the faults of others to save face and made it clear that none were running its flagship operating system.

"including some in our Mac business unit" of OS type undisclosed, therefore it included Windows machines or else they would have called out OSX by name.

For all we know there were 78 machines compromised (a small number compared to the number of machines at all of Microsoft), and of those only 2 were in the Mac business unit. The statement reads as true but deflects the maximum amount of blame away by implying that it's a Mac issue.

Re:It was Macs at Microsoft (1)

ILongForDarkness (1134931) | about a year and a half ago | (#43007945)

Or a less evil way of thinking about it is that MS didn't want to say "yeah we have the problem too" without pointing out that it isn't just them having the problem but it is Apple products too. Keep in mind every time a company discloses things they lose control over how it will be presented. If their statement doesn't include that it is Apple hardware/software too (or at least implies that it might have been) what might end up as the headline is "MS hacked" with no mention of Apple at all leaving MS looking like crap and a lot of people that don't give two turds about OS X saying "man when will MS learn". It could be evil (might even likely be evil) trying to deflect the blame but it can be the opposite too making sure you don't get tainted with all the blame for something that is a common problem.

Re:It was Macs at Microsoft (2)

ThomasBHardy (827616) | about a year and a half ago | (#43011395)

The reason I'll have to disagree with you is that the press release does not say it was Macs that were compromised. It said in the Mac business unit. For all we know, it was 100% Windows machines that were compromised, but the press release is carefully designed to throw blame and obfuscate the facts so that when the general press gets a hold of it, the damage is as minimized as possible.

The problem with Chinese hackers... (5, Funny)

Chris Mattern (191822) | about a year and a half ago | (#43007137)

...an hour later and you're losing data again!

Goddamn chinks (-1)

Anonymous Coward | about a year and a half ago | (#43007139)

Fuuuuck

fascist bs (0)

Anonymous Coward | about a year and a half ago | (#43007157)

For profit corporations security problems are always attacked by the latest "terrorist state", however it's just a lie which diddles away in the mind of those who do not understand tcpip and networking well enough to see right through the bs.

Re:fascist bs (0)

Anonymous Coward | about a year and a half ago | (#43007519)

Then, O great wise one, tell us what we do not know about networking and TCP/IP to where we can't see through the BS

Re:fascist bs (1)

NoNonAlphaCharsHere (2201864) | about a year and a half ago | (#43007917)

Then, O great wise one, tell us what we do not know about networking and TCP/IP to where we can't see through the BS

You fool! You've invoked APK! Woe! Woe unto all of us!

Re:fascist bs (0)

Anonymous Coward | about a year and a half ago | (#43008029)

I don't see you sharing any info about this...

Re:fascist bs (0)

Anonymous Coward | about a year and a half ago | (#43010293)

zombie boxen in foreign countries

proxies in foreign countries

Un-named Government official said..."china attacked the..."

For Profit CEO of XYZ Anti-Virus said... "china attacked the..."

For profit security team said..."china attacked the.."

When is the last time you saw the NYTimes, sfgate, boston, the herald, or any of these fake mainstream journalists talk about packet sequencing in depth? Or the NSA fios splitters, or iptables rules or pf rules or anything at all in depth about proxies, zombies, or tor?

How often do they talk about managed security?

The lies year after year about geopolitics. yellow cake, WMD, bla fuckin bla. How come they didn't go back and destroy the source of the lies?

How well have they explained anyone can make an anonymous message/video. (anyone can call themselves a member of anonymous, ain't like there's a list of members)

How well have they explained anyone can take over a zombie box in a foreign country and make it look like that country is attacking others.

Who's the one who really released stuxnet? And why didn't the so-called news, make it clear that it had to be HAND CARRIED in, instead they make it sound like the most dangerous scada shit is connected to nukes for fuck sake. A complete deception on people that can't see through the bullshit, at the same time it protects the fascist SCADA whiners from hiring a real fucking person to TURN that knob, open that valve, or manually do the job the SCADA lets them lazily sit in their warm truck seats in the winter.

You can't pull the wool over the eyes of electronics techs, and programmers who actually do this shit. Some sell out and go with the establishment flow. If you can blame China, then you are going to sell a lot of shit.

Others like Kasper openly call for internet ID

I'm not that fucking wise, but I am adept to electronics, and programming. I know what the fuck happens when you put 5v on pin #32 on zilog chip bla, or motorola, or TI, or NCE, or.... analog devices, discreet, sensors, uP's, cmos, mosfet, I have every fucking set of tech books motorola put out since the BROWN ones. I have intel, zillog, amd, etc.

I don't care which programming language something is in, if it gets the job done, I'll learn or master it.

SO when I see network security played off as geopolitics yes I have a big fucking problem.

I don't give a fuck who you are, one day some bad shit will happen with your network. But you don't go broadcasting your whining that IRAQ or IRAN did it on pro establishment news. Remember the little boy who cried wolf.

When the wolf finally came for real, NOBODY cared. That's the danger.

Furthermore, a lot of these organizations' security is complete fucking bullshit, an afterthought.

Let's be honest (0, Flamebait)

ryanw (131814) | about a year and a half ago | (#43007169)

Microsoft wants to join in because OSX is in the spotlight. Other companies have already admitted infiltration with the hack, so this gives them an opportunity to shine a bright light on OSX' security issues away from their own for a brief minute.

Re:Let's be honest (5, Informative)

catmistake (814204) | about a year and a half ago | (#43007373)

Except that it has NOTHING to do with OS X security. This is all Oracle software that has the issue, software that Apple no longer distributes nor supports. If you don't run Oracle software, you won't be affected. Interestingly, even if you do have the software installed, and it isn't used after 31 days, OS X automatically disables it.

Again, this has zero to do with OS X security. This is all about end user installed software, provided and supported by Oracle.

Re:Let's be honest (3, Insightful)

x_t0ken_407 (2716535) | about a year and a half ago | (#43007667)

While your statement is completely true, perception is reality for a large segment of the population, unfortunately.

Re:Let's be honest (2)

rtfa-troll (1340807) | about a year and a half ago | (#43007699)

Except that it has NOTHING to do with OS X security.

No; bullshit. There is a whole load of security stuff that could have protected against that. The SELinux stuff that came from the NSA, that RedHat has been working on for years; that is present in Fedora; is exactly what could protect against this kind of user level stuff. There was a choice made by a number of computer manufacturers to put in ease of use without thinking through how to do that securely. Apple and Microsoft both, together, chose to push out alternative more secure solutions by trying to fool the users into thinking things could be easier. Without click to install there could never have been email viruses (did you youth know that we used to think these were an impossible joke). Even today, iOS, Android, Bada, BB(?) and Windows Phone come with fixed app permissions which don't allow you to reduce privileges. This is a choice of convenience over security, yet again.

Anyway; stupid article. I don't know if Microsoft did it for legal reasons, however no matter what, coming clean about a security breach is not something to be criticised. Well done Google, Apple and Microsoft. Shame on the ones who haven't yet discovered or admitted to it. Now you have admitted you have a problem start to give the users the ability to secure their own systems.

Re:Let's be honest (1)

rmdingler (1955220) | about a year and a half ago | (#43007999)

Your essay is both good and original; however, the part that is good is not original, and the part that is original is not good.

Re:Let's be honest (1)

rtfa-troll (1340807) | about a year and a half ago | (#43008381)

Just as long as you don't seem to be able to tell which is which I will be happy.

Re:Let's be honest (1)

X0563511 (793323) | about a year and a half ago | (#43007773)

The core truth doesn't matter, it's all about appearances.

Put yourself in the shoes of a PHB (I know, i know... it's only temporary) - what would your take be?

Re:Let's be honest (5, Insightful)

mystikkman (1487801) | about a year and a half ago | (#43007959)

By the same token, a huge section of "Windows Malware" also has nothing to do with Windows Security. Yet we see hundreds of modded up posts on Slashdot bashing Microsoft over it regularly, yet Apple seems to be getting a free pass just like Android.

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43008415)

Indeed, and it's nonsense.

Just look at pwn2own. In both 2007 and 2008 competitions, neither operating system was breached on the first day (via remote access over the network only). It was only when browsers and other interaction was permitted. Both OS X and Windows 7 are great, secure operating systems. Usually it's a combination of Oracle, Adobe and PBCAK.

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43114451)

By the same token, a huge section of "Windows Malware" also has nothing to do with Windows Security. Yet we see hundreds of modded up posts on Slashdot bashing Microsoft over it regularly, yet Apple seems to be getting a free pass just like Android.

Interesting how you are exactly wrong. You are equating flaws in Windows OS that allows malware to install and execute with flaws in third-party software that allows the same. This is the problem with your metaphor. Valid software that if not for flaws would be beneficial is not the same as invalid software where the only intent is detriment to the system or the user. Windows and Microsoft deserve to be bashed because the product is and has always been broken enough to allow it, esp. in the cases where no user interaction is required, and it is only "in the same token" if compared to Oracle's platform. Windows malware has everything to do with Windows security (how could it not?). Insightful? Hardly. "Dishonest" is far more descriptive.

Re:Let's be honest (3, Insightful)

amicusNYCL (1538833) | about a year and a half ago | (#43007969)

Again, this has zero to do with OS X security. This is all about end user installed software, provided and supported by Oracle.

Just so we're all on the same page, when computers get infected with malware it is not the fault of the OS, it is the fault of the third-party software, right? It seems like I heard a different tune when people were talking about Windows machines getting infected through third-party software.

Re:Let's be honest (3, Insightful)

ILongForDarkness (1134931) | about a year and a half ago | (#43008045)

Well something like 80% of BSOD issues were driver based (talk from a while back in XP days) but that didn't stop MS from getting the blame. A company can encourage other vendors to make good stuff but they can't force customers to apply the blame correctly when 3rd parties fail. It is fair game for MS to say "we've been hacked and yeah our Macs got hacked too" if it is true. It is also in their best interest to make sure that their competitors get included in the sound bites about the problem (and the source of the problem too of course) so that they don't get stuck with all the blame.

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43008231)

Again, this has zero to do with OS X security. This is all about end user installed software, provided and supported by Oracle.

Oracle should follow Apple and post the following statement in their web site: As you might imagine, we are upset at OS X for not being more hardy against such viruses, and even more upset with ourselves for not catching it. [apple.com]

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43009301)

If java on apple was the same as it is on linux or windows you would have an argument. Unfortunately the version of java on apple os's is not user upgradable. It comes as a part of your os patch and apple tends to take longer than you might think to push out the patches.

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43011785)

Apple still maintains Java 1.6 on Mac OS X. Also, this particular vulnerability was patched by Oracle weeks ago, and Apple only recently applied it to Mac OS X - the Monday after all the reports on compromised computers at Facebook, etc. Reminds me of what happened with Flashback last year, especially where everyone wants to put all the blame on Oracle, and none of it on Apple.

Just to be clear - while Oracle is the upstream maintainer and distributer of Java, Apple does repackage and release Java updates through the Mac OS supplied Software update process. Thus, Apple is culpable, especially given the fact that Oracle had a fix for this vulnerability upstream for a while. Once again, just like Flashback last year. I'm not saying it's all Apple's fault, but they do have part of the blame here as a downstream distributer and primary maintainer of the Mac OS X port of Java 6.

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43013761)

Same excuse for Microsoft issues. "It's the user's or 3rd party's fault"

Re:Let's be honest (2)

BenSchuarmer (922752) | about a year and a half ago | (#43007553)

They want to look relevant. If they weren't hacked, it's because the hackers didn't think they were important.

Wait, what? (0)

Anonymous Coward | about a year and a half ago | (#43007579)

Microsoft wants to join in because OSX is in the spotlight.

Wait, so you're saying that Apple getting hacked made it cool, so now Microsoft is admitting to being hacked so they can be cool too?

Dude, Apple being cool by being hacked ..... I don't think the Fanboys are THAT far gone!

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43007635)

It's far more suspect if a big company like Microsoft say they weren't hacked.

Honestly, for all big tech companies (Sony, Microsoft, Apple, Google, insert-even-remotely-computing-based-company-here), it's relatively safe to assume that they're in a constant state of being hacked and having all the data stolen from them. In my mind, that's a far, far more likely scenario than them actually being secure. Hell, the elite hackers are so ridiculously far ahead of the companies themselves that it's a joke.

I just assume that any data given to any large corporation, bank, or anything else that's somehow online is in the hands of hackers. The single only thing that we have as individuals (unless you plan on living entirely off the grid with no use of banks or any other financial or realty company) is simply being lost in the jumble of data, and praying that we're not the unlucky bastard that's used as a fake identity at the moment.

But generally, I assume any legal information on me has for decades been in the hands of the corrupt. I'm just not rich enough, interesting enough, or unlucky enough to have had my life ruined yet (emphasis on yet).

Re:Let's be honest (0)

Anonymous Coward | about a year and a half ago | (#43008833)

They could have mitigated this by banning IE (and Safari?) and enabling click-to-play by default for Firefox, Chrome and Opera.

It won't help much against targeted attacks, but it reduces the attack surface for drive-by exploits.

Ironic isn't it? (2)

PhreakinPenguin (454482) | about a year and a half ago | (#43007381)

Kind of ironic that at a time when the federal government is wanting a bigger part of Fortune 500 technology departments, that some of the top companies in the world who've recently met at the White House, are now claiming they were hacked. With all these companies being hacked, our only hope is federal government stepping in and securing everything.

Re:Ironic isn't it? (1)

x_t0ken_407 (2716535) | about a year and a half ago | (#43007679)

Would not surprise me in the slightest. Unfortunately my curse is that I'm not a huge believer in coincidences on such a scale...

As expected (3, Interesting)

Cyrano de Maniac (60961) | about a year and a half ago | (#43007433)

The U.S. government has recently been saber-rattling about the NSA/DOD/whoever taking on the role of protecting vital national computer interests, particularly against the hacking efforts of China. And now, very atypically and with very little rationale for publicly admitting as much, a number of major technology/web companies have started admitting they've been hacked, allegedly from China.

So, was the U.S. government recognizing a real trend ahead of time, or maybe they had non-public information regarding these activities? Or are the companies being pressured to help create a story that will justify a government takeover of the network security infrastructure?

I distrust coincidences and the timing of these initiatives and disclosures smells a bit odd to me. Expect congressional inquiries into the "growing cybersecurity threat" to be covered on C-SPAN within the next few weeks.

Re:As expected (0)

Anonymous Coward | about a year and a half ago | (#43007607)

They had non-public information regarding these activities.

Source: I had non-public information regarding these activities, so I figure they do too.

Re:As expected (0)

Anonymous Coward | about a year and a half ago | (#43008321)

Source: I had non-public information regarding these activities, so I figure they do too.

Anyone with a Linux server had information regarding these activities.

Look at your SSH logs, and you'll find 99.99999% of brute force attempts these days are coming from China.

One can argue the 'military' part of 'ZOMG CHINA!' is novel, but honestly, it's China. It doesn't take Netcraft to confirm who's behind the port marauding.

Re:As expected (3, Insightful)

cbiltcliffe (186293) | about a year and a half ago | (#43009481)

Anyone with a Linux server had information regarding these activities.

Look at your SSH logs, and you'll find 99.99999% of brute force attempts these days are coming from China.

Who the heck still has SSH open to the Internet? I haven't been set up this way for years, so I have no brute force attempts in my logs, on any of the dozens of Linux servers I maintain. Everything requires an OpenVPN connection first, then SSH over that.
As far as I'm concerned, an open SSH port is barely better than an open telnet port. The only improvement is that it prevents cleartext traffic sniffing.
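
The log check mentioned in the comments above, as an added example that is not part of any comment in the thread: it counts failed sshd password attempts per source address and flags noisy sources. The sample lines are constructed, and `summarize` and its threshold are hypothetical names chosen here.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (documentation IP ranges only).
SAMPLE_LOG = """\
Feb 23 03:11:01 host sshd[4101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Feb 23 03:11:03 host sshd[4101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Feb 23 03:11:06 host sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Feb 23 03:11:09 host sshd[4105]: Failed password for invalid user oracle from 203.0.113.5 port 40040 ssh2
Feb 23 03:12:30 host sshd[4110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Feb 23 03:12:41 host sshd[4112]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Feb 23 03:13:00 host sshd[4120]: Failed password for invalid user test from 192.0.2.44 port 33100 ssh2
Feb 23 03:13:02 host CRON[4122]: pam_unix(cron:session): session opened for user root
"""

# The user name is supplied by the remote client, so anchor on the end of the
# line and let the name match greedily: the source address is the one sshd
# wrote last, not the first " from ..." that appears in the line.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)
# Accepted logins name an existing account; newer sshd appends key details after "ssh2".
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


def summarize(log_text, threshold=3):
    """Return [(ip, failed, sorted_users, accepted)] for sources with at
    least `threshold` failed password attempts, noisiest first."""
    failed = defaultdict(int)
    users = defaultdict(set)
    accepted = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted[m["ip"]] += 1
    rows = [
        (ip, count, sorted(users[ip]), accepted.get(ip, 0))
        for ip, count in failed.items()
        if count >= threshold
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for ip, count, names, ok in summarize(SAMPLE_LOG):
        print(f"{ip}: {count} failed, users tried={names}, accepted logins={ok}")
```

A flagged source that also shows accepted logins deserves a closer look than one that only failed.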

Re:As expected (1)

andydread (758754) | about a year and a half ago | (#43007611)

The government had non-public information based on many companies reporting these intrusions to the feds way back from the time that Google was hacked and they closed up shop in China.

Re:As expected (1)

rtfa-troll (1340807) | about a year and a half ago | (#43007739)

Both

There is something real going on; there are always hackers from all Nations and there are probably more from China right now and also there is a conspiracy to take advantage of that.

Re:As expected (2)

rtb61 (674572) | about a year and a half ago | (#43009459)

The real problem here is all those technology companies trying to sell the lie of being able to secure the internet completely. The reality is, if you want it secure then don't bloody connect it to the internet. It only takes one mistake, in set up, in maintenance, in updating and of course in end user use and your security will fail.

So these companies in seeking billions of taxpayer dollars to fill their coffers and trying to sell something they know will fail and of course they will be able to sell upgrades for.

Real security is, if it absolutely doesn't have to be connected to the internet, then don't connect it to the internet. Parallel networks are safer, internal and external, with only vetted data entering and exiting the internal secure network. The external network is of course readily repairable.

New people (0)

Anonymous Coward | about a year and a half ago | (#43007439)

You know how it goes. Old people who knew how things ran left and new people came in that really didn't know the systems. So things happen. *cough* Sinofsky *cough* Larson-Green *cough* Just kidding...

hope the hackers (2)

ozduo (2043408) | about a year and a half ago | (#43007463)

went on a bug hunt.

You are already hacked. (2)

PlusFiveTroll (754249) | about a year and a half ago | (#43007573)

I think the point of this story is.

You are already hacked. Doubly so if you use Java in the browser or anything else that's had any number of security flaws in the past year.

Make sure your IDS is up and running and stick it between your developers and your servers.

Oh, and make your developers run their updates. They have to be the worst at ignoring the Java, Adobe, and Microsoft warnings from the task bar.

Re:You are already hacked. (1)

x_t0ken_407 (2716535) | about a year and a half ago | (#43007807)

Even worse are bosses who don't want to push updates because "it can break our systems." Surely being cracked is orders of magnitude worse than having to do some extra work to fix bugs, no?

Re:You are already hacked. (1)

FirephoxRising (2033058) | about a year and a half ago | (#43008797)

This. A thousand times this! I was doing something for my boss's boss and there were update notifications everywhere, I asked him why they were not being applied and he said they cause problems and slow the machine down! I see it all the time. The other good one is one of our managers who moved GB of photos onto an external HDD to "speed up" her machine, then dropped the HDD onto concrete........

depends. (0)

Anonymous Coward | about a year and a half ago | (#43008799)

If the update causes the business to shut down, then the business may go out of business before the "some extra work to fix bugs" can be completed against some third party proprietary application that the business cannot fix....

So no. Bosses that don't want push updates because "it can break our systems" are correct. Pushing the update could put the company out of business.

Re:depends. (1)

PlusFiveTroll (754249) | about a year and a half ago | (#43009045)

>can be completed against some third party proprietary application that the business cannot fix....

Live by the black box, die by the black box.

Re:depends. (1)

x_t0ken_407 (2716535) | about a year and a half ago | (#43010395)

If the update causes the business to shut down, then the business may go out of business before the "some extra work to fix bugs" can be completed against some third party proprietary application that the business cannot fix....

So no. Bosses that don't want push updates because "it can break our systems" are correct. Pushing the update could put the company out of business.

Hey, I'm all for this as long as when the inevitable occurs, I'm not held responsible. We all know how that will go though, don't we?

Re:You are already hacked. (1)

robmv (855035) | about a year and a half ago | (#43008019)

and stop allowing access to production databases from developer workstations. If you have a bug that requires a developer to read the production database, it must be done from an isolated machine with access to it, developers should not have direct network connectivity to it

Re:You are already hacked. (1)

PlusFiveTroll (754249) | about a year and a half ago | (#43009083)

Depends how big the company is. If there are not enough code checks, hacking the developer box is eventually hacking the production database no matter how isolated the two are.

Better to admit to being hacked (3, Insightful)

goffster (1104287) | about a year and a half ago | (#43007727)

Than to admit to certificate management incompetence.

Well duh (0)

Anonymous Coward | about a year and a half ago | (#43007805)

It's kind of funny to think that folks would be trying to hack government agencies, private companies, public utilities, etc and see no value in hacking the OS software vendor with the most marketshare. Seems like a perfect spot for a bot plant. Via Windows Update they'd even have a mass distribution mechanism at their disposal on a global scale.

do you remember when ms sold its source to china? (0)

Anonymous Coward | about a year and a half ago | (#43009143)

who'd a thought.

scanned by MS IPs (1)

Phusion (58405) | about a year and a half ago | (#43009197)

I don't know how many of you noticed in the last few weeks that the usual round of default password scans had a few Microsoft IPs in them. I have several event logs with MS IPs scanning my network with default logins. I didn't think much of it, thought maybe it was a spoof--- but hey, it looks like it really was from inside of MS's network. Crazy shit, and how ironic is it that they got their Macs?

The Microsoft Disease (0)

Anonymous Coward | about a year and a half ago | (#43009423)

what's with the sickness of posting a Microsoft article nearly every day? Does MS own /. ?

NUKE EM !! NUKE EM NOW !! (0)

Anonymous Coward | about a year and a half ago | (#43009435)

NUuuuuuuKE EmmmmmmM !! Noooowwww !!

It must have been Chinese hackers (0)

Anonymous Coward | about a year and a half ago | (#43011061)

It must have been Chinese hackers, apparently they are the only ones with the capability to hack into major Corporates.

it's like a self help group (1)

Anonymous Coward | about a year and a half ago | (#43012221)

It's like a self help group for non-recovering corporate assholes.

"Hi, I'm Microsoft, and I was hacked"

everyone: "Hello, Microsoft"

Safe boot (0)

Anonymous Coward | about a year and a half ago | (#43012291)

Why are you all concerned aren't you using MickeySoft safe boot???? They must be......mustn't they????
