
MS Security: On A Path As Clear As It Is Reliable

timothy posted more than 12 years ago | from the snap-crack-crack-crack-pop dept.

Microsoft 360

bobthemonkey13 writes: "It appears that Microsoft's 'secure' E-Book system has been cracked. MIT Technology Review is reporting that an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader. This sounds a lot like what Dmitry did except for two things: The MS E-Book hacker has (wisely) decided to remain anonymous, and he's not publishing his program. God bless the U.S., where moving a book from your home to your office is a federal offence." Along similar lines, an Anonymous Coward indicates this story at USA Today titled "Expert Hacks Hotmail in 1 Line of Code." "I'm in awe! Unless someone can figure out how to execute pseudocode or half a line this isn't beatable. I hope this gets fixed or the whole future of pay-per-view web services could be impacted. :-q" Good thing Microsoft isn't quite sure what to do with all this universal-password stuff. (Thanks to Sacha Prins.)

Jamie adds:

In other news about poor security where you least expect it, Kitetoa informed Veridian a little while ago that: "Any script kiddy can root your web site. And... By the way... Someone already did it (as you should have seen at www.veridian.com/upload/ if you knew anything about internet security)."

I don't know what that URL gives you now, but as of this writing, and for the last several hours, it's read:

fuck USA Government
fuck PoizonBOx
contact:sysadmcn@yahoo.com.cn

This is the same Veridian that the Defense Department picked to track computer network attacks on DoD systems, specifically attacks coming from China.


360 comments

Test (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237739)

This is a test of the emergency fp system

Re:Test (-1)

evil_spork (444038) | more than 12 years ago | (#2237907)

You still failed because your fp is unoriginal crap.

Bitch! (-1)

Flarners (458839) | more than 12 years ago | (#2237919)

You stole my sig! Good work. Nice to see people abusing Asscode for the patchwork it is. Here, have some goat sex:



fsck it (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237742)

oh well, 2nd post. or maybe 3rd or 4th

I believe you mean "offense" (0, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237743)

This is the US, after all. Get it right.

BFD (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237747)

BFD

cmdrtaco blows goats

Microsoft + "Secure" = BAAADD (0, Flamebait)

lordkuri (514498) | more than 12 years ago | (#2237748)

did anyone *really* think that anything from M$ would ever be "secure"?

I mean, c'mon.... who the hell do they think they're fooling?

Re:Microsoft + "Secure" = BAAADD (1)

WildBeast (189336) | more than 12 years ago | (#2237765)

Let me remind you that Adobe was much worse, hell they didn't even use encryption.

Like it or not, anything digital can be cracked. Live with it.

wtf!? (0)

Anonymous Coward | more than 12 years ago | (#2237784)

"Yet the more convenient and flexible Microsoft and others make the Web..."

Microshaft making the web more convenient and flexible?...I beg to differ.
M$ is to the web (and innovation in general) what a blanket is to a fire - A retarding agent.

Is that what you blame your retardation on? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237867)

Maybe it was your mom's smoking. Or that big fall down the stairs. Sheesh....

Mod parent up to +5, mindlesslyantimicrosoft.

this is what freenet was made for! (3, Insightful)

ywwg (20925) | more than 12 years ago | (#2237751)

this guy should upload the code to freenet where, hopefully, it is impossible to remove the program or discover the author. This is the exact kind of thing freenet was designed for, so if the author is out there in slashland, go for it! Civil Disobedience ra ra ra!

Re:this is what freenet was made for! (5, Insightful)

danheskett (178529) | more than 12 years ago | (#2237774)

No. No. No.

Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain Russian programmer can tell you.

If the author is out there in slashland email me, and I will publish the app for you publicly and with my name. I will accept all responsibility for writing the program and distributing.

I've got nothing better to do than to protect the constitution and help invalidate an evil malformed law. Bring it on.

Re:this is what freenet was made for! (0)

Anonymous Coward | more than 12 years ago | (#2237789)

Fine, so "civil disobedience" is a technical term that doesn't mean what its constituent words suggest. Just call this "disobedience" then. Disobey! Disobey with discretion and guile!

Re:this is what freenet was made for! (1)

ywwg (20925) | more than 12 years ago | (#2237799)

I had a feeling I didn't have the definition quite right, thanks for the correction.

Re:this is what freenet was made for! (0)

Anonymous Coward | more than 12 years ago | (#2237807)

Civil Disobedience is done in the name of change, and therefore *requires* accountability.

Yeah, that's why nobody's ever heard of the Boston Tea Party.

Re:this is what freenet was made for! (5, Insightful)

AntiFreeze (31247) | more than 12 years ago | (#2237839)

Civil Disobedience is done in the name of change, and therefore *requires* accountability. Doing this like an anonymous coward, distributing it and not letting yourself be known is lame, and will be seen rightly as an act of cowardice. Granted, the cowardice is justified as a certain Russian programmer can tell you.

You are mistaking cowardice with discretion. One must be very careful under today's laws with what one releases. Not wanting to fight is not cowardice, it is picking your battles. If source is released, or a name is released, there are serious legal repercussions - which cost millions of dollars to fend off - while, on the other hand, just letting people know it is possible creates the same community sentiment without ending up in jail for the rest of your life.

Re:this is what freenet was made for! (3, Funny)

drift factor (220568) | more than 12 years ago | (#2237855)

If the author is out there in slashland email me, and I will publish the app for you publicly and with my name. I will accept all responsibility for writing the program and distributing.

No, don't email to him, he's using hotmail! :)

Re:this is what freenet was made for! (1)

indiigo (121714) | more than 12 years ago | (#2237861)

And your e-mail logs (On MS, you foo') will reveal the location of the original programmer. Slick move, Slick.

Re:this is what freenet was made for! (0)

Anonymous Coward | more than 12 years ago | (#2237922)

"I will publish the app for you publicly and with my name. I will accept all responsibility for writing the program and distributing."

Trying to get your 15 minutes of fame for something you didn't do? Smart!

Microsoft Security Model - implemented via DMCA (3, Interesting)

hillct (230132) | more than 12 years ago | (#2237888)

Microsoft's favorite security model - security through obscurity - has very little to do with Hailstorm and everything to do with the DMCA. Not only does the producer of the security mechanism simply not publish the details of that mechanism, but through the wonders of the DMCA, Microsoft is empowered to enforce their security model by preventing the publication of holes discovered in the security system, thereby maintaining the obscurity.

Sarcasm aside, does it really matter how secure hailstorm really is, if Microsoft can sue into oblivion anyone who publicizes or even researches security exploits related to the system...?

--CTH

ON Topic (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237755)

From the Group that brought you
Windows 2000 Corporate Select Editions
Devilsown Proudly Presents:

Microsoft Windows XP Professional - ISO
No Activation Required
©Microsoft

Supplied By....: [ DevilsOwn ] Release Type....: [ .iso ]
Cracked By.....: [ ] Protection......: [ MS's Cock in Our Ass]
Packaged By....: [ ] Release Size....: [ 32x15mb ]
Release Date...: [ 08/29/2001 ] Operating System: [ It Is ]

Requirements:
To run Windows XP, it is recommended that computers have at least 128
megabytes of RAM, 1.5 gigabytes of hard disk space, a 233 megahertz
processor and a CD-ROM or DVD drive.

Install Notes & Rip Information

Windows XP is the next version of Microsoft Windows beyond Windows 2000 and
Windows Millennium. Windows XP brings the convergence of Windows operating
systems by integrating the strengths of Windows 2000--standards-based
security, manageability and reliability with the best features of Windows
98 and Windows Me--Plug and Play, easy-to-use user interface, and innovative
support services to create the best Windows yet.

This article provides a broad technical overview of what's new in WindowsXP.
It shows how new technologies and features make it easier to get work done,
share information, manage your desktop, stay productive while traveling with
a mobile computer, obtain help and support, and perform many other computing
tasks.

Windows XP is built on an enhanced Windows 2000 code base, with different
versions aimed at home users and business users: Windows XP Home Edition
and Windows XP Professional. Unless otherwise noted, this article addresses
technologies and features common to both versions of the operating system.

Please Note:
It is final code - all bits are final. There is no activation required and
no timebomb to worry about. Enjoy!!!

Auto run CD or run setup and use this key to install:
FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8

Do you want to be a part of Devilsown?
We are looking for people to help in our ongoing experience, if you are a
courier or a siteop with a reliable fast connection, get in touch with us.
Group greetz : FLT/DVN/KAL/ECH/RZR/TCF/QUEEN/pHASE

Personal Greetz :
stump, DaGon & the ol skool discovery cru hawk,dragon,rcf, thepope, nerd, cal

(join #0-day-dump on irc.devilsown.net:6667)
Remember, SUPPORT THE COMPANIES THAT PRODUCE QUALITY SOFTWARE, if you
enjoyed this product, BUY IT! SOFTWARE AUTHORS DESERVE SUPPORT!!

Re:ON Topic....OR IN OTHER WORDS (1)

darkPHi3er (215047) | more than 12 years ago | (#2237850)

unlike *X, which has had peer review, troll review, flameage review, and intense discussional review between Buddha, Allah and God and the largest pool of software talent on the planet (literally)

MS source has been locked away in vaults in Rancho Redmond...doled out sparingly under a NDA that would allow MS to summarily repo your grandchillins

it has been reviewed by a relatively very small pool of some very talented, but frequently inexperienced programmers/developers/architects who are under massive pressure to deliver the next upgrade in MS on schedule or find themselves getting transferred to the code maintenance on MSN if they insist on any QC effort that would slow down delivery....

the "debate" between open source and closed, may well be the race between the tortoise and the hare

security has NEVER been a high priority at MS, more like extra chrome trim on a car....

and the more MS gets deployed in "financially attractive" or "critical" situations, the more exploited it's gonna get

Hailstorm should probably be renamed "Hail Mary", for all the praying they'll be doing over its security

Re:ON Topic (2)

Satai (111172) | more than 12 years ago | (#2237853)

Just so we're clear - is this the ISO with the unique identifier that The Reg talked about the other day?

Fermat's last theorem (0)

Anonymous Coward | more than 12 years ago | (#2237756)

Well, I also cracked the MS e-book but this margin isn't wide enough to show proof.

Re:Fermat's last theorem (1)

AntiFreeze (31247) | more than 12 years ago | (#2237808)

Well, I also cracked the MS e-book but this margin isn't wide enough to show proof.

There wasn't enough room in your margin to write printf("%s\n",rot13(MS_ebook->Text));? Maybe you should try rotating that margin by 90 degrees and trying again.

i wanna see the 3 lines (0)

saltyhog (164982) | more than 12 years ago | (#2237758)

not to use it, i'm just curious what he coded it in? perl? shell with netcat or something? java? i must admit i don't know a damn thing about this cross site scripting baloney... ahh for the old days of cgi scripts and html and that's it...

Security: Antonyms: See Microsoft (4, Interesting)

UnknownSoldier (67820) | more than 12 years ago | (#2237760)

The unfortunate thing is, that while it seems "M$ software gets hacked every other month", the general consumer isn't making security (or should I say the lack of it? :) a big deal.

big deal about security? (0)

theDEFT (254259) | more than 12 years ago | (#2237864)

cmon it's a huge pain to search the web for a windows cd key when you reformat cause you got h4x0r0ed and need to check outlook express & play solitaire

Re:Security: Antonyms: See Microsoft (5, Insightful)

TOTKChief (210168) | more than 12 years ago | (#2237879)

Actually, they are.

The other day, I was on the hall where a good chunk of my professors [uah.edu] have offices. I got into a discussion with a few of them, and the gist was this:

"We've been telling folks around here for a while that we don't like Microsoft products, but because they're the de facto standard, we're forced to use them. Thank God for all the hackers that find holes and the real jerks that exploit them."

Of course, I got to wondering about that; we talk about White Hats and Black Hats, but even the Black Hats serve a purpose, if your goal is to rid the world of Microsoft. I'm not sure that it is for me--I'd be happy to use their products if they would code good stuff. [Posted from IE6 on Win2K, but only because I have to have a Windows box to do my school crap...]

But to the point, the end users are getting frustrated with all the security holes. In this case, these guys don't want their research exposed by something like SirCam, which could very easily happen. I think they'd happily go for a switch if solid interoperability with those Left Behind in the Microsoft world could exist.

And hey, remember that these are aerospace engineering professors, who aren't always at the vanguard of computing technology. I mean, I've had to do research with them using F77...

Re:Security: Antonyms: See Microsoft (2, Insightful)

Telastyn (206146) | more than 12 years ago | (#2237881)

They do, though to the common user viruses are security breaches not hacking. The common user does *not* realise the implications of box rooting. They're used to IT people doing miracle work to recover lost email, and blame them for the little that they lost instead of being spanked for causing the security breach in the first place.

I'm normally not one to hate on Microsoft stories, (2, Troll)

Wakko Warner (324) | more than 12 years ago | (#2237763)

... but that headline is simply hitting way below the belt. There's plenty of security holes in every stock Linux distro too, you know.

- A.P.

Re:I'm normally not one to hate on Microsoft stori (0)

Anonymous Coward | more than 12 years ago | (#2237766)

The difference being, there are things that Microsoft is trying to do that the OS community will never attempt (part because we consider it unethical, part because we consider it impossible).

Re: Linux distros getting *much* better (2, Informative)

peterw (88369) | more than 12 years ago | (#2237801)

...most notably, Red Hat Linux 7.1 and 7.2 (beta) default to setting up a packet filter (albeit a somewhat lame ipchains-based filter even though they could have used iptables/netfilter) at install time. A standard/default RH 7.1 install (even a "full" install) would be in pretty good shape, at least vis-a-vis network attacks. Local/console attacks are another matter, as they are for any system.

A year ago I would have been much more inclined to agree with you... but it's kinda funny. As time goes on, Windows seems to have more network services, and more problems, while Linux distros are becoming more sane and simple, following OpenBSD's lead...

Re:I'm normally not one to hate on Microsoft stori (1)

Pig Hogger (10379) | more than 12 years ago | (#2237930)


There's plenty of security holes in every stock Linux distro too, you know.

But, unlike with M$ products, you can plug them, since you have the SOURCE.

Mommy,I'm Scared (4, Interesting)

notext (461158) | more than 12 years ago | (#2237767)

Every time I read about hailstorm, I am in shock but at the same time scared.

First off, I can't believe that Microsoft thinks they should be in control of so much personal information.

Second, that Microsoft thinks they can somehow keep it safe.

Third, and this is what scares me. A lot of John Q. Public will give them all this information.

Better them than me I guess.

Re:Mommy,I'm Scared (3, Interesting)

FlyingDragon (182542) | more than 12 years ago | (#2237885)

Third, and this is what scares me. A lot of John Q. Public will give them all this information.

Indeed. I was helping some neighbors with a computer issue a couple weeks ago and noticed they had a gator.com utility in the toolbar (Slashdot search seems hosed at the moment, but they came up recently). I asked them about it.

Basically you enter all of your details (name, mailing address, phone number, etc) and it will automatically fill them in on web forms. Now, ignoring the cross-site scripting fun you could have with this little toy, I just had to ask...

"So, basically, you give them every marketable piece of information they could want so they can provide it to others automatically?"

"Yup."

No, you're wrong (-1)

Dest (207166) | more than 12 years ago | (#2237776)

If there is no program released to do this, and the author is anonymous, this could all be bullshit! I won't believe it until I see it, though it is very possible.

M$ should have two completely different O/S's... (1)

Robber Baron (112304) | more than 12 years ago | (#2237779)

...and/or companies, one for servers and one for workstations, or they should get out of the server market altogether. Whatever is chosen, my point is never the twain should meet. Reason being is most of the security issues with M$ products stem from their desire to give users the so-called usability features that they scream for, usually at the expense of security. These features don't belong in servers, so why use a slightly different build of what is basically the same O/S for a server as a workstation?

As far as the ebook thing is concerned, so what? Near my home is a place called a library, and in it is a device called a photocopier. I've been able to make copies of books electronically for years. Next please.

What about Linux? (2)

Proud Geek (260376) | more than 12 years ago | (#2237892)

Linux manages to successfully use the same OS for both workstation and server purposes. In fact, I'm quite glad that my workstation doubles as a server for testing purposes, and that I am able to work on my servers in a pinch. Linux successfully combines all the good aspects of both workstations and servers; why can't M$ do the same?

Re:What about Linux? (2)

dead_penguin (31325) | more than 12 years ago | (#2237913)

Careful! You're using a very high level definition of "Operating System". A decent Linux-based server and a Linux workstation will have most of the kernel, many libraries, and some command-line utilities in common, but the differences end there.

Most Linux servers will probably have very differently compiled kernels to add support for specific hardware and networking protocols (and related things) while excluding such things as all the funky video, sound, and other things you'd want in a desktop. Of course a decent part of this can also be done with modules... It should be obvious too that the actual software running and installed on a desktop will be completely different than on a server.

If I wanted to turn my desktop machine into an efficient and secure (it's currently behind a firewall) server, it would probably take me the better part of a day installing and uninstalling software, and changing configuration settings all over the place.

The MS hack (4, Interesting)

MobyDisk (75490) | more than 12 years ago | (#2237781)

It sounds like they used a well-known technique of adding javascript/java/some other active code that nabs information such as URL & cookies into an email. It then uses that info to do something like sending it to an anonymous collection account.

With new forms of active content being added to web pages all the time, it is amazing that anything with dynamic content. I know that's vague, but that sounds like the gist of it.

Releasing the program is easy. (3, Interesting)

Restil (31903) | more than 12 years ago | (#2237785)

Freenet is not really the only solution if the programmer chose to release the program and not reveal his identity. There are numerous other channels available which will let him preserve his anonymity. The only advantage to freenet is that it at least has a somewhat legitimate charter, whereas other methods are typically underground and shady.

But still, if done properly, it could be released and spread without anyone finding out who the author is. The danger is if that person ever told ANYONE about it. If he did, then he's not truly anonymous, and given enough of an incentive, someone might be tempted to talk. At least, without releasing any code, then it's technically all hearsay and a lot less likely to be in violation of some strange law.

I fear however that this is how it will have to be done in the future if the silly laws don't get overturned. Either that, or some REALLY important sensitive document will have to be cracked and released publicly to the embarrassment of a large organization with a lot of people chanting "we told you so" before those in power might take a second glance and realize that perhaps peer review for security is a good idea after all.

-Restil

Cheap testing... (3, Insightful)

Halster (34667) | more than 12 years ago | (#2237786)

Did anyone ever wonder whether M$ do this deliberately?

Recently they've had some holes (much like this) that you'd have to be out of your head smoking crack to miss.

Quality assurance at Microsoft is better than this when it comes to other areas. Could it just be that it's easier and cheaper to have somebody else find the holes and then, as the mega-funded publicity department goes into top gear issue a patch (where appropriate)?

Either that or Microsoft buys a lot of crack! ;)

Re:Cheap testing... (1)

Jester998 (156179) | more than 12 years ago | (#2237860)

Ya know, I've never thought of that, but it actually makes sense. This has to be one of the more thought-provoking posts I've ever seen on Slashdot.

Maybe we should ALL hack M$' crap, but keep it to ourselves until Code Red XVII hits, then we'll be the only ones who know what's going on. :) Or maybe just demand "ransom" from M$. Hehehe.

- Jester

Re:Cheap testing... (0)

Anonymous Coward | more than 12 years ago | (#2237898)

Security flaws are not generally found by testing. They are found by knowledgeable reviewers. Their most common cause is someone not experienced in considering security issues having designed something critical.

As for the eBook issue, there is simply no correct way to implement content protection without trusted hardware.

Shooting ourselves in the foot? (3, Insightful)

phalse phace (454635) | more than 12 years ago | (#2237788)

Oh, great! Looks like what people have been saying will come true -- The DMCA will stifle innovation, quality, security,.... etc. Now whenever there's a flaw in something, people will be too afraid to report it, for fear of being prosecuted under the DMCA. Back to the Dark Ages for us!

3 == 1 ?! (1, Funny)

gizmo_mathboy (43426) | more than 12 years ago | (#2237791)

I've never liked USA Today as a news source.

The headline clearly reads, "Expert hacks Hotmail in 1 line of code". Then in the second sentence of the first paragraph, "It took just three lines of code for Grossman to breach Hotmail filters..."

Brilliant reporting. Whatever generates page hits I guess...

Re:3 == 1 ?! (5, Funny)

evilquaker (35963) | more than 12 years ago | (#2237805)

The headline clearly reads, "Expert hacks Hotmail in 1 line of code". Then in the second sentence of the first paragraph, "It took just three lines of code for Grossman to breach Hotmail filters..."

And the line after that reads:

The second time it took just one line.

Well, at least you tried to read the article... that's more than most of the Slashbots.

Did you read the article ? (1)

Augusto (12068) | more than 12 years ago | (#2237806)

... you missed this part.

It took just three lines of code for Grossman to breach Hotmail filters and access Passport ID and credit card data. The second time it took just one line. And the former Yahoo security auditor says he could do it again given 8 hours.

Re:3 == 1 ?! (0, Insightful)

Anonymous Coward | more than 12 years ago | (#2237813)

Brilliant reporting. Whatever generates page hits I guess...

Brilliant reading. Why don't you go back and look again, nitwit.

Re:3 == 1 ?! (1)

4n0nym0u53 C0w4rd (463592) | more than 12 years ago | (#2237819)

3!=1. The writer just left out something useful like "Last time." Read it again, with my addition:

Twice this month, Internet security consultant Jeremiah Grossman, 24, poked gaping security holes in Hotmail and Passport, Microsoft's free Web-based e-mail and identity-authentication services. Last time It took just three lines of code for Grossman to breach Hotmail filters and access Passport ID and credit card data. The second time it took just one line.

Re:3 == 1 ?! (2)

jacobm (68967) | more than 12 years ago | (#2237820)

From the article:

... It took just three lines of code for Grossman to breach Hotmail filters and access Passport ID and credit card data. The second time it took just one line.

Re:3 == 1 ?! (-1, Redundant)

Anonymous Coward | more than 12 years ago | (#2237826)

Tell me, how much of an ass did you feel like when you went back to the article and read the very next sentence?

Re:3 == 1 ?! (0, Redundant)

tuj (303347) | more than 12 years ago | (#2237827)

Hey chief, before you go spouting about bad reporting, why don't you read the first four sentences of the article?

"It took just three lines of code for Grossman to breach Hotmail filters and access Passport ID and credit card data. The second time it took just one line."

I'm not sure how this gets mod'd to 2. Sorry to be a bitch, but, well, if you can't read the article you deserve it.

Re:3 == 1 ?! (0, Redundant)

Jester998 (156179) | more than 12 years ago | (#2237833)

Did you actually *read* the article? Oh, wait, this is Slashdot, where less than 1% of users read past the 2nd line. In the third line of the article, it says:

"The second time it took just one line."

Sheesh... could they make it any more obvious? CHRONOLOGICAL ORDER, people... Not "He cracked it in one line... Oh yeah, and the times before that it only took 3 lines of code."

So, really, (1==1) if the pointer is located far enough into the document.
- Jester

Re:3 == 1 ?! (2)

Mike Schiraldi (18296) | more than 12 years ago | (#2237852)

Pure genius, gizmo. Pretend to be an idiot, and get lots of people to flame you for not reading the article before posting.

Then after they post the flames, they finally read the other replies to your post, and realize how redundant they are and, more importantly, that they're guilty of the exact thing that they flamed you for.

Brilliant.

Hack hotmail in one line of code (2, Funny)

Mike Schiraldi (18296) | more than 12 years ago | (#2237794)


while true; do telnet www.hotmail.com 80 < /dev/urandom; done


Then just sit back and wait.

On a related note, i'd like to dispel a common myth. Real Programmers don't use 'cat > a.out' or 'cat /dev/audio > a.out' plus some whistling, they type 'chmod +x /dev/urandom' and hope for the best.

Re:Hack hotmail in one line of code (0)

Anonymous Coward | more than 12 years ago | (#2237818)

I don't get it. What does that do?

Re:Hack hotmail in one line of code (1, Informative)

Anonymous Coward | more than 12 years ago | (#2237838)

connect to the hotmail web server and send it a completely random string of bytes. over a long enough period of time (like age of universe) it will eventually hit the bytes which hack hotmail

like the infinite monkey / typewriters thing

Re:Hack hotmail in one line of code (0)

Anonymous Coward | more than 12 years ago | (#2237843)

OK, you're either a UNIX newbie or you run Windoze. If it's the latter, don't bother, cuz your OS can't do it. If you run UNIX, do a little research, huh?

MS Liability (3, Interesting)

4n0nym0u53 C0w4rd (463592) | more than 12 years ago | (#2237795)

So, let's say that MS Hailstorm is implemented and within a couple of years, a good portion of users have their data and software settings stored on .Net servers, and can access it with their Passport login and password.

Now let's say that someone finds another flaw in passport (I know, hard to believe, but go with me here). Needless to say, Hailstorm users will be left vulnerable. The question is, will the Hailstorm and Passport EULA protect MS when it comes to legal liability for a) lost data, and b) copied or stolen data (loss of intellectual property, etc...)

My guess is that even if they are to blame, MS won't be legally liable. Doesn't sound like a good choice for users...

That's where the DMCA comes into play... (1)

Robber Baron (112304) | more than 12 years ago | (#2237829)

By this time amendments to the DMCA will probably allow them to have potential litigants summarily thrown in jail.

by next year...? (0)

Anonymous Coward | more than 12 years ago | (#2237800)

did I read that cnet article right, or did they say, with a straight face, that Microsoft's big announcement was that they said they'd think of something by 2002?

Um.... wow. :)

Stephen King, author, dead at 54 (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2237802)


I just heard some sad news on talk radio - Horror/Sci Fi writer Stephen King was found dead in his Maine home this morning. There weren't any more details. I'm sure everyone in the Slashdot community will miss him - even if you didn't enjoy his work, there's no denying his contributions to popular culture. Truly an American icon.

without code.. (2)

banky (9941) | more than 12 years ago | (#2237810)

the program doesn't exist.

I understand not wanting to be the next DMCA victim, but really, if the code isn't out there, then, it doesn't exist in my eyes.

What's American Express thinking? (3, Interesting)

krmt (91422) | more than 12 years ago | (#2237811)

I don't really know why any large company would sign on for Hailstorm. No one really wants to be tied to any specific vendor for such an important part of their business. Granted, they're already tethered via their desktop PCs, but incorporating Hailstorm into your business plan? You're basically putting your chance of profit in the hands of MS, who has a well known history of screwing over its own partners.

The problem, as I see it, is that American Express and others can beat their competitors to the punch by being a part of Hailstorm, providing services no one else does, but that goes with extreme risk. I guess that's why they haven't signed a contract with MS yet. It's a tough one for any company.

Re:What's American Express thinking? (2)

Tachys (445363) | more than 12 years ago | (#2237868)

I was actually thinking about getting an AMEX card. But after seeing this, that is a lot less likely.

Re:What's American Express thinking? (1)

notext (461158) | more than 12 years ago | (#2237902)

Money.

The fact is there isn't much use for stolen credit card numbers. Now of course there is some use, but the bulk of things require the actual credit card. What, are you gonna order something from ThinkGeek and have it delivered to your house? Make a couple long distance phone calls?

The fact is credit card companies are big business. If they worry too much about securities the cards don't get used enough. It's easier for them to do it this way. Then when the hack occurs, they take the charges to the cards before they were cancelled as a loss and I am sure it's deductible.

What is anyone who gets a credit card thinking? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237909)

Credit cards are a bad proposition altogether, encouraging people to spend money they don't have and end up paying off huge amounts of interest on their debts while destroying your credit rating. If you want the convenience of a money card, get a debit card. If you need to spend more money than you have, get a loan. If the bank won't give you a loan for the purpose, chances are it's not worth spending the money on. Credit cards aren't worth it.

It'll keep happening... (1)

grunby (90338) | more than 12 years ago | (#2237812)

As soon as the data leaves the server and digitally lies on the client machine, it'll get cracked. We've seen and heard it a thousand times before (i.e. don't trust client-side data in any CGI)...
And when you've got thousands of crackers, who want to be the first to crack the next latest thing, it's only a matter of time. I guess the only way around something like this is to have the data reside on the merchant's server and out of the hands of the client, but until we all can access the internet from everywhere, that won't happen.

- [grunby]

Public Domain E-Books (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2237817)



Hell, there's so many novels in the public domain that you can transfer to MS Reader, why bother with the pay ones? Grab a slew of them here. [128.121.12.52] The Bible, Moby Dick, even a dictionary ... I have quite an impressive library, all electronic.

Warning! No link to Project Gutenberg here! (-1)

Anonymous Coward | more than 12 years ago | (#2237835)

just a pic of some guy's scary bunghole!

Worm at Cracked Veridian? (5, Interesting)

Ferd Lamarche (463454) | more than 12 years ago | (#2237824)

Well, this is strange. I'm sitting on a Windows 98 box with McAfee VShield v4.0.3 installed and virus definition files from 2001/06/13. Whenever I try to go to http://www.veridian.com/upload/ with either IE 4.01 or Netscape 4.70, McAfee pops a warning dialogue saying I have just downloaded a worm called "SunOS/BoxPoison.worm". I also have a small Perl program I can use to perform command-line HTTP downloads, and with it, I can download the page at http://www.veridian.com/upload/ without any problems.

I'm probably getting the warning because something in the HTML code matches the signature for a known worm. But still, if the message on the site isn't enough to scare people, the warning from their virus scanner certainly will!

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Location: http://www.veridian.com/upload/index.htm
Date: Fri, 31 Aug 2001 03:51:47 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Wed, 09 May 2001 12:53:30 GMT
ETag: "6a8163c87d8c01:943"
Content-Length: 289

(Slashcode has inserted a few spaces into the following HTML... I hope this doesn't trip your virus scanner...)

<html><body bgcolor=black><br><br><br>&lt ;br><br><br><table width=100%><td><p align ="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="cen ter"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</htm l>

Re:Worm at Cracked Veridian? (0)

Anonymous Coward | more than 12 years ago | (#2237865)

I've seen that exact screen at a client site I've worked for - the default.asp got replaced with it (BTW, I started AFTER this happened, but the evidence was still there. ) The "new/modified" page was nothing but that HTML; I didn't see any trace of anything active happening. At least, not at that site. I'll be very curious to see if anyone reports seeing anything else from it tho.

What tripped your virus scanner... (2, Interesting)

moogla (118134) | more than 12 years ago | (#2237887)

...was the actual content of the page, which coincides with strings in the actual virus itself that VirusShield is looking for. The virus that infected the machine must carry a copy of the page verbatim inside itself, and that is one of McAfee's clues to finding it.
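The mechanism described in the comment above, as an added example that is not part of any poster's comment: a byte-signature scanner flags a harmless download because it contains markup the worm carries verbatim, and a copy with a stray space (as forum software inserts) slips past an exact match. The signature, the samples and all function names are constructed for illustration; real vendor signatures are not public.

```python
import re

# Constructed stand-in for a scanner signature: a distinctive run of markup
# from a defacement page. This is an assumption, not a real vendor signature.
SIGNATURE = b'<table width=100%><td><p align="center"><font size=7 color=red>'

# Constructed samples (not captured data).
PAGE = (b'<html><body bgcolor=black><br><br><table width=100%><td>'
        b'<p align="center"><font size=7 color=red>DEFACED</font></html>')
SAMPLES = {
    # The worm carries the page verbatim so it can write it to each victim.
    "worm_binary": b"\x7fELF\x01\x01" + b"\x00" * 16 + PAGE + b"\x00payload",
    # What a browser downloads from an already-defaced server: inert HTML.
    "served_page": PAGE,
    # The same markup after forum software inserted a stray space.
    "forum_quote": PAGE.replace(b'align="center"', b'align ="center"'),
    # Unrelated page that shares only common tags.
    "benign_page": b"<html><body><table width=100%><td>hello</td></table></html>",
}

def naive_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Exact byte-substring match, the simplest form of signature scanning."""
    return sig in data

def _squash(data: bytes) -> bytes:
    """Drop all ASCII whitespace so cosmetic reflow cannot split a signature."""
    return re.sub(rb"\s+", b"", data)

def normalized_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Substring match after whitespace normalization of both sides."""
    return _squash(sig) in _squash(data)

def scan(samples: dict) -> dict:
    """Return {name: (naive_hit, normalized_hit)} for every sample."""
    return {name: (naive_match(d), normalized_match(d))
            for name, d in samples.items()}

if __name__ == "__main__":
    for name, (naive, norm) in scan(SAMPLES).items():
        print(f"{name:12} naive={naive!s:5} normalized={norm}")
```

The hit on `served_page` is a correct string match on inert content, which is why the alert names the worm even though nothing executable was downloaded.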

close your tags! (was:Worm at Cracked Veridian?) (1)

MavEtJu (241979) | more than 12 years ago | (#2237925)

Damned, close your tags! Netscape Navigator doesn't show unclosed tables!

Proper HTML in your viri and hacks please!

old veridian hack? (1, Offtopic)

4n0nym0u53 C0w4rd (463592) | more than 12 years ago | (#2237842)

Among the headers from the veridian server when I retrieved the hacked page [veridian.com] was

Last-Modified: Wed, 09 May 2001 12:53:30 GMT

I'm sure they'll get to it in due time...

Why does anyone bother with e-book encryption? (3, Insightful)

The Milky Bar Kid (411137) | more than 12 years ago | (#2237848)

I thought one of the golden rules of any sort of engineering is that before you try to do something, work out whether you can do it or not. Then try. Otherwise, it's all just wasted effort.

Am I the only person who thinks the whole concept of e-book encryption with the goal of stopping dedicated piracy is pointless?

Encrypting the contents of a transmission between two parties so that no 3rd party can read it is do-able, and has always been the main thrust of encryption. But what people like Adobe and Microsoft are essentially trying to do is make it impossible for the second party to read the message - because as soon as you read the message, you can reproduce it.

Assume that Adobe/Microsoft encrypt this with something that will provably take an untenable amount of time to crack - say 1024-bit public key encryption (sorry, IANACryptologist, I don't know the proper term.). I won't be able to crack the book itself, but since it appears on the screen at some point, I'm going to be able to read it sooner or later - and I can copy it. E-book encryption is the equivalent of the club lock - it'll stop casual copiers, not the dedicated copier - and this approach will only work until the first dedicated copier writes a program to let everyone else do it.

The same is true of sound files, though maybe not to the same level, as the concept of digital watermarking can be applied. I still think the same rules apply. As a result, I can't help but think of the whole e-book and sound-file encryption push as smoke and mirrors, meant to convince people that bits can be made uncopyable.

Re:Why does anyone bother with e-book encryption? (0, Troll)

Richard M. Waite (338871) | more than 12 years ago | (#2237874)

Why don't you suck me off you dirty cunt? Fuck! You people just piss me off sometimes.

Re:Why does anyone bother with e-book encryption? (1)

J'raxis (248192) | more than 12 years ago | (#2237875)

Nope, digital watermarking would be quite useless if the device playing the sound is not designed to recognize the watermark and act upon it. The watermark makes the data trackable but nothing more.

Re:Why does anyone bother with e-book encryption? (1)

The Milky Bar Kid (411137) | more than 12 years ago | (#2237891)

Yeah - I agree. That's why I said the same is true of these systems. They're maybe just a teeny bit less pointless.

God bless the US (0)

Anonymous Coward | more than 12 years ago | (#2237876)

where saying racist and hateful (and even advocating murder and other violence) against white males is not only tolerated but encouraged through society and by law, yet if someone hires the most qualified 'person' regardless of race or whatever you bigots use to hypocritically discriminate with and against, he/she is seen as "racist"

Or.... God bless the US, where I can make something new and exciting and have it stolen from me, and with people like Stallman, actually turn around and point some moral wagging finger at ME!

Or... God bless the US, where picketers and protesters fight with hatred, anger, bigotry, intolerance and violence against things that they claim are bigoted and against human rights? The USA, country of illogical and irrational people that would sell their own mothers for the right price and then turn around and point their hypocritical fingers at someone else. The country where processes are loved to the point that results are ignored and facts are shunned.

This is what slashdot is for! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237890)

Post the source code HERE because a judge said you don't have to reveal the identity of posters!

Internal MS security problems (3, Interesting)

jon_c (100593) | more than 12 years ago | (#2237896)

I used to work at Microsoft, MS Press and MS Research. While at research I needed to hack IE so it would forget about ActiveX security, I managed to reckon the registry settings but still had some questions.

The place to ask questions to other developers internally is via Outlook groups (like usenet), it's surprising there isn't a better channel to converse with other Microsoft developers, maybe there is, but that's all I knew about. Anyway, so I posted a question to the IE-dev group about my problem. The response was surprising, the lead PM of IE started flaming me, telling me about how Microsoft can not have any more exploits in IE, how my manager would be informed etc.

I guess I should have mentioned that what I was doing was only going to go out to a few select terminally ill users.

The point I'm trying to make is that Microsoft is a large company made up of many small groups which don't necessarily talk to each other, I'm not saying this in their defense, but it helps explain how so many problems can arise over and over again. Even if I had just gone ahead and implemented this IE hack into something major I don't know who would have held me accountable, as far as I know software does not need to go through a standard security audit, each group has their own QA which will vary wildly.

-Jon

Re:Internal MS security problems (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2237903)

Microsoft loving bitch. Eat a large penis.

Re:Internal MS security problems (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2237910)

MMMMMMMMMMMMMMM, LARGE PENIS!

i love eating large penis it is so tasty

The thought of large penis makes me want to (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2237942)


Yo Commander Taco! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2237901)


Is your sister a Tuna Taco?

har har hahaha ha hee hee whooo! *snort* chuckle ohmigod ha ha ha hee hee HA heh

A way to make a person in jail...? (2, Interesting)

frleong (241095) | more than 12 years ago | (#2237904)

Suppose a company hates someone. It can invent a kind of "e-book" security using, say, a modified ROT-13 algorithm. Then challenge openly the guy to crack it. He does that and publishes his results. Now, can the company use the DMCA to put that person in jail?

"Advanced Anti-piracy" (1)

shankark (324928) | more than 12 years ago | (#2237906)

an anonymous programmer has figured out how to bypass the 'advanced antipiracy features' in Microsoft Reader

That's easy. I can do that too. Type GOD on your Run Command dialog-bar in the StartUp menu.

Cross-site scripting?? (3)

phutureboy (70690) | more than 12 years ago | (#2237911)

Can anyone clearly explain cross-site scripting?

I've seen a few explanations of it but they didn't make any sense. I'm slow like that.

Not the only thing thats clear... (-1, Offtopic)

WetKittyKat (518667) | more than 12 years ago | (#2237912)

My cotton panties are see-through clear because I press my hello kitty vibrator against my 16 year old japanese clit while they are still on.

virus (0)

Anonymous Coward | more than 12 years ago | (#2237914)

or a message from microsoft?

what if I post the source code as AC? (0)

Anonymous Coward | more than 12 years ago | (#2237918)

Would /. submit my ID and collaborate with the FBI? or would /. lead the civil disobedience to fight these stupid laws?

Sheesh. (0)

Anonymous Coward | more than 12 years ago | (#2237920)

This is really boring.

Thank God we have Adequacy.org [adequacy.org]! Adequacy.org [adequacy.org] is the internet's most controversial site! Check out Adequacy.org [adequacy.org] today!