
FBI, Pentagon Talk to MS about XP Hole

timothy posted more than 12 years ago | from the step-inside-the-circle-of-trust dept.

News 405

(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.

405 comments

First Post As Usual (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2741073)

waiting 20 seconds...

Ok, First post!

Gooooood Morning!

Re:hot or not (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741121)

girls:
http://www.ratemypicture.com/profiles/64913.shtml
http://www.ratemypicture.com/profiles/64826.shtml
http://www.ratemypicture.com/profiles/46433.shtml
http://www.ratemypicture.com/profiles/78973.shtml
http://www.ratemypicture.com/profiles/66317.shtml
http://www.ratemypicture.com/profiles/59441.shtml
http://www.ratemypicture.com/profiles/18954.shtml
http://www.ratemypicture.com/profiles/50361.shtml

guys:
http://www.ratemypicture.com/profiles/38652.shtml
http://www.ratemypicture.com/profiles/66256.shtml
http://www.ratemypicture.com/profiles/43530.shtml

Just a thought (4, Interesting)

peripatetic_bum (211859) | more than 12 years ago | (#2741074)

First we hear rumors that al-Qaeda may have hacked into Windows; now we see the Gov't take a special interest in the latest XP hole.

Don't know about you, but I really don't know what to think.

Re:Just a thought (2)

MagikSlinger (259969) | more than 12 years ago | (#2741089)

I'm sure it's just coincidence. The more likely reason is that, due to the heightened state of security, the FBI is less tolerant of MS's sloppy security holes.

Re:Just a thought (0)

Anonymous Coward | more than 12 years ago | (#2741112)

On the other hand, they're more tolerant of forming a police state, and I'm sure they'd be happy to allow the CIA to continue testing illicit substances on hospital patients.

Re:Just a thought/Microsoft a target? (5, Interesting)

texchanchan (471739) | more than 12 years ago | (#2741160)

MagikSlinger is almost certainly right about this. However, if there is a terrorist group out there which was organized and sophisticated enough to carry out another large-scale, imaginative attack (which I doubt), Microsoft might be on their list for these reasons:
- It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
- It's extremely visible.
- Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that.
- It's a center of wealth and therefore, in puritanical minds, of evil decadence.
- It could be thought of as a "vital organ" of the American economy by someone who doesn't realize how decentralized the American economy is.

Arguing against an attack on Microsoft is the idea that it's causing enough trouble for the US by itself, but this concept is probably beyond the reach of most fanatics.

Re:Just a thought (0)

Anonymous Coward | more than 12 years ago | (#2741229)

I love how everyone considers MS so sloppy with security when root exploits are found for flavors of UNIX all the time.

who has 95% desktop monopoly again? (0)

Anonymous Coward | more than 12 years ago | (#2741235)

Oh yeah... NOT UNIX, you dumbass... and I especially enjoy the part where MS always prefaces ANY news about XP with "our most secure operating system ever".

Re:Just a thought (1)

LordSlakyr (545635) | more than 12 years ago | (#2741243)

The difference generally is that Un*x is generally installed and supported by very intelligent lifeforms, and is probably mostly behind firewalls and part of highly sophisticated systems. Who runs Windows? What is MS's target market for XP? General, clueless end users. It's like giving a gun to an infant with instructions not to shoot yourself...

Nonsense (3, Funny)

ackthpt (218170) | more than 12 years ago | (#2741143)

This is the DoJ (FBI) we're talking about, they want to thank Bill personally for keeping them all busy and employed during these uncertain economic times. Also, I'm sure there's a card with a box of chocolates on the way to Redmond from McAfee.

Way to go FBI (0)

Anonymous Coward | more than 12 years ago | (#2741076)

While you're at it, though, you might consider also recommending that whilst people are disabling their Universal Plug and Play feature, they buy themselves a Mandrake install CD???

Re:Way to go FBI (4, Funny)

Anonymous Coward | more than 12 years ago | (#2741227)

Why buy a CD? Using this bug, you can install Mandrake remotely to all Windows XP systems connected to the internet.

What do you like to slather on yourself? (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741079)

Man feæces? Or monkey feæces?

Printer Friendly Version (1)

Tryfen (216209) | more than 12 years ago | (#2741080)

For everyone with Lynx! Printer friendly version [yahoo.com].

Wot? No ads?

Tryfen

WARNING (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2741088)

Warning GOAT SEX link! Yahoo GOAT SEX link!

Re:WARNING (0, Offtopic)

cxvx (525894) | more than 12 years ago | (#2741106)

It is NOT a goatse link, don't worry, the parent is just a troll

Re:WARNING - GOATSECX LINK (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741116)

Bollocks! It is too a bloody GOAT SECX link! I saw it with my own eyes, I did! Big and pink and gapey and all puckered up like a pussy but it warn't a pussy it was a bloody man's anus, it was!

WARNING GOATSE LINK IN PARENT (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741124)

pls mod accordingly or delete before someone falls afoul of that link. slashdot, please fix filters to take these links into account.

XP Holes.... (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741081)

Are so big because I fuck MS in the ass with my great big cock! No wonder they're so gaping!

Yeah! 10th post!

hmmm...interesting (4, Insightful)

metrix007 (200091) | more than 12 years ago | (#2741082)

The fact remains, MS code *can* be secure, obviously just not XP. Good to see them getting their act together.

XP patch is broken (5, Funny)

Anonymous Coward | more than 12 years ago | (#2741083)

MS XP patch disabled network card on my computer!

I guess the computer is really safe now.

Re:XP patch is broken (0)

Anonymous Coward | more than 12 years ago | (#2741127)

No, for that you need to pull the power or change OS's.

did anybody notice this.... (3, Interesting)

Merik (172436) | more than 12 years ago | (#2741084)

"Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "

That's really messed up and scary.

(Hmmm.. Magic Lantern)

Re:did anybody notice this.... (0)

Anonymous Coward | more than 12 years ago | (#2741144)

Could this new feature be the same 'feature'
that the security guys exposed ;-)

Re:did anybody notice this.... (3, Insightful)

sporty (27564) | more than 12 years ago | (#2741168)

This isn't such a bad feature if you think about it. Well, if it did it like OS X did, I'd be happier, but I can't say that XP does. It should prompt and then download if affirmative.

But that's my humble opinion, which isn't as scary or so scary or whatever...

Re:did anybody notice this.... (0)

Anonymous Coward | more than 12 years ago | (#2741228)

There's an option to switch this on when you first run it.

Re:did anybody notice this.... (4, Funny)

Alien54 (180860) | more than 12 years ago | (#2741177)

"Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "

Never mind that such an exploit could also be used to do just the same thing and send people off to download a "patch" from a pseudo MS site.

Suddenly people are taking seriously the idea that MS can present a problem for national security, when this was dismissed as a trollish comment before.

The fantasy is the unlikely end result with Bill Gates and buddies being arrested for treason for the software. Yes, it is just a fantasy.

But isn't Xmas the time of year for dreams? ;)

Re:did anybody notice this.... (0)

Anonymous Coward | more than 12 years ago | (#2741183)

Yes, this will probably be the next major security problem with XP... "system starts downloading malicious fixes by itself"

Re:did anybody notice this.... (3, Informative)

mESSDan (302670) | more than 12 years ago | (#2741186)

No, it is a part of XP, in the system properties, it's called Automatic Updates. It's also available in Win98/ME through the Critical Updates program you can get through Windows Update. You can turn it off at will.

Re:did anybody notice this.... (1)

Merik (172436) | more than 12 years ago | (#2741230)

I guess(sp) the same people who wouldn't care enough to turn off automatic downloading would likely be the same Joe Schmoe user who wouldn't download the patch.

But i still dont like that they gave themselves a backdoor that is enabled by default...

Also.. Has anyone reviewed the security of the auto-update utility?

What DO you like to slather??? (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741085)

Man feæces?! Or monkey feæces?!

But they don't see MS as the problem, I bet (2)

MagikSlinger (259969) | more than 12 years ago | (#2741086)

How much you want to bet that no one sees this as a problem with Microsoft? One can only hope this emboldens the anti-trust crusaders and their cause.

Re:But they don't see MS as the problem, I bet (1)

ackthpt (218170) | more than 12 years ago | (#2741212)

Oh, absolutely! The AP article should scare the hell out of consumers and urge them to mobilize to get on M$ and the DoJ's case, but it's so soft on them it reads like: "There's a bug but Microsoft assures people there's little to worry about if they just put their trust in us" -- without pointing out that this is how they got into this in the first place.

Sadly, consumers, more than Microsoft and the Government combined, are responsible for this mess for accepting Win*, but tell them that. It's like "Hey, if you don't want all those parking tickets, don't park in the loading zones," to which the average consumer would tell you you have nerve or to go fsck yourself. No helping some people.

happy linux admin (0)

Anonymous Coward | more than 12 years ago | (#2741087)

Who the heck trusts microsoft products anymore....

Trust us! (4, Interesting)

robinjo (15698) | more than 12 years ago | (#2741090)

Microsoft has known for five weeks that XP had a serious security hole. They didn't do anything to warn customers who bought XP during that time. They just kept telling how XP is so secure.

It's unbelievable what Microsoft can get away with. I don't think the hole and the patch are the important issues here. I'm shocked how Microsoft can lie to the whole world for five weeks and people still trust them.

Microsoft should have withdrawn XP and fixed it. Especially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.

Quick! Mod parent down! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741105)

Especially as they don't even have any serious competitors.

No! He's saying Linux / *BSD / MacOS / whatever isn't a match for XP! Quick! Give the above a couple of flamebait and troll moderations!

Re:Trust us! (5, Interesting)

uchian (454825) | more than 12 years ago | (#2741134)

Microsoft should have withdrawn XP and fixed it. Especially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.

In my opinion they should _STILL_ withdraw it and fix it.

By this, I mean that they should recall every vulnerable CD off of shelves, and send everyone who they know has bought one a new copy that is already patched.

Computers bought with Windows XP preinstalled should have the offer of being recalled to have the patch applied, and everyone should be sent an updated recovery disk.

Why? Because otherwise, 90% of computers out there, run by the technologically clueless population will never get this patch applied.

Re:Trust us! (1)

lseltzer (311306) | more than 12 years ago | (#2741142)

When you set up XP it automatically checks for updates as part of the setup process

Re:Trust us! (2, Insightful)

Toraz Chryx (467835) | more than 12 years ago | (#2741161)

And how exactly will that help all the machines that are already setup? and may quite possibly have the automatic patch checking disabled?

Does it? (3, Informative)

barzok (26681) | more than 12 years ago | (#2741234)

I set up an XP Home Edition box on 12/14 and after installation, went to Windows Update. Found a dozen (4 critical, 4 non-critical) updates waiting for me.

Re:Trust us! (1)

Ken D (100098) | more than 12 years ago | (#2741171)

Exactly, the risks that are posed by unpatched machines, and the odds of a machine being unpatched, practically require a consumer recall. This might be the first defective product recall ever demanded due to national security issues.

In order to ensure that the recalled software is removed from machines, the fixed version of the software should be called something else. That way "Windows XP" becomes software that shouldn't exist anywhere. Microsoft should be required to advertise the recall heavily, just as most corporations that release defective products are forced to do. Perhaps MS can release the next software as "Windows XP (Fixed)"

Re:Trust us! (4, Funny)

eggz128 (447435) | more than 12 years ago | (#2741188)

Why? Because otherwise, 90% of computers out there, run by the technologically clueless population will never get this patch applied.

Yes they will. Thats what the auto updater is for. It downloads the patch in background while the technologically clueless user is browsing, then prompts them to install it by asking them "We send you this update in order to have your advice".

You can guess what the standard response will be.

Re:Trust us! (2, Interesting)

uchian (454825) | more than 12 years ago | (#2741225)

Hmmm... Great. But we still get a race between the autoinstaller downloading the patch, and the attacks from the all new improved Code Red XP which isn't out yet but which I guess there are at least one or two versions of being written in back bedrooms the world over.

If I recall, on average I was getting one attack every fifteen minutes from Code Red. So how long does this patch take to download? Especially since it's happening in the background, I guess that means it takes a lower priority over a users normal browsing.

Re:Trust us! (1)

Cygnusx12 (524532) | more than 12 years ago | (#2741248)

A Consumer Recall? For what? Something that can be fixed by the end user? That's like recalling tires because they're low on air.

Please, owning a PC comes with a certain amount of responsibility, as does maintaining an internet connection. MS couldn't hand-hold you any more through their patch process than they do already without actually sending someone to your house to wipe your ass for you.

That being said, MS, IMHO, has a responsibility to (at the very least) NOTIFY the user by some means. (But yet, we tell them, you CAN'T know anything about us, we want PRIVACY!.. sort of a catch-22, eh?).. but they can't be expected to recall the OS for a single, simple flaw.

Consider, even if there was, some sort of nation wide recall (.. and yes Homer, Germany is the land of chocolate! .. ), You would STILL have your "clueless" users who didn't even know they had a system that needed patching.. and thus, your patch never gets applied.

Re:Trust us! (5, Insightful)

Masem (1171) | more than 12 years ago | (#2741135)

Remember that Microsoft wants to push a security model in which new bugs are reported only to the vendor and possibly a NDA-signed security group, and then in 'sufficient time' ( There's a part of me that says, ok, this type of reporting for a bug with this amount of security implications is probably a good thing, as if the bug was reported before the patch was available, you'd already have 'owned' XP boxes out there before MS had the patch. In the fashion they approached it, the amount of damage to XP (or other OSes) boxes will be minimized.

But I feel there MUST be some preannouncement on such bugs, even if the details are minimal. Whenever you work on something, you cannot expect that someone else in the world is not also working on the same thing, but not for the same purposes. In the case here, eEye, the group that found the bug, was looking for it for purposes of good, but I would not expect that someone else, maybe a malicious group, was not also narrowing in on the bug 5 weeks ago when eEye reported it to MS. (And then you have to add cyber-espionage that might have garnered that info for themselves?) In the 5 weeks it took MS to verify the bug and develop and test the patch, that other group might have caught up and started 'owning' boxes already. A preannouncement of the bug, simply outlining the effects and any short-term security measures, would have prevented that group from doing any significant harm to the boxes if they did exist.

I know from a previous discussion that many sysadmins, when a new bug is discovered, want to know all the details up front so they can test the bug before and after fixing on their systems. This is understandable, but I think in the cases of bugs that can affect a significantly large number of systems, such as this XP bug, that limited disclosure is better. I think a key step that could be done is to institute a small group of trusted security people; bugs that are found are reported to the vendor and to this group. A person (or persons) from the group verifies the bug and puts out a digitally signed statement that this bug exists, and that certain steps can be taken to correct it. Because of the status of these people, if they claim to have verified the fix, then that should be considered to be truthful, thus limiting the need for sysadmins to have full details to test it themselves. After a short period (no more than 6 weeks), the full details should be released, regardless of whether a patch from the vendor was available or not. That way, the limited disclosure lets the sysadmins know there's something going on and there are steps they can take to prevent problems, and it gives the vendor time to fix the problem before that information falls into the hands of malicious people.

Re:Trust us! (3, Funny)

kresmoi (542683) | more than 12 years ago | (#2741162)

Isn't this the point where the government should be stepping in to do somethi...oh wait. nevermind.

Serious Stuff (2, Informative)

smooc (59753) | more than 12 years ago | (#2741092)

Although I refuse to put a Windows box directly on the internet (and btw neither a Linux box), even for home use, I know a lot of people who do.
Especially all the unaware home users, like my landlord for example. For system admins it is already difficult to keep up to date with all the patches, even with the various *update programs; at least they are firewalled.

And yet they (the homeusers) are the most vulnerable!

And Microsoft proclaimed this was its most secure OS ever.

Re:Serious Stuff (0)

Anonymous Coward | more than 12 years ago | (#2741141)

No, they stated it was "their" most secure OS. Other OSs are far more secure than anything from M$.
BTW, this is their most secure OS. Here it is 2 months and they have only one serious leak. All the others were minor. Of course anybody with a brain should point out that the other serious ones simply have not been found out by M$ yet. Personally, I am quite certain that there is already a cracker running with some serious opening right now.

Re:Serious Stuff (0)

Anonymous Coward | more than 12 years ago | (#2741247)

when you you call microsoft M$, i realize that you are right and i am wrong. it is just so clever.

Why didn't the FBI.... (1)

Kevinv (21462) | more than 12 years ago | (#2741094)

recommend the smart thing - disable Windows XP. Just disabling Universal PnP isn't going to help.

Green Lantern? (1)

cyplex (236267) | more than 12 years ago | (#2741098)

Hmmm, nobody will support installing or enabling their software to detect the government version of "Back Orifice", so they "recommend" you download one of THEIR patches. Just kidding, but I wouldn't put it past them.

Yet another link to MSNBC (-1, Flamebait)

digitect (217483) | more than 12 years ago | (#2741099)

Funny that despite Slashdot considering Microsoft its favorite punching bag, how many stories link to MSNBC. You'd think if Microsoft really was the evil empire, folks wouldn't actually back up their arguments with stories posted there.

Bill Gates imprisoned (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741101)

...for revealing information about the CIA/FBI backdoors in Windows XP.
I think it's time for a new European operating system like Linux.
I can't understand why we still use this US stuff with the rise of the new European superpower [euro.gouv.fr]. It's not that these USian things are superior technology, just look at their cars [ford.com].

Considering the focus on national security.... (1)

Merik (172436) | more than 12 years ago | (#2741102)

Could Microsoft's dominance now present a great enough danger, when it's politically important, to cause the initiation of Federal oversight of their security procedures? (sp.. I know)

Wonder how far it could go...

Can they be held responsible in the future, now that they have been warned, if their bugs allow "terrorists" to wreak havoc?

After what the U.S. did not somalia's telecompany there certainly are no lines drawn for how far they will go to ensure security.

Re:Considering the focus on national security.... (1)

Merik (172436) | more than 12 years ago | (#2741128)

After what the U.S. did **to** Somalia's telecom company there certainly are no lines drawn for how far they will go to ensure security.

Yeah the gov prolly has a patch alright (1, Flamebait)

HanzoSan (251665) | more than 12 years ago | (#2741103)


One that blocks out everyone except them.

Never trust the government!

It's about time (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#2741104)


Maybe the FBI can get Microsoft to move their arse on improving all those glaring security flaws.
Let's hope so.

Follow the EEC Lead. (3, Offtopic)

Beautyon (214567) | more than 12 years ago | (#2741107)

The British and German governments have both realized that Open Source software is the way to go for many reasons, and are now deploying these superior solutions (or planning to) across all departments.

What the makers of Linux distributions must do is concentrate on usability (and by extension consistency) and further refining their installers so that anyone off of the street can choose and then run Linux as painlessly as they have done with all the different windoze generations.

Ximian are the closest to making easy to use tools that even my Aunt Grace (70) can use. A fully blown distribution from Ximian would be "most welcome" to use parliamentary language.

Re:Follow the EEC Lead. (2)

joebp (528430) | more than 12 years ago | (#2741139)

The British and German governments have both realized that Open Source software is the way to go for many reasons, and are now deploying these superior solutions (or planning to) across all departments.

Yeah, it does look that way when the UK government plans to buy 500,000 copies of Windows XP [theregister.co.uk].

Re:Follow the EEC Lead. (1)

Beautyon (214567) | more than 12 years ago | (#2741199)

I did say "or planning to", didn't I? Now read this:

The UK government has published the first draft of its proposed policy on the use of open source software and is seeking comments from the public.

The policy essentially seeks to increase the use of open source software at all levels of government and public sector IT provision.


Quote taken from: The Register! [theregister.co.uk]

Re:Follow the EEC Lead. (2, Troll)

dbarclay10 (70443) | more than 12 years ago | (#2741146)

I won't comment on the "usability" of the desktops other than to say that almost all desktops under *nix that I've used (KDE, GNOME, plain ol' Sawfish or IceWM) are extraordinarily easy to use. They're hard to learn (well, maybe not KDE and to a lesser extent GNOME), but they're absolutely amazing to use.

Be sure to separate "ease of use" from "ease of learning" :) Windows is easy for almost everyone to learn, because almost everyone has had exposure. But it's a bitch to use.

I *will*, however, comment about installations. You're on drugs. It's that simple :) Mandrake is *easier* to install than Windows. Go ahead and try it. The installation is smoother, all hardware is autodetected, everything is just EASY. Windows installation isn't nearly so nice. I'm not saying it's their fault - after all, Windows is almost always preinstalled. They really haven't had much motivation to make a really kickass installer.

Microsoft's in trouble . . . (2, Funny)

Anonymous Coward | more than 12 years ago | (#2741108)

. . . the only backdoors in Windows XP are supposed to be the ones negotiated in the antitrust "settlement."

~~~

all rightey then! (4, Interesting)

Jburkholder (28127) | more than 12 years ago | (#2741110)

Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.

I must be living under a rock because this is the first I've heard of this. XP just starts downloading files without any action from the user? Does anyone beside me feel uncomfortable about that?

Re:all rightey then! (2, Informative)

lseltzer (311306) | more than 12 years ago | (#2741148)

three options, and it asks you which you want:

1) download updates automatically and ask the user whether to install them
2) notify the user automatically that updates are available and ask them whether to download and install them
3) none of this

Re:all rightey then! (1)

Cortek (165100) | more than 12 years ago | (#2741169)

Actually it's not as bad as it seems.

After installing the user is given the option to manually check for updates or have XP do it automatically.

Re:all rightey then! (2)

Bodero (136806) | more than 12 years ago | (#2741203)

You must be under a rock. Windows ME had Automatic Update Notification too.

Jizz mop (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2741111)

I like to use my tongue as a jizz mop.
Thanks for listening.

DOD is very upset (0)

Anonymous Coward | more than 12 years ago | (#2741114)

In the past, it was the CIA who had free and easy access to your data. Now, it is al-Qaeda, SKs and any idiot out there.

The Blue Nowhere (1)

satanami69 (209636) | more than 12 years ago | (#2741118)

Holy crap! I just downloaded a free e-book from Microsoft.com/reader [microsoft.com] for their MSReader program. It was called The Blue Nowhere, ISBN: 0684871270 [barnesandnoble.com]. I just finished it about 2 hours ago.

Basically the story was about a hacker, Wizard (not the LotR type), who could root your system whenever you went online, and you wouldn't be aware of it. This guy would then use info from your computer to kill you.

Now I hear XP can give up system control simply by having you go online!

the arrogance (4, Insightful)

kubla2000 (218039) | more than 12 years ago | (#2741120)

The arrogance of microsoft is astonishing.

I honestly and truly hope that the US government brings them to their knees about this. That's wishful thinking, I know. However, two statements in particular in the Yahoo! article surprised me:

1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.
2. Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.

The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.

Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?

The gaping hole in internet security is... (1, Offtopic)

darkov (261309) | more than 12 years ago | (#2741126)

Microsoft. Someone ought to tell the FBI.

Monopoly has serious security implications (1)

CatherineCornelius (543166) | more than 12 years ago | (#2741129)

This discovery highlights the dangers of the monoculture that comes with the de facto systems monopoly. The danger is not so much in abuse of monopoly (though that assuredly is a danger) as the serious security implications of having a monopoly in the first place.

I hope that the government and the courts will combine to force Microsoft to implement more interoperability in its systems (for instance, publish its file formats) and perhaps even make some key outward-facing components of its operating systems open source. These steps would give the consumer more choice and ensure that system vulnerabilities could be spotted more easily.

Re:Monopoly has serious security implications (1)

WildBeast (189336) | more than 12 years ago | (#2741196)

Yeah sure, and the government wants also to be sure that you're not a terrorist. Maybe you should plug in cameras in every room and make your everyday life open to the public and if you ever do something illegal, they'll make sure to let you know.

While we're at it, the government should also control which games we can and can't buy. After all, it's the government duty to protect people from immoral, violent and evil games.

how old are you?

Huh? (2)

Fat Casper (260409) | more than 12 years ago | (#2741132)

Several experts said they had already managed to duplicate within their research labs so-called "denial of service" attacks made possible by the Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use by legitimate visitors.
Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.

Now IANASK (script kiddie), but isn't implanting "rogue software" a critical step in getting a DDOS up and running? It'd be nice if tech journalists knew a little about what they're reporting, especially the ones who get their paychecks from MS. On the other hand, it'd be nicer if coders knew a little more about what they're doing- especially the ones who get their paychecks from MS.

Re:Huh? (2)

jsarek (514608) | more than 12 years ago | (#2741187)

Not in this case. The DDoS attack method they were talking about was using the XP exploit to force MANY replies to a PnP (plug and play) device message, from MANY machines, by simply sending the correct info to specific ports on any XP/Me/98 machines. Spoof the return IP where that info is supposed to go, to the IP of your most hated web page for example, and boom, instant DDoS attack that is amazingly anonymous, and would probably be very effective.

The only "hard" part would be tagging a bunch of XP machines on cable or better to be used for the attack.

This should scare you.

High skill level black-hat types getting system access on all machines running XP worldwide shouldn't scare you quite as much, but that is also THEORETICALLY possible through this hole.

National/International Security Concerns (5, Informative)

ackthpt (218170) | more than 12 years ago | (#2741136)

Utterly fascinating that the DoJ (FBI) is looking into these flaws for the difficulty exploits could cause people, after basically letting M$ off the hook in the monopoly punishment phase. Hope the states prevail, and if you haven't written your opinion in (to the court), here's another reason why monopoly for a universally adopted and used O/S is bad.

Public comment is invited within 60 days of the date of this notice. Such comments, and responses thereto, will be published in the Federal Register and filed with the Court. Comments should be directed to Renata Hesse, Trial Attorney, Suite 1200, Antitrust Division, Department of Justice, 601 D Street NW, Washington, DC 20530; (facsimile) 202-616-9937 or 202-307-1545; or e-mail microsoft.atr@usdoj.gov. While comments may also be sent by regular mail, in light of recent events affecting the delivery of all types of mail to the Department of Justice, including U.S. Postal Service and other commercial delivery services, and current uncertainties concerning when the timely delivery of this mail may resume, the Department strongly encourages, whenever possible, that comments be submitted via email or facsimile.

After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again insecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.

Windows Update (0)

ColinHolywell (197018) | more than 12 years ago | (#2741138)

XP doesn't just start downloading and installing stuff without your knowledge. There is a feature called "Critical Updater" that has to be enabled first that checks the Windows Update sites daily for new critical patches. You can set it to install them without prompting you or it can be set to just tell you about them.

Re:Windows Update (0)

Anonymous Coward | more than 12 years ago | (#2741153)

yeah :/

Ok, Let's think about this... (1)

ackthpt (218170) | more than 12 years ago | (#2741194)

Assume you have this service enabled and someone figures out how it works (they will, count on it)

They set up a bogus server to crit update code into your system or just wreck it

They hack DNS to point to it

Yeah, that's a nice feature to have....

They need to mind their own business (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741140)

Who even told the FBI and Pentagon about the Internet? Man, I remember when it was a secret network. They always want to be nosy. It's like, if there was a buffer overflow exploit possible on fedworld.gov, then I could see how they care, but just because of a stupid Microsoft Windows XP bug, they want to sit here and say "oh no! blah blah blah blah". They just need to mind their own fucking business. The government always gets into people's personal lives, which is an invasion of our constitutional freedoms!

Re:They need to mind their own business (2)

ackthpt (218170) | more than 12 years ago | (#2741159)

Who even told the FBI and Pentagon about the Internet?

The DOD was instrumental in forming the basis of the internet, DARPA-NET [darpa.mil]

Man, I remember when it was a secret network.

No. No you evidently don't.

"You guys promised us..." (4, Funny)

Jacco de Leeuw (4646) | more than 12 years ago | (#2741149)

"... that this backdoor would not be found for at least 2 years after this Bin Laden thing blows over!!"

"Yeah, but those eEye guys didn't want to be on our Security-Through-Obscurity team! And we had all these great goodies for them!"

It's to be expected... (3, Informative)

jmichaelg (148257) | more than 12 years ago | (#2741155)

...that security will suffer when you make an os too easy to use. It's an age-old tradeoff: security vs. ease of use. Moreover, with more features comes more complexity and with more complexity come more security holes.

Don't want to check to see if there's a patch needed for your OS? Don't worry, we'll have the OS check for you. We can't guarantee that your computer will be talking to our servers when it downloads the patches but hey! it'll be automatic! Come to think of it, we can't even secure our own servers so we're not too sure what you'll be downloading even if you are talking to our servers but hey! - it's automatic!

I can't think of a better argument for limiting the services an os provides than this fiasco.

FBI might have warned them.. (2)

jsse (254124) | more than 12 years ago | (#2741163)

with all these backdoors already 'embedded' in the OS...

would make project Magic Lantern useless and idiotic.

UPNP is all about handling NATed devices (5, Informative)

weave (48069) | more than 12 years ago | (#2741175)

I haven't seen this mentioned much, but UPNP is all about handling NATed devices. There is a UPNP SDK developed for Linux, but until someone builds a useful kernel module out of it, Linux users are SOL (or maybe they are fortunate).

Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.

So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.

However, UPNP apparently knows how to handle multiple chains of NAT networks, kinda like I guess an old fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?

So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...

Here's my rant...

I read the tech article about msn messenger and NAT devices. In order to do pretty much anything beyond chat, you can't be behind a NAT device unless that NAT device is a Microsoft device.

Basically, it suggests installing Windows ICS for home users and corporate users should use a 2000 server for NAT and msn's extra features will work.

Fuckers...

ICQ works just fine behind a NAT. They are basically just trying once again to leverage one product to sell another....

Their explanation is that the client must send its IP address to the other user so it knows where to send files, audio, video, etc, and since it's got a private IP, it screws up. So it needs to query the NAT device for what ITS IP is. But that's really stupid since there is already a connection open for chatting and all the other client has to do is look at that connection for the source IP and use that instead and everything else would just work....

Someone on a newsgroup said this is another security hole waiting to happen. Basically, it's trusting the client for security. I send a connection to your msn messenger client and tell it what IP to send its stuff to? What if I send it the IP address of someone I am trying to DOS? Arrgh...

They'll never learn...

Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.

Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?
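The pattern the two comments above describe (jsarek's spoofed return address for the PnP replies, and weave's "trusting the client" to say where the other end should send its traffic) comes down to one design question: does a service send traffic wherever a message tells it to, or only back to the address it actually came from? The following is an added example, not code from the thread, from Microsoft, or from any UPnP or MSN Messenger implementation. The message format (a `CALLBACK: host:port` line), the addresses, the ports and the rate limits are all constructed for illustration. It shows the weak pattern beside a hardened handler and a per-source reply budget, from the defending service's point of view.

```python
"""Callback-address trust: naive vs hardened handling (added example).

Constructed illustration, not code from the Slashdot thread, Microsoft,
or any UPnP/MSN implementation. Message format, addresses, ports and
limits are invented for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Datagram:
    """A received message: the observed source and the payload text."""
    src_ip: str
    src_port: int
    payload: str


def parse_callback(payload: str) -> Optional[Tuple[str, int]]:
    """Extract 'CALLBACK: host:port' from the constructed message format."""
    for line in payload.splitlines():
        if line.upper().startswith("CALLBACK:"):
            target = line.split(":", 1)[1].strip()
            host, _, port = target.rpartition(":")
            if host and port.isdigit():
                return host, int(port)
    return None


def naive_reply_target(msg: Datagram) -> Optional[Tuple[str, int]]:
    """Weak pattern: reply wherever the sender says to.

    A forged message naming a third party's address turns this service
    into a reflector: the victim receives replies to requests it never
    made, and the real sender never appears in the victim's logs.
    """
    return parse_callback(msg.payload)


def hardened_reply_target(msg: Datagram) -> Optional[Tuple[str, int]]:
    """Hardened pattern: replies go only to the observed source address.

    The callback field is untrusted input. It must be a literal unicast
    IP (no hostnames, so no DNS lookups driven by the sender) that equals
    the address the datagram arrived from; otherwise nothing is sent.
    """
    cb = parse_callback(msg.payload)
    if cb is None:
        return None
    host, port = cb
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname or garbage: refuse rather than resolve
    if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
        return None
    if host != msg.src_ip or not (1 <= port <= 65535):
        return None
    return host, port


class ReplyBudget:
    """Cap replies per source address per time window (constructed limits).

    The source-only rule above stops application-layer redirection, but a
    sender can still forge the IP header itself. A reply cap bounds how
    much traffic any one address can be made to receive via this service.
    """

    def __init__(self, max_replies: int = 5, window_s: float = 1.0):
        self.max_replies = max_replies
        self.window_s = window_s
        self._seen: Dict[str, Tuple[float, int]] = {}  # ip -> (window_start, count)

    def allow(self, ip: str, now: float) -> bool:
        start, count = self._seen.get(ip, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0
        if count >= self.max_replies:
            self._seen[ip] = (start, count)
            return False
        self._seen[ip] = (start, count + 1)
        return True


def handle(msg: Datagram, budget: ReplyBudget, now: float) -> Optional[Tuple[str, int]]:
    """Full hardened path: validate the target, then spend reply budget."""
    target = hardened_reply_target(msg)
    if target is None or not budget.allow(target[0], now):
        return None
    return target


if __name__ == "__main__":
    # Constructed traffic: a forged callback naming a third party, and a
    # legitimate one pointing back at the sender.
    forged = Datagram("198.51.100.7", 1900, "NOTIFY\r\nCALLBACK: 203.0.113.9:80\r\n")
    legit = Datagram("198.51.100.7", 1900, "NOTIFY\r\nCALLBACK: 198.51.100.7:5000\r\n")
    print("naive   ->", naive_reply_target(forged))      # the victim's address
    print("hardened->", hardened_reply_target(forged))   # None: dropped
    print("hardened->", hardened_reply_target(legit))    # back to the sender only
```

The budget is the part that matters against the spoofed-source variant: once replies are no longer steerable by a field in the message, the remaining lever is forging the source address, and that is answered by capping what any one address can be made to receive and, upstream of the service, by ingress filtering at the network edge.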

Seeing as i-net update is unsafe (1)

A_Non_Moose (413034) | more than 12 years ago | (#2741178)

I want my updated copy delivered by their (MS/FBI's) black helicopters!!!

(sorry, first day of vacation, lack of caffeine, new puppy, lack of sleep..I thought it was amusing)


OK, M$ is getting stupider (0, Flamebait)

gatesh8r (182908) | more than 12 years ago | (#2741180)

This is amazing! Never in my life would I think that M$ would be as dumb as to be like this.

What really makes M$ asinine is the following:

M$ can't do no wrong.

M$ isn't at fault; the guy/gal that found the exploit is.

"M$ makes good products!" they preach, but in reality they are piss-poor quality that have more problems than their competition. Not to say that the competition has flawless software, but M$ tends to have more bugs and severe issues. So hold back your flame...

M$ doesn't care about their customers, they care about their customer's money. They feel that they don't have to do anything good to secure their computers, just focus on putting a dog on the screen and make it go "Good morning!" This is one reason why I support Linux and their companies.

Finally, M$ doesn't believe in QC. That's right, Quality Control is important. Code audits, testers, security audits; whatever -- bottom line: Do a better damn job with QC.

That my friends, will be M$'s demise... lack of QC.

Re:OK, M$ is getting stupider (1, Troll)

WildBeast (189336) | more than 12 years ago | (#2741224)

oh, is this the recipe for success? Maybe I should start a software company now and go with your M$ plan. I'll be sure to succeed.

when did MS say they're not at fault? They published the patch and thanked the guy who found the exploit.

piss-poor quality? Yeah, I guess that's why Windows is used on more than 90% of desktops and that MS Office is so popular.

If you had any notion of marketing you would know that you can't get your customers' money without first caring about your customers. That's what MS does, they added features that their customers ask for.

Grow up will ya.

I don't understand how you all think this - (1)

Typingsux (65623) | more than 12 years ago | (#2741184)

is so incredulous.
I think the underlying problem is everyone thinks Microsoft is a technology company.
It is not.
It is a marketing company, and that's all it is.

An analogy with the biological world (5, Insightful)

Ryu2 (89645) | more than 12 years ago | (#2741192)

In epidemiology, one of the mitigating factors of the spread of any disease is simply the diverse genetic makeup of the targeted population.

The opposite to this is what's called a monoculture, where one particular genetic structure is present in the large majority of the population. Such situations will usually not last long, because once something is found that affects that population, it spreads quickly and decisively.

With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture? Would one major virus or security flaw cause much more damage to the net than otherwise would have happened, because of the homogeneity of the net's computer systems in terms of OS?

Whether the king is Linux or Windows or MacOS, or..., is having a near monopoly market share of any one OS a good thing in light of this philosophy? Hmm. Food for thought.

FBI's got their dirty hands in everything now. (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2741193)

Next, the FBI is going to be checking these holes [sexpods.com] . We'll see what they find.

I wonder if XP users can sue... (0)

goldspider (445116) | more than 12 years ago | (#2741200)

Think about this kind of flaw in terms of, say, the automobile industry. If X car company makes a car that (for the sake of an accurate comparison with windows) spontaneously explodes with no warning whatsoever, you could bet the farm that someone would be suing, and probably would win!

Now say an XP user gets his computer trashed by some malicious cracker and loses all of his important personal/business data, should he or she not be able to sue Microsoft for the loss?

I'm guessing a recall by the auto manufacturer would absolve the auto maker, but to do this, the manufacturer must send notification of the recall to EVERYONE who has the defective car. Apparently, Microsoft doesn't feel a similar obligation to notify all of its XP users...

Perhaps I'll go buy XP, leave it unpatched on the 'net, hope someone comes by and fux with it, call Johnny Cochran, and see what happens!

Re:I wonder if XP users can sue... (1)

WildBeast (189336) | more than 12 years ago | (#2741244)

while we're at it, let me sue the cops because my friend died and they failed to protect her. Let me sue the whole earth because it's not a safe place to live in. Let me sue the FBI because they failed to eliminate crime.

Maybe MS and FBI are working together? (1)

Ryu2 (89645) | more than 12 years ago | (#2741207)

With Magic Lantern, etc. it wouldn't surprise me to see that this flaw in XP, if not intentional at the behest of the FBI, was known about by the FBI for much longer than anyone else in the world outside of MS.

And please don't just dismiss this with "conspiracy theory" or mod down without a coherent counterargument. Surely at least SOME folks in the law enforcement realm must be thinking how can we take advantage of this monopoly.

After all, other major companies like petro firms, airlines, etc. all are subject to working with/for the govt and subject to regulation at times because of their strategically important value for national security, who's to say the same couldn't be said for computer software?

Cracking spree holidays? (3, Insightful)

Zarathustra.fi (513464) | more than 12 years ago | (#2741209)

I'm thinking new computers that have been bought this Christmas as presents. I wonder how many of these computers are preinstalled with Windows XP. As we speak, these computers are all wrapped in gift papers; who will patch them? Do people even have time to do anything else except get prepared for the big day? And are people aware of the severe security flaw?

Probably quite many of those computers go to people who are going to have it as their first computer. And what are they going to do first? Turn it on. And probably, go online with it..

And the crackers will be waiting for the easy prey.

Reminds me of the Simpson's episode .... (3, Funny)

wift (164108) | more than 12 years ago | (#2741215)

where Burns and Smithers go through high security steel doors, scanning stations, gates and end up in the control room that has an old screen door to the outdoors in it allowing a stray dog in. Seems to me that sums up Microsoft's entire security structure.

bonus karma points to anyone who correctly identifies the show number.

"Oh for christ sake"- Montgomery Burns after discovering a stray dog in his XP like high security control room.

You know (3, Interesting)

ASIO (193653) | more than 12 years ago | (#2741219)

This would be a damn good way to get Magic Lantern on a whole lot of systems.

This was mentioned earlier, but now the FBI is pushing it as well, Coincidence??

CSS prosecution defense:"flaw or intended design" (0)

Anonymous Coward | more than 12 years ago | (#2741222)

CSS is essentially a black box. Closed source software hides design, implementation, and the intentions of the software designer. As a result of CSS, the consumer and software engineer are unable and not responsible for distinguishing between flaw or intended design. It simply is a black box.

The successful prosecution for the non-malicious exercising of XP "flaws or intended design" will require convincing the jury that the intentions were to violate the design.

CSS is dying a slow death. Don't expect it to go willingly, however.

frustrated FBI (3, Insightful)

WildBeast (189336) | more than 12 years ago | (#2741233)

They failed to protect the country from terrorists and now they're trying to rebuild their reputation among the population by getting involved in the Internet. Th

Looks like MS isn't the only one with good marketers :)

"Our most secure OS ever" (0)

Anonymous Coward | more than 12 years ago | (#2741242)

And they're probably telling the truth. It's not like they set a high security standard for themselves.

And how will the Microsoft Controlled Slave Elements and other Microsoftistas spin the fact they're the only software vendor that's had this happen to them. What other company's products ever posed "risks to the internet" as a whole?
