Hi
You may remember that someone got into Microsoft's site last year and
looked at (and maybe even downloaded) some source code.
Take a look at
http://au.dailynews.yahoo.com/headlines/20010826/nbtech/998784000-2081415222.html
Sunday 26 August 10:00 AM
Windows 2000 Port Invites Intruders
Exploiting a hole in Windows 2000, a hacker says he penetrated
Microsoft's corporate network earlier this month and had full
access to hundreds of the company's computers.
The security breach, which took place over a six-day period
beginning August 12, involved a shopping server that was part of
the Microsoft Network in Europe, as well as scores of workstations
and servers located overseas, he says. A list of the vulnerable
machines was provided to Newsbytes by the anonymous intruder, a
self-proclaimed white-hat hacker who uses the nickname
"Benign."
<snip>
The list of vulnerable computers provided to Newsbytes included the IP address,
machine name, workgroup, username, and password of more than 400
Microsoft systems on the internal Microsoft network. Among the
workgroup names were "NT_DEV," "Redmond," "SouthAmerica," and
"FarEast."
It would appear from this that he had access to development machines.
Microsoft (and other proprietary vendors) continue to claim that open
source is a security risk because crackers can use the source code to
identify security holes, arguing that closed source avoids this problem.
Whilst this particular instance of cracking involved a 'benign' cracker,
how long will people continue to believe that proprietary software is
more secure than open source - how do you know that the software you are
buying does not include backdoors built in by crackers (or even, perish
the thought, by the vendor)?
The only guarantee you have that ANY software is free of such deliberate
exploits is that you can read the source code and check it for yourself!
Security through obscurity is no security!
--
Robert Hart hartr@redhat.com
Red Hat Asia-Pacific, Unit 15, 23 James St, Brisbane, Qld 4006, Australia
Tel +61 (0)7 3872 4808 Fax +61 (0)7 3257 4800
This archive was generated by hypermail 2.1.1 : Fri Aug 31 2001 - 03:10:05 EST