To: Hal Rubel who wrote (10023)
From: Hal Rubel
8/7/1998 6:30:00 PM
FYI: cDc Technical Response to MS

RE:

"On July 21, a self-described hacker group known as the Cult of the Dead Cow released a tool called BackOrifice, and suggested that Windows users were at risk from unauthorized attacks. Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows 95 and Windows 98 users following safe computing practices are not at risk and Windows NT users are not threatened in any way by this tool. ..."

Microsoft Marketing Department Press Release

The tone of the reply was rude and arrogant. Microsoft faithful who do not want to be exposed to such abuse may want to avoid reading further. However, here are some of the statements made by cDc in response to Microsoft that I have paraphrased for interested readers:

Scope

BO "does not take advantage of any bugs in the operating system or use any undocumented or internal APIs." (It apparently uses the OS as it was intentionally written.)

BO "does NOT do anything that the Windows 95/98 operating system was not intended to do."

BO "is only as dangerous as Microsoft's security is deficient."

NT

BO does not yet support NT. (Though MS has been in limited contact with cDc about NT.)

Vulnerability

BO "attacker must know the user's IP address, or know where the user is likely to log in." but ...

BO "client can sweep through lists of addresses and network blocks searching for active servers."

BO "does not rely on the user to install it. To install it, it simply needs to be run. There are several ways a program could be run on a windows computer, not only without the user's approval, but without the user's knowledge."

Firewalls

BO "client can send packets from any port, if the firewall lets any udp packets through at all, communication can be achieved, and for transferring files, Back Orifice can initiate tcp file transfers where the connection originates from _inside_ the firewall."
BO "is no threat to W95/98 users if the computer is connected to the Internet through an Internet service provider that dynamically assigns IP addresses - as the vast majority of ISPs already do, unless the dynamic address assigned is always in the same subnet, as the vast majority of ISPs do."

Microsoft's Initial Response

BO "is a Rorschach for Microsoft credibility. Microsoft's own official response to us was issued as a marketing bulletin! Does anybody else besides cDc find it disturbing that the Marketing Department is running the show over there?"

Message Conclusion

"Oh, never mind. Forget we ever mentioned it. Listen to Microsoft; don't worry, be happy. Everything will be all right. Move along, there's nothing to see here"

Hal

PS: Given that:

- Microsoft seems to admit that Back Orifice does in fact work.
- Microsoft has always been diligent in the pursuit of bug fixes.
- Both MS and cDc agree that Back Orifice is NOT based on any kind of bug or unintended programming error.
- Back Orifice is readily available freeware.
- Clearly, Microsoft does not need any expertise from cDc to adjust their own code.

Then ...

With respect, my take on all this is that there may be some "known, but tolerable" security flaws in Windows 95/98 that Microsoft is reluctant to admit to or is not currently ready to change.

I think the big question now becomes: How acceptable are these known but tolerable holes in security?

HR