Comments on: Comments on 7084

Post number 7084

redleaf — Wed, 18 Apr 2001 08:51:32 -0800

Bring down MeFi in one easy step. Matt, does this affect you?

By: starvingartist

starvingartist — Wed, 18 Apr 2001 08:56:20 -0800

An attacker can take advantage of the vulnerability by sending the server a request to view a Web page with an unusually large address--for example, one with the letter A repeated 3,000 times, SecureXpert Labs said. Sending such a request will prevent the ISA software from letting computers inside its network view outside Web pages or letting outside computers view inside pages.
Is it just me, or does it seem vaguely irresponsible to actually explain how to make this attack work in the article? How many bored people with a penchant for anarchy are going to try this now, before the patch is sufficiently implemented around the net?

By: redleaf

redleaf — Wed, 18 Apr 2001 09:06:42 -0800

When I first read that my thought was what site do I know running Win2k that I could test this out on? Then my conscious kicked in.

By: PWA_BadBoy

PWA_BadBoy — Wed, 18 Apr 2001 09:08:32 -0800

Yes, I often feel the need to hack into websites while in an unconscious state too. Sorry for the jab..... I think you meant "conscience."

By: holloway

holloway — Wed, 18 Apr 2001 09:15:19 -0800

starvingartist: I prefer exposure as Microsoft have been slack in the past when it comes to patches and hopefully public embaressment spur them on. Really though - I like people considering products other than Microsoft.

By: Spanktacular

Spanktacular — Wed, 18 Apr 2001 09:31:05 -0800

Starvingartist, if the vulerabilities are not made public, Microsoft has a proven record of not doing anything about them until they *are* made public. Besides, from what I read in the article, the vulnerability only occurs with NT servers running a particular kind of firewall software.

By: starvingartist

starvingartist — Wed, 18 Apr 2001 09:40:16 -0800

Ow! Ow! Stop with the beating! ;-)
Seriously, though. I don't have a problem with the article itself. I agree that M$'s errors should be made public. I just question the move of giving the general public the knowledge to actually bring down a server. Granted, this is a very specific attack to a specific server combination, but how does disabling some small company's server affect Bill in any way? Isn't it enough to say "This program has a serious security flaw" and let the L337 hax0rs figure out how to do it?
It seems to me like publishing the recipe for napalm in the name of freedom of the press.

By: samsara

samsara — Wed, 18 Apr 2001 09:41:58 -0800

Am I the only one that notices the strange irony of Microsoft's Internet Security and Acceleration (ISA) being the very thing that was so easily hacked? Or is this just a product that is just three buzz words and a price tag?

By: Mocata

Mocata — Wed, 18 Apr 2001 09:57:53 -0800

Didn't seem to work for me. But then I'm an idiot.

By: jammer

jammer — Wed, 18 Apr 2001 10:54:28 -0800

Starvingartist, yours is a debate that often goes back and forth in computer security circles; the issue is full disclosure vs. limited disclosure. With open source software, full disclosure is obviously the better option -- the more people know about the problem, the more someone is likely to be motivated enough to fix it. However, the issue is slightly more complex with closed source software, as, no matter who knows about the problem, there is a very small number of people with the ability to fix it. However, as has been mentioned previously, criMosoft has a track record of not fixing security holes until there's a widespread public knowledge of the issue. It's not worth their time to put out a quality product, otherwise, apparently. In this case, it could be argued that it's for the public good to detail these things generally, in order to prompt a more rapid fix. One way or another, most of the people who *really* could use this information in a negative manner will have it, whether mainstream mags post it or not.

By: anildash

anildash — Wed, 18 Apr 2001 11:14:36 -0800

ISA has more of a corporate audience, designed not just to be a firewall, but also to cache pages for viewers on an Intranet. It's not (likely) the sort of thing Matt would have running on a one-server operation like MeFi's box.

By: redleaf

redleaf — Wed, 18 Apr 2001 11:22:49 -0800

Sorry for the jab..... I think you meant "conscience." Err ya... Doh. Spell check let me down on that one.

By: fooljay

fooljay — Wed, 18 Apr 2001 11:25:18 -0800

I just question the move of giving the general public the knowledge to actually bring down a server. How do you think they found out about it? Typically, reports come to these security agents from the field (the general public) and they are tested internally, then reported to Microsoft. Usually M$FT sits on it. At that point, forced disclosure is the only option. It's almost like a bureaucratic process. "No, sorry. We can't devote resources to that. It's not public." "Oh OK, hey Cnet..." Besides, there are many other Microsoft vulnerabilties out there for all the world to see, some even of the same type. What makes one more that significant? Anyway, most systems which are hacked are not exploited through the latest and greatest, but through some relatively ancient hole that the system administrator was too lazy to patch.

By: willnot

willnot — Wed, 18 Apr 2001 11:26:15 -0800

It looks like the linked story left out the important fact that this only works when the web page request is submitted from inside the network.

By: jessamyn

jessamyn — Wed, 18 Apr 2001 17:28:41 -0800

How many bored people with a penchant for anarchy... Actually, anarchists are really mostly in favor of a system of society without coercive government, where "individuals freely co-operate together as equals" and are rarely bored. And, apropos of this topic, we'd probably all behave a bit better if our actions were exposed to public scrutiny. Microsoft made this bed, they can lie in it.