Bring down MeFi in one easy step.
April 18, 2001 8:51 AM   Subscribe

Bring down MeFi in one easy step. Matt, does this affect you?
posted by redleaf (14 comments total)
An attacker can take advantage of the vulnerability by sending the server a request to view a Web page with an unusually large address--for example, one with the letter A repeated 3,000 times, SecureXpert Labs said. Sending such a request will prevent the ISA software from letting computers inside its network view outside Web pages or letting outside computers view inside pages.

Is it just me, or does it seem vaguely irresponsible to actually explain how to make this attack work in the article? How many bored people with a penchant for anarchy are going to try this now, before the patch is sufficiently implemented around the net?
posted by starvingartist at 8:56 AM on April 18, 2001

When I first read that my thought was what site do I know running Win2k that I could test this out on? Then my conscious kicked in.
posted by redleaf at 9:06 AM on April 18, 2001

Yes, I often feel the need to hack into websites while in an unconscious state too.

Sorry for the jab..... I think you meant "conscience."
posted by PWA_BadBoy at 9:08 AM on April 18, 2001

starvingartist: I prefer exposure as Microsoft have been slack in the past when it comes to patches and hopefully public embaressment spur them on. Really though - I like people considering products other than Microsoft.
posted by holloway at 9:15 AM on April 18, 2001

Starvingartist, if the vulerabilities are not made public, Microsoft has a proven record of not doing anything about them until they *are* made public. Besides, from what I read in the article, the vulnerability only occurs with NT servers running a particular kind of firewall software.
posted by Spanktacular at 9:31 AM on April 18, 2001

Ow! Ow! Stop with the beating! ;-)

Seriously, though. I don't have a problem with the article itself. I agree that M$'s errors should be made public. I just question the move of giving the general public the knowledge to actually bring down a server. Granted, this is a very specific attack to a specific server combination, but how does disabling some small company's server affect Bill in any way? Isn't it enough to say "This program has a serious security flaw" and let the L337 hax0rs figure out how to do it?

It seems to me like publishing the recipe for napalm in the name of freedom of the press.
posted by starvingartist at 9:40 AM on April 18, 2001

Am I the only one that notices the strange irony of Microsoft's Internet Security and Acceleration (ISA) being the very thing that was so easily hacked? Or is this just a product that is just three buzz words and a price tag?
posted by samsara at 9:41 AM on April 18, 2001

Didn't seem to work for me. But then I'm an idiot.
posted by Mocata at 9:57 AM on April 18, 2001

Starvingartist, yours is a debate that often goes back and forth in computer security circles; the issue is full disclosure vs. limited disclosure. With open source software, full disclosure is obviously the better option -- the more people know about the problem, the more someone is likely to be motivated enough to fix it.

However, the issue is slightly more complex with closed source software, as, no matter who knows about the problem, there is a very small number of people with the ability to fix it. However, as has been mentioned previously, criMosoft has a track record of not fixing security holes until there's a widespread public knowledge of the issue. It's not worth their time to put out a quality product, otherwise, apparently.

In this case, it could be argued that it's for the public good to detail these things generally, in order to prompt a more rapid fix. One way or another, most of the people who *really* could use this information in a negative manner will have it, whether mainstream mags post it or not.
posted by jammer at 10:54 AM on April 18, 2001

ISA has more of a corporate audience, designed not just to be a firewall, but also to cache pages for viewers on an Intranet. It's not (likely) the sort of thing Matt would have running on a one-server operation like MeFi's box.
posted by anildash at 11:14 AM on April 18, 2001

Sorry for the jab..... I think you meant "conscience."

Err ya... Doh. Spell check let me down on that one.
posted by redleaf at 11:22 AM on April 18, 2001

I just question the move of giving the general public the knowledge to actually bring down a server.

How do you think they found out about it? Typically, reports come to these security agents from the field (the general public) and they are tested internally, then reported to Microsoft. Usually M$FT sits on it. At that point, forced disclosure is the only option. It's almost like a bureaucratic process. "No, sorry. We can't devote resources to that. It's not public." "Oh OK, hey Cnet..."

Besides, there are many other Microsoft vulnerabilties out there for all the world to see, some even of the same type. What makes one more that significant?

Anyway, most systems which are hacked are not exploited through the latest and greatest, but through some relatively ancient hole that the system administrator was too lazy to patch.
posted by fooljay at 11:25 AM on April 18, 2001

It looks like the linked story left out the important fact that this only works when the web page request is submitted from inside the network.
posted by willnot at 11:26 AM on April 18, 2001

How many bored people with a penchant for anarchy...

Actually, anarchists are really mostly in favor of a system of society without coercive government, where "individuals freely co-operate together as equals" and are rarely bored.

And, apropos of this topic, we'd probably all behave a bit better if our actions were exposed to public scrutiny. Microsoft made this bed, they can lie in it.
posted by jessamyn at 5:28 PM on April 18, 2001

« Older Memorial to Wang Wei   |   Newer »

This thread has been archived and is closed to new comments