The Active Network
ActiveMac Anonymous | Create a User | Reviews | News | Forums | Advertise  
 

  *  

  Hacker code could unleash Windows worm
Time: 15:17 EST/20:17 GMT | News Source: CNET | Posted By: Alex Harris

A hacker group released code designed to exploit a widespread Windows flaw, paving the way for a major worm attack as soon as this weekend, security researchers warned. The warning came Friday, after hackers from the Chinese X Focus security group forwarded source code to several public security lists. The code is for a program designed to allow an intruder to enter Windows computers.

The X Focus program takes advantage of a hole in the Microsoft operating system that lets attackers break in remotely. The flaw has been characterized by some security experts as the most widespread ever found in Windows. "An exploit (program) like this is very easy to turn into a worm," said Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security. "I wouldn't be surprised if we see a worm sooner rather than later."

Write Comment
Return to News

  Displaying 1 through 25 of 336
Last | Next
  The time now is 8:11:21 AM ET.
Any comment problems? E-mail us
#1 By 2332 (65.221.182.2) at 7/26/2003 4:35:04 PM
What I don't understand is why the people who write these worms don't get punished more often.

While tracing these things can be difficult, I'm sure the thousands of companies hurt by the worm would be more than happy to help out.

How about 25 years in jail and you have to pay back all the money that was lost due to the worm? Sound good?

#2 By 135 (208.186.90.91) at 7/26/2003 5:55:26 PM
RMD - Agreed. Jail time is a strong deterrent force.

Although we better be careful here. We might get kicked out of the "imaginary liberal" club for not conforming to all the stereotypes.

#3 By 12071 () at 7/26/2003 11:37:21 PM
#4 I'm curious to know why you believe that jail (or gaol if you're British) is a strong deterrent? People continue to commit crimes knowing full well that they could be sent to prison or even receive the death sentence (depending on whether it's legal where they are). I'm not sure what a good deterrent for virus/worm/etc writers is, I just don't think jail is one of them.

"I don't like broken exploits, so I fixed it," he said.

#4 By 135 () at 7/27/2003 1:06:59 AM
kabuki - "People continue to commit crimes knowing full well that they could be sent to prison or even receive the death sentence (depending on whether it's legal where they are)."

But I don't commit crimes. Why? Because I know if I did, I'd likely go to jail.

If there is no penalty, people will never live up on their own to the responsibility for the damage they have wrought. A deterrent is never going to gain 100% compliance to a law, and to try to claim otherwise is nonsensical. Obviously you are going to have people in society who do not care.

That being said, the punishment should never be worse than the crime... the old "eye for an eye" concept should still apply. So I don't think the death penalty is appropriate, but a good 4-8 years in jail certainly ought to suffice.

Look at the P2P music problem. The RIAA files lawsuits against a few hundred people and suddenly file swapping is down 15%. Had a pretty dramatic effect, didn't it? Got you thinking whether it was worth the hassle? If those lawsuits are effective, and the RIAA cranks it up a notch file sharing will be down another 15%, then another... and so on. After a while it'll be a controllable problem.

#5 By 61 (24.92.223.112) at 7/27/2003 2:04:25 AM
4-5yrs jail time plus after time not being allowed to even look at a computer screen for the next 10 to 15 yrs.

#6 By 12071 (203.217.70.247) at 7/27/2003 3:17:05 AM
#7 "The RIAA files lawsuits against a few hundred people and suddenly file swapping is down 15%."

Where did the 15% statistic come from? The RIAA? Not that I have scientifically measured it but I don't see 15% less people trading music on Kazaa, eMule, WinMX and the like. Honestly I don't think it has deterred people very much at all. Piracy of applications and games has been a "problem" for far longer than music and there have been plenty of high profile law suits made against the main groups involved and individuals. Is piracy down (regardless of the statistics that the BSA and whoever else may come out with)? I don't think so. Especially now with P2P being so popular it has never been easier to pirate software even though the deterrents have been in place for years.

So yes there needs to be a deterrent in place... I'm just not sure what an effective one would be.

And linuxhippie touched on the other point I was going to make earlier. How do you prosecute these people? In the country where they are from? In every country where they caused harm?

#7 By 2332 (65.221.182.2) at 7/27/2003 4:30:02 AM
#9 - "might be easier just to use a more secure OS.."

If you ever find one, let us know.

#8 By 12071 (203.217.70.247) at 7/27/2003 4:37:01 AM
#11 OpenBSD =)

#9 By 2332 (65.221.182.2) at 7/27/2003 1:26:19 PM
#12 - Ok, I'll give you that.

#10 By 135 (208.186.90.91) at 7/27/2003 4:33:33 PM
kabuki - "Where did the 15% statistic come from? The RIAA?"

I don't get it. Why do people formulate opinions on things without reading about the issue?

http://news.com.com/2100-1027-1025684.html

"Is piracy down (regardless of the statistics that the BSA and whoever else may come out with)?"

Yes, piracy is down noticeably. What is this thing you have with disregarding statistics?

"And linuxhippie touched on the other point I was going to make earlier. How do you prosecute these people? In the country where they are from? In every country where they caused harm? "

Why does everything have to be an absolute with you?

Obviously through international law. How do we presently prosecute other criminals? If I commit a murder in the US and flee to china, do you think I'll get away with it?

"I don't think so."

I have to agree with that.


#11 By 135 (208.186.90.91) at 7/27/2003 4:34:15 PM
linuxhippie - If you want a secure OS... unplug your computer from the network.

#12 By 12071 (203.185.215.149) at 7/27/2003 8:31:22 PM
#15 "Why do people formulate opinions on things without reading about the issue?"
The '?' (question mark) character is just that, I was asking a question, not stating an opinion. I was just curious to know where that figure had come from. Do you take everything at face value? From that story you provided a link to the 15% figure came from Neilson/Netratings and the File-trading companies in question disagreed with their findings. ("File-trading companies question Nielsen/Netratings figures"). How were those figures determined... "Both measurements are extrapolated from a sample pool of about 50,000 home Internet users in the United States."... from 50,000 users in the US alone! And you wonder why I question these figures?

"Yes, piracy is down noticeably. What is this thing you have with disregarding statistics?"
I have a "thing" with questioning statistics. (Well I actually have a "thing" with question just about anything, in this case it happens to be statistics that from my own experiences at least I do not agree with). The BSA and yourself say that piracy is down.... I really don't see any evidence of that - maybe it's down in America, but overall I don't think it's down.

"If I commit a murder in the US and flee to china, do you think I'll get away with it?"
If you flee to a country from which the US cannot extradite you then you could very well get away with it yes.

#13 By 12071 (203.185.215.149) at 7/27/2003 8:37:04 PM
#18 No, the worst thing is that people try to simplify the reasons given by those that pirate software & music. It's not the same stealing - it's stealing a clone of if you like. If you have a BMW and I steal it from you, you have ever right to be pissed off with me, as I have just taken property away from you. However if I somehow create a clone of your car and then take that they you haven't really lost anything have you? I'm not justifying the theft of software and music but don't simplify the argument, it's not that simple.

#14 By 1845 (12.209.152.69) at 7/27/2003 8:48:10 PM
Preventing the realization of revenue, but still benefitting from a service or product that otherwise would have resulted in the realization of revenue, would be considered by most reasonable people as stealing.

Shoplifting, for instance, falls into this category. If I use my five finger discount to obtain the latest CD from Linkin Park, I have prevented the music store, the record company, and the artist from realizing a profit on the sale. Since my "discount" was on a tangible item, it is a somewhat worse scenario, because that physical item can no longer be sold, since the music store no longer has it to sell. In brief, while stealing a physical item might be worse, stealing an copyright protected works or intellectual property falls into the same category.

The issue may not be quite as simple jpursell has explained, but it certainly isn't that complex either.

#15 By 1845 (12.209.152.69) at 7/27/2003 9:10:10 PM
parker, interesting that you so often defend Microsoft, which arguably falls in the same catagory of dishonest business practices, yet you attack the RIAA. In either case, their fraud, deciept, or rape of the consumer, does not expunge the the duty of a citizen (at the very least a US citizen) to obey the law. The old saying "two wrongs don't make a right" applies here. If you defend pirates for their activities, you are advocating vigil-anti "justice". I find such a behavior odd coming from one whom I generally consider to be level-headed. Despite the harsh nature of my comment, this isn't meant as an offense, just an observation.

Five years ago I was a great programmer, fresh out of school, with no professional experience. Microsoft hired me, gave me $80,000/yr to write code. Specifically, I have worked on the UDA initiative, so my work has been included in every subsequent release of SQL Server, Internet Explorer, Exchange, and Windows. I have received stock options, some more useful than others, but I've barely received anything in comparison to the income Microsoft has generated from my work.

Using your logic of RIAA vs. artists, Microsoft has ripped me off and paid me a pittance. Interestingly enough, this same model is employed by virtually every other IP-based or copyright based company on earth. IBM, Oracle, the New York Times, New Line Cinema, etc. The key in each of these scenarios is that the worker (me, in my example) signed a contract. I was fully aware of the implication of the signature. Don't cry for me. Don't cry for Eminem that Aftermath has made a hundred million or so on him and he's only made 80 million. They made him who he was. Microsoft has made more than I would have made otherwise. Nearly every other artist, programmer, journalist, actor, movie producer falls into the same category. Though the contract may have been more favorable to the software house, music company, movie company, game company, etc. it was still very beneficial to the worker.

On price fixing, I thought RIAA has only dealt with that in the state of New York. If my facts are correct, are you thumbing your nose at one of the greatest ideals of the United States, namely that an entity is innocent until proven guilty? It would seem that an unconvicted RIAA (and more correctly, they don't sell music, it is the companies of which RIAA is composed) is an innocent RIAA.

Finally, a note on summer usage stats. By my logic, I'd guess that the most avid pirates are high school and college-aged guys. I'd imagine that they have more time in the summer than during the school year, so it would seem reasonable to me that if usage of p2p copyright infringing networks decreased during a summer month, it's likely not a result of vactions, but that people are scared. To be more objective, though, we should compare this year's usage stats with stats of the last few years to see what the usage patterns typically are during this time of year and to see if this year is anomolous in comparison to previous years.

#16 By 1845 (12.209.152.69) at 7/27/2003 9:12:51 PM
By the way, I don't work for Microsoft, but I have a few friends who work there. I based my example on the compensation plan one of my friends receives. Oh, I forgot his $10,000 signing bonus.

#17 By 12071 (203.185.215.149) at 7/27/2003 9:22:43 PM
#22 "Preventing the realization of revenue, but still benefitting from a service or product that otherwise would have resulted in the realization of revenue, would be considered by most reasonable people as stealing."

That's a fair definition. But here is where is starts to get a bit more interesting (i.e. not quite as simple as saying piracy = stealing) as there are several forms of stealing. Let's use the example used by a lot of pirates, downloading a copy of Adobe Photoshop. In many circumstances I would say this program is downloaded because that's what their friends use or because it's considered to be the best. I highly double many of these people use more than a couple of features of Photoshop and I would say very few use Photoshop to make money of. Would these same people purchase a copy of Photoshop if they could not download it? Of course not! They would either buy nothing or perhaps buy a cheaper alternative such a Jasc's Paint Shop Pro. It's still stealing, you're taking something which does not belong to you, but you are NOT really depriving anyone of any losses.

Same thing with music. I know plenty of people that do not and have not bought any cd's. They refuse to pay $30 for a CD with 3 good songs on it. To that you might say "tough" and that's a fair position too, but they will not go and buy that cd no matter what. In the past they have copied the songs they wanted onto cassette and these days they copy the songs onto cd-r. Are they stealing? Yes. Is this the same stealing as going into a music store and taking a cd? Not even close.

I think we've gone off on a bit of a tangent =)

#18 By 665 (64.126.83.86) at 7/27/2003 9:49:27 PM
I guess I'm going to jump in here and stay on the same topic, but I'm not really following the same thread as everyone else... I find it interesting how, back before the subpoenas were filed, the RIAA was going on and on about how downloading was effectively the same as walking into a music store and stealing a CD (which I think it is). Now, they have made threats to sue file sharers for figures in the hundreds of thousands PER song. I don’t think a judge will ever allow such an award, but I still think the threats are crazy. I don’t see how they can justify charging a little over a dollar per copyrighted song.

But ultimately, I do think “sharing” copyrighted is wrong. I still like Kazaa, though. I have a pressplay subscription and can get all the music I want from it. But I still often download music from Kazaa for whatever reason (pressplay’s search function sucks, they don’t often have acoustic or live versions, etc…). I don’t think they answer is suing, but I honestly don’t think there is much of a better one. None of the scheme’s I’ve heard to compensate the record companies and the artists are really feasible. At the same time, I don’t get how they can raise CD prices even higher and expect people not to download.

#19 By 1845 (12.209.152.69) at 7/27/2003 10:07:58 PM
#25

Ah, yes, the "well I wouldn't have paid for it anyway" argument. I just wonder how accurate it is to make such a claim when the oppurtunity to satisfy a desire exists. If I am in a position where the only means I have to hear the three songs from a disk are to buy the disk, and I choose not to buy it, then I know that I wouldn't have purchased it anyway. If I am in a position where I can either buy or pirate to hear the only three songs on a disk that I want to hear, and I pirate rather than purchase, I don't really know what I would have done had piracy not been an option. I can rationalize and claim that, but more than likely I'm lying to myself. Either way, piracy is against the law, whether you wouldn't have bought it or not. And, yes, the same goes for PhotoShop or VisualStudio or Microsoft Office.

If you pirate it, you are benefitting from the service or product that otherwise would have resulted in realization of revenue. Meaning, if the only way to use the product was to buy it, and you didn't but still used the product, you've meet the terms of my definition for stealing.

Is it the same as shoplifting? No, but I already said that. Is it close? Yes. Perhaps not as bad, but it is still bad.

#20 By 1845 (12.209.152.69) at 7/27/2003 10:14:12 PM
#26 RE Hundreds of thousands in damages.

You bring up an interesting point. I think there are a few components to be examined here. If I run a "super node" in a p2p network, then more than likely significantly more than one person will illegally obtain copyright protected works by my instrumentality. If I was the first to put Eminem's "Business" from the Eminem Show on Kazaa, and it was mirrored a few dozen times, and downloaded a few million times, then I have enabled more than one million violations of copyright law, even though I only had one file.

Another point to think about is this - for a crime, there is penalty and restitution. The fine for shoplifting a gallon milk is not merely the cost of a gallon of milk. Depending on age and location, there is likely a fine, jail time, or community service as well as restoring the price of the gallon of milk. It stands to reason that the fine for pirating a CD shouldn't only consist of the cost of the CD, but also of the number of people to whom you allowed pirated copies to flow, and a fine for breaking the law. Legal fees for the prosecution should also be paid be the convicted.

#21 By 665 (64.126.83.86) at 7/27/2003 10:24:57 PM
#28, you are right about the punishment being more than the crime, but if I stole a CD would the court make me pay hundreds of thousands of dollars PER track PER CD? No way... if you got caught stealing a lone CD, you might get a ride in a cop car. Maybe see a judge but that's about it. Any fine would be far far far far less than hundres of thousands of dollars.

I don't think being a SuperNode is any more illegal that working at a gas station. Sure, you might help people transport illegal things (weapons, drugs, etc.) but you are also helping legitimate people. P2P networks are used for legitimate uses (more than I think most people realize, although I can't support that). Besides, you'll get a court house full of people who have absolutely no idea what a SuperNode is...I'm sure more than 90% of the 57,000,000 people who file share have idea about the underlying technology...can you really punish people for that?

#22 By 1845 (12.209.152.69) at 7/27/2003 10:34:52 PM
I don't the "working in gas station" analogy is an apples to apples comparison for a few reasons. First and foremost, the RIAA isn't going to sue people for being supernodes of non-copyright protected material. If you write a song, record it, and release it to the public domain via Kazaa, RIAA won't touch you. If you copy a track from Fountains of Wayne's latest album, though, that is a different story.

In the case of publishing the FOW song, I'd say you fall into the category of "aiding and abedding" or "conspiracy to commit <insert crime>" or "trafficing in stolen goods" or something similar. If you knowingly allow someone to break the law, you are responsible. I find it highly unlikely that p2p network users don't know that most of the traffic is illegal. If you facilitate that traffic, you are then a contributer, conspirator, or are aiding and abedding and as such you should be punished.

I have looked at several p2p networks and I can say, anecdotally, that I've found little that wasn't illegal. IIRC Judge Patel shut down Napster because upwards of 95% of its traffic was of copyright protected works. I have seen no evidence, empiracal or otherwise, to indicate that any other p2p-style network carries a less illegal percentage of content. If you or anyone can show me some evidence, I'd be glad to change my opinion and increase my view of the integrity of the Internet using population as a whole

This post was edited by BobSmith on Sunday, July 27, 2003 at 22:35.

#23 By 1845 (12.209.152.69) at 7/28/2003 2:23:24 AM
Wow, thanks for correcting me on the class action suit. I didn't realize it was any where near that far reaching, that is, with respect to the number of states involved.

I'm not sure that I agree on the CD price rising thing. It seems to me that CDs cost roughly 12-20 dollars just as they have for the last ten years (when I first started buying CDs). There have also always been avenues - Columbia House, BMG Music Club, later eBay, etc. - to legally obtain CDs for less than typical market price. By the time I had purchased 100 CDs (all legal), I think I paid more than $15/disk or more for less than 8 of them. Now I have a policy of not paying more than $12/disk. I still buy everything legally.

I definately think that fewer titles will have an impact on sales. Still, fewer titles or higher prices, still do not excuse breaking the law. The bottom line is that pirates are trampling the rights of copyright holders and that is reprehensible. I may hate the business practices of the content producers or hate their content, but as a citizen of the United States, I have an obligation to obey the law of said country. It frightens me when citizens don't seem to think (no, this isn't aimed directly at you, parker) someone's rights are important if we don't like them or if they are a big corporation.

BTW, the reason I mentioned Eminem, other than that I was listening to him at the time, is that he has come out in opposition to piracy and his songs have topped the piracy charts in times past. For the purposes of my argument, though, any artist no matter how big or small, can replace him. Bottom line is that the artist knew what they were getting into when they signed the contract. You don't cry for the RIAA and I don't cry for the artists.

#24 By 1845 (12.209.152.69) at 7/28/2003 2:30:45 AM
Oops, forgot a point.

I don't understand why you claim I "attack the RIAA". I was just pointing out a few facts they would prefer no one to discuss.

Perhaps it was your earlier post where you said "I think the RIAA are lower than the lowest of the low. "

Maybe it is just me, but that didn't seem to be a hand of fellowship or a jovial pat on the back. One might think of that comment as a sucker punch or a punch in the nose. I'd consider either an attack.

#25 By 6859 (206.156.242.36) at 7/28/2003 9:32:45 AM
You guys are too soft on electronic criminals.

I would simply execute them. Single shot, to the head, publically.

Do that, maybe 10 to 15 times, then they'll all get the message and THAT'S a deterrant, not what the prospect of maybe service a few years--if they don't get probation or some crud like that.

Execute them. Simple and effective.

Write Comment
Return to News
  Displaying 1 through 25 of 336
Last | Next
  The time now is 8:11:21 AM ET.
Any comment problems? E-mail us
User name and password:

 

  *  
  *   *