Just goes to show ya that the advantages of open source in mass-market products that require security are quite real. Security thru obscurity works damn good when there are only a relatively few copies of your server in existence (i.e. some of the old phone company systems...). Nevertheless, even then people locate security holes, sometimes on accident*. With open source, there are both security professionals and hackers who want nothing more than their name in lights, as authors of a script (hence gaining fame and admiration from script kiddies the world round...) who will search day and night for a hole. When such is found, it's generally reported to something like BUGTRAQ pretty quickly, right? The net result of this constant repurging of security flaws is that it's quite rare that the same security flaw sits undiscovered for half a decade in Open Sourced software...

What eEye has discovered is quite shocking, really, if the story is reported factually... and unless Bill and friends recently sold all their stock and are now shorting Microsoft, I doubt msnbc.com will be slandering Microsoft... I've heard from a friend who develops for Microsoft that they DO release their source code, after you sign a billion waivers, your firstborn, etc... to their developers, for an outrageous sum of money, or some such. I'd bet money this is how eEye was able to discover this flaw, and the one they discovered prior to it. Microsoft could dramatically better its image if it offered high-dollar rewards to companies that could demonstrate, privately for MS, working exploits with patches to provided source to prevent them... ah well.

--

*I've done so myself, having found the magic to get to the configuration menu for "Proctor Test Set" - a centrally located payphone testing tool. I published that and other info in the summer 1994 issue of 2600 magazine. The "exploit"? Administrators were leaving the configuration password at 000 and then setting the system to make option 11 (the configuration submenu) not available. The problem was that the button "B" (a DTMF tone not found on most phones; most phones only have 12 of the 16 DTMF tones. Most older modems, particularly USR and Hayes, could dial the A, B, C, and D tones, however) returned the SAME VALUE that the program's menu driver reinterpreted the two-key combo of 11 to be... I only discovered this since I was trying to figure out why the hell menu item 11 wasn't there. Since "1" was obviously an extension to add digits, I figured that 11 might have even more digits. I'd also noticed that *, #, and A, C, and D were shortcuts for dialing the higher-numbered menu items. Since pressing 11 resulted in a message of "invalid choice", I started mapping out by pressing B, then hitting zeros. (Suffice to say, B001 and all others returned the phrase "invalid password", something I discovered later.)

Technomage wrote:
> something I happened across in a hacking newsgroup.
> http://www.msnbc.com/news/588963.asp?cp1=1

--
jkenner @ mindspring . com
I Support Linux: Working Together To Build A Better Future.
 _> _ _ |_ _ _ _|
<__(_||_)| )| `(_|(_)(_|