Sun Microsystems Solaris hole opening way for hackers
CNet News.com ^ | January 15, 2002, 5:30 p.m. PT | Robert Lemos

Posted on 01/15/2002 4:54:37 PM PST by Bush2000

To: Dominic Harr
I'd say the entire article is a joke. They completely ignore the context. The real story here is that a HoneyPot actually worked, and caught a hacker using a known exploit. But *some* people use FR for Clintonista-style disinformation, as a break from their posting of MS press releases.

Perhaps you ought to tell CERT that their advisories are a joke then because the article is merely repeating what is present in the CERT advisory. I love how you guys scurry for cover whenever your hypocrisy is laid bare.
41 posted on 01/15/2002 7:15:44 PM PST by Bush2000
[ Post Reply | Private Reply | To 38 | View Replies]

To: unix
I mean, what *he* posted.

Sorry.

42 posted on 01/15/2002 7:16:23 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 39 | View Replies]

To: go star go
anyone can create sockets with winsock

You are dead wrong.

The paragraph included below was pasted from the Microsoft Windows 2000 Platform Software Developers Kit dated February 01, 2001. The MSDN Library is available for reading at the msdn.microsoft.com web site. Anyone who doesn't believe the "tator" is invited to go to the MSN developers website and do a search on raw sockets.

Click here

Microsoft told me that they would either go to a new way to prevent raw sockets or change the documentation in future versions. The final version of XP server is not finished so I don't know what if anything will be done in XP server.

Here is the paragraph as it appears in the Microsoft documentation.

 
         Note On Windows NT/Windows 2000, raw socket 
         support requires administrative privileges. Users 
         running Winsock applications that make use of raw 
         sockets must have administrative privileges on the 
         computer, otherwise raw socket calls fail with 
         an error code of WSAEACCESS.

    Microsoft Platform SDK, February 2001 Edition. This  
    content last built on Thursday, February 01, 2001.

43 posted on 01/15/2002 7:22:43 PM PST by Common Tator
[ Post Reply | Private Reply | To 20 | View Replies]

To: Bush2000
Hehehe...After re-reading the article and CERT report; any self respecting sysadmin will laugh at this. And if they're not laughing, or scratching their head why some of us are finding this funny, kindly leave their IP addr's on this thread? DDNS name will also do.

Unlike your beloved MS products, we can separate that "pretty" GUI from the box and let the box do what it was intended to do, work. Must suck when you don't have complete control of your OS...

44 posted on 01/15/2002 7:25:39 PM PST by Michael Barnes
[ Post Reply | Private Reply | To 41 | View Replies]

To: Common Tator
To hear you tell us that M$ used open source software in their product in light of their recent attacks is truly funny :)
45 posted on 01/15/2002 7:31:50 PM PST by AaronAnderson
[ Post Reply | Private Reply | To 17 | View Replies]

To: Common Tator
Question, is BSD GPL'd?
46 posted on 01/15/2002 7:35:17 PM PST by Michael Barnes
[ Post Reply | Private Reply | To 43 | View Replies]

To: All
CNet Advisory on the exploit:

This vulnerability was first reported to us in March 1999, and more recently by Internet Security Systems (ISS) X-Force.

This is a known, old exploit.

This machine was left vulnerable with an old, known exploit *on purpose*. By the HoneyNet project. To try and catch a hacker. Which they did.

47 posted on 01/15/2002 7:40:56 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 46 | View Replies]

To: All
As a side-note, what this *does* prove is that there are hackers out there trying to hack Solaris every day.

So the claim that MS has exploits because hackers target them was just completely disproven.

48 posted on 01/15/2002 7:45:29 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 47 | View Replies]

To: Bush2000
I love Bruce Eckel but disagree with this. It appears Bruce does not like exceptions as he is forced to deal with them even when he doesn't want to. However, that is the purpose of exceptions and forcing you to take care of them as you write your code. In his empty catch statement he should have obviously used exception.printStackTrace() to at least log the error. I understand that this is a burden on the programmer and does hurt performance and productivity but I have learned that if you put things off for later and you are not careful you tend to forget them until it is too late. Relying on the system to gracefully handle errors is not a good practice by any means.
49 posted on 01/15/2002 7:58:28 PM PST by AaronAnderson
[ Post Reply | Private Reply | To 31 | View Replies]

To: AaronAnderson
In his empty catch statement he should have obviously used exception.printStackTrace() to at least log the error.

Yes, yes, yes.

A *minimum*. At least print out errors when they occur, for goodness' sake. Forced, not 'voluntary'.

And there's a bigger problem, I'd say. Part of a good architecture is building a core of classes that can be extended by other programmers.

In C#, without a 'throws', those programmers can forget to handle the exceptions. There is no way to force them to handle the exceptions programmatically. This is a serious potential point of failure.

50 posted on 01/15/2002 8:08:47 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 49 | View Replies]

To: unix
Unlike your beloved MS products, we can separate that "pretty" GUI from the box and let the box do what it was intended to do, work. Must suck when you don't have complete control of your OS...

Dude, don't kid yourself. I can lock down my Win2K servers just as tight as your pretty little Unix boxes.
51 posted on 01/16/2002 8:00:26 AM PST by Bush2000
[ Post Reply | Private Reply | To 44 | View Replies]

To: AaronAnderson
I understand that this is a burden on the programmer and does hurt performance and productivity but I have learned that if you put things off for later and you are not careful you tend to forget them until it is too late. Relying on the system to gracefully handle errors is not a good practice by any means.

Eckel is right on target, though: Java forces you to stub out the exception but it certainly doesn't force you to do anything meaningful with it, such as throw again or print a stack trace. That's his point: most developers will simply stub out the exception block and fill it in later. Quite often, they may forget to do so which gives the false sense that the code is safer than it really is. Personally, I don't mind checked exceptions but I also don't mind the flexibility of handling them in a higher location in the stack. After all, exceptions add performance overhead. If all you're going to do is throw again, anyway, you've sacrificed performance for principle.
52 posted on 01/16/2002 8:04:27 AM PST by Bush2000
[ Post Reply | Private Reply | To 49 | View Replies]

To: SolitaryMan
But goes to prove again that no OS is really secure.

This can't be true. I was assured yesterday that MacOSX and Unix were secure due to their basic architecture. Freepers wouldn't lie to me.

53 posted on 01/16/2002 8:06:35 AM PST by js1138
[ Post Reply | Private Reply | To 9 | View Replies]

To: Common Tator
go star go: anyone can create sockets with winsock

Common Tator: You are dead wrong.

Sorry, I think you are wrong and go star go is right.

Anyone can create sockets - otherwise, you wouldn't be able to use things like, oh, say, a web browser.

The information you responded with had to do with raw sockets. go star go didn't say raw sockets. He said just sockets, which any user can create.

54 posted on 01/16/2002 8:12:38 AM PST by Mannaggia l'America
[ Post Reply | Private Reply | To 43 | View Replies]
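The distinction argued over in posts 43 and 54, as an added example that is not part of the original thread: the probe below tries to create an ordinary TCP socket and a raw ICMP socket as the current user and reports whether each attempt was allowed or refused for lack of privilege. The function names are hypothetical; 10013 is WinSock's permission-denied code, and the outcome of the raw attempt depends on the account the script runs under.

```python
import errno
import socket

# WinSock's "permission denied" code (WSAEACCES); POSIX systems use EPERM/EACCES.
WSAEACCES = 10013
DENIED = {errno.EPERM, errno.EACCES, WSAEACCES}


def classify(exc):
    """Map a socket-creation OSError to 'denied' (privilege problem) or 'error'."""
    codes = {exc.errno, getattr(exc, "winerror", None)}
    return "denied" if codes & DENIED else "error"


def try_socket(sock_type, proto):
    """Attempt to create an IPv4 socket; return 'created', 'denied' or 'error'."""
    try:
        s = socket.socket(socket.AF_INET, sock_type, proto)
    except OSError as exc:
        return classify(exc)
    s.close()
    return "created"


def probe():
    """Compare an ordinary TCP socket with a raw ICMP socket for this user."""
    return {
        "stream": try_socket(socket.SOCK_STREAM, socket.IPPROTO_TCP),
        "raw": try_socket(socket.SOCK_RAW, socket.IPPROTO_ICMP),
    }


if __name__ == "__main__":
    for kind, outcome in probe().items():
        print(f"{kind:6s} socket: {outcome}")
```
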

To: Common Tator
anyone can create sockets with winsock

You are dead wrong.

i'm not really wrong. i was referring to the simplicity of programming using winsock for socket io not to any rights issues. that's the purpose of winsock.

55 posted on 01/16/2002 3:53:27 PM PST by go star go
[ Post Reply | Private Reply | To 43 | View Replies]

To: Bush2000
Your #51, doubtful at best.
56 posted on 01/16/2002 7:59:16 PM PST by Michael Barnes
[ Post Reply | Private Reply | To 51 | View Replies]

To: unix
Your #51, doubtful at best.

Anytime you want to try to crack my server, you just let me know. My servers laugh in your general direction...
57 posted on 01/16/2002 8:21:58 PM PST by Bush2000
[ Post Reply | Private Reply | To 56 | View Replies]

To: Bush2000
And how exactly did you turn off ICMP on your servers? (Not echo (port7)). I am willing to bet it was not natively within the OS.
58 posted on 01/16/2002 9:16:36 PM PST by Michael Barnes
[ Post Reply | Private Reply | To 57 | View Replies]

To: unix
And how exactly did you turn off ICMP on your servers? (Not echo (port7)). I am willing to bet it was not natively within the OS.

Heh heh. I have a hardware firewall in front of my boxes. Only the traffic that I want to go through gets through... ;-)
59 posted on 01/16/2002 9:28:21 PM PST by Bush2000
[ Post Reply | Private Reply | To 58 | View Replies]

To: Bush2000
Really? A hardware firewall? Gee, did you make it yourself out of bits of wire and tubes and stuff?

Or do you mean that it's an appliance that runs an OS other than Windows and maybe boots from an EPROM chip instead of a disk?

And to think that I had doubts about how little you know about security. Well, my doubts are removed. You know nothing about security if you think:

1. Any kind of firewall will protect you from all hacks.

2. Any kind of firewall is itself completely secure.

3. Any kind of firewall stops virus or worm-bearing email.

4. Any kind of firewall will stop a man-in-the-middle attack against your data session.

Security is not a device, it's not a piece of code and it's not a machine configuration. It's a process that starts with the developer of every application that is accessible in any way, direct or indirect, to any user down through the installers and configurers all the way to the users.

If you bought a firewall appliance thinking that it will solve all of your security problems, I have some Enron stock to sell you.

And by the way, since you have crowed about how you run Windows XP and how secure it is, why do you have a firewall running something other than Windows XP?

What? Even you don't trust Microsoft security? I'm shocked I tell you, shocked.

Knitebane

60 posted on 01/16/2002 9:46:07 PM PST by Knitebane
[ Post Reply | Private Reply | To 59 | View Replies]

