Comments on: Green Dam exploit in the wild
A buffer overflow exploit for the Chinese censorware is circulating online, as university researchers warn the software remains vulnerable to a flaw.
Most Popular
15 sites that went kaput in 2009
Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.
Top 10 news stories of the decade
Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.
About Security
Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.
Add this feed to your online news reader
Security topics
Do you have any idea how big MS code base is compared to Green Dam.
Apple is the most proprietary companies you can purchase products from...
really? So where can I find the Microsoft-published specs and example code for building an app to open MS Office document formats (especially .doc, .xls, .ppt, and the like)? Furthermore, if they exist, will they be usable without Windows?
Oh, wait - they don't have them? You can't? Okay - how about the same goods for DirectX content, so that a translation layer can be built to use DirectX content on non-MS operating systems?
Nothing there either? Hmm... okay, how about Exchange? Does Microsoft have all the specs published and open so that one can build an app that reads from and writes to an Exchange database like Outlook can? You mean they demand absolute and exclusive access to that too!? (hint: even with OWA, you're stuck with the "Light" version unless you use Internet Explorer).
Well, crap. How about MS Access? It would be real nice to build a client that can open and convert Access databases... does Microsoft publish open file specs and sample code for that? Oh, they don't do that either?
Wow - for a company that you allege to be so open about access to content, Microsoft sure isn't living up to your assertions...
What does any of that have to do with content?
Sorry, but you are COMPLETELY WRONG. Microsoft indeed publishes file format specifications for Word, Excel, PowerPoint, and the like. You can download full specs for .doc, .ppt, .xls, etc. (both the old BINARY format and the new XML international standards versions.) Yes, Access (.mdb) format is also open and available.
See: http://www.microsoft.com/interop/osp/default.mspx
For example, here's the PowerPoint .ppt format: http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/PowerPoint97-2007BinaryFileFormat(ppt)Specification.pdf
What about Exchange you say? Exchange 2007 Protocols have been open since last year. See http://www.microsoft.com/protocols/default.mspx
So please take this ignorant FUD elsewhere. You have ZERO CREDIBILITY left here.
IfF you don't know how, then you don't know much about how programs actually work ;)
@mbenedict:
nice attempt, but if you actually open any of those alleged "specifications", you'll notice something. Well, a lot of somethings:
* "Patents. Microsoft has patents that may cover your implementations of the formats. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents"
* Incomplete/missing documentation (See also OOo and their strict adherence to those alleged "specifications", yet files written with MS Office still don't line up in too many cases). Complete specs would have eliminated that (see also the OOo mailing list, which almost constantly complains of this).
* You alleged cite of the Exchange 2007 "specifications" also comes with a big, fat patent barrier, and contains nothing about accessing the .mdb (as I had noted before). IF you can locate it, kindly do so, instead of pointing to a page loaded with nebulous statements.
"Microsoft irrevocably promises NOT TO ASSERT any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation to the extent it conforms to a Covered Specification [...] To clarify, ?Microsoft Necessary Claims? are those claims of Microsoft-owned or Microsoft-controlled PATENTS that are necessary to implement only the required portions of the Covered Specification"
On EXCHANGE: I already posted the link to the Open Protocols. Go look up the Exchange APIs.
BY THE WAY, Random_Walk... the company you shill for, Apple, USED to publish iWork formats (such as the Keynote apxl v1 file format), but Apple decided to migrate to new, incompatible, UNPUBLISHED formats that's now FULLY CLOSED, for the sole purpose of breaking any other 3rd party applications which could compete with Apple.
What's up with that, HUH???? Apple... hello.... PROPRIETARY.... hello????
- by n3td3v June 25, 2009 12:52 PM PDT
- Bruce Schneier, are you saying hackers couldn't create a massive bot net via China without Green Dam, come on, where do you think the reports of espionage were coming from. Some people blamed China directly for spying on British Telecom and other western interests, but its likely it was foreign intelligence outside of China compromising Chinese hosts to spy on interests in the west.
- Like this Reply to this comment
-
-
- by mbenedict June 25, 2009 3:26 PM PDT
- A "massive" botnet today might contain a few million zombies. That's about the practical limit that hackers can achieve, given the realities of today's infrastructure (rate of propagation vs. the number of unpatched machines vs. network topology, etc.) Even Conficker, by far the most sophisticated bot in the wild so far (from a control perspective), could only manage anywhere between 1 and 4.5 million machines depending on the measurement methodology.
- Like this
-
(15 Comments)With Green Dam, a hacker organization could conceivably create a botnet with a *billion* zombie machines. That's a few magnitudes higher than ANYTHING we've ever seen in the wild.
The only bright side would be... virtually all of those machines would be located in China. If a billion Chinese machines do become part of a botnet, the entire country would be disconnected from the 'net.