Comments on: Microsoft exec calls XP hack 'frightening'

In a matter of minutes, e-crime experts hack into a Windows XP computer that is unprotected and connected to an unsecured wireless network.

Showing 2 of 4 pages (181 Comments)
Speaking of which, today is Patch Tuesday.
by Penguinisto November 13, 2007 11:25 AM PST
http://isc.sans.org/diary.html?storyid=3642

Get on it, campers... there's two real nasty ones out today.

/P
scaremongering
by perfectblue97 November 13, 2007 11:44 AM PST
This is base level scaremongering and little more.

They basically demonstrated how easy it is to get into a system with EVERYTHING LEFT WIDE OPEN. This is the IT equivalent of a girl walking into a frat party stark naked and drunk, and, when she is interfered with, using it as a warning to female students that they are at risk of being molested on campus.

You get more protection than this PC had simply by following the instructions on a basic wireless router. In fact since most PCs come with SP2, you get more protection straight out of the box than this PC had.
Not scaremongering
by slaingod November 13, 2007 1:44 PM PST
The main problem is that if for any reason you need to reinstall/repair Windows from your 'OEM disks', this is what you will get for the hour or two it takes to download all of the updates. I have literally tried installing Windows on a system from Dell OEM Windows disks and had the system hacked within 1-2 minutes, before the system had a chance to even determine which updates it needed.
Yes, but
by JoeF2 November 13, 2007 3:25 PM PST
"You get more protection than this PC had simply by following the instructions on a basic wireless router."

Sure, but people don't follow the instructions. They just plug the thing in. Just go around with a sniffer and watch how many wireless routers broadcast the default SSID.
What's frightening Microsoft execs . . .
by fokwp November 13, 2007 12:06 PM PST
. . . is the massive preference for XP over Vista.

I don't think these scare tactics will impress people enough to get them to upgrade.


Let's talk about programs that can only be run as an administrator after upgrading to Vista because of its new security "features"; now that's scary.
Future new Story: Microsoft-exec-calls-Vista-hack-'frightening'
by e_chappuis November 13, 2007 12:09 PM PST
Well it's only a question of time to see this new one:

Future new Story: Microsoft-exec-calls-Vista-hack-'frightening'.... hahahaha!!!

Maybe it's not kid stuff yet, but as sure as I write these lines, someone will offer packs on the net so that wiz kids (and not so kids) will be able to do so, hack Vista, just like that, 5 or 10 mn, with security plagued with the usual M$ flaws, if not why do they already offer patches, + Vista SP1 due soon?! *roflol and ruffles*!!!

*** Tips, why don't people start to use DeepFreezer on their machine, make a day 0 ghost, naturally offline and use it when things go wrong!!!

That's what I offer to my customers when they bring me their wrecks to fix!

I also keep reminding myself of a few things, who made the internet, who builds and owns the global system, who sells us machines that don't work well?

By the way the other day I connected an old Windows 3.11, RAM 46MB, with Lotus and +++ and the damn machine was flying... Oh I'll hear some of the bot talkers say, Ey! try to play a game other than pinball with that... Ok, Ok but it's beside the point I try to make. Why this complicated, ever so intricate and heavy Windows XP, Windows Vista?

Linux and others have long ago developed OS that beat any modern Windows running on double core 2x 3 Gigs, with only an Intel Pentium III at 1 Gig!!!

etc.etc.etc.
NOT NEWS
by thedreaming November 13, 2007 12:45 PM PST
Two guys proved something that we already knew, that a system, not properly patched, is vulnerable to attack by hackers.

NO FRAKING DUHH!
A Marketing Tactic
by ShamusMac November 13, 2007 12:50 PM PST
This comes across as a marketing tactic. Why would Microsoft choose to participate in this event that underlines the vulnerability of their own product? Because they want you to be afraid to use it and therefore purchase the latest product VISTA. They weren't going around publicly discussing how "frightening" it is to use XP last year even though everyone else and their mother knew exactly what the vulnerabilities shown in this example were for years.
what's being advertised?
by DrtyDogg November 15, 2007 9:44 AM PST
He barely mentioned Vista, he said just about as much about Vista as he did XP SP2.
There is one legitimate item in this story
by MSSlayer November 13, 2007 1:24 PM PST
The built in firewall for XP does not block outgoing, so its inability to deal with malware without third party applications is a serious problem that MS has never fully dealt with.

At least with Linux, you get a rock solid firewall from the get-go.

Of course, if Windows wasn't so damn susceptible to malware, this would be less of a problem.
Re: There is one legitimate item in this story
by pctec100 November 13, 2007 2:27 PM PST
And if they had current revision software the lack of an outbound firewall wouldn't be an issue either since the Vista firewall does outbound checking.
Frightening...That Vista is a dud.....
by fred dunn November 13, 2007 2:53 PM PST
Oh how frightening, WinXP on an unsecured network.
I and many others would "own" that system in no time at all. This is just a spin from Microsoft to try and push Vista.
Put Vista under the same circumstances and I can assure you it will be compromised as well.

I'm sorry to say this C|Net but this is the biggest piece of propagandistic fluff I have ever seen published by you. You should either be ashamed of your inability to interpret the test or be proud that you just made some very good friends at Microsoft.

This is just wrong.
Go ahead and try
by alt117 November 13, 2007 6:21 PM PST
"Put Vista under the same circumstances and I can assure you it will be compromised as well."
Get back to us when you've done it and tell us how long it took.
Vista is awful
by RoseD1st November 14, 2007 5:48 AM PST
Of course this is BS. CNET, this is pretty sad of you! Must be getting a check from Microsoft to try to get us to switch to buggy as hell Vista!
When You Make Swiss Cheese!
by Mister C November 13, 2007 5:17 PM PST
You shouldn't be surprised that it is full of holes!
:)
Getting Old - Don't Need New O/S Yet!
by JBSimmons November 13, 2007 5:24 PM PST
Just when we're on the path to stability and the bug counts get lower and lower, we are FORCED to migrate to the newest, buggiest O/S rolled out. Let's not forget that 2000/NT is on SP5. Let's have a period of relative stability and then developers can have more time to get the next O/S bug free. When I was at Intel writing S/W of all sorts, having a bug in your code was an abomination! It still is. That's why Intel offers lifetime warranties. If we can slow down the pace of O/S turnover we wouldn't have the problems we have. S/W could then offer longer warranties - like 3 years N/C. I have even caught compilers and link/loaders producing erroneous code. They share the blame too. I caught quite a few of those. Early on ASM and PL/M forced developers to really pay attention to what was really going on. C++ and million lines of code make that prohibitive. The bar is lowered greatly. This release of Vista will be good until next summer when a new 64bit quad processor will make everything we have now obsolete. If that is true, why did Vista roll out before XP SP2 was completely clean? What's next for 2000/NT? SP6? and for XP? SP3? What really needs fixing is .NET, ->Passport, Windows "live" <product>, Hotmail, IE5,6,7, and especially MSN Explorer 5 & 6. There is a lot of turmoil in the MS mail infrastructure. IE7 used to run independently from MSN Explorer 6 three days ago. Something got d/l into my machine that made IE7 absolutely dependent on MSN Explorer. You have to invoke MSN Explorer once to dial-up, and any number of instances of IE7 for different tasks. Why do we even need MSN Explorer today when 3 days ago IE7 was doing all of the dialing thru the MSN.NET behind the scenes without bother. These components should be running, working together, bug free before making a massive switch. These components were not ready on time, but d/l automagically anyway. I've got 3 ways to access my mail and it's 3 separate COPIES. 1 has gone away yesterday, now it's "Live Mail" vs. Hotmail vs. MSN mail and MSN e-mail errors galore. Quite a few holes there big enough to drive an 18 wheeler through. Hack city galore.
MSN Explorer
by Jim Harmon November 16, 2007 3:23 AM PST
I had that same problem years ago when MSN was the DSL ISP where I lived (Qwest just provided the wires - MSN provided the service). I switched to cable as soon as it became available in my area.
Free Open Source is Evil
by WJeansonne November 13, 2007 6:39 PM PST
That's the real problem. Instead of building commercially viable products, anyone can build their own hacking tools and wreak havoc on the world. The Anarchists must love it.
Correction
by The_Decider November 14, 2007 6:55 AM PST
Anyone can build hacking tools for Windows.

It takes a bit more on real operating systems.
Oooooo, How SCARY!
by Phillep_H November 15, 2007 9:52 AM PST
Why don't you just come out and say you want everyone living in a 1984 society, with Big Brother Watching?

Everyone MUST BE CONTROLLED!
Who doesn't run a firewall and Antivirus?
by ferretboy88 November 13, 2007 7:57 PM PST
I know a lot of not so computer smart people and even they all run a firewall and antivirus software.
People with a quality OS
by mjoecups--2008 November 13, 2007 11:46 PM PST
I have a Mac OSX Server (10.1.5) that has been up for the last 5
years and has no firewall (it's off) or antivirus. It's a
webserver/mailserver/dnsserver/fileserver/printserver and all of
these services are exposed to the internet.

No problem.

Windows is crap, wake up.
A lot of people
by JoeF2 November 14, 2007 6:01 PM PST
You just haven't looked enough.
And obviously, antivirus definitions have to be updated.
Who doesn't run a firewall and Antivirus?:
by sirron33 November 14, 2007 9:10 PM PST
Me. But then I have a Mac. You Windows people should get a life,
fooling around with all those problems. Don't get Vista either -
you'll be even more sorry.
re-firewall
by ezeze5000 November 15, 2007 4:03 AM PST
I know a lot of people who don't even know what a firewall is, let alone what version of Windows they are using. They use their computer every day and couldn't live without it. They are lost if something happens to it, but they know how to play games and check their e-mail. When asked they didn't know if their system was patched or not.

Just my two cents worth.
Maybe the Linux guys should stop
by ferretboy88 November 13, 2007 8:03 PM PST
Linux guys should stop writing viruses and creating hacking software. Move out of your parents' basement and get a new hobby. Try to get a girlfriend also.
Just shake my head and sigh.
by Spork_This1 November 13, 2007 8:15 PM PST
Yet another reason I own a Macintosh. Realistically though, the only safe way to warehouse information is in your head. Until we perfect wireless neural nanotech interfaces at least THAT should continue to remain safe. Don't be paranoid just because they are watching you... be afraid because they know what you will do next... mu-hu-wa-ha-ha!
No one cares about security.
by matthewcsims November 13, 2007 9:07 PM PST
I don't think most people care about security. Even if they say they do. It is well known that Windows is the least secure operating system and IE is the least secure browser, but they are both the most popular. So obviously people just don't care.

This is a conversation I had with a friend.
Me: You shouldn't run your computer in Administrator mode all the time.
Friend: Yeah, but then I can't install anything.
Me: Just click run as, and type in the administrator password when you need to install something.
Friend: Oh, my administrator account doesn't have a password.
Me: Why not?
Friend: I would just forget it.

Another conversation I had with a friend.
Me: You shouldn't leave your comp on when connected to the net. Shut it off or put it in hibernate when you are done with it.
Friend: Well I don't want to shut it down, turning it on and off can hurt the hard drive.
Me: Yeah well, it'll take about three to five years for your hard drive to go bad. You already have adware, and probably spyware on here already. Wouldn't that be your primary concern?
Friend: Well you're going to uninstall that for me anyway.
Me: Correction, I was going to uninstall it for you.

Another friend
Me: Why don't you use your firewall software?
Friend: I have firewall software.
Me: Why don't you use it? It is not running.
Friend: Oh it kept popping up these confirmation boxes. It was really annoying.
Me: How about your anti-virus?
Friend: Oh I run that when I think I have a virus.
Me: Well, when was the last time you think you had a virus?
Friend: Oh I ran it about six months ago. I don't do it that often. It takes forever to do a complete scan.
Friend: So why is my computer going so slow anyway?
Me: Well, it looks like you have some viruses and adware that is slowing it down.

I know most people on this thread care about security. But most people out there in the world don't. They want to see pretty colors, play 3D games, IM, and get on MySpace. Microsoft knows this.

That's why Windows has pretty colors, 3D games, and no security. That's what the market wants.
Lowering news standards
by davtaylor November 14, 2007 12:00 AM PST
Wow, Tom Espiner reports that a computer that has not been patched for 4 years and is not running a firewall or virus checking has been hacked!

I am surprised Tom Espiner's editor has allowed CNET to lower quality of reporting to this level. Your headline is taken out of context from what the speaker intended to convey.

I hope you are happy this is the top hitting story as everyone clicks on it today only to find their time wasted.


David
Why are we discussing this, anyway?
by aemarques November 14, 2007 1:02 AM PST
This is what matters in the article:

A SOCA representative said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it." SOCA stopped short of recommending small businesses move to Vista; a SOCA representative said that applying Service Pack 2 to XP, with all the patches applied, and running a secured wireless network is "perfectly sensible way to do it."

BTW, if anyone is using Windows XP unpatched and without SP2, he/she deserves to be hacked!
Eh?
by Phillep_H November 15, 2007 9:54 AM PST
Why are "you" part of this "we" if you think it's a waste of time?
Dumb and Dumber
by Ted Miller November 14, 2007 8:39 AM PST
Don't you smell the setup here?

This is nothing but a Microsoft pitch to ditch XP and buy Vista. We all know that old XP versions can be hacked.

All this is Microsoft saying "That's why you need to buy Vista, for if you don't then your computer will blow up."

By the way, my Vista computer would not start up the other day. It went into system recovery and fixed itself. Look I did not do anything new to it, like adding software or something. It just flipped on me and that SUCKS!!!

I will still be a Microsoft user for a long time to come, but if you are new to computers, I highly recommend you look somewhere else for something reliable.
Love/Hate Microsoft
by arv2 November 14, 2007 11:45 AM PST
It sounds like MS should provide a fix for this security gap. Unless, they are using this to promote the sales of Vista. But, if they can hack XP easily, I'm sure they can do the same for Vista...maybe it's just a little harder. *** for tat. As long as MS is around, hackers will do their best to trash their products. It's a game. Bottom line, you can't blame MS for criminal behavior, only neglect.
Fix
by DrtyDogg November 14, 2007 11:48 AM PST
Most likely already issued, this machine was set up intentionally leaving it open to known exploits.
XP, Vista, it won't matter
by chash360 November 14, 2007 12:02 PM PST
Just like the drug companies, it's much more profitable to sell the 'treatments' (continuous updates and revisions of crappy code) than actually produce a cure. If security and privacy was actually taken seriously, and put before all other considerations, a totally network secure computing environment could exist.

Software does not have any moving parts, it does not wear out, it does not degrade (unless programmed to), it does not deteriorate (unless programmed to), it was either written correctly or it wasn't, binary, black and white, no excuses.

M$ violated basic internet protocols, implementing their own, creating the potential for most of these problems, coupled with outsourcing to low wage countries, where it is in their best interest to ensure there are holes to hack (and potentially sell to adware companies).

The solution starts with a security model, the first level of that model is if it could compromise security of the software system, it requires physical access to the hardware to make that compromise by default. Following this simple guideline would eliminate the proliferation of malware across networks.
Agreed
by Phillep_H November 15, 2007 10:05 AM PST
Well, pretty much. How many of the weak spots are located in the "Gee Whiz" junk added in?

Even Mozilla keeps issuing updates, and upgrades.

And, as Veghead experienced, "48 critical security updates" on Ubuntu?

What in? "Neat stuff" or "basic stuff"?