1995-10-18 - Re: Microsoft: WFW & Win95 TCP/IP is insecure, and alleged serious computer crime

Header Data

From: llurch@Networking.Stanford.EDU (Richard Charles Graves)
To: N/A
Message Hash: ed9a248a98c6a03950a809dca7ac26a05ef6079f6a0aebcee589f1f1cec73f01
Message ID: <462r32$mj@Networking.Stanford.EDU>
Reply To: <45rims$9fc@Networking.Stanford.EDU>
UTC Datetime: 1995-10-18 13:23:08 UTC
Raw Date: Wed, 18 Oct 95 06:23:08 PDT

Raw message

From: llurch@Networking.Stanford.EDU (Richard Charles Graves)
Date: Wed, 18 Oct 95 06:23:08 PDT
Subject: Re: Microsoft: WFW & Win95 TCP/IP is insecure, and alleged serious computer crime
In-Reply-To: <45rims$9fc@Networking.Stanford.EDU>
Message-ID: <462r32$mj@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


Posted, emailed, and archived. I probably should have talked to a lawyer
first. Oh well. Followup-To poster (that means email) or spawn new threads.
The FAQ is at http://www-dccs.stanford.edu/NetConsult/Win95Net/faq.html. 
It's getting dated; please download the new.txt link, in UNIX mbox format.
The quixote list archive server has been turned off for security reasons.

-----BEGIN PGP SIGNED MESSAGE-----

In article <461u88$luk@dingo.cc.uq.oz.au> in a few newsgroups, 
DavidS@gpo.pa.uq.edu.au (David Steadson) writes:
>In article <45rims$9fc@Networking.Stanford.EDU>, llurch@Networking.Stanford.EDU 
>says...
>>
>>Note that Microsoft's "in order to have this problem, there must be a 
>>UNIX
>>computer on your network" really means "if you're connected to the
>>Internet, and you're not behind a firewall that disallows all SMB traf
>>fic,
>>you have this problem." Some other bits are misleading as well.
>
>Ummm, this is new??  I knew about this security hole in MS TCP/IP months ago, 
>via newsgroups.

Lots of things are new, and very interesting, especially for Usenet 
readers, because the story involves forged cancels, apparently stolen 
passwords, and serious computer crime. I'm so glad you asked.

Unsurprising Fact: Microsoft has finally acknowledged and documented the
problem, and, without fanfare, released a patch for Windows for Workgroups
that claims to fix it. 

Fact: several people at Microsoft have been lying about the problem. In
early September, paulbal@microsoft.com assured a gathering of Stanford
computing support staff that the problem had been fixed in build 490, so I
looked no further into it. For a while.

Fact: On September 27, I reposted a July article from the SAMBA email list 
archive about the bug you know all about. I asked for confirmation 
on whether it had been fixed in the release version of Win95, and whether 
a fix was available for WFW.

Supposition: Early morning September 28, my kerberos password was
apparently hacked, and my .forward file was disabled on several UNIX
machines, preventing me from receiving some personal and work-related
email. I did not notice this problem until October 6 because I seldom log
on to the machines in question. 

Fact: On September 28, I received several replies to my post, several
saying that Microsoft had assured them that it had been fixed at some
specified (often specified different) build. I also received two replies
that the problem had *not* been fixed, and volunteering to reproduce the
problem for me. 

Fact: I posted the confirmation of the bug to win95netbugs@lists.stanford.edu.

Fact: The Windows for Workgroups security bug fix patch on Microsoft's FTP 
server is dated late night September 28.

Fact: On October 2, Paul_Krill@InfoWorld.Com phoned and emailed me
inquiring about the problem. He had also been assured by Microsoft sources
that the problem had been fixed. I forwarded several articles his way
indicating that it had not been fixed. I again searched the Microsoft
Knowledge Base for any mention of "SAMBA" or "SMBCLIENT" and found none. 

Fact: On October 4, received an email message from henrysa@microsoft.com
inquiring about the problem and offering to investigate for me the current
status of the problem. In reply, I sent him the three email messages that
are included at the bottom of this post. I have not received any sort of
reply from Henry. 

Fact/Supposition: October 2 (?), somebody made a directory on a Stanford
FTP server world-readable and world-writeable, uploaded several megabytes
of "warez," and advertised the site on hacker BBSes. Since many people had
access to this directory, there were no suspicions about who was
responsible. My kerberos password, which I now believe was stolen, would
have been sufficient to cause this problem. 

Fact: Late night/early morning October 14-15, in a routine browse of the
Microsoft Knowledge Base, I came across articles on the SMB security bugs,
which we all know about now. I posted them, with commentary rather less 
lurid than what you have seen from me since, when I was perturbed. 

Fact: The article was canceled. On this day 10/18/95, under penalty of
perjury, I swear that it was not canceled by me. My PGP signature should 
be legally binding.

Fact: I also Cc'd the article to \win95netbugs and myself via email. The 
email made it. NewsWatcher works such that separate Message-IDs are 
created for news and email, and someone reading the news post has no way 
of knowing whether the article was also emailed.

Supposition: the canceler did not know that NewsWatcher worked this way.

Fact: In the morning, I noticed the article was missing, but that earlier 
and later articles by me were there. I figured something must have gone 
wrong, so I reposted it.

Fact: From 12:10 to 5PM, I was with Kevin Morris at Sacred Heart school in
Atherton, building a local PhoneNET network. Obviously, I had no Internet
access. While I was there, my second post of the article was canceled.

Fact: Around 7PM, I noticed the second cancel, and a followup thereto from
a netcom account confirming that the article had been posted and
propagated, got really pissed off, and posted it a third time. I also
posted to news.admin.net-abuse.misc and our local news administration 
group. I also Cc'd several PC and networking magazines via email, and 
cross-posted to a .test group so that I would have verification of the 
propagation of the article in hand.

Fact: Today, as was the case 15 hours after it was posted, article
<llurch-1510951157410001@tip-mp3-ncs-3.stanford.edu>, to which there was
that netcom followup, is missing, presumed canceled, from the core
Stanford news servers nntp and csd-newshost. It is present on the
secondary news host morrow.stanford.edu, and on external sites. No one 
has been able to provide any explanation for this.

Supposition: the canceler either screwed up or canceled the cancel or,
more likely, forged a repost after seeing the netcom followup. For some
reason, however, the article did not make it back onto nntp or 
csd-newshost.

Fact: Later that night and in the morning, I received copies of the 
forged cancels of my messages as seen from nasa.gov, rand.org, and 
mcom.com. I posted them to news.admin.net-abuse.misc.

Supposition: an individual or group has gone great lengths, engaging in 
quite a bit of highly illegal and unethical behavior, in order to cover up 
security and networking bugs in Microsoft products. 

Opinion: they have failed. In a big, big way.

- -rich graves
 distributed computing and communication systems
 stanford university
 llurch@networking.stanford.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMITf34ND7LjhcPQ9AQGlsQP+KFNuOehBPLExKjJc0e/7bv8iAF29bYgi
o4ioLYuwx4AKtR2hER85PWWPNBuDO+G8uqDBcDNzKZ+VxrNDWvhP9oSfTy9ry9OM
p5hkcQfB/MqqeDZ5nFOXmTkI2y+EI3az1lHWBr9kQuSalpAVkXTx0/qeW9WWYVFZ
cuZ8+Tf3W7o=
=G/Dk
-----END PGP SIGNATURE-----

Unanswered letters to henrysa@microsoft.com:





Thread