Posted, emailed, and archived. I probably should have talked to a lawyer first. Oh well. Followup-To poster (that means email) or spawn new threads. The FAQ is at http://www-dccs.stanford.edu/NetConsult/Win95Net/faq.html. It's getting dated; please download the new.txt link, in UNIX mbox format. The quixote list archive server has been turned off for security reasons. -----BEGIN PGP SIGNED MESSAGE----- In article <461u88$luk@dingo.cc.uq.oz.au> in a few newsgroups, DavidS@gpo.pa.uq.edu.au (David Steadson) writes:
In article <45rims$9fc@Networking.Stanford.EDU>, llurch@Networking.Stanford.EDU says...
Note that Microsoft's "in order to have this problem, there must be a UNIX computer on your network" really means "if you're connected to the Internet, and you're not behind a firewall that disallows all SMB traf fic, you have this problem." Some other bits are misleading as well.
Ummm, this is new?? I knew about this security hole in MS TCP/IP months ago, via newsgroups.
Lots of things are new, and very interesting, especially for Usenet readers, because the story involves forged cancels, apparently stolen passwords, and serious computer crime. I'm so glad you asked. Unsurprising Fact: Microsoft has finally acknowledged and documented the problem, and, without fanfare, released a patch for Windows for Workgroups that claims to fix it. Fact: several people at Microsoft have been lying about the problem. In early September, paulbal@microsoft.com assured a gathering of Stanford computing support staff that the problem had been fixed in build 490, so I looked no further into it. For a while. Fact: On September 27, I reposted a July article from the SAMBA email list archive about the bug you know all about. I asked for confirmation on whether it had been fixed in the release version of Win95, and whether a fix was available for WFW. Supposition: Early morning September 28, my kerberos password was apparently hacked, and my .forward file was disabled on several UNIX machines, preventing me from receiving some personal and work-related email. I did not notice this problem until October 6 because I seldom log on to the machines in question. Fact: On September 28, I received several replies to my post, several saying that Microsoft had assured them that it had been fixed at some specified (often specified different) build. I also received two replies that the problem had *not* been fixed, and volunteering to reproduce the problem for me. Fact: I posted the confirmation of the bug to win95netbugs@lists.stanford.edu. Fact: The Windows for Workgroups security bug fix patch on Microsoft's FTP server is dated late night September 28. Fact: On October 2, Paul_Krill@InfoWorld.Com phoned and emailed me inquiring about the problem. He had also been assured by Microsoft sources that the problem had been fixed. I forwarded several articles his way indicating that it had not been fixed. I again searched the Microsoft Knowledge Base for any mention of "SAMBA" or "SMBCLIENT" and found none. Fact: On October 4, received an email message from henrysa@microsoft.com inquiring about the problem and offering to investigate for me the current status of the problem. In reply, I sent him the three email messages that are included at the bottom of this post. I have not received any sort of reply from Henry. Fact/Supposition: October 2 (?), somebody made a directory on a Stanford FTP server world-readable and world-writeable, uploaded several megabytes of "warez," and advertised the site on hacker BBSes. Since many people had access to this directory, there were no suspicions about who was responsible. My kerberos password, which I now believe was stolen, would have been sufficient to cause this problem. Fact: Late night/early morning October 14-15, in a routine browse of the Microsoft Knowledge Base, I came across articles on the SMB security bugs, which we all know about now. I posted them, with commentary rather less lurid than what you have seen from me since, when I was perturbed. Fact: The article was canceled. On this day 10/18/95, under penalty of perjury, I swear that it was not canceled by me. My PGP signature should be legally binding. Fact: I also Cc'd the article to \win95netbugs and myself via email. The email made it. NewsWatcher works such that separate Message-IDs are created for news and email, and someone reading the news post has no way of knowing whether the article was also emailed. Supposition: the canceler did not know that NewsWatcher worked this way. Fact: In the morning, I noticed the article was missing, but that earlier and later articles by me were there. I figured something must have gone wrong, so I reposted it. Fact: From 12:10 to 5PM, I was with Kevin Morris at Sacred Heart school in Atherton, building a local PhoneNET network. Obviously, I had no Internet access. While I was there, my second post of the article was canceled. Fact: Around 7PM, I noticed the second cancel, and a followup thereto from a netcom account confirming that the article had been posted and propagated, got really pissed off, and posted it a third time. I also posted to news.admin.net-abuse.misc and our local news administration group. I also Cc'd several PC and networking magazines via email, and cross-posted to a .test group so that I would have verification of the propagation of the article in hand. Fact: Today, as was the case 15 hours after it was posted, article <llurch-1510951157410001@tip-mp3-ncs-3.stanford.edu>, to which there was that netcom followup, is missing, presumed canceled, from the core Stanford news servers nntp and csd-newshost. It is present on the secondary news host morrow.stanford.edu, and on external sites. No one has been able to provide any explanation for this. Supposition: the canceler either screwed up or canceled the cancel or, more likely, forged a repost after seeing the netcom followup. For some reason, however, the article did not make it back onto nntp or csd-newshost. Fact: Later that night and in the morning, I received copies of the forged cancels of my messages as seen from nasa.gov, rand.org, and mcom.com. I posted them to news.admin.net-abuse.misc. Supposition: an individual or group has gone great lengths, engaging in quite a bit of highly illegal and unethical behavior, in order to cover up security and networking bugs in Microsoft products. Opinion: they have failed. In a big, big way. - -rich graves distributed computing and communication systems stanford university llurch@networking.stanford.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMITf34ND7LjhcPQ9AQGlsQP+KFNuOehBPLExKjJc0e/7bv8iAF29bYgi o4ioLYuwx4AKtR2hER85PWWPNBuDO+G8uqDBcDNzKZ+VxrNDWvhP9oSfTy9ry9OM p5hkcQfB/MqqeDZ5nFOXmTkI2y+EI3az1lHWBr9kQuSalpAVkXTx0/qeW9WWYVFZ cuZ8+Tf3W7o= =G/Dk -----END PGP SIGNATURE----- Unanswered letters to henrysa@microsoft.com: