NOVEMBER 6 in response to ulTRAX's letter
From: jgreely@corp.webtv.net (J Greely)
Date: Fri, Nov 6, 1998, 5:11pm (EST-3)
To: ultrax@webtv.net
Subject: Re: question
> The first was why when I first hacked mattman's account I found it empty of all files?

Actually, it would be a bit surprising if you had seen his files at all. There is a fair amount of compartmentalization that goes on in our service, and with a few exceptions the different groups are completely isolated from each other. This includes the servers that provide file storage. So, you were connected to the machines appropriate for your group, and then pretended to be someone else from another group. The servers you were talking to didn't have access to his files.

> Also.... what was it that allowed someone else's account to be downloaded on to a box that was not theirs?

The sincere belief on the part of the person who wrote the code that there was no way to insert bad data into a "trusted" transaction.

> But whose ShowService IP list was I getting? Matt's or mine?

This is actually difficult to answer, since I wasn't involved and don't really know the details, and I couldn't replicate it today to give a definitive answer. If you ever got to see his favorites and mail, then you got a services list appropriate for his group (since only those machines are connected to the file server that has that data). If not, then they were always the ones for your group.

> I noticed that the IP list really can change each time we log on to a user. Is this to balance the load on the servers?

Yup. There are at least two hosts for every service. Quite a few more, in some cases, shared across groups.

> Can this explain why when I was a Blue previewer I had so much trouble accessing my mail?

The group of servers that blue is on is an exact copy of the structure of the groups used in production. Mail problems probably had more to do with the fact that you were running pre-release services.

-j
======================================================
NOVEMBER 7
From: jgreely@corp.webtv.net (J Greely)
Date: Sat, Nov 7, 1998, 8:08am (EST-3)
To: ultrax@webtv.net
Subject: Re: question
> The box never seemed too happy doing any of this

LOL. No surprise there.

> It seems that WTV has sealed up the login side pretty well... so that no one can just load an entire account. But what about direct access to individual pages on an account?

They shouldn't work. First, as discussed previously, the odds are against you having the same set of servers, so the files simply won't be there unless you're "really" them. Second, the code no longer trusts URLs to pass plaintext authentication data (as far as I know, the person who did that in the first place was flogged :-)).

> I'm assuming that it was by this method that Previewer NG security was maintained. If the nameserver did not have the color category... one simply could not get in.

Right idea, wrong mechanism; nothing should ever have been getting user category out of a URL, since it's in the database, and I don't think anything is left that does.

> Anyway.... HEY IT'S FRIDAY!!!! Doesn't Uncle Billy let you hard working professionals have a night off to get a beer?

I don't work particularly normal hours. For instance, I don't work Wednesdays at all, since I'm home sleeping off downtime.

> Or do they simply deliver it to work for you?

We rarely officially have beer, but management pays for our meals on a fairly regular basis.

-j
======================================================
NOVEMBER 12
From: jgreely@corp.webtv.net (J Greely)
Date: Thu, Nov 12, 1998, 6:15pm (EST-3)
To: ultrax@webtv.net
Subject: Re: What do you think?
> such as the flashrom files were NEVER intended to be made public.

Most of the builds simply aren't there any more, and the new security model is... "imminent", so it won't matter for long. Care to guess what people are *most* upset about in this?

> Maybe WTV can look up the other user names for DRY_ICE@webtv.net God-of-ALL Vargyr and make an official request that hypermart look into their sites to see if they are legitimate, or violate the hypermart TOS.

If someone shows up with an official piece of paper requiring that information, we'll look them up. Otherwise, we're very cautious about that sort of information (modulo a few (former) contractors who've abused it in the past).

-j

PS: I saw something a while back about someone from here supposedly trying (badly) to go undercover and pretend that they were just another hacker. This was definitely not something official, and I really hope it wasn't the most likely suspect, because I thought he was brighter than that.

PPS: I loved the guy who thought he'd uncovered a great secret with Dig ("corp=testdrive" :-)), and then went ballistic when I replied to him. A classic example of someone using a tool without understanding what it does, with a healthy dollop of conspiracy theory on top. :-)
======================================================
NOVEMBER 15
From: jgreely@corp.webtv.net (J Greely)
Date: Sun, Nov 15, 1998, 7:05pm (EST-3)
To: ultrax@webtv.net
Subject: Re: What do you think?
> So when the next Upgrade Loop is imposed on the new Daily intruders, I just want to let you know that due to other demands on my time, I was NOT one of them. So please make sure my name is not on the Limbo List.

If you got in, you're in the log files; if you didn't, you won't be on the list.

> Now you see why I was so worried about that Flashrom List?

I don't know who put those two builds back out on Production. They're gone now, the Weekly service is shut down, and Daily will soon follow. The person who removed our override to keep people out of Daily will be slapped vigorously. You know, they couldn't have picked a worse week to fuck with the service. We're in the middle of trying to release the new service code, with some of it going out tonight. At least, it *was* going out tonight...

-j
======================================================
NOVEMBER 15
From: jgreely@corp.webtv.net (J Greely)
Date: Sun, Nov 15, 1998, 9:20pm (EST-3)
To: ultrax@webtv.net
Subject: Re: What do you think?
> I wouldn't be too hard on anyone who may have messed up putting internal builds on Big Willie.

The files shouldn't have been present on those servers at all.

> Willies is just a web page that has links to them. Maybe if WTV paid these people a stipend you at least could bind them to an NDA and still use them to find the security holes. Just a thought. LOL

This only works if we trust them.

-j
======================================================
NOVEMBER 15
From: J Greely
Subject: Re: TestD Weekly
To: MattMan69@webtv.net (Matt Man)
Date: Sun, Nov 15, 1998, 6:56pm (EDT-4)
> I'm back on, if you still want to give me a call let me know and I will disconnect right away

I'm talking to Krishna now, and we've dealt with the "gateway" build that you used to get to Weekly (I'll deal with the person who put it back out there later). Someone is gathering the hit list of who to force new builds on (yes, there will be another force-upgrade loop), and I'm going to shut down Weekly (and probably Daily) in a few minutes.

-j
======================================================
NOVEMBER 16
From: jgreely@corp.webtv.net (J Greely)
Date: Mon, Nov 16, 1998, 10:35pm (EST-3)
To: ulTRAX@webtv.net
Subject: Re: QUICK!!! NEED IP LISTS

ulTRAX@webtv.net writes:
> It seems that of all the possible servers a plus can hook up to.... many are off the list (not that you might notice unless you have studied this list). This may be an indication that WTV is getting ready to release its new server side upgrade...

The two things have nothing in common, but we were wondering when someone would notice it. Also the RWC stuff...

-j
================================================
From: jgreely@corp.webtv.net (J Greely)
Date: Mon, Jan 25, 1999, 1:44am (EDT-4)
To: ulTRAX@webtv.net
Subject: Re: What do you think?

> Could be a hoax... just to see if I'd confirm if it were possible. But then I always suspected it was, just was too afraid to work on it.

Too busy to tinker right now. I'll mention it to the SOC guys and let them play and see if they can make it work.

> What happened to all the @corpies who used to post? It's like someone threw a switch one day and they were all gone.

Well, in fact, I threw the switch. I hadn't been keeping up for a while, and dropped in one day to find Javier posting all over the place. He apparently hadn't read the Microsoft policies on participating in public forums in any official capacity (they basically say "don't", which is why I've always kept a low profile).

> Hope you survived the XMas rush LOL!

We had quite an impressive rush, actually, but we'd spent so much time and money preparing for it that the service just coped. We were all sitting around our homes waiting for pagers to go off, and nothing happened. Quite refreshing.

-j