Date: Sun, 30 Dec 2001 08:38:40 +0800
From: Raymond <[EMAIL PROTECTED]>
Subject: Re: [LIB] Re: Windows XP again

At 03:02 PM 29/12/2001 -0800, you wrote:
>Date: Sat, 29 Dec 2001 15:00:32 -0800
>From: "Jason Kim" <[EMAIL PROTECTED]>
>Subject: Re: [LIB] Re: Windows XP again
>
>May I highly suggest that you do your own research (even lightly), and that
>you take this guy's statements with a grain of salt the size of a Ford
>Taurus. Personally, I find it very helpful to read whitepapers and detailed
>reports to judge the accuracy of a source.

Hmm ... I find 2 grains of salt tend to be more useful. About the size of marbles. That you stick in your ears before you get them to say it. ;-)

>Port 80 is typically used as an incoming port for the HTTP protocol -- it's
>only open if you're running webserver software on your computer. Even if you
>are, the risk is very small that your computer can be hijacked through this
>port.

I think he means all these 'trojans' all go through remote port 80, making them much harder to detect in the midst of your normal web traffic in the event that you're monitoring your traffic (they could well disguise it as another ad banner hit or image counter or something). Even if you're using an application-specific firewall (ZoneAlarm, Norton Internet Security, etc.), they're not much use if a trusted program gets compromised.

>He's also wrong about the methods, but most everybody knows that Outlook
>Express is susceptible to various forms of privilege elevation attacks --
>there are ways to fool it to do your evil bidding. Most (if not all) of
>these problems, however, have corresponding patches available.

You can patch stupidity and human error?!?!?! GIMME!

>The same goes for the 'big' Windows XP UPnP bug, and the recent
>Explorer/Internet Explorer security debacle. Both have patches available,
>and both have been overexaggerated by the media, IMHO (especially
>"technical" sources like cnet). Neither vulnerability, as far as I know, has
>been widely exploited, and it shouldn't matter now that the patches are
>available.

Ya .. a bit like the Windows XP 'full TCP/IP stack' nonevent that a variety of outlets targeted at the half-savvy have been touting as the destruction of the Internet as we know it (Steve Gibson being a notable one).

>I run Linux, but not because it's more secure out of the box (in fact, lots
>of Linux software contains bugs and security holes, too), but because
>problems are easier to diagnose and fix. It's hard to infiltrate a Linux
>server, and it's nearly impossible to do it without being noticed by an
>astute sysadmin. You also have to keep up with the rapid releases of Linux
>software, especially open source.

Another thing about open source of course is that if you suspect an application or OS module is dodgy you can read the source code. I think part of what Matt Hanson was implying was that Microsoft was either somehow leaving holes in XP to let the NSA in or that they actually provide backdoors or trapdoors in their algorithms in order to do those things mentioned (both plausible given that XP does carry encryption technology which must have been OK'd by the NSA for export). Having said that, I dare say if someone DID want to hide some malicious code in an open-source module, given it's written in C I'm sure they could create a bit of code so unreadable that people would just give up ... security through infuriation?

>I do think the other sarcastic remark made on this list applies, too ... I
>can't imagine anyone who wants my data anyway, but I'll play it on the safe
>side.

Well, I think for a laptop, you've got a bigger risk of you losing the laptop or someone stealing it and getting the data THAT way ... anything important (your address book, business encryption keyrings, records, etc. can all be potentially valuable to an adversary or really annoying if they fell into the wrong hands) should really be encrypted locally and NOT using Microsoft's encrypted file system (well, OK, you can use it if you 'trust' it) ... I trust the PGP suite more (OK, it's been taken over by NAI, an American company which also has to appease the NSA, but then again from what I gather it WASN'T put through the NSA in original form because of the legal bother Phil Zimmermann went through with them, plus the fact that if you're paranoid the source for the algorithms IS available for you to compile).

Of course, we still don't know if PGP has been broken by the NSA, but then again, we're pretty sure it's not been broken by the international public at large due to its wide use, common knowledge of the algorithms (IDEA, RSA and MD5) and the amount of cryptanalysis that's been done on those algorithms. Certainly it'd be beyond the value of the data on most people's computers for an adversary to find it worthwhile breaking PGP (of course if your personal key management is sloppy they may not even need to break it, but that's a different story).

>Sorry to make such a big rant out of this, but I just felt like getting it
>out. :)

Hey, I've not made a rant in a long time either ;-)

- Raymond

---
"Does fuzzy logic tickle?"
"My HDD has no reverse. How do I backup?"
HTTP://www.raybot.net | ICQ: 31756092
Need help? Visit #Windows98 on DALNet!