Re: [Full-Disclosure] Anti-MS drivel
This perhaps needs some clarification. My response to Tobias should in no way be construed as an MS Apologista defending their record vis-a-vis software design/secure coding. Far from it. It was, rather, an effort to point out that >>When a customer "makes a mistake" then it's not his own but the vendor's<< does not even remotely survive the test of extending a statement/argument to even logical extremes.

When we have users who, within 5 minutes of receiving and reading an email from IS Security that says "X Email may be landing in your inbasket...with this subject...from this address...DO NOT OPEN THE ATTACHMENT IN THAT EMAIL, please delete it immediately" decide that it did not really mean them, and proceed to open said attachment anyway, they are making mistakes...period.

(NOTE: Yes we should be stripping all potentially executable attachments, my shop does...hope yours does too...but, I'm also willing to bet that if we are honest...I am damned sure not in the minority of people who have had this scenario play out in the past...and who are still very concerned about hundreds of laptop users who are grabbing email from ISP-based sources while they are on the road)

It's wonderful to pontificate about how the world ought to be...but there are more than a few of us who get to deal with it the way it is. People make mistakes.

Bart Lansing
Manager, Desktop Services
Kohl's IT

[EMAIL PROTECTED] wrote on 01/24/2004 05:57:25 PM:

> [EMAIL PROTECTED] wrote:
>
> > Tobias, I have to tell you that >>Customer is king. mistake.<< is getting old.
> >
> > 1. If the customer decided to make a sharp left turn at 120 kph on an icy
> > mountain road and slid his car off the side of the cliff...or...
> >
> > 2. If the customer decided to ignore the product warnings and popped that
> > can of beans in the microwave then stood there with his face against the
> > window to watch...or...
> >
> > 3. If the customer decided to go scuba diving at 100 meters, ignored the
> > gauges that told him he was out of air, then decided to rocket to the
> > surface as fast as he could so he could get a breath...
> >
> > THE CUSTOMER MADE A MISTAKE
>
> True, but in all those cases it is reasonable to expect that a
> (reasonable) customer _should_ know better.
>
> The problem -- at least with "consumer computers" -- is that typical
> consumers do not (and, it seems, for quite some time to come yet, will
> not) "know better". However, we keep selling them computers as if the
> mismatch between the devices' capability and the user's ability to use
> them safely are in harmony.
>
> This assumption clearly does not even hold for much of the corporate
> world (or at least _has not_), where supposedly "expert" folk are
> responsible for running the computer systems much of our financial
> systems, and thus our commerce, now depends on. Despite this, the
> computer industry was allowed to expand and expand and expand to the
> point where any attempt to regulate it would have had massive negative
> social, economic and political repercussions, meaning we ended up in
> the situation of self-sustaining (commercial) madness that produced
> Windows XP Home...
>
> Regards,
>
> Nick FitzGerald
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[Full-Disclosure] Re: Full-Disclosure] Anti-MS drivel
[flame-bait ahead]

also sprach Helmut Hauser <[EMAIL PROTECTED]> [2004.01.23.2154 +0100]:
> Sometimes it's to blame us administrators for not installing patches -
> slammer and blaster patches were released way BEFORE the outbreak(s) occurred
> but most admins did not patch,
> simply they don't even know that there is a patch available ! Could you
> blame Microsoft on that ? Simply no, cause as admin I have to know about
> patches/releases, I have to be on the MS security mailinglist and so on.

when i patch a windows system, i encounter downtime and possibly a whole
set of new problems. been there many times. when there is a security
hazard in linux, i can fix it over ssh from a beach in malibu in 98% of
the cases, requiring a restart of a single service.

> e.g. I had to help out one large organisation (the famous infected notebook
> thingy) to patch the whole IT, what a nightshift ...
>
> *nix admins patch regularly but some (so called) windows admins don't -
> cause they did not realize that there is something to patch ...

the source of this difference is deeper:

(a) UNIX admins know computers and networks; windows admins know where
the control panel is.
(b) unix is modular; windoze is monolithic.

flames -> /dev/null

> I recommend the MS SUS server, it's free, you can test patches
> before approving them and it is inexpensive compared to SMS

i recommend linux. it's free and it works.

> - Change the behavior of XP Home (everyone is admin) - create an
> own install account with warning background - SuSE like with bombs

windows won't properly operate in all cases without admin rights, unless
you spend hours tweaking it. remember: NT's help and print system did
not work if you made c:\winnt read-only to everyone.

> - Software vendors - change your installers - most games run only
> as admin in WinXP ...

little they can do with a flawed operating system. while in unix,
security is being worked into the core, in the windoze world, security
is a band aid you shuff on top of the other 100 you already stuck on.

--
martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^."<*>"|tr "<*> mailto:"; [EMAIL PROTECTED]

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

i'm currently out trying to find myself. If I should get back before i
return, please keep me here.
Re: [Full-Disclosure] Anti-MS drivel
[EMAIL PROTECTED] wrote:

> Tobias, I have to tell you that >>Customer is king. When a customer "makes
> a mistake" then it's not his
> own but the vendor's mistake.<< is getting old.
>
> 1. If the customer decided to make a sharp left turn at 120 kph on an icy
> mountain road and slid his car off the side of the cliff...or...
>
> 2. If the customer decided to ignore the product warnings and popped that
> can of beans in the microwave then stood there with his face against the
> window to watch...or...
>
> 3. If the customer decided to go scuba diving at 100 meters, ignored the
> gauges that told him he was out of air, then decided to rocket to the
> surface as fast as he could so he could get a breath...
>
> THE CUSTOMER MADE A MISTAKE

True, but in all those cases it is reasonable to expect that a
(reasonable) customer _should_ know better.

The problem -- at least with "consumer computers" -- is that typical
consumers do not (and, it seems, for quite some time to come yet, will
not) "know better". However, we keep selling them computers as if the
mismatch between the devices' capability and the user's ability to use
them safely are in harmony.

This assumption clearly does not even hold for much of the corporate
world (or at least _has not_), where supposedly "expert" folk are
responsible for running the computer systems much of our financial
systems, and thus our commerce, now depends on. Despite this, the
computer industry was allowed to expand and expand and expand to the
point where any attempt to regulate it would have had massive negative
social, economic and political repercussions, meaning we ended up in
the situation of self-sustaining (commercial) madness that produced
Windows XP Home...

Regards,

Nick FitzGerald
Re: [Full-Disclosure] Anti-MS drivel
On Fri, 23 Jan 2004 12:58:34 CST, [EMAIL PROTECTED] said:

> Tobias, I have to tell you that >>Customer is king. When a customer "makes
> a mistake" then it's not his
> own but the vendor's mistake.<< is getting old.
>
> 1. If the customer decided to make a sharp left turn at 120 kph on an icy
> mountain road and slid his car off the side of the cliff...or...

We have a hundred years of experience and hand-me-down knowledge that let
people know this is a Bad Idea. It's in enough lifetime-experience that
it's safe to assume that by the time somebody goes to get a driver's
license, they've been passengers in enough cars and seen enough movies and
TV where cars go sliding off the road during high-speed chases to know that
"normal speeds the car tends to stay on the road, high-speed car goes
ballistic".

It's only been about 5 or 6 years since "Aunt Tilly" was the canonical
user, and Aunt Tilly didn't learn about the hazards from daily experience
because the hazards didn't exist. I learned a lot about cars from my
father, and I learned a lot about things that mattered 50 years ago, were
still important enough for him to teach me about 30 years ago, but don't
matter at all now, and I certainly didn't learn much about things that came
along after *I* hit middle age.

> 2. If the customer decided to ignore the product warnings and popped that
> can of beans in the microwave then stood there with his face against the
> window to watch...or...

Bad Example. A can of beans probably won't be that interesting, as the can
will probably generate enough sparks and similar that you'll say "Holy
S**T" and turn it off within 5 seconds. Trying to make a hard-boiled egg
in a microwave... now *that* is less obviously a Bad Idea (as the cooking
will appear to progress quite normally), and particularly dangerous because
it's possible for the Bad Things to happen *after* you've removed it from
the microwave...

> 3. If the customer decided to go scuba diving at 100 meters, ignored the
> gauges that told him he was out of air, then decided to rocket to the
> surface as fast as he could so he could get a breath...

Which is why dive instructors will beat this into you over and over and
over.

> THE CUSTOMER MADE A MISTAKE

"If a customer pops a chocolate in their mouth, they hardly expect to have
their cheeks pierced". It's the rare software package that says "Caution:
Real Crunchy Dead Frog inside" on the packaging.

I don't think you can say "the customer made a mistake" when they are using
the product in accordance with the manufacturer guidelines they received
with the product.

http://www.microsoft.com/security/protect/default.asp

1) When did Microsoft start shipping operating systems?
2) When did Microsoft start publicizing the above URL?
3) When did Microsoft start shipping systems pre-configured that way?
4) When did Microsoft make that URL the "first time connected" default for IE?

Now if the information that's on that web page was in a big READ THIS FIRST
that came with the computer, I'd agree.. But until that day

The closest comparison I can think of is the state of tobacco advertising
before the mandatory Surgeon General warnings - the manufacturers were
spending lots of money saying it was cool, and not informing of the risks.
Re: [Full-Disclosure] Anti-MS drivel
"Gregh" <[EMAIL PROTECTED]> wrote:
<>
> > I haven't seen a sign on the shrink wrap of Windows XP Home that says
> > "Administrator not included".
>
> It is always accepted in the Western world that if something is not SAID to
> be there and ISN'T there, then the people who manufactured it or sold it to
> you can't be held accountable for it NOT being there.
This is where you go off the rails...
You are simply wrong. At least when it comes to "general consumer
goods" there are all kinds of _assumed_ properties _that are never or
only very seldom mentioned in labelling_. You're in a supermarket or
at roadside stall buying apples; they have a big bin of them and you
can choose as many and whichever apples you want. The apples are not
labelled and any labelling you may find on the bin will not contain a
warning something like "Contain less than the minimum acceptable levels
of dioxin, PCBs, DDT [etc, etc]". Why not? Because various legal
processes "behind the scenes" require that (and, we hope, actually test
for it and monitor the situation, at least in some broad scope).
Likewise, other "due level of care" requirements specify, either
formally or through the court-determined if it ever gets there
"expectations of a reasonable person" concept.
And there's the rub with computers. They are now (and have been for
quite some time) sold as pretty much any other consumer electronics
device. The "reasonable person" does not worry, when buying a toaster,
or afterwards, while using it, that an entirely unknown and untrackable
person on the other side of the world can pillage his bank account
while the toaster is plugged in or at least while the toasting
mechanism is engaged and the machine is cooking his toast. It is
entirely reasonable for the consumer to not have to worry about such
things, so there is no need to put a pre-sales warning on the device to
that effect. Windows PCs however, are sold into the consumer market to
a very large extent because they enable Internet access. They are (by
and large) not sold with warnings about the near total lack of any
effective "protection" from the kinds of evils just described. Your
typical "reasonable person" may or may not be expected to be aware that
such dangers lurk at the end of the modem/DSL/cable/WiFi/etc
connection, but let's say for the sake of argument that in today's
society a "reasonable person" should be aware of such possibilities, at
least at some general level (such dangers are, after all reported in
the media, depicted in other popular culture materials and so on). The
"reasonable person" notes that there are no warnings on the computer
sales display stand at their favourite consumer electronics store,
notes there are no warnings about such thing inside the box when they
get it home, doesn't see any warnings when first turning the device on
nor when connecting it to the Internet. The reasonable person,
therefore, is quite reasonable in assuming the PC manufacturer and/or
Microsoft has taken the necessary precautions to make this machine
"safe" for Internet use because it was sold as "Internet ready". If
the "reasonable person" knows enough to be aware of various online
dangers, surely the experts at the PC manufacturer and/or Microsoft do
too and given they were allowed to sell the machine and it wasn't
plastered with warnings about its unsuitability for Internet use, the
reasonable person is entirely within their rights to assume that the
machine is, in fact, safe for such use.
Of course, we computer experts know that is not the case, but it is not
the typical consumer's fault they get bitten. It is the fault of the
computer seller who recommended this model given the consumer
explicitly said they wanted to "use the Internet", the PC manufacturer
for selling self-described "Internet ready" computers that are not
"Internet ready" by the reasonable standards of most of the folk who
will buy them, it is Microsoft's fault for foisting its OS on the
market claiming such high levels of ease of use while ignoring that all
the security shortcuts it took to make Windows so easy to use are
precisely the things that bite typical users hardest when it comes to
the typical uses they are encouraged to make of the machines running
the OS ("out of the box" Windows is only "safe" for an entirely
standalone, non-networked environment) and it is the regulators' fault
for perpetuating the travesty of removing from software (or even
computer systems as a whole) the same basic consumer protections as
every other product manufacturer has to work under (Why is Billy Boy
the richest kid in the world and so many of the other computer and
especially s/w moguls right up there despite the brief life of their
sector? Because they have not had to build their empires under the
threat of the huge financial costs of ensuring that they are making
products fit for their intended use, due to their lobbying for, and
Re: [Full-Disclosure] Anti-MS drivel
Tobias, I have to tell you that >>Customer is king. When a customer "makes
a mistake" then it's not his own but the vendor's mistake.<< is getting old.

1. If the customer decided to make a sharp left turn at 120 kph on an icy
mountain road and slid his car off the side of the cliff...or...

2. If the customer decided to ignore the product warnings and popped that
can of beans in the microwave then stood there with his face against the
window to watch...or...

3. If the customer decided to go scuba diving at 100 meters, ignored the
gauges that told him he was out of air, then decided to rocket to the
surface as fast as he could so he could get a breath...

THE CUSTOMER MADE A MISTAKE

Bart Lansing
Manager, Desktop Services
Kohl's IT
262-703-2911

[EMAIL PROTECTED] wrote on 01/21/2004 12:07:04 PM:

> Hi yossarian,
>
> On Wed, 21.01.2004 at 02:04, yossarian wrote:
> ...
> > So, basically, you are blaming the MS people for building a UI that can be
> > used by anyone.
>
> You haven't understood. Basically _I'm_ blaming "the MS people" for
> building a product that _can't_ be used by anyone but _is_ used by
> anyone.
>
> If anyone can use Windows, Office and so on then why the heck are there
> still that many virus and worm breakouts? Obviously MS Windows and
> Outlook are not easy to use.
>
> Read my other posts.
>
> Customer is king. When a customer "makes a mistake" then it's not his
> own but the vendor's mistake.
>
> cheers,
> Tobias

CONFIDENTIALITY NOTICE: This is a transmission from Kohl's Department Stores, Inc. and may contain information which is confidential and proprietary. If you are not the addressee, any disclosure, copying or distribution or use of the contents of this message is expressly prohibited. If you have received this transmission in error, please destroy it and notify us immediately at 262-703-7000.

CAUTION: Internet and e-mail communications are Kohl's property and Kohl's reserves the right to retrieve and read any message created, sent and received. Kohl's reserves the right to monitor messages by authorized Kohl's Associates at any time without any further consent.
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Cael Abal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 23, 2004 1:27 AM

> If I understand him correctly, Tobias is simply suggesting that users
> ought not be held accountable for using faulty software. Using a

That IS and WAS the point. Perhaps you ought to read what I was saying. To
boil it all down, I was saying "If the user is such an idiot as to get on to
the net without understanding what they can be open to and doing something
about it in the first place, it isn't the fault of the bank if their account
was emptied because they installed a keylogger on their machine.". Such
things aren't the fault of the OS but the fault of the user entirely. In
this case, the bank did nothing wrong, the OS wasn't to blame, the ISP had
no fault attributable to them either. You can't blame MS, the ISP or anyone
else if you decide to go web banking without a decent AV and/or firewall
prog. If the user doesn't even know what all that means, then they should
have the sense to seek out someone who does.

> debatable but reasonable definition of faulty software, as he does, it's
> really a fairly robust and straightforward argument.

It's also classically wrong in a lot of users' cases. In most cases it isn't
the OS to blame. Most users who are ripped off by Dumpers or Keyloggers do
so because they get on the net without a clue and without a thought. Those
people often then blame the corporate entity which did nothing wrong. It is
their own fault.

Greg.
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Tobias Weisserth" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 7:38 PM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Hi Greg,
>
> On Thu, 22.01.2004 at 07:07, Gregh wrote:
> ..
> > > I'm dieing to know...
> > >
> >
> > What are you dieing? T-shirts? :)
>
> Yes, foreign languages are hard to master. I guess "dieing T-shirts" is
> in the process of learning them ;-)
>
> Maybe we should continue this debate in German then. Or Dutch. Or
> French. Choose one :-)

You chose to be silly in the first place. You just got it back when I was
in a weak moment.

> ..
> > > You didn't understand this. Not one bit.
> > >
> >
> > Nope, YOU didn't understand this "not one bit".
>
> I guess we're stuck then. Nothing you are going to say or compare will
> change my view and vice versa.
>
> > > If you are a vendor and you ship a software that is intended to be used
> > > by average Joe and average Jennie then _you_ have to take this into
> > > account.
> >
> > If the user is so stupid as to not have someone check his computer and
> > secure it, then it isn't the problem of the OS vendor *WHERE* the problem is
> > something like a keylogger though admittedly, if the OS is to blame, there
> > is some reason to blame the OS manufacturer.
>
> If the consumer version of an OS requires "someone to check his
> computer" then there IS something major wrong with the product. Excuse
> me, but this is trivial.

Of course it is trivial. The computer owner SHOULD check his computer or
have someone check it for him if he doesn't understand it. That is a BASIC
principle you seem not to understand. I am no locksmith. Should I trust the
new house I am moving in to won't be robbed or should I get a locksmith to
check it out for me, as I don't know much about that and advise me how to
lock down my house properly? Same principle as locking down your computer.

> > > Why is it possible that a user is able to make this mistake?
> >
> > Oh COME now! Are you so INSULAR that you don't realise the real world?
>
> I do realise. But do manufacturers? If this is so natural to you why
> don't you think that it's a bad idea to ship an OS WITHOUT the option to
> open attachments from within email clients?

Let's give you an example. My own father in law, when first going on
internet, decided he wanted to read about one of his hobbies, model trains,
on the web. He knew enough to dial in to his ISP, load his browser and go
to Yahoo where he typed in, for the search "models". He clicked on the
first thing that came up and it happened to be a topless model (female) gif
done to music where the breasts independently did odd things. :)

Whose fault is that? MS? Nope. They wrote the browser he used and this was
no access violation issue. His ISP? Nope. Don't shoot the messenger, here!
Yahoo? Well, not really though to some extent, probably yes. Was it the
fault of the person who put that web site up that he ended up at? No, it
was soft porn and was totally legal in this country at that time. It was
HIS fault. Why? He didn't KNOW enough.

Why do you think there are drivers tests? So people with the physical
ability to get a car key and get into a car, start it and drive it can be
tested for ability to drive safely. Put another way, an expert has taught
them what to do to the point where they can be licenced. If they have an
accident not due to shoddy workmanship of the car or road or someone else
doing the wrong thing then it is their fault. So it is that if a person
gets on the web and does web banking (one thing I don't like the idea of
one bit, personally) with a keylogger installed, no idea about AV progs or
even a basic software firewall, then it is no-one else's fault but theirs
if they lose their money.

> > My
> > wife works for a MENSA member, a recognised genius who would likely have
> > more brain capacity than most people in the world. He doesn't have a CLUE how
> > to secure his computer. WHY? He isn't in the least INTERESTED in computers
> > outside of using them to do his work on. Oh and BTW, his work, nothing to do
> > with computers other than using them as a tool, made him a
> > multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to
> > know what he is doing with a computer. He, likely, has more money than you
> > and I put together EVER will have unless one of us wins over 300 million US
> > dollars.
>
> You know, money isn't my ultimate goal in life, so let the guy have
> another 300 million ;-) I don't measure
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Scott Francis" <[EMAIL PROTECTED]>
To: "yossarian" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 6:29 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel
Re: [Full-Disclosure] Anti-MS drivel
> > Why is it possible that a user is able to make this mistake?
>
> Oh COME now! Are you so INSULAR that you don't realise the real world? My
> wife works for a MENSA member, a recognised genius who would likely have
> more brain capacity than most people in the world. He doesn't have a CLUE how
> to secure his computer. WHY? He isn't in the least INTERESTED in computers
> outside of using them to do his work on. Oh and BTW, his work, nothing to do
> with computers other than using them as a tool, made him a
> multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to
> know what he is doing with a computer. He, likely, has more money than you
> and I put together EVER will have unless one of us wins over 300 million US
> dollars. In my book, this guy is devoting his time the best way possible.
> Learning what to do with computers to the extent where he can lock it down
> is actually financially irresponsible to him. He can PAY someone US$200 an
> hour to do that and per hour STILL come out in front by a LONG shot.
>
> What IS it with computer/I.T. professionals (or those who know as much even
> if not so employed) that they think just because THEY know how to do it,
> everyone SHOULD know? Not everyone is INTERESTED and not everyone thinks it

Greg, I just wanted to break in here and suggest you reread Tobias' last
few posts -- he's not arguing the position you seem to think he is.
Actually, he's arguing almost completely polar to what you're attributing
to him. Are you trolling?

If I understand him correctly, Tobias is simply suggesting that users ought
not be held accountable for using faulty software. Using a debatable but
reasonable definition of faulty software, as he does, it's really a fairly
robust and straightforward argument.

take care,

Cael
Re: [Full-Disclosure] Anti-MS drivel
Hi Greg,

On Thu, 22.01.2004 at 07:21, Gregh wrote:
> ...
> That has nothing to do with ANYTHING. If I install a keylogger on YOUR
> computer and you DON'T know about it and let's say your bank was at
> www.bank.com and your account name was BOB and password was 123ghqofc0
> right? Now you have just gone to the bank's web site and have typed, in
> plain text on your keyboard, that username and password. Where does
> CRYPTOGRAPHY stop that being recorded as you TYPE it and later sent
> elsewhere? Surely you know what a keylogger IS don't you?

You couldn't do a thing with the account information of a European online
banking account. You need a new TAN number for every transaction you make.
Even changing personal data of the account settings requires a TAN. No
keylogger in the world can make you use this account if you haven't the
TANs. Delivering TANs may be a "low tech" measure but it works. There
hasn't been a single reported incident of online banking fraud I know of.

For the rest, you have read my views in most other mails,

cheers,
Tobias
Re: [Full-Disclosure] Anti-MS drivel
Hi Greg,

On Thu, 22.01.2004 at 07:07, Gregh wrote:
...
> > I'm dieing to know...
>
> What are you dieing? T-shirts? :)

Yes, foreign languages are hard to master. I guess "dieing T-shirts" is in the process of learning them ;-) Maybe we should continue this debate in German then. Or Dutch. Or French. Choose one :-)

...
> > You didn't understand this. Not one bit.
>
> Nope, YOU didn't understand this "not one bit".

I guess we're stuck then. Nothing you are going to say or compare will change my view and vice versa.

> > If you are a vendor and you ship a software that is intended to be used
> > by average Joe and average Jennie then _you_ have to take this into
> > account.
>
> If the user is so stupid as to not have someone check his computer and
> secure it, then it isn't the problem of the OS vendor *WHERE* the problem is
> something like a keylogger though admittedly, if the OS is to blame, there
> is some reason to blame the OS manufacturer.

If the consumer version of an OS requires "someone to check his computer" then there IS something major wrong with the product. Excuse me, but this is trivial.

> > Why is it possible that a user is able to make this mistake?
>
> Oh COME now! Are you so INSULAR that you don't realise the real world?

I do realise. But do manufacturers? If this is so natural to you why don't you think that it's a bad idea to ship an OS WITHOUT the option to open attachments from within email clients?

> My
> wife works for a MENSA member, a recognised genius who would likely have
> more brain capacity than most people in the world. He doesn't have a CLUE how
> to secure his computer. WHY? He isn't in the least INTERESTED in computers
> outside of using them to do his work on. Oh and BTW, his work, nothing to do
> with computers other than using them as a tool, made him a
> multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to
> know what he is doing with a computer. He, likely, has more money than you
> and I put together EVER will have unless one of us wins over 300 million US
> dollars.

You know, money isn't my ultimate goal in life, so let the guy have another 300 million ;-) I don't measure personal achievements in money.

> In my book, this guy is devoting his time the best way possible.
> Learning what to do with computers to the extent where he can lock it down
> is actually financially irresponsible to him. He can PAY someone US$200 an
> hour to do that and per hour STILL come out in front by a LONG shot.

Why should owning a consumer version of an OS require ANYBODY (no matter how rich or poor) to have an additional administrator? I haven't seen a sign on the shrink wrap of Windows XP Home that says "Administrator not included". Obviously you think too that Windows XP Home can't be used without professional help so of course there's something wrong with the product.

> What IS it with computer/I.T. professionals (or those who know as much even
> if not so employed) that they think just because THEY know how to do it,
> everyone SHOULD know?

Now you are talking my way. How does this fit in with the idea that everybody should have his personal IT guru at home?!

> Not everyone is INTERESTED and not everyone thinks it
> is a good use of their time!

So he shouldn't be bothered, right? Why does he have to hire someone then?

> > Why can attachments that come in via email be executed by a user?
>
> Why not?

Because it poses a significant security threat. And every sane OS designer _knows_ there are billions of potential users who'll blindly do it. A bright designer foresees this and designs his product in a way users can't blow themselves into oblivion.

> In benign situations it is often helpful to a user. Just because
> Mr. Nasty decided to exploit this for whatever reason doesn't make it a BAD
> idea.

Yes it does. Of course it's nice to leave the door open while you do shopping. A constant draft of fresh air will flow through the house. But it's a VERY stupid idea because everybody knows that open doors provoke theft.

> It just makes it a co-opted idea. Education is the fault here.

Then have fun. Explain security to consumers. It NEVER has worked and it NEVER will. Look at it!! Viruses have been part of business life for almost a decade now and people still are falling for "Hi... Test" and start an attachment that is named randomly. You yourself said that this rich guy doesn't bother how to secure his PC. What makes you think he is willing to spend his time on "education" about how or not to open an attachment?!

> The person doesn't KNOW what they are doing yet are blindly clicking anyway. If
> they didn't get someone to educate them or tie things down to safeguard
> against this, then THEY are at fault.

That's where we differ. If a vendor can't produce a product in a way the consumers use it in a safe way without education then the product sucks.

> Why can a car be started by ANYONE with the key?

Again: cars and computers are not
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Erich Buri" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 10:21 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Hi Gregh,
>
> do you work for MS? look at the answer from tobias.

If I did, do you think I would bother being on lists? I would be having too much fun looking into their software!

> All what you wrote
> can be avoided with today's knowledge of cryptography. And must be

What? You mean that as you type, you don't think that those strokes can be taken down and transmitted elsewhere on the net NOT encoded? Surely you must be joking!?

> avoided, at least in Europe. The bank is responsible for that. There's
> even no need for TC/Palladium whatsoever.

That has nothing to do with ANYTHING. If I install a keylogger on YOUR computer and you DON'T know about it and let's say your bank was at www.bank.com and your account name was BOB and password was 123ghqofc0 right? Now you have just gone to the bank's web site and have typed, in plain text on your keyboard, that username and password. Where does CRYPTOGRAPHY stop that being recorded as you TYPE it and later sent elsewhere? Surely you know what a keylogger IS don't you?

>
> I think you can move on with painting hypothetical situations, but
> finally I fully agree with Tobias: Customer is king. Only a company as
> big as MS can ignore this.

Actually you are arse about face on that. MS actually THINKS customer is king which is why they made a simple to use OS for most people. If the customer installs a keylogger on their system, NO amount of cryptography will stop the keypresses being recorded and sent elsewhere and thus the customer running the chance of being ripped off. This isn't the fault of MS or the bank. It is the CUSTOMER'S fault. Don't you understand that BASIC idea?

>
> What MS actually does is leading customers into a trap. MS Products look
> as if they were so easy to use that _every_ body could work with it,
> just like that - "you don't need to know a thing". Intuitive User
> interface etc.

Absolutely nothing to do with anything at all discussed in what I said. A keylogger wouldn't care about that. If a keylogger writer wrote it to infect a MAC it would be the same output as if it were on an MS based PC or a keylogger that may be on *nix. Gee, mate, wake up! KEYLOGGER! It records what keys you press on your keyboard as you type!

Greg.
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Tobias Weisserth" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 8:53 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Hi Greg,
>
> On Tue, 20.01.2004 at 21:45, Gregh wrote:
> ..
> > Let me paint you a hypothetical situation to show you where what you said is
> > wrong:
>
> I'm dieing to know...

What are you dieing? T-shirts? :)

> > User receives keylogger attached to email as an exe and stupidly executes
> > it.
>
> You didn't understand this. Not one bit.

Nope, YOU didn't understand this "not one bit".

> If you are a vendor and you ship a software that is intended to be used
> by average Joe and average Jennie then _you_ have to take this into
> account.

If the user is so stupid as to not have someone check his computer and secure it, then it isn't the problem of the OS vendor *WHERE* the problem is something like a keylogger though admittedly, if the OS is to blame, there is some reason to blame the OS manufacturer.

> Why is it possible that a user is able to make this mistake?

Oh COME now! Are you so INSULAR that you don't realise the real world? My wife works for a MENSA member, a recognised genius who would likely have more brain capacity than most people in the world. He doesn't have a CLUE how to secure his computer. WHY? He isn't in the least INTERESTED in computers outside of using them to do his work on. Oh and BTW, his work, nothing to do with computers other than using them as a tool, made him a multi-millionaire. Why the HELL should this guy, according to you, *HAVE* to know what he is doing with a computer. He, likely, has more money than you and I put together EVER will have unless one of us wins over 300 million US dollars. In my book, this guy is devoting his time the best way possible. Learning what to do with computers to the extent where he can lock it down is actually financially irresponsible to him. He can PAY someone US$200 an hour to do that and per hour STILL come out in front by a LONG shot. What IS it with computer/I.T. professionals (or those who know as much even if not so employed) that they think just because THEY know how to do it, everyone SHOULD know? Not everyone is INTERESTED and not everyone thinks it is a good use of their time!

> Why can attachments that come in via email be executed by a user?

Why not? In benign situations it is often helpful to a user. Just because Mr. Nasty decided to exploit this for whatever reason doesn't make it a BAD idea. It just makes it a co-opted idea. Education is the fault here. The person doesn't KNOW what they are doing yet are blindly clicking anyway. If they didn't get someone to educate them or tie things down to safeguard against this, then THEY are at fault. Why can a car be started by ANYONE with the key? If someone starting that car without the permission of the owner takes it and runs over another person, killing them, is that the fault of the car manufacturer?

> > This is software design flaw, not a user mistake.
>
> This is a matter of definition, Greg.
>
> When I say that the user is always right then this means that software
> has to be adapted to the user's education and not the other way around.

A common setup - Say WIN98 with Internet access. They call in someone and tell them they want to be as secure as possible. That person installs (name your flavour of WIN98 compatible AV prog here) which works well and also, say, Zone Alarm *free edition*. The person, still no wiser as to executables, receives an infected one from a friend who has an infected machine and didn't actually send it to them but the person thinks it is from them anyway so executes it. Their AV prog jumps in at this point, stops it from executing and informs the user that it was a virus and gives the name. The user doesn't HAVE to worry about things that way. This IS software already around adapted to the least knowledgeable computer user. The fact that the infected exe CAN be run doesn't mean there is a design flaw. You will never stop viruses happening while the world still uses PCs the way they are now and it doesn't matter what OS you use. There are enough on any of them AND Macs to make people who KNOW what they are doing at least think about them.

At this point I took the time to read the rest of your letter instead of reading while replying because I was a little amazed at your lack of understanding of the real world OUTSIDE of computers and I realised I would never convince you that the world operates not the way you want it to but the way it will, so I have to give up right now. All I can say is that experience will, one day, light the way.

Greg.
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Scott Francis" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 4:17 PM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> On Wed, Jan 21, 2004 at 07:50:47AM +1100, [EMAIL PROTECTED] said:
> > Yeah! Keylogger trojans and spyware are ALL the fault of MS!!
> >
> > (blink blink?)
>
> how many keylogger trojans and spyware do you know of that will run on
> anything _other_ than MS (hell, most of them require IE/OE to get on in the
> first place).

HAHAHA!! You can't HONESTLY be serious! You think MS wrote them, huh? Yeah, MS is to blame for everything! HAHAHA!!

Greg.
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "Tobias Weisserth" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: "Mary Landesman" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 9:01 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Hi Greg,
>
> On Tue, 20.01.2004 at 21:48, Gregh wrote:
> ..
> > In the same way as that, your computer today, may be as secure as anyone can
> > make it, on the web and then tomorrow, someone finds another way in. Hell,
> > MS may be the most attacked OS in the world for sure (it is the most used
> > one so no surprise, there) but every other OS has had weaknesses that can be
> > exploited.
>
> Is it really so hard to agree that there is a difference between an OS
> that ships with all services disabled in comparison to an OS with many
> services enabled by default?

...and there we have it. You are talking about 1970s computing as opposed to now. Actually, even computing from 1990. I had to write reams of configs just to get on the net back in 1990. Today, I can point and click a Windows PC on to the net in minutes. What's the difference here? Well, the harder a thing is, the less the person wants it. MS sells to more because they made it easier to do a lot of things and of course they made some sound business decisions early on in the company's life. Whereas YOU can enable whatever you want because YOU know how, most people in the world can't. So, where would we be today if we went your way? Less take-up of computers, thus internet thus jobs.

>
> If you're not able to see this and agree to this you'll always be
> trapped inside the prison of your mind on this.

You know, I would have to say that you can't see past your OWN limitations therefore it is everyone else's fault by that comment.

Greg.
Re: [Full-Disclosure] Anti-MS drivel
> The Pinto is a perfect example. It was a conscious design decision to save a
> few bucks, the theory being that lawsuits for exploding pintos would cost
> less than fixing said Pinto. The difference being that suing a software
> company is almost impossible, so the cost of fixing vs. the cost of lawsuits
> is wildly in favor of dealing with any lawsuits (of which so far there
> haven't really been any). Oh well.

Why? Since software is not used out of the box, but applied to a hardware device in order to function. The legalities are that you can only sue the vendor of the preinstalled box, as long as you follow the instructions. You do take your car to the garage, don't you? If someone in a shop advised you to buy a specific 'puter, sue the shop.

This is the reality of software: unless the CD jumps out of the jewel case and slits your wife's throat, there is no legal case. At best you can get your money back, never the collateral damage, especially when the said software does not claim to be for mission critical systems. Run NSK if you need that. The only possible vector for home PC users might be if the home PC gets rooted by an unfixed yet disclosed flaw and attacks another party, which subsequently sues you. Then you might have a case - for the defense.

Part II is of course that with the Pinto, people got killed. With computers that is rarely the case. If it is, it is in hospitals and the like, and then you sue the hospital for not patching or for using a piece of software for what it wasn't designed to do. In Windows, it is a design decision not to make it mission critical. Hence the licenses come a lot cheaper than NSK or the like, and you can run it on nearly any crappy hardware.
Re: [Full-Disclosure] Anti-MS drivel
> I don't know how this works in the US but in Europe gas stations and
> fuel inlets are only compatible if you use the right fuel. I couldn't
> refuel my car with Diesel even if I wanted to.

Like I said - the other way around. Since the majority of cars is on petrol, putting diesel in it is blocked by the size of the muzzle. I drive a diesel - and lo!, I can put petrol in it. Of course there is the sticker. Well, that does not seem to help much as the man from Hertz told me - a reason why renting a diesel car is much more expensive. The point: people make mistakes.

> > Who is to blame - we are talking product liability
> > here, while most of us are not trained in legal matters - hence the example.
>
> There is the difference between a consumer taking action to damage the
> product in contrast to the consumer NOT taking action to REPAIR a
> product the vendor shipped broken.

Shipped broken is a matter of definition. If it comes preinstalled you might have a case, selecting the default options from a CD - then you don't. If it is preinstalled, you should go for the vendor of the machine, not MS.

> > And remember - people are required to have formal training to drive a
> > car
>
> Do you want to establish the same situation for PCs? Vendors will not be
> happy since this limits their market.

No. I would be jobless without stupid users. And the driver's license thingie - well I drive some 300 km per day to get to work, it doesn't seem to help much anyway.

> > When I drove home after reading this thread, I tried to open the hood while
> > driving - guess what? It does.
>
> It's mechanical, right? No electronic stuff between the lever you pull
> and the hood, right?

So? Precautions need not be electronic. And like you said, with the lever under the driver's seat - well I had a car (Renault 4) and the lever was in the centre of the dashboard. True it is an old design, but the analogy just proves that it takes ages to design idiot proof consumer products, whether operating systems or cars. And I am quite sure that lessons are forgotten in car design too. The Pinto is the most famous misdesign in cars, having the fuel tank in a position where it would easily explode in a car accident. A propos your OT: many of these differences in availability have to do with safety regulations resulting in part from the Pinto. Maybe google for the affair, it gives a good insight in product liability. I have never actually seen a Pinto, living in the Old World as you do, but the example was used when I went to law school in the 80s.

> [OT]
> Sorry, doesn't ring a bell. I'm not really into the American car market,
> sorry. I drive a car you can't buy in the States and there are even more
> cars in the States that are not for sale in Europe. It's amazing how a
> landscape can differ by just looking at the different types of cars,
> don't you think? :-)
> [/OT]

> If people wouldn't run as administrators in XP Home then the execution
> of malicious code would only be half as bad as it is.

XP Home is like it says, for home use. All it needs is a Do Not Do This At Home sticker ;-). What would you expect home users to do - hire an admin? I know MCSEs come cheap these days, but in reality, they'll mess up any system.

>
> You haven't understood this a bit. You are not doing the customer a
> favour when you let him be administrator by default. When end user
> applications need admin rights to run under Windows then this is serious
> design flaw that needs to be changed before demanding changes in users
> behaviour.

Well, end users do not like to log off to install software, and many home users do that all the time. Bought a PC magazine lately? Always a CD or DVD with it. It usually is a hobby machine. Messing around is part of the fun, but they don't want the risk. That's what I learned being a repairman for a computer shop. And IMHO customers are usually wrong, but heck, it is their money. You can run all normal Windows software under a normal user account anyway - unless it is a certain AV tool -, but that is not what people want: all the power but none of the risks. Gosh, just like the real world.

> Who do you want to sell PCs? Only companies with IT infrastructures?
> Only administrators? Computer Science students? Or the average guy on
> the street, the six year old, the granny?
> This is an economic question. Not a technical one. If you want to sell a
> product then it has to be aimed at a specific group of consumers. If
> they can't handle your design, then they'll eventually switch as soon as
> there is competition available that is doing better. We are about to get
> into this situation within this year and the next few years.

You are aiming to outlaw XP Home? The competition already exists, but people do not change. I have seen many home users running XP Pro at home - never seen XP Home in a Torrent or eDonkey - and always as Admin.

>
> Yes. Let's blame MS for not closing down unnecessary services on
> con
Re: [Full-Disclosure] Anti-MS drivel
Hi yossarian,

On Thu, 22.01.2004 at 00:05, yossarian wrote:
> Have you noticed that you can put diesel in a normal car, cause the muzzle
> at the gas station is too thick?

When you open the lid it says on the inside which type of fuel you need. When a user buys a computer he knows if he bought a PPC or a x86 the same way they know they bought a Diesel instead of an Otto fuel engine. Your fuel analogy may work for cases where consumers have bought Mac software by accident though they have a PC ;-)

> Ask the local garage how often it happens the other way around.

I don't know how this works in the US but in Europe gas stations and fuel inlets are only compatible if you use the right fuel. I couldn't refuel my car with Diesel even if I wanted to.

> Who is to blame - we are talking product liability
> here, while most of us are not trained in legal matters - hence the example.

There is the difference between a consumer taking action to damage the product in contrast to the consumer NOT taking action to REPAIR a product the vendor shipped broken.

> And remember - people are required to have formal training to drive a
> car

Do you want to establish the same situation for PCs? Vendors will not be happy since this limits their market.

> With the latest updates for Outlook, most attachments are blocked by
> default, and guess what: question No.1 to the helpdesk: how do I turn this
> feature off?

See? That's what I actually predicted. If a risky feature is turned off by default then users who want it enabled have to educate themselves, using the help-desk at the company or local product documentation in the case of the home end user. If a single user is willing to take the risk - fine. Let him. But millions of other users will be happy the way it is and stupid spreading mechanisms like "running an attachment" will not be spreading Win32/Bagle-A in the future.

> When I drove home after reading this thread, I tried to open the hood while
> driving - guess what? It does.

It's mechanical, right? No electronic stuff between the lever you pull and the hood, right? As you must know, such "driving"-"computing" analogies are useless and pointless since people need a license to drive while a PC is an ordinary consumer product we expect our kids can operate.

> So things can go wrong when I just push buttons randomly. But only irresponsible and
> stupid people will do that!

But people are this way. There's no point in trying to change them. Even when you succeed in doing so, new and maybe even worse stupidity regrows. When you have a solid product that is near fool-proof it doesn't matter if Murphy sends wave after wave of stupid users against you.

> Yep, cause if the wind catches the hood it will fold over the windscreen.
> Let's sue GM!

Let's say the lever to open the hood is placed in a way the driver or the co-driver could operate it with ease and without shifting position in the seat then this would indeed be a reason to sue the manufacturer. Imagine a curious minor is sitting on the co-driver's seat and plays around at the radio and pulls the lever next to it. The lever in my car is placed UNDER the driver's seat so that people don't get the idea of pulling it. Attachments are usually displayed along with the message and can be opened without "shifting position while driving".

> My car won't even complain when driving in the dark without
> the lights on. Technically a piece of cake to fix - my former car put them
> on automatically - and the wipers when it rained, too. But the new one
> doesn't - my point is that even in car manufacturing with a 100 years
> experience, certain security features are lacking in new cars. Remember the
> Pinto?

[OT]
Sorry, doesn't ring a bell. I'm not really into the American car market, sorry. I drive a car you can't buy in the States and there are even more cars in the States that are not for sale in Europe. It's amazing how a landscape can differ by just looking at the different types of cars, don't you think? :-)
[/OT]

> Now the e-mail attachment. E-mail is the killer app, most used PC feature,
> so this is where stupid people are bound to do wrong. If you block opening
> attachments they'll save it to their desktop and either call the helpdesk
> since they can't seem to find the file and start yelling about it, or open
> it from the desktop.

This is already enough. Most users won't even bother when they can't open an executable attachment they didn't expect. They'll dismiss it and go on. Even if some individual users pursue their quest of curiosity and want to start the damn thing then they still form a minority. This improves things. Imagine only 3 out of 10 users who want to start an anonymous email attachment care to find out how to sail around inbuilt security. The 7 other users give up, don't care or continue in their work flow. Then only 3 out of 10 PCs get infected where we normally had 10 infected PCs that would have tried to infect more and co
Re: [Full-Disclosure] Anti-MS drivel
Tobias wrote:
> > The fact that people use Windows and Office, proves that they can - basic
> > Vulcan Logic.
>
> No. _IF_ people could use MS Windows/Outlook then things like
> Win32/Bagle-A wouldn't stand a chance because people either knew not to
> start or couldn't execute attachments from within email clients. The
> fact that millions of end users _do_ run email attachments from within
> their email clients shows that they _are not_ able to use Windows. It is
> the wrong operating system for them.

Have you noticed that you can put diesel in a normal car, cause the muzzle at the gas station is too thick? Ask the local garage how often it happens the other way around. Who is to blame - we are talking product liability here, while most of us are not trained in legal matters - hence the example. And remember - people are required to have formal training to drive a car.

With the latest updates for Outlook, most attachments are blocked by default, and guess what: question No.1 to the helpdesk: how do I turn this feature off?

When I drove home after reading this thread, I tried to open the hood while driving - guess what? It does. So things can go wrong when I just push buttons randomly. But only irresponsible and stupid people will do that! Yep, cause if the wind catches the hood it will fold over the windscreen. Let's sue GM! My car won't even complain when driving in the dark without the lights on. Technically a piece of cake to fix - my former car put them on automatically - and the wipers when it rained, too. But the new one doesn't - my point is that even in car manufacturing with a 100 years experience, certain security features are lacking in new cars. Remember the Pinto?

Now the e-mail attachment. E-mail is the killer app, most used PC feature, so this is where stupid people are bound to do wrong. If you block opening attachments they'll save it to their desktop and either call the helpdesk since they can't seem to find the file and start yelling about it, or open it from the desktop. Believe me, I've seen this happen. What do we do next - prevent users from starting executables altogether? Make a .Pol file so the only executable they can run is winword.exe and outlook.exe? Theoretically sound, but with the reality in many shops that they give local admin to users since the customer is always right, or some other lame excuse, it won't work. People just clicking everywhere should not be using *any* operating system, or any other complex device for that matter, like a car. Why blame a device for complexity some people can't handle? ANY device?

> > The faulty nature does not deter many people from using it, so
> > the flaws cannot be too serious.
>
> A problem is only a problem in the eye of the end consumer if "rien ne
> va plus". Only when a PC won't start up again, the end user knows
> "Uh-Oh...".
>
> In the meantime this same virus and worm ridden system has caused major
> traffic jam on email servers and made the day on the Internet a hell.

Routers choke, servers gasp, let's blame MS, is that it? Let's imagine a worm that propagates using something like older OpenSSH, open FTP directories accepting anon, and samba shares - use buffer overflows in sendmail and apache for effective rights - and CORBA to root. It contains a mechanism for detecting the network lay-out, along the lines of p0f, and a tunneling mechanism for additional payload over a P2P like network, with a TLS communication. And it would trigger at certain intervals ARP flooding to all systems with DNS and BootPS. At the end of the year it would tell intel processors it is a 286. To make the fun bigger it would find the installed certificates on the machine and use it to sign the trojans it installs. Would networks crumble? Servers and routers need special care, for cases such as this one. Complaining about either stupid users or Outlook is not going to change anything - fix your infra. And chop-bloody-chop with it!

If you are to build a virus, go for the greater numbers. Worms even more so. So this is what it all boils down to - the risk of the monopoly. And yes this puts a huge responsibility on MS. Maybe we can blame them, but any monopoly on the desktop brings this risk. Since standardisation in OS and applications is corporate policy everywhere, and globalization is real, there will always be a monopoly on the desktop with all its inherent risks. Maybe not MS's but then some other. And guess what? The next one will be worm and virus-ridden too. That is the reality of being a sysadmin in the 21st century. If you can't take the heat, stop whining, this is a kitchen you know.
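yossarian notes above that recent Outlook updates block most attachments by default, and Tobias argues that such a default-off is what stops spreading mechanisms like "running an attachment". The following Python example is added here and is not from the original posts or from any mail vendor: it applies the same default-deny idea at a mail gateway, stripping attachments whose final extension is on a block list and, independent of the filename, any attachment whose bytes begin with the "MZ" signature of a DOS/PE executable. The block list, the X-Attachments-Removed header and the sample message (addresses, filenames and contents) are all constructed for the example.

```python
import email
import email.policy
from email.message import EmailMessage

# Constructed block list in the spirit of the "blocked by default" behaviour
# described above; it is not the list any particular mail client ships with.
BLOCKED_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}


def normalise_name(filename):
    """Lower-case the name and drop trailing dots/spaces, which some clients
    silently ignore when deciding how to open a file."""
    return (filename or "").strip().rstrip(". ").lower()


def is_risky(filename, payload):
    """Default-deny decision: block on the *final* extension (so
    'invoice.pdf.exe' is an .exe) and, independent of the name, on the
    'MZ' signature every DOS/PE executable starts with."""
    name = normalise_name(filename)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return True
    return payload[:2] == b"MZ"


def strip_risky_attachments(raw):
    """Parse a raw RFC 822 message, remove risky attachments at every multipart
    level and return (cleaned_message, names_removed)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    removed = []

    def prune(part):
        if not part.is_multipart():
            return
        kept = []
        for sub in part.get_payload():
            if sub.is_multipart():
                prune(sub)
                kept.append(sub)
                continue
            filename = sub.get_filename()
            if filename or sub.get_content_disposition() == "attachment":
                data = sub.get_payload(decode=True) or b""
                if is_risky(filename, data):
                    removed.append(filename or "<unnamed>")
                    continue
            kept.append(sub)
        part.set_payload(kept)

    prune(msg)
    if removed:
        # Constructed header name so the recipient (or a SOC) can see what happened.
        msg["X-Attachments-Removed"] = ", ".join(removed)
    return msg, removed


def remaining_attachment_names(msg):
    return [part.get_filename() for part in msg.iter_attachments()]


def build_sample_message():
    """Constructed sample: a plain body, a harmless PDF, a double-extension
    executable and an executable renamed to .txt. Addresses are RFC 2606 examples."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Hi"
    msg.set_content("Test")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed fake PE stub", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ renamed executable stub", maintype="text",
                       subtype="plain", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, gone = strip_risky_attachments(build_sample_message())
    print("removed:", gone)
    print("kept:", remaining_attachment_names(cleaned))
```

Checking the final suffix after trimming trailing dots and spaces is what catches "invoice.pdf.exe"; the content check catches an executable renamed to .txt. Stripping at the gateway also removes the "save it to the desktop and run it from there" path yossarian describes, because the file never reaches the user in the first place.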
Re: [Full-Disclosure] Anti-MS drivel
Hi yossarian,

On Wed, 21.01.2004 at 20:20, yossarian wrote:
> Mmmm, who forced them to use it?

Mmh. Nobody "forced" them to use it. They are kind of deceived into using it. What choice do they have when they buy a new PC? Ever heard of OEM vendor deals?! And they might think they are able to use it but actually they utterly fail. And when a consumer fails to use a product the product is broken.

> Not the IT people, who at the time were
> still locked up in the Ivory Towers of Data Heaven.

Those are the same people sitting in their tower demanding that users be educated how to properly use a product.

> I remember my then CEO (at a big bank) firing the head of IT, because he was still
> opposing windows
> on the desktop, and the CEO could make splendid presentations and the like
> on his son's windows PC. It was a bottom up revolution, small businesses and
> home users were the early adopters.

At this blissful time MS still had to show innovation in order to _gain_ market shares. Nowadays they have nothing to gain in terms of market share.

> The fact that people use Windows and Office, proves that they can - basic
> Vulcan Logic.

No. _IF_ people could use MS Windows/Outlook then things like Win32/Bagle-A wouldn't stand a chance because people either knew not to start or couldn't execute attachments from within email clients. The fact that millions of end users _do_ run email attachments from within their email clients shows that they _are not_ able to use Windows. It is the wrong operating system for them.

> The faulty nature does not deter many people from using it, so
> the flaws cannot be too serious.

A problem is only a problem in the eye of the end consumer if "rien ne va plus". Only when a PC won't start up again, the end user knows "Uh-Oh...". In the meantime this same virus and worm ridden system has caused major traffic jams on email servers and made the day on the Internet a hell. So, from my perspective these ARE serious flaws.

> Otherwise they would just stop or get an
> alternative. Before Mandrake 9 many companies tried to push their desktop
> OS... and failed.

You know what? This is happening just now. THERE ARE alternatives for 75% of end users. And please don't give me the "there are no games" crap. You can pretty much buy a good console and some games from the savings in license costs when you choose a free operating system and free software. :-)

> Remember Warp?

I had Warp. It was a great product. A pity MS already had their Office monopoly established. I used Star Office 3.1 on Warp and it was stable, MUCH MUCH MUCH more stable than Windows 95 which seemed like an unstable alpha version of Windows 98 in retrospect.

> Or NeXTstep? Or Perihelios? They went to
> bit heaven since the users chose MS.

Yes. That's right. And it's legitimate that everybody chose MS. But now we are stuck with it and simple demands like "Hey, turn off that damn RPC service by default for end users please!" or "Hey, why is it you let Joe Stubborn be Administrator by default on his XP Home box?!" are not allowed anymore. What happened to customer awareness and innovation? I guess you don't need those two when you've 90% market share and 50 billion dollars cash.

I don't blame people for choosing MS software. I did so myself in the past and I actually liked it. But customers have needs and vendors responsibilities.

cheers,
Tobias
RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel
tobias wrote:
> > What's the incentive to make the vendor change? It's going to take one
> > HUGE boycott to achieve that, HUGE because the market is worldwide
> The ultimate solution to solve this problem would be a free market with
> free competition and no entry barriers for potential competitors for
> Microsoft.

We won't have to boycott, the market will decide. In 10 years MS may not be dead, but they will not be dominant IMHO. The tide turned the day Novell bought Suse. The only thing Linux lacked for the enterprise was enterprise level support and Novell just gave it that. And we in security have always known that Netware was not only the best networking OS around, but also the most secure. When admins come to realize they will patch once or twice a year, how much work they will save, I believe Novell's share will grow dramatically, in both Netware and Linux.

> Apply liability laws to software and IT products in general.

Liability laws do apply; unfortunately we sell our soul and give up all rights when we scroll down and hit F8.

> And let's face it, many of the folks on this and other lists that buy a
> PC, wipe windows and install a *bsd or linux/*nix clone, are still
> contributing to the redmond bottom line of their big buck, cause most
> those PC's come pre-installed with a M$ OS underneath.

The cheapest PC HP/Compaq carries is a box running Linux. Again the market.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
Re: [Full-Disclosure] Anti-MS drivel
> Hi yossarian,
>
> On Wed, 21.01.2004, yossarian wrote at 02:04:
> ...
> > So, basically, you are blaming the MS people for building a UI that can be
> > used by anyone.
>
> You haven't understood. Basically _I'm_ blaming "the MS people" for
> building a product that _can't_ be used by anyone but _is_ used by
> anyone.

Mmmm, who forced them to use it? Not the IT people, who at the time were still locked up in the Ivory Towers of Data Heaven. I remember my then CEO (at a big bank) firing the head of IT, because he was still opposing windows on the desktop, and the CEO could make splendid presentations and the like on his son's windows PC. It was a bottom up revolution, small businesses and home users were the early adopters.

The fact that people use Windows and Office proves that they can - basic Vulcan Logic. The faulty nature does not deter many people from using it, so the flaws cannot be too serious. Otherwise they would just stop or get an alternative. Before Mandrake 9 many companies tried to push their desktop OS... and failed. Remember Warp? Or NeXTstep? Or Perihelios? They went to bit heaven since the users chose MS.
Re: [Full-Disclosure] Anti-MS drivel
Hi yossarian,

On Wed, 21.01.2004, yossarian wrote at 02:04:
...
> So, basically, you are blaming the MS people for building a UI that can be
> used by anyone.

You haven't understood. Basically _I'm_ blaming "the MS people" for building a product that _can't_ be used by anyone but _is_ used by anyone.

If anyone can use Windows, Office and so on then why the heck are there still that many virus and worm breakouts? Obviously MS Windows and Outlook are not easy to use.

Read my other posts. Customer is king. When a customer "makes a mistake" then it's not his own but the vendor's mistake.

cheers,
Tobias
Re: [Full-Disclosure] Anti-MS drivel
WOW, I think that is the most informative, well thought out and intelligent posting I have read on this thread. Cheers to both of you. Points made, counterpoints presented, and no technospeak, OS specific drivel mixed in.

Viva La Competitione

> From: Tobias Weisserth <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: Ron DuFresne <[EMAIL PROTECTED]>
> CC: Mary Landesman <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Anti-MS drivel
> Date: Wed, 21 Jan 2004 18:34:13 +0100
>
> Hi Ron,
>
> On Tue, 20.01.2004, Ron DuFresne wrote at 23:03:
> > > Up to now they rule the consumer OS market with more than 90% market
> > > share. Any error they make regarding default settings in their OS
> > > affects 90% of all end consumers. It is impossible to require that many
> > > customers to adapt. Rather the vendor has to adapt. This is only
> > > logical.
> >
> > What's the incentive to make the vendor change?  It's going to take one
> > HUGE boycott to achieve that, HUGE because the market is worldwide, and we
> > can't get a few thousand users on this single FD list to agree to much
> > from one day to the next, let alone to get a large international boycott
> > up and running, despite the dependence of many gov's and home users, and
> > corps upon the M$ code.  So far the feds and a number of states in the US
> > have not been up to forcing change in redmond, even with million dollar a
> > day fines once imposed.
>
> This isn't solved by just one incentive or pulling a single lever.
>
> The ultimate solution to solve this problem would be a free market with
> free competition and no entry barriers for potential competitors for
> Microsoft. It's not about slicing MS in two parts as the US prosecution
> wanted to. That's the wrong side.
>
> Deregulate the market. Make competition possible again. Limit the extent
> to which software patents are applicable. Why should a patent on a technology
> like software be valid for DECADES? After that, no possible competitor
> has a value for that technology. Software patents are legalised
> monopolies. There's a VERY good reason most European software vendors
> are against software patents in Europe while the American,
> MS/Oracle/Sun/etc. led BSA is propagating software patents in Europe to
> extend their monopoly on certain technologies that define access to
> markets.
>
> Apply liability laws to software and IT products in general. When I buy
> hardware, I have a legally guaranteed period of 6 months to 1 year in
> Germany within which the vendor is liable 100%. Why doesn't such a thing
> exist with software? EULAs as MS is issuing them are contrasting current
> laws. In fact, a MS EULA in Germany isn't worth the paper it is printed
> on. The MS EULA in Germany isn't 100% valid since it doesn't comply with
> German law.
>
> Did I mention competition? Well, it's the most important lever to assure
> quality and low prices in products so repetition is not bad.
>
> > And let's face it, many of the folks on this and other lists that buy a
> > PC, wipe windows and install a *bsd or linux/*nix clone, are still
> > contributing to the redmond bottom line of their big buck, cause most
> > those PC's come pre-installed with a M$ OS underneath.
>
> Which PC vendors can't decide on their own since OEM contracts issued by
> MS are rather restrictive. Either you take it or you don't take MS
> products at all... This is a case where anti-trust laws should permit
> vendors to ignore the restrictive parts of such agreements whenever this
> excludes competition. Competition is capitalism. Capitalism is living off
> free markets with no entries. This MS situation is close to living in
> communist East-Germany before 1991 where people could buy one sort of
> car which was very expensive and sucked.
>
> > What do they care if that software license sits in a drawer and remains unused after first
> > turning on the system?  They made their share.
>
> That's absolutely true. But I guess real MS refuseniks don't buy
> hardware with OEM software attached to it and invest the additional time
> to buy individual hardware components and build their own system from
> scratch. That's cheaper anyway since you really get what you want and
> the OEM software attached to new PCs isn't really free because it's
> somehow included in the price.
>
> > And most on these lists should understand as well, I do not disagree with
> > the anti-M$ sentiments, I've posted many of my own over the years, but, I
> > do kno
Re: [Full-Disclosure] Anti-MS drivel
Hi Ron,

On Tue, 20.01.2004, Ron DuFresne wrote at 23:03:
> > Up to now they rule the consumer OS market with more than 90% market
> > share. Any error they make regarding default settings in their OS
> > affects 90% of all end consumers. It is impossible to require that many
> > customers to adapt. Rather the vendor has to adapt. This is only
> > logical.
>
> What's the incentive to make the vendor change? It's going to take one
> HUGE boycott to achieve that, HUGE because the market is worldwide, and we
> can't get a few thousand users on this single FD list to agree to much
> from one day to the next, let alone to get a large international boycott
> up and running, despite the dependence of many gov's and home users, and
> corps upon the M$ code. So far the feds and a number of states in the US
> have not been up to forcing change in redmond, even with million dollar a
> day fines once imposed.

This isn't solved by just one incentive or pulling a single lever.

The ultimate solution to solve this problem would be a free market with free competition and no entry barriers for potential competitors for Microsoft. It's not about slicing MS in two parts as the US prosecution wanted to. That's the wrong side.

Deregulate the market. Make competition possible again. Limit the extent to which software patents are applicable. Why should a patent on a technology like software be valid for DECADES? After that, no possible competitor has a value for that technology. Software patents are legalised monopolies. There's a VERY good reason most European software vendors are against software patents in Europe while the American, MS/Oracle/Sun/etc. led BSA is propagating software patents in Europe to extend their monopoly on certain technologies that define access to markets.

Apply liability laws to software and IT products in general. When I buy hardware, I have a legally guaranteed period of 6 months to 1 year in Germany within which the vendor is liable 100%. Why doesn't such a thing exist with software? EULAs as MS is issuing them are contrasting current laws. In fact, a MS EULA in Germany isn't worth the paper it is printed on. The MS EULA in Germany isn't 100% valid since it doesn't comply with German law.

Did I mention competition? Well, it's the most important lever to assure quality and low prices in products so repetition is not bad.

> And let's face it, many of the folks on this and other lists that buy a
> PC, wipe windows and install a *bsd or linux/*nix clone, are still
> contributing to the redmond bottom line of their big buck, cause most
> those PC's come pre-installed with a M$ OS underneath.

Which PC vendors can't decide on their own since OEM contracts issued by MS are rather restrictive. Either you take it or you don't take MS products at all... This is a case where anti-trust laws should permit vendors to ignore the restrictive parts of such agreements whenever this excludes competition. Competition is capitalism. Capitalism is living off free markets with no entries. This MS situation is close to living in communist East-Germany before 1991 where people could buy one sort of car which was very expensive and sucked.

> What do they care if that software license sits in a drawer and remains unused after
> first turning on the system? They made their share.

That's absolutely true. But I guess real MS refuseniks don't buy hardware with OEM software attached to it and invest the additional time to buy individual hardware components and build their own system from scratch. That's cheaper anyway since you really get what you want and the OEM software attached to new PCs isn't really free because it's somehow included in the price.

> And most on these lists should understand as well, I do not disagree with
> the anti-M$ sentiments, I've posted many of my own over the years, but, I
> do know better than to lie to myself and think that M$ on the desktop or
> in the corporate world is faced with any major threat at this time from
> redhat or suse.

Not yet but the ball started to move. Once the critical mass is reached we'll actually be moving into a situation again where competition is part of the market. Look at Munich, Germany. They may be having trouble doing so but they decided to switch 14.000 desktop PCs to SuSE. This is a small start. But with initiatives rolling in Asia and South America I don't think MS can count on being the only desktop OS vendor in the near future.

> Understand this is not going to be a simple boycott by a few thousand or
> hundred thousand buyers of bananas from say nicaragua...

I'm not speaking about a boycott. I'm speaking about vendor liability and free choice (actually free markets, but it's nearly the same).

cheers,
Tobias
Re: [Full-Disclosure] Anti-MS drivel
> M$ has built one of the best UIs on the planet, but that doesn't give them a
> license to ignore all of the security problems in their OS.

If that were true, I'd quit working with computers tomorrow.

"Show Full-Menus after a short delay"
RE: [Full-Disclosure] Anti-MS drivel
Finger-pointing is a trivial task, solving the M$ problem isn't. M$ has built one of the best UIs on the planet, but that doesn't give them a license to ignore all of the security problems in their OS. Check out Red Hat 9.

We should exit and destroy our ivory towers; they have no useful purpose anymore. Smart and creative people succeed, regardless of the era/technology/company/product.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of yossarian
Sent: Tuesday, January 20, 2004 8:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Anti-MS drivel

Erich wrote:
> What MS actually does is leading customers into a trap. MS Products
> look as if they were so easy to use that _every_ body could work with
> it, just like that - "you don't need to know a thing". Intuitive User
> interface etc.

So, basically, you are blaming the MS people for building a UI that can be used by anyone. Duh. Let's give 'em a TSO interface. That'll scare them away from the computer so they won't just click on any attachment. Better still, they would be using typewriters. Yep, I still miss my Underwood, like others miss the Unix prompt - not concealing the complexity of the beast, or worse. At the same time we can withdraw to the ivory tower of the IT department, where users are just a nuisance. Let's call it Data Central.

Don't forget users pay the bill. And to put it bluntly - your job would not exist if it had not been for the PC revolution. Neither would mine. Without MS's distributive powers and later - mid 90s - marketing power, grey haired people probably would still be scribbling in COBOL and we would be delivering the internal mail - by hand in those funny envelopes where you strike out the name of the user before you.
Re: [Full-Disclosure] Anti-MS drivel
> Yup, security research focuses on home computing, but this does not mean
> the quality of enterprise software is any better; quite the opposite. I
> had a chance to audit a bunch of big enterprise applications in several
> places I've worked in, and it is very uncommon to find a solution that
> will not fall apart if you mess with its proprietary protocols and
> interfaces - often exposing gross trust model design problems.

Never said corporate computing was any better, quite the opposite. But our dwelling on irrelevant software in the security community makes us, uh, look silly.

> These applications usually undergo much more rigorous QA, and this
> eliminates most of basic reliability issues that occur in reasonably
> "normal" working conditions - but the most common type of QA does almost
> nothing to find problems that will surface only when the application is poked
> with a stick by a sufficiently skilled attacker.

Well, QA has probably suffered a lot. I work by a dirty mind, but testing in TMap rules that one out.

> Old school development
> and quality assurance practices, and developers with mindsets locked on
> the network security it used to be in late '80s or so, are far more
> prevalent in these environments. And it really really shows.

Maybe where you work. The last three years in auditing gave me a lot of smartie experiences - hard on the outside, gooey on the inside.

> The relatively low number of vulnerabilities found in those products can
> be contributed to a couple of basic factors:
>
> 1) Average Joe Hacker does not have access to prohibitively expensive
>    or highly specialized systems used in high-profile corporations.
>    He does have his Windows and Linux partition, though, maybe even
>    a Solaris box somewhere, and can sometimes get ahold of Oracle.
>    Enterprise applications for VMS or OS/400, doubtful. This holds true
>    both for amateur researchers, and for many "vulnerability research"
>    shops, too - they simply do not have the budget (or incentive) to
>    do it.

Budget or incentive? Well if the shops don't have the incentive, they are probably groping for the real customers.

> 2) Joseph Hacker who happens to be working in a corporation that has such
>    a platform is usually limited in how far he can experiment with it
>    while playing it safe, especially if it is a production system "ever
>    since", and creating a dedicated testbed with appropriate data feeds
>    would be overly complex or time-consuming.

Yep, same here.

> 3) Even if Joseph finds a flaw, he is expected to work with the vendor
>    to protect his company's assets, instead of disclosing a problem
>    (otherwise, a swift retaliation from both the vendor and his
>    now ex-employer would ensue). He does not have the freedom
>    Joe enjoys.

Grumble - spot on again.

>    Moreover, sometimes vendors are extremely non-cooperative, and there
>    is simply no other choice for this platform that could be used
>    as a replacement without major transition expenses and problems.

Usually they are the same vendors you see in the big shops. Let's start some IBM bashing here. Uh no, they went Open Source, AND they are opposing Bill, so they must be good...

> 4) The public interest in this type of vulnerabilities is marginal.
>    Although some solutions may be popular in corporations, the systems
>    usually do not face the Internet, and are seldom mentioned in the
>    media. As such, there is very little incentive to disclose this
>    type of stuff, as only a couple of folks are going to realize
>    what you are talking about to start with.

Well, with BEA and all alike, they are facing the internet. This has yet to settle in. But what is that public interest in stuff like scripts in Perl or PHP? Who is our audience? Are we geeks disclosing to other geeks?
Re: [Full-Disclosure] Anti-MS drivel
Erich wrote:
> What MS actually does is leading customers into a trap. MS Products look
> as if they were so easy to use that _every_ body could work with it,
> just like that - "you don't need to know a thing". Intuitive User
> interface etc.

So, basically, you are blaming the MS people for building a UI that can be used by anyone. Duh. Let's give 'em a TSO interface. That'll scare them away from the computer so they won't just click on any attachment. Better still, they would be using typewriters. Yep, I still miss my Underwood, like others miss the Unix prompt - not concealing the complexity of the beast, or worse. At the same time we can withdraw to the ivory tower of the IT department, where users are just a nuisance. Let's call it Data Central.

Don't forget users pay the bill. And to put it bluntly - your job would not exist if it had not been for the PC revolution. Neither would mine. Without MS's distributive powers and later - mid 90s - marketing power, grey haired people probably would still be scribbling in COBOL and we would be delivering the internal mail - by hand in those funny envelopes where you strike out the name of the user before you.
Re: [Full-Disclosure] Anti-MS drivel
Hi Gregh,

do you work for MS? look at the answer from tobias. All what you wrote can be avoided with today's knowledge of cryptography. And must be avoided, at least in Europe. The bank is responsible for that. There's even no need for TC/Palladium whatsoever.

I think you can move on with painting hypothetical situations, but finally I fully agree with Tobias: Customer is king. Only a company as big as MS can ignore this.

What MS actually does is leading customers into a trap. MS Products look as if they were so easy to use that _every_ body could work with it, just like that - "you don't need to know a thing". Intuitive User interface etc.

And now... You come up and blame the user for trusting MS? So MS should write this on top of all their products - "You have to take lessons in securing this Product before you can start using it!" or "Attention: Security is left to the user!"

greetings
buri

On Tue, 2004-01-20 at 21:45, Gregh wrote:
> ----- Original Message -----
> From: "Tobias Weisserth" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 21, 2004 3:55 AM
> Subject: RE: [Full-Disclosure] Anti-MS drivel
>
> > Hi Paul,
> >
> > On Tue, 20.01.2004, Schmehl, Paul L wrote at 17:01:
> > > But the *real* problem isn't the OS, it's the users.
> >
> > Actually, that's wrong.
> >
> > Users are never the problem. It's always the software. When a user
> > doesn't understand something, then there's a problem with the software,
> > not the user. When a user doesn't operate the software in the way the
> > developers intended to, then there's a problem with the software.
>
> Let me paint you a hypothetical situation to show you where what you said is
> wrong:
>
> User receives keylogger attached to email as an exe and stupidly executes
> it. User has no anti virus software on the system so keylogger installs
> without interference. User shuts down the machine and goes to bed. Next day,
> user starts the machine and gets on to their web banking with keylogger
> doing its thing and reporting to Mr. Nasty, all the keypresses. User goes
> to bed and shuts down the machine again that night. On the other side of the
> world in a different timezone, Mr. Nasty receives User's keypress log and
> sees the web banking account details, logs on to User's bank account which
> contains $10,000 and in a few short hours, Mr. Nasty has transferred the
> entire amount to somewhere he can reach in this other country, which doesn't
> have any agreement with User's Govt so he can be touched in any way. User
> gets up in the morning, goes to his computer, turns it on and logs on to his
> web banking account, finding it at a zero balance and immediately starts
> screaming blue murder to the bank. The bank says "We understand your plight,
> User, but the transfers were done with your web banking username and
> password so was quite legal in our eyes. We can't help you, the $10,000 is
> gone".
>
> So who do you blame there? The world's MEDIA blames the bank, at least in my
> country. We all know the truth is Mr. Nasty is to blame ultimately but he is
> in that country where he can't be touched. So who bears the brunt of this?
> User does, of course. It isn't up to the bank to even WARN their web bankers
> about such things though I think you will find they all do. If the users
> infect their own machines and cause this problem it isn't the software (OS
> or otherwise) that caused this problem. It is the USER. See, User in the
> story above, may well be so computer illiterate that web banking is the
> pinnacle of his computer talent because he is basically uninterested in
> computers but thought web banking would make his life easier. He could,
> however, have hired someone who works in computers and knows how to secure
> his computer so that he can not automatically stuff his life up like that.
> He didn't.
>
> In Australia when things similar to that happen, it is always the corporate
> entity portrayed as the bad guy here when it really isn't, in this case. I
> keep thinking it is like someone who drives a Toyota suing Toyota because of
> a car accident they had through the brakes not working though the car is 4
> years old and never had a service in its life since that person bought it.
> Ultimately, though they may know NOTHING, the user is to blame for scenarios
> as above. They hire locksmiths to make sure their doors aren't so easy to
> open to unauthorised people. Why aren't they hiring "Computer Locksmith"
> companies to do the same? Ignorance is why! Gee, you don'
Re: [Full-Disclosure] Anti-MS drivel
> Up to now they rule the consumer OS market with more than 90% market
> share. Any error they make regarding default settings in their OS
> affects 90% of all end consumers. It is impossible to require that many
> customers to adapt. Rather the vendor has to adapt. This is only
> logical.

What's the incentive to make the vendor change? It's going to take one HUGE boycott to achieve that, HUGE because the market is worldwide, and we can't get a few thousand users on this single FD list to agree to much from one day to the next, let alone to get a large international boycott up and running, despite the dependence of many gov's and home users, and corps upon the M$ code. So far the feds and a number of states in the US have not been up to forcing change in redmond, even with million dollar a day fines once imposed.

And let's face it, many of the folks on this and other lists that buy a PC, wipe windows and install a *bsd or linux/*nix clone, are still contributing to the redmond bottom line of their big buck, cause most those PC's come pre-installed with a M$ OS underneath. What do they care if that software license sits in a drawer and remains unused after first turning on the system? They made their share.

And most on these lists should understand as well, I do not disagree with the anti-M$ sentiments, I've posted many of my own over the years, but, I do know better than to lie to myself and think that M$ on the desktop or in the corporate world is faced with any major threat at this time from redhat or suse. Understand this is not going to be a simple boycott by a few thousand or hundred thousand buyers of bananas from say nicaragua...

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] Anti-MS drivel
The post describing 'house construction' isn't a bad one, but I feel there's a better way to express it.

The makers of our operating systems should be able to sell us a house with a pretty standard set of components. Walls, roof, etc. There's doors and windows in it, but the really spiffy part is that not only are all the doors very tightly locked - but that the vendor doesn't even provide the keys. You've got instructions on how to MAKE the keys, and they're nice and clear instructions.

This gives us two things to bear in mind. One: services off/running securely by default. Two: RTFM.

It almost gives me chills. End users should *never* *ever* *ever* have to know jack or squat about the systems they're running. Gramma should be able to just get her e-mail, and not have to worry. (I should never have to do tech support for my family, ever again... off the clock, that is.)

.dfbarth
Re: [Full-Disclosure] Anti-MS drivel
Hi Greg,

On Tue, 20.01.2004, Gregh wrote at 21:48:
...
> In the same way as that, your computer today, may be as secure as anyone can
> make it, on the web and then tomorrow, someone finds another way in. Hell,
> MS may be the most attacked OS in the world for sure (it is the most used
> one so no surprise, there) but every other OS has had weaknesses that can be
> exploited.

Is it really so hard to agree that there is a difference between an OS that ships with all services disabled in comparison to an OS with many services enabled by default? If you're not able to see this and agree to this you'll always be trapped inside the prison of your mind on this.

Besides, sheer market share doesn't account for the quantity of exploits. Microsoft's IIS always manages to attract more negative attention than the Apache webserver although Apache rules the market with more than 60%. Of course, products that are so different in design and distribution philosophies can only be compared with very limited consequences. But reducing the number of viruses, exploits and attacks on Windows systems to the simple fact that they rule the market is plain stupid.

cheers,
Tobias
Re: [Full-Disclosure] Anti-MS drivel
On Sun, 18 Jan 2004, yossarian wrote:
> I checked the flaws reported the last week - and yes I read many many lists,
> some 250 mails per day - and the only thing getting close to software used
> in bigger environments is this BEA thingie 5 days ago /.../
Yup, security research focuses on home computing, but this does not mean
the quality of enterprise software is any better; quite the opposite. I
had a chance to audit a bunch of big enterprise applications in several
places I've worked in, and it is very uncommon to find a solution that
will not fall apart if you mess with its proprietary protocols and
interfaces - often exposing gross trust model design problems.
These applications usually undergo much more rigorous QA, and this
eliminates most of basic reliability issues that occur in reasonably
"normal" working conditions - but the most common type of QA does almost
nothing to find problems that will surface only when the application is poked
with a stick by a sufficiently skilled attacker. Old school development
and quality assurance practices, and developers with mindsets locked on
the network security it used to be in late '80s or so, are far more
prevalent in these environments. And it really really shows.
The relatively low number of vulnerabilities found in those products can
be contributed to a couple of basic factors:
1) Average Joe Hacker does not have access to prohibitively expensive
or highly specialized systems used in high-profile corporations.
He does have his Windows and Linux partition, though, maybe even
a Solaris box somewhere, and can sometimes get ahold of Oracle.
Enterprise applications for VMS or OS/400, doubtful. This holds true
both for amateur researchers, and for many "vulnerability research"
shops, too - they simply do not have the budget (or incentive) to
do it.
2) Joseph Hacker who happens to be working in a corporation that has such
a platform is usually limited in how far he can experiment with it
while playing it safe, especially if it is a production system "ever
since", and creating a dedicated testbed with appropriate data feeds
would be overly complex or time-consuming.
3) Even if Joseph finds a flaw, he is expected to work with the vendor
to protect his company's assets, instead of disclosing a problem
(otherwise, a swift retaliation from both the vendor and his
now ex-employer would ensue). He does not have the freedom
Joe enjoys.
Moreover, sometimes vendors are extremely non-cooperative, and there
is simply no other choice for this platform that could be used
as a replacement without major transition expenses and problems.
4) The public interest in this type of vulnerabilities is marginal.
Although some solutions may be popular in corporations, the systems
usually do not face the Internet, and are seldom mentioned in the
media. As such, there is very little incentive to disclose this
type of stuff, as only a couple of folks are going to realize
what you are talking about to start with.
Just my $.02.
--
- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--- 2004-01-20 21:31 --
http://lcamtuf.coredump.cx/photo/current/
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Anti-MS drivel
On Tue, 20 Jan 2004 14:49:52 EST, Justin Bajko <[EMAIL PROTECTED]> said:

> What would you say to someone if you were a home builder and the buyer of a
> home you built a year ago had their lawyers call you and threaten to sue you
> because their house got broken into? You installed locks on the doors and
> you installed latches on all the windows, but the person who bought the
> house never took the time to bother out how they worked, thus they always
> left their house unlocked, and eventually, it bit them in the ass when they
> came home to a house full of nothing.

Well.. this is a broken analogy. The average home builder doesn't build a door only visible from across the street and conceal the lock as one of the knobs on the stove.

Oh, yeah.. *SURE* you can disable all those open ports. But why would Joe Sixpack even *suspect* that he has ports open, even assuming that he understands what a port *IS*?
Re: [Full-Disclosure] Anti-MS drivel
- Original Message -
From: "Tobias Weisserth" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 3:55 AM
Subject: RE: [Full-Disclosure] Anti-MS drivel

> Hi Paul,
>
> Am Di, den 20.01.2004 schrieb Schmehl, Paul L um 17:01:
> > But the *real* problem isn't the OS, it's the users.
>
> Actually, that's wrong.
>
> Users are never the problem. It's always the software. When a user
> doesn't understand something, then there's a problem with the software,
> not the user. When a user doesn't operate the software in the way the
> developers intended to, then there's a problem with the software.

Let me paint you a hypothetical situation to show you where what you said is wrong:

User receives keylogger attached to email as an exe and stupidly executes it. User has no anti virus software on the system so keylogger installs without interference. User shuts down the machine and goes to bed. Next day, user starts the machine and gets on to their web banking with keylogger doing its thing and reporting to Mr. Nasty, all the keypresses. User goes to bed and shuts down the machine again that night. On the other side of the world in a different timezone, Mr. Nasty receives User's keypress log and sees the web banking account details, logs on to User's bank account which contains $10,000 and in a few short hours, Mr. Nasty has transferred the entire amount to somewhere he can reach in this other country, which doesn't have any agreement with User's Govt so he can be touched in any way. User gets up in the morning, goes to his computer, turns it on and logs on to his web banking account, finding it at a zero balance and immediately starts screaming blue murder to the bank. The bank says "We understand your plight, User, but the transfers were done with your web banking username and password so was quite legal in our eyes. We can't help you, the $10,000 is gone".

So who do you blame there? The world's MEDIA blames the bank, at least in my country. We all know the truth is Mr. Nasty is to blame ultimately but he is in that country where he can't be touched. So who bears the brunt of this? User does, of course. It isn't up to the bank to even WARN their web bankers about such things though I think you will find they all do. If the users infect their own machines and cause this problem it isn't the software (OS or otherwise) that caused this problem. It is the USER.

See, User in the story above, may well be so computer illiterate that web banking is the pinnacle of his computer talent because he is basically uninterested in computers but thought web banking would make his life easier. He could, however, have hired someone who works in computers and knows how to secure his computer so that he can not automatically stuff his life up like that. He didn't.

In Australia when things similar to that happen, it is always the corporate entity portrayed as the bad guy here when it really isn't, in this case. I keep thinking it is like someone who drives a Toyota suing Toyota because of a car accident they had through the brakes not working though the car is 4 years old and never had a service in its life since that person bought it.

Ultimately, though they may know NOTHING, the user is to blame for scenarios as above. They hire locksmiths to make sure their doors aren't so easy to open to unauthorised people. Why aren't they hiring "Computer Locksmith" companies to do the same? Ignorance is why! Gee, you don't buy a KNIFE without knowing it can be a weapon rather than a vegetable cutter, should someone grab it and wield it at you. Well, you don't buy a computer without realising that if someone grabs it and wields it, the computer can ALSO be a weapon used against you.

Greg.
Re: [Full-Disclosure] Anti-MS drivel
Hi Mary,

Am Di, den 20.01.2004 schrieb Mary Landesman um 20:13:
> > not lose your keys on purpose
>
> Does anyone lose their keys on purpose? :-)

If you've got a stupid insurance company... :-) I don't know?

> As I stated originally, you can reduce the risk but you can never alleviate
> it entirely. Windows can be broken, locks can be picked, heck, use a
> chainsaw and you can slice right through pretty much any part of it. Of
> course, it requires physical presence which raises the risk of being caught,
> hence it's not very likely. Conversely, using the Internet to anonymously
> launch exploits is pretty much risk-free - some might argue it's ideally
> suited to the cowardly criminal. Sometimes smarts plays a part, but never
> guts.

We all agree that the people behind these attacks are the bad guys. But we can't change them, we can't eradicate them. We have to live with them. The one thing we can change though is accepting or not accepting the way vendors ship software.

Opportunities make thieves. If you leave your door open you mustn't be surprised if that Van Gogh is gone when you're done with shopping. No insurance would cover the loss of that picture if you didn't lock the door. So in fact, although someone else has committed the crime, the loss of the Van Gogh is YOUR fault. YOU didn't lock the door. YOU created the opportunity.

What I'm criticising here is the amount of senseless opportunities MS has created over the past years. Nothing else.

> Now, MS has made bad decisions but they are not unique in this regard.

That's not what I said. But they have a unique impact. Up to now they rule the consumer OS market with more than 90% market share. Any error they make regarding default settings in their OS affects 90% of all end consumers. It is impossible to require that many customers to adapt. Rather the vendor has to adapt. This is only logical.

> They certainly have more at stake, given the numbers of users, thus their bad
> decisions tend to be very high profile.

Well seen.

> I suspect that when and if they achieve their Trusted Computing goals, many of the
> same anti-MS folks will shift their focus to complaining about the privacy and
> censorship issues it brings to the table.

You still haven't understood. Trusted Computing won't bring us security as long as basic philosophies like "secure by default" and "opt-out of security" haven't been accepted by MS. Having an open RPC port in a consumer OS that can be exploited ISN'T solved by putting a personal firewall in front of it. The flaw is still there, may it be hidden by an additional layer of software (which itself can contain flaws).

Trusted Computing will worsen matters actually. Not only from the privacy point of view, also from the security point of view. No matter what technical feature they will use to implement Trusted Computing it will be broken the minute it is on the market. Add the lack of basic security philosophies and you're stuck in the same bad situation with the added "bonus" of a lack of privacy and some more technical abstraction layers many more end users won't be able to understand.

Take a look at the X-Box. The X-Box actually implements what MS had in mind as a predecessor for Trusted Computing. Has it been 6 months until people were able to run ANY code they wanted to with minor modifications to the X-Box?

> Ironically, the very people who seek to publicly decry
> and exploit every MS flaw are the ones who are helping to force TC into
> reality.

No, that's actually not the case. Technical innovations and new features are subject to market laws. If consumers ultimately decide to reject such technologies then it will fail. As soon as there is an opportunity for alternative vendors to promote hardware and software WITHOUT these unwanted features, competition will kick in and level market shares again. I'm pretty confident free markets will take care of "Trusted Computing". Look at the trouble the music industry has to establish "Trusted Computing" in audio goods.

> For more on the implications, see
> http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

This seems interesting though not new. I'll give it a "visit" ;-)

cheers,
Tobias W.
Re: [Fwd: Re: [Full-Disclosure] Anti-MS drivel]
Dan,

I think you've got it wrong there. The bickering actually brings people together, albeit smaller groups with similar interests. Sometimes it's just plain fun to beat a dead horse :-)

And sometimes it's not about fixing things but rather having a good bitch session cause you know the problem isn't gonna get fixed anytime soon and you need to vent in some manner.

--Harry

Quoting "Daniel H. Renner" <[EMAIL PROTECTED]>:

*> Yo guys,
*>
*> How do you keep a group of people from attaining any sort of goal
*> whatsoever? How do you make any group smaller and less powerful?
*>
*> SIMPLE. Keep them bickering about ANYTHING. Which color, creed, beer,
*> pizza, or operating system is better than the other.
*>
*> Fall into that trap and you've made your group that much smaller, that
*> much less powerful because instead of doing what they like to do -
*> they're bickering about something.
*>
*> And even a newbie can see that nothing gets handled, fixed or done when
*> you're wasting time bickering like a bunch of fish-wives...
*>
*> I'm not saying that these things can't be discussed, but when it goes on
*> for ridiculous lengths of time, it's only bickering and nothing more.
*>
*>
*> Cheers,
*> Dan
*>

--
Harry Hoffman
[EMAIL PROTECTED]

# Harry: version 4.0a
# Known bugs:
# 1) Verbal output may occur before data processing is complete.
# 2) Loudspeaker option may activate without being invoked.
# 3) Other bugs as reported
Re: [Full-Disclosure] Anti-MS drivel
Hi Greg,

Am Di, den 20.01.2004 schrieb Gregh um 21:45:
...
> Let me paint you a hypothetical situation to show you where what you said is
> wrong:

I'm dying to know...

> User receives keylogger attached to email as an exe and stupidly executes
> it.

You didn't understand this. Not one bit. If you are a vendor and you ship a software that is intended to be used by average Joe and average Jennie then _you_ have to take this into account. Why is it possible that a user is able to make this mistake? Why can attachments that come in via email be executed by a user? This is a software design flaw, not a user mistake.

This is a matter of definition, Greg. When I say that the user is always right then this means that software has to be adapted to the user's education and not the other way around. You don't blame a child of 5 years old when it unsuccessfully tries to mount a bicycle fit for children older than 10. It's the wrong bike. Obviously everybody being infected with Blaster has been using the wrong OS. This is a matter of definition and philosophy.

> User has no anti virus software on the system so keylogger installs
> without interference.

The fact that users have no anti virus software running or in many cases old versions without updates (sense of false security!) can be linked to the fact that they are being told time and again that they have bought a secure operating system. You certainly can't blame the users for not knowing the security risks of the software they bought. If they don't know then it's not their fault. Actually it's NEVER their fault. By definition.

> User shuts down the machine and goes to bed. Next day,
> user starts the machine and gets on to their web banking with keylogger
> doing its thing and reporting to Mr. Nasty, all the keypresses. User goes
> to bed and shuts down the machine again that night. On the other side of the
> world in a different timezone, Mr. Nasty receives User's keypress log and
> sees the web banking account details, logs on to User's bank account which
> contains $10,000 and in a few short hours, Mr. Nasty has transferred the
> entire amount to somewhere he can reach in this other country, which doesn't
> have any agreement with User's Govt so he can be touched in any way.

Sorry, again not the user's fault. OSs, online banking and so on are products which have to be ready for the end user to use. Liability affects vendors, not users.

Besides, just a login account would do a bank account hacker no good since he also needs a TAN number to commit a transaction. TAN numbers can only be used once for ONE transaction and are discarded after that. Banks send TAN numbers via snail-mail in protected envelopes. As you see, in the real world banks have foreseen the lack of education of their clients and adapted to them rather than expect it the other way around.

> User gets up in the morning, goes to his computer, turns it on and logs on to his
> web banking account, finding it at a zero balance and immediately starts
> screaming blue murder to the bank.

He's damn right to do so. How could a bank let something like this happen?! Don't they know there is always this possibility? It's the bank and not the client that has to come up with a FOOL PROOF solution to this. After all, the bank offered the product "web banking".

> The bank says "We understand your plight, User, but the transfers were done with
> your web banking username and
> password so was quite legal in our eyes. We can't help you, the $10,000 is
> gone".

Well, see above. Besides, this is far from reality, at least in Europe. When a criminal abuses the credit card details which you have used for online deals then the credit card company is liable for ANY damage that has occurred. The fact that a bank would allow transactions of this magnitude with only a web account and no additional methods of verification (TAN etc.) is already almost criminal.

> So who do you blame there?

The OS vendor and the bank. No doubt about it. Customer is king. Always.

> The world's MEDIA blames the bank, at least in my
> country.

Which is their fine right. The bank would have acted negligently to say the least and could be held fully accountable for any losses. They offered their client the promise to do secure online banking, then THEY have to consider all risks, INCLUDING the possibility that criminals gain access to the client's PC.

> We all know the truth is Mr. Nasty is to blame ultimately but he is
> in that country where he can't be touched.

Actually, he is the villain but he isn't to blame since he used an opportunity someone else created: the OS vendor. See above.

> So who bears the brunt of this?

The OS vendor and the bank.

> User does, of course.

No. This is where you are wrong and this is what keeps us stuck in this dilemma. As long as product and technical solutions are not designed to fit the end user we'll be stuck in this security nightmare.

> It isn't up to the bank to even WARN the
Re: [Full-Disclosure] Anti-MS drivel
- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 11:48 PM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> On Tue, 20 Jan 2004, Gregh wrote:
>
> > > > I get tired of anti-MS drivel.
>
> > > *I* get tired of people who dismiss reasoned arguments as "anti-MS
> > > drivel."
>
> > So show me where I did that in that email.
>
> Above, and in the subject line.

...and therein lies YOUR problem. Well pointed out! Thank you.

Greg.
Re: [Full-Disclosure] Anti-MS drivel
- Original Message -
From: "Tobias Weisserth" <[EMAIL PROTECTED]>
To: "Mary Landesman" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 4:42 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Hi Mary,
>
> Am Di, den 20.01.2004 schrieb Mary Landesman um 18:12:
> > On January 20, 2004 11:55 AM, "Tobias Weisserth" claimed:
> >
> > > And the blame goes on MS for this. Nobody else.
> >
> > There is absolutely nothing I can do to secure my home from break-in.
>
> You could close the doors, get a better lock, not lose your keys on
> purpose, never leave without the door being locked... and so on. There
> is VERY much you can do to REDUCE the risk of being a victim.
>

Doesn't work. In Australia, thieves have been known to take tiles off the roof to get in, peel back tin roofs, remove fibro wall panels or just smash them, saw through wooden house walls, smash the glass out of windows etc. In the same way as that, your computer today, may be as secure as anyone can make it, on the web and then tomorrow, someone finds another way in. Hell, MS may be the most attacked OS in the world for sure (it is the most used one so no surprise, there) but every other OS has had weaknesses that can be exploited.

Greg.
Re: [Full-Disclosure] Anti-MS drivel
- Original Message -
From: "Harry Hoffman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 5:00 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> Yeah, but if the builder built the house in such a way that the door would never
> stay closed then you would "sue the pants off of that builder" as well as blame
> the criminal.
>
> That's pretty much what MS has done. :-)
>

Yeah! Keylogger trojans and spyware are ALL the fault of MS!! (blink blink?)

Greg.
Re: [Full-Disclosure] Anti-MS drivel
> not lose your keys on purpose

Does anyone lose their keys on purpose? :-)

As I stated originally, you can reduce the risk but you can never alleviate it entirely. Windows can be broken, locks can be picked, heck, use a chainsaw and you can slice right through pretty much any part of it. Of course, it requires physical presence which raises the risk of being caught, hence it's not very likely. Conversely, using the Internet to anonymously launch exploits is pretty much risk-free - some might argue it's ideally suited to the cowardly criminal. Sometimes smarts plays a part, but never guts.

Now, MS has made bad decisions but they are not unique in this regard. They certainly have more at stake, given the numbers of users, thus their bad decisions tend to be very high profile. I suspect that when and if they achieve their Trusted Computing goals, many of the same anti-MS folks will shift their focus to complaining about the privacy and censorship issues it brings to the table. Ironically, the very people who seek to publicly decry and exploit every MS flaw are the ones who are helping to force TC into reality.

For more on the implications, see http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

-- Mary
RE: [Full-Disclosure] Anti-MS drivel
> If a builder sold you a home with no locks on the doors and no
> latches on the windows, I suspect that he could be successfully sued
> in the modern "blame everyone in sight" environment of the U.S. And,
> unlike a number of other cases, I would agree with that, on the basis
> that (unless the home was in an extremely remote location) the
> builder was intolerably negligent to omit those locks and latches.

I don't doubt that I'll regret posting in this thread, but, what the hell?

I don't think that (holding true to the analogy) Microsoft has built its houses without latches on the windows or locks on the doors. The latches and locks are there, and they're not all that hard to use if you take the time to figure out how to turn them.

What would you say to someone if you were a home builder and the buyer of a home you built a year ago had their lawyers call you and threaten to sue you because their house got broken into? You installed locks on the doors and you installed latches on all the windows, but the person who bought the house never took the time to bother out how they worked, thus they always left their house unlocked, and eventually, it bit them in the ass when they came home to a house full of nothing.

The door locks and window latches are there -- people are just too apathetic to figure out how to turn them.

--
-jtb

[Note: I'm mainly referring to Windows XP, which comes with a firewall built into it. No, it doesn't come with an anti-virus client, but I can't think of an operating system that does; at least, not by default.]
[Fwd: Re: [Full-Disclosure] Anti-MS drivel]
Yo guys,

How do you keep a group of people from attaining any sort of goal whatsoever? How do you make any group smaller and less powerful?

SIMPLE. Keep them bickering about ANYTHING. Which color, creed, beer, pizza, or operating system is better than the other.

Fall into that trap and you've made your group that much smaller, that much less powerful because instead of doing what they like to do - they're bickering about something.

And even a newbie can see that nothing gets handled, fixed or done when you're wasting time bickering like a bunch of fish-wives...

I'm not saying that these things can't be discussed, but when it goes on for ridiculous lengths of time, it's only bickering and nothing more.

Cheers,
Dan

From: Dave Sherohman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Anti-MS drivel
Date: 20 Jan 2004 12:01:09 -0600

On Tue, Jan 20, 2004 at 12:12:46PM -0500, Mary Landesman wrote:
> On January 20, 2004 11:55 AM, "Tobias Weisserth" claimed:
> > And the blame goes on MS for this. Nobody else.
>
> There is absolutely nothing I can do to secure my home from break-in. I can
> minimize the risks, but I cannot alleviate the risk entirely. However, we
> don't blame the builders when a home invasion occurs. We rightfully blame
> the burglar.

If a builder sold you a home with no locks on the doors and no latches on the windows, I suspect that he could be successfully sued in the modern "blame everyone in sight" environment of the U.S. And, unlike a number of other cases, I would agree with that, on the basis that (unless the home was in an extremely remote location) the builder was intolerably negligent to omit those locks and latches.

--
The freedoms that we enjoy presently are the most important victories of the White Hats over the past several millennia, and it is vitally important that we don't give them up now, only because we are frightened.
- Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
Re: [Full-Disclosure] Anti-MS drivel
Mary Landesman wrote:
> There is absolutely nothing I can do to secure my home from break-in. I can
> minimize the risks, but I cannot alleviate the risk entirely. However, we
> don't blame the builders when a home invasion occurs. We rightfully blame
> the burglar.
>
> The blame goes to the crackers and virus writers.

Please. Analogies are for the weak of mind, and for trying to confuse the true issues at hand. Being that this is a technical list, how about constraining arguments to the relevant subject. It is reasonable to assume that anyone subscribed to this list can understand the discussion in native terms. I don't think tired analogies about burglars and virus writers help to clarify anything.

Put simply:

'Some kid tweaking Nimda' != 'Burglar breaking into houses'

No matter how many times you hear it repeated.
Re: [Full-Disclosure] Anti-MS drivel
On Sun, 18 Jan 2004, yossarian wrote:
[SNIP]
>
> I checked the flaws reported the last week - and yes I read many many lists,
> some 250 mails per day - and the only thing getting close to software used
> in bigger environments is this BEA thingie 5 days ago. Yeah, and I quote: "a
> weakness in BEA WebLogic Server and Express allowing malicious people to see
> a password when it is entered {a weakness in BEA WebLogic Server and Express
> allowing malicious people to see a password when it is entered - it is
> echoed to the screen when using ANT". So what? Looking at a keyboard is
> easier. And stuff like BEA, or any J2EE for that matter, are just emerging
> on the periphery, and have still a long way to go. The security industry is
> primarily focussed on what is happening in small computing or the internet,
> and these discussions here just mirror this narrowness. Alas, yet true. This
> is also an explanation for the lack of legal claims - one of many, I know
> that - against MS for the vulnerable software, it rarely hurts the bigger
> companies that can afford the legal costs. And Yes you guys can give me a
> lot of examples of companies hit over the years. So can I. But think again,
> there are a lot of big companies out there. Do they all keep silent? You
> think they can?
>
Actually BEA weblogic trinkets fit right into the middle of the core
infrastructure and so blend their threats into the whole set/suite of
applications they are bound to, like in our case, authentication.
Makes their trinkets more than periphery...my employer also fits not the
small business model, tends towards the large end really.
Thanks,
Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] Anti-MS drivel
At 12:12 PM 1/20/2004 -0500, Mary Landesman wrote:
> There is absolutely nothing I can do to secure my home from break-in. I can
> minimize the risks, but I cannot alleviate the risk entirely. However, we
> don't blame the builders when a home invasion occurs. We rightfully blame
> the burglar.
>
> The blame goes to the crackers and virus writers.

I am loath to participate in yet another round of questionable analogies, but if the builder provided you with door locks that you had to install yourself, I believe the blame might shift somewhat. The issue here, if I've understood it correctly, is that MS has historically been lax in providing security mechanisms that operate "out of the box." In an increasingly insecure environment, this is neither a credible nor responsible business practice.

m5x
Re: [Full-Disclosure] Anti-MS drivel
On Tue, Jan 20, 2004 at 12:12:46PM -0500, Mary Landesman wrote:
> On January 20, 2004 11:55 AM, "Tobias Weisserth" claimed:
> > And the blame goes on MS for this. Nobody else.
>
> There is absolutely nothing I can do to secure my home from break-in. I can
> minimize the risks, but I cannot alleviate the risk entirely. However, we
> don't blame the builders when a home invasion occurs. We rightfully blame
> the burglar.

If a builder sold you a home with no locks on the doors and no latches on the windows, I suspect that he could be successfully sued in the modern "blame everyone in sight" environment of the U.S. And, unlike a number of other cases, I would agree with that, on the basis that (unless the home was in an extremely remote location) the builder was intolerably negligent to omit those locks and latches.

--
The freedoms that we enjoy presently are the most important victories of the White Hats over the past several millennia, and it is vitally important that we don't give them up now, only because we are frightened.
- Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
Re: [Full-Disclosure] Anti-MS drivel
Yeah, but if the builder built the house in such a way that the door would never stay closed then you would "sue the pants off of that builder" as well as blame the criminal.

That's pretty much what MS has done. :-)

--Harry

Quoting Mary Landesman <[EMAIL PROTECTED]>:

*> On January 20, 2004 11:55 AM, "Tobias Weisserth" claimed:
*>
*> > And the blame goes on MS for this. Nobody else.
*>
*> There is absolutely nothing I can do to secure my home from break-in. I can
*> minimize the risks, but I cannot alleviate the risk entirely. However, we
*> don't blame the builders when a home invasion occurs. We rightfully blame
*> the burglar.
*>
*> The blame goes to the crackers and virus writers.
*>
*> -- Mary
*>

--
Harry Hoffman
[EMAIL PROTECTED]

# Harry: version 4.0a
# Known bugs:
# 1) Verbal output may occur before data processing is complete.
# 2) Loudspeaker option may activate without being invoked.
# 3) Other bugs as reported
Re: [Full-Disclosure] Anti-MS drivel
Hi Mary,

On Tue, 20.01.2004 at 18:12, Mary Landesman wrote:

> On January 20, 2004 11:55 AM, "Tobias Weisserth" claimed:
>
> > And the blame goes on MS for this. Nobody else.
>
> There is absolutely nothing I can do to secure my home from break-in.

You could close the doors, get a better lock, not lose your keys on purpose, never leave without the door being locked... and so on. There is VERY much you can do to REDUCE the risk of being a victim. If this requires much attention on your side because the house builder disabled all these possibilities, say you don't have a proper lock, then you should be putting the house builder under pressure.

> I can minimize the risks, but I cannot alleviate the risk entirely. However, we
> don't blame the builders when a home invasion occurs. We rightfully blame
> the burglar.

If the builders of the house deliver it with measures to secure it, but most inhabitants don't use them because THEY have to go to much trouble to enable these measures, then the builder is responsible for these measures not being used.

> The blame goes to the crackers and virus writers.

This is too easy. It's the same with guns. People always blame the people who pull the trigger, but the fact that guns are so damn easy to get, even for minors, doesn't startle a soul...

cheers,
Tobias
Re: [Full-Disclosure] Anti-MS drivel
On January 20, 2004 11:55 AM, "Tobias Weisserth" claimed:

> And the blame goes on MS for this. Nobody else.

There is absolutely nothing I can do to secure my home from break-in. I can minimize the risks, but I cannot alleviate the risk entirely. However, we don't blame the builders when a home invasion occurs. We rightfully blame the burglar.

The blame goes to the crackers and virus writers.

-- Mary
RE: [Full-Disclosure] Anti-MS drivel
Hi Paul,

On Tue, 20.01.2004 at 17:01, Schmehl, Paul L wrote:

> But the *real* problem isn't the OS, it's the users.

Actually, that's wrong. Users are never the problem. It's always the software. When a user doesn't understand something, then there's a problem with the software, not the user. When a user doesn't operate the software in the way the developers intended, then there's a problem with the software. Customer is king. Always.

Why should every single user on earth have to worry about virus updates, personal firewalls and so on? They want to USE a PC, not secure it. Any attempt to deliver software in a state as secure as possible without cutting too many features must be welcomed. Any practice where software is delivered "with open doors" should be considered a fatal flaw. When a user has to act in order to deactivate features he doesn't use that are potentially dangerous, then this is wrong. There shouldn't be any "opt-in" into security.

If individual users discover they need an additional feature of their software that adds to overall risks, then let those individual users find out how to do that. That's education. Not the other way around. If they have to do something on their own behalf to use risky features that the majority doesn't use, then they actually educate themselves in the process. If you want to have a webserver running on your box, then it's better there isn't one by default and the user has to find out how to enable it and how to enable it SAFELY. The majority of users who don't, won't have to care about this. Users should always have to "opt-out" from the more secure setting into the risky setting.

The "anti MS" drive IMHO results from the fact that MS has practised "opt-in" into security far too long. One of the most striking examples giving evidence to this is the fact that _AOL_ had to shut down the Windows Messaging Service on its clients' PCs because clients were complaining about receiving unwanted ad messages that way. I find it very striking that this feature seems to be activated by default in an OS that is aimed at the end user, a single machine connected to the Internet mostly by a modem or some other form of dial-up connection without something in between. Delivering an OS with such a feature enabled leaves millions of users to disable that feature while only a minority actually makes good use of it.

This is just one example of many. The Blaster worm is yet another example of how "opt-in" into security fails. Why do private machines connected singly to the Internet have an open RPC port by default?! Obviously there hasn't been a real use for it for most end consumers, because the recommended Personal Firewall just shuts it down. Why has it been enabled for millions of end users by default? Just because this is a feature that may be used in a certain scenario inside LANs? Again millions of end users who don't know about "RPC what?!" had to act to "opt-in" into security. This stinks.

THIS is why MS is drawing so much bad attention here. It's not because people don't like the colours of Windows XP around here or because of the idea that Windows is not a good OS. It's about "opt-in" into security. And the blame goes on MS for this. Nobody else.

cheers,
Tobias W.
RE: [Full-Disclosure] Anti-MS drivel
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Tuesday, January 20, 2004 1:55 AM
> To: David F. Skoll
> Cc: Gregh; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Anti-MS drivel
>
> Moral of the story - in the past 2 decades, the users have
> gotten stupider, and many of the software designers have as well.

Yes, and this little story puts the lie to David's tiresome rant about MS. Regardless of how secure or insecure any OS is "by default" (whatever that means), the *real* problem is users who don't understand what they're doing. We can sit here and fight OS wars until we all turn to dust and not one damn thing will change. Or we can start taking action to educate users and *perhaps* change the nature of computing entirely.

So long as we have users who ignore basic computer safety, we will have problems with malicious software attacks, regardless of what OS that user is using. I've had to clean viruses and worms out of Linux and Solaris, just as I've had to do with Windows. In *every* case, the problem was a user who was either ignorant or didn't care. Are the problems easier to avoid when using Unix? Perhaps. But the *real* problem isn't the OS, it's the users.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
Re: [Full-Disclosure] Anti-MS drivel
On Tue, 20 Jan 2004, Gregh wrote:

> > > I get tired of anti-MS drivel.
> >
> > *I* get tired of people who dismiss reasoned arguments as "anti-MS
> > drivel."
>
> So show me where I did that in that email.

Above, and in the subject line.

[...]

> Let's put it another way - if it weren't for MS you wouldn't be able to sit
> on your high perch of morals. That suit you?

What a stupid argument. If it weren't for drug dealers, you wouldn't be able to feel superior.

For the record, I have never used Microsoft software, either at work or at home, except for a six-month period at one of my very early jobs.

> The fact is that there wouldn't be half the jobs available were it not for
> MS.

So what? That's completely irrelevant. Microsoft had its day; that day is now over.

Please respond to my point about the serious Windows design flaw that's been known for 17 years and continues, to this day, to be exploited. Don't avoid the issues.

Regards,

David.
Re: [Full-Disclosure] Anti-MS drivel
On Mon, 19 Jan 2004 19:58:15 EST, "David F. Skoll" said:

> It's pathetic that 17 years after CHRISTMA EXEC, hundreds of thousands of
> Windows machines are succumbing to the same easily-preventable security flaw.

What's even MORE pathetic is that even 17 years ago, CHRISTMA EXEC required for you *first* to receive the file from your "reader" space to your disk space, and *then* to invoke it as a command. So that's the equivalent of first saving an attachment from an e-mail into a directory, and then going and finding the file in the directory and launching it. At that point, there's not much you can do if you're going to allow attachments at ALL.

(Also, IBM quickly released a set of patches against RSCS (the communications subsystem in use for VNET and Bitnet) that allowed filtering of filename/filetypes, with either quarantining or renaming of the files - so a site admin could make CHRISTMA EXEC end up being called CHRISTMA CEXE, which then wouldn't run unless the user manually renamed it back.)

The other interesting thing was that although CHRISTMA EXEC went on quite the burn then (I should know, I was the admin of a VM system on Bitnet at the time ;), the user community *learned*, and although there were 5-6 subsequent copycat programs, they were nowhere near as widespread. However, today people will *still* click on unknown stuff.

Moral of the story - in the past 2 decades, the users have gotten stupider, and many of the software designers have as well.
RE: [Full-Disclosure] Anti-MS drivel
Hello David

I'm interested in your comment "... Windows has a severe design flaw that has cost the world economy billions of dollars. That design flaw (the encoding of metadata -- specifically, "executableness" -- in filenames) has been known since at least 1987 to be highly dangerous in a network environment. Furthermore, that design flaw has been exploited several thousand times in the past. Finally, that design flaw cannot be fixed without fundamentally changing the way Windows works"

Can you send me more details about this vulnerability and design flaw?

Thanks

Dinis Cruz

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: 20 January 2004 00:58
To: Gregh
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Anti-MS drivel

On Sun, 18 Jan 2004, Gregh wrote:

> I wonder if you would have the job you have or know the things you know were
> it not for MS.

I wasn't planning on responding, but I changed my mind.

Of course I can't answer if I'd have the job I have now if not for MS. That's a silly question; would you have the job you have now if not for UNIX? IBM? The transistor?

> I get tired of anti-MS drivel.

*I* get tired of people who dismiss reasoned arguments as "anti-MS drivel."

Look. I'll try to spell it out simply.

Windows has a severe design flaw that has cost the world economy billions of dollars. That design flaw (the encoding of metadata -- specifically, "executableness" -- in filenames) has been known since at least 1987 to be highly dangerous in a network environment. Furthermore, that design flaw has been exploited several thousand times in the past. Finally, that design flaw cannot be fixed without fundamentally changing the way Windows works.

So where does that leave us in 2004? It leaves me running Linux, and waking up tomorrow to breakfast on a bagel. It leaves thousands of Windows administrators staying up all night to ensure that Bagle doesn't breakfast on their Windows machines.

It's pathetic that 17 years after CHRISTMA EXEC, hundreds of thousands of Windows machines are succumbing to the same easily-preventable security flaw. In the last 12 hours, my very low-volume mail server has dropped 16 Bagle viruses. By message volume, Windows viruses account for between 4-7% of our daily mail volume. Because they tend to be large, they account for between 30-60% of our mail traffic if you count the number of bytes.

Windows people, I think we have a problem here.

> The fact is that around my area the businesses are medium-small to
> small and of course home users. Without MS, there wouldn't be
> anywhere near the amount of computer users there are now from whom I
> can make a living.

This is a revealing statement. Better to make a buck from people chronically in need of support due to a crummy operating system, than sell them something that works and doesn't need support. Trust me, if MS hadn't come along at the right time, someone else would have (and I'd be bitching about Apple/IBM/whomever. :-))

> MS has weaknesses to be sure but if you think you can write a much better OS
> from the ground up with no holes in it, let me know. I would like to use it!

Linux/UNIX/*BSD/etc are much better OS's written from the ground up, with no *serious design flaws* comparable to the one I outlined in Windows. I'd never be as arrogant as to claim that Linux has no holes in it, but I will go out on a limb and say that for a general-purpose operating system, the security holes in Linux are due to implementation errors rather than design errors.

I will keep quiet now. :-)

Regards,

David.
Re: [Full-Disclosure] Anti-MS drivel
----- Original Message -----
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: "Gregh" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, January 20, 2004 11:58 AM
Subject: Re: [Full-Disclosure] Anti-MS drivel

> On Sun, 18 Jan 2004, Gregh wrote:
>
> > I wonder if you would have the job you have or know the things you know were
> > it not for MS.
>
> I wasn't planning on responding, but I changed my mind.
>
> Of course I can't answer if I'd have the job I have now if not for MS. That's
> a silly question; would you have the job you have now if not for UNIX? IBM?
> The transistor?

It's only a silly question if you don't understand the question.

> > I get tired of anti-MS drivel.
>
> *I* get tired of people who dismiss reasoned arguments as "anti-MS drivel."

So show me where I did that in that email.

> Look. I'll try to spell it out simply.

Working to your best advantage is always the best idea. I believe in it, too.

> Windows has a severe design flaw that has cost the world economy billions
> of dollars. That design flaw (the encoding of metadata -- specifically,
> "executableness" -- in filenames) has been known since at least 1987 to
> be highly dangerous in a network environment. Furthermore, that design
> flaw has been exploited several thousand times in the past. Finally,
> that design flaw cannot be fixed without fundamentally changing the way
> Windows works.
>
> So where does that leave us in 2004?

Let's put it another way - if it weren't for MS you wouldn't be able to sit on your high perch of morals. That suit you? The fact is that there wouldn't be half the jobs available were it not for MS. That doesn't mean that their OS writing capabilities are FABULOUS but there wouldn't be even half the NEED for Internet/Computer related jobs because more than half the people in any Western Hemisphere nation wouldn't be using Internet, thus the demand wouldn't be there, thus the need for web pages, servers, you name it.

So next time you climb into your saddle, remember not to kick the horse in the arse. Horse's arses often DON'T see well, do they?

Greg.
Re: [Full-Disclosure] Anti-MS drivel
On Sun, 18 Jan 2004, Gregh wrote:

> I wonder if you would have the job you have or know the things you know were
> it not for MS.

I wasn't planning on responding, but I changed my mind.

Of course I can't answer if I'd have the job I have now if not for MS. That's a silly question; would you have the job you have now if not for UNIX? IBM? The transistor?

> I get tired of anti-MS drivel.

*I* get tired of people who dismiss reasoned arguments as "anti-MS drivel."

Look. I'll try to spell it out simply.

Windows has a severe design flaw that has cost the world economy billions of dollars. That design flaw (the encoding of metadata -- specifically, "executableness" -- in filenames) has been known since at least 1987 to be highly dangerous in a network environment. Furthermore, that design flaw has been exploited several thousand times in the past. Finally, that design flaw cannot be fixed without fundamentally changing the way Windows works.

So where does that leave us in 2004? It leaves me running Linux, and waking up tomorrow to breakfast on a bagel. It leaves thousands of Windows administrators staying up all night to ensure that Bagle doesn't breakfast on their Windows machines.

It's pathetic that 17 years after CHRISTMA EXEC, hundreds of thousands of Windows machines are succumbing to the same easily-preventable security flaw. In the last 12 hours, my very low-volume mail server has dropped 16 Bagle viruses. By message volume, Windows viruses account for between 4-7% of our daily mail volume. Because they tend to be large, they account for between 30-60% of our mail traffic if you count the number of bytes.

Windows people, I think we have a problem here.

> The fact is that around my area the businesses are medium-small to
> small and of course home users. Without MS, there wouldn't be
> anywhere near the amount of computer users there are now from whom I
> can make a living.

This is a revealing statement. Better to make a buck from people chronically in need of support due to a crummy operating system, than sell them something that works and doesn't need support. Trust me, if MS hadn't come along at the right time, someone else would have (and I'd be bitching about Apple/IBM/whomever. :-))

> MS has weaknesses to be sure but if you think you can write a much better OS
> from the ground up with no holes in it, let me know. I would like to use it!

Linux/UNIX/*BSD/etc are much better OS's written from the ground up, with no *serious design flaws* comparable to the one I outlined in Windows. I'd never be as arrogant as to claim that Linux has no holes in it, but I will go out on a limb and say that for a general-purpose operating system, the security holes in Linux are due to implementation errors rather than design errors.

I will keep quiet now. :-)

Regards,

David.
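The two technical threads above (David's point that Windows decides "executableness" from the filename alone, and Valdis's description of the RSCS patches that quarantined or renamed files by filename/filetype so CHRISTMA EXEC became CHRISTMA CEXE) describe one defensive measure: a mail-side filter that keys on the attachment name. The following is an added example, not code from the list or from any poster, showing that filter as a small Python program over a constructed sample message. The extension list, the "append .txt" renaming rule, and the sample addresses are all constructed assumptions; a real deployment would use a fuller, maintained extension list and store quarantined parts rather than dropping them.

```python
# Added example (not from the list or any poster): a minimal attachment
# filter that, like the RSCS filename/filetype filter Valdis describes,
# either renames or quarantines attachments whose *name* would make
# Windows execute them on open. Extension list and sample are constructed.
import email
from email import policy
from email.message import EmailMessage

# Constructed, deliberately short list of extensions Windows runs by name.
EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}


def is_executable_name(filename):
    """True if the filename alone would make Windows run the file on open."""
    base = filename.strip().rstrip(". ")  # Windows ignores trailing dots/spaces
    if "." not in base:
        return False
    return base.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTENSIONS


def defang_name(filename):
    """Rename so the extension no longer matches (CHRISTMA EXEC -> CHRISTMA CEXE style)."""
    return filename + ".txt"  # assumed rule: any non-executable suffix works


def attachment_names(raw):
    """Filenames of the attachments in a raw RFC 822 message, in order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def filter_message(raw, mode="rename"):
    """Return (filtered_bytes, actions); mode is 'rename' or 'quarantine'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    actions, dropped = [], []
    for part in list(msg.iter_attachments()):
        name = part.get_filename()
        if not name or not is_executable_name(name):
            continue
        if mode == "rename":
            new = defang_name(name)
            # Rewrite both headers a mail client may take the name from.
            part.replace_header("Content-Disposition", f'attachment; filename="{new}"')
            part.replace_header("Content-Type", f'{part.get_content_type()}; name="{new}"')
            actions.append(("renamed", name, new))
        elif mode == "quarantine":
            dropped.append(part)
            actions.append(("quarantined", name))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    if dropped:
        # Remove the offending parts from the multipart container.
        msg.set_payload([p for p in msg.get_payload() if p not in dropped])
    return msg.as_bytes(), actions


def build_sample():
    """Constructed sample: a greeting carrying one executable and one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Merry Christmas"
    msg.set_content("Open the attached card!")
    msg.add_attachment(b"MZ\x90\x00 not a real program", maintype="application",
                       subtype="octet-stream", filename="CARD.EXE")
    msg.add_attachment("just notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for mode in ("rename", "quarantine"):
        out, acts = filter_message(build_sample(), mode)
        print(mode, acts, attachment_names(out))
```

Renaming keeps the bytes but removes the by-name execution path, which is what the CHRISTMA CEXE trick did; quarantining removes the part entirely. Either way the decision is made from the name, not the content, which is exactly the property David calls a design flaw and the reason such filters have to be maintained as new executable extensions appear.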
RE: [Full-Disclosure] Anti-MS drivel
Kind of sad that you have to resort to insults, but I guess that's just how some people are used to operating.

"Apple employs extremely talented people. Or do you think they just grabbed Mach and FreeBSD and threw out an OS without testing and engineering?"

As far as Apple goes, I really must have hit on a nerve of OS X lovers out there. I guess they skimmed over the "The OS is more stable than Microsoft" statement. I did not question their commitment to the OS, but their attitude toward their general public and the price of their products. Apple needs to replace their army of design engineers (not software and hardware engineers) with MBA's. Spend less time trying to make their products prettier and concentrate on increasing market share. When Steve Jobs was asked about the screwed up pricing on the new iPod Mini, he said that they are marketed to "existing iPod owners so that they can have one iPod for normal use and one for the gym . . ." And he said it with a straight face. Like I said, screwed up attitude.

"Last time I checked Java was not an operating system."

http://sourceforge.net/projects/jos

Here is the ZDNet article on the rover using Java: http://zdnet.com.com/2100-1104_2-5142220.html

It's OK, I won't call you any names for not knowing.

"When a new worm comes out that infects your whole Windows network because some guy brought his laptop and bypassed your firewall, do you sue Microsoft?"

"If someone brings in a laptop and infects your network, you cannot sue Microsoft."

Poor security policy enforcement caused that problem. Unless there is a zero-day exploit that Microsoft knew about and failed to warn customers about or failed to try to resolve, no court would find them guilty (especially with Microsoft lawyers). The IE exploit that has been infecting home users for the past few months has not hit businesses as hard because most large businesses spend the money on decent administrators who enforce security policy, patch regularly and read lists like this to protect their enterprise.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miguel Mendez
Sent: Sunday, January 18, 2004 9:59 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Anti-MS drivel

James Patterson Wicks wrote:

> Microsoft has competition. Apple, Sun, Red Hat . . .

It sure does, but not on the x86 desktop.

> Problem is Apple is full of idiots who feature style over substance.
> The system has to look better than it performs. They want people to pay
> a premium to make it seem that their products are for the elite only.
> The OS is more stable than Microsoft, but their elitist attitude will
> always keep them at 5% market share.

James, I don't know how old you are, or if you're just dim. Apple employs extremely talented people. Or do you think they just grabbed Mach and FreeBSD and threw out an OS without testing and engineering? They have people like Jordan Hubbard and Mike Smith working hard on the BSD side of things. They have extremely good people working on the UI side of things. Add to that the NeXT heritage and what you get is the finest desktop OS ever made, combined with the robustness typically found in *ix systems. And cut the expensive hardware crap, that was true 10 years ago, not now. You can get a very nice Mac for a decent price these days. The fact is, OS X has had far less security problems than any desktop OS Microsoft has ever made.

> Sun's Java should be the market leader, but they don't have the cash to
> take on the 800 pound gorilla that is Microsoft. Java is running on
> Spirit, the rover that is on Mars right now. Imagine if Spirit had a

Again, you don't know what you're talking about. Java has its place in the server, that's where it shines. Nobody uses java for desktop apps except when you want easy multi-platform support, and even then, there are other alternatives. Java is very strong in the middleware market, where it shows all its true potential.

> Sorry, but the guy from the Help Desk can't just stop by and reboot it
> this time. Even NASA is not crazy enough to trust a billion dollar
> project to a Microsoft OS.

Last time I checked Java was not an operating system.

> Linux is just not ready for prime time. By prime time I mean on the
> homes of the American public. Regular home consumers don't want to have
> to learn a new language to use e-mail or play games. They want to be
> able to update a security hole without having to compile something.
> Linux needs an interface like OS X and a software library to back it for
> "normal" people to be interested.

Perhaps Microsoft's contracts with the major vendors also have something to do with this. OTOH, I do think there are Joe ComputerUser-ready linux
RE: [inbox] RE: [Full-Disclosure] Anti-MS drivel
I agree on the Novell statement. I read about it last night. I'm sure that IBM will follow suit. Still, that does not solve the problem of re-educating your IT staff and desktop users, which is still a long and expensive proposition.

As far as Apple goes, I never questioned their commitment to the enterprise, I questioned their ability to compete effectively due to their screwed up attitude about their product and their prices. When was the last time you heard a CTO talk about migrating 10,000 users to OS X? The cost factor alone would make a CFO cringe. Apple needs to replace their army of design engineers with MBA's. Spend less time trying to make their products prettier and concentrate on increasing market share. When Steve Jobs was asked about the screwed up pricing on the new iPod Mini, he said that they are marketed to "existing iPod owners so that they can have one iPod for normal use and one for the gym . . ." And he said it with a straight face. Is that how you increase market share? It's that attitude that keeps Apple at 5%, and until that form of thinking is forced out, Apple will LOSE market share before it gains a percent more.

-----Original Message-----
From: Curt Purdy [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 18, 2004 10:34 AM
To: James Patterson Wicks; [EMAIL PROTECTED]
Subject: RE: [inbox] RE: [Full-Disclosure] Anti-MS drivel

Wicks wrote:
> Microsoft has competition. Apple, Sun, Red Hat . . .
>
> Problem is Apple is full of idiots who feature style over substance.
> The system has to look better than it performs. The OS is more stable than
> Microsoft, but their elitist attitude will always keep them at 5% market share.
> Business on the other hand is moving slowly to Linux. Why slowly? Who
> do you sue when your business is hacked by someone who planted a
> backdoor in the Linux kernel?

Your point about Apple is off the mark. However that very statement applies perfectly to MS. They take the best OS they ever made, W2K (though not as good as the other three mentioned) and make a pretty interface for XP while adding very little in functionality but adding tons of bugs and security flaws to come up with the worst OS since 3.1. If you doubt Apple's commitment to a solid, secure, enterprise strategy, read Tom Yager of InfoWorld sometime. I would gladly give you 2-to-1 odds on your 5% market prediction.

As for Linux, the problem is not who to sue, otherwise MS would have thousands of suits against it right now. The problem is support and that has now been solved with Novell's acquisition of Suse. The combination of the most secure OS around with an experienced, quality support staff, fully integrated with Linux is a driving force. Novell has finally got it right and their growing market share in the enterprise will reflect that.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

This e-mail is the property of Oxygen Media, LLC. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to [EMAIL PROTECTED] and destroy all electronic and paper copies of this e-mail.
Re: [Full-Disclosure] Anti-MS drivel
if the services like samba and apache weren't on by default on mandrake then linux would be ready for grandma.. let me clarify that just a little, in mandrake 9.0 they are turned on if you want internet/networking. urpmi is extremely easy for updating mandrake but i prefer to use command line only because if i miss a few updates i can run into some rpm dependency issues and with commandline i don't seem to. if linux was preloaded i believe it would be far better received than people think. make sure to tell them that this might not be suitable for certain games and that drivers aren't available for certain products. with it preloaded tho you end a lot of issues.

br3n
Re: [inbox] Re: [Full-Disclosure] Anti-MS drivel
On Sun, 18 Jan 2004 18:20:54 EST, joe <[EMAIL PROTECTED]> said:

> imply are common place for you. Not one restore from backup ever. Our AD has
> failures and the directory stops replicating to protect itself. We fix the
> disk subsystem failure, reload the machine, repromote, and it is up and

Am I missing something here regarding the difference between a restore and a reload?
RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel
I would be curious what exactly you and your customers are doing with your Active Directory implementations. I have been running a 250k user global multiple domain AD environment consisting of 9 domains across some 400 domain controllers for 3 years come April without the issues you seem to imply are commonplace for you. Not one restore from backup ever. Our AD has the crap beat out of it daily and supports Win9x-WinXP/2K3 as well as UNIX/LINUX Kerberos Clients, OS/2, UNIX/LINUX LDAP Clients, Linux, Samba on every known flavor of UNIX/LINUX and even Digital Equipment Systems, PeopleSoft, etc. We process tens if not hundreds of millions of authentications a day across the world. Probably a good 60-70k security groups and several hundred thousand computer objects. I don't know the size of implementations you have been playing with but I would certainly consider my environment Enterprise Level.

Any database corruption we have ever gotten has been due to complete disk subsystem failures and the directory stops replicating to protect itself. We fix the disk subsystem failure, reload the machine, repromote, and it is up and happy again. We don't really need the reload most of the time probably but once I blow a disk system I don't trust the machine until it has been scrubbed and reloaded. Obviously if it is a simple RAID disk blown out we don't even think twice about that, just throw in another disk and keep going on our merry way.

Is it perfect? No. Have I had problems? Absolutely. I probably have hit more real non-self generated issues than a vast majority of the people who have or ever will use it simply due to the size and the distributed nature of what I run and probably have at least 30+ KB's generated based on what I have found and I don't know how many hot fixes and code flow changes are due to my experiences and riding MS for the changes. There is certainly room for improvement and there always will be. W2K AD was a good first swipe, W2K3 AD is better, I expect the next rev to be better yet. That is how it works.

The biggest problem to the masses with AD is that it isn't the quick plug and play environment that the NT4 domain structure was. MS got everyone so trained into the idea that some brain dead individual could take a couple of simple tests, call themselves an MCSE, and be a big bad network admin that it turned around and bit companies firing up AD as they found out MCSE didn't mean someone knew what the hell they were talking about. Unfortunately for just about all of the Windows Admins/Consultants out there one actually has to understand AD a little. Knowing NT4 Domains or Windows 2000 Servers doesn't make anyone an Active Directory Admin or consultant though some will still claim it is so. Most Windows admins and consultants don't have that knowledge and shouldn't be playing with it in production environments without an adult present. Getting it to run on a home PC isn't practical experience.

As for a poor revisit, I have a Banyan friend who used to go off on NDS just like you are going off on AD. I have people at work who complain about leaving various X.500 implementations running on Big Iron. I guess what I am saying is that any system will run like shit if misconfigured. Just like any system will be insecure if misconfigured.

You want to beat on a MS product that absolutely deserves to be beat on, beat on Exchange 2000/2003. Now there is a product that defies any logic and configuration skills and truly isn't how an Enterprise class product should work.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Curt Purdy
Sent: Sunday, January 18, 2004 4:06 PM
To: 'yossarian'; '[Full Disclosure]'
Subject: RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel

And a poor revisit at that. I have had ADS crash and burn at two customers in the last year (unfortunately no backup domain controllers - no we did not set them up). Check out MS's knowledge base article on repairing ADS. It is like a 50 page article that basically ends with "Re-install and restore from tape and synch with other controllers". I have NEVER seen that happen with DNS in all the years I've worked with Netware. Also have seen ADS get all confused more than once in multiple domain sites requiring either finding the server with the least corruption and making it authoritative, or restoring from a known good backup. No way to run an enterprise. Again, whenever a problem has shown up in NDS, a simple DSREPAIR has always fixed everything, without fail.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel
I would be curious what exactly you and your customers are doing with your Active Directory implementations. I have been running a 250k user global multiple domain AD environment consisting of 9 domains across some 400 domain controllers for 3 years come April without the issues you seem to imply are common place for you. Not one restore from backup ever. Our AD has the crap beat out of it daily and supports Win9x-WinXP/2K3 as well as UNIX/LINUX Kerberos Clients, OS/2, UNIX/LINUX LDAP Clients, Linux, Samba on every known flavor of UNIX/LINUX and even Digital Equipment Systems, PeopleSoft, etc. We process tens if not hundreds of millions of authentications a day across the world. Probably a good 60-70k security groups and several hundred thousand computer objects. I don't know the size of implementations you have been playing with but I would certainly consider my environment Enterprise Level. Any database corruption we have ever gotten has been due to complete disk subsystem failures and the directory stops replicating to protect itself. We fix the disk subsystem failure, reload the machine, repromote, and it is up and happy again. We don't really need the reload most of the time probably but once I blow a disk system I don't trust the machine until it has been scrubbed and reloaded. Obviously if it is a simple RAID disk blown out we don't even think twice about that, just throw in another disk and keep going on our merry way. Is it perfect? No. Have I had problems? Absolutely. I probably have hit more real non-self generated issues than a vast majority of the people who have or ever will use it simply due to the size and the distributed nature of what I run and probably have at least 30+ KB's generated based on what I have found and I don't know how many hot fixes and code flow changes are due to my experiences and riding MS for the changes. There is certainly room for improvement and there always will be. 
W2K AD was a good first swipe, W2K3 AD is better, I expect the next rev to be better yet. That is how it works. The biggest problem to the masses with AD is that it isn't the quick plug and play environment that the NT4 domain structure was. MS got everyone so trained into the idea that some brain dead individual could take a couple of simple tests, call themselves an MCSE, and be a big bad network admin that it turned around and bit companies firing up AD as they found out MCSE didn't mean someone knew what the hell they were talking about. Unfortunately for just about all of the Windows Admins/Consultants out there one actually has to understand AD a little. Knowing NT4 Domains or Windows 2000 Servers doesn't make anyone an Active Directory Admin or consultant though some will still claim it is so. Most Windows admins and consultants don't have that knowledge and shouldn't be playing with it in production environments without an adult present. Getting it to run on a home PC isn't practical experience. As for a poor revisit, I have a Banyan friend who used to go off on NDS just like you are going off on AD. I have people at work who bitch about leaving various X.500 implementations running on Big Iron. I guess what I am saying is that any system will run like shit if misconfigured. Just like any system will be insecure if misconfigured. You want to beat on a MS product that absolutely deserves to be beat on, beat on Exchange 2000/2003. Now there is a product that defies any logic and configuration skills and truly isn't how an Enterprise class product should work. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Curt Purdy Sent: Sunday, January 18, 2004 4:06 PM To: 'yossarian'; '[Full Disclosure]' Subject: RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel And a poor revisit at that. I have had ADS crash and burn at two customers in the last year (unfortunately no backup domain controllers - no we did not set them up). 
Check out MS's knowledge base article on repairing ADS. It is like a 50 page article that basically ends with "Re-install and restore from tape and synch with other controllers". I have NEVER seen that happen with DNS in all the years I've worked with Netware. Also have seen ADS get all confused more than once in multiple domain sites requiring either finding the server with the least corruption and making it authoritative, or restoring from a known good backup. No way to run an enterprise. Again, whenever a problem has shown up in NDS, a simple DSREPAIR has always fixed everything, without fail. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke __
Re: [Full-Disclosure] Anti-MS drivel
On Sat, 17 Jan 2004 15:47:44 EST, James Patterson Wicks <[EMAIL PROTECTED]> said: > Linux is just not ready for prime time. By prime time I mean on the > homes of the American public. Regular home consumers don't want to have > to learn a new language to use e-mail or play games. They want to be > able to update a security hole without having to compile something. Well.. if you're on a RedHat box, you run up2date and it gives you a nice little gui to download and install the RPMs. Even gives you a flashing exclamation point on the menu bar if there's updates available. You're on Debian, you 'apt-get' the updates, and I'm sure there's a gui for that too. The only people who have to compile anything are the people who compiled it from source the first time. And in fact, that's the whole *point* of a Linux DISTRIBUTION - so you don't have to run Linux-from-scratch. Linux isn't quite ready for Aunt Tilley yet. But having to compile stuff to install patches isn't one of the reasons.
RE: [inbox] Re: [Full-Disclosure] Anti-MS drivel
yossarian wrote: >And a propos the ADS rant - you can hardly call it an MS invention. For me >it is NDS revisited. And a poor revisit at that. I have had ADS crash and burn at two customers in the last year (unfortunately no backup domain controllers - no we did not set them up). Check out MS's knowledge base article on repairing ADS. It is like a 50 page article that basically ends with "Re-install and restore from tape and synch with other controllers". I have NEVER seen that happen with DNS in all the years I've worked with Netware. Also have seen ADS get all confused more than once in multiple domain sites requiring either finding the server with the least corruption and making it authoritative, or restoring from a known good backup. No way to run an enterprise. Again, whenever a problem has shown up in NDS, a simple DSREPAIR has always fixed everything, without fail. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [inbox] RE: [Full-Disclosure] Anti-MS drivel
Wicks wrote: > Microsoft has competition. Apple, Sun, Red Hat . . . > > Problem is Apple is full of idiots who feature style over substance. > The system has to look better than it performs. The OS is more stable than >Microsoft, but their elitist attitude will >always keep them at 5% market share. > Business on the other hand is moving slowly to Linux. Why > slowly? Who > do you sue when your business is hacked by someone who planted a > backdoor in the Linux kernel? Your point about Apple is off the mark. However that very statement applies perfectly to MS. They take the best OS they ever made, W2K (though not as good as the other three mentioned) and make a pretty interface for XP while adding very little in functionality but adding tons of bugs and security flaws to come up with the worst OS since 3.1. If you doubt Apple's commitment to a solid, secure, enterprise strategy, read Tom Yager of InfoWorld sometime. I would gladly give you 2-to-1 odds on your 5% market prediction. As for Linux, the problem is not who to sue, otherwise MS would have thousands of suits against it right now. The problem is support and that has now been solved with Novell's acquisition of Suse. The combination of the most secure OS around with an experienced, quality support staff, fully integrated with Linux is a driving force. Novell has finally got it right and their growing market share in the enterprise will reflect that. Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- White House cybersecurity adviser Richard Clarke
Re: [Full-Disclosure] Anti-MS drivel
To move any kind of new system, network, office systems, email...takes time and money. While there are better options for everything we do, the simple fact of ROI and IT becoming the service industry it was always destined to be, causes a lot of folk to re-value, and a lot of the time make do, or spend less on migration. I look after a 10,000 user network, now if I make one simple change to a template or how folks work, I have to think of support costs, training costs, and loss of business and work rate due to the new system being in place, and that's just for starters. To move people to the next version of something is still hard, but incurs less cost (well you would think hehehe) but anyways, my point is, having all the answers in my mind doesn't make my business run better. Facts, figures and a sound plan, and even then I would have to turn it down, due to the cost of just getting those figures and plan hehehe. Have to base my decision on business not IT, as they are the ones that pay for it. - Original Message - From: "Michael Gale" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, January 18, 2004 5:14 AM Subject: Re: [Full-Disclosure] Anti-MS drivel > > HAHHHAHAH > > --snip-- > > Business on the other hand is moving slowly to Linux. Why slowly? > > Who do you sue when your business is hacked by someone who planted a > > backdoor in the Linux kernel? Won't happen you say? Let's see, > > almost happened once already . . . > --snip-- > > Oh please ... did you read the web site or did a friendly who knows how > to read explain it. The site says a public DB that offers TEST and BETA > kernels was attacked. It also says that the intrusion was caught which > would suggest that this was an unsuccessful attack. > > I like how you point out one unsuccessful attack on linux but leave out > thousands of successful working and money costing Microsoft windows > problems. > > Michael. 
> > > > > On Sat, 17 Jan 2004 15:47:44 -0500 > "James Patterson Wicks" <[EMAIL PROTECTED]> wrote: > > > Microsoft has competition. Apple, Sun, Red Hat . . . > > > > Problem is Apple is full of idiots who feature style over substance. > > The system has to look better than it performs. They want people to > > pay a premium to make it seem that their products are for the elite > > only. The OS is more stable than Microsoft, but their elitist attitude > > will always keep them at 5% market share. > > > > Sun's Java should be the market leader, but they don't have the cash > > to take on the 800 pound gorilla that is Microsoft. Java is > > running on Spirit, the rover that is on Mars right now. Imagine if > > Spirit had a Microsoft OS running it. Right after touchdown on Mars, > > you see the first image of the landscape and then . . . . BLUE SCREEN > > OF DEATH!! Sorry, but the guy from the Help Desk can't just stop by > > and reboot it this time. Even NASA is not crazy enough to trust a > > billion dollar project to a Microsoft OS. > > > > Linux is just not ready for prime time. By prime time I mean on the > > homes of the American public. Regular home consumers don't want to > > have to learn a new language to use e-mail or play games. They want > > to be able to update a security hole without having to compile > > something. Linux needs an interface like OS X and a software library > > to back it for "normal" people to be interested. > > > > Business on the other hand is moving slowly to Linux. Why slowly? > > Who do you sue when your business is hacked by someone who planted a > > backdoor in the Linux kernel? Won't happen you say? Let's see, > > almost happened once already . . . > > > > Linux kernel suffers Trojan horse hack - > > http://www.silicon.com/software/os/0,39024651,39116796,00.htm > > > > Microsoft threw an incomplete, insecure computer solution at an eager > > market for a low price, so home users and businesses lapped it up. 
> > Ever since Windows 95, home computing and Microsoft are nearly joined > > at the hip. It will take time to break Microsoft's nine-year hold, > > but it's going to take more than OS X and the current Linux offerings > > to do it. > > > > > > > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Edward W. > > Ray > > Sent: Saturday, January 17, 2004 12:38 PM > > To: 'Mary Landesman'; 'David F. Skoll'; [EMAIL PROTECTED] > > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; > > [EMAIL PROTECTED] > > Subject: [Full
Re: [Full-Disclosure] Anti-MS drivel
James Patterson Wicks wrote: Microsoft has competition. Apple, Sun, Red Hat . . . It sure does, but not on the x86 desktop. Problem is Apple is full of idiots who feature style over substance. The system has to look better than it performs. They want people to pay a premium to make it seem that their products are for the elite only. The OS is more stable than Microsoft, but their elitist attitude will always keep them at 5% market share. James, I don't know how old you are, or if you're just dim. Apple employs extremely talented people. Or do you think they just grabbed Mach and FreeBSD and threw out an OS without testing and engineering? They have people like Jordan Hubbard and Mike Smith working hard on the BSD side of things. They have extremely good people working on the UI side of things. Add to that the NeXT heritage and what you get is the finest desktop OS ever made, combined with the robustness typically found in *ix systems. And cut the expensive hardware crap, that was true 10 years ago, not now. You can get a very nice Mac for a decent price these days. The fact is, OS X has had far less security problems than any desktop OS Microsoft has ever made. Sun's Java should be the market leader, but they don't have the cash to take on the 800 pound gorilla that is Microsoft. Java is running on Spirit, the rover that is on Mars right now. Imagine if Spirit had a Again, you don't know what you're talking about. Java has its place in the server, that's where it shines. Nobody uses java for desktop apps except when you want easy multi-platform support, and even then, there are other alternatives. Java is very strong in the middleware market, where it shows all its true potential. Sorry, but the guy from the Help Desk can't just stop by and reboot it this time. Even NASA is not crazy enough to trust a billion dollar project to a Microsoft OS. Last time I checked Java was not an operating system. Linux is just not ready for prime time. 
By prime time I mean on the homes of the American public. Regular home consumers don't want to have to learn a new language to use e-mail or play games. They want to be able to update a security hole without having to compile something. Linux needs an interface like OS X and a software library to back it for "normal" people to be interested. Perhaps Microsoft's contracts with the major vendors also have something to do with this. OTOH, I do think there are Joe ComputerUser-ready linux distros. For people who use their computer to check e-mail, write some letters and browse the web, that is. I don't think a Mandrake or Knoppix system is that hard to learn. I'll give you the games thing, though. It's a catch-22 situation. The Linux market is too small, so few games are available, but few gamers will switch to Linux if no games are available. Business on the other hand is moving slowly to Linux. Why slowly? Who do you sue when your business is hacked by someone who planted a backdoor in the Linux kernel? Won't happen you say? Let's see, almost happened once already . . . You are so wrong. Businesses tend to be very conservative. If it works, don't touch it. That's why there are still IBM mainframes, that's why there are thousands of COBOL apps still running. Get a support contract with RedHat or SuSe. When a new worm comes out that infects your whole Windows network because some guy brought his laptop and bypassed your firewall, do you sue Microsoft? Linux kernel suffers Trojan horse hack - http://www.silicon.com/software/os/0,39024651,39116796,00.htm Guess what, no operating system is perfectly bugfree. Cheers, -- Miguel Mendez <[EMAIL PROTECTED]> http://www.energyhq.es.eu.org PGP Key: 0xDC8514F1 ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Anti-MS drivel
HAHHHAHAH --snip-- > Business on the other hand is moving slowly to Linux. Why slowly? > Who do you sue when your business is hacked by someone who planted a > backdoor in the Linux kernel? Won't happen you say? Let's see, > almost happened once already . . . --snip-- Oh please ... did you read the web site or did a friendly who knows how to read explain it. The site says a public DB that offers TEST and BETA kernels was attacked. It also says that the intrusion was caught which would suggest that this was an unsuccessful attack. I like how you point out one unsuccessful attack on linux but leave out thousands of successful working and money costing Microsoft windows problems. Michael. On Sat, 17 Jan 2004 15:47:44 -0500 "James Patterson Wicks" <[EMAIL PROTECTED]> wrote: > Microsoft has competition. Apple, Sun, Red Hat . . . > > Problem is Apple is full of idiots who feature style over substance. > The system has to look better than it performs. They want people to > pay a premium to make it seem that their products are for the elite > only. The OS is more stable than Microsoft, but their elitist attitude > will always keep them at 5% market share. > > Sun's Java should be the market leader, but they don't have the cash > to take on the 800 pound gorilla that is Microsoft. Java is > running on Spirit, the rover that is on Mars right now. Imagine if > Spirit had a Microsoft OS running it. Right after touchdown on Mars, > you see the first image of the landscape and then . . . . BLUE SCREEN > OF DEATH!! Sorry, but the guy from the Help Desk can't just stop by > and reboot it this time. Even NASA is not crazy enough to trust a > billion dollar project to a Microsoft OS. > > Linux is just not ready for prime time. By prime time I mean on the > homes of the American public. Regular home consumers don't want to > have to learn a new language to use e-mail or play games. They want > to be able to update a security hole without having to compile > something. 
Linux needs an interface like OS X and a software library > to back it for "normal" people to be interested. > > Business on the other hand is moving slowly to Linux. Why slowly? > Who do you sue when your business is hacked by someone who planted a > backdoor in the Linux kernel? Won't happen you say? Let's see, > almost happened once already . . . > > Linux kernel suffers Trojan horse hack - > http://www.silicon.com/software/os/0,39024651,39116796,00.htm > > Microsoft threw an incomplete, insecure computer solution at an eager > market for a low price, so home users and businesses lapped it up. > Ever since Windows 95, home computing and Microsoft are nearly joined > at the hip. It will take time to break Microsoft's nine-year hold, > but it's going to take more than OS X and the current Linux offerings > to do it. > > > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Edward W. > Ray > Sent: Saturday, January 17, 2004 12:38 PM > To: 'Mary Landesman'; 'David F. Skoll'; [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: [Full-Disclosure] Anti-MS drivel > > Mary: > > Cisco at least has competition. Juniper Networks has about a 25% > share of > the router market, which keeps Cisco honest. Microsoft has almost > market > penetration at the desktop for both the home and business. IMHO, they > deserve all the anti-MS drivel people can dish out. I will tire of it > when > I don't have to spend an hour each month clearing my firewall logs of > attempted Code Red and Nimda infection attempts > > Edward W. Ray > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Mary > Landesman > Sent: Thursday, January 15, 2004 10:55 AM > To: David F. 
Skoll; [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall > Day, help > the cause > > That's pretty much like teaching your kids to never talk to strangers, > or > never visit the "bad" part of town. Fact is, most crimes are committed > by > people we know. Microsoft is often victimized, mainly because they are > so > ubiquitous. Cisco is running a poll right now to see which of the 17 > critical patches are most important to users, because they only have > the manpower to fix 10 of them. Should we all stop using Cisco > products? > > This anti-MS drivel is so tiresome. > > -- Mary > > - Original Message - > From: "David F. Skoll" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; > <[EMAIL PROTECTED]> > Sent: Thursday, January 15, 2004 12:06 PM > Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, > help the > cause > > > On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote: > > > I just wanted to remind everybody that tomorrow is Personal Firewall > Day. > > http://www.personalfirewallda
Re: [Full-Disclosure] Anti-MS drivel
- Original Message - From: "Edward W. Ray" <[EMAIL PROTECTED]> To: "'Mary Landesman'" <[EMAIL PROTECTED]>; "'David F. Skoll'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Sunday, January 18, 2004 4:37 AM Subject: [Full-Disclosure] Anti-MS drivel > Mary: > > Cisco at least has competition. Juniper Networks has about a 25% share of > the router market, which keeps Cisco honest. Microsoft has almost market > penetration at the desktop for both the home and business. IMHO, they > deserve all the anti-MS drivel people can dish out. I will tire of it when > I don't have to spend an hour each month clearing my firewall logs of > attempted Code Red and Nimda infection attempts > Amazing. I wonder if you would have the job you have or know the things you know were it not for MS. I get tired of anti-MS drivel. The fact is that around my area the businesses are medium-small to small and of course home users. Without MS, there wouldn't be anywhere near the amount of computer users there are now from whom I can make a living. MS has weaknesses to be sure but if you think you can write a much better OS from the ground up with no holes in it, let me know. I would like to use it! Greg. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Anti-MS drivel
David, Your company is obviously a "geek" friendly environment where not using m$ products is ok and not a business requirement. But when you have tons of presentations monthly where the client is only using Powerpoint ( and only powerpoint because it's working for him ), using OpenOffice is NOT an option. Same goes for the rest of office products. We have around 600 desktops running a mix of win 2k/ xp pro and maybe 50 servers running 2k server and 2k3 server. We use a checkpoint fw and symantec corporate edition for antivirus. Last time I've seen a server infected was 3 years ago ( one nt machine everybody forgot about got owned using unicode exploit ). As for viruses we NEVER had an infection. It all boils down to keeping an eye on what's out there in terms of exploits and being pro-active. And don't give the "we don't have enough manpower to deal with all the windows exploits" stuff. I don't even remember when was the last time I had to go to a machine and install a patch ( we're using software update services for that - does a good job and it's free ). The antivirus server is deploying updated virus def files as soon as it gets any...and so on. Ah, and the mail server strips any "funny" mail attachments. Luca. Quoting "Edward W. Ray" <[EMAIL PROTECTED]>: > Mary: > > Cisco at least has competition. Juniper Networks has about a 25% share of > the router market, which keeps Cisco honest. Microsoft has almost market > penetration at the desktop for both the home and business. IMHO, they > deserve all the anti-MS drivel people can dish out. I will tire of it when > I don't have to spend an hour each month clearing my firewall logs of > attempted Code Red and Nimda infection attempts > > Edward W. Ray > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Mary Landesman > Sent: Thursday, January 15, 2004 10:55 AM > To: David F. 
Skoll; [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; > [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help > the cause > > That's pretty much like teaching your kids to never talk to strangers, or > never visit the "bad" part of town. Fact is, most crimes are committed by > people we know. Microsoft is often victimized, mainly because they are so > ubiquitous. Cisco is running a poll right now to see which of the 17 > critical patches are most important to users, because they only have the > manpower to fix 10 of them. Should we all stop using Cisco products? > > This anti-MS drivel is so tiresome. > > -- Mary > > - Original Message - > From: "David F. Skoll" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; > <[EMAIL PROTECTED]> > Sent: Thursday, January 15, 2004 12:06 PM > Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the > cause > > > On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote: > > > I just wanted to remind everybody that tomorrow is Personal Firewall Day. > > http://www.personalfirewallday.org/ > > That Web site is utterly disingenuous. Rather than giving low-value > information, how about high-value information that actually protects people: > > 1) Don't use Windows. > 2) Don't use Outlook. > > Our company uses neither Windows nor Outlook, and although we do have a > firewall, we do not use anti-virus software. > > Of course, the sponsors of the site (Microsoft and a bunch of anti-virus > vendors) can hardly see it as being in their interest to actually create > a secure computing environment. > > Regards, > > David. > > ___ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html
___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Anti-MS drivel
> On Sat, 2004-01-17 at 13:47, James Patterson Wicks wrote:
>
> > Business on the other hand is moving slowly to Linux. Why slowly? Who
> > do you sue when your business is hacked by someone who planted a
> > backdoor in the Linux kernel? Won't happen you say? Let's see, almost
> > happened once already . . .
>
> Scott Taylor wrote:
> How many businesses are suing Microsoft for putting out a wonderful
> platform on which to automatically replicate viruses? No, the reason is
> that managers get their free keychains and t-shirts from Microsoft for
> going to their stupid seminars and believe that all their vaporware will
> really revolutionize the world pretty soon, if only they choose to
> invest hundreds of hours converting their current enterprise into
> something that fits the active directory model, and in the process
> paying excessive amounts of money to consultants that correctly answered
> a couple multiple choice tests to get their silly Microsoft
> certification. Its a free market, let them waste their money like that.
> I've found some great deals on hardware at the auctions of companies
> that really truly believed all that marketing crap.
It is not the keychains 'n stuff. MS software suits amateurs better; 95% or
more of all people using computers are basically that, amateurs. By choice
or by necessity. Maybe that is why linux is safer as well - beginners don't
touch the stuff.
In many businesses it still holds true that MS rules the desktop, but is
considered a frivolous piece of computing, not to be taken too seriously.
It is the smaller companies relying on MS alone, rarely bigger companies -
unless it is IT companies of course. But they don't need a fully functional
network anyway - just powerpoint. IBM still holds a firm grip on the bigger
environments, but people working on big iron in that line of business rarely
touch the internet - even less security groups, since that is a boring
debate between MS Believers and *NIX Zealots talking about CGI sploits
updates for distro whatever or something, and PHP scripts. When do we get to
see some real software over here?
I checked the flaws reported the last week - and yes I read many many lists,
some 250 mails per day - and the only thing getting close to software used
in bigger environments is this BEA thingie 5 days ago. Yeah, and I quote: "a
weakness in BEA WebLogic Server and Express allowing malicious people to see
a password when it is entered {a weakness in BEA WebLogic Server and Express
allowing malicious people to see a password when it is entered - it is
echoed to the screen when using ANT". So what? Looking at a keyboard is
easier. And stuff like BEA, or any J2EE for that matter, are just emerging
on the periphery, and have still a long way to go. The security industry is
primarily focussed on what is happening in small computing or the internet,
and these discussions here just mirror this narrowness. Alas, yet true. This
is also an explanation for the lack of legal claims - one of many, I know
that - against MS for the vulnerable software, it rarely hurts the bigger
companies that can afford the legal costs. And yes you guys can give me a
lot of examples of companies hit over the years. So can I. But think again,
there are a lot of big companies out there. Do they all keep silent? You
think they can?
And apropos the ADS rant - you can hardly call it an MS invention. For me
it is NDS revisited. Let's face it - IT companies can't design software that
suits entire companies. Especially all of them.
Have fun, it is supposed to be weekend.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Anti-MS drivel
On Sat, 2004-01-17 at 13:47, James Patterson Wicks wrote:
> Business on the other hand is moving slowly to Linux. Why slowly? Who
> do you sue when your business is hacked by someone who planted a
> backdoor in the Linux kernel? Won't happen you say? Let's see, almost
> happened once already . . .

How many businesses are suing Microsoft for putting out a wonderful platform on which to automatically replicate viruses?

No, the reason is that managers get their free keychains and t-shirts from Microsoft for going to their stupid seminars and believe that all their vaporware will really revolutionize the world pretty soon, if only they choose to invest hundreds of hours converting their current enterprise into something that fits the Active Directory model, and in the process paying excessive amounts of money to consultants that correctly answered a couple of multiple choice tests to get their silly Microsoft certification.

It's a free market, let them waste their money like that. I've found some great deals on hardware at the auctions of companies that really truly believed all that marketing crap.

--
Scott Taylor - <[EMAIL PROTECTED]>
If you look like your driver's license photo -- see a doctor. If you look like your passport photo -- it's too late for a doctor.
RE: [Full-Disclosure] Anti-MS drivel
Microsoft has competition. Apple, Sun, Red Hat . . . Problem is Apple is full of idiots who feature style over substance. The system has to look better than it performs. They want people to pay a premium to make it seem that their products are for the elite only. The OS is more stable than Microsoft's, but their elitist attitude will always keep them at 5% market share.

Sun's Java should be the market leader, but they don't have the cash to take on the 800 pound gorilla that is Microsoft. Java is running on Spirit, the rover that is on Mars right now. Imagine if Spirit had a Microsoft OS running it. Right after touchdown on Mars, you see the first image of the landscape and then . . . . BLUE SCREEN OF DEATH!! Sorry, but the guy from the Help Desk can't just stop by and reboot it this time. Even NASA is not crazy enough to trust a billion dollar project to a Microsoft OS.

Linux is just not ready for prime time. By prime time I mean in the homes of the American public. Regular home consumers don't want to have to learn a new language to use e-mail or play games. They want to be able to update a security hole without having to compile something. Linux needs an interface like OS X and a software library to back it for "normal" people to be interested.

Business on the other hand is moving slowly to Linux. Why slowly? Who do you sue when your business is hacked by someone who planted a backdoor in the Linux kernel? Won't happen you say? Let's see, almost happened once already . . .

Linux kernel suffers Trojan horse hack - http://www.silicon.com/software/os/0,39024651,39116796,00.htm

Microsoft threw an incomplete, insecure computer solution at an eager market for a low price, so home users and businesses lapped it up. Ever since Windows 95, home computing and Microsoft have been nearly joined at the hip. It will take time to break Microsoft's nine-year hold, but it's going to take more than OS X and the current Linux offerings to do it.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward W. Ray
Sent: Saturday, January 17, 2004 12:38 PM
To: 'Mary Landesman'; 'David F. Skoll'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] Anti-MS drivel

Mary:

Cisco at least has competition. Juniper Networks has about a 25% share of the router market, which keeps Cisco honest. Microsoft has almost market penetration at the desktop for both the home and business. IMHO, they deserve all the anti-MS drivel people can dish out. I will tire of it when I don't have to spend an hour each month clearing my firewall logs of attempted Code Red and Nimda infection attempts.

Edward W. Ray

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mary Landesman
Sent: Thursday, January 15, 2004 10:55 AM
To: David F. Skoll; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

That's pretty much like teaching your kids to never talk to strangers, or never visit the "bad" part of town. Fact is, most crimes are committed by people we know.

Microsoft is often victimized, mainly because they are so ubiquitous. Cisco is running a poll right now to see which of the 17 critical patches are most important to users, because they only have the manpower to fix 10 of them. Should we all stop using Cisco products?

This anti-MS drivel is so tiresome.

-- Mary

- Original Message -
From: "David F. Skoll" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 15, 2004 12:06 PM
Subject: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

On Wed, 14 Jan 2004 [EMAIL PROTECTED] wrote:
> I just wanted to remind everybody that tomorrow is Personal Firewall Day.
> http://www.personalfirewallday.org/

That Web site is utterly disingenuous. Rather than giving low-value information, how about high-value information that actually protects people:

1) Don't use Windows.
2) Don't use Outlook.

Our company uses neither Windows nor Outlook, and although we do have a firewall, we do not use anti-virus software.

Of course, the sponsors of the site (Microsoft and a bunch of anti-virus vendors) can hardly see it as being in their interest to actually create a secure computing environment.

Regards,

David.
