[Full-Disclosure] MS Anti Virus?
st3ng4h at comcast.net
Sat Jun 19 18:33:26 BST 2004
First, apologies to the list for the unintentional header forgery.
My correct address is st3ng4h at comcast.net, not rob at comcast.net. It
is my fault for configuring my SMTP forwarder in a hurry. A
boneheaded mistake. What can I say, it's been a long week.
On Fri, Jun 18, 2004 at 01:08:08PM -0400, joe wrote:
> Can users hook themselves up to the internet?
Some can. It certainly takes less knowledge than sound system
administration; someone who successfully played with the toy where
one fits circular, rectangular, or triangular plastic blocks into
holes of corresponding shapes has all the 'skills' s/he needs to
plug coaxial and power cables into a cable modem, and RJ-45 from
cable modem to PC.
You will hear no argument from me when you assert that there are
many, many braindead users, admins, and 'technicians' out there.
> So what I am saying is, I think the ISPs need to share some of the
> responsibility of hooking people up safely, don't just plug them in.
This is a good idea, and some ISPs do make efforts to educate their
customers about security, albeit in mostly passive ways.
However, it seems odd to me that you feel the ISPs should be obliged
to leap through many hoops to protect their customers, essentially
before they take customers' money. Microsoft has been taking
customers' money for years and years, and have given little or no
real consideration to customers' protection. By Gates' own
admission, (paraphrased) 'we have not done all that we can to
protect our customers'. Which, judging by their track record, is
still an understatement in the extreme.
In your last post, you made it clear that you believe that it is
primarily failings on the part of users that have allowed these
security gaffes to have such dire effect. So, can you explain why
you put such heavy responsibility on ISPs to protect customers, but
seemingly relieve Microsoft of any such responsibility, blaming
nearly everything on the user?
My point remains the same: Microsoft has no control over what its
end users do. It cannot force education, patches, or firewalls on
users if they don't want them. It has complete control over the
design, configuration, and quality of the software it sells. Which
is easier for them to fix- their software, or the mind of every end
> Alternatively, have the ISP block all but say ports 25,80, and 110 by
Truly draconian. And exceptionally bad for business. I remember when
Comcast had the nerve (sense) to block TCP 135 when Blaster hit. You
should have seen all the screaming users, infuriated that their
Windows File and Print Sharing didn't work. "I need this to connect
to our corporate file server and update the Excel spreadsheet that
has all our passwords in it, or my boss is gonna kill me!!"
Oh, and even this "security-through-unplugging-cables" style of
approach does absolutely nothing to protect people merrily browsing
the net with Internet Explorer and receiving email with Outlook
Express. Ever hear of phishing? How bout spyware?
> Again however, MS is stepping up on this. Go look at XP SP2. It is a big
> step in the direction to help users protect themselves. Of course of course,
> they have always done bad things so they can't possibly do anything better
> now. How thoughtless of me. Of course someone like yourself is so good at
> coding you know that every piece of code you have ever written has been
> perfect right off and no possible issues... Oh wait, you implying that means
> you probably have never coded anything more complex than a basic tool if
Admittedly, no. I didn't claim to be. I am young and learning. But
I think I have a good understanding of the concepts behind
designing and implementing secure software and avoiding the
programming errors that lead to easy exploits. And some things, like
active scripting in mail clients (to pull one off the top of my
head and recent full-disc history, that has inspired more than one
well-justified rant by list regulars) are just dumb and should have
never been considered in the first place, let alone turned on by
default. It doesn't seem to me to be rocket science. Assume that
software *will* be used and abused by Bad Guys; trust no input, and
validate all of it; write software that uses the least privileges it
needs to function, and no more; write small software; use techniques
such as isolation to provide additional layers of security that
increase the difficulty or nullify the risk of attacks; perpetually
strive to educate oneself about new attacks and new classes of
attacks, and learn to defend against them. The list continues; you
get the idea. It can be tedious and difficult. But it's one of the
things we have got to do, if we want to improve the status quo.
If what you wrote above is some kind of thinly-veiled attempt to
undermine my credibility (I don't have any yet, silly wabbit) by
making insinuations about my programming skill, it has probably
backfired on you. If what you want is to start a flame war, contact
Back to the topic at hand, XP SP2. Yes, I've seen it, and I'm not
terribly impressed. Most of these things have been in free *nixes
for a long time now. Comparing with Red Hat/Fedora (which is far
from the panacea of secure OSes, mind you):
Firewall on by default: Red Hat's had iptables setup as part of the
installation for years now. Configuration involves clicking one of
four radio buttons.
Safer networking defaults: Red Hat turned off most if not all
networked services in the default installation years ago, IIRC. I
think it took them about 10 minutes. Long overdue for Microsoft.
Memory protection: many distros, and I believe Fedora is one of
these, compile packages with stack-smashing protection or provide
versions of gcc with such features. More robust protection is
freely available with tools like grsecurity.
Safer email handling: safer than what? I can't think of a *nix mail
client that's proven as unsafe as Outlook and Outlook Express have.
Shoring up these programs is a 'duh', and also long overdue. Fedora
offers a choice of no less than ten different mail clients. Pick one
at random; I'll bet the cost of a Windows Server 2003 license that
it will never be victim to the types of vulns that have plagued and
continue to plague the Outlook series.
Safer browsing: More safe defaults that are long overdue. My
comments above on mail clients can be applied directly to browsers:
you have lots of choices, pick one at random, it's almost guaranteed
that you'll never suffer from the same types of stupid tricks that
can be played successfully on IE.
Automagic updates: trivially achieved with ANY *nix package
management system, and cron. And yes, they've been around for years.
Oh, and no one worries about whether updating Mozilla or Konqueror
means their network connection gets hosed or their OS is rendered
This is a simplified overview, but I think I've addressed the major
features MS is touting here, agree?
> I agree that MS helped create the mass of inept users... However, I don't
> see any OSes going out there creating knowledgeable users.
Try sitting a new user in front of a freshly installed *BSD box, and
see how far he gets without reading the manual.
> In fact had MS
> not done what it had done, I don't think we would be anywhere near where we
> are right now for penetration of PCs in the home and lower costs associated
> with that.
Is that supposed to be a good thing? Personally, I'd like to see far
fewer stupid people and sleazy corporations on the 'net. If that
means I have to pay more for access, and perhaps have one computer
in my home instead of half a dozen, so be it.
> I am just guessing but irregardless of what OS you are on now,
> you most likely were running an MS OS at some point.
Yes, and I rue the day I ever let it sink its teeth into me. I have
since freed myself of this unnecessary burden. Windows to me is now
little more than a gaming system, slightly superior to PS2 (except
in the respect that I never worry about my PS2 becoming the newest
member of a botnet).
> Not many people start
> on Mainframes and UNIX machines and went straight to non-MS offerings. Why?
> Not much else existed in the home for some time. Probably the few
> (relatively speaking) that can say they haven't ever run an MS OS are those
> that started using computers in University and never left so always lived in
> the UNIX world or Apple folks. If you had a PC at home and it wasn't an
> Apple, the chances are good it had MS on it.
Again, is that supposed to be a good thing?
Lots of people like double bacon cheeseburgers and Krispy Kremes. It
doesn't mean it's a good idea to eat nothing but.
> I look forward to BSD/Linux gathering steam and becoming better and better
> and more and more accepted. For several reasons actually. First off, MS
> always thrives when given good competition, it pushes itself to do better
Microsoft is well-known for its decidedly monopolistic and
*anti*-competitive behavior. Is this news?
As outlined in the Report That Got Dan Geer Canned From @stake ,
this in and of itself is a danger to security. More generally, any
ubiquitous, identical systems on a huge global network are
inherently dangerous to the network itself, as the possibility
exists that a single piece of malicious code can destroy the systems
and/or the data contained on them and/or cripple the entire network.
Diversity is a key risk management strategy, and it has proven
parallels in fields like biology. I believe it also applies to
security risk management.
We've seen code that does this, and has the potential to do much
worse, many times over again, for a long time now.
Is it becoming clear why a simple 'step-up' from MS won't cut it?
I don't want to see any one operating system or piece of software
'take over the world'. I would like to see some real competition
resulting in better code and more diversity, so perhaps we can make
some progress on overcoming the attacks of yesterday that continue
> and better which is good for computing in general because they have serious
> cash to put into the endevour, not many computing places now have
> multi-billion dollar R&D budgets to make home computing better.
It must be humbling for you to think that a bunch of rag-tag GNU
hippies, young Finnish CS students, Berkeley grads, Canadians
*gasp!*, and thousands of other hackers coding in their spare time
often for free, have produced operating systems and software that
rival or are outright superior to the products of the largest,
richest software company in the world.
> Second off,
> the Linux world will have to clean up, right now it is a bit chaotic with
> all of the various vendors duking it out over who is better and you having
> to be really sure of what you have before you install things. It reminds me
> of earlier MS days with Win9x and NT and having to figure out what you had
> so you knew what you could install. It is a pain in the butt when consulting
> for large companies when they are trying to figure it out because not only
> is it a case of figure out if you want Linux or Windows, it is which flavor
> of Linux do you want. Just dilutes the whole thing. Yes yes choice is good
> blah blah blah. Sometimes though in the committee driven worlds of corporate
> America, a multitude of choices can be a bad thing.
Yes, there are a lot of Linux distros out there now, and yes, most
of them are pretty useless, lame, and contrived. There are also some
very good ones, and the skilled sysadmin can always build their own
if they don't like anyone else's. Yes, for a corporation trying to
'pick one' it can be difficult, for those not used to actually
having choices. Yes, trying to figure it out is difficult for
companies, especially ones full of admins who are glued to the
shiny friendly happy clicky GUI world to which they're accustomed,
and don't know a whit about what's actually happening- on the
system, on the network, anywhere.
Who ever told these people it would be easy, ever? These are some of
the most complex machines mankind has created. Who made them
allergic to getting their hands dirty and spending some time
understanding the systems they're supposed to be taking care of with
> You sound like a jilted lover here. Not someone looking for the computing
> world to get better.
Jilted lover isn't quite accurate; it's more like MS keeps trying
to slip people roofies at the bar and date-rape them in the parking
lot. I'll tell you why, and fundamentally I believe this is the
reason for our differences of opinion.
You still trust Microsoft. I don't. They had it for a time, and
they have earned my distrust. It will take significant leaps and
bounds forward in several areas for them to earn it back. Call me
paranoid, pessimistic, jaded, what have you.
I've been promised that they will step up with every new version and
new product, just as you are offering promises that they are
stepping up with SP2. Don't get me wrong; it will help, for those
who are running XP (many aren't), are aware of its existence (the
many who cannot even be bothered with patching now will likely be
oblivious), and who won't remove or disable it after seeing that it
makes life on the 'puter an iota more difficult than it had been
It won't undo the disservice they have done to the industry and
their customers by consistently failing to improve the security and
quality of their software, nor will it undo the damage caused by
making it so easy for users as zombie-like as their infected
machines to play with it on high-speed wireless 'net connections.
It's a baby step in the right direction, for a corporation that as I
said, ought to be leading the industry.
In any case, before our 'discussions' become any more verbose,
flame-ish, religious, or off-topic (they're currently all four), we
should do the good list members a favor and take it off list.
Full-Disclosure is hosted and sponsored by Secunia.