QODS ec

Saturday, June 19, 2004

M$: [Full-Disclosure] MS Anti Virus?

Andre Ludwig
to full-disclosure
Jun 16 (3 days ago)
Oh this should be good...

http://www.reuters.com/newsArticle.jhtml?storyID=5429092

SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
Research) is still on track to offer an anti-virus product that will
compete against similar software offered by Symantec Corp. (SYMC.O:
Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
Profile, Research), the world's largest software maker said late on
Monday.

Mike Nash, chief of Microsoft's security business unit, told reporters
that Microsoft is developing software to protect personal computers
running Windows against malicious software, the worms and viruses that
have plagued users with data loss, shutdowns and disruptions in Web
traffic in recent years.

"We're still planning to offer our own AV (anti-virus) product," Nash said.

Asked if that would hurt sales of competing products, such as Network
Associates' McAfee and Symantec's Norton family of products, Nash said
that Microsoft said that it would sell its anti-virus program as a
separate product from Windows, rather than including it in Windows.

Redmond, Washington-based Microsoft acquired anti-virus technology from GeCAD
Software Srl., a Romanian software company, last year to develop its
own software.

Microsoft, whose Windows operating system is a favorite target for
computer viruses, launched a company-wide "Trustworthy Computing"
campaign in early 2002 to boost the security and reliability of its
software.

Nash did not give a time frame for the release of Microsoft's
anti-virus software.

and another

http://www.entmag.com/news/article.asp?EditorialsID=6272

by Scott Bekker

6/16/04

Microsoft is leaning toward offering a paid anti-virus subscription service.

Mike Nash, corporate vice president for the security business and
technology unit at Microsoft, said Microsoft will probably sell its
own anti-virus software and subscription service. It is the first
public signal that Microsoft intends to turn its acquisition of the
Romanian anti-virus company GeCAD into a product customers pay for.

The comments came up at a dinner with reporters in Seattle on Monday
night when Nash was asked how Microsoft's anti-virus efforts might
affect Symantec. "I want to make sure customers have another choice,"
the Bloomberg News agency quoted Nash as saying. "Some people will
continue to use Symantec, and some will use ours."

Shares of Symantec, which gets 85 percent of its revenues from
anti-virus products, were down following Nash's comments, according to
Bloomberg.

Previously, Microsoft had been coy about its plans for GeCAD, which it
acquired last June. "This acquisition will help us and our partner
anti-virus providers further mitigate risks from these threats," Nash
said at the time, implying Microsoft would use GeCAD's programming
talent to make Windows and other Microsoft products more resistant to
viruses.

But Microsoft also immediately indicated at the time that it was fully
evaluating how to proceed with GeCAD's technology and employees. In a
white paper published last June on Microsoft's Web site, the company
wrote, "Details of the Microsoft antivirus solution, including any
product plans, pricing, and a timeline for delivery, are not yet
available. Microsoft strongly recommends that customers continue to
use antivirus solutions from industry partners and keep their virus
signatures updated."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Andre Ludwig
to slacker, full-disclosure
Jun 16 (3 days ago)
Think the mafia refers to this as a protection racket...

Man, so much can be made of this; it's a techy comedy gold mine.

"our software sucks so bad that the market for anti virus software for
our platform is such a lucrative market that we can't stay out of it"

Andre Ludwig CISSP

On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
>
> <snip>
> > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > Research) is still on track to offer an anti-virus product that will
> > compete against similar software offered by Symantec Corp. (SYMC.O:
> > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > Profile, Research), the world's largest software maker said late on
>
> Oh yeah, what's the average delay to release on exploit patches? What makes
> me think that they are going to be that slow on releasing AV updates? =P
>
> slacker
>
>


Chris Cappuccio
<chris[ at ]nmedia.net> to Andre, slacker, full-disclosure
Jun 16 (3 days ago)
I hate to say this, but I don't think Microsoft software could be any
worse than Symantec...

Andre Ludwig [andre.ludwig[ at ]gmail.com] wrote:
> Think the mafia refers to this as a protection racket...
>
> Man, so much can be made of this; it's a techy comedy gold mine.
>
>
> "our software sucks so bad that the market for anti virus software for
> our platform is such a lucrative market that we can't stay out of it"
>
> Andre Ludwig CISSP
>
> On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
> >
> > <snip>
> > > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > Research) is still on track to offer an anti-virus product that will
> > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > Profile, Research), the world's largest software maker said late on
> >
> > Oh yeah, what's the average delay to release on exploit patches? What makes
> > me think that they are going to be that slow on releasing AV updates? =P
> >
> > slacker
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
"When it absolutely, positively had to be there yesterday: Temporal Express"

Todd Burroughs
<todd[ at ]hostopia.com> to Chris, Andre, slacker, full-disclosure
Jun 17 (2 days ago)
They are planning to get into a market that guards against the failures
in their own product. I don't like this, as it seems that they are going
to be in a position to intentionally make holes that their "anti-virus"
software will fix. If we had a more competitive market in this type of
software there would be no market for AV software and the AV companies
would be making better operating systems. Remember, Microsoft is a
marketing company and they are very good at it and very powerful.

Educate your friends and family. Unfortunately, there isn't much choice
right now, but someone will do for Linux (or *BSD) what Apple has done.
If Apple was smart, they would make an OS for PCs. Maybe they will...

It's sad that we are wasting so many resources on what should be a
non-problem.

Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Wed, 16 Jun 2004, Chris Cappuccio wrote:

> I hate to say this, but I don't think Microsoft software could be any
> worse than Symantec...
>
> Andre Ludwig [andre.ludwig[ at ]gmail.com] wrote:
> > Think the mafia refers to this as a protection racket...
> >
> > Man, so much can be made of this; it's a techy comedy gold mine.
> >
> >
> > "our software sucks so bad that the market for anti virus software for
> > our platform is such a lucrative market that we can't stay out of it"
> >
> > Andre Ludwig CISSP
> >
> > On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
> > >
> > > <snip>
> > > > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > > Research) is still on track to offer an anti-virus product that will
> > > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > > Profile, Research), the world's largest software maker said late on
> > >
> > > Oh yeah, what's the average delay to release on exploit patches? What makes
> > > me think that they are going to be that slow on releasing AV updates? =P
> > >
> > > slacker
> > >
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> "When it absolutely, positively had to be there yesterday: Temporal Express"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


Chris Cappuccio
<chris[ at ]nmedia.net> to Todd, full-disclosure
Jun 17 (2 days ago)
Todd Burroughs [todd[ at ]hostopia.com] wrote:
> They are planning to get into a market that guards against the failures
> in their own product. I don't like this, as it seems that they are going
> to be in a position to intentionally make holes that their "anti-virus"
> software will fix. If we had a more competitive market in this type of

I hate to break it to you, but being the Monopoly, they've been in this
position since the days of MS-DOS. The fix was always to buy the next version.
Of course, now we're talking about a more specific type of software bug than we
were before. There's nothing new and exciting about Microsoft entering
the AV market, except, perhaps we may see software that is better than
some of the other spew out there.

Ok, that was phrased incorrectly. I couldn't possibly feel _excited_ by this
new software from Microsoft. That would be like rushing to McDonald's for a
salad-in-a-cup. What I mean to say is that Microsoft seems to have an easy
time matching and exceeding the quality of many third parties (maybe since
everyone writes such shit software!)

> software there would be no market for AV software and the AV companies
> would be making better operating systems. Remember, Microsoft is a
> marketing company and they are very good at it and very powerful.
>

You would run an operating system written by Symantec? Commercial AV vendors
are the epitome of junk software. The thought just makes me cringe. Better
operating systems? Better than what?

> It's sad that we are wasting so many resources on what should be a
> non-problem.
>

The fact that Microsoft has the monopoly reflects social and economic values,
not technical ones. So, it's largely irrelevant to the thousands of people
who happily run other operating systems. If it seems sad to you, then most of
the world probably makes you cry. (Hey, that's OK, it gets to me from time
to time as well)

-c


npguy
to full-disclosure
Jun 17 (2 days ago)
M$ anti-virus free with every Outlook 2005.

On Thursday 17 June 2004 08:41 am, Chris Cappuccio wrote:
> I hate to say this, but I don't think Microsoft software could be any
> worse than Symantec...
>
> Andre Ludwig [andre.ludwig[ at ]gmail.com] wrote:
> > Think the mafia refers to this as a protection racket...
> >
> > Man, so much can be made of this; it's a techy comedy gold mine.
> >
> >
> > "our software sucks so bad that the market for anti virus software for
> > our platform is such a lucrative market that we can't stay out of it"
> >
> > Andre Ludwig CISSP
> >
> > On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net>
wrote:
> > > <snip>
> > >
> > > > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > > Research) is still on track to offer an anti-virus product that will
> > > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > > Profile, Research), the world's largest software maker said late on
> > >
> > > Oh yeah, what's the average delay to release on exploit patches? What
> > > makes me think that they are going to be that slow on releasing AV
> > > updates? =P
> > >
> > > slacker
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html


joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 17 (2 days ago)
My initial thought of a response to this was something along the lines of do
you wear an aluminum foil helmet as you seem to fit the profile... I decided
against that. I mean I still think it but I think this response is
better....

Antivirus software will probably always be around. Why? Because it is mostly
software to prevent uneducated users from hurting themselves and it is
probably impossible to get to a point that all users will be educated and
there won't be ways to hurt themselves and people specifically trying to
hurt them. While AV is simply an extension of the user interface of the OS,
at this point in the game if the OS vendor treats it that way it would
simply result in lawsuits by the AV vendors against the OS vendors which is
why MS will have to sell what they have.

It is possible now to run without AV software and be safe; if you are a fully
educated user, take precautions, and patch when the patches are available,
you will be pretty safe even if you don't run AV, and there are probably many
users on this list that fit that category and don't run AV.

Many of the recent viruses hitting the corporate world haven't been holes in
MS products causing the problem. It has been good social engineering. One of
the more recent ones that had me laughing was an email that came through
with a password protected zip file with the password in the email and the
note sounding like it came from the IT dept. People all over the world
opened that up and ran it. If they had had to download it,
chmod it, and then run it, they would have done so if the instructions had
said so. Yes, you could probably stop this with a simple note in a small
company, maybe 50, 100, 1000 people. This was a company comprising 250k people
from around the world and no simple note was going to do the trick. You
could also lock machines down to the point that they are merely kiosks as
well but this isn't realistic except in a tightly controlled corporate
environment and even still you would have considerable bitching by users who
wanted more control.

I don't care what OS you run, if it is a user popular OS and if that OS gets
targeted by someone with a clever social engineering scheme, it will have
impact.

I have pretty close ties to MS so most of your posts simply make me smirk. I
have met and talked with many developers there and know how busy they are
and that they are mostly good guys trying to do a good job. Now that the
company has switched to a more secure stance they are allowed to do more
good whereas before they didn't have a hammer in terms of security.

I have had "official" access to MS OS source now for almost a year and can
say that the code base is huge. While it is possible that someone could bury
something in there purposely it is more likely that someone makes a mistake
and doesn't understand all of the different ways that their function or
module could be used. This is changing, the new code being written is being
looked at very closely for security now and not just functionality. I know I
know... "MS did a complete security review of all code when they made this
decision and....". Again this code base is huge, no way they could catch
everything. I am, however, not happy about some of the things that have
gotten through such as the various USN/BER encoding and RPC issues but it is
getting better whether you want to admit it or not.


joe


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Todd Burroughs
Sent: Thursday, June 17, 2004 5:04 AM
To: Chris Cappuccio
Cc: Andre Ludwig; slacker; full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

They are planning to get into a market that gaurds against the failures in
their own product. I don't like this, as it seems that they are going to be
in a position to intentionally make holes that their "anti-virus"
software will fix. If we had a more competitive market in this type of
software there would be no market for AV software and the AV companies would
be making better operating systems. Remember, Microsoft is a marketing
company and they are very good at it and very powerful.

Educate your friends and family. Unfortunately, there isn't much choice
right now, but someone will do for Linux (or *BSD) what Apple has done.
If Apple was smart, they would make an OS for PCs. Maybe they will...

It's sad that we are wasting so much resources on what should be a
non-problem.

Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and share
on a global scale without borders; fight to keep it that way.


Steffen Schumacher
<ssch[ at ]wheel.dk> to joe, full-disclosure
Jun 17 (2 days ago)
On 17.06.2004 10:11:06 +0000, joe wrote:
> My initial thought of a response to this was something along the lines of do
> you wear an aluminum foil helmet as you seem to fit the profile... I decided
> against that. I mean I still think it but I think this response is
> better....
>
> Antivirus software will probably always be around. Why? Because it is mostly
> software to prevent uneducated users from hurting themselves and it is
> probably impossible to get to a point that all users will be educated and
> there won't be ways to hurt themselves and people specifically trying to
> hurt them. While AV is simply an extension of the user interface of the OS,
> at this point in the game if the OS vendor treats it that way it would
> simply result in lawsuits by the AV vendors against the OS vendors which is
> why MS will have to sell what they have.
>
> It is possible now to run without AV software and be safe; if you are a fully
> educated user, take precautions, and patch when the patches are available,
> you will be pretty safe even if you don't run AV, and there are probably many
> users on this list that fit that category and don't run AV.
>
> Many of the recent viruses hitting the corporate world haven't been holes in
> MS products causing the problem. It has been good social engineering. One of
> the more recent ones that had me laughing was an email that came through
> with a password protected zip file with the password in the email and the
> note sounding like it came from the IT dept. People all over the world
> opened that up and ran it. If they had had to download it,
> chmod it, and then run it, they would have done so if the instructions had
> said so. Yes, you could probably stop this with a simple note in a small
> company, maybe 50, 100, 1000 people. This was a company comprising 250k people
> from around the world and no simple note was going to do the trick. You
> could also lock machines down to the point that they are merely kiosks as
> well but this isn't realistic except in a tightly controlled corporate
> environment and even still you would have considerable bitching by users who
> wanted more control.
>

While I have no numbers to back this up, I do think that worms are far worse
when it comes to the extent to which viruses spread, and speed.
It is my belief that most worms are based upon MS exploits, rather than social
engineering.

It is my belief that we will simply have to wait until MS cleans up their act,
which they should be doing, before the world becomes a better place to live.

I realize that this doesn't clear situations like the one above, but in general
such situations can't really be solved unless all mails are scanned extensively,
and / or the people are educated enough so that they never should run executables
received from mail (it's actually quite simple to me). The *real* IT department
could then link to the executable and place it on an intranet server which
would be secure.

/Steffen


> I don't care what OS you run, if it is a user popular OS and if that OS gets
> targeted by someone with a clever social engineering scheme, it will have
> impact.
>
> I have pretty close ties to MS so most of your posts simply make me smirk. I
> have met and talked with many developers there and know how busy they are
> and that they are mostly good guys trying to do a good job. Now that the
> company has switched to a more secure stance they are allowed to do more
> good whereas before they didn't have a hammer in terms of security.
>
> I have had "official" access to MS OS source now for almost a year and can
> say that the code base is huge. While it is possible that someone could bury
> something in there purposely it is more likely that someone makes a mistake
> and doesn't understand all of the different ways that their function or
> module could be used. This is changing, the new code being written is being
> looked at very closely for security now and not just functionality. I know I
> know... "MS did a complete security review of all code when they made this
> decision and....". Again this code base is huge, no way they could catch
> everything. I am, however, not happy about some of the things that have
> gotten through such as the various USN/BER encoding and RPC issues but it is
> getting better whether you want to admit it or not.
>
>
> joe
>
>
> -----Original Message-----
> From: full-disclosure-admin[ at ]lists.netsys.com
> [mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Todd Burroughs
> Sent: Thursday, June 17, 2004 5:04 AM
> To: Chris Cappuccio
> Cc: Andre Ludwig; slacker; full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
>
> They are planning to get into a market that guards against the failures in
> their own product. I don't like this, as it seems that they are going to be
> in a position to intentionally make holes that their "anti-virus"
> software will fix. If we had a more competitive market in this type of
> software there would be no market for AV software and the AV companies would
> be making better operating systems. Remember, Microsoft is a marketing
> company and they are very good at it and very powerful.
>
> Educate your friends and family. Unfortunately, there isn't much choice
> right now, but someone will do for Linux (or *BSD) what Apple has done.
> If Apple was smart, they would make an OS for PCs. Maybe they will...
>
> It's sad that we are wasting so many resources on what should be a
> non-problem.
>
> Todd Burroughs
> ---
> The Internet has given us unprecedented opportunity to communicate and share
> on a global scale without borders; fight to keep it that way.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Eric Paynter
<eric[ at ]arcticbears.com> to full-disclosure
Jun 17 (2 days ago)
On Thu, June 17, 2004 2:45 am, Chris Cappuccio said:
> The fact that Microsoft has the monopoly reflects social and economic
> values, not technical ones.

I'm not sure if "values" is the right word. They got there by signing an
exclusive deal with IBM back when IBM made the only "serious" business
computers and the Mac was thought to be a toy. They stayed there by using
unethical and illegal tactics to coerce other vendors to bend to their
will - something only a monopoly can do.

-Eric


joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 17 (2 days ago)
However the worms would be blocked if people had patched their machine or
otherwise properly administrated the machines they were responsible for. All
of the worms that I think you are probably referring to had patches well
in advance of the worm that impacted it: Blaster, Slammer, Sasser, etc.

Home users never should have been impacted as they should be running
firewall software on the internet connections. The fact that they don't
isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
of that they should be patching when necessary.

Corporate users shouldn't have been impacted either and were only because
the IT department didn't keep the machines patched properly. Too many
companies run on a deploy and forget strategy, this doesn't work for any OS
be it Windows, *nix, or IOS. I am not saying keeping them patched is an easy
task, I managed 400 servers in a Fortune 5 company that were distributed
around the world. None of them ran antivirus, none of them got infected by
either viruses nor worms, none of them allowed anyone but a small number
of people to have admin rights to do harm to them. When a patch came out
that affected those servers, it was on the machines in a rather quick
fashion, generally within 72 hours depending on testing times.

Thinking that there will never be code patches required isn't realistic. It
is humans writing the code and even the humans writing the other OSes make
mistakes and need to release patches. If the people who manage the machines
don't take the time to apply the patches then the issue isn't an MS issue,
it is an admin issue.


> The *real* IT department could then link to the
> executable and place it on an intranet server
> which would be secure.

This is an interesting idea but I can't see how one could do it in a
feasible manner in a large company that is receiving hundreds of thousands
of emails from the outside a day. Also you would have to watch for internal
emails and attachments as well because you could get an infected machine on
the inside. Now in large companies you are up to millions of emails.

My recommendation to the email manager at the time of the last major
outbreak where they started just stripping all ZIPs from emails was that they
strip ALL attachments that didn't have a specific internally defined
extension on them, that way they knew it was a purposeful thing that the
attachment was there. The extension would be something specific to a company
and people involved know that extension. Obviously this is just a crutch to
block the issue with well known executable file extensions.

The file associations are a tough thing to repeal since they are so deeply
embedded in how things are done on Windows and people have gotten so used to
them; it made life easier for a majority of the users and was a great idea
at the time. Now however, if you, for instance, removed the DOC extension
from the file associations half the corporate Windows Admins out there would
be at a complete loss as to why Word wasn't working... Those bad Windows
Admins are partially MS's fault, but mostly the fault of companies who look
for cheap admins versus good admins.

joe


-----Original Message-----
From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
Sent: Thursday, June 17, 2004 10:43 AM
To: joe
Cc: full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

While I have no numbers to back this up, I do think that worms are far worse
when it comes to the extent to which viruses spread, and speed.
It is my belief that most worms are based upon MS exploits, rather than
social engineering.

It is my belief that we will simply have to wait until MS cleans up their
act, which they should be doing, before the world becomes a better place to
live.

I realize that this doesn't clear situations like the one above, but in
general such situations can't really be solved unless all mails are scanned
extensively, and / or the people are educated enough so that they never
should run executables received from mail (it's actually quite simple to
me). The *real* IT department could then link to the executable and place
it on an intranet server which would be secure.

/Steffen

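As an added example (not code from the thread or from any product mentioned in it), here is the gateway policy joe recommends above in Python: every attachment whose extension is not on a company-defined list is stripped, and, going one step beyond his post, zip archives that are on the list are opened so that entries which are password protected (the "password is in the mail" lure he describes) or carry a Windows-executable extension are rejected too. The `.corpdoc` extension, the example.com addresses and the sample message are constructed for this demo and are not from the thread.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical company-internal extension that marks a deliberately sent
# attachment (an assumption for this example; the thread names no real one).
INTERNAL_EXTS = {".corpdoc"}

# Extensions Windows runs directly; used only when looking inside zip archives
# (this inspection is an addition to the allowlist policy from the thread).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def _ext(name):
    """Lower-cased extension including the dot, or '' when there is none."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def zip_problems(data):
    """Reasons a zip attachment should be stripped; an empty list means clean."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # General-purpose flag bit 0 set means the entry is encrypted,
                # i.e. a password-protected archive.
                if info.flag_bits & 0x1:
                    reasons.append(f"encrypted entry {info.filename}")
                if _ext(info.filename) in EXEC_EXTS:
                    reasons.append(f"executable entry {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("not a valid zip archive")
    return reasons


def attachment_verdict(filename, data, allowed_exts):
    """Return None to keep the attachment, otherwise the reason to strip it."""
    ext = _ext(filename)
    if ext not in allowed_exts:
        return f"extension {ext or '(none)'} not on internal allowlist"
    if ext == ".zip":
        problems = zip_problems(data)
        if problems:
            return "; ".join(problems)
    return None


def _prune(part, allowed_exts, stripped):
    """Recursively drop disallowed attachments from a multipart message."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        filename = sub.get_filename()
        if filename is None:  # body text or a nested multipart container
            _prune(sub, allowed_exts, stripped)
            kept.append(sub)
            continue
        reason = attachment_verdict(filename, sub.get_payload(decode=True), allowed_exts)
        if reason is None:
            kept.append(sub)
        else:
            stripped.append((filename, reason))
    part.set_payload(kept)


def filter_message(raw_bytes, allowed_exts=frozenset(INTERNAL_EXTS)):
    """Parse a raw RFC 822 message, strip disallowed attachments and return
    (cleaned_message, [(filename, reason), ...])."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    stripped = []
    _prune(msg, allowed_exts, stripped)
    return msg, stripped


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed sample mail mimicking the 'from the IT dept' lure in the thread."""
    msg = EmailMessage()
    msg["From"] = "it-dept@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Mandatory security update"
    msg.set_content("Please run the attached update. The archive password is 12345.")
    msg.add_attachment(b"quarterly figures", maintype="application",
                       subtype="octet-stream", filename="report.corpdoc")
    msg.add_attachment(make_zip({"patch.exe": b"MZ fake"}), maintype="application",
                       subtype="zip", filename="update.zip")
    msg.add_attachment(make_zip({"notes.txt": b"release notes"}), maintype="application",
                       subtype="zip", filename="archive.zip")
    msg.add_attachment(b"\xff\xd8\xff", maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


def remaining_attachments(msg):
    """Filenames of the attachments still present after filtering."""
    return [p.get_filename() for p in msg.iter_attachments()]


if __name__ == "__main__":
    cleaned, stripped = filter_message(build_sample_message(), {".corpdoc", ".zip"})
    for name, reason in stripped:
        print(f"stripped {name}: {reason}")
    print("kept:", remaining_attachments(cleaned))
```

With the strict default allowlist (only `.corpdoc`) every zip is stripped, which is the blunt policy joe proposes; adding `.zip` to the list shows what the archive inspection buys. The filter is meant to run on the mail gateway, before delivery, and it deliberately does not recurse into archives nested inside archives or into other container formats, so it remains the "crutch" joe calls it rather than a substitute for scanning.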

DAN MORRILL
<dan_20407[ at ]msn.com> to ssch, mvp, full-disclosure
Jun 17 (2 days ago)
You make anti virus software sound like a gun lock on a 9mm.

Does it really matter who is in the anti-virus market? If Microsoft goes
that way, and they have the best knowledge of what they created, what we can
reasonably expect to see in the words of Bill Gates "Innovation, with rich
user features, deeply embedded in our software".

So, we can have an AV product that does great things, but maybe only 2% of
it will be used, and because it is a Microsoft product, we can expect
patches every month, with known and unknown vulnerabilities from day one.

LOL!
r/
Dan



Steffen Schumacher
<ssch[ at ]wheel.dk> to joe, full-disclosure
Jun 17 (2 days ago)
On 17.06.2004 11:51:46 +0000, joe wrote:
> However the worms would be blocked if people had patched their machine or
> otherwise properly administrated the machines they were responsible for. All
> of the worms that I think you are probably referring to had patches well
> in advance of the worm that impacted it: Blaster, Slammer, Sasser, etc.
>

Agreed.
I'm not saying that MS doesn't provide patches - they do.
I simply think that the amount of bugs in MS' OS' is too great.
If you install Windows and attempt to either patch it or install a firewall
afterwards while on the live internet, your chances of getting infected
are quite high. The time it takes to install patches or a firewall may in
some situations be longer than it would take for a user to get infected.

I picture it a bit like a paratrooper who has no means of defense until
he lands and can take cover.
Other OS' like FreeBSD take a different approach. All non vital services are
disabled until the user explicitly installs or enables them.

Microsoft's products should provide the means to a secure patch before risky
services like DCOM are enabled.
This should in fact be the case every time an MS PC starts up.
Otherwise a PC which has been offline for a period may become infected while
patching.

But ultimately MS have to catch more of their serious bugs before releasing
their software. Consider how many resources that are spent on patching.
Could they have been spent revising code in stead?
I wonder what the average load on the windows update server park is...


> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they don't
> isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
> of that they should be patching when necessary.
>
> Corporate users shouldn't have been impacted either and were only because
> the IT department didn't keep the machines patched properly. Too many
> companies run on a deploy and forget strategy, this doesn't work for any OS
> be it Windows, *nix, or IOS. I am not saying keeping them patched is an easy
> task, I managed 400 servers in a Fortune 5 company that were distributed
> around the world. None of them ran antivirus, none of them got infected by
> either viruses or worms, none of them allowed any but only a small number
> of people to have admin rights to do harm to them. When a patch came out
> that affected those servers, it was on the machines in a rather quick
> fashion, generally within 72 hours depending on testing times.
>
>
> Thinking that there will never be code patches required isn't realistic. It
> is humans writing the code and even the humans writing the other OSes make
> mistakes and need to release patches. If the people who manage the machines
> don't take the time to apply the patches then the issue isn't an MS issue,
> it is an admin issue.
>
I know. I just want fewer. When you sell these amounts of functionality
which is reused in multiple future software, then one should *REALLY* test
it better, or lower the prices.

>
>
> > The *real* IT department could then link to the
> > executable and place it on an intranet server
> > which would be secure.
>
> This is an interesting idea but I can't see how one could do it in a
> feasible manner in a large company that is receiving hundreds of thousands
> of emails from the outside a day. Also you would have to watch for internal
> emails and attachments as well because you could get an infected machine on
> the inside. Now in large companies you are up to millions of emails.
>
> My recommendation to the email manager at the time of the last major
> outbreak where they started just stripping all ZIPs from emails was that they
> strip ALL attachments that didn't have a specific internally defined
> extension on them, that way they knew it was a purposeful thing that that
> attachment was there. The extension would be something specific to a company
> and people involved know that extension. Obviously this is just a crutch to
> block the issue with well known executable file extensions.
>
> The file associations are a tough thing to repeal since they are so deeply
> embedded in how things are done on Windows and people have gotten so used to
> them; it made life easier for a majority of the users and was a great idea
> at the time. Now however, if you, for instance, removed the DOC extension
> from the file associations half the corporate Windows Admins out there would
> be at a complete loss as to why Word wasn't working... Those bad Windows
> Admins are partially MS's fault, but mostly the fault of companies who look
> for cheap admins versus good admins.
>
> joe
>
>
> -----Original Message-----
> From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
> Sent: Thursday, June 17, 2004 10:43 AM
> To: joe
> Cc: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
>
>
> While I have no numbers to back this up, I do think that worms are far worse
> when it comes to the extent to which viruses spread, and speed.
> It is my belief that most worms are based upon MS exploits, rather than
> social engineering.
>
> It is my belief that we will simply have to wait until MS cleans up their
> act, which they should be doing, before the world becomes a better place to
> live.
>
> I realize that this doesn't clear situations like the one above, but in
> general such situations can't really be solved unless all mails are scanned
> extensively, and / or the people are educated enough so that they never
> should run executables received from mail (it's actually quite simple to
> me). The *real* IT department could then link to the executable and place
> it on an intranet server which would be secure.
>
> /Steffen
>
>
>
>

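joe's suggestion, quoted in the message above, is a mail-gateway policy: strip every attachment whose filename does not end in one specific, internally defined extension, so that any attachment that gets through is there on purpose. The following is an added example of that policy (not code from the thread or from any of the posters), built on the Python standard library's `email` package. The allowlist, the `.acme` extension and the sample message are constructed for the example; the interesting part is the normalisation of the filename, which handles the cases a naive `endswith` check gets wrong: double extensions such as `Invoice.DOC.exe`, mixed case, trailing dots or spaces, and attachments with no filename at all.

```python
"""Attachment allowlist filter in the style joe describes (added example)."""
from typing import List, Optional, Tuple

from email.message import EmailMessage

# Constructed allowlist: ".acme" stands in for the "specific internally
# defined extension"; ".txt" is included only to show the list can hold
# more than one entry. Everything else is stripped, whatever its type.
INTERNAL_EXTENSIONS = frozenset({".acme", ".txt"})


def normalized_extension(filename: str) -> str:
    """Return the LAST extension of filename, lower-cased.

    Trailing dots and spaces are removed first because Windows ignores them
    when resolving file associations, so "report.exe. " still runs as .exe.
    A name with no dot yields "" (an empty extension).
    """
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def is_allowed(filename: Optional[str]) -> bool:
    """An attachment is kept only if its final extension is on the allowlist.

    Parts without any filename cannot be shown to be intentional, so they
    are dropped rather than passed through.
    """
    if not filename:
        return False
    return normalized_extension(filename) in INTERNAL_EXTENSIONS


def filter_message(msg: EmailMessage) -> Tuple[EmailMessage, List[str]]:
    """Rebuild msg keeping only allowed attachments.

    Returns the filtered message and the names of the attachments dropped,
    so the gateway can log (or notify the sender about) what was removed.
    """
    kept = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header] is not None:
            kept[header] = msg[header]

    body = msg.get_body(preferencelist=("plain",))
    kept.set_content(body.get_content() if body is not None else "")

    dropped: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if is_allowed(name):
            kept.add_attachment(
                part.get_payload(decode=True),
                maintype=part.get_content_maintype(),
                subtype=part.get_content_subtype(),
                filename=name,
            )
        else:
            dropped.append(name or "<unnamed>")
    return kept, dropped


def build_sample() -> EmailMessage:
    """Constructed test message: two legitimate and two disallowed attachments."""
    msg = EmailMessage()
    msg["From"] = "alice@example.internal"  # constructed addresses
    msg["To"] = "bob@example.internal"
    msg["Subject"] = "Q2 numbers"
    msg.set_content("See attached.")
    msg.add_attachment(b"quarterly figures", maintype="application",
                       subtype="octet-stream", filename="q2.acme")
    # Double extension: the visible ".DOC" is a decoy, the real type is .exe.
    msg.add_attachment(b"not really a program", maintype="application",
                       subtype="octet-stream", filename="Invoice.DOC.exe")
    msg.add_attachment(b"meeting notes", maintype="text",
                       subtype="plain", filename="notes.TXT")
    msg.add_attachment(b"archive bytes", maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg


if __name__ == "__main__":
    filtered, removed = filter_message(build_sample())
    print("kept:", [p.get_filename() for p in filtered.iter_attachments()])
    print("dropped:", removed)
```

The filter is an allowlist, not a blocklist: it does not try to enumerate dangerous extensions (joe's point that it is "just a crutch" for the well-known executable extensions still applies to a blocklist, and the allowlist sidesteps that). The cost is the one he also names: every legitimate attachment must be renamed to the internal extension before it is sent, which is only workable where the sender population is known.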


Joshua Levitsky
<jlevitsk[ at ]joshie.com> to full-disclosure
Jun 17 (2 days ago)
----- Original Message -----
From: "DAN MORRILL" <dan_20407[ at ]msn.com>
Sent: Thursday, June 17, 2004 11:51 AM
Subject: Re: [Full-Disclosure] MS Anti Virus?

> You make anti virus software sound like a gun lock on a 9MM.
>
> Does it really matter who is in the anti-virus market? If Microsoft goes
> that way, and they have the best knowledge of what they created, what we
> can reasonably expect to see in the words of Bill Gates "Innovation, with
> rich user features, deeply embedded in our software".

Wonder if Microsoft will give their new AV product the same crappy treatment
they gave their past AV product...

http://home.pmt.org/~drose/aw-win3x-31.html

Perhaps they will release it during XP SP2 and then kill it just in time for
Longhorn. Anyone that puts any faith in this new AV from Microsoft is a
fool.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]


valdis.kletnieks[ at ]vt.edu
to Andre, full-disclosure
Jun 17 (2 days ago)
On Wed, 16 Jun 2004 15:53:45 PDT, Andre Ludwig <andre.ludwig[ at ]gmail.com> said:

> Asked if that would hurt sales of competing products, such as Network
> Associates' McAfee and Symantec's Norton family of products, Nash said
> that Microsoft said that it would sell its anti-virus program as a
> separate product from Windows, rather than including it in Windows.

<paranoia mode=full>

I can see it now - there's an undocumented API (Gasp! Shock!) in Windows, which
interfaces from Windows to MS/AV. The gotcha is that the next service pack or
hotfix from MS doesn't actually fix the problem - it's merely a data file that
Windows pipes out the API to MS/AV saying "Here's the hole, guard against
it..."

Then the ad campaign would start: "MS/AV catches 100% of the known security
issues, while Symantec and McAfee only catch 75%...."

<paranoia mode=normal>

Naah.. They'd never use an undocumented API to benefit their product at the
expense of the competition, would they? ;)




joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 17 (2 days ago)
I think you will be pleasantly surprised by XP SP2 and XP Reloaded and
Windows Server R2. They are listening and they are correcting.

On the services running by default front, MS has finally come around that
corner, if you have installed 2K3 you will note a large reduction in what is
installed by default, that trend will continue.

In terms of the check for patches prior to starting business, that may be a
little too intrusive, at least in my opinion. However if the folks are
running the firewall it shouldn't be an issue. I am especially thinking with
Reloaded and R2 here.

Also if you can chase down the PPTs from the Spring D.E.C. conference held
in Washington D.C. you can see some of the future thinking stuff in terms of
Federation and identity based firewall access to make it easier for home
users to use firewalls and still be able to do what they want to do.

You will note that the number of bugs, at least security-related ones, is
going down in the newer version. Most of the issues you see are issues that are
legacy that have "always" been in the product and are being found now and
removed. I.E. It is more likely you will see a bug/hole that affects NT3/4,
2K, XP, and 2K3 versus just 2K3 or XP.

Check out the scope of the various fixes, does the fix go all the way back
to NT4 or later? Most certainly that is code that hasn't been written
recently and you are pointing out things from the past that they are working
on correcting already. It would literally be impossible to go back through
all of the old code and find all of the bad things. Even for this august
body of admins, developers, security folks. Look at BSD and Linux, if being
open to everyone was the answer you wouldn't still be seeing bugs/holes
discovered in the *nixs that have been there for some time and many
revisions, you would only supposedly have new bugs in the latest revisions.

One of Microsoft's biggest strengths and issues has been their support of
legacy apps, systems. They don't want people to break and contrary to
popular opinion do spend a considerable amount of time and effort working to
make it so legacy third party stuff doesn't break on the new stuff even if
the reason for the break is bad coding/processes on the part of the vendor.
An example would be what they did for SimCity back in the day, it used
memory incorrectly so MS actually put a special check into the allocator to
protect against that bad use. Note the difference in a company that doesn't
really do that... Apple. Most old stuff will not run on new Apples but you
will find many apps that run on MS-DOS that can still be run on the latest
versions of Windows. I have a couple of programs I wrote in the early 80s
for machine shops that still run fine today, they haven't seen a compiler
since 1987 or so. Actually I just saw the other day a great article on this
but I can't find the link at the moment. The person, however, was
highlighting/complaining about MS's recent swing away from worrying about
legacy as much.

I am not really sure where I stand with the break with legacy argument. On
the plus side it would be nice because they can stop putting in all of the
overhead to support old junk and maybe get rid of a lot of bugs that have
always existed in that code that haven't been exposed. Doing that might
possibly shut up a bunch of the anti-MS camp. However, that would break a
bunch of things and then other anti-MS people would start whining about that
and how MS doesn't care about its users so it isn't even close to a win-win
situation.

If you have an XP machine lying about and haven't played with the XP SP2
Release Candidate, I highly recommend it. If anything, it gives you an idea
of where MS is currently going. Also check out 2K3.

http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx


joe


Alfie
<alfie[ at ]leaflock.homeip.net> to full-disclosure
Jun 17 (2 days ago)
On Thu, Jun 17, 2004 at 10:11:26AM -0700, Eric Paynter wrote:
> On Thu, June 17, 2004 8:51 am, DAN MORRILL said:
> > Does it really matter who is in the anti-virus market? If Microsoft goes
> > that way, and they have the best knowledge of what they created...
>
> (puts on tinfoil hat)
>
> From a paranoid point of view, "best knowledge of what they created" is a
> little scary. With MS in the virus prevention market, and with their
> history of unethical anti-competitive behaviour... I'd bet they'd always
> be the first to recognize a new virus. How? Because they could build in
> the vulnerability and create the virus and the signature in the AV all at
> the same time. Then anybody who has MSAV is unaffected, while the *real*
> AV companies are always one step behind... Zero day viruses already
> detected by MSAV - MS are Gods! How did they know? The other vendors lose
> market share because they suck compared to MS... Eventually, MS owns the
> AV market, the competition declares bankruptcy, and we have no choice in
> what AV tool to use.
>
> (takes off tinfoil hat)
>
> OK, it seems paranoid. And if they were found out, it would mean (several
> more) years in anti-trust court. But when has that stopped MS before?
> [...]

Recently, an audio tape was released of Enron employees frankly
talking about stealing millions of dollars per day from the
people of California.

http://www.cbsnews.com/stories/2004/06/01/eveningnews/main620626.shtml

So, if there was any doubt before whether a large corporation can
brazenly gouge customers, I think it's safe to say that such
behavior is quite possible.


--
"There isn't enough darkness in the world to douse the light of a single
candle."


Eric Paynter
<eric[ at ]arcticbears.com> to full-disclosure
Jun 17 (2 days ago)
On Thu, June 17, 2004 8:51 am, DAN MORRILL said:
> Does it really matter who is in the anti-virus market? If Microsoft goes
> that way, and they have the best knowledge of what they created...

(puts on tinfoil hat)

From a paranoid point of view, "best knowledge of what they created" is a
little scary. With MS in the virus prevention market, and with their
history of unethical anti-competitive behaviour... I'd bet they'd always
be the first to recognize a new virus. How? Because they could build in
the vulnerability and create the virus and the signature in the AV all at
the same time. Then anybody who has MSAV is unaffected, while the *real*
AV companies are always one step behind... Zero day viruses already
detected by MSAV - MS are Gods! How did they know? The other vendors lose
market share because they suck compared to MS... Eventually, MS owns the
AV market, the competition declares bankruptcy, and we have no choice in
what AV tool to use.

(takes off tinfoil hat)

OK, it seems paranoid. And if they were found out, it would mean (several
more) years in anti-trust court. But when has that stopped MS before?
Haven't there already been dozens of lawsuits that MS has lost for using
their monopoly status to squash competition? Isn't it their MO to enter a
market and completely take it over by *seeming* to be the best? (seeming
-they became best by using their exclusive control of the OS to break the
competition, not by doing a better job than the competition.)

I think there is a serious conflict of interest here. It may leave us with
little choice in the AV market. And that may have serious long term
security implications.

Too bad there is nothing anybody can do about it.

-Eric


Gregory A. Gilliss
<ggilliss[ at ]netpublishing.com> to full-disclosure
Jun 17 (2 days ago)
Dan et al:

You are missing the point here. While it matters little *who* is in the A/V
market, it matters very much when one player is Microsoft, because the M$
business model (according to them and to the US DOJ) is to enter a market,
undercut the market, co-opt the market, drive out the competition, and
move on to the next market (not unlike a virus, as told by Agent Smith).
So if M$ enters the A/V market and "bundles" their solution with Windows
whatever, they likely will drive Symantec and McAfee out of the market
over time by co-opting the A/V subscription market.

The security ramifications of a M$ only A/V marketplace relate to Dan Geer's
monoculture argument (already well discussed here) and also a conflict of
interest (since M$ products account for a majority of the A/V infections).
Can we "trust" an A/V solution from M$ that addresses virus infections of
M$ products? And if M$ controls both the virus host and the A/V inoculation,
does that not create a potential area of abuse - no license/upgrade/whatever,
no A/V subscription/update/whatever?

As Reagan told Gorbachev, "Let me tell you why we do not trust you..."

G

On or about 2004.06.17 15:51:19 +0000, DAN MORRILL (dan_20407[ at ]msn.com) said:

> You make anti virus software sound like a gun lock on a 9MM.
>
> Does it really matter who is in the anti-virus market? If Microsoft goes
> that way, and they have the best knowledge of what they created, what we
> can reasonably expect to see in the words of Bill Gates "Innovation, with
> rich user features, deeply embedded in our software".
>
> So, we can have an AV product that does great things, but maybe only 2% of
> it will be used, and because it is a Microsoft product, we can expect
> patches every month, with known and unknown vulnerabilities from day one.

--
Gregory A. Gilliss, CISSP E-mail: greg[ at ]gilliss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Nick FitzGerald
<nick[ at ]virus-l.demon.co.uk> to full-disclosure
Jun 17 (2 days ago)
Valdis.Kletnieks[ at ]vt.edu wrote:

> Naah.. They'd never use an undocumented API to benefit their product at the
> expense of the competition, would they? ;)

In this case, no.

Given that a lot of AV technical work is reverse engineering and that
most of the best AV reversers are not among those MS "acquired" from
RAV or who have joined MS from other AV developers subsequently (not
that they haven't got some very good reversers, just there are still an
awful lot of them elsewhere), I doubt even MS is stupid enough to
consider trying something like this.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Pavel Kankovsky
<peak[ at ]argo.troja.mff.cuni.cz> to full-disclosure
Jun 17 (2 days ago)
On Thu, 17 Jun 2004, joe wrote:

> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they don't
> isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
> of that they should be patching when necessary.

But it is their fault they release an OS with ~5 hard-to-deactivate plus ~5
almost-impossible-to-deactivate dangerous but mostly useless (*) network
services enabled by default that is guaranteed to be owned within 10
minutes after you plug it into the network unless you 1. install extra
firewalling software, or (assuming you got the version with a builtin
packet filter) 2. smoke enough grass to be able to grok their own
configuration dialog windows (**).

Indeed other vendors made the same stupid mistake in the past (and some
of them insist on repeating it).

(*) Who needs network accessible MS RPC services on a home PC?

(**) I admit I am talking about the Czech version. Maybe the English
version, not affected by the "creativity" of any localization team, is
somewhat more understandable.


--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


Dan B. Mann
<dbm[ at ]wkkf.org> to Steffen, full-disclosure
Jun 17 (2 days ago)


From my perspective, a place that MS needs to also focus on is the
patch scanning technology. SMS, WindowsUpdate, MBSA, all can give
different, confusing results even when scanning the same machine!
Please, give me a scanner that covers all of your internal products, and
gives reliable results. Having one tool contradict another ends up
creating a mess, and it is frightening. It's not fun to try and track
down a bunch of machines on a weekly basis to really find out whether
they are patched or not.

Does Microsoft read this list?

I will give kudos to Microsoft for making an effort to IMPROVE themselves
regarding security though.

Dan


Steffen Schumacher
<ssch[ at ]wheel.dk> to joe, full-disclosure
Jun 17 (2 days ago)

I also agree that MS *is* turning their gigantic boat around with regards
to security. I have yet to see all the new stuff in detail, but what I've
heard, I've liked!

In my line of work (ISP) it will be greatly welcomed to have more OSes less
prone to become infected by worms, as it allows for things such as DDoS to
be quite an easy task to perform.

My only fear, is that it may take some time to get there.. ;o)

/Steffen
> situation.
>
>
> If you have an XP machine lying about and haven't played with the XP SP2
> Release Candidate, I highly recommend it. If anything, it gives you an idea
> of where MS is currently going. Also check out 2K3.
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx
>
>
>
> joe
>
>
>
> -----Original Message-----
> From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
> Sent: Thursday, June 17, 2004 12:51 PM
> To: joe
> Cc: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
>
> On 17.06.2004 11:51:46 +0000, joe wrote:
> > However the worms would be blocked if people had patched their machine
> > or otherwise properly administrated the machines they were responsible
> > for. All of the worms that I think you are probably referring to all
> > had patches well in advance of the worm that impacted it, blaster,
> > slammer, sasser, etc.
> >
>
> Agreed.
> I'm not saying that MS doesn't provide patches - they do.
> I simply think that the amount of bugs in MS' OS' is too great.
> If you install windows and attempt to either patch it or install firewall
> afterwards while on the live internet - Your chances of getting infected are
> quite high. The time it takes to install patches or a firewall may in some
> situations be longer than it would take for a user to get infected.
>
> I picture it a bit like a paratrooper who has no means of defense until
> he lands and can take cover.
> Other OS' like FreeBSD take a different approach. All non vital services are
> disabled until the user explicitly installs or enables them.
>
> Microsoft's products should provide the means to a secure patch before risky
> services like DCOM are enabled.
> This should in fact be the case every time a MS pc starts up.
> Otherwise a pc which has been offline for a period may become infected while
> patching.
>
> But ultimately MS have to catch more of their serious bugs before releasing
> their software. Consider how many resources that are spent on patching.
> Could they have been spent revising code instead?
> I wonder what the average load on the windows update server park is...
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Ron DuFresne
to Gregory, full-disclosure
Jun 17 (2 days ago)

They did this years back in the 90's anyone remember pctools, and their
offerings? Guess what was bundled under DOS 6.2, might have gone back to
DOS 6.0, but, pctools is no longer in the market...and was the norton
counterpart/competition at the time...so, this would be a reentry...

Thanks,

Ron DuFresne


On Thu, 17 Jun 2004, Gregory A. Gilliss wrote:

> Dan et al:
>
> You are missing the point here. While it matters little *who* is in the A/V
> market, it matters very much when one player is Microsoft, because the M$
> business model (according to them and to the US DOJ) is to enter a market,
> undercut the market, co-opt the market, drive out the competition, and
> move on to the next market (not unlike a virus, as told by Agent Smith).
> So if M$ enters the A/V market and "bundles" their solution with Windows
> whatever, they likely will drive Symantec and McAfee out of the market
> over time by co-opting the A/V subscription market.
>
> The security ramifications of a M$ only A/V marketplace relate to Dan Geer's
> monoculture argument (already well discussed here) and also a conflict of
> interest (since M$ products account for a majority of the A/V infections).
> Can we "trust" an A/V solution from M$ that addresses virus infections of
> M$ products? And if M$ controls both the virus host and the A/V inoculation,
> does that not create a potential area of abuse - no license/upgrade/whatever,
> no A/V subscription/update/whatever?
>
> As Reagan told Gorbachev, "Let me tell you why we do not trust you..."
>
> G
>
> On or about 2004.06.17 15:51:19 +0000, DAN MORRILL (dan_20407[ at ]msn.com) said:
>
> > You make anti virus software sound like a gun lock on a 9MM.
> >
> > Does it really matter who is in the anti-virus market? If Microsoft goes
> > that way, and they have the best knowledge of what they created, what we
> > can reasonably expect to see in the words of Bill Gates "Innovation, with
> > rich user features, deeply embedded in our software".
> >
> > So, we can have an AV product that does great things, but maybe only 2% of
> > it will be used, and because it is a microsoft product, we can expect
> > patches every month, with known and unknown vulnerabilities from day one.
>
> --
> Gregory A. Gilliss, CISSP E-mail: greg[ at ]gilliss.com
> Computer Security WWW: http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.


valdis.kletnieks[ at ]vt.edu
to nick, full-disclosure
Jun 17 (2 days ago)
On Fri, 18 Jun 2004 06:30:55 +1200, Nick FitzGerald <nick[ at ]virus-l.demon.co.uk> said:
> Valdis.Kletnieks[ at ]vt.edu wrote:
>
> > Naah.. They'd never use an undocumented API to benefit their product at the
> > expense of the competition, would they? ;)
>
> In this case, no.
>
> Given that a lot of AV technical work is reverse engineering and that
> most of the best AV reversers are not among those MS "acquired" from
> RAV or who have joined MS from other AV developers subsequently (not
> that they haven't got some very good reversers, just there are still an
> awful lot of them elsewhere), I doubt even MS is stupid enough to
> consider trying something like this.

You're forgetting that in this case, technical excellence falls behind marketing
and treachery in importance....

You don't think that the MS reverse engineers couldn't do better, if they had
an API that would tell them the exact footprints associated with a known
vulnerability? :)

Remember that the BugBear virus used an undocumented API to snarf
all the passwords: http://www.extremetech.com/article2/0,3973,582176,00.asp

You really expect us to believe that the M$ AV team won't leverage off the
fact that they could know about that API, and all the others in Windows?

Now consider all the cases where Microsoft has shipped a half-working patch
that closes some cases but not others - could that be a case of "we intentionally
shipped half the patch because we're going to let our AV software in on the secret
sauce so it can install the OTHER half of the patch"? :)



Ron DuFresne
to Dan, Steffen, full-disclosure
Jun 17 (2 days ago)
On Thu, 17 Jun 2004, Dan B. Mann wrote:

>
>
> From my perspective, a place that MS needs to also focus on is the
> patch scanning technology. SMS, WindowsUpdate, MBSA, all can give
> different, confusing results even when scanning the same machine!
> Please, give me a scanner that covers all of your internal products, and
> gives reliable results. Having one tool contradict another ends up
> creating a mess, and it is frightening. It's not fun to try and track
> down a bunch of machines on a weekly basis to really find out whether
> they are patched or not.
>
> Does Microsoft read this list?

I believe that if it's not in VB script, then it's inedible to M$
personnel.

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.



valdis.kletnieks[ at ]vt.edu
to bugs, nick, full-disclosure
Jun 17 (2 days ago)
On Thu, 17 Jun 2004 17:37:11 EDT, Mohit Muthanna said:
> > You really expect us to believe that the M$ AV team won't leverage off the
> > fact that they could know about that API, and all the others in Windows?
>
> in addition, given that they have the sources to their own OS, i doubt
> they really have to do much manual reversing... i'm sure the debugging
> tools they have developed over the years would quite easily aid them
> in determining precisely what the viruses do and how they do it.

No... you're still not getting it. There's no reverse engineering involved. ;)

Let's pop over to http://www.eeye.com/html/research/upcoming/index.html

Hey look.. http://www.eeye.com/html/research/upcoming/20031007.html is
194 days overdue.. Now, your AV software doesn't have to have *ANY*
reverse engineering for the virus if the operating system and/or AV updates
is whispering in its ear "Anything that does *this* is malware exploiting 20031007".

And at that point, there's no reason to actually ship a *patch*, you just ship
a data file that tells *your* AV that "20031007 exploits look like this" - at which
point you can presumably trap 100% of exploits, and the competition has to
reverse engineer each one... ;)

"Systems protected with M$ AV were 100% safe, while 30% of Brand X users
got whacked while their teams were busy reverse engineering"... Hard to argue
with THAT sales pitch.. ;)



Poof
<poof[ at ]fansubber.com> to Gregory, full-disclosure
Jun 17 (2 days ago)
Gregory:

According to Microsoft they are making their A/V a separate product. So
it'll be sold much like Microsoft Money is.

~

> So if M$ enters the A/V market and "bundles" their solution with Windows
> whatever, they likely will drive Symantec and McAfee out of the market
> over time by co-opting the A/V subscription market.



rob[ at ]comcast.net
to full-disclosure
Jun 17 (2 days ago)
On Thu, Jun 17, 2004 at 11:51:46AM -0400, joe wrote:
> However the worms would be blocked if people had patched their machine or
> otherwise properly administrated the machines they were responsible for. All
> of the worms that I think you are probably referring to all had patches well
> in advance of the worm that impacted it, blaster, slammer, sasser, etc.
>
> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they don't
> isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
> of that they should be patching when necessary.
[snip]
> Thinking that there will never be code patches required isn't realistic.
[snip]

Can you explain how it's realistic to expect the millions of home
Windows users out there now to know how to properly administrate
their systems?

If anything that's been discussed here so far is unrealistic, that
must top the list. They're only starting to get the message that
patching is necessary. Very arguably, Microsoft helped create this
culture of technically inept users who view the computer like any
other household appliance. And now what? It plans to force-feed
basic computer security training and earthshaking updates down the
throats of the same users to whom it's been spoon-feeding
computing-through-ignorance babyfood for years and years?

You say "the worms would be blocked if users would..." I say the
worms wouldn't exist in the first place if Microsoft had written
their software securely. It's easy for both of us to say, but which
is easier to actually *do*? Microsoft has little control over what
end users do, but it has complete control over the design, quality,
and configuration of the software it ships. With the resources and
market share they have, they ought to be leading the industry.
Instead, they are the armpit of the industry.

Folks who have been paying attention o'er the years know the same
lies, half-truths, and PR maneuvering they hear today that they
heard back then. "It'll be fixed in the next version", eh? You'll
have to pardon me if I don't shit myself repeatedly in fits of
white-knuckle anticipation of the next version.

---


Mohit Muthanna
<mohit.muthanna[ at ]gmail.com> to valdis.kletnie., nick, full-disclosure
Jun 17 (2 days ago)
> You really expect us to believe that the M$ AV team won't leverage off the
> fact that they could know about that API, and all the others in Windows?

in addition, given that they have the sources to their own OS, i doubt
they really have to do much manual reversing... i'm sure the debugging
tools they have developed over the years would quite easily aid them
in determining precisely what the viruses do and how they do it.

Mohit.


Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."


Aditya, ALD [ Aditya Lalit Deshmukh ]
<aditya.deshmukh[ at ]online.gateway.technolabs.net> to joe, full-disclosure
Jun 18 (1 day ago)
> it is an admin issue.

that is very true, like the programmers have become code monkeys, sysadmins & netadmins have become patch monkeys

>
>
> > The *real* IT department could then link to the
> > executeable and place it on an intranet server
> > which would be secure.
>
> This is an interesting idea but I can't see how one could do it in a

how about only doing so with the files that are zip encrypted - unencrypted attachments are scanned and passed along, zipped ones are unzipped and scanned but the ones that cannot be unzipped are the ones that go as a link to the user. how does one then deal with other compression formats like ace, rar, lha, arj etc etc ?

-aditya


Eric Paynter
<eric[ at ]arcticbears.com> to full-disclosure
Jun 18 (1 day ago)
On Fri, June 18, 2004 1:34 am, Aditya, ALD [ Aditya Lalit Deshmukh ] said:
> how does then one deal with other compression formats
> like ace, rar, lha, arj etc etc ?

Why not exactly the same as zip?

-Eric

--
arctic bears - affordable email and name services [ at ]yourdomain.com
http://www.arcticbears.com
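Aditya's routing rule above (unencrypted attachments scanned, zips unpacked and scanned, archives that cannot be opened delivered as a link) and Eric's answer that the other formats get the same treatment, as an added example that is neither poster's code. It assumes a gateway that can open zip but has no unpacker for rar, ace, lha or arj, and uses a constructed sample zip whose header flags are patched to look encrypted.

```python
"""Attachment routing for a mail gateway.

Routes: "scan" (plain file, hand to the AV scanner), "unpack_and_scan"
(archive the gateway can open, unpack then scan), "link" (archive the
gateway cannot open, e.g. password-protected; deliver a link instead).
"""
import io
import struct
import zipfile

# Signatures of the archive formats named in the thread: (format, offset, magic).
# Constructed table; zip/rar/arj carry their magic at offset 0, ace at 7, lha at 2.
ARCHIVE_SIGNATURES = (
    ("zip", 0, b"PK\x03\x04"),
    ("rar", 0, b"Rar!\x1a\x07"),
    ("arj", 0, b"\x60\xea"),
    ("ace", 7, b"**ACE**"),
    ("lha", 2, b"-lh"),
)

ZIP_FLAG_ENCRYPTED = 0x0001  # general purpose bit 0 in PKZIP headers


def archive_format(data: bytes):
    """Return the archive format name, or None for a non-archive attachment."""
    for name, offset, magic in ARCHIVE_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def zip_is_openable(data: bytes) -> bool:
    """True only if the zip parses and no member is flagged as encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return not any(info.flag_bits & ZIP_FLAG_ENCRYPTED
                           for info in zf.infolist())
    except (zipfile.BadZipFile, RuntimeError, ValueError):
        return False


def route_attachment(data: bytes, unpackers=frozenset({"zip"})) -> str:
    """Decide what the gateway does with one attachment body.

    `unpackers` lists the archive formats the gateway can open; any other
    archive gets the same treatment as an encrypted zip (delivered as a link).
    """
    fmt = archive_format(data)
    if fmt is None:
        return "scan"
    if fmt not in unpackers:
        return "link"
    if fmt == "zip" and not zip_is_openable(data):
        return "link"
    # For other formats the real unpacker runs downstream; if it cannot open
    # the file (wrong password, corrupt), the gateway falls back to "link".
    return "unpack_and_scan"


def make_plain_zip() -> bytes:
    """Constructed sample: an ordinary, unencrypted zip with one text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", "constructed sample text, not malware")
    return buf.getvalue()


def make_encrypted_zip() -> bytes:
    """Constructed sample: the plain zip with the 'encrypted' flag set in both
    the local and the central directory header. zipfile cannot write real
    encrypted archives, but the flag alone is what header-based detection sees."""
    data = bytearray(make_plain_zip())
    # local file header: signature(4) version(2) flags(2)  -> flags at offset 6
    struct.pack_into("<H", data, 6,
                     struct.unpack_from("<H", data, 6)[0] | ZIP_FLAG_ENCRYPTED)
    # central directory header: signature(4) made-by(2) needed(2) flags(2) -> +8
    cd = data.find(b"PK\x01\x02")
    struct.pack_into("<H", data, cd + 8,
                     struct.unpack_from("<H", data, cd + 8)[0] | ZIP_FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    samples = [
        ("plain text", b"Hello, this is a plain text attachment."),
        ("plain zip", make_plain_zip()),
        ("encrypted zip", make_encrypted_zip()),
        ("rar, no unpacker", b"Rar!\x1a\x07\x00" + b"\x00" * 8),
    ]
    for label, body in samples:
        print(f"{label:18} -> {route_attachment(body)}")
```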


joe
<mvp[ at ]joeware.net> to Pavel, full-disclosure
Jun 18 (1 day ago)
1. See XP SP2
2. If you know the amount, possibly this could be part of your issue. :oP
[1]

[1] I wouldn't know Czech from Portuguese. You could give me a shampoo
bottle with instructions in Czech and I wouldn't know what to do with it,
heck I might not even know it was shampoo.


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Pavel Kankovsky
Sent: Thursday, June 17, 2004 2:31 PM
To: full-disclosure[ at ]lists.netsys.com
Subject: RE: [Full-Disclosure] MS Anti Virus?

On Thu, 17 Jun 2004, joe wrote:

> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they
> don't isn't MS's fault, however MS is stepping up with XP SP2 to help
> out. On top of that they should be patching when necessary.

But it is their fault they release an OS with ~5 hard-to-deactivate plus ~5
almost-impossible-to-deactivate dangerous but mostly useless (*) network
services enabled by default that is guaranteed to be owned within 10 minutes
after you plug it into the network unless you 1. install extra firewalling
software, or (assuming you got the version with a builtin packet filter) 2.
smoke enough grass to be able to grok their own configuration dialog windows
(**).

Indeed other vendors made the same stupid mistake in the past (and some of
them insist on repeating it).

(*) Who needs network accessible MS RPC services on a home PC?

(**) I admit I am talking about the Czech version. Maybe the English
version, not affected by the "creativity" of any localization team, is
somewhat more understandable.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 18 (1 day ago)
Can users hook themselves up to the internet? Last time I got a cable modem
hooked up I had to have some "technician" come into my home and spend a
couple of hours trying to figure out how to hook the thing up even though I
bought my own Cable MODEM and ran my own RG6 and had everything ready, just
needed an IP address. In fact I built a special PC with bare bones
configuration so the "technician" could monkey with that and not try to
figure out my LAN.

It was a nightmare, I would keep dropping hints and he wouldn't listen and
then a while later would be like, oh yeah, I have to do this, which would be
exactly what I hinted. The guy had no clue what he was really doing as he
was a wiring guy that had picked up an extra task. Had no clue what a patch
was let alone wondering if the PC was patched even though the little balloon
was sitting there saying there were updates to install. I think if I said
firewall he would have nightmares of running cable between a garage and a
house and properly repairing the hole he made in the garage firewall (fire
break) so that it was back up to building code...

So what I am saying is, I think the ISPs need to share some of the
responsibility of hooking people up safely, don't just plug them in. If they
already have to come into the home or at the very least you talk to them on
the phone, push firewalls and internet safety. The first time they come up
when they sign up, maybe scan them and see what is open and drop a friendly
hint, why I see that all of your ports are wide open and your PC named
EasyRider69 is fully visible to me... You might want to secure that.
Alternatively, have the ISP block all but say ports 25,80, and 110 by
default for every user and the user has to connect to a website of the ISP
and uncheck other ports they want opened up. That way it would take a
semi-educated user to actually use the service irregardless of the OS. If
that is too tough, set up a multiple VLAN configuration where by default the
user gets placed in babystep VLAN which only has a couple of basic ports and
they have to be requested to be put in the big person VLAN to get open
access.

Again however, MS is stepping up on this. Go look at XP SP2. It is a big
step in the direction to help users protect themselves. Of course of course,
they have always done bad things so they can't possibly do anything better
now. How thoughtless of me. Of course someone like yourself is so good at
coding you know that every piece of code you have ever written has been
perfect right off and no possible issues... Oh wait, you implying that means
you probably have never coded anything more complex than a basic tool if
that.

I agree that MS helped create the mass of inept users... However, I don't
see any OSes going out there creating knowledgeable users. In fact had MS
not done what it had done, I don't think we would be anywhere near where we
are right now for penetration of PCs in the home and lower costs associated
with that. I am just guessing but irregardless of what OS you are on now,
you most likely were running an MS OS at some point. Not many people start
on Mainframes and UNIX machines and went straight to non-MS offerings. Why?
Not much else existed in the home for some time. Probably the few
(relatively speaking) that can say they haven't ever run an MS OS are those
that started using computers in University and never left so always lived in
the UNIX world or Apple folks. If you had a PC at home and it wasn't an
Apple, the chances are good it had MS on it. This is slowly changing now
with the various *nix knockoffs such as BSD and Linux, but was the case for
a long time.

I look forward to BSD/Linux gathering steam and becoming better and better
and more and more accepted. For several reasons actually. First off, MS
always thrives when given good competition, it pushes itself to do better
and better which is good for computing in general because they have serious
cash to put into the endeavour, not many computing places now have
multi-billion dollar R&D budgets to make home computing better. Second off,
the Linux world will have to clean up, right now it is a bit chaotic with
all of the various vendors duking it out over who is better and you having
to be really sure of what you have before you install things. It reminds me
of earlier MS days with Win9x and NT and having to figure out what you had
so you knew what you could install. It is a pain in the butt when consulting
for large companies when they are trying to figure it out because not only
is it a case of figure out if you want Linux or Windows, it is which flavor
of Linux do you want. Just dilutes the whole thing. Yes yes choice is good
blah blah blah. Sometimes though in the committee driven worlds of corporate
America, a multitude of choices can be a bad thing.


> You'll have to pardon me if I don't shit myself
> repeatedly in fits of white-knuckle anticipation
> of the next version.

You sound like a jilted lover here. Not someone looking for the computing
world to get better.


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of rob[ at ]comcast.net
Sent: Thursday, June 17, 2004 5:42 PM
To: full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

On Thu, Jun 17, 2004 at 11:51:46AM -0400, joe wrote:
> However the worms would be blocked if people had patched their machine
> or otherwise properly administrated the machines they were responsible
> for. All of the worms that I think you are probably referring to all
> had patches well in advance of the worm that impacted it, blaster,
> slammer, sasser, etc.
>
> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they
> don't isn't MS's fault, however MS is stepping up with XP SP2 to help
> out. On top of that they should be patching when necessary.
[snip]
> Thinking that there will never be code patches required isn't realistic.
[snip]

Can you explain how it's realistic to expect the millions of home Windows
users out there now to know how to properly administrate their systems?

If anything that's been discussed here so far is unrealistic, that must top
the list. They're only starting to get the message that patching is
necessary. Very arguably, Microsoft helped create this culture of
technically inept users who view the computer like any other household
appliance. And now what? It plans to force-feed basic computer security
training and earthshaking updates down the throats of the same users to whom
it's been spoon-feeding computing-through-ignorance babyfood for years and
years?

You say "the worms would be blocked if users would..." I say the worms
wouldn't exist in the first place if Microsoft had written their software
securely. It's easy for both of us to say, but which is easier to actually
*do*? Microsoft has little control over what end users do, but it has
complete control over the design, quality, and configuration of the software
it ships. With the resources and market share they have, they ought to be
leading the industry.
Instead, they are the armpit of the industry.

Folks who have been paying attention o'er the years know the same lies,
half-truths, and PR maneuvering they hear today that they heard back then.
"It'll be fixed in the next version", eh? You'll have to pardon me if I
don't shit myself repeatedly in fits of white-knuckle anticipation of the
next version.

---



joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 18 (1 day ago)
I think you believe MS is going into the AV market because it wants to. I
don't think that is the case. In fact I think they would rather not be in
that market. I take as evidence the fact of going into that market once and
then dropping out of it. I also recall hearing the rumors that they bought
the AV company and started working on it because they wanted to give this AV
away for free with SP2 and then realized that they would be back in court
over it.

I believe MS is doing this strictly as a means to protect itself and
possibly help users at the same time. With luck as the OS features get
better and better the reasons for AV should hopefully reduce (but again I
doubt entirely dry up) thereby reducing the market that you think they are
going into to make cash on.

Since they will have to charge for it, I hope to see them do a small charge
once up front, and then free updates for the time frame you have the OS
loaded. A lot of folks lose their protection after the free update period
expires with the third party stuff. Many, myself included aren't willing to
pay monthly or yearly fees to AV companies.


> since M$ products account for a majority of the A/V infections

This is on par with saying most cars crashed are from GM without stating the
point that GM has the most cars on the road. You can say MS has the most
inept users, most inept admins, most viruses, most bugs, most lots of things
because they simply have the most period.

I was chatting with some friends the other day and the conversation turned
to the idea that had MS initially started with the implementation of fewest
services running as possible on their machines, we wouldn't know about a
great deal of the bugs/holes that were in there as they would still be
buried. Why? Because there would be no point in attacking the service if
only a small subset of people were running it. The bugs could sit in there
and live forever until someone accidentally stumbled on one. You wouldn't be
cool for finding a hole in say the messenger service if hardly anyone was
running it, people would simply say big deal, the press wouldn't be
reporting "Hole found in messenger service, thousands in danger of illicit
penetration!". As an aside, I think we would also have less penetration of
computers in general in the market place. Most people started using
computers in the home because they were easy to use and MS made it that way.


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Gregory A.
Gilliss
Sent: Thursday, June 17, 2004 2:03 PM
To: full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

Dan et al:

You are missing the point here. While it matters little *who* is in the A/V
market, it matters very much when one player is Microsoft, because the M$
business model (according to them and to the US DOJ) is to enter a market,
undercut the market, co-opt the market, drive out the competition, and move
on to the next market (not unlike a virus, as told by Agent Smith).
So if M$ enters the A/V market and "bundles" their solution with Windows
whatever, they likely will drive Symantec and McAfee out of the market over
time by co-opting the A/V subscription market.

The security ramifications of a M$ only A/V marketplace relate to Dan Geer's
monoculture argument (already well discussed here) and also a conflict of
interest (since M$ products account for a majority of the A/V infections).
Can we "trust" an A/V solution from M$ that addresses virus infections of M$
products? And if M$ controls both the virus host and the A/V inoculation,
does that not create a potential area of abuse - no
license/upgrade/whatever, no A/V subscription/update/whatever?

As Reagan told Gorbachev, "Let me tell you why we do not trust you..."

G

On or about 2004.06.17 15:51:19 +0000, DAN MORRILL (dan_20407[ at ]msn.com) said:

> You make anti virus software sound like a gun lock on a 9MM.
>
> Does it really matter who is in the anti-virus market? If Microsoft
> goes that way, and they have the best knowledge of what they created,
> what we can reasonably expect to see in the words of Bill Gates
> "Innovation, with rich user features, deeply embeded in our software".
>
> So, we can have an AV product that does great things, but maybe only
> 2% of it will be used, and because it is a microsoft product, we can
> expect patches every month, with known and unknown vulnerabilities from day
> one.

--
Gregory A. Gilliss, CISSP        E-mail: greg[ at ]gilliss.com
Computer Security                WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Ben Timby
<asp[ at ]webexc.com> to full-disclosure
Jun 18 (1 day ago)
I think everyone missed Nick's point. Since reversers work for the
competition, don't you think they would find and use the M$ undocumented
API? M$ would not be dumb enough to try it, since their competition in
this market is comprised of reverse engineers, who would simply
"counter-innovate" by using the M$ API :-).

Nick FitzGerald wrote:

> Valdis.Kletnieks[ at ]vt.edu wrote:
>
>
>>Naah.. They'd never use an undocumented API to benefit their product at the
>>expense of the competition, would they? ;)
>
>
> In this case, no.
>
> Given that a lot of AV technical work is reverse engineering and that
> most of the best AV reversers are not among those MS "acquired" from
> RAV or who have joined MS from other AV developers subsequently (not
> that they haven't got some very good reversers, just there are still an
> awful lot of them elsewhere), I doubt even MS is stupid enough to
> consider trying something like this.
>
>



valdis.kletnieks[ at ]vt.edu
to Ben, full-disclosure
Jun 18 (23 hours ago)
On Fri, 18 Jun 2004 13:22:11 CDT, Ben Timby <asp[ at ]webexc.com> said:
> I think everyone missed Nick's point. Since reversers work for the
> competition, don't you think they would find and use the M$ undocumented
> API? M$ would not be dumb enough to try it, since their competition in
> this market is comprised of reverse engineers, who would simply
> "counter-innovate" by using the M$ API :-).

Patent the API. Or document it with a EULA attached (remember their
documentation of their flavor of Kerberos?)... ;)



st3ng4h
<st3ng4h[ at ]comcast.net> to joe, full-disclosure
1:33pm (1 hour ago)
First, apologies to the list for the unintentional header forgery.
My correct address is st3ng4h[ at ]comcast.net, not rob[ at ]comcast.net. It
is my fault for configuring my SMTP forwarder in a hurry. A
boneheaded mistake. What can I say, it's been a long week.

On Fri, Jun 18, 2004 at 01:08:08PM -0400, joe wrote:
> Can users hook themselves up to the internet?
[snip]

Some can. It certainly takes less knowledge than sound system
administration; someone who successfully played with the toy where
one fits circular, rectangular, or triangular plastic blocks into
holes of corresponding shapes has all the 'skills' s/he needs to
plug coaxial and power cables into a cable modem, and RJ-45 from
cable modem to PC.

You will hear no argument from me when you assert that there are
many, many braindead users, admins, and 'technicians' out there.

> So what I am saying is, I think the ISPs need to share some of the
> responsibility of hooking people up safely, don't just plug them in.
[snip]

This is a good idea, and some ISPs do make efforts to educate their
customers about security, albeit in mostly passive ways.

However, it seems odd to me that you feel the ISPs should be obliged
to leap through many hoops to protect their customers, essentially
before they take customers' money. Microsoft has been taking
customers' money for years and years, and have given little or no
real consideration to customers' protection. By Gates' own
admission, (paraphrased) 'we have not done all that we can to
protect our customers'. Which, judging by their track record, is
still an understatement in the extreme.

In your last post, you made it clear that you believe that it is
primarily failings on the part of users that have allowed these
security gaffes to have such dire effect. So, can you explain why
you put such heavy responsibility on ISPs to protect customers, but
seemingly relieve Microsoft of any such responsibility, blaming
nearly everything on the user?

My point remains the same: Microsoft has no control over what its
end users do. It cannot force education, patches, or firewalls on
users if they don't want them. It has complete control over the
design, configuration, and quality of the software it sells. Which
is easier for them to fix- their software, or the mind of every end
user?

> Alternatively, have the ISP block all but say ports 25,80, and 110 by
[snip]

Truly draconian. And exceptionally bad for business. I remember when
Comcast had the nerve (sense) to block TCP 135 when Blaster hit. You
should have seen all the screaming users, infuriated that their
Windows File and Print Sharing didn't work. "I need this to connect
to our corporate file server and update the Excel spreadsheet that
has all our passwords in it, or my boss is gonna kill me!!"

Oh, and even this "security-through-unplugging-cables" style of
approach does absolutely nothing to protect people merrily browsing
the net with Internet Explorer and receiving email with Outlook
Express. Ever hear of phishing? How bout spyware?

> Again however, MS is stepping up on this. Go look at XP SP2. It is a big
> step in the direction to help users protect themselves. Of course of course,
> they have always done bad things so they can't possibly do anything better
> now. How thoughtless of me. Of course someone like yourself is so good at
> coding you know that every piece of code you have ever written has been
> perfect right off and no possible issues... Oh wait, you implying that means
> you probably have never coded anything more complex than a basic tool if
> that.

Admittedly, no. I didn't claim to be. I am young and learning. But
I think I have a good understanding of the concepts behind
designing and implementing secure software and avoiding the
programming errors that lead to easy exploits. And some things, like
active scripting in mail clients (to pull one off the top of my
head and recent full-disc history, that has inspired more than one
well-justified rant by list regulars) are just dumb and should have
never been considered in the first place, let alone turned on by
default. It doesn't seem to me to be rocket science. Assume that
software *will* be used and abused by Bad Guys; trust no input, and
validate all of it; write software that uses the least privileges it
needs to function, and no more; write small software; use techniques
such as isolation to provide additional layers of security that
increase the difficulty or nullify the risk of attacks; perpetually
strive to educate oneself about new attacks and new classes of
attacks, and learn to defend against them. The list continues; you
get the idea. It can be tedious and difficult. But it's one of the
things we have got to do, if we want to improve the status quo.

If what you wrote above is some kind of thinly-veiled attempt to
undermine my credibility (I don't have any yet, silly wabbit) by
making insinuations about my programming skill, it has probably
backfired on you. If what you want is to start a flame war, contact
me off-list.

Back to the topic at hand, XP SP2. Yes, I've seen it, and I'm not
terribly impressed. Most of these things have been in free *nixes
for a long time now. Comparing with Red Hat/Fedora (which is far
from the panacea of secure OSes, mind you):

Firewall on by default: Red Hat's had iptables setup as part of the
installation for years now. Configuration involves clicking one of
four radio buttons.

Safer networking defaults: Red Hat turned off most if not all
networked services in the default installation years ago, IIRC. I
think it took them about 10 minutes. Long overdue for Microsoft.

Memory protection: many distros, and I believe Fedora is one of
these, compile packages with stack-smashing protection or provide
versions of gcc with such features. More robust protection is
freely available with tools like grsecurity.

Safer email handling: safer than what? I can't think of a *nix mail
client that's proven as unsafe as Outlook and Outlook Express have.
Shoring up these programs is a 'duh', and also long overdue. Fedora
offers a choice of no less than ten different mail clients. Pick one
at random; I'll bet the cost of a Windows Server 2003 license that
it will never be victim to the types of vulns that have plagued and
continue to plague the Outlook series.

Safer browsing: More safe defaults that are long overdue. My
comments above on mail clients can be applied directly to browsers:
you have lots of choices, pick one at random, it's almost guaranteed
that you'll never suffer from the same types of stupid tricks that
can be played successfully on IE.

Automagic updates: trivially achieved with ANY *nix package
management system, and cron. And yes, they've been around for years.
Oh, and no one worries about whether updating Mozilla or Konqueror
means their network connection gets hosed or their OS is rendered
unbootable.

This is a simplified overview, but I think I've addressed the major
features MS is touting here, agree?

> I agree that MS helped create the mass of inept users... However, I don't
> see any OSes going out there creating knowledgeable users.

Try sitting a new user in front of a freshly installed *BSD box, and
see how far he gets without reading the manual.

> In fact had MS
> not done what it had done, I don't think we would be anywhere near where we
> are right now for penetration of PCs in the home and lower costs associated
> with that.

Is that supposed to be a good thing? Personally, I'd like to see far
fewer stupid people and sleazy corporations on the 'net. If that
means I have to pay more for access, and perhaps have one computer
in my home instead of half a dozen, so be it.

> I am just guessing but irregardless of what OS you are on now,
> you most likely were running an MS OS at some point.

Yes, and I rue the day I ever let it sink its teeth into me. I have
since freed myself of this unnecessary burden. Windows to me is now
little more than a gaming system, slightly superior to PS2 (except
in the respect that I never worry about my PS2 becoming the newest
member of a botnet).

> Not many people start
> on Mainframes and UNIX machines and went straight to non-MS offerings. Why?
> Not much else existed in the home for some time. Probably the few
> (relatively speaking) that can say they haven't ever run an MS OS are those
> that started using computers in University and never left so always lived in
> the UNIX world or Apple folks. If you had a PC at home and it wasn't an
> Apple, the chances are good it had MS on it.

Again, is that supposed to be a good thing?

Lots of people like double bacon cheeseburgers and Krispy Kremes. It
doesn't mean it's a good idea to eat nothing but.

> I look forward to BSD/Linux gathering steam and becoming better and better
> and more and more accepted. For several reasons actually. First off, MS
> always thrives when given good competition, it pushes itself to do better

Microsoft is well-known for its decidedly monopolistic and
*anti*-competitive behavior. Is this news?

As outlined in the Report That Got Dan Geer Canned From [ at ]stake [1],
this in and of itself is a danger to security. More generally, any
ubiquitous, identical systems on a huge global network are
inherently dangerous to the network itself, as the possibility
exists that a single piece of malicious code can destroy the systems
and/or the data contained on them and/or cripple the entire network.
Diversity is a key risk management strategy, and it has proven
parallels in fields like biology. I believe it also applies to
security risk management.

We've seen code that does this, and has the potential to do much
worse, many times over again, for a long time now.

Is it becoming clear why a simple 'step-up' from MS won't cut it?

I don't want to see any one operating system or piece of software
'take over the world'. I would like to see some real competition
resulting in better code and more diversity, so perhaps we can make
some progress on overcoming the attacks of yesterday that continue
today.

> and better which is good for computing in general because they have serious
> cash to put into the endeavour, not many computing places now have
> multi-billion dollar R&D budgets to make home computing better.

It must be humbling for you to think that a bunch of rag-tag GNU
hippies, young Finnish CS students, Berkeley grads, Canadians
*gasp!*, and thousands of other hackers coding in their spare time
often for free, have produced operating systems and software that
rival or are outright superior to the products of the largest,
richest software company in the world.

> Second off,
> the Linux world will have to clean up, right now it is a bit chaotic with
> all of the various vendors duking it out over who is better and you having
> to be really sure of what you have before you install things. It reminds me
> of earlier MS days with Win9x and NT and having to figure out what you had
> so you knew what you could install. It is a pain in the butt when consulting
> for large companies when they are trying to figure it out because not only
> is it a case of figure out if you want Linux or Windows, it is which flavor
> of Linux do you want. Just dilutes the whole thing. Yes yes choice is good
> blah blah blah. Sometimes though in the committee driven worlds of corporate
> America, a multitude of choices can be a bad thing.

Yes, there are a lot of Linux distros out there now, and yes, most
of them are pretty useless, lame, and contrived. There are also some
very good ones, and the skilled sysadmin can always build their own
if they don't like anyone else's. Yes, for a corporation trying to
'pick one' it can be difficult, for those not used to actually
having choices. Yes, trying to figure it out is difficult for
companies, especially ones full of admins who are glued to the
shiny friendly happy clicky GUI world to which they're accustomed,
and don't know a whit about what's actually happening- on the
system, on the network, anywhere.

Who ever told these people it would be easy, ever? These are some of
the most complex machines mankind has created. Who made them
allergic to getting their hands dirty and spending some time
understanding the systems they're supposed to be taking care of with
competence?

> You sound like a jilted lover here. Not someone looking for the computing
> world to get better.

Jilted lover isn't quite accurate; it's more like MS keeps trying
to slip people roofies at the bar and date-rape them in the parking
lot. I'll tell you why, and fundamentally I believe this is the
reason for our differences of opinion.

You still trust Microsoft. I don't. They had it for a time, and
they have earned my distrust. It will take significant leaps and
bounds forward in several areas for them to earn it back. Call me
paranoid, pessimistic, jaded, what have you.

I've been promised that they will step up with every new version and
new product, just as you are offering promises that they are
stepping up with SP2. Don't get me wrong; it will help, for those
who are running XP (many aren't), are aware of its existence (the
many who cannot even be bothered with patching now will likely be
oblivious), and who won't remove or disable it after seeing that it
makes life on the 'puter an iota more difficult than it had been
before.

It won't undo the disservice they have done to the industry and
their customers by consistently failing to improve the security and
quality of their software, nor will it undo the damage caused by
making it so easy for users as zombie-like as their infected
machines to play with it on high-speed wireless 'net connections.

It's a baby step in the right direction, for a corporation that as I
said, ought to be leading the industry.

In any case, before our 'discussions' become any more verbose,
flame-ish, religious, or off-topic (they're currently all four), we
should do the good list members a favor and take it off list.

[1] http://www.ccianet.org/papers/cyberinsecurity.pdf
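Two of the principles listed in the post above (trust no input and validate all of it; run with the least privilege the program needs) shown as working C. This is an added example, not code from the list thread or from any poster; it assumes a hypothetical small file-serving daemon and an unprivileged account named "nobody" to drop into.

```c
/* Added illustration: validate every client-supplied name against a
 * conservative whitelist, and give up root permanently before serving.
 * Hypothetical daemon; the "nobody" account name is an assumption. */
#define _DEFAULT_SOURCE 1
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_NAME 64

/* Accept only a bounded, conservative character set for a requested file
 * name: ASCII letters, digits, '.', '_' and '-', no leading '.', and no
 * path separators. Returns 1 if the name is acceptable, 0 otherwise. */
int valid_name(const char *name)
{
    size_t len = 0;

    if (name == NULL)
        return 0;
    while (len <= MAX_NAME && name[len] != '\0')   /* bounded length scan */
        len++;
    if (len == 0 || len > MAX_NAME)                /* empty or over-long */
        return 0;
    if (name[0] == '.')                            /* rejects ".", ".." and dotfiles */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;                              /* '/', '\\', spaces, control bytes */
    }
    return 1;
}

/* Permanently give up root once privileged setup is done.
 * Returns 0 on success (or when there is nothing to drop), -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid; the final
 * setuid(0) must fail, otherwise the drop was not permanent. */
int drop_privileges(const char *account)
{
    struct passwd *pw;

    if (geteuid() != 0)
        return 0;                                  /* not root: nothing to drop */
    pw = getpwnam(account);                        /* assumed account, e.g. "nobody" */
    if (pw == NULL)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)                            /* regaining root must be impossible */
        return -1;
    return 0;
}

int main(void)
{
    /* constructed sample requests: one benign, three hostile */
    const char *requests[] = { "report.txt", "../etc/passwd", ".ssh", "a b" };

    if (drop_privileges("nobody") != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to serve\n");
        return 1;
    }
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++)
        printf("%-16s %s\n", requests[i],
               valid_name(requests[i]) ? "accepted" : "rejected");
    return 0;
}
```

The daemon refuses to run at all if the privilege drop fails, rather than serving as root "just this once"; and the name check is a whitelist, so anything the author did not anticipate (a new escape sequence, a Unicode trick) is rejected by default instead of slipping through a blacklist.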
