QODS ec

Saturday, June 19, 2004

OT: CompTIA Announces Substantial Linux Exam Revision

CompTIA Announces Substantial Linux Exam Revision

OT: Blogger uses RSS feeds for charity

Blogger uses RSS feeds for charity

Rory Blyth, a 26-year-old software developer in Portland, is something of a middleman, The New York Times reports. His blog, www.neopoleon.com, offers several free services that deliver information from other Web sites directly to users through a technology called RSS, or really simple syndication.

RSS is becoming a popular way to "subscribe" to Web logs and other frequently updated sites. It requires a special reader that attaches to your browser or e-mail program; most readers are free.

Blyth's RSS feed from the Louvre, for instance, highlights a different artwork each day from the museum's collection. But his real innovation may be RSS for Charity, which delivers customized information on new products available at Amazon.com.

If a subscriber buys a product by way of his link, he receives a small commission from Amazon that he donates to a charitable organization. So far, the proceeds have enabled him to sponsor a Filipino child through Children International.

OT: Aggregators Attack Info Overload

Wired News: Aggregators Attack Info Overload

Maniacally wired netizens who read a hundred blogs a day and just as many news sources are turning to a new breed of software, called newsreaders or aggregators, to help them manage information overload.

Many now say that their news aggregator is as indispensable as their e-mail client.

Aggregators, such as NewsGator and AmphetaDesk, allow users to subscribe to feeds from sources as diverse as the BBC, Sci-Fi Today, Slashdot and thousands of bloggers across the world. The services work by checking an Internet address at a regular interval, usually once an hour, to see if new content has been added.

The feeds are written according to one of a few competing shared specifications, which are collectively referred to as RSS, which stands, depending on who you talk to, for really simple syndication or rich site summary.

At heart, RSS is simply a specification that a site uses to produce a page of XML code. The code breaks up each entry or story on a website by title, description and direct link. An aggregator then determines how to display that output in a reader.
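The paragraphs above describe what an aggregator actually does: fetch an XML document, split it into title/description/link entries, and on each hourly poll show only what is new. The following is an added example written for this page, not code from Wired, SharpReader or any other product named here; it parses RSS 2.0 and, as a generalisation, Atom 1.0, and the feed documents and URLs in it are constructed.

```python
"""Core of a feed aggregator: parse an RSS 2.0 (or Atom) document into
(title, description, link) entries and, per poll, report only entries that
were not delivered on an earlier poll. Sample feeds and URLs are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ATOM = "{http://www.w3.org/2005/Atom}"  # Atom 1.0 namespace


@dataclass(frozen=True)
class Entry:
    title: str
    link: str
    description: str
    guid: str  # stable identifier, used to spot repeats across polls


def _text(node: ET.Element, tag: str) -> str:
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_feed(document: str) -> list[Entry]:
    """Return the entries of an RSS 2.0 (<rss><channel><item>) or Atom (<feed><entry>) document."""
    root = ET.fromstring(document)
    entries: list[Entry] = []
    if root.tag == "rss":
        for item in root.findall("./channel/item"):
            link = _text(item, "link")
            # RSS 2.0 <guid> is optional; fall back to the link as the item's identity
            entries.append(Entry(_text(item, "title"), link,
                                 _text(item, "description"), _text(item, "guid") or link))
    elif root.tag == ATOM + "feed":
        for entry in root.findall(ATOM + "entry"):
            # Take the rel="alternate" link (rel omitted means alternate); it points at the page
            hrefs = [l.get("href", "") for l in entry.findall(ATOM + "link")
                     if l.get("rel", "alternate") == "alternate"]
            link = hrefs[0] if hrefs else ""
            entries.append(Entry(_text(entry, ATOM + "title"), link,
                                 _text(entry, ATOM + "summary"), _text(entry, ATOM + "id") or link))
    else:
        raise ValueError(f"unsupported feed root element: {root.tag}")
    return entries


class Aggregator:
    """Remembers, per subscription, which entry identifiers have already been shown,
    so each poll yields only what is new (the pull model the article describes)."""

    def __init__(self) -> None:
        self._seen: dict[str, set[str]] = {}

    def poll(self, feed_url: str, document: str) -> list[Entry]:
        # In a real reader `document` would be the body just fetched from feed_url.
        seen = self._seen.setdefault(feed_url, set())
        new = [e for e in parse_feed(document) if e.guid not in seen]
        seen.update(e.guid for e in new)
        return new


# Constructed sample feeds: the second RSS poll adds one item ahead of the first two.
RSS_POLL_1 = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example blog</title>
<item><title>Item one</title><link>https://blog.example/1</link>
<description>First post</description><guid>tag:blog.example,2004:1</guid></item>
<item><title>Item two</title><link>https://blog.example/2</link>
<description>Second post</description></item>
</channel></rss>"""
RSS_POLL_2 = RSS_POLL_1.replace(
    "<item><title>Item one",
    "<item><title>Item three</title><link>https://blog.example/3</link>"
    "<description>Third post</description></item><item><title>Item one")
ATOM_SAMPLE = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Example feed</title>
<entry><title>Atom entry</title><id>urn:uuid:example-entry-1</id>
<link rel="self" href="https://blog.example/atom/1"/>
<link href="https://blog.example/post/1"/><summary>Hello</summary></entry>
</feed>"""


def demo() -> tuple[int, int, int]:
    """Poll the RSS sample twice and parse the Atom sample; returns (new on poll 1, new on poll 2, atom entries)."""
    agg = Aggregator()
    first = agg.poll("https://blog.example/rss", RSS_POLL_1)
    second = agg.poll("https://blog.example/rss", RSS_POLL_2)
    return len(first), len(second), len(parse_feed(ATOM_SAMPLE))


if __name__ == "__main__":
    print(demo())  # (2, 1, 1)
```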

For instance, the popular aggregator SharpReader, which runs on Microsoft's .NET framework, displays RSS feeds in a window similar to that of a standard e-mail client. The difference is that the items in the folders are not e-mail messages; they are news stories or individual blog entries.

Users say the clean interfaces let them read hundreds of stories and blog entries in less than half the time it would take using a browser and a favorites list.

"I'm subscribed to 200 feeds," said Luke Hutteman, who designed SharpReader. "Last year, I didn't even know what an aggregator was."

Though newsreaders have been around almost as long as Usenet and the Internet, some prominent bloggers and programmers argue that better syndication standards and more sophisticated readers herald the next big leap for life on the Internet.

"I'm a voracious reader and I built the software because I couldn't stand the Web without it," said Brent Simmons, who says the number of downloads of his Macintosh-based aggregator, NetNewsWire, is now in five figures. "The demand for aggregators is just going to tip over at some point and go wild."

Over the last year, the number of aggregators available has exploded, with shareware and paid aggregators now available for every common operating system and even for PDAs and iPods.

Some even say the emergence of the aggregator is the best thing since a visual Web browser.

"It's going to subsume e-mail and subsume many forms of publicity," said Steve Gillmor, a technology columnist and blogger. "The problem with e-mail is trying to stop a fire hose of data with a thumb in a dike."

Gillmor argues that RSS will solve the spam problem with "mutual syndication," since aggregators subscribe and retrieve data in what's called a "pull model," as opposed to e-mail, which other people push to a user's e-mail account. He also believes that RSS can be helpful in suggesting new sources of information, based on what others with similar feeds are reading.

Not everyone in the RSS community is as bullish as Gillmor.

"I can see the headline now, 'Death of E-mail. News at 11,'" said Kevin Burton, who created the aggregator NewsMonster. "I don't think so."

Still, those who use and build RSS aggregators, including Burton, expect RSS to conquer some of the communications territory currently held by announcement lists and online mailing lists such as Yahoo Groups. Many also expect companies to turn increasingly to RSS and aggregators for internal communications.

The next step for aggregators, according to Hutteman and Burton, is including collaborative-filtering capabilities along the lines of Amazon.com's automated recommendation system.

NewsMonster, which runs inside a Mozilla browser, already has a relevance and reputation reporting system built into the pay version of the software so a user can rate an item and other users can view vote tallies to decide what is important to read.

"I want to solve the question of 'I don't have any time and I subscribe to 500 feeds. I just got off the plane. What do I need to read?'" said Burton.

OT: Purdue mathematician claims proof for Riemann hypothesis

Purdue mathematician claims proof for Riemann hypothesis
Note to Journalists: The following release concerns research that has not yet been peer reviewed or published in a professional journal. The researcher can be reached via air mail or international telephone with the contact information listed at the end of the release.

June 8, 2004
Purdue mathematician claims proof for Riemann hypothesis

WEST LAFAYETTE, Ind. – A Purdue University mathematician claims to have proven the Riemann hypothesis, often dubbed the greatest unsolved problem in mathematics.

Louis De Branges de Bourcia, or de Branges (de BRONZH) as he prefers to be called, has posted a 124-page paper detailing his attempt at a proof on his university Web page. While mathematicians ordinarily announce their work at formal conferences or in scientific journals, the spirited competition to prove the hypothesis – which carries a $1 million prize for whoever accomplishes it first – has encouraged de Branges to announce his work as soon as it was completed.

"I invite other mathematicians to examine my efforts," said de Branges, who is the Edward C. Elliott Distinguished Professor of Mathematics in Purdue's School of Science. "While I will eventually submit my proof for formal publication, due to the circumstances I felt it necessary to post the work on the Internet immediately."

The Riemann hypothesis is a highly complex theory about the nature of prime numbers – those numbers divisible only by 1 and themselves – that has stymied mathematicians since 1859. In that year, Bernhard Riemann published a conjecture about how prime numbers were distributed among other numbers. He labored over his own theory until his death in 1866, but was ultimately unable to prove it.

The problem attracted a cult following among mathematicians, but after nearly 150 years no one has ever definitively proven Riemann's theory to be either true or false. Although a definitive solution would not have any immediate industrial application, in 2001 the Clay Mathematics Institute in Cambridge, Mass., offered a $1 million purse to whoever proves it first.

At least two books for popular audiences have appeared recently that describe the efforts of mathematicians to solve the puzzle. One of the books, Karl Sabbagh's "Dr. Riemann's Zeros," provides an extensive profile of de Branges and offers one of the mathematician's earlier, incomplete attempts at a proof as an appendix.

De Branges is perhaps best known for solving another trenchant problem in mathematics, the Bieberbach conjecture, about 20 years ago. Since then, he has occupied himself to a large extent with the Riemann hypothesis and has attempted its proof several times. His latest efforts have neither been peer reviewed nor accepted for publication, but Leonard Lipshitz, head of Purdue's mathematics department, said that de Branges' claim should be taken seriously.

"De Branges' work deserves attention from the mathematics community," he said. "It will obviously take time to verify his work, but I hope that anyone with the necessary background will read his paper so that a useful discussion of its merits can follow."

Writer: Chad Boutin, (765) 494-2081, cboutin@purdue.edu

Sources: Louis de Branges de Bourcia, Hameau de l'Yvette, Bat D, Chemin des Graviers, F-91190 Gif-sur-Yvette, FRANCE; international telephone 33-1-69074621

Leonard Lipshitz, (765) 494-1908, lipshitz@math.purdue.edu

Purdue News Service: (765) 494-2096; purduenews@purdue.edu

GOOGLE: New Google WebSearch Program Pays Publishers For Searches

New Google WebSearch Program Pays Publishers For Searches

By Danny Sullivan, Editor
June 18, 2004

Google has released two new services allowing site owners to install web search capabilities on their own sites, including one that pays.

Google WebSearch allows publishers to add a Google web search box to their web sites. Searches generated then show both Google's paid and unpaid listings. The publisher receives a share of all revenue generated from clicks on the paid listings.

Anyone already involved in the Google AdSense program can make use of Google WebSearch, Google says. Those who aren't can apply for the Google AdSense program to make use of the search and contextual ads that AdSense provides.

The new program harkens back to the search box affiliate programs that emerged in 1999 and 2000. Overture, then GoTo, launched the first significant one in January 1999 paying $0.03 per search. By the following year, others such as AltaVista, Lycos and even Google were paying up to three cents themselves.

The dotcom downturn seemed to prompt the closure of these programs. Toward the end of 2001, both AltaVista and Google had closed theirs, for example. In the wake of Google's new offering, it may be that we'll see a renaissance in this type of offering.

Google has also unveiled a new tweak to the web search feature it has long offered publishers. Called Site-Flavored Google Search, this lets publishers set ranking criteria to favor particular categories of web pages.

For example, a site about computers could offer web searching via Google where the search results boost pages classified as being related to computers. A site dealing with news could offer web search that boosts news content.

The service takes advantage of classification features that are part of the Google Personalized Web Search service that was released in March. That feature lets users do category weighting for their own personal use. In contrast, the new Site-Flavored Google Search lets publishers create customization for an entire audience of searchers.

Google still offers "unflavored" web search to publishers, as well as a feature to search with a specific site. This service has been rebranded as Google Free. Other companies also offer such services, and Avi Rappoport's Search Tools web site is a good place to explore options.

GOOGLE: Google Gains in Popularity, But Will It Last?

Google Gains in Popularity, But Will It Last?
By Chris Sherman, Associate Editor
June 16, 2004

Over the past year, Google took market share from Yahoo and MSN, according to a new report from industry analyst Hitwise. But the increasing popularity of vertical search sites poses a significant threat to all of the major search engines.

The Hitwise report monitored U.S. internet visits to more than 1,900 search and directory web sites between August 2003 and April 2004. Combined, this category accounted for 14% of all internet visits.

During the study period, Google.com increased its share of visitors to 15%, while Yahoo.com and MSN.com both lost share, slipping to 29% and 11%, respectively. Factoring in sub-sites such as search.yahoo.com and images.google.com, Yahoo's combined share was 45%, followed by MSN at 19% and Google at 17%. Ask Jeeves, Excite, and iWon were the only three other services to make the top ten, each with about 1% share.

These market share numbers differ from other industry metrics, such as the comScore Media Metrix Search Engine Ratings which measures popularity based on search volume and the Nielsen NetRatings Search Engine Ratings which measures audience reach. Each service uses different methodologies, so the rankings are not directly comparable.

Hitwise also looked at what people search for. MSN Search has the highest percentage of visits from the very lucrative categories of shopping and classifieds, business and finance, and travel. By contrast, Yahoo! Search and Google are stronger in the education, news and media, and entertainment categories.

What specific sites do people visit immediately after using a search engine? For Google, it's images.google.com, followed by a number of popular non-Google web sites such as eBay, CNN and the Internet Movie Database (Google news was #3).

Both Yahoo and MSN were more successful in routing visitors to other properties within their own networks. Notably for search marketers who are wavering on renewing their Yahoo directory listing, the most frequently visited site immediately after a Yahoo search was Yahoo's Directory.

The two most frequently visited sites after an MSN search were Google.com and Yahoo.com, suggesting dissatisfaction with MSN search results.

Though the big three dominate search market share now, vertical search sites experienced strong growth over the past year, most notably in the shopping, classifieds and travel categories. This growth is correlated with a concurrent decrease in referral visits from search engines.

In other words, searchers are becoming more sophisticated, and are learning that general purpose search engines are not always the best choice for every type of search, a mantra that we've been chanting here at Search Engine Watch for years.

Will the growth of verticals threaten the big three? Possibly, but it's more likely what we're seeing is a maturation of the industry that allows for both general purpose search engines and verticals to co-exist. A similar phenomenon occurred with television, with the original major networks dominating the scene until the advent of cable, and the explosion of niche and specialized networks and programming. While the major networks lost share to the specialized services, they still dominate in terms of overall market share.

The study also found that visitors to the three leading search engines have varying demographic profiles. The most predominant demographic for Google users is male (53.42%) aged 35-44 (25.26%) earning an annual household income between $60,000 and $100,000.

Both Yahoo! Search and MSN Search capture more of the lower income demographic of $30,000-$60,000 annual household income. Yahoo! Search stands out in the younger age demographic of 25-34 (25.99%), while MSN Search is stronger with females (54.26%). All of these findings are based on data for the 12 weeks ending May 15, 2004.

SearchDay readers may request a free copy of the full report by filling out this request form (the report ID is embedded in this special URL).

Sound Off

Are vertical search sites a threat to the major search engines? As search marketers, are you targeting vertical search sites in your campaigns? Join the Vertical Search - The Next Big Thing? discussion in the Search Engine Watch forums.

OT: Behind the Scenes at News Aggregator Topix.Net

Behind the Scenes at News Aggregator Topix.Net

By Gary Price, Guest Writer
April 13, 2004

Topix.net combines an excellent news search engine with two other hot technologies: local search and personalization.

The Topix database includes full text news stories from over 4,000 sources, including a great deal of content that's difficult to quickly access elsewhere. The real power of this nifty news search engine comes from its easy-to-use pre-built pages that aggregate news and other information into more than 150,000 topic-specific pages.

These specialized pages cover local news and information for every zip code in the United States. There are also news pages dedicated to specific companies, industries, sports teams, actors, and many other subjects.

We interviewed Rich Skrenta, CEO of Topix.Net, via e-mail.

Q. Where did the idea for Topix.Net come from? What made you decide that this service was needed in the current marketplace? What does Topix.Net offer that's not available from other companies?

In 1998 we did a project called NewHoo, which was acquired by Netscape/AOL, and is now called the Open Directory Project (ODP). It used a massive group of volunteers to build the web's largest human-edited directory. The ODP now has 60,000 volunteer editors, and the data powers Google Directory.

Our team left Netscape/AOL in 2002, and rather than using human labor again, we wanted to explore emerging AI (artificial intelligence) techniques for classifying and extracting structured data from the web. The goal for Topix.net is to make a web page about everything -- every person, place, and thing in the world -- constantly machine-summarized from the Internet. Since the web can be a messy place, surfing a well-constructed encyclopedia based on live content from the web would be a win for users.

Rather than starting with a full web crawl, which has 4 billion+ pages, we started with news, which has 4,000 sources, and is very dynamic and high quality content. We don't cover everything in the world yet, but we do have every place in the U.S., every sports team, music artist, movie personality, health condition, public company, business vertical, and many other topics.

Q. Can you share some background about how Topix.Net builds a page? Are pages built automatically or is there some human intervention? Is the technology your own? How long did it take to get it up and running?

We developed separate software modules to crawl, cluster and categorize articles. The heart of our system is a proprietary AI categorizer that uses a massive Knowledge Base (KB) to determine the geographic location and subject categorization for each story.

The final step is the Robo-Editor, which picks the best stories for display. For example, our 2004 Presidential Election page may have seen 1,000 articles for the past hour. The Robo-Editor's job is to pick the 10 best articles to show the user to give them a good overview of the news.

Our system is fully automated, there is no human involvement at any stage. We developed the technology in-house over the past two years. The AI was particularly tricky to get right, since an accuracy rate in excess of 99% was necessary to make the system useful.

Q. Do you have any plans to market your crawling and categorization technology as a source of revenue or providing your services to create Topix.Net pages for companies and other organizations?

We have a commercial feed business for companies that want to enhance their own website offerings with deeply categorized news content. Topix.net offers an extremely rich newsfeed -- in addition to the standard URL, title, and summary, we have the latitude/longitude of the news source, the latitude/longitude for the subjects of the story, the prominence of the news source, the subject categorizations, and more. We can also "geo-spin" any subject category, to produce a locally focused version. These features give us a lot of flexibility to customize feeds for clients.

We're also excited about using our categorization technology to apply to other areas beyond news, such as local web search.

Q. Are you crawling and aggregating web content other than news sources? Do you include press release material?

In addition to newspapers, Topix.net is crawling radio and TV station websites, college papers, and some high school papers and weblogs. We're also crawling government websites with "newsy" public information, such as police department crime alerts, health department reports, OSHA violation announcements, coast guard notices, and news releases from other city, county and state level government entities. We are crawling and including press releases too.

Our focus is on hyperlocal deep coverage of the U.S. We love police blotters and little papers with extremely local coverage. If your local PTA has online meeting minutes, that's the kind of source we want to add.

Q. Does Topix.Net offer any type of RSS/syndication options?

We have an RSS feed for each of our 150,000 categories. This includes an RSS feed for every ZIP code in the U.S. Topix.net is the largest publisher of non-weblog RSS on the net.

Each of our pages also has an "Add to My Yahoo" button, which drops Topix.net headlines onto your My Yahoo desktop. We worked with the My Yahoo team to pre-load 35,000 of our newsfeeds into their new RSS reader module.

In addition to the RSS feeds, we also have free javascript headline syndication. Website owners can easily add a Topix headline box from any of our categories to their site by including a bit of HTML.

Q. What are Topix.Net's current sources of revenue?

Website advertising and commercial newsfeed sales.

Q. What do you have in the pipeline to further enhance Topix? In other words, what will Topix.Net offer in a year that's not available today? What about local pages for areas outside of the U.S.?

Expanding beyond the U.S. to full worldwide coverage is something we'd like to do. We're also looking at adding personalization features to the site, and using our categorization technology to apply to content beyond just news.

Gary Price is the publisher of ResourceShelf, a weblog covering the online information industry.

OT: RSS: The Next Generation

RSS: The Next Generation by Giles Turnbull -- Syndicated summaries of web content are more popular than ever before, and the recent explosion of users has prompted some dramatic changes in the world of RSS software. Giles Turnbull takes a look at some of the latest offerings, including PulpFiction, Shrook, and of course, NetNewsWire.

GOOGLE: Google considering support for RSS news feeds

Google considering support for RSS news feeds
June 11, 2004

Search engine giant Google appears to be renewing its support for the popular RSS news feeds format in some of its search services, marking the latest turn in a standards war over technology.

RSS, or Really Simple Syndication, lets online publishers automatically send Web content to subscribers, giving readers a powerful tool to compile news headlines on the fly from several sources at once.

Next to Atom, which launched as a challenger last year, RSS has become a leading candidate to form the basis of an industry standard for an entirely new style of Web publishing.

In January, Google seemingly chose sides, bypassing RSS support for most subscribers of its Blogger publishing tool in favor of rival Atom. But now, there are signs that Google may be poised for a change of heart, as support has grown inside the company to restore equal footing to both formats.

According to an internal Google e-mail seen by CNET News.com, the company has been considering the change and last month assigned at least one staffer to write a memo summarizing technical details relating to RSS. The request came amid a broader discussion touching on extending RSS support for new Blogger subscribers and Google Groups, which supports Atom but not RSS in a test version of the service.

"I did ask (a Google product manager) to develop a summary...about RSS feeds, including the ways they are produced and consumed, which platforms/devices they run on, and information on the various formats (RSS 1.0, 2.0, Atom)," Jonathan Rosenberg, Google's vice president of product management, wrote on May 22. The message was part of a thread addressed to Google co-founders Sergey Brin and Larry Page, CEO Eric Schmidt and others.

As of June 4, it appeared no decision had yet been made on the issue. A Google representative declined to comment.

Were Google to support both RSS and Atom equally, it might help ease growing pains for a swiftly rising movement of Web publishing. It would also restore Google to the status of a neutral party in the midst of a bitter fight between backers of RSS and Atom, who have been divided since last summer when critics of RSS banded together to create the alternative format. Since then, many blog sites and individuals have rallied behind Atom.

Google is central to the debate because of its mounting influence in the online community and within Web publishing circles as the owner of Blogger.

The Mountain View, Calif.-based company, which is gearing up for a $2.7 billion initial public offering later this year, recently redesigned Blogger with simplified features to help newbie Web surfers publish regular accounts of their lives online, a move to appeal to wider audiences.

Google also has plans to introduce a raft of community services, including e-mail discussion groups (Google Groups 2), free Web-based e-mail and search personalization tools, which could eventually tap the syndication format.

A slew of feed readers or news aggregators has emerged to take advantage of the technology and spur consumer demand. Newsgator, for example, lets people subscribe to various Web logs and news sites and have the feeds delivered to their e-mail via a plug-in for Microsoft Outlook, at a cost of $29.

Topix.net lets people parse news into 150,000 different categories, even down to a ZIP code, and create their own information site. Pluck recently released a set of browser add-ons for Microsoft's Internet Explorer with an RSS reader. Many news readers support both RSS and Atom, although some support only one or the other.

Despite the fissure, RSS has been gaining allegiance among many computer makers and online publishers. In recent weeks, Time magazine, Reuters, Variety.com and Smartmoney.com have started supporting the format, syndicating their headlines to news aggregators and individuals.

In January, Yahoo started testing RSS feeds, allowing visitors for the first time to create personalized MyYahoo pages with automatic news feeds from third parties of their choice. Yahoo also supports Atom feeds. Computer companies including Microsoft, Apple Computer and Sun Microsystems also support RSS.

Two major versions of RSS currently exist. They are known as RDF Site Summary and Rich Site Summary, respectively.

The technology is becoming more important because it essentially allows Web surfers to get information how and when they want it, without surfing to Web sites.

People can set up a Web page and aggregate headlines from multiple sites, and click only on those that interest them. Publishers are embracing the technology to drive more traffic to their sites, amidst media overdrive on the Web. Many publishers and advertisers are even evaluating ways to make money from syndicating news feeds with ads or sponsorships. For example, publishers could seed advertisements into RSS and Atom news feeds.

Yet without interoperability between the news readers, consumers could eventually hit a brick wall. If a publisher's syndicated news feeds are available only in one format, then the consumer using another would have to install an updated news reader.

"From a layman's perspective, if this is going to move out of the geek space, these two warring parties need to come together and realize it's the applications that will determine the standard," said Charlene Li, principal analyst for Forrester Research. "It shouldn't be polarized into a Betamax vs. VHS discussion."

RSS was developed as a Web scripting format in the late '90s by a team of Netscape engineers and eventually came under the domain of Dave Winer's blog software company, Userland, when Netscape's RSS team disbanded.

Last year, Winer transferred the format to the Berkman Center for Internet & Society at Harvard Law School, where he is a fellow. RSS is also now available for use under a "creative commons" license, which frees it from commercial copyright claims.

Sam Ruby, an IBM software engineer, launched Atom last summer as a way of bypassing what he and other critics called Winer's de facto control over RSS. Industry watchers say the format is more robust than RSS, with more tagging capabilities in syndication, and is more promising because it's on a fast track to becoming an open standard.

Atom backers have proceeded with plans to bring their technology under the auspices of the Internet Engineering Task Force (IETF). Detractors of RSS argue that the format is closed because it is essentially governed by one man, Winer.

In May, the Internet Engineering Steering Group (IESG) announced a proposal for a new IETF Atom publishing format and working group under the IETF. Ruby and others have said that the working group would draw on the experience of RSS to help create a single, interoperable format. Ruby could not immediately be reached for comment.

Winer himself has lobbied for a merger of the rival formats, in part because of concern that Google's dominance would influence a greater split in the Web publishing industry.

In a worst-case scenario, Winer described how in the future, people might need to download two different news reader applications to compile headlines from publications supporting competing formats.

Winer said that he's asked the company repeatedly to get behind RSS and quell confusion over competing formats, with no answer.

The "RSS 2.0 format is by far the most widely used format. There was a time when it looked like things would coalesce, but then things started to fragment, largely due to Google," Winer said. "RSS deserves Google's respect, and it's not getting it."

Source: C-Net News

OT: [Full-Disclosure] Akamai

Niek Baakman
to full-disclosure
Jun 15 (4 days ago)
Hi list,

akamai disappeared from the internet about an hour ago.
(all their dns servers are dead, hence many companies that
use akamai are unreachable: microsoft.com/liveupdate.symantec.com
apple/some search engines)

Does anyone know if it is security-related (ddos, something else).

Regards,

Niek

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Chris Carlson
to Niek, full-disclosure
Jun 15 (4 days ago)
I've just been told that it was a DoS. No details.


> -----Original Message-----
> From: full-disclosure-admin[ at ]lists.netsys.com
> [mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of
> Niek Baakman
> Sent: Tuesday, June 15, 2004 09:58
> To: full-disclosure[ at ]lists.netsys.com
> Subject: [Full-Disclosure] Akamai
>
> Hi list,
>
> Akamai disappeared from the internet about an hour ago.
> (All their DNS servers are dead, hence many companies that
> use Akamai are unreachable: microsoft.com, liveupdate.symantec.com,
> Apple, some search engines.)
>
> Does anyone know if it is security-related (DDoS, something else)?
>
> Regards,
>
> Niek



james edwards
to full-disclosure
Jun 15 (4 days ago)
> I've just been told that it was a DoS. No details.

Unlikely, Akamai is an overlay network & the root content node is not
reachable. Akamai can in real time spread web traffic throughout their
global network of servers, diluting a DoS to the point it is not
significant. It is more likely that the complexity of the overlay network
was the cause. Last week it was a DNS issue and it seemed much the same
this week. Provided you know the IPs of the content servers you would find
they were still up. At least that was what I was seeing.

Here is some info on Overlay Networks:
http://nms.lcs.mit.edu/ron/
http://nms.lcs.mit.edu/ron/#papers

Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
is quite interesting.
http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html

--
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh[ at ]cybermesa.com
noc[ at ]cybermesa.com
(505) 795-7101




Brent Colflesh
to full-disclosure
Jun 15 (4 days ago)
"Young called it a "large scale, international attack on Internet
infrastructure." However, there was no evidence that non-Akamai
infrastructure was affected."

http://apnews.excite.com/article/20040615/D837KIU00.html

Regards,
Brent


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com]On Behalf Of james
edwards
Sent: Tuesday, June 15, 2004 4:45 PM
To: full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] Akamai

> I've just been told that it was a DoS. No details.

Unlikely, Akamai is an overlay network & the root content node is not
reachable. Akamai can in real time spread web traffic throughout their
global network of servers, diluting a DoS to the point it is not
significant. It is more likely that the complexity of the overlay network
was the cause. Last week it was a DNS issue and it seemed much the same
this week. Provided you know the IPs of the content servers you would find
they were still up. At least that was what I was seeing.

Here is some info on Overlay Networks:
http://nms.lcs.mit.edu/ron/
http://nms.lcs.mit.edu/ron/#papers

Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
is quite interesting.
http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html

--
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh[ at ]cybermesa.com
noc[ at ]cybermesa.com
(505) 795-7101



Chris Carlson
to james, full-disclosure
Jun 15 (4 days ago)
http://www.washingtonpost.com/wp-dyn/articles/A43635-2004Jun15.html

Need to register, but it's no hassle.
I'd mirror to my server, but copyright blah blah blah.

Anyone have any more info?


> -----Original Message-----
> From: full-disclosure-admin[ at ]lists.netsys.com
> [mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of
> james edwards
> Sent: Tuesday, June 15, 2004 16:45
> To: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] Akamai
>
> > I've just been told that it was a DoS. No details.
>
> Unlikely, Akamai is an overlay network & the root content
> node is not reachable.
> Akamai can in real time spread web traffic throughout their
> global network of servers, diluting a DoS to the point it is
> not significant. It is more likely that the complexity of the
> overlay network was the cause. Last week it was a DNS issue
> and it seemed much the same this week. Provided you know the
> IPs of the content servers you would find they were still
> up. At least that was what I was seeing.
>
> Here is some info on Overlay Networks:
> http://nms.lcs.mit.edu/ron/
> http://nms.lcs.mit.edu/ron/#papers
>
> Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
> is quite interesting.
> http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
>
> --
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh[ at ]cybermesa.com noc[ at ]cybermesa.com
> (505) 795-7101
>


james edwards
to full-disclosure
Jun 15 (4 days ago)
Akamai is saying their DNS continued to work.

http://www.theregister.co.uk/2004/06/15/akamai_goes_postal/

Akamai has got back to us to explain that the problem stemmed from what a
spokesman called a "large scale international attack on the Internet's
infrastructure". Akamai said the attack was primarily aimed at the large
search engines - of which it runs the three largest, Yahoo!, Google and
Lycos - which meant that people were unable to access the sites.

The spokesman denied however that it was an outage and ****said that the
Akamai name service continued to function throughout the attack**** which
ended around two hours later.





Ben Nelson
to full-disclosure
Jun 15 (4 days ago)

Keep in mind that the term 'DoS' doesn't necessarily mean 'flood of
traffic'. A denial of service is just that... a _denial of service_
by any means, and I'd say that there was definitely some service being
denied. Don't think so? ... ask Google or Yahoo.

- --Ben

james edwards wrote:
|>I've just been told that it was a DoS. No details.
|
|
| Unlikely, Akamai is an overlay network & the root content node is not
| reachable. Akamai can in real time spread web traffic throughout their
| global network of servers, diluting a DoS to the point it is not
| significant. It is more likely that the complexity of the overlay network
| was the cause. Last week it was a DNS issue and it seemed much the same
| this week. Provided you know the IPs of the content servers you would find
| they were still up. At least that was what I was seeing.
|
| Here is some info on Overlay Networks:
| http://nms.lcs.mit.edu/ron/
| http://nms.lcs.mit.edu/ron/#papers
|
| Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
| is quite interesting.
| http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
|


scosol[ at ]scosol.org
to james, full-disclosure
Jun 15 (4 days ago)
james edwards wrote:
>>I've just been told that it was a DoS. No details.
>
>
> Unlikely, Akamai is an overlay network & the root content node is not
> reachable. Akamai can in real time spread web traffic throughout their
> global network of servers, diluting a DoS to the point it is not
> significant. It is more likely that the complexity of the overlay network
> was the cause. Last week it was a DNS issue and it seemed much the same
> this week.

I don't think so- yeah a DOS against the content nodes isn't gonna do
much but a DOS against their nameservers is fully workable.

--
"jupiter accepts your offer"
AIM: IMFDUP
http://www.scosol.org/




james edwards
to full-disclosure
Jun 15 (4 days ago)
> "Young called it a "large scale, international attack on Internet
> infrastructure." However, there was no evidence that non-Akamai
> infrastructure was affected."
>
> http://apnews.excite.com/article/20040615/D837KIU00.html
>
> Regards,
> Brent


With an attack of this indicated size, there are always choke points
just prior to the DoS traffic hitting the intended hosts. These choke points
tend to be NAPs or IXes. The real harm gets done at these points, where
the DoS converges. So far no one has spoken up on NANOG with issues
at NAPs or IXes. With the last big DDoS of the DNS roots, the roots never
went down; it was the access points just prior to the root that took the
beating. I had no problems with any east or west coast NAPs or IXes this
morning, nor were any problems reported on NANOG.


james




james edwards
to full-disclosure
Jun 15 (4 days ago)

>
> I don't think so- yeah a DOS against the content nodes isn't gonna do
> much but a DOS against their nameservers is fully workable.

Akamai seems to be saying the NS was functioning:


The spokesman denied however that it was an outage and ****said that the
Akamai name service continued to function throughout the attack**** which
ended around two hours later.



james edwards
to full-disclosure
Jun 15 (4 days ago)
> Keep in mind that the term 'DoS' doesn't necessarily mean 'flood of
> traffic'. A denial of service is just that... a _denial of service_
> by any means, and I'd say that there was definitely some service being
> denied. Don't think so? ... ask Google or Yahoo.
>
> - --Ben


Actually I did not say this part:

>
> james edwards wrote:
> |>I've just been told that it was a DoS. No details.

I would agree that a DoS can be many things. But if you are able to read for
context, it is clear the below is speaking of a DoS in the flood-of-traffic
context.

This part is me:



> |
> |
> | Unlikely, Akamai is an overlay network & the root content node is not
> | reachable. Akamai can in real time spread web traffic throughout their
> | global network of servers, diluting a DoS to the point it is not
> | significant. It is more likely that the complexity of the overlay network
> | was the cause. Last week it was a DNS issue and it seemed much the same
> | this week. Provided you know the IPs of the content servers you would find
> | they were still up. At least that was what I was seeing.
> |
> | Here is some info on Overlay Networks:
> | http://nms.lcs.mit.edu/ron/
> | http://nms.lcs.mit.edu/ron/#papers
> |
> | Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
> | is quite interesting.
> | http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
> |


Bob Beringer
to full-disclosure
Jun 15 (4 days ago)
All,

Just found this site: http://bugmenot.com/
It will help you bypass registration, if you would like :-)

v/r
Bob Beringer


"Chris Carlson" <chris[ at ]compucounts.com> wrote:

http://www.washingtonpost.com/wp-dyn/articles/A43635-2004Jun15.html

Need to register, but it's no hassle.
I'd mirror to my server, but copyright blah blah blah.

Anyone have any more info?

> -----Original Message-----
> From: full-disclosure-admin[ at ]lists.netsys.com
> [mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of
> james edwards
> Sent: Tuesday, June 15, 2004 16:45
> To: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] Akamai
>
> > I've just been told that it was a DoS. No details.
>
> Unlikely, Akamai is an overlay network & the root content
> node is not reachable.
> Akamai can in real time spread web traffic throughout their
> global network of servers, diluting a DoS to the point it is
> not significant. It is more likely that the complexity of the
> overlay network was the cause. Last week it was a DNS issue
> and it seemed much the same this week. Provided you know the
> IPs of the content servers you would find they were still
> up. At least that was what I was seeing.
>
> Here is some info on Overlay Networks:
> http://nms.lcs.mit.edu/ron/
> http://nms.lcs.mit.edu/ron/#papers
>
> Dr. Anderson's "Mayday: Distributed Filtering for Internet Services"
> is quite interesting.
> http://nms.lcs.mit.edu/papers/mayday-usits2003/paper.html
>
> --
> James H. Edwards
> Routing and Security Administrator
> At the Santa Fe Office: Internet at Cyber Mesa
> jamesh[ at ]cybermesa.com noc[ at ]cybermesa.com
> (505) 795-7101
>


scosol
to james, full-disclosure
Jun 15 (4 days ago)
james edwards wrote:

>>I don't think so- yeah a DOS against the content nodes isn't gonna do
>>much but a DOS against their nameservers is fully workable.
>
>
> Akamai seems to be saying the NS was functioning:
>
> The spokesman denied however that it was an outage and ****said that the
> Akamai name service continued to function throughout the attack**** which
> ended around two hours later.

That's BS-

See these Symantec and Apple graphs- the outage was clearly at the DNS
level:

http://anon.scosol.speedera.net/anon.scosol/apple_outage.png
http://anon.scosol.speedera.net/anon.scosol/symantec_outage.png

It's my 24/7 job to monitor Akamai :)




Darren Reed
to james, full-disclosure
Jun 15 (4 days ago)
> "Young called it a "large scale, international attack on Internet
> infrastructure." However, there was no evidence that non-Akamai
> infrastructure was affected."
>
> http://apnews.excite.com/article/20040615/D837KIU00.html
>
> Regards,
> Brent

I'm curious to know if organised crime was involved, or was it
some rogue hacker/group, or just a technical glitch?

Reports say the attack stopped after ~2 hours, but why?

Someone must have "called it off" but in response to what?

If so, was it just a demonstration of "power" or something else?

After reading about extortion attempts by various groups that use
DoS tactics to impact web sales, clearly the nature of all DoS
attacks against large sites must be looked at in more depth to
get a good picture of what is happening.

This is a whole new play ground for organised crime, mostly thanks
to Microsoft. You've got millions of PC's around the world that
are largely, in one way or another, susceptible to computer virii,
making them open targets for use as minions. And the perfect seed
for spreading them is the databases of email addresses used by
spammers...

What's interesting is that in contrast to old-school protection
rackets, there appears to be no offering of protection from attack
by others.

Darren




tcleary2[ at ]csc.com.au
to full-disclosure
Jun 16 (3 days ago)
Darren Reed said:

>What's interesting is that in contrast to old-school protection
>rackets, there appears to be no offering of protection from attack
>by others.

IIRC the main purpose of DoS attacks ( apart from kiddie fights )
is to allow a trust exploit/MITM to succeed - e.g. session hijacking.

Maybe someone wanted to plant something by pretending to be the
WindowsUpdate site?

If you're Akamai'd, poisoning DNS would be harder, but changing
IP address wouldn't seem unusual, would it?

Regards,

tom.

----------------------------------------------------------------------------------------
Tom Cleary - Security Architect

"In IT, acceptable solutions depend upon humans - Computers don't
negotiate."
----------------------------------------------------------------------------------------




Paul Schmehl
to full-disclosure
Jun 16 (3 days ago)
--On Wednesday, June 16, 2004 11:53:23 AM +1000 Darren Reed
<avalon[ at ]caligula.anu.edu.au> wrote:
>
> This is a whole new play ground for organised crime, mostly thanks
> to Microsoft. You've got millions of PC's around the world that
> are largely, in one way or another, susceptible to computer virii,
> making them open targets for use as minions. And the perfect seed
> for spreading them is the databases of email addresses used by
> spammers...
>
If networks simply took responsibility for the traffic that comes from
them, this problem wouldn't exist. It's completely trivial to find
infected hosts on a network through passive monitoring. They should then
be disconnected until they are properly cleaned and secured.

Unless networks begin doing this routinely (including ISPs), legislation
will be introduced to "solve" the problem, and then we will all be much
worse off. There's nothing like a law to completely screw things up.

Paul Schmehl (pauls[ at ]utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/




Peter van den Heuvel
to full-disclosure
Jun 16 (3 days ago)
Paul Schmehl wrote:
> If networks simply took responsibility for the traffic that comes from
> them, this problem wouldn't exist.
Indeed. DNS's, AS's and what not else is required to make the internet
tick; all is centrally controlled and delegated. What's missing is a
flanking reverse of responsibilities. It's idiotic that providers or even
full countries can completely ignore / reject any complaint without
having their AS or DNS taken down.

> Unless networks begin doing this routinely (including ISPs), legislation
> will be introduced to "solve" the problem, and then we will all be much
> worse off. There's nothing like a law to completely screw things up.
Amen!

Peter




Ron DuFresne
to Paul, full-disclosure
Jun 16 (3 days ago)

Might as well toss in egress filtering to prevent many of the abuses of
spoofing that happen in the present env of the internet. The ISP and
others will claim that this is far too costly for their routers to handle,
but, for the vast majority of sites, this is likely to not be as costly as
the network folks are claiming as a way to avoid doing a tad bit more work
in their router configs. Some of the worst sites for spoofing abuses, and
those that have networkies that will complain the loudest, are the .edu's.

Thanks,

Ron DuFresne

[SNIP]

> >
> If networks simply took responsibility for the traffic that comes from
> them, this problem wouldn't exist. It's completely trivial to find
> infected hosts on a network through passive monitoring. They should then
> be disconnected until they are properly cleaned and secured.
>
> Unless networks begin doing this routinely (including ISPs), legislation
> will be introduced to "solve" the problem, and then we will all be much
> worse off. There's nothing like a law to completely screw things up.
>
> Paul Schmehl (pauls[ at ]utdallas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
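Paul Schmehl's point that infected hosts can be found by passive monitoring, and Ron DuFresne's call for egress filtering against spoofed sources, applied to flow records in an added Python example (not code from the thread or from any of the posters). The prefixes, addresses, flow records and thresholds are constructed for illustration.

```python
"""Passive flow-log triage and BCP 38-style egress filtering.

Added example, not code from the thread. Two checks a network operator
could run over exported flow records:
  * egress_filter(): drop outbound flows whose source address is not in
    the site's own prefixes (what an egress filter at the border does).
  * suspicious_hosts(): flag internal hosts whose outbound traffic has the
    fan-out, SYN-only shape of a DoS bot, found purely by watching traffic.
All prefixes, addresses, flow records and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the address space this site is entitled to originate from.
OUR_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (constructed shape, NetFlow-like)."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int
    flags: str  # TCP flags observed, e.g. "S" = SYN only, "SA" = handshake


def is_spoofed_egress(flow: Flow) -> bool:
    """True if the flow leaves the site with a source address we do not own."""
    src = ip_address(flow.src)
    return not any(src in net for net in OUR_PREFIXES)


def egress_filter(flows):
    """Split outbound flows into (allowed, dropped), as a BCP 38 egress
    filter would: anything with a foreign source address is dropped."""
    allowed, dropped = [], []
    for f in flows:
        (dropped if is_spoofed_egress(f) else allowed).append(f)
    return allowed, dropped


def suspicious_hosts(flows, fanout_threshold=50, syn_ratio=0.9):
    """Passive detection of likely-infected internal hosts.

    A host is flagged when it talks to at least `fanout_threshold` distinct
    destinations and at least `syn_ratio` of its flows are SYN-only with at
    most two packets (connections that never complete). Returns
    {host: (distinct_destinations, syn_only_ratio)}.
    """
    dsts = defaultdict(set)
    syn_only = defaultdict(int)
    total = defaultdict(int)
    for f in flows:
        if is_spoofed_egress(f):
            continue  # attributed to the egress filter, not to a host
        dsts[f.src].add(f.dst)
        total[f.src] += 1
        if f.flags == "S" and f.packets <= 2:
            syn_only[f.src] += 1
    flagged = {}
    for host, seen in dsts.items():
        ratio = syn_only[host] / total[host]
        if len(seen) >= fanout_threshold and ratio >= syn_ratio:
            flagged[host] = (len(seen), round(ratio, 2))
    return flagged


def constructed_flows():
    """Constructed sample: a normal workstation, a bot, and a spoofing host."""
    flows = []
    # Normal host: a few completed HTTPS sessions to a handful of servers.
    for i in range(5):
        flows.append(Flow("192.0.2.10", f"203.0.113.{i}", 443, 40, 30000, "SA"))
    # Infected host: single-packet SYNs to 120 distinct destinations.
    for i in range(120):
        flows.append(Flow("192.0.2.77", f"198.18.0.{i}", 80, 1, 60, "S"))
    # Compromised host forging a source address outside our prefixes.
    for _ in range(10):
        flows.append(Flow("10.9.8.7", "203.0.113.200", 53, 1, 80, ""))
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    allowed, dropped = egress_filter(sample)
    print(f"egress filter: {len(allowed)} allowed, {len(dropped)} dropped")
    for host, (fanout, ratio) in suspicious_hosts(allowed).items():
        print(f"suspicious host {host}: {fanout} destinations, "
              f"{ratio:.0%} SYN-only flows")
```

The thresholds are deliberately coarse; in practice they are tuned per site against a baseline of normal fan-out so that scanners and mail servers do not trip them.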




valdis.kletnieks[ at ]vt.edu
to Peter, full-disclosure
Jun 16 (3 days ago)
On Wed, 16 Jun 2004 21:26:45 +0200, Peter van den Heuvel <peter[ at ]bank-connect.com> said:
> Indeed. DNS's, AS's and what not else is required to make the internet
> tick; all is centrally controlled and delegated. What's missing is a
> flanking reverse of responsibilities. It's idiotic that providers or even
> full countries can completely ignore / reject any complaint without
> having their AS or DNS taken down.

In other arenas, they call the concept "diplomatic immunity"....




Peter van den Heuvel
to full-disclosure
Jun 16 (3 days ago)
Yo!

> In other arenas, they call the concept "diplomatic immunity"....
Indeed. And it is almost as idiotic there. But the issue is that the
Internet does not have any "reverse responsibility" mechanism; an evil
minor-player under a lax-average-provider can do whatever he feels
suits him best, and disregard majority opinion. An anarchy without even
fundamental feedback regulatory mechanisms is simply prey; me paying for
another's fortune. And the least thing that would work is governments
imposing their preferences. So maybe ICANN and the likes should consider
some form of responsibility in these matters.

Alas, Peter




gabriel rosenkoetter
<gr[ at ]eclipsed.net> to full-disclosure
Jun 16 (3 days ago)
On Wed, Jun 16, 2004 at 04:57:10PM -0400, Valdis.Kletnieks[ at ]vt.edu wrote:
> On Wed, 16 Jun 2004 21:26:45 +0200, Peter van den Heuvel <peter[ at ]bank-connect.com> said:
> > flanking reverse of responsibilities. It's idiotic that providers or even
> > full countries can completely ignore / reject any complaint without
> > having their AS or DNS taken down.
> In other arenas, they call the concept "diplomatic immunity"....

In those same arenas, they call the denial of privilege by an
unrecognized entity (or entities) "anarchy". Which is one of those
things that sounds like a really good idea till you're no longer
in the de facto majority. ("They came for...")

On Wed, Jun 16, 2004 at 12:23:35PM -0500, Paul Schmehl wrote:
> Unless networks begin doing this routinely (including ISPs), legislation
> will be introduced to "solve" the problem, and then we will all be much
> worse off. There's nothing like a law to completely screw things up.

Actually, a clearly defined, limited, exact law is precisely what
we need here. We just lack any appropriate legislative body. (No
national legislature qualifies, and no international body--they
exist: NATO, UN, EU--can make a plausible claim to jurisdiction.)

--
gabriel rosenkoetter
gr[ at ]eclipsed.net



Niek Baakman
to full-disclosure
Jun 17 (2 days ago)
Niek Baakman wrote:

> Hi list,
>
> Akamai disappeared from the internet about an hour ago.
> (All their DNS servers are dead, hence many companies that
> use Akamai are unreachable: microsoft.com, liveupdate.symantec.com,
> Apple, some search engines.)
>
> Does anyone know if it is security-related (DDoS, something else)?
>
> Regards,
>
> Niek

http://www.computerworld.com/securitytopics/security/story/0,10801,93875,00.html?SKC=security-93875


Regards,

Niek



Darren Reed
to Paul, full-disclosure
Jun 17 (2 days ago)
In some mail from Paul Schmehl, sie said:
>
> --On Wednesday, June 16, 2004 11:53:23 AM +1000 Darren Reed
> <avalon[ at ]caligula.anu.edu.au> wrote:
> >
> > This is a whole new play ground for organised crime, mostly thanks
> > to Microsoft. You've got millions of PC's around the world that
> > are largely, in one way or another, susceptible to computer virii,
> > making them open targets for use as minions. And the perfect seed
> > for spreading them is the databases of email addresses used by
> > spammers...
> >
> If networks simply took responsibility for the traffic that comes from
> them, this problem wouldn't exist. It's completely trivial to find
> infected hosts on a network through passive monitoring. They should then
> be disconnected until they are properly cleaned and secured.
>
> Unless networks begin doing this routinely (including ISPs), legislation
> will be introduced to "solve" the problem, and then we will all be much
> worse off. There's nothing like a law to completely screw things up.

That depends upon whose pockets the legislators responsible live in.

In America, the legislature seems loath to do anything that impedes
people making money, and companies will lobby senators and congressmen to
ensure this stays the same (c.f. comments about Microsoft and others
trying to ensure that the FCC doesn't decide that VoIP people deserve
the same kind of basic service as POTS).

In other countries, you might find the legislators are more influenced
by organised crime and so you're not likely to get as much assistance
in combatting the root cause of these problems.

But I'm sure that ISPs would argue that being forced to take responsibility
for the traffic that comes from them is an excellent example of legislation
getting in the way and screwing things up.

Darren

M$: [Full-Disclosure] MS Anti Virus?

Andre Ludwig
to full-disclosure
Jun 16 (3 days ago)
Oh this should be good...

http://www.reuters.com/newsArticle.jhtml?storyID=5429092

SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
Research) is still on track to offer an anti-virus product that will
compete against similar software offered by Symantec Corp. (SYMC.O:
Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
Profile, Research) , the world's largest software maker said late on
Monday.

Mike Nash, chief of Microsoft's security business unit, told reporters
that Microsoft is developing software to protect personal computers
running Windows against malicious software, the worms and viruses that
have plagued users with data loss, shutdowns and disruptions in Web
traffic in recent years.

"We're still planning to offer our own AV (anti-virus) product," Nash said.

Asked if that would hurt sales of competing products, such as Network
Associates' McAfee and Symantec's Norton family of products, Nash said
that Microsoft said that it would sell its anti-virus program as a
separate product from Windows, rather than including it in Windows.

Redmond, Washington-based Microsoft acquired anti-virus technology from GeCAD
Software Srl., a Romanian software company, last year to develop its
own software.

Microsoft, whose Windows operating system is a favorite target for
computer viruses, launched a company-wide "Trustworthy Computing"
campaign in early 2002 to boost the security and reliability of its
software.

Nash did not give a time frame for the release of Microsoft's
anti-virus software.

and another

http://www.entmag.com/news/article.asp?EditorialsID=6272

by Scott Bekker

6/16/04

Microsoft is leaning toward offering a paid anti-virus subscription service.

Mike Nash, corporate vice president for the security business and
technology unit at Microsoft, said Microsoft will probably sell its
own anti-virus software and subscription service. It is the first
public signal that Microsoft intends to turn its acquisition of the
Romanian anti-virus company GeCAD into a product customers pay for.

The comments came up at a dinner with reporters in Seattle on Monday
night when Nash was asked how Microsoft's anti-virus efforts might
affect Symantec. "I want to make sure customers have another choice,"
the Bloomberg News agency quoted Nash as saying. "Some people will
continue to use Symantec, and some will use ours."


Shares of Symantec, which gets 85 percent of its revenues from
anti-virus products, were down following Nash's comments, according to
Bloomberg.

Previously, Microsoft had been coy about its plans for GeCAD, which it
acquired last June. "This acquisition will help us and our partner
anti-virus providers further mitigate risks from these threats," Nash
said at the time, implying Microsoft would use GeCAD's programming
talent to make Windows and other Microsoft products more resistant to
viruses.

But Microsoft also immediately indicated at the time that it was fully
evaluating how to proceed with GeCAD's technology and employees. In a
white paper published last June on Microsoft's Web site, the company
wrote, "Details of the Microsoft antivirus solution, including any
product plans, pricing, and a timeline for delivery, are not yet
available. Microsoft strongly recommends that customers continue to
use antivirus solutions from industry partners and keep their virus
signatures updated."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________


Andre Ludwig
to slacker, full-disclosure
Jun 16 (3 days ago)
Think the mafia refers to this as a protection racket...

Man, so much can be made of this; it's a techy comedy gold mine.

"our software sucks so bad that the market for anti virus software for
our platform is such a lucrative market that we can't stay out of it"

Andre Ludwig CISSP

On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
>
> <snip>
> > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > Research) is still on track to offer an anti-virus product that will
> > compete against similar software offered by Symantec Corp. (SYMC.O:
> > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > Profile, Research) , the world's largest software maker said late on
>
> Oh yeah, what's the average delay to release on exploit patches? What makes
> me think that they are going to be that slow on releasing AV updates? =P
>
> slacker
>
>

_______________________________________


Chris Cappuccio
<chris[ at ]nmedia.net> to Andre, slacker, full-disclosure
Jun 16 (3 days ago)
I hate to say this, but I don't think Microsoft software could be any
worse than Symantec...

Andre Ludwig [andre.ludwig[ at ]gmail.com] wrote:
> Think the mafia refers to this as a protection racket...
>
> Man, so much can be made of this; it's a techy comedy gold mine.
>
>
> "our software sucks so bad that the market for anti virus software for
> our platform is such a lucrative market that we can't stay out of it"
>
> Andre Ludwig CISSP
>
> On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
> >
> > <snip>
> > > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > Research) is still on track to offer an anti-virus product that will
> > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > Profile, Research) , the world's largest software maker said late on
> >
> > Oh yeah, what's the average delay to release on exploit patches? What makes
> > me think that they are going to be that slow on releasing AV updates? =P
> >
> > slacker
> >
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
"When it absolutely, positively had to be there yesterday: Temporal Express"

_______________________________________


Todd Burroughs
<todd[ at ]hostopia.com> to Chris, Andre, slacker, full-disclosure
Jun 17 (2 days ago)
They are planning to get into a market that guards against the failures
in their own product. I don't like this, as it seems that they are going
to be in a position to intentionally make holes that their "anti-virus"
software will fix. If we had a more competitive market in this type of
software there would be no market for AV software and the AV companies
would be making better operating systems. Remember, Microsoft is a
marketing company and they are very good at it and very powerful.

Educate your friends and family. Unfortunately, there isn't much choice
right now, but someone will do for Linux (or *BSD) what Apple has done.
If Apple was smart, they would make an OS for PCs. Maybe they will...

It's sad that we are wasting so many resources on what should be a
non-problem.

Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and
share on a global scale without borders; fight to keep it that way.

On Wed, 16 Jun 2004, Chris Cappuccio wrote:

> I hate to say this, but I don't think Microsoft software could be any
> worse than Symantec...
>
> Andre Ludwig [andre.ludwig[ at ]gmail.com] wrote:
> > Think the mafia refers to this as a protection racket...
> >
> > Man, so much can be made of this; it's a techy comedy gold mine.
> >
> >
> > "our software sucks so bad that the market for anti virus software for
> > our platform is such a lucrative market that we can't stay out of it"
> >
> > Andre Ludwig CISSP
> >
> > On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
> > >
> > > <snip>
> > > > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > > Research) is still on track to offer an anti-virus product that will
> > > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > > Profile, Research) , the world's largest software maker said late on
> > >
> > > Oh yeah, what's the average delay to release on exploit patches? What makes
> > > me think that they are going to be that slow on releasing AV updates? =P
> > >
> > > slacker
> > >
> > >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> "When it absolutely, positively had to be there yesterday: Temporal Express"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________


Chris Cappuccio
<chris[ at ]nmedia.net> to Todd, full-disclosure
Jun 17 (2 days ago)
Todd Burroughs [todd[ at ]hostopia.com] wrote:
> They are planning to get into a market that guards against the failures
> in their own product. I don't like this, as it seems that they are going
> to be in a position to intentionally make holes that their "anti-virus"
> software will fix. If we had a more competitive market in this type of

I hate to break it to you, but being the Monopoly, they've been in this
position since the days of MS-DOS. The fix was always to buy the next version.
Of course, now we're talking about a more specific type of software bug than we
were before. There's nothing new and exciting about Microsoft entering
the AV market, except, perhaps we may see software that is better than
some of the other spew out there.

Ok, that was phrased incorrectly. I couldn't possibly feel _excited_ by this
new software from Microsoft. That would be like rushing to McDonald's for a
salad-in-a-cup. What I mean to say is that Microsoft seems to have an easy
time matching and exceeding the quality of many third parties (maybe since
everyone writes such shit software!)

> software there would be no market for AV software and the AV companies
> would be making better operating systems. Remember, Microsoft is a
> marketing company and they are very good at it and very powerful.
>

You would run an operating system written by Symantec? Commercial AV vendors
are the epitome of junk software. The thought just makes me cringe. Better
operating systems? Better than what?

> It's sad that we are wasting so many resources on what should be a
> non-problem.
>

The fact that Microsoft has the monopoly reflects social and economic values,
not technical ones. So, it's largely irrelevant to the thousands of people
who happily run other operating systems. If it seems sad to you, then most of
the world probably makes you cry. (Hey, that's OK, it gets to me from time
to time as well)

-c

_______________________________________


npguy
to full-disclosure
Jun 17 (2 days ago)
M$ anti-virus free with every Outlook 2005.

On Thursday 17 June 2004 08:41 am, Chris Cappuccio wrote:
> I hate to say this, but I don't think Microsoft software could be any
> worse than Symantec...
>
> Andre Ludwig [andre.ludwig[ at ]gmail.com] wrote:
> > Think the mafia refers to this as a protection racket...
> >
> > Man, so much can be made of this; it's a techy comedy gold mine.
> >
> >
> > "our software sucks so bad that the market for anti virus software for
> > our platform is such a lucrative market that we can't stay out of it"
> >
> > Andre Ludwig CISSP
> >
> > On Wed, 16 Jun 2004 19:41:49 -0400, slacker <leetslacker[ at ]softhome.net> wrote:
> > > <snip>
> > >
> > > > SEATTLE (Reuters) - Microsoft Corp. (MSFT.O: Quote, Profile,
> > > > Research) is still on track to offer an anti-virus product that will
> > > > compete against similar software offered by Symantec Corp. (SYMC.O:
> > > > Quote, Profile, Research) and Network Associates Inc. (NET.N: Quote,
> > > > Profile, Research) , the world's largest software maker said late on
> > >
> > > Oh yeah, what's the average delay to release on exploit patches? What
> > > makes me think that they are going to be that slow on releasing AV
> > > updates? =P
> > >
> > > slacker
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________


joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 17 (2 days ago)
My initial thought of a response to this was something along the lines of do
you wear an aluminum foil helmet as you seem to fit the profile... I decided
against that. I mean I still think it but I think this response is
better....

Antivirus software will probably always be around. Why? Because it is mostly
software to prevent uneducated users from hurting themselves and it is
probably impossible to get to a point that all users will be educated and
there won't be ways to hurt themselves and people specifically trying to
hurt them. While AV is simply an extension of the user interface of the OS,
at this point in the game if the OS vendor treats it that way it would
simply result in lawsuits by the AV vendors against the OS vendors which is
why MS will have to sell what they have.

It is possible now to run without AV software and be safe. If you are a fully
educated user and take precautions and patch when the patches are available,
you will be pretty safe even if you don't run AV and there are probably many
users on this list that fit that category and don't run AV.

Many of the recent viruses hitting the corporate world haven't been holes in
MS products causing the problem. It has been good social engineering. One of
the more recent ones that had me laughing was an email that came through
with a password protected zip file with the password in the email and the
note sounding like it came from the IT dept. People all over the world
opened that up and ran it. If they had had to download it,
chmod it, and then run it, they would have done so if the instructions had
said so. Yes, you could probably stop this with a simple note in a small
company, maybe 50, 100, 1000 people. This was a company comprising 250k people
from around the world and no simple note was going to do the trick. You
could also lock machines down to the point that they are merely kiosks as
well but this isn't realistic except in a tightly controlled corporate
environment and even still you would have considerable bitching by users who
wanted more control.

I don't care what OS you run, if it is a user popular OS and if that OS gets
targeted by someone with a clever social engineering scheme, it will have
impact.

I have pretty close ties to MS so most of your posts simply make me smirk. I
have met and talked with many developers there and know how busy they are
and that they are mostly good guys trying to do a good job. Now that the
company has switched to a more secure stance they are allowed to do more
good whereas before they didn't have a hammer in terms of security.

I have had "official" access to MS OS source now for almost a year and can
say that the code base is huge. While it is possible that someone could bury
something in there purposely it is more likely that someone makes a mistake
and doesn't understand all of the different ways that their function or
module could be used. This is changing, the new code being written is being
looked at very closely for security now and not just functionality. I know I
know... "MS did a complete security review of all code when they made this
decision and....". Again this code base is huge, no way they could catch
everything. I am, however, not happy about some of the things that have
gotten through such as the various USN/BER encoding and RPC issues but it is
getting better whether you want to admit it or not.


joe


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Todd Burroughs
Sent: Thursday, June 17, 2004 5:04 AM
To: Chris Cappuccio
Cc: Andre Ludwig; slacker; full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

They are planning to get into a market that guards against the failures in
their own product. I don't like this, as it seems that they are going to be
in a position to intentionally make holes that their "anti-virus"
software will fix. If we had a more competitive market in this type of
software there would be no market for AV software and the AV companies would
be making better operating systems. Remember, Microsoft is a marketing
company and they are very good at it and very powerful.

Educate your friends and family. Unfortunately, there isn't much choice
right now, but someone will do for Linux (or *BSD) what Apple has done.
If Apple was smart, they would make an OS for PCs. Maybe they will...

It's sad that we are wasting so many resources on what should be a
non-problem.

Todd Burroughs
---
The Internet has given us unprecedented opportunity to communicate and share
on a global scale without borders; fight to keep it that way.

_______________________________________


Steffen Schumacher
<ssch[ at ]wheel.dk> to joe, full-disclosure
Jun 17 (2 days ago)
On 17.06.2004 10:11:06 +0000, joe wrote:
> My initial thought of a response to this was something along the lines of do
> you wear an aluminum foil helmet as you seem to fit the profile... I decided
> against that. I mean I still think it but I think this response is
> better....
>
> Antivirus software will probably always be around. Why? Because it is mostly
> software to prevent uneducated users from hurting themselves and it is
> probably impossible to get to a point that all users will be educated and
> there won't be ways to hurt themselves and people specifically trying to
> hurt them. While AV is simply an extension of the user interface of the OS,
> at this point in the game if the OS vendor treats it that way it would
> simply result in lawsuits by the AV vendors against the OS vendors which is
> why MS will have to sell what they have.
>
> It is possible now to run without AV software and be safe. If you are a fully
> educated user and take precautions and patch when the patches are available,
> you will be pretty safe even if you don't run AV and there are probably many
> users on this list that fit that category and don't run AV.
>
> Many of the recent viruses hitting the corporate world haven't been holes in
> MS products causing the problem. It has been good social engineering. One of
> the more recent ones that had me laughing was an email that came through
> with a password protected zip file with the password in the email and the
> note sounding like it came from the IT dept. People all over the world
> opened that up and ran it. If they had had to download it,
> chmod it, and then run it, they would have done so if the instructions had
> said so. Yes, you could probably stop this with a simple note in a small
> company, maybe 50, 100, 1000 people. This was a company comprising 250k people
> from around the world and no simple note was going to do the trick. You
> could also lock machines down to the point that they are merely kiosks as
> well but this isn't realistic except in a tightly controlled corporate
> environment and even still you would have considerable bitching by users who
> wanted more control.
>

While I have no numbers to back this up, I do think that worms are far worse
when it comes to the extent to which viruses spread, and speed.
It is my belief that most worms are based upon MS exploits, rather than social
engineering.

It is my belief that we will simply have to wait until MS cleans up their act,
which they should be doing, before the world becomes a better place to live.

I realize that this doesn't clear situations like the one above, but in general
such situations can't really be solved unless all mails are scanned extensively,
and / or the people are educated enough so that they never should run executables
received from mail (it's actually quite simple to me). The *real* IT department
could then link to the executable and place it on an intranet server which
would be secure.

/Steffen


> I don't care what OS you run, if it is a user popular OS and if that OS gets
> targeted by someone with a clever social engineering scheme, it will have
> impact.
>
> I have pretty close ties to MS so most of your post simply make me smirk. I
> have met and talked with many developers there and know how busy they are
> and that they are mostly good guys trying to do a good job. Now that the
> company has switched to a more secure stance they are allowed to do more
> good whereas before they didn't have a hammer in terms of security.
>
> I have had "official" access to MS OS source now for almost a year and can
> say that the code base is huge. While it is possible that someone could bury
> something in there purposely it is more likely that someone makes a mistake
> and doesn't understand all of the different ways that their function or
> module could be used. This is changing, the new code being written is being
> looked at very closely for security now and not just functionality. I know I
> know... "MS did a complete security review of all code when they made this
> decision and....". Again this code base is huge, no way they could catch
> everything. I am, however, not happy about some of the things that have
> gotten through such as the various USN/BER encoding and RPC issues but it is
> getting better whether you want to admit it or not.
>
>
> joe
>
>
> -----Original Message-----
> From: full-disclosure-admin[ at ]lists.netsys.com
> [mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Todd Burroughs
> Sent: Thursday, June 17, 2004 5:04 AM
> To: Chris Cappuccio
> Cc: Andre Ludwig; slacker; full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
>
> They are planning to get into a market that guards against the failures in
> their own product. I don't like this, as it seems that they are going to be
> in a position to intentionally make holes that their "anti-virus"
> software will fix. If we had a more competitive market in this type of
> software there would be no market for AV software and the AV companies would
> be making better operating systems. Remember, Microsoft is a marketing
> company and they are very good at it and very powerful.
>
> Educate your friends and family. Unfortunately, there isn't much choice
> right now, but someone will do for Linux (or *BSD) what Apple has done.
> If Apple was smart, they would make an OS for PCs. Maybe they will...
>
> It's sad that we are wasting so many resources on what should be a
> non-problem.
>
> Todd Burroughs
> ---
> The Internet has given us unprecedented opportunity to communicate and share
> on a global scale without borders; fight to keep it that way.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________


Eric Paynter
<eric[ at ]arcticbears.com> to full-disclosure
Jun 17 (2 days ago)
On Thu, June 17, 2004 2:45 am, Chris Cappuccio said:
> The fact that Microsoft has the monopoly reflects social and economic
> values, not technical ones.

I'm not sure if "values" is the right word. They got there by signing an
exclusive deal with IBM back when IBM made the only "serious" business
computers and the Mac was thought to be a toy. They stayed there by using
unethical and illegal tactics to coerce other vendors to bend to their
will - something only a monopoly can do.

-Eric

_______________________________________


joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 17 (2 days ago)
However the worms would be blocked if people had patched their machines or
otherwise properly administered the machines they were responsible for. All
of the worms that I think you are probably referring to had patches well
in advance of the worm that impacted it: Blaster, Slammer, Sasser, etc.

Home users never should have been impacted as they should be running
firewall software on the internet connections. The fact that they don't
isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
of that they should be patching when necessary.

Corporate users shouldn't have been impacted either and were only because
the IT department didn't keep the machines patched properly. Too many
companies run on a deploy and forget strategy, this doesn't work for any OS
be it Windows, *nix, or IOS. I am not saying keeping them patched is an easy
task, I managed 400 servers in a Fortune 5 company that were distributed
around the world. None of them ran antivirus, none of them got infected by
either viruses or worms, and none of them allowed any but a small number
of people to have admin rights to do harm to them. When a patch came out
that affected those servers, it was on the machines in a rather quick
fashion, generally within 72 hours depending on testing times.

Thinking that there will never be code patches required isn't realistic. It
is humans writing the code and even the humans writing the other OSes make
mistakes and need to release patches. If the people who manage the machines
don't take the time to apply the patches then the issue isn't an MS issue,
it is an admin issue.


> The *real* IT department could then link to the
> executable and place it on an intranet server
> which would be secure.

This is an interesting idea but I can't see how one could do it in a
feasible manner in a large company that is receiving hundreds of thousands
of emails from the outside a day. Also you would have to watch for internal
emails and attachments as well because you could get an infected machine on
the inside. Now in large companies you are up to millions of emails.

My recommendation to the email manager at the time of the last major
outbreak where they started just stripping all ZIPs from emails was that they
strip ALL attachments that didn't have a specific internally defined
extension on them, that way they knew it was a purposeful thing that that
attachment was there. The extension would be something specific to a company
and people involved know that extension. Obviously this is just a crutch to
block the issue with well known executable file extensions.

The file associations are a tough thing to repeal since they are so deeply
embedded in how things are done on Windows and people have gotten so used to
them; it made life easier for a majority of the users and was a great idea
at the time. Now however, if you, for instance, removed the DOC extension
from the file associations half the corporate Windows Admins out there would
be at a complete loss as to why Word wasn't working... Those bad Windows
Admins are partially MS's fault, but mostly the fault of companies who look
for cheap admins versus good admins.

joe


-----Original Message-----
From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
Sent: Thursday, June 17, 2004 10:43 AM
To: joe
Cc: full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

While I have no numbers to back this up, I do think that worms are far worse
when it comes to the extent to which viruses spread, and speed.
It is my belief that most worms are based upon MS exploits, rather than
social engineering.

It is my belief that we will simply have to wait until MS cleans up their
act, which they should be doing, before the world becomes a better place to
live.

I realize that this doesn't clear situations like the one above, but in
general such situations can't really be solved unless all mails are scanned
extensively, and / or the people are educated enough so that they never
should run executables received from mail (it's actually quite simple to
me). The *real* IT department could then link to the executable and place
it on an intranet server which would be secure.

/Steffen

_______________________________________
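Two of joe's points above lend themselves to a concrete gateway rule: the attachment allowlist he recommended (strip every attachment whose extension is not an internally defined one, rather than chasing known executable extensions) and, from his earlier post, the lure of a password-protected zip with the password in the mail body. The following is an added example written for this page, not code from joe or from any product in the thread. The internal extension `.acmedoc`, the `example.com` addresses and the sample message are constructed; the encryption-flag check on the zip header is an addition that catches the password-protected lure even when plain zips are allowed.

```python
"""Attachment allowlist filter (added example; everything here is constructed).

Implements the policy described in the thread: strip every attachment whose
final extension is not on an internally defined allowlist, and additionally
flag password-protected zip files, the lure described earlier.
"""
import io
import struct
import zipfile
from email.message import EmailMessage

# Hypothetical company-specific extension ("acmedoc") plus plain zip so the
# encrypted-zip check below is exercised; the stricter variant from the thread
# would allow only the internal extension.
ALLOWED_EXTENSIONS = frozenset({"acmedoc", "zip"})

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def extension_of(filename):
    """Lowercased final extension ('report.doc.exe' -> 'exe'); '' if none."""
    name = (filename or "").strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_encrypted_zip(data):
    """True if the first local file header has the encryption bit (bit 0) set.

    Only the first entry is inspected, which is enough for single-file lures;
    a full scanner would walk the central directory and check every entry.
    """
    if len(data) < 30 or not data.startswith(ZIP_LOCAL_HEADER):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)  # general purpose bit flag
    return bool(flags & 0x0001)


def check_attachment(filename, data, allowed=ALLOWED_EXTENSIONS):
    """Return the list of reasons to strip this attachment; empty means keep."""
    reasons = []
    ext = extension_of(filename)
    if ext not in allowed:
        reasons.append(f"extension '.{ext}' not on internal allowlist")
    if ext == "zip" and is_encrypted_zip(data):
        reasons.append("password-protected zip (encryption flag set)")
    return reasons


def sanitize(msg, allowed=ALLOWED_EXTENSIONS):
    """Rebuild msg with only allowlisted attachments; return (clean_msg, stripped)."""
    clean = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            clean[header] = str(msg[header])
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body else "")
    stripped = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(name, data, allowed)
        if reasons:
            stripped.append((name, reasons))
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return clean, stripped


def build_encrypted_zip_sample():
    """Constructed sample: a zip whose local header has the encryption bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.exe", b"not a real executable")
    raw = bytearray(buf.getvalue())
    raw[6] |= 0x01  # set bit 0 of the general purpose flag in the local header
    return bytes(raw)


def build_sample_message():
    """Constructed lure resembling the one described, plus one legitimate file."""
    msg = EmailMessage()
    msg["From"] = "it-dept@example.com"
    msg["To"] = "everyone@example.com"
    msg["Subject"] = "Mandatory security update (password: 1234)"
    msg.set_content("Please open the attached archive with the password above.")
    msg.add_attachment(build_encrypted_zip_sample(), maintype="application",
                       subtype="zip", filename="update.zip")
    msg.add_attachment(b"MZ fake", maintype="application",
                       subtype="octet-stream", filename="Q2-report.doc.exe")
    msg.add_attachment(b"internal memo", maintype="application",
                       subtype="octet-stream", filename="memo.ACMEDOC")
    return msg


if __name__ == "__main__":
    clean, stripped = sanitize(build_sample_message())
    for name, reasons in stripped:
        print(f"stripped {name}: {'; '.join(reasons)}")
    print("kept:", [p.get_filename() for p in clean.iter_attachments()])
```

Because the rule keys on the final extension only, a double-extension name such as `Q2-report.doc.exe` is stripped, while `memo.ACMEDOC` survives regardless of case. As joe notes, this is a crutch rather than a cure: it only decides whether the attachment reaches the user, not whether the user would run it.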


DAN MORRILL
<dan_20407[ at ]msn.com> to ssch, mvp, full-disclosure
Jun 17 (2 days ago)
You make anti-virus software sound like a gun lock on a 9mm.

Does it really matter who is in the anti-virus market? If Microsoft goes
that way, and they have the best knowledge of what they created, what we can
reasonably expect to see is, in the words of Bill Gates, "Innovation, with rich
user features, deeply embedded in our software".

So, we can have an AV product that does great things, but maybe only 2% of
it will be used, and because it is a Microsoft product, we can expect
patches every month, with known and unknown vulnerabilities from day one.

LOL!
r/
Dan


_______________________________________


Steffen Schumacher
<ssch[ at ]wheel.dk> to joe, full-disclosure
Jun 17 (2 days ago)
On 17.06.2004 11:51:46 +0000, joe wrote:
> However the worms would be blocked if people had patched their machines or
> otherwise properly administered the machines they were responsible for. All
> of the worms that I think you are probably referring to had patches well
> in advance of the worm that impacted it: Blaster, Slammer, Sasser, etc.
>

Agreed.
I'm not saying that MS doesn't provide patches - they do.
I simply think that the amount of bugs in MS' OSes is too great.
If you install Windows and attempt to either patch it or install a firewall
afterwards while on the live internet, your chances of getting infected
are quite high. The time it takes to install patches or a firewall may in
some situations be longer than it would take for a user to get infected.

I picture it a bit like a paratrooper who has no means of defense until
he lands and can take cover.
Other OSes like FreeBSD take a different approach. All non-vital services are
disabled until the user explicitly installs or enables them.

Microsoft's products should provide the means to a secure patch before risky
services like DCOM are enabled.
This should in fact be the case every time an MS PC starts up.
Otherwise a PC which has been offline for a period may become infected while
patching.

But ultimately MS has to catch more of their serious bugs before releasing
their software. Consider how many resources are spent on patching.
Could they have been spent revising code instead?
I wonder what the average load on the Windows Update server park is...


> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they don't
> isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
> of that they should be patching when necessary.
>
> Corporate users shouldn't have been impacted either and were only because
> the IT department didn't keep the machines patched properly. Too many
> companies run on a deploy and forget strategy, this doesn't work for any OS
> be it Windows, *nix, or IOS. I am not saying keeping them patched is an easy
> task, I managed 400 servers in a Fortune 5 company that were distributed
> around the world. None of them ran antivirus, none of them got infected by
> either viruses or worms, and none of them allowed any but a small number
> of people to have admin rights to do harm to them. When a patch came out
> that affected those servers, it was on the machines in a rather quick
> fashion, generally within 72 hours depending on testing times.
>
>
> Thinking that there will never be code patches required isn't realistic. It
> is humans writing the code and even the humans writing the other OSes make
> mistakes and need to release patches. If the people who manage the machines
> don't take the time to apply the patches then the issue isn't an MS issue,
> it is an admin issue.
>
I know. I just want fewer. When you sell these amounts of functionality
which is reused in multiple future software, then one should *REALLY* test
it better, or lower the prices.

>
>
> > The *real* IT department could then link to the
> > executable and place it on an intranet server
> > which would be secure.
>
> This is an interesting idea but I can't see how one could do it in a
> feasible manner in a large company that is receiving hundreds of thousands
> of emails from the outside a day. Also you would have to watch for internal
> emails and attachments as well because you could get an infected machine on
> the inside. Now in large companies you are up to millions of emails.
>
> My recommendation to the email manager at the time of the last major
> outbreak where they started just stripping all ZIPs from emails was that they
> strip ALL attachments that didn't have a specific internally defined
> extension on them, that way they knew it was a purposeful thing that that
> attachment was there. The extension would be something specific to a company
> and people involved know that extension. Obviously this is just a crutch to
> block the issue with well known executable file extensions.
>
> The file associations are a tough thing to repeal since they are so deeply
> embedded in how things are done on Windows and people have gotten so used to
> them; it made life easier for a majority of the users and was a great idea
> at the time. Now however, if you, for instance, removed the DOC extension
> from the file associations half the corporate Windows Admins out there would
> be at a complete loss as to why Word wasn't working... Those bad Windows
> Admins are partially MS's fault, but mostly the fault of companies who look
> for cheap admins versus good admins.
>
> joe
>
>
> -----Original Message-----
> From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
> Sent: Thursday, June 17, 2004 10:43 AM
> To: joe
> Cc: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
>
>
> While I have no numbers to back this up, I do think that worms are far worse
> when it comes to the extent of which viruses spread, and speed.
> It is my belief that most worms are based upon MS exploits, rather than
> social engineering.
>
> It is my belief that we will simply have to wait until MS cleans up their
> act, which they should be doing, before the world becomes a better place to
> live.
>
> I realize that this doesn't clear situations like the one above, but in
> general such situations can't really be solved unless all mails are scanned
> extensively, and / or the people are educated enough so that they never
> should run executables received from mail (it's actually quite simple to
> me). The *real* IT department could then link to the executable and place
> it on an intranet server which would be secure.
>
> /Steffen
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

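joe's allow-list idea quoted above (strip every attachment that does not carry an extension the company itself defined) can be prototyped in a few lines. The following is an added example, not code from the thread or from any product discussed in it. It assumes a hypothetical internal extension ".corpdoc" and a constructed sample message; it decides on the final extension only, so "photo.JPG.exe" is treated as ".exe". That is precisely the well-known-extension crutch joe describes: a filename check, not an inspection of the content.

```python
"""Allow-list attachment stripping: keep only attachments whose final
extension is on an internal allow-list, drop everything else.
Added example; the '.corpdoc' extension and the sample mail are assumed."""
import posixpath
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ALLOWED_EXTENSIONS = {".corpdoc"}   # hypothetical company-defined extension


def attachment_extension(filename):
    """Lower-cased final extension of an attachment name, '' if none.

    Only the last suffix matters to the Windows shell, so 'photo.JPG.exe'
    yields '.exe'. Directory components (either separator) are ignored."""
    name = posixpath.basename(filename.replace("\\", "/")).strip()
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def _strip(part, allowed, stripped):
    """Recursively drop disallowed attachments from a multipart part."""
    if not part.is_multipart():
        return
    keep = []
    for sub in part.iter_parts():
        if sub.get_content_disposition() == "attachment":
            name = sub.get_filename() or ""
            if attachment_extension(name) in allowed:
                keep.append(sub)
            else:
                stripped.append(name or "<unnamed>")
            continue
        _strip(sub, allowed, stripped)   # nested multipart/alternative etc.
        keep.append(sub)                 # body text and inline parts stay
    part.set_payload(keep)


def filter_attachments(raw, allowed=ALLOWED_EXTENSIONS):
    """Parse raw RFC 822 bytes; return (clean_message, stripped_names)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    stripped = []
    _strip(msg, allowed, stripped)
    return msg, stripped


def attachment_names(msg):
    """Filenames of the attachments still present at the top level."""
    return [p.get_filename() for p in msg.iter_parts()
            if p.get_content_disposition() == "attachment"]


def build_sample():
    """Constructed sample message (not from the thread): one text body and
    three attachments, only one of which carries the internal extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Q2 numbers"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"internal report bytes", maintype="application",
                       subtype="octet-stream", filename="q2-report.corpdoc")
    msg.add_attachment(b"PK\x03\x04 zip bytes", maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"MZ exe bytes", maintype="application",
                       subtype="octet-stream", filename="photo.JPG.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    clean, stripped = filter_attachments(build_sample())
    print("stripped:", stripped)
    print("kept:", attachment_names(clean))
```

As joe notes, this blocks only by name. A renamed executable, a macro document, or an archive containing one passes if its outer extension is on the list, so the allow-list belongs in front of a content scanner, not in place of one.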


Joshua Levitsky
<jlevitsk[ at ]joshie.com> to full-disclosure
Jun 17 (2 days ago)
----- Original Message -----
From: "DAN MORRILL" <dan_20407[ at ]msn.com>
Sent: Thursday, June 17, 2004 11:51 AM
Subject: Re: [Full-Disclosure] MS Anti Virus?

> You make anti virus software sound like a gun lock on a 9MM.
>
> Does it really matter who is in the anti-virus market? If Microsoft goes
> that way, and they have the best knowledge of what they created, what we can
> reasonably expect to see in the words of Bill Gates "Innovation, with rich
> user features, deeply embedded in our software".

Wonder if Microsoft will give their new AV product the same crappy treatment
they gave their past AV product...

http://home.pmt.org/~drose/aw-win3x-31.html

Perhaps they will release it during XP SP2 and then kill it just in time for
Longhorn. Anyone that puts any faith in this new AV from Microsoft is a
fool.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]



valdis.kletnieks[ at ]vt.edu
to Andre, full-disclosure
Jun 17 (2 days ago)
On Wed, 16 Jun 2004 15:53:45 PDT, Andre Ludwig <andre.ludwig[ at ]gmail.com> said:

> Asked if that would hurt sales of competing products, such as Network
> Associates' McAfee and Symantec's Norton family of products, Nash said
> that Microsoft said that it would sell its anti-virus program as a
> separate product from Windows, rather than including it in Windows.

<paranoia mode=full>

I can see it now - there's an undocumented API (Gasp! Shock!) in Windows, which
interfaces from Windows to MS/AV. The gotcha is that the next service pack or
hotfix from MS doesn't actually fix the problem - it's merely a data file that
Windows pipes out the API to MS/AV saying "Here's the hole, guard against
it..."

Then the ad campaign would start: "MS/AV catches 100% of the known security
issues, while Symantec and McAfee only catch 75%...."

<paranoia mode=normal>

Naah.. They'd never use an undocumented API to benefit their product at the
expense of the competition, would they? ;)





joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 17 (2 days ago)
I think you will be pleasantly surprised by XP SP2 and XP Reloaded and
Windows Server R2. They are listening and they are correcting.

On the services running by default front, MS has finally come around that
corner, if you have installed 2K3 you will note a large reduction in what is
installed by default, that trend will continue.

In terms of the check for patches prior to starting business, that may be a
little too intrusive, at least in my opinion. However if the folks are
running the firewall it shouldn't be an issue. I am especially thinking with
Reloaded and R2 here.

Also if you can chase down the PPTs from the Spring D.E.C. conference held
in Washington D.C. you can see some of the future thinking stuff in terms of
Federation and identity based firewall access to make it easier for home
users to use firewalls and still being able to do what they want to do.

You will note that the number of bugs, at least security related, is going
down in the newer versions. Most of the issues you see are issues that are
legacy that have "always" been in the product and are being found now and
removed. I.E. It is more likely you will see a bug/hole that affects NT3/4,
2K, XP, and 2K3 versus just 2K3 or XP.

Check out the scope of the various fixes, does the fix go all the way back
to NT4 or later? Most certainly that is code that hasn't been written
recently and you are pointing out things from the past that they are working
on correcting already. It would literally be impossible to go back through
all of the old code and find all of the bad things. Even for this august
body of admins, developers, security folks. Look at BSD and Linux, if being
open to everyone was the answer you wouldn't still be seeing bugs/holes
discovered in the *nixs that have been there for some time and many
revisions, you would only supposedly have new bugs in the latest revisions.

One of Microsoft's biggest strengths and issues has been their support of
legacy apps, systems. They don't want people to break and contrary to
popular opinion do spend a considerable amount of time and effort working to
make it so legacy third party stuff doesn't break on the new stuff even if
the reason for the break is bad coding/processes on the part of the vendor.
An example would be what they did for simcity back in the day, it used
memory incorrectly so MS actually put a special check into the allocator to
protect against that bad use. Note the difference in a company that doesn't
really do that... Apple. Most old stuff will not run on new Apples but you
will find many apps that run on MS-DOS that can still be run on the latest
versions of Windows. I have a couple of programs I wrote in the early 80s
for machine shops that still run fine today, they haven't seen a compiler
since 1987 or so. Actually I just saw the other day a great article on this
but I can't find the link at the moment. The person, however, was
highlighting/complaining about MS's recent swing away from worrying about
legacy as much.

I am not really sure where I stand with the break with legacy argument. On
the plus side it would be nice because they can stop putting in all of the
overhead to support old junk and maybe get rid of a lot of bugs that have
always existed in that code that haven't been exposed. Doing that might
possibly shut up a bunch of the anti-MS camp. However, that would break a
bunch of things and then other anti-MS people would start whining about that
and how MS doesn't care about its users so it isn't even close to a win-win
situation.

If you have an XP machine lying about and haven't played with the XP SP2
Release Candidate, I highly recommend it. If anything, it gives you an idea
of where MS is currently going. Also check out 2K3.

http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx


joe


-----Original Message-----
From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
Sent: Thursday, June 17, 2004 12:51 PM
To: joe
Cc: full-disclosure[ at ]lists.netsys.com
Subject: Re: [Full-Disclosure] MS Anti Virus?

On 17.06.2004 11:51:46 +0000, joe wrote:
> However the worms would be blocked if people had patched their machine
> or otherwise properly administrated the machines they were responsible
> for. All of the worms that I think you are probably referring to all
> > had patches well in advance of the worm that impacted it, blaster,
> > slammer, sasser, etc.
>

Agreed.
I'm not saying that MS doesn't provide patches - they do.
I simply think that the amount of bugs in MS' OS' is too great.
If you install windows and attempt to either patch it or install firewall
afterwards while on the live internet - Your chances of getting infected are
quite high. The time it takes to install patches or a firewall may in some
situations be longer than it would take for a user to get infected.

I picture it a bit like a paratrooper who has no means of defense until
he lands and can take cover.
Other OS' like FreeBSD take a different approach. All non vital services are
disabled until the user explicitly installs or enables them.

Microsoft's products should provide the means to a secure patch before risky
services like DCOM are enabled.
This should in fact be the case everytime a MS pc starts up.
Otherwise a pc which has been offline for a period may become infected while
patching.

But ultimately MS have to catch more of their serious bugs before releasing
their software. Consider how many resources that are spent on patching.
Could they have been spent revising code instead?
I wonder what the average load on the windows update server park is...



Alfie
<alfie[ at ]leaflock.homeip.net> to full-disclosure
Jun 17 (2 days ago)
On Thu, Jun 17, 2004 at 10:11:26AM -0700, Eric Paynter wrote:
> On Thu, June 17, 2004 8:51 am, DAN MORRILL said:
> > Does it really matter who is in the anti-virus market? If Microsoft goes
> > that way, and they have the best knowledge of what they created...
>
> (puts on tinfoil hat)
>
> From a paranoid point of view, "best knowledge of what they created" is a
> little scary. With MS in the virus prevention market, and with their
> history of unethical anti-competitive behaviour... I'd bet they'd always
> be the first to recognize a new virus. How? Because they could build in
> the vulnerability and create the virus and the signature in the AV all at
> the same time. Then anybody who has MSAV is unaffected, while the *real*
> AV companies are always one step behind... Zero day viruses already
> detected by MSAV - MS are Gods! How did they know? The other vendors lose
> market share because they suck compared to MS... Eventually, MS owns the
> AV market, the competition declares bankruptcy, and we have no choice in
> what AV tool to use.
>
> (takes off tinfoil hat)
>
> OK, it seems paranoid. And if they were found out, it would mean (several
> more) years in anti-trust court. But when has that stopped MS before?
> [...]

Recently, an audio tape was released of Enron employees frankly
talking about stealing millions of dollars per day from the
people of California.

http://www.cbsnews.com/stories/2004/06/01/eveningnews/main620626.shtml

So, if there was any doubt before whether a large corporation can
brazenly gouge customers, I think it's safe to say that such
behavior is quite possible.


--
"There isn't enough darkness in the world to douse the light of a single
candle."



Eric Paynter
<eric[ at ]arcticbears.com> to full-disclosure
Jun 17 (2 days ago)
On Thu, June 17, 2004 8:51 am, DAN MORRILL said:
> Does it really matter who is in the anti-virus market? If Microsoft goes
> that way, and they have the best knowledge of what they created...

(puts on tinfoil hat)

From a paranoid point of view, "best knowledge of what they created" is a
little scary. With MS in the virus prevention market, and with their
history of unethical anti-competitive behaviour... I'd bet they'd always
be the first to recognize a new virus. How? Because they could build in
the vulnerability and create the virus and the signature in the AV all at
the same time. Then anybody who has MSAV is unaffected, while the *real*
AV companies are always one step behind... Zero day viruses already
detected by MSAV - MS are Gods! How did they know? The other vendors lose
market share because they suck compared to MS... Eventually, MS owns the
AV market, the competition declares bankruptcy, and we have no choice in
what AV tool to use.

(takes off tinfoil hat)

OK, it seems paranoid. And if they were found out, it would mean (several
more) years in anti-trust court. But when has that stopped MS before?
Haven't there already been dozens of lawsuits that MS has lost for using
their monopoly status to squash competition? Isn't it their MO to enter a
market and completely take it over by *seeming* to be the best? (seeming
-they became best by using their exclusive control of the OS to break the
competition, not by doing a better job than the competition.)

I think there is a serious conflict of interest here. It may leave us with
little choice in the AV market. And that may have serious long term
security implications.

Too bad there is nothing anybody can do about it.

-Eric



Gregory A. Gilliss
<ggilliss[ at ]netpublishing.com> to full-disclosure
Jun 17 (2 days ago)
Dan et al:

You are missing the point here. While it matters little *who* is in the A/V
market, it matters very much when one player is Microsoft, because the M$
business model (according to them and to the US DOJ) is to enter a market,
undercut the market, co-opt the market, drive out the competition, and
move on to the next market (not unlike a virus, as told by Agent Smith).
So if M$ enters the A/V market and "bundles" their solution with Windows
whatever, they likely will drive Symantec and McAfee out of the market
over time by co-opting the A/V subscription market.

The security ramifications of a M$ only A/V marketplace relate to Dan Geer's
monoculture argument (already well discussed here) and also a conflict of
interest (since M$ products account for a majority of the A/V infections).
Can we "trust" an A/V solution from M$ that addresses virus infections of
M$ products? And if M$ controls both the virus host and the A/V inoculation,
does that not create a potential area of abuse - no license/upgrade/whatever,
no A/V subscription/update/whatever?

As Reagan told Gorbachev, "Let me tell you why we do not trust you..."

G

On or about 2004.06.17 15:51:19 +0000, DAN MORRILL (dan_20407[ at ]msn.com) said:

> You make anti virus software sound like a gun lock on a 9MM.
>
> Does it really matter who is in the anti-virus market? If Microsoft goes
> that way, and they have the best knowledge of what they created, what we
> can reasonably expect to see in the words of Bill Gates "Innovation, with
> rich user features, deeply embedded in our software".
>
> So, we can have an AV product that does great things, but maybe only 2% of
> it will be used, and because it is a microsoft product, we can expect
> patches every month, with known and unknown vulnerabilites from day one.

--
Gregory A. Gilliss, CISSP E-mail: greg[ at ]gilliss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3



Nick FitzGerald
<nick[ at ]virus-l.demon.co.uk> to full-disclosure
Jun 17 (2 days ago)
Valdis.Kletnieks[ at ]vt.edu wrote:

> Naah.. They'd never use an undocumented API to benefit their product at the
> expense of the competition, would they? ;)

In this case, no.

Given that a lot of AV technical work is reverse engineering and that
most of the best AV reversers are not among those MS "acquired" from
RAV or who have joined MS from other AV developers subsequently (not
that they haven't got some very good reversers, just there are still an
awful lot of them elsewhere), I doubt even MS is stupid enough to
consider trying something like this.


--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



Pavel Kankovsky
<peak[ at ]argo.troja.mff.cuni.cz> to full-disclosure
Jun 17 (2 days ago)
On Thu, 17 Jun 2004, joe wrote:

> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they don't
> isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
> of that they should be patching when necessary.

But it is their fault they release an OS with ~5 hard-to-deactivate plus ~5
almost-impossible-to-deactivate dangerous but mostly useless (*) network
services enabled by default that is guaranteed to be owned within 10
minutes after you plug it into the network unless you 1. install extra
firewalling software, or (assuming you got the version with a builtin
packet filter) 2. smoke enough grass to be able to grok their own
configuration dialog windows (**).

Indeed other vendors made the same stupid mistake in the past (and some
of them insist on repeating it).

(*) Who needs network accessible MS RPC services on a home PC?

(**) I admit I am talking about the Czech version. Maybe the English
version, not affected by the "creativity" of any localization team, is
somewhat more understandable.


--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

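Steffen's and Pavel's point in the two messages above is the exposure window: services that listen on every interface from the moment the box is on the wire, before any patch or firewall is in place. The first check a practitioner makes is what is actually listening and where it is bound. The following is an added example (not from the thread, not from Microsoft) that parses the Windows "netstat -an" layout of the period and reports the non-loopback listeners, annotating the ports behind the worms the thread names: TCP 135 (RPC/DCOM, Blaster), TCP 445 (SMB/LSASS, Sasser) and UDP 1434 (SQL resolution, Slammer). The sample output is constructed, and the annotation table is this example's own assumption.

```python
"""Which sockets are reachable from the network before the box is patched?
Added example: parses `netstat -an` text in the Windows layout and reports
listeners bound to anything other than loopback."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port exposed")

# Ports behind the worms named in the thread. The table is this example's
# assumption; the worm/port pairs themselves are documented history.
RISKY_DEFAULT_PORTS = {
    ("tcp", 135): "RPC endpoint mapper / DCOM (Blaster)",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB, LSASS reachable (Sasser)",
    ("udp", 1434): "SQL Server resolution service (Slammer)",
}


def _is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")


def parse_netstat(text):
    """Return Listener records for every listening socket in `netstat -an`.

    TCP sockets count only in state LISTENING; UDP sockets carry no state,
    so every bound UDP socket is a listener. Established/connected sockets,
    headers and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0].lower(), fields[1]
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, port = local.rsplit(":", 1)   # IPv6 appears as [::]:445
        addr = addr.strip("[]")
        listeners.append(Listener(proto, addr, int(port),
                                  not _is_loopback(addr)))
    return listeners


def exposure_report(text, risky=RISKY_DEFAULT_PORTS):
    """Return (exposed, hits): listeners reachable off-host, and the subset
    whose (proto, port) is in `risky`, each paired with its annotation."""
    exposed = [l for l in parse_netstat(text) if l.exposed]
    hits = [(l, risky[(l.proto, l.port)]) for l in exposed
            if (l.proto, l.port) in risky]
    return exposed, hits


# Constructed sample in the Windows `netstat -an` layout (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:3001       10.0.0.1:80            ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:123          *:*
"""

if __name__ == "__main__":
    exposed, hits = exposure_report(SAMPLE_NETSTAT)
    print("reachable from the network:")
    for l in exposed:
        print(f"  {l.proto.upper():3} {l.addr}:{l.port}")
    print("block or patch before plugging in:")
    for l, why in hits:
        print(f"  {l.proto.upper()} {l.port}: {why}")
```

A listener bound to a specific interface address (192.168.1.5:139 above) is as reachable as one bound to 0.0.0.0 on that segment, which is why the report keys on "not loopback" rather than on the wildcard address alone. Run against a freshly installed host, the "hits" list is exactly the set Steffen argues should be closed until the patches are on.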


Dan B. Mann
<dbm[ at ]wkkf.org> to Steffen, full-disclosure
Jun 17 (2 days ago)


From my perspective, a place that MS needs to also focus on is the
patch scanning technology. SMS, WindowsUpdate, MBSA, all can give
different, confusing results even when scanning the same machine!
Please, give me a scanner that covers all of your internal products, and
gives reliable results. Having one tool contradict another ends up
creating a mess, and it is frightening. It's not fun to try and track
down a bunch of machines on a weekly basis to really find out whether
they are patched or not.

Does Microsoft read this list?

I will give Kudos to Microsoft for making an effort to IMPROVE themselves
regarding security though.

Dan

> -----Original Message-----
> From: full-disclosure-admin[ at ]lists.netsys.com [mailto:full-disclosure-
> admin[ at ]lists.netsys.com] On Behalf Of Steffen Schumacher
> Sent: Thursday, June 17, 2004 12:51 PM
> To: joe
> Cc: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?




Steffen Schumacher
<ssch[ at ]wheel.dk> to joe, full-disclosure
Jun 17 (2 days ago)

I also agree that MS *is* turning their gigantic boat around with regards
to security. I have yet to see all the new stuff in detail, but what I've
heard, I've liked!

In my line of work (ISP) it will be greatly welcomed to have more OS' less
prone to become infected by worms, as it allows for things such as DDoS to
be quite an easy task to perform.

My only fear, is that it may take some time to get there.. ;o)

/Steffen


On 17.06.2004 13:31:30 +0000, joe wrote:
> I think you will be pleasantly surprised by XP SP2 and XP Reloaded and
> Windows Server R2. They are listening and they are correcting.
>
> On the services running by default front, MS has finally come around that
> corner, if you have installed 2K3 you will note a large reduction in what is
> installed by default, that trend will continue.
>
> In terms of the check for patches prior to starting business, that may be a
> little too intrusive, at least in my opinion. However if the folks are
> running the firewall it shouldn't be an issue. I am especially thinking with
> Reloaded and R2 here.
>
> Also if you can chase down the PPTs from the Spring D.E.C. conference held
> in Washington D.C. you can see some of the future thinking stuff in terms of
> Federation and identity based firewall access to make it easier for home
> users to use firewalls and still being able to do what they want to do.
>
> You will note that the number of bugs, at least security related are going
> down in the newer version. Most of the issues you see are issues that are
> legacy that have "always" been in the product and are being found now and
> removed. I.E. It is more likely you will see a bug/hole that affects NT3/4,
> 2K, XP, and 2K3 versus just 2K3 or XP.
>
> Check out the scope of the various fixes, does the fix go all the way back
> to NT4 or later? Most certainly that is code that hasn't been written
> recently and you are pointing out things from the past that they are working
> on correcting already. It would literally be impossible to go back through
> all of the old code and find all of the bad things. Even for this august
> body of admins, developers, security folks. Look at BSD and Linux, if being
> open to everyone was the answer you wouldn't still be seeing bugs/holes
> discovered in the *nixs that have been there for some time and many
> revisions, you would only supposedly have new bugs in the latest revisions.
>
> One of Microsoft's biggest strengths and issues has been their support of
> legacy apps, systems. They don't want people to break and contrary to
> popular opinion do spend a considerable amount of time and effort working to
> make it so legacy third party stuff doesn't break on the new stuff even if
> the reason for the break is bad coding/processes on the part of the vendor.
> An example would be what they did for simcity back in the day, it used
> memory incorrectly so MS actually put a special check into the allocator to
> protect against that bad use. Note the difference in a company that doesn't
> really do that... Apple. Most old stuff will not run on new Apples but you
> will find many apps that run on MS-DOS that can still be run on the latest
> versions of Windows. I have a couple of programs I wrote in the early 80s
> for machine shops that still run fine today, they haven't seen a compiler
> since 1987 or so. Actually I just saw the other day a great article on this
> but I can't find the link at the moment. The person, however, was
> highlighting/complaining about MS's recent swing away from worrying about
> legacy as much.
>
> I am not really sure where I stand with the break with legacy argument. On
> the plus side it would be nice because they can stop putting in all of the
> overhead to support old junk and maybe get rid of a lot of bugs that have
> always existed in that code that haven't been exposed. Doing that might
> possibly shut up a bunch of the anti-MS camp. However, that would break a
> bunch of things and then other anti-MS people would start whining about that
> and how MS doesn't care about its users so it isn't even close to a win-win
> situation.
>
>
> If you have an XP machine lying about and haven't played with the XP SP2
> Release Candidate, I highly recommend it. If anything, it gives you an idea
> of where MS is currently going. Also check out 2K3.
>
> http://www.microsoft.com/technet/prodtechnol/winxppro/sp2preview.mspx
>
>
>
> joe
>
>
>
> -----Original Message-----
> From: Steffen Schumacher [mailto:ssch[ at ]wheel.dk]
> Sent: Thursday, June 17, 2004 12:51 PM
> To: joe
> Cc: full-disclosure[ at ]lists.netsys.com
> Subject: Re: [Full-Disclosure] MS Anti Virus?
>
> On 17.06.2004 11:51:46 +0000, joe wrote:
> > However the worms would be blocked if people had patched their machine
> > or otherwise properly administrated the machines they were responsible
> > for. All of the worms that I think you are probably referring to all
> > had patches well in advance of the worm that impacted it, blaster,
> slammer, sasser, etc.
> >
>
> Agreed.
> I'm not saying that MS doesn't provide patches - they do.
> I simply think that the number of bugs in MS' OSes is too great.
> If you install Windows and attempt to either patch it or install a firewall
> afterwards while on the live internet, your chances of getting infected are
> quite high. The time it takes to install patches or a firewall may in some
> situations be longer than it would take for a user to get infected.
>
> I picture it a bit like a paratrooper who has no means of defense until
> he lands and can take cover.
> Other OSes like FreeBSD take a different approach. All non-vital services are
> disabled until the user explicitly installs or enables them.
>
> Microsoft's products should provide the means to patch securely before risky
> services like DCOM are enabled.
> This should in fact be the case every time an MS PC starts up.
> Otherwise a PC which has been offline for a period may become infected while
> patching.
>
> But ultimately MS has to catch more of their serious bugs before releasing
> their software. Consider how many resources are spent on patching.
> Could they have been spent revising code instead?
> I wonder what the average load on the Windows Update server park is...
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Ron DuFresne
to Gregory, full-disclosure
Jun 17 (2 days ago)

They did this years back in the 90's. Anyone remember PC Tools and their
offerings? Guess what was bundled under DOS 6.2 (might have gone back to
DOS 6.0), but PC Tools is no longer in the market... and was the Norton
counterpart/competition at the time... so this would be a re-entry...

Thanks,

Ron DuFresne


On Thu, 17 Jun 2004, Gregory A. Gilliss wrote:

> Dan et al:
>
> You are missing the point here. While it matters little *who* is in the A/V
> market, it matters very much when one player is Microsoft, because the M$
> business model (according to them and to the US DOJ) is to enter a market,
> undercut the market, co-opt the market, drive out the competition, and
> move on to the next market (not unlike a virus, as told by Agent Smith).
> So if M$ enters the A/V market and "bundles" their solution with Windows
> whatever, they likely will drive Symantec and McAfee out of the market
> over time by co-opting the A/V subscription market.
>
> The security ramifications of a M$ only A/V marketplace relate to Dan Geer's
> monoculture argument (already well discussed here) and also a conflict of
> interest (since M$ products account for a majority of the A/V infections).
> Can we "trust" an A/V solution from M$ that addresses virus infections of
> M$ products? And if M$ controls both the virus host and the A/V inoculation,
> does that not create a potential area of abuse - no license/upgrade/whatever,
> no A/V subscription/update/whatever?
>
> As Reagan told Gorbachev, "Let me tell you why we do not trust you..."
>
> G
>
> On or about 2004.06.17 15:51:19 +0000, DAN MORRILL (dan_20407[ at ]msn.com) said:
>
> > You make anti virus software sound like a gun lock on a 9MM.
> >
> > Does it really matter who is in the anti-virus market? If Microsoft goes
> > that way, and they have the best knowledge of what they created, what we
> > can reasonably expect to see in the words of Bill Gates "Innovation, with
> > rich user features, deeply embedded in our software".
> >
> > So, we can have an AV product that does great things, but maybe only 2% of
> > it will be used, and because it is a microsoft product, we can expect
> > patches every month, with known and unknown vulnerabilities from day one.
>
> --
> Gregory A. Gilliss, CISSP E-mail: greg[ at ]gilliss.com
> Computer Security WWW: http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.




valdis.kletnieks[ at ]vt.edu
to nick, full-disclosure
Jun 17 (2 days ago)
On Fri, 18 Jun 2004 06:30:55 +1200, Nick FitzGerald <nick[ at ]virus-l.demon.co.uk> said:
> Valdis.Kletnieks[ at ]vt.edu wrote:
>
> > Naah.. They'd never use an undocumented API to benefit their product at the
> > expense of the competition, would they? ;)
>
> In this case, no.
>
> Given that a lot of AV technical work is reverse engineering and that
> most of the best AV reversers are not among those MS "acquired" from
> RAV or who have joined MS from other AV developers subsequently (not
> that they haven't got some very good reversers, just there are still an
> awful lot of them elsewhere), I doubt even MS is stupid enough to
> consider trying something like this.

You're forgetting that in this case, technical excellence falls behind marketing
and treachery in importance....

You don't think that the MS reverse engineers couldn't do better, if they had
an API that would tell them the exact footprints associated with a known
vulnerability? :)

Remember that the BugBear virus used an undocumented API to snarf
all the passwords: http://www.extremetech.com/article2/0,3973,582176,00.asp

You really expect us to believe that the M$ AV team won't leverage off the
fact that they could know about that API, and all the others in Windows?

Now consider all the cases where Microsoft has shipped a half-working patch
that closes some cases but not others - could that be a case of "we intentionally
shipped half the patch because we're going to let our AV software in on the secret
sauce so it can install the OTHER half of the patch"? :)



Ron DuFresne
to Dan, Steffen, full-disclosure
Jun 17 (2 days ago)
On Thu, 17 Jun 2004, Dan B. Mann wrote:

>
>
> From my perspective, a place that MS needs to also focus on is the
> patch scanning technology. SMS, WindowsUpdate, MBSA, all can give
> different, confusing results even when scanning the same machine!
> Please, give me a scanner that covers all of your internal products, and
> gives reliable results. Having one tool contradict another ends up
> creating a mess, and it is frightening. It's not fun to try and track
> down a bunch of machines on a weekly basis to really find out whether
> they are patched or not.
>
> Does Microsoft read this list?

I believe that if it's not in VB script, then it's inedible to M$
personnel.

Thanks,


Ron DuFresne



valdis.kletnieks[ at ]vt.edu
to bugs, nick, full-disclosure
Jun 17 (2 days ago)
On Thu, 17 Jun 2004 17:37:11 EDT, Mohit Muthanna said:
> > You really expect us to believe that the M$ AV team won't leverage off the
> > fact that they could know about that API, and all the others in Windows?
>
> in addition, given that they have the sources to their own OS, i doubt
> they really have to do much manual reversing... i'm sure the debugging
> tools they have developed over the years would quite easily aid them
> in determining precisely what the viruses do and how they do it.

No... you're still not getting it. There's no reverse engineering involved. ;)

Let's pop over to http://www.eeye.com/html/research/upcoming/index.html

Hey look.. http://www.eeye.com/html/research/upcoming/20031007.html is
194 days overdue.. Now, your AV software doesn't have to have *ANY*
reverse engineering for the virus if the operating system and/or AV updates
is whispering in its ear "Anything that does *this* is malware exploiting 20031007".

And at that point, there's no reason to actually ship a *patch*, you just ship
a data file that tells *your* AV that "20031007 exploits look like this" - at which
point you can presumably trap 100% of exploits, and the competition has to
reverse engineer each one... ;)

"Systems protected with M$ AV were 100% safe, while 30% of Brand X users
got whacked while their teams were busy reverse engineering"... Hard to argue
with THAT sales pitch.. ;)



Poof
<poof[ at ]fansubber.com> to Gregory, full-disclosure
Jun 17 (2 days ago)
Gregory:

According to Microsoft they are making their A/V a separate product. So
it'll be sold much like Microsoft Money is.

~

> So if M$ enters the A/V market and "bundles" their solution with Windows
> whatever, they likely will drive Symantec and McAfee out of the market
> over time by co-opting the A/V subscription market.



rob[ at ]comcast.net
to full-disclosure
Jun 17 (2 days ago)
On Thu, Jun 17, 2004 at 11:51:46AM -0400, joe wrote:
> However the worms would be blocked if people had patched their machine or
> otherwise properly administrated the machines they were responsible for. All
> of the worms that I think you are probably referring to all had patches well
> in advance of the worm that impacted it, blaster, slammer, sasser, etc.
>
> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they don't
> isn't MS's fault, however MS is stepping up with XP SP2 to help out. On top
> of that they should be patching when necessary.
[snip]
> Thinking that there will never be code patches required isn't realistic.
[snip]

Can you explain how it's realistic to expect the millions of home
Windows users out there now to know how to properly administrate
their systems?

If anything that's been discussed here so far is unrealistic, that
must top the list. They're only starting to get the message that
patching is necessary. Very arguably, Microsoft helped create this
culture of technically inept users who view the computer like any
other household appliance. And now what? It plans to force-feed
basic computer security training and earthshaking updates down the
throats of the same users to whom it's been spoon-feeding
computing-through-ignorance babyfood for years and years?

You say "the worms would be blocked if users would..." I say the
worms wouldn't exist in the first place if Microsoft had written
their software securely. It's easy for both of us to say, but which
is easier to actually *do*? Microsoft has little control over what
end users do, but it has complete control over the design, quality,
and configuration of the software it ships. With the resources and
market share they have, they ought to be leading the industry.
Instead, they are the armpit of the industry.

Folks who have been paying attention o'er the years know the same
lies, half-truths, and PR maneuvering they hear today that they
heard back then. "It'll be fixed in the next version", eh? You'll
have to pardon me if I don't shit myself repeatedly in fits of
white-knuckle anticipation of the next version.

---


Mohit Muthanna
<mohit.muthanna[ at ]gmail.com> to valdis.kletnie., nick, full-disclosure
Jun 17 (2 days ago)
> You really expect us to believe that the M$ AV team won't leverage off the
> fact that they could know about that API, and all the others in Windows?

in addition, given that they have the sources to their own OS, i doubt
they really have to do much manual reversing... i'm sure the debugging
tools they have developed over the years would quite easily aid them
in determining precisely what the viruses do and how they do it.

Mohit.


Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."


Aditya, ALD [ Aditya Lalit Deshmukh ]
<aditya.deshmukh[ at ]online.gateway.technolabs.net> to joe, full-disclosure
Jun 18 (1 day ago)
> it is an admin issue.

that is very true, like the programmers have become code monkeys, sysadmin & netadmins have become patch monkeys

>
>
> > The *real* IT department could then link to the
> > executeable and place it on an intranet server
> > which would be secure.
>
> This is an interesting idea but I can't see how one could do it in a

how about only doing so with the files that are zip-encrypted - unencrypted attachments are scanned and passed along, zipped ones are unzipped and scanned, but the ones that cannot be unzipped are the ones that go as a link to the user. how does one then deal with other compression formats like ace, rar, lha, arj etc etc ?

-aditya


Eric Paynter
<eric[ at ]arcticbears.com> to full-disclosure
Jun 18 (1 day ago)
On Fri, June 18, 2004 1:34 am, Aditya, ALD [ Aditya Lalit Deshmukh ] said:
> how does then one deal with other compression formats
> like ace, rar, lha, arj etc etc ?

Why not exactly the same as zip?

-Eric

--
arctic bears - affordable email and name services [ at ]yourdomain.com
http://www.arcticbears.com
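The attachment policy Aditya sketches above (scan plain attachments, unpack and scan zips, send whatever cannot be unpacked to the user as a link) together with Eric's "same as zip" answer, as an added Python example that is not code from either post. The scanner is a stand-in marker check, the archive signature table and the encrypted-zip fixture are constructed, and only zip is actually unpacked, so rar, ace, lha and arj take the cannot-unpack path until an unpacker for them is wired into `decide`.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a real scanner signature (not a real malware string).
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"

# Header signatures for the formats named in the thread: (offset, magic, name).
# Only zip is unpacked here; the rest take the "cannot be unpacked" path.
ARCHIVE_SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x60\xea", "arj"),
    (2, b"-lh", "lha"),
    (7, b"**ACE**", "ace"),
]

MAX_MEMBER_BYTES = 10 * 1024 * 1024  # cap on what we inflate per member (zip bombs)
MAX_DEPTH = 2                        # archives nested deeper than this go out as a link


@dataclass
class Verdict:
    action: str   # "deliver" (pass along), "block" (scanner hit) or "link" (quarantine, send link)
    reason: str


def detect_archive(data: bytes) -> Optional[str]:
    """Return the archive format name when the bytes carry a known header, else None."""
    for offset, magic, name in ARCHIVE_SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def scan_clean(data: bytes) -> bool:
    """Stand-in for the gateway's AV engine: clean unless the marker is present."""
    return MALWARE_MARKER not in data


def decide(data: bytes, depth: int = 0) -> Verdict:
    """Apply the thread's policy to one attachment body."""
    kind = detect_archive(data)
    if kind is None:
        # Plain attachment: scan it and pass it along if clean.
        if scan_clean(data):
            return Verdict("deliver", "scanned clean")
        return Verdict("block", "scanner hit")
    if kind != "zip":
        # No unpacker wired in for this format, so it counts as "cannot be unzipped".
        return Verdict("link", f"{kind} archive cannot be unpacked here")
    if depth >= MAX_DEPTH:
        return Verdict("link", "archive nested too deeply to inspect")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict("link", "corrupt zip cannot be unpacked")
    # General-purpose flag bit 0 in the zip header marks an encrypted member.
    if any(info.flag_bits & 0x1 for info in zf.infolist()):
        return Verdict("link", "encrypted zip cannot be unpacked")
    for info in zf.infolist():
        if info.file_size > MAX_MEMBER_BYTES:
            return Verdict("link", f"{info.filename} too large to inflate safely")
        try:
            member = zf.read(info.filename)
        except (zipfile.BadZipFile, RuntimeError):
            return Verdict("link", f"{info.filename} could not be extracted")
        inner = decide(member, depth + 1)   # recurse: nested zips get the same treatment
        if inner.action != "deliver":
            return Verdict(inner.action, f"{info.filename}: {inner.reason}")
    return Verdict("deliver", "all members scanned clean")


def build_zip(members: dict) -> bytes:
    """Constructed fixture: an in-memory zip with the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def mark_zip_encrypted(data: bytes) -> bytes:
    """Constructed fixture: set the encryption flag in every local and central
    header so the archive looks password-protected (the data is not encrypted)."""
    out = bytearray(data)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_offset] |= 0x01
            pos = out.find(sig, pos + 1)
    return bytes(out)


if __name__ == "__main__":
    samples = {
        "report.txt": b"quarterly numbers, nothing to see",
        "clean.zip": build_zip({"a.txt": b"fine"}),
        "locked.zip": mark_zip_encrypted(build_zip({"a.txt": b"secret"})),
        "thing.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    }
    for name, body in samples.items():
        print(name, decide(body))
```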


joe
<mvp[ at ]joeware.net> to Pavel, full-disclosure
Jun 18 (1 day ago)
1. See XP SP2
2. If you know the amount, possibly this could be part of your issue. :oP
[1]

[1] I wouldn't know Czech from Portuguese. You could give me a shampoo
bottle with instructions in Czech and I wouldn't know what to do with it,
heck I might not even know it was shampoo.


-----Original Message-----
From: full-disclosure-admin[ at ]lists.netsys.com
[mailto:full-disclosure-admin[ at ]lists.netsys.com] On Behalf Of Pavel Kankovsky
Sent: Thursday, June 17, 2004 2:31 PM
To: full-disclosure[ at ]lists.netsys.com
Subject: RE: [Full-Disclosure] MS Anti Virus?

On Thu, 17 Jun 2004, joe wrote:

> Home users never should have been impacted as they should be running
> firewall software on the internet connections. The fact that they
> don't isn't MS's fault, however MS is stepping up with XP SP2 to help
> out. On top of that they should be patching when necessary.

But it is their fault they release an OS with ~5 hard-to-deactivate plus ~5
almost-impossible-to-deactivate dangerous but mostly useless (*) network
services enabled by default that is guaranteed to be owned within 10 minutes
after you plug it into the network unless you 1. install extra firewalling
software, or (assuming you got the version with a built-in packet filter) 2.
smoke enough grass to be able to grok their own configuration dialog windows
(**).

Indeed other vendors made the same stupid mistake in the past (and some of
them insist on repeating it).

(*) Who needs network accessible MS RPC services on a home PC?

(**) I admit I am talking about the Czech version. Maybe the English
version, not affected by the "creativity" of any localization team, is
somewhat more understandable.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 18 (1 day ago)
Can users hook themselves up to the internet? Last time I got a cable modem
hooked up I had to have some "technician" come into my home and spend a
couple of hours trying to figure out how to hook the thing up even though I
bought my own Cable MODEM and ran my own RG6 and had everything ready, just
needed an IP address. In fact I built a special PC with bare bones
configuration so the "technician" could monkey with that and not try to
figure out my LAN.

It was a nightmare, I would keep dropping hints and he wouldn't listen and
then a while later would be like, oh yeah, I have to do this, which would be
exactly what I hinted. The guy had no clue what he was really doing as he
was a wiring guy that had picked up an extra task. Had no clue what a patch
was let alone wondering if the PC was patched even though the little balloon
was sitting there saying there were updates to install. I think if I said
firewall he would have nightmares of running cable between a garage and a
house and properly repairing the hole he made in the garage firewall (fire
break) so that it was back up to building code...

So what I am saying is, I think the ISPs need to share some of the
responsibility of hooking people up safely, don't just plug them in. If they
already have to come into the home or at the very least you talk to them on
the phone, push firewalls and internet safety. The first time they come up
when they sign up, maybe scan them and see what is open and drop a friendly
hint, why I see that all of your ports are wide open and your PC named
EasyRider69 is fully visible to me... You might want to secure that.
Alternatively, have the ISP block all but say ports 25, 80, and 110 by
default for every user and the user has to connect to a website of the ISP
and uncheck other ports they want opened up. That way it would take a
semi-educated user to actually use the service irregardless of the OS. If
that is too tough, set up a multiple VLAN configuration where by default the
user gets placed in babystep VLAN which only has a couple of basic ports and
they have to be requested to be put in the big person VLAN to get open
access.

Again however, MS is stepping up on this. Go look at XP SP2. It is a big
step in the direction to help users protect themselves. Of course of course,
they have always done bad things so they can't possibly do anything better
now. How thoughtless of me. Of course someone like yourself is so good at
coding you know that every piece of code you have ever written has been
perfect right off and no possible issues... Oh wait, you implying that means
you probably have never coded anything more complex than a basic tool if
that.

I agree that MS helped create the mass of inept users... However, I don't
see any OSes going out there creating knowledgeable users. In fact had MS
not done what it had done, I don't think we would be anywhere near where we
are right now for penetration of PCs in the home and lower costs associated
with that. I am just guessing but irregardless of what OS you are on now,
you most likely were running an MS OS at some point. Not many people start
on Mainframes and UNIX machines and went straight to non-MS offerings. Why?
Not much else existed in the home for some time. Probably the few
(relatively speaking) that can say they haven't ever run an MS OS are those
that started using computers in University and never left so always lived in
the UNIX world or Apple folks. If you had a PC at home and it wasn't an
Apple, the chances are good it had MS on it. This is slowly changing now
with the various *nix knockoffs such as BSD and Linux, but was the case for
a long time.

I look forward to BSD/Linux gathering steam and becoming better and better
and more and more accepted. For several reasons actually. First off, MS
always thrives when given good competition, it pushes itself to do better
and better which is good for computing in general because they have serious
cash to put into the endeavour, not many computing places now have
multi-billion dollar R&D budgets to make home computing better. Second off,
the Linux world will have to clean up, right now it is a bit chaotic with
all of the various vendors duking it out over who is better and you having
to be really sure of what you have before you install things. It reminds me
of earlier MS days with Win9x and NT and having to figure out what you had
so you knew what you could install. It is a pain in the butt when consulting
for large companies when they are trying to figure it out because not only
is it a case of figure out if you want Linux or Windows, it is which flavor
of Linux do you want. Just dilutes the whole thing. Yes yes choice is good
blah blah blah. Sometimes though in the committee driven worlds of corporate
America, a multitude of choices can be a bad thing.


> You'll have to pardon me if I don't shit myself
> repeatedly in fits of white-knuckle anticipation
> of the next version.

You sound like a jilted lover here. Not someone looking for the computing
world to get better.


joe
<mvp[ at ]joeware.net> to full-disclosure
Jun 18 (1 day ago)
I think you believe MS is going into the AV market because it wants to. I
don't think that is the case. In fact I think they would rather not be in
that market. I take as evidence the fact of going into that market once and
then dropping out of it. I also recall hearing the rumors that they bought
the AV company and started working on it because they wanted to give this AV
away for free with SP2 and then realized that they would be back in court
over it.

I believe MS is doing this strictly as a means to protect itself and
possibly help users at the same time. With luck as the OS features get
better and better the reasons for AV should hopefully reduce (but again I
doubt entirely dry up) thereby reducing the market that you think they are
going into to make cash on.

Since they will have to charge for it, I hope to see them do a small charge
once up front, and then free updates for the time frame you have the OS
loaded. A lot of folks lose their protection after the free update period
expires with the third party stuff. Many, myself included aren't willing to
pay monthly or yearly fees to AV companies.


> since M$ products account for a majority of the A/V infections

This is on par with saying most cars crashed are from GM without stating the
point that GM has the most cars on the road. You can say MS has the most
inept users, most inept admins, most viruses, most bugs, most lots of things
because they simply have the most period.

I was chatting with some friends the other day and the conversation turned
to the idea that had MS initially started with the implementation of fewest
services running as possible on their machines, we wouldn't know about a
great deal of the bugs/holes that were in there as they would still be
buried. Why? Because there would be no point in attacking the service if
only a small subset of people were running it. The bugs could sit in there
and live forever until someone accidentally stumbled on one. You wouldn't be
cool for finding a hole in say the messenger service if hardly anyone was
running it, people would simply say big deal, the press wouldn't be
reporting "Hole found in messenger service, thousands in danger of illicit
penetration!". As an aside, I think we would also have less penetration of
computers in general in the market place. Most people started using
computers in the home because they were easy to use and MS made it that way.


Ben Timby
<asp[ at ]webexc.com> to full-disclosure
Jun 18 (1 day ago)
I think everyone missed Nick's point. Since reversers work for the
competition, don't you think they would find and use the M$ undocumented
API? M$ would not be dumb enough to try it, since their competition in
this market is comprised of reverse engineers, who would simply
"counter-innovate" by using the M$ API :-).

Nick FitzGerald wrote:

> Valdis.Kletnieks[ at ]vt.edu wrote:
>
>
>>Naah.. They'd never use an undocumented API to benefit their product at the
>>expense of the competition, would they? ;)
>
>
> In this case, no.
>
> Given that a lot of AV technical work is reverse engineering and that
> most of the best AV reversers are not among those MS "acquired" from
> RAV or who have joined MS from other AV developers subsequently (not
> that they haven't got some very good reversers, just there are still an
> awful lot of them elsewhere), I doubt even MS is stupid enough to
> consider trying something like this.
>
>



valdis.kletnieks[ at ]vt.edu
to Ben, full-disclosure
Jun 18 (23 hours ago)
On Fri, 18 Jun 2004 13:22:11 CDT, Ben Timby <asp[ at ]webexc.com> said:
> I think everyone missed Nick's point. Since reversers work for the
> competition, don't you think they would find and use the M$ undocumented
> API? M$ would not be dumb enough to try it, since their competition in
> this market is comprised of reverse engineers, who would simply
> "counter-innovate" by using the M$ API :-).

Patent the API. Or document it with a EULA attached (remember their
documentation of their flavor of Kerberos?)... ;)



st3ng4h
<st3ng4h[ at ]comcast.net> to joe, full-disclosure
1:33pm (1 hour ago)
First, apologies to the list for the unintentional header forgery.
My correct address is st3ng4h[ at ]comcast.net, not rob[ at ]comcast.net. It
is my fault for configuring my SMTP forwarder in a hurry. A
boneheaded mistake. What can I say, it's been a long week.

On Fri, Jun 18, 2004 at 01:08:08PM -0400, joe wrote:
> Can users hook themselves up to the internet?
[snip]

Some can. It certainly takes less knowledge than sound system
administration; someone who successfully played with the toy where
one fits circular, rectangular, or triangular plastic blocks into
holes of corresponding shapes has all the 'skills' s/he needs to
plug coaxial and power cables into a cable modem, and RJ-45 from
cable modem to PC.

You will hear no argument from me when you assert that there are
many, many braindead users, admins, and 'technicians' out there.

> So what I am saying is, I think the ISPs need to share some of the
> responsibility of hooking people up safely, don't just plug them in.
[snip]

This is a good idea, and some ISPs do make efforts to educate their
customers about security, albeit in mostly passive ways.

However, it seems odd to me that you feel the ISPs should be obliged
to leap through many hoops to protect their customers, essentially
before they take customers' money. Microsoft has been taking
customers' money for years and years, and has given little or no
real consideration to customers' protection. By Gates' own
admission, (paraphrased) 'we have not done all that we can to
protect our customers'. Which, judging by their track record, is
still an understatement in the extreme.

In your last post, you made it clear that you believe that it is
primarily failings on the part of users that have allowed these
security gaffes to have such dire effect. So, can you explain why
you put such heavy responsibility on ISPs to protect customers, but
seemingly relieve Microsoft of any such responsibility, blaming
nearly everything on the user?

My point remains the same: Microsoft has no control over what its
end users do. It cannot force education, patches, or firewalls on
users if they don't want them. It has complete control over the
design, configuration, and quality of the software it sells. Which
is easier for them to fix: their software, or the mind of every end
user?

> Alternatively, have the ISP block all but say ports 25,80, and 110 by
[snip]

Truly draconian. And exceptionally bad for business. I remember when
Comcast had the nerve (sense) to block TCP 135 when Blaster hit. You
should have seen all the screaming users, infuriated that their
Windows File and Print Sharing didn't work. "I need this to connect
to our corporate file server and update the Excel spreadsheet that
has all our passwords in it, or my boss is gonna kill me!!"

Oh, and even this "security-through-unplugging-cables" style of
approach does absolutely nothing to protect people merrily browsing
the net with Internet Explorer and receiving email with Outlook
Express. Ever hear of phishing? How bout spyware?

> Again however, MS is stepping up on this. Go look at XP SP2. It is a big
> step in the direction to help users protect themselves. Of course of course,
> they have always done bad things so they can't possibly do anything better
> now. How thoughtless of me. Of course someone like yourself is so good at
> coding you know that every piece of code you have ever written has been
> perfect right off and no possible issues... Oh wait, you implying that means
> you probably have never coded anything more complex than a basic tool if
> that.

Admittedly, no. I didn't claim to be. I am young and learning. But
I think I have a good understanding of the concepts behind
designing and implementing secure software and avoiding the
programming errors that lead to easy exploits. And some things, like
active scripting in mail clients (to pull one off the top of my
head and recent full-disc history, that has inspired more than one
well-justified rant by list regulars) are just dumb and should have
never been considered in the first place, let alone turned on by
default. It doesn't seem to me to be rocket science. Assume that
software *will* be used and abused by Bad Guys; trust no input, and
validate all of it; write software that uses the least privileges it
needs to function, and no more; write small software; use techniques
such as isolation to provide additional layers of security that
increase the difficulty or nullify the risk of attacks; perpetually
strive to educate oneself about new attacks and new classes of
attacks, and learn to defend against them. The list continues; you
get the idea. It can be tedious and difficult. But it's one of the
things we have got to do, if we want to improve the status quo.

If what you wrote above is some kind of thinly-veiled attempt to
undermine my credibility (I don't have any yet, silly wabbit) by
making insinuations about my programming skill, it has probably
backfired on you. If what you want is to start a flame war, contact
me off-list.

Back to the topic at hand, XP SP2. Yes, I've seen it, and I'm not
terribly impressed. Most of these things have been in free *nixes
for a long time now. Comparing with Red Hat/Fedora (which is far
from the panacea of secure OSes, mind you):

Firewall on by default: Red Hat's had iptables setup as part of the
installation for years now. Configuration involves clicking one of
four radio buttons.

Safer networking defaults: Red Hat turned off most if not all
networked services in the default installation years ago, IIRC. I
think it took them about 10 minutes. Long overdue for Microsoft.

Memory protection: many distros, and I believe Fedora is one of
these, compile packages with stack-smashing protection or provide
versions of gcc with such features. More robust protection is
freely available with tools like grsecurity.

Safer email handling: safer than what? I can't think of a *nix mail
client that's proven as unsafe as Outlook and Outlook Express have.
Shoring up these programs is a 'duh', and also long overdue. Fedora
offers a choice of no less than ten different mail clients. Pick one
at random; I'll bet the cost of a Windows Server 2003 license that
it will never be victim to the types of vulns that have plagued and
continue to plague the Outlook series.

Safer browsing: More safe defaults that are long overdue. My
comments above on mail clients can be applied directly to browsers:
you have lots of choices, pick one at random, it's almost guaranteed
that you'll never suffer from the same types of stupid tricks that
can be played successfully on IE.

Automagic updates: trivially achieved with ANY *nix package
management system, and cron. And yes, they've been around for years.
Oh, and no one worries about whether updating Mozilla or Konqueror
means their network connection gets hosed or their OS is rendered
unbootable.

This is a simplified overview, but I think I've addressed the major
features MS is touting here, agree?

> I agree that MS helped create the mass of inept users... However, I don't
> see any OSes going out there creating knowledgeable users.

Try sitting a new user in front of a freshly installed *BSD box, and
see how far he gets without reading the manual.

> In fact had MS
> not done what it had done, I don't think we would be anywhere near where we
> are right now for penetration of PCs in the home and lower costs associated
> with that.

Is that supposed to be a good thing? Personally, I'd like to see far
fewer stupid people and sleazy corporations on the 'net. If that
means I have to pay more for access, and perhaps have one computer
in my home instead of half a dozen, so be it.

> I am just guessing but irregardless of what OS you are on now,
> you most likely were running an MS OS at some point.

Yes, and I rue the day I ever let it sink its teeth into me. I have
since freed myself of this unnecessary burden. Windows to me is now
little more than a gaming system, slightly superior to PS2 (except
in the respect that I never worry about my PS2 becoming the newest
member of a botnet).

> Not many people start
> on Mainframes and UNIX machines and went straight to non-MS offerings. Why?
> Not much else existed in the home for some time. Probably the few
> (relatively speaking) that can say they haven't ever run an MS OS are those
> that started using computers in University and never left so always lived in
> the UNIX world or Apple folks. If you had a PC at home and it wasn't an
> Apple, the chances are good it had MS on it.

Again, is that supposed to be a good thing?

Lots of people like double bacon cheeseburgers and Krispy Kremes. It
doesn't mean it's a good idea to eat nothing but.

> I look forward to BSD/Linux gathering steam and becoming better and better
> and more and more accepted. For several reasons actually. First off, MS
> always thrives when given good competition, it pushes itself to do better

Microsoft is well-known for its decidedly monopolistic and
*anti*-competitive behavior. Is this news?

As outlined in the Report That Got Dan Geer Canned From [ at ]stake [1],
this in and of itself is a danger to security. More generally, any
ubiquitous, identical systems on a huge global network are
inherently dangerous to the network itself, as the possibility
exists that a single piece of malicious code can destroy the systems
and/or the data contained on them and/or cripple the entire network.
Diversity is a key risk management strategy, and it has proven
parallels in fields like biology. I believe it also applies to
security risk management.

We've seen code that does this, and has the potential to do much
worse, many times over again, for a long time now.

Is it becoming clear why a simple 'step-up' from MS won't cut it?

I don't want to see any one operating system or piece of software
'take over the world'. I would like to see some real competition
resulting in better code and more diversity, so perhaps we can make
some progress on overcoming the attacks of yesterday that continue
today.

> and better which is good for computing in general because they have serious
> cash to put into the endeavour, not many computing places now have
> multi-billion dollar R&D budgets to make home computing better.

It must be humbling for you to think that a bunch of rag-tag GNU
hippies, young Finnish CS students, Berkeley grads, Canadians
*gasp!*, and thousands of other hackers coding in their spare time
often for free, have produced operating systems and software that
rival or are outright superior to the products of the largest,
richest software company in the world.

> Second off,
> the Linux world will have to clean up, right now it is a bit chaotic with
> all of the various vendors duking it out over who is better and you having
> to be really sure of what you have before you install things. It reminds me
> of earlier MS days with Win9x and NT and having to figure out what you had
> so you knew what you could install. It is a pain in the butt when consulting
> for large companies when they are trying to figure it out because not only
> is it a case of figure out if you want Linux or Windows, it is which flavor
> of Linux do you want. Just dilutes the whole thing. Yes yes choice is good
> blah blah blah. Sometimes though in the committee driven worlds of corporate
> America, a multitude of choices can be a bad thing.

Yes, there are a lot of Linux distros out there now, and yes, most
of them are pretty useless, lame, and contrived. There are also some
very good ones, and the skilled sysadmin can always build their own
if they don't like anyone else's. Yes, for a corporation trying to
'pick one' it can be difficult, for those not used to actually
having choices. Yes, trying to figure it out is difficult for
companies, especially ones full of admins who are glued to the
shiny friendly happy clicky GUI world to which they're accustomed,
and don't know a whit about what's actually happening, on the
system, on the network, anywhere.

Who ever told these people it would be easy, ever? These are some of
the most complex machines mankind has created. Who made them
allergic to getting their hands dirty and spending some time
understanding the systems they're supposed to be taking care of with
competence?

> You sound like a jilted lover here. Not someone looking for the computing
> world to get better.

Jilted lover isn't quite accurate; it's more like MS keeps trying
to slip people roofies at the bar and date-rape them in the parking
lot. I'll tell you why, and fundamentally I believe this is the
reason for our differences of opinion.

You still trust Microsoft. I don't. They had it for a time, and
they have earned my distrust. It will take significant leaps and
bounds forward in several areas for them to earn it back. Call me
paranoid, pessimistic, jaded, what have you.

I've been promised that they will step up with every new version and
new product, just as you are offering promises that they are
stepping up with SP2. Don't get me wrong; it will help, for those
who are running XP (many aren't), are aware of its existence (the
many who cannot even be bothered with patching now will likely be
oblivious), and who won't remove or disable it after seeing that it
makes life on the 'puter an iota more difficult than it had been
before.

It won't undo the disservice they have done to the industry and
their customers by consistently failing to improve the security and
quality of their software, nor will it undo the damage caused by
making it so easy for users as zombie-like as their infected
machines to play with it on high-speed wireless 'net connections.

It's a baby step in the right direction, for a corporation that as I
said, ought to be leading the industry.

In any case, before our 'discussions' become any more verbose,
flame-ish, religious, or off-topic (they're currently all four), we
should do the good list members a favor and take it off list.

[1] http://www.ccianet.org/papers/cyberinsecurity.pdf
