Linux-Advocacy Digest #401, Volume #26            Sun, 7 May 00 22:13:06 EDT

Contents:
  Re: Built in Virus Scanners! (Charlie Ebert)
  Re: Built in Virus Scanners! (Charlie Ebert)
  Re: Dvorak calls Microsoft on 'innovation' ("Erik Funkenbusch")
  Re: Malicious scripts on Unix ("Erik Funkenbusch")
  Re: which OS is best? ("Quantum Leaper")
  Re: This is Bullsh&^%T!!! ("Erik Funkenbusch")
  Re: This is Bullsh&^%T!!! ("Erik Funkenbusch")
  Re: This is Bullsh&^%T!!! ("Erik Funkenbusch")
  Re: This is Bullsh&^%T!!! ("Erik Funkenbusch")
  Programs for Linux ("Nick")
  Re: Browsers and e-mail ([EMAIL PROTECTED])
  Re: This is Bullsh&^%T!!! (mlw)
  Re: Malicious scripts on Unix (Leslie Mikesell)
  Re: QB 4.5 in Win 2000 (Roger)
  Re: QB 4.5 in Win 2000 (Roger)

----------------------------------------------------------------------------

From: Charlie Ebert <[EMAIL PROTECTED]>
Subject: Re: Built in Virus Scanners!
Crossposted-To: comp.os.ms-windows.nt.advocacy
Date: Mon, 08 May 2000 00:15:41 GMT



>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 5/7/00, 4:07:24 PM, Jeff Szarka <[EMAIL PROTECTED]> wrote
regarding Re: Built in Virus Scanners!:


> On Sun, 07 May 2000 16:45:53 GMT, Charlie Ebert <[EMAIL PROTECTED]>
> wrote:

> <snip>

> :> Boris
> :
> :
> :NO BORIN,
> :
> :The main problem with the Microsoft Virus is it spread itself and
> :metastasized itself
> :to virtually everything in my office.
> :
> :I'm afraid you have to step down now and return to the audience sir.
> :
> :Charlie


> Exactly why were you letting .vbs files even come in?  Seems like bad
> administration to me after the first few vbs viruses.

> By the way, your news reader is broken.

Our company has no filter for eliminating a certain extensioned file.
The VB script files are allowed in as our corporate package uses them
to communicate with 17,000 other branch offices thru our software system.
VB script passing is pretty commonplace at my office.

Charlie






------------------------------

From: Charlie Ebert <[EMAIL PROTECTED]>
Subject: Re: Built in Virus Scanners!
Crossposted-To: comp.os.ms-windows.nt.advocacy
Date: Mon, 08 May 2000 00:23:29 GMT

I think this man's article is intelligent but, I
have to comment on just two paragraphs.


> Ahhh, maybe. Influenced by Windows 3.11. Backward
> compatibility and so on. I agree there are too many
> compromises for backward compatibility. But I also
> deal with people every day who literally froth at the
> mouth at the prospect of changing one silly legacy
> feature.


Backwards compatibility is a VERY SAD POINT which I
do not want to discuss in detail here and now!
But I'm glad you have caught this, despite everyone
else NOT doing so.  It makes me EVEN madder that
the ONLY backwards compatibility we haven't had a problem
with has been VIRUS INFECTIONS!

> Same here. In NT. Not saying it isn't an issue, people
> do have these sorts of problems. Just pointing out that
> not everyone has these problems. Those of us who
> don't have them don't really care how much trouble other
> people have.

I've been a WIN API programmer since windows came out and
I just want to say I have to reboot my NT workstation
every 2 days and my server has to be re-booted EVERYDAY!

But, as you said, "you're not saying this isn't an issue".

Charlie







------------------------------

From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy,comp.lang.java.advocacy
Subject: Re: Dvorak calls Microsoft on 'innovation'
Date: Sun, 7 May 2000 20:06:24 -0500

Mathias Grimmberger <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Displaying the image is not difficult.  Getting the Image from the Biometric
> > module in a standard way is.  A common theme in Fingerprint identification
> > (not just validation, which is much easier than identification) is to show
> > the user the fingerprint being scanned and then superimposing graphical data
> > on top which helps show how many minutiae points are identified.
>
> As I look at the problem the biometrics module should do that. It has
> all the data and presumably also knows the best way to provide suitable
> feedback to the user so it can work in an optimal way. I would not
> expect the app vendor to think about or do research on the topic.

If you rely on the biometrics module to provide feedback, then the feedback
image could appear anywhere.  The application underneath may not want that,
thus it may want to control where the feedback is displayed and perhaps
display it within its own application.

> > Now, suppose you want the app to determine how accurate a sample you need.
> > You might say that only 40% accuracy was needed for this application. The
> > less accuracy you accept, the fewer false negatives you'll have and the
> > easier it is to use.
>
> Easy. Just pass some parameter(s) (a number between 0 and 100 was what
> we used IIRC) to the biometrics module and document its effects
> (e.g. that it is the required accuracy in percent).
>
> This is suitably abstract to work for many biometric methods.

But requires a common API in order to make it vendor neutral.

> > In my experience, providing proper user feedback is essential to getting a
> > good identification.
>
> Of course. I'm just saying that I think getting the users to cooperate
> is difficult, at least if your target audience is the general
> population.

It's seldom the general population.  Your target audience is almost always
going to be corporate employees (or government).  Those people can be
trained.

> > What's wrong with a cleartext password?  It's not like the password is being
> > transmitted over a wire.  It's all internal.
>
> One of the first rules in security is: "Do not store passwords nor
> password equivalents". That it's all internal doesn't matter - if it's
> there then there is a way to get at it. It doesn't even matter if that
> would require Admin privileges, even the admin should not be able to get
> at any passwords.

There is semantically no difference between forcing a user to enter his
cleartext password and having an application send that password.  I fail to
see the difference.  Suppose the password were encrypted.  Sending an
encrypted password is no different than sending a cleartext one, it's just a
set of characters.

> > So your argument is that "few apps need this"?  If it was available, more
> > apps would take advantage of it.
>
> That and that a useful generic API is very hard to do.

I didn't say it wasn't.  But a useful generic CryptoAPI is also hard to do.

> I don't believe that every app will use biometrics if it is only made
> easy enough. What use would biometrics be for e.g. a word processor? The
> user using it is *already* authenticated by being logged in in the first
> place and that goes for the majority of apps.

I didn't say every app will use it.  I did say that if there was a common
API, then more apps would use it.

> Of course one can do neat things with biometrics, like constantly
> verifying that the user in front of the box is allowed to use it. How
> relevant would that be in the real world?

I think we're only touching the tip of the iceberg when it comes to
biometrics.  We'll find much greater uses for it in the coming years as it
becomes more ubiquitous.  I don't pretend to know the future.

> > And not all uses of biometrics are for national defense level security. A
> > good use is when you have a terminal sitting out in a store somewhere and
> > you want to make sure only authorized people use it.
>
> But that is again a very special application, there will be special
> software running, not some generic app. What use is biometrics for the
> average user, the market MS is in?

Very special?  It's a pretty common one actually.  There are millions of
stores around the world that could make use of such a feature.

> > Biometrics is uncommon and expensive primarily because there's no
> > standardized way of using it.
>
> May be true, I don't really know. I'm a pessimist as far as funky new
> technologies are concerned.

And that's the attitude that keeps them from becoming commonplace.

> > Why do you say that?  I think all use cases can be identified in biometrics.
>
> All use cases maybe (although saying "all" in such a context frightens
> me).

I should have said most.  You're always going to have special circumstances.

> All biometric methods, useful data formats - no way. What data format
> will a biometric method using DNS samples use? Can you get all providers
> of fingerprint biometrics to use the same data format? I don't see it.

You mean DNA?  And part of a standard is to define common formats.  That
doesn't mean the vendor has to use that format internally, only that it
exports that format on request.

> So the API either will only deal with opaque data or can't support every
> biometric method imaginable.

It doesn't need to deal with every opaque data format.  Only the ones that
it defines.

> > Not true.  Suppose I want to integrate speech recognition and voice print
> > recognition (each command must be identified as valid from this person
> > before processed).  Now, I need access to the voice sample to run it through
> > my speech recognition after it's been validated.  How do I do that in a
> > generic way without calling directly into the vendors API?
>
> Hmm, OK, I didn't think of such a scenario.
>
> But this requires that the data formats used by the speech recognition
> and the voice print recognition be the same or convertible into each
> other.

I think we can agree that voice samples are pretty common formats these
days.

> > > > They did a pretty good job with the CryptoAPI.
> > >
> > > You mean the one with the _NSAKEY variable? It's not secure. And no,
> > > this has nothing to do with "NSA" being a part of that variable name, if
> > > the rumours were true that would be the second security hole.
> >
> > Do you know anything about this?  MS's CryptoAPI has been reviewed by lots
> > of security experts.  Don't babble about net rumors.
>
> The story goes like this:
>
> In CAPI all components used are cryptographically signed - no valid
> signature, no way to use that module. This is an important part of the
> security of the whole thing.
>
> For unknown reasons MS included *two* public keys in the API, the
> primary one and the one called _NSAKEY. MS claims the second one is a
> backup should the first one become unavailable - that is just bogus, why
> can't they keep a backup of the first one? AFAIK MS also never provided
> proof that they actually have access to the private key matching the
> public _NSAKEY, but that thought leads to the conspiracy theory...

Bruce Schneier, one of the most respected members of the cryptology field, has
said in his newsletter that he doesn't buy the story coming from the
anti-microsoft advocates.

Your question, why not store a backup copy of the key is silly.  Keys are
meant to be secure and not to be copied.  If you can copy it once, you can
copy it a million times.  Then it's not secure at all.  And in any case,
that doesn't help if the key is compromised and changed.  Suppose you have
1000 keys to your front door.  Does it help you if your wife changes the
lock?

> Now for the purpose of signing CAPI components the two keys are
> equivalent. Their protection is not equivalent however - while you can't
> change the primary key you can just change the secondary and sign new
> modules with the matching private key.
>
> There exists a little tool on the net which does just that. Apparently
> crypto companies have known about the whole thing for some years and
> have used it for their own purposes (installing their crypto modules).
>
> A bad guy could now install new components which use rot-13 for
> encryption. Poof, no security anymore. Without additional measures you
> just can't trust the modules CAPI is using which was a design goal
> AFAIK. So in my book CAPI is not secure because of that.

Installing rot-13 won't allow you to decode 128 bit encrypted data.





------------------------------

From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy,local.unix.general
Subject: Re: Malicious scripts on Unix
Date: Sun, 7 May 2000 20:09:17 -0500

Bob Tennent <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, 05 May 2000 13:38:43 -0500, Brian Fristensky wrote:
>  >Unix mailers are still susceptible
>  >to malicious scripts.
>
> You've ignored a rather significant difference between Windows
> and Unix (or NT W2k) systems: no security.  Even if a malicious script
> is executed on a properly configured Unix box it will only affect the files
> accessible to the luser, *not* crucial system files.

Irrelevant.  The biggest problem with the love bug virus is that it sends
copies of itself to other users on their mailing lists.  This has been
clogging email systems and bringing them to a crawl.  This is doable with or
without security.





------------------------------

From: "Quantum Leaper" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.advocacy,comp.sys.mac.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: which OS is best?
Date: Mon, 08 May 2000 01:02:10 GMT


"Mike Marion" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> craig wrote:
>
> > I've been through domain name changes with MSX many times - just export your
> > user lists to a CSV, import into spreadsheet, add the new address via search
> > and replace, and import the updates. Shouldn't take more than an hour or
> > so!!!
>
> So you need another large app installed just to make some simple changes? The
> fact that you have to export and then import is pretty lame.  You can get to
> simple data like this on a unix box with a text editor.
>

No, CSV is comma delimited format (you do know what that means), and can be
edited with just about ANY Text editor, also.  It might help to know what the
format of the data is, before responding.

> Whereas on the *nix box, you can do the same thing in less time using the shell
> itself (its scripting language) and things like sed or awk... which come with
> every unix nowadays.
>
Everyone has their favorite tools...



------------------------------

From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Sun, 7 May 2000 20:18:16 -0500

mlw <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > So a script I run monthly to delete a whole bunch of files off my drive is
> > going to get stopped as a virus ?
> >
> > A script I have that sends out a monthly letter to a mailing list ?
> >
> > A script to regularly download a web page for me ?
> >
> > A sysadmin-supplied script to update the registry ?
>
> From an e-mail? Absolutely.

But that's just it.  The script doesn't execute in the context of the email
program.  It executes outside of it because the user has told the email
program to execute the attachment.





------------------------------

From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Sun, 7 May 2000 20:20:45 -0500

Bart Oldeman <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Please detail to us how you're going to detect the difference between
> > "dangerous" and "safe" attachments.
>
> Every binary and vb-script is potentially dangerous. A jpeg, text file,
> java file executed in a sandbox is not. It's easy enough.

vbscript executed in a sandbox is equally as safe.  The problem is that this
is executed outside the sandbox because it's an attachment.  The same would
be true of a java program sent to a user as an attachment, it would be run
outside of the sandbox.





------------------------------

From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Sun, 7 May 2000 20:22:31 -0500

Marc Schlensog <[EMAIL PROTECTED]> wrote in message
news:8f3vqf$e6v$[EMAIL PROTECTED]...
> > Please detail to us how you're going to detect the difference between
> > "dangerous" and "safe" attachments.
>
> Dangerous in a sense, that the attachment has access to the entire system,
> safe in a sense, that the attachment contains a picture, a textfile, a
> soundfile, or even a JAVA-script

Sorry, attached Java scripts can do the same damage.





------------------------------

From: "Erik Funkenbusch" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Sun, 7 May 2000 20:26:55 -0500

Rich C <[EMAIL PROTECTED]> wrote in message news:3915a528@news...
> > No, it probably doesn't.  Even in this particular case, all the OS is doing
> > is fetching and executing another application - the scripting host - to
> > execute a script.  The script *is* a document.
>
> Right. And as I've said in other parts of this thread, and "document" file
> should be passed to the registered application, and it should be up to the
> application to provide security. Which simply proves how irresponsible the
> VB scripting host is. Java doesn't do this type of thing.

Wrong.  Java is just as dangerous when executed outside the sandbox (which
is what happens when you open an attachment.  Go ahead, send yourself a Java
program as an attachment and then open the attachment and see what happens).

Unix doesn't check the source of the shell script either.





------------------------------

From: "Nick" <[EMAIL PROTECTED]>
Crossposted-To: alt.linux,alt.os.linux,alt.os.linux.caldera,alt.os.linux.mandrake,comp.os.linux,comp.os.linux.questions
Subject: Programs for Linux
Date: Mon, 08 May 2000 01:41:44 GMT

Hello all, to start off, I'd like to tell you what this is about. I am a
certified Linux Admin, and I have several
issues about programs for Linux that I would like to talk about. Just to
clarify to all of the dull-brained argumentative people (you know who you
are): I am using Windows to write this.

I like Linux, I think it's the coolest OS in the world, however any OS needs
programs to make it popular. If I was just going to be an Internet Junkie,
Linux is fine. I can listen to my multimedia files, I can chat on ICQ, and I
can surf the web. However, I can not do the productive things I want to do.

First off, I want to be able to do lots of CAD, and I want to use my CAD
work to design electronic devices. Print blueprints... et cetera.

Another thing I would like to do is Advanced 3D modeling and other 3D imaging.
Perhaps I want to make a model of something I want to build, or make a 3D
computer-animated cartoon.

I want to compose MIDI files. Nuff said.

I want to use IEEE 1394 to edit videos.

I want to make Employee Identification Cards with a plastic card printer.
Just like the one they have at the local YMCA to make member cards.

 If you know of some post-development applications that can do these things,
tell us all!!!
You can email me at [EMAIL PROTECTED]
If not, guys and gals, we need to get busy programming!

--NSC--
_The Liquid Linux Project_


Posted on: alt.linux, alt.os.linux, alt.os.linux.caldera,
alt.os.linux.mandrake, comp.os.linux, comp.os.linux.advocacy,
comp.os.linux.questions




------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: Browsers and e-mail
Date: 8 May 2000 01:42:32 GMT

In comp.os.linux.advocacy Christopher Smith <[EMAIL PROTECTED]> wrote:

> "mlw" <[EMAIL PROTECTED]> wrote in message

>> So, OK, what's the answer? I think we all agree that something like the
>> "ILOVEYOU" virus will continue to happen in increasing frequency. How do
>> you stop it? You can't keep arresting 14 year olds every time this
>> happens, you have to decide that security is important.

> 1.  Get out a clue stick and *cough*re-educate*cough* people who open
> attachments they know nothing about.

When did the definition of "open" suddenly switch from "read" to
"execute"?  Suppose you received a letter through snailmail that read
"burn the house down".  If you did things like Outlook did things, you'd
torch your house without question.  However, you'd set it aside because
you wouldn't follow suggestions that come from unknown sources.

> 2.  Get your sysadmin to distribute a little registry patch to make the
> default action of a .vbs file to "Edit" instead of "Open".  Have said patch
> installed during a login script.

This doesn't fix the underlying problem that BillWare likes to execute
unknown code without telling anybody.  You don't pick up objects on the
sidewalk and pop them into your mouth, do you?  Your operating system and
applications shouldn't be doing the equivalent.

-- 
David Griffith          Have you met Cadbury, the Destructo-Bunny yet?
[EMAIL PROTECTED]
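
[Added example, not part of this digest or of any post in it. Several posts here argue over whether .vbs attachments should be let in at all and how a filter would tell "dangerous" from "safe" attachments; the Python below screens attachments at a mail gateway by the extension the desktop would dispatch on rather than by the declared MIME type. The extension lists, verdict names and the sample message are assumptions constructed for illustration.]

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed site policy (not from the posts): extensions a desktop hands to an
# interpreter or loader when the user "opens" the file.
EXECUTABLE_EXTS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd",
    ".com", ".exe", ".pif", ".scr", ".jar", ".class", ".sh",
}
# Assumed list of harmless-looking extensions used as a decoy before the real one.
DECOY_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".doc", ".pdf", ".mp3"}


def split_extensions(filename):
    """Return every extension in the name, lowercased, final one last."""
    # Windows drops trailing dots and spaces, so "a.vbs. " still opens as .vbs.
    name = filename.strip().rstrip(". ").lower()
    return ["." + p for p in name.split(".")[1:] if p]


def screen_attachment(filename, content_type):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'pass'."""
    if not filename:
        return "quarantine", "attachment has no filename"
    exts = split_extensions(filename)
    if not exts:
        return "quarantine", "no extension, handler cannot be predicted"
    final = exts[-1]
    if final not in EXECUTABLE_EXTS:
        return "pass", "extension not on the executable list"
    if len(exts) > 1 and exts[-2] in DECOY_EXTS:
        return "block", f"executable {final} hidden behind {exts[-2]}"
    if not content_type.startswith("application/"):
        # The declared MIME type is only a label; the desktop chooses the
        # handler from the extension, so the extension decides.
        return "block", f"executable {final} declared as {content_type}"
    return "block", f"executable extension {final}"


def screen_message(raw):
    """Parse a raw message and screen each attachment it carries."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict, reason = screen_attachment(name, part.get_content_type())
        results.append((name, verdict, reason))
    return results


def build_sample():
    """Constructed message; addresses, names and bodies are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "branch@example.com"
    msg["Subject"] = "monthly report"
    msg.set_content("See attachments.")
    placeholder = b"' constructed placeholder, not a real script\r\n"
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif",
                       filename="logo.gif")
    msg.add_attachment(placeholder, maintype="application",
                       subtype="octet-stream", filename="update.TXT.vbs")
    msg.add_attachment(placeholder, maintype="image", subtype="jpeg",
                       filename="photo.vbs")
    msg.add_attachment("col1,col2\n", subtype="csv", filename="users.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample()):
        print(f"{verdict:10} {name!r}: {reason}")
```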

------------------------------

From: mlw <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: This is Bullsh&^%T!!!
Date: Sun, 07 May 2000 21:47:20 -0400

Erik Funkenbusch wrote:
> 
> mlw <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > > So a script I run monthly to delete a whole bunch of files off my drive is
> > > going to get stopped as a virus ?
> > >
> > > A script I have that sends out a monthly letter to a mailing list ?
> > >
> > > A script to regularly download a web page for me ?
> > >
> > > A sysadmin-supplied script to update the registry ?
> >
> > From an e-mail? Absolutely.
> 
> But that's just it.  The script doesn't execute in the context of the email
> program.  It executes outside of it because the user has told the email
> program to execute the attachment.

A vbs script is interpreted on the context of a vb dll, which is loaded
by the e-mail client. Are you telling me that it is impossible to add
limitations to the environment in which code executes? If so, then
Microsoft should get out of the browser and e-mail business right now.

-- 
Mohawk Software
Windows 9x, Windows NT, UNIX, Linux. Applications, drivers, support. 
Visit http://www.mohawksoft.com
"We've got a blind date with destiny, and it looks like she ordered the
lobster"

------------------------------

From: [EMAIL PROTECTED] (Leslie Mikesell)
Crossposted-To: comp.os.ms-windows.nt.advocacy,local.unix.general
Subject: Re: Malicious scripts on Unix
Date: 7 May 2000 20:44:49 -0500

In article <QloR4.20$[EMAIL PROTECTED]>,
Erik Funkenbusch <[EMAIL PROTECTED]> wrote:
>Bob Tennent <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> On Fri, 05 May 2000 13:38:43 -0500, Brian Fristensky wrote:
>>  >Unix mailers are still susceptible
>>  >to malicious scripts.
>>
>> You've ignored a rather significant difference between Windows
>> and Unix (or NT W2k) systems: no security.  Even if a malicious script
>> is executed on a properly configured Unix box it will only affect the files
>> accessible to the luser, *not* crucial system files.
>
>Irrelevant.  The biggest problem with the love bug virus is that it sends
>copies of itself to other users on their mailing lists.  This has been
>clogging email systems and bringing them to a crawl.  This is doable with or
>without security.

That may be the biggest problem for most people, but it also deletes
graphic files.  If you happen to be a graphic artist and it deletes
all your archived work I don't think you would be real happy.

  Les Mikesell
   [EMAIL PROTECTED] 

------------------------------

From: Roger <roger@.>
Crossposted-To: alt.lang.basic,alt.destroy.microsoft
Subject: Re: QB 4.5 in Win 2000
Date: Mon, 08 May 2000 02:06:06 GMT

On Tue, 25 Apr 2000 22:03:27 -0400, someone claiming to be T. Max
Devlin wrote:

>Quoting Roger from alt.destroy.microsoft; Wed, 26 Apr 2000 01:10:13 GMT

>>If I thought you were a person of honour, [...]

>Well, you don't.  So quit wasting my time.

Once again, I do not post for your benefit, liar.

------------------------------

From: Roger <roger@.>
Crossposted-To: alt.lang.basic,alt.destroy.microsoft
Subject: Re: QB 4.5 in Win 2000
Date: Mon, 08 May 2000 02:07:29 GMT

On 03 May 2000 10:56:02 -0600, someone claiming to be Craig Kelley
wrote:

>We run Office97.
>
>How do we buy new copies for the new machines (which aren't just
>replacing the old ones).
>
>Either we all have to upgrade to Office2000, or the new machines go
>without... 

Why?  Office 2000 can save its docs in the older format, and this can
even be made the default.

Why should you have to upgrade?

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.advocacy) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
