Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-21 Thread Chris Palmer

Doug White writes:

> It would be nearly impossible for computer software makers to provide
> against any type of attack by those so inclined.  The result is that
> they are reactive rather than pro-active.

That's not the point. The difference in degree of security between
Windows and Mac OS X is so great as to be a difference in kind. It is
possible for vendors to build, and customers to buy, sufficiently safe
Internet client software.


It is also possible to mitigate the spam problem (which started this
whole thread, as you may recall :). From where I'm sitting, Apple Mail's
spam detection feature, Spam Assassin, and similar products all do a
sufficiently good job. I get obscene amounts of spam at this account,
but I see very little of it (even though my version of Spam Assassin is 
old).

Now, I know network operators have a different point of view (I have
been one): that spam consumes expensive network resources. But even
Hotmail (and who could have a worse spam problem than Hotmail?) only
blackholes specific hosts or small subnets, and only then for 24-48
hours. This idea of cutting off entire ISPs/countries/operating
systems/ethnicities from their access to certain or all services is very 
poor and reflects badly on those who propose it.

The spam problem is as mitigatable as it is bad, and taking away or
reducing the usefulness of the network in order to save a few bits or
bucks is a bad trade. Freedom, openness and universal access are worth
the trouble.

Why is it that some people respond to the problem by breaking things 
rather than building things? In particular, something like Bastille (the 
Linux hardening kit) for Windows would be great.


-- 
Chris Palmer
Staff Technologist, Electronic Frontier Foundation
415 436 9333 x124 (desk), 415 305 5842 (cell)


Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Scott McGrath


Operating systems bundled with a retail computer _should_ be reasonably
secure out of the box.

OS X can be placed on an unprotected internet connection in an unpatched
state and its default configuration allows it to be patched to current
levels without it being compromised.

On the other hand Win2k & XP will be compromised in under 5 minutes if
connected to the same unfiltered connection (the record here is 35 seconds
for time to compromise).

I am not saying that OS X is the paragon of all things good.  But its
basic settings take into account the average user's skill level and
ability to secure the OS; if you want less security the user needs to
_specifically_ configure the machine to allow the reduced level of
protection.

Whereas the desire for chrome on Win has made a platform which is
virtually impossible for the average user to secure.

I use both on a daily basis as well as Solaris and Linux so I consider
myself somewhat agnostic on OS choices as each does something better than
the others and I use it for that function.


Scott C. McGrath



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Doug White


[snip]
:
: My argument is that a computer needs to be in a safe state by default. I
: firmly believe that if I buy a brand new box from any reputable vendor
: with a premium operating system of choice I should be able to connect this
: device to a local broadband connection indefinitely. It needs to be safe
: without user training or user intervention.
:


It would be nearly impossible for computer software makers to provide against
any type of attack by those so inclined.  The result is that they are reactive
rather than pro-active.

Understand that the software maker wants his product to have all the features
and gee-gaws that make it attractive and simple to use, and most work well in
this area, but over-compensating for any potential type of attack before
delivery is, in my opinion, an impossible task.

One may wish that there were no vulnerabilities in any operating system, but
this is not the case.  There are vulnerabilities in all the operating systems
in place today.   There are many admins (even if the admin is an uneducated
end-user) who do not bother to update their software or operating systems.

This practice is why Linux/Unix systems get chrooted, Windows machines get
compromised, even OSX.

Some of the vulnerabilities are in the chipset on the motherboard, be it Intel,
AMD, or Motorola.
The software maker must try to compensate for those failings as well.

As long as there are otherwise bored miscreants who will continue to try to
exploit the vulnerabilities they will continue to happen, no matter what the
patch position is, no matter the OS or chipset used.

There are many security capabilities built into many OS distributions, and
relatively few are ever implemented.  Why?  Your guess is as good as mine, but
my guess is that it consumes time that is not budgeted.

just my 0.02



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden

> As for the specifics of your comments, I could not disagree more, but it
> is a philosophy of life that distinguishes our views, not the analysis of
> the problem.   I believe (like a lot of other New Englanders and even
> some from California) that people must assume responsibility for their
> actions.  If responsibility is not enforced, society collapses (into e.g.
> the kind of chaos we see on the internet.)

I like the term responsibility but how is it applied? If I own a vehicle, 
what are my responsibilities? I have to obtain a drivers license which 
gives me the privilege of driving a motor vehicle. Driving a motor vehicle 
is an active choice, I am behind the wheel putting the vehicle in motion. 
I am responsible for all the consequences of my actions while driving. 
Where is my responsibility in vehicle ownership? Is it responsible to 
leave the vehicle locked at the curb, unlocked, keys in the ignition? What 
are my responsibilities when an unauthorized person uses my vehicle?
Driving a motor vehicle is a complex task. There is enforcement in place 
and it is common knowledge that training and license is required to use a 
motor vehicle.

What about a baseball bat? Where is my responsibility in owning a baseball 
bat? If I store my baseball bat leaning against my backdoor, am I 
responsible if my neighbour uses it without my permission to crack his 
wife's skull?

> In 2004 no one is "tricked" into using rubbish software; there are 
> plenty of alternatives, and the rubbishy nature of the leading OS is
> in almost every day's newspaper.  It's a choice people make, like overeating
> and gaining weight.  No one is there with a gun forcing people to gain 
> weight.

My argument is that a computer needs to be in a safe state by default. I 
firmly believe that if I buy a brand new box from any reputable vendor 
with a premium operating system of choice I should be able to connect this 
device to a local broadband connection indefinitely. It needs to be safe 
without user training or user intervention.

> As for "uneducated", the solution is the same as for bad drivers:
> training.  If you are a threat to the rest of the internet because of
> your ignorance (or irresponsibility) then you do not qualify for
> connectivity, just as bad drivers don't get licenses, bad credit
> risks don't get credit, and drunk airline pilots stop flying.  

I can walk, I can take a bicycle. Owning a computer today is like owning a 
performance car. There is no learning curve, it's all or nothing.

If this is the way it has to be, then service providers need to take 
responsibility and provide a safe environment for the uneducated users. 
This includes filtering ports, filtering emails, etc. A last resort is 
terminating service if a user is unwilling to learn at all.

Adi



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Dr. Jeffrey Race

On Tue, 20 Apr 2004 09:21:02 -0500 (CDT), Adi Linden wrote:
>> Since many gateway service providers will not prevent insufficiently
>> skilled users from connecting to the internet and injuring others, the 
>> only remaining solution, as far as I can see, is cutting connectivity
>> with those enablers.  That is the proposal I advanced in
>> .
>And once again you're punishing the victim. Let's not forget that the 
>uneducated end user is tricked into doing things that are not good for 
>them or the rest of the internet connected world.
>Unfortunately the only feasible and readily available computer solution 
>for the uneducated end user is a single available operating system. 
>Everyone is at the mercy of this product with all its flaws and downfalls. 
>Instead of continually blaming the uneducated end user how about providing 
>tools to the uneducated end user that can be used to connect to the 
>internet without becoming a liability. A toaster with keyboard and monitor...

I beg to clarify that I am not "blaming" anyone; I am describing a system
with known input-output properties and internal structures.  We know how
this system behaves in terms of technology and human behavior, and we 
know what to do to the inputs to change the outputs.   If you choose
to smoke, you get cancer.   Same with spam.   If you don't want to have
spam, you have to change some behaviors.   Some people will be inconvenienced.
Life is full of such choices.

As for the specifics of your comments, I could not disagree more, but it
is a philosophy of life that distinguishes our views, not the analysis of
the problem.   I believe (like a lot of other New Englanders and even
some from California) that people must assume responsibility for their
actions.  If responsibility is not enforced, society collapses (into e.g.
the kind of chaos we see on the internet.)

In 2004 no one is "tricked" into using rubbish software; there are 
plenty of alternatives, and the rubbishy nature of the leading OS is
in almost every day's newspaper.  It's a choice people make, like overeating
and gaining weight.  No one is there with a gun forcing people to gain 
weight.

As for "uneducated", the solution is the same as for bad drivers:
training.  If you are a threat to the rest of the internet because of
your ignorance (or irresponsibility) then you do not qualify for
connectivity, just as bad drivers don't get licenses, bad credit
risks don't get credit, and drunk airline pilots stop flying.  

To repeat: the solution to spam is to apply rigorously the same rules
to the internet as are used everywhere else in society.   It is simple,
it pays for itself, it works, and it works immediately.  Some people
will be upset, like the smokers who have to go outside for a puff or
even give up their habit.  However the result is better for EVERYONE
including "the uneducated".

Jeffrey Race



The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden

> >Think globally.  Even though this forum has NA as its heading, we need to
> >think globally when suggesting solutions.  You'll never get any sort of
> >licensing globally nor will you EVER get end users (globally) educated
> >enough to stop doing the things that they do which allow these events to
> >continually occur.
> 
> Since many gateway service providers will not prevent insufficiently
> skilled users from connecting to the internet and injuring others, the 
> only remaining solution, as far as I can see, is cutting connectivity
> with those enablers.  That is the proposal I advanced in
> .

And once again you're punishing the victim. Let's not forget that the 
uneducated end user is tricked into doing things that are not good for 
them or the rest of the internet connected world.

Unfortunately the only feasible and readily available computer solution 
for the uneducated end user is a single available operating system. 
Everyone is at the mercy of this product with all its flaws and downfalls. 

Instead of continually blaming the uneducated end user how about providing 
tools to the uneducated end user that can be used to connect to the 
internet without becoming a liability. A toaster with keyboard and 
monitor...

Adi



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Alexei Roudnev

I agree.

90% of users CAN NOT UPDATE. How?

- (1) updates are too big to be downloaded by modem, which fails every 20 -
40 minutes (which is common in many countries);
- (2) if you connect to the Internet for the update, you are infected by a virus much
faster than you can install the update.

I saw it. A home user installs Win2K, then connects to the internet to get the update...
and catches a virus.




>
> ** Reply to message from Drew Weaver <[EMAIL PROTECTED]> on Mon,
> 19 Apr 2004 13:42:53 -0400
>
> > -- Jeff said -- 
> >
> >
> > Patches either need to be of a size that a dialup user doesn't have to
> > be dialed in for 24 hours to download and install them.  Or .iso's
> > should be available for ISP's to download, turn into CD's and
> > distribute as appropriate. Wouldn't that be nice for a dialup user -
> > getting Windows Update on a CD-ROM from their ISP?
> >
> > To which I reply:
> >
> > It is somewhat unreasonable to think that ISPs should be responsible
> > for the security of its users' systems on a systematic basis.
>
> Responsible? No.
> Able to assist in maintaining that security (and thus that of the ISP's
> network)? Yes.
>
> >Another reason
> > the idea of a 'CD with updates' most likely wouldn't be effective is because
> > by the time the ISP produced the CD, the user got the CD, and installed it,
> > the patches would most likely not be the most recent available.
>
> I can burn a CD from ISO in about 5 minutes - how about you?
> I'm talking about XP users who haven't even updated as far as SP1.
> Win98 users who have never run an update in their life...
> Win2k users are usually the most patched up that I've seen - because
> that went into mostly business environments.
> This would at least get them up to the level of the playing field,
> where the routine updates are not as much of a hassle.  Sure, you'll
> get the little old ladies and gentlemen who will drop by every month
> for their service pack fix, but that's just customer service.
>
> > Also, do you
> > realize how much the 'average technical school graduate type' makes just
> > from acquaintances who complain that their computers are slow, by simply
> > removing whatever "flavor of the month backdoor spam proxy virus"
>
> Ah, now you are talking about why I happily promote Ad-Aware and
> Spybot.
>
> >I bet a
> > good number of 'tech service calls' that companies such as PC On Call and
> > people who service residences get could've been avoided by patching in a
> > reasonable time period.
>
> And your problem with the local ISP having this stuff available for
> their users is?
>
> > However, a while ago we tried an idea of sending out E-Mail alerts to
> > our customers whenever a critical update of "Remote execution" or worse was
> > released. We found that most of our users were annoyed by this, a different
> > time we used a network sniffing tool to find a few dozen handfuls of your
> > average home Dial-Up users who were infected with various malicious agents
> > (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> > know and again we were met with more hostility.
>
> You definitely don't have our customers then.  Our usually appreciate
> being told that their systems are screwed up.
>
> > From this interesting pattern I would surmise that users want their
> > ISPs to be hands-off unless the problem that they're causing is affecting
> > them directly. End users on the Internet see their connectivity as a right,
> > and not a privilege. I remember when I was 13 (that was only 11 years ago)
>
> Some of ours are like that. Most seem to realize their limitations and
> are happy to know that at some level we are looking out for them. BTW,
> for me 13 was many more years ago than that... RTM wasn't even in
> college yet, I imagine.
>
> > and I signed up for my Freenet account at the Columbus Public Library (I
> > believe it was, ? still is? Through OSU), they really made me feel like it
> > was a privilege to be using the Internet, and I honored that.
>
> Dial-up, or using their systems at the library? And you weren't paying
> for the privilege, at least not directly.
>
> > It's just difficult to explain from a professional level what the effects
> > these peoples' behavior (or lack thereof) is having on the rest of the
> > community. Think of it like people who drive monster SUV's, they can afford
> > the gas, and the insurance so they don't believe that the harm that these
> > beasts do to our environment matter, because again it's their god given right
> > to drive them.
> >
> That's a whole 'nuther horse to kill there.
> -- 
> Jeff Shultz
> Network Technician
> Willamette Valley Internet



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Alexei Roudnev

Yes.

Unfortunately, one day 1,000,000 users will find in their mail boxes fully
automated CD with 'Microsoft Update' on the label and 1,000 viruses /
trojans inside. -:)





>
> >>
> Patches either need to be of a size that a dialup user doesn't have to
> be dialed in for 24 hours to download and install them.  Or .iso's
> should be available for ISP's to download, turn into CD's and
> distribute as appropriate. Wouldn't that be nice for a dialup user -
> getting Windows Update on a CD-ROM from their ISP?
> <<
>
> It shouldn't be just windows update which of course doesn't patch office
> etc., it should be a fully automated cd that the user pops in and it
> autoupdates ALL MICROSOFT PRODUCTS that are installed and it should do it
> without asking for the stupid office CDs..
>
> Geo.
>
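
The disc Alexei warns about, with 'Microsoft Update' on the label and something else inside, is exactly what an ISP-burned update CD has no defence against unless the user's machine checks the disc before running anything from it. As an added example (not code from this thread, from any ISP, or from Microsoft), here is such a check: every file on the disc is compared against a manifest of SHA-256 digests, any file the manifest does not cover (an extra autorun.inf, say) is rejected rather than ignored, and the manifest itself is compared against a digest obtained through a channel the disc cannot spoof, such as the ISP's website or the customer's invoice. The manifest format, the file names and contents, and the out-of-band digest are all constructed for the example.

```python
"""Verify an offline update disc against a manifest anchored out of band.

Added example, not from the thread.  The manifest format (one
"<sha256-hex>  <path>" line per file) and the sample disc contents are
assumptions made for the example.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(manifest: bytes) -> dict:
    """Map path -> expected digest.  Duplicate paths are an error, not a merge."""
    expected = {}
    for raw in manifest.decode("utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        if path in expected:
            raise ValueError(f"duplicate manifest entry: {path}")
        expected[path] = digest.lower()
    return expected


def verify_disc(disc: dict, manifest: bytes, trusted_manifest_digest: str) -> list:
    """Return a sorted list of problems; an empty list means the disc may be used.

    disc: {path: bytes} as read from the CD, including any autorun file.
    A file the manifest does not list is reported as "unlisted": an update
    disc has no business carrying files its publisher did not enumerate.
    """
    if sha256_hex(manifest) != trusted_manifest_digest.lower():
        # Nothing on the disc can be trusted if the manifest is not the published one.
        return ["manifest digest does not match the out-of-band value"]
    expected = parse_manifest(manifest)
    problems = []
    for path, digest in expected.items():
        if path not in disc:
            problems.append(f"missing: {path}")
        elif sha256_hex(disc[path]) != digest:
            problems.append(f"tampered: {path}")
    for path in disc:
        if path not in expected:
            problems.append(f"unlisted: {path}")
    return sorted(problems)


# --- constructed sample data (not real patches) ----------------------------
GENUINE_FILES = {
    "updates/xp-servicepack.exe": b"<genuine service pack bytes>",
    "updates/Office-SP1.exe": b"<genuine office service pack bytes>",
}
MANIFEST = "".join(
    f"{sha256_hex(data)}  {path}\n" for path, data in sorted(GENUINE_FILES.items())
).encode()
# The value the ISP publishes through a channel the disc cannot spoof.
TRUSTED_MANIFEST_DIGEST = sha256_hex(MANIFEST)


def demo_genuine() -> list:
    return verify_disc(dict(GENUINE_FILES), MANIFEST, TRUSTED_MANIFEST_DIGEST)


def demo_forged() -> list:
    """Same label, one patch swapped for a trojan, plus an autorun dropper."""
    forged = dict(GENUINE_FILES)
    forged["updates/Office-SP1.exe"] = b"<trojan>"
    forged["autorun.inf"] = b"[autorun]\nopen=setup.exe\n"
    forged["setup.exe"] = b"<dropper>"
    return verify_disc(forged, MANIFEST, TRUSTED_MANIFEST_DIGEST)


def demo_swapped_manifest() -> list:
    """The attacker ships a manifest consistent with his own files; only the
    out-of-band digest tells the two manifests apart."""
    forged = {"setup.exe": b"<dropper>"}
    fake_manifest = f"{sha256_hex(forged['setup.exe'])}  setup.exe\n".encode()
    return verify_disc(forged, fake_manifest, TRUSTED_MANIFEST_DIGEST)


if __name__ == "__main__":
    for name, fn in [("genuine", demo_genuine), ("forged", demo_forged),
                     ("swapped manifest", demo_swapped_manifest)]:
        print(f"{name}: {fn() or 'OK'}")
```

The third case is the one that matters: a forger can always ship a manifest that matches his own files, so the manifest digest has to come from somewhere other than the disc, and the check has to refuse the disc outright (not just flag individual files) when it does not match.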



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 17:53:45 -1000 (HST), Scott Weeks wrote:

>Neither can happen.  That's just another way of saying make 
all your users
>skilled or go out of business.

The SPs whose business model entails externalizing the
costs SHOULD go out of business.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Gregh


- Original Message - 
From: "Scott Weeks" <[EMAIL PROTECTED]>
To: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 1:07 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)


>
> Think globally.  Even though this forum has NA as its heading, we need to
> think globally when suggesting solutions.  You'll never get any sort of
> licensing globally nor will you EVER get end users (globally) educated
> enough to stop doing the things that they do which allow these events to
> continually occur.
>

I would like to point out one little area of concern in this discussion for
me - that was the critical update for Win XP of March 28th, 2002 in its
original output, not the amended one.

I don't know how many of your clients were affected by this but I had to
rush about in circles like a duck with a broken wing simply because some
users had altered their own settings, regardless of policy at each company,
so that they could apply updates for themselves. Consequently some XP (and I
believe W2K as well but I didn't see this on a W2K machine personally)
setups just went down in a heap and it took some time to fix them all.

So, while considering global solutions, if anyone were to seriously decide
all Windows machines will now be auto updated whether you like it or not, I
would definitely put a block on Windows web sites - as I had to do at that
time - so that no-one could get an update I didn't apply. Since that time,
any XP update gets tested on a machine that doesn't matter should it go down
prior to installation.

We are all so busy, here, looking at ways to solve a problem that is already
there. It should be stopped prior to it coming out and fixed at that point.
This means REAL beta testers, not whatever is going on in MS right now.
There should also be consequences. That implies a lot of people in I.T.
acting as one mind and enforcing something upon MS. That is where we will
always fail. Like the untended hard drive, we are too fragmented.

Greg.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Scott Weeks


: >Think globally.  Even though this forum has NA as its heading, we need to
: >think globally when suggesting solutions.  You'll never get any sort of
: >licensing globally nor will you EVER get end users (globally) educated
: >enough to stop doing the things that they do which allow these events to
: >continually occur.
:
: Since many gateway service providers will not prevent insufficiently
: skilled users from connecting to the internet and injuring others, the
: only remaining solution, as far as I can see, is cutting connectivity
: with those enablers.  That is the proposal I advanced in
: .
:
: The logic seems quite simple: either fix all the users (impossible
: as you state) or keep them off the net (which you say many SPs won't
: do; I believe some will but many won't) so the only solution is to
: cut the latter off.

Neither can happen.  That's just another way of saying make all your users
skilled or go out of business.  For example, cutting granny out of the
$9.95 dialup service is committing hara-kiri for those that do that type of
business.  You'll never get her to complete training so she can send baby
pictures to all her friends.   Especially all the grannies in all the
countries globally.


: If you are not willing to do that, then you will just have to accept
: the spam and we might as well stop whining about it.  It is your
: choice.

While I'm listening to all the smart (and many not so) folks figure it
out, I can press "d" quickly.  I'm not whining, I'm listening intently...
:-)

scott



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 17:07:45 -1000 (HST), Scott Weeks wrote:
>Think globally.  Even though this forum has NA as its heading, we need to
>think globally when suggesting solutions.  You'll never get any sort of
>licensing globally nor will you EVER get end users (globally) educated
>enough to stop doing the things that they do which allow these events to
>continually occur.

We are in violent agreement about this.

Since many gateway service providers will not prevent insufficiently
skilled users from connecting to the internet and injuring others, the 
only remaining solution, as far as I can see, is cutting connectivity
with those enablers.  That is the proposal I advanced in
.

The logic seems quite simple: either fix all the users (impossible
as you state) or keep them off the net (which you say many SPs won't
do; I believe some will but many won't) so the only solution is to
cut the latter off.  

If you are not willing to do that, then you will just have to accept
the spam and we might as well stop whining about it.  It is your
choice.

Jeffrey Race




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Scott Weeks



On Mon, 19 Apr 2004, Dr. Jeffrey Race wrote:
: On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
:
: > An uneducated
: >end user is not something you can fix with a service pack.
:
: A profound point, again highlighting the fact that there
: are no technical solutions to this problem.  (Though
: technical measures to enhance traceability are a big help.)
:
: So, the logical inference is training and licensing to
: get internet access.   When I was 16 in Connecticut many
: many years ago, we had to take a driver-training course
: (given by a policeman) to get a driver's license.
:
: I see no discussion about this approach, here or elsewhere.



Think globally.  Even though this forum has NA as its heading, we need to
think globally when suggesting solutions.  You'll never get any sort of
licensing globally nor will you EVER get end users (globally) educated
enough to stop doing the things that they do which allow these events to
continually occur.

scott



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Kristoff

On 19 Apr 2004 22:16:58 +
Paul Vixie <[EMAIL PROTECTED]> wrote:

> [(*) "weird" could mean streams of tcp/syn or tcp/rst, or forged source
>  addresses, or streams of unanswered udp, or streams of outbound tcp/25,
>  or udp/137..139, or who knows what it'll be by this time next month?]

Precisely.  It could be most anything and likely will be eventually.
Why not stop the hacks that are filtering, whitelists and rate limiting
and just replace end hosts with dumb terminals, the links with fixed
rate channels and in the network place all the controls and content?
Instead of network service providers we would mostly be a collection of
systems operators.

> inside the headend, or whatever), it's going to get done by the dreaded
> giant merciless monster known as "market forces".

This and the installed base is probably why the above won't occur over
night, but things are veering in that direction.  While end users will
resist many attempts to remove their freedom of bits, freedom of cpu and
freedom of connectivity, what is being designed, or better, re-designed
is a network with a very fragile infrastructure.  This is good for no
one.

The ideas about tussle (D. Clark, et al) are a way to think about the
problems and solutions, but still the difficulty, because of market
forces and installed base, is how to get there from here.

John


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Paul Vixie

> > Should ISPs start requiring their users to install Windows XP SP2?

nope.  especially since, according to bill gates, linux would have the
same reputation if it was as popular a platform (and therefore a target
of more virii.)  now, you could go further, and say "if you emit streams
of weird(*) looking traffic we'll shut your line down and wait for you to
call us and give us an explanation" but then you're just going to be
on the phone all the time and that's no good for anybody -- especially
since cleanup costs are high, and reinfection "costs" are low, and phone
time is really expensive.  so why not just disallow all that bad junk
all the time, instead of waiting for it to be seen in flight?

[(*) "weird" could mean streams of tcp/syn or tcp/rst, or forged source
 addresses, or streams of unanswered udp, or streams of outbound tcp/25,
 or udp/137..139, or who knows what it'll be by this time next month?]

> Let's face it -- this shouldn't have to be the ISP's problem. 

you're right, and it won't be for very much longer.  access isp's cannot
take responsibility for the health of their customers' computers, they
just need to work harder to ensure that access is all they provide, and
that servers don't work, udp/137..139 doesn't work, and outbound e-mail
is via tunnel or proxy.  since access isp's aren't able to do even that
much (for fear of their customers' wrath, or due to lack of technology
inside the headend, or whatever), it's going to get done by the dreaded
giant merciless monster known as "market forces".
-- 
Paul Vixie
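
The traffic patterns in Vixie's footnote, and the "network sniffing tool" the Drew Weaver quote earlier in the thread describes, both come down to per-circuit accounting over traffic the access ISP can see. As an added example (not code from this thread or from any ISP), here is that accounting over constructed flow records: a circuit is flagged for forged source addresses (the packets' source is not the address assigned to the line), for streams of unanswered SYNs or of RSTs, for streams of unanswered UDP, for tcp/25 going anywhere but the ISP's smarthost, and for udp/137..139 at all. The circuit-to-address table, the smarthost address, the thresholds and the flow records are all assumptions made up for the example.

```python
"""Flag access circuits emitting the "weird" traffic Vixie lists.

Added example, not from the thread.  The flow records, the circuit/address
table, the smarthost address and the thresholds are constructed for the
example; a real deployment feeds this from the access system and flow export.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    line: str       # access circuit the packets arrived on (what the ISP can trust)
    src: str        # source address claimed in the packets
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    flags: str      # TCP flags on the first packet ("S", "R", "SA", ...); "" for UDP
    answered: bool  # True if any packet was seen in the reverse direction


# Assumptions: the address assigned to each circuit, the ISP's own smarthost,
# and how many one-way flows per collection window count as a "stream".
LINE_ADDR = {"dsl-0017": "192.0.2.17", "dsl-0042": "192.0.2.42", "dsl-0099": "192.0.2.99"}
SMARTHOST = "192.0.2.1"
THRESHOLDS = {"syn_rst_streams": 20, "unanswered_udp": 20, "direct_smtp": 5}
NETBIOS_UDP = {137, 138, 139}


def classify(flows):
    """Return {line: sorted labels} for every circuit that tripped a check."""
    counts = defaultdict(lambda: defaultdict(int))
    mx_peers = defaultdict(set)   # distinct tcp/25 destinations other than the smarthost
    for f in flows:
        c = counts[f.line]
        if f.src != LINE_ADDR.get(f.line):
            c["forged_source"] += 1
        if f.proto == "tcp" and (f.flags == "R" or (f.flags == "S" and not f.answered)):
            c["syn_rst_streams"] += 1
        if f.proto == "udp" and not f.answered:
            c["unanswered_udp"] += 1
        if f.proto == "udp" and f.dport in NETBIOS_UDP:
            c["netbios_udp"] += 1
        if f.proto == "tcp" and f.dport == 25 and f.dst != SMARTHOST:
            mx_peers[f.line].add(f.dst)

    findings = {}
    for line, c in counts.items():
        labels = []
        if c["forged_source"]:          # a single forged packet is already a finding
            labels.append("forged_source")
        if c["netbios_udp"]:            # NetBIOS has no business leaving the access net
            labels.append("netbios_udp")
        if c["syn_rst_streams"] >= THRESHOLDS["syn_rst_streams"]:
            labels.append("syn_rst_streams")
        if c["unanswered_udp"] >= THRESHOLDS["unanswered_udp"]:
            labels.append("unanswered_udp")
        if len(mx_peers[line]) >= THRESHOLDS["direct_smtp"]:
            labels.append("direct_smtp")
        if labels:
            findings[line] = sorted(labels)
    return findings


def sample_flows():
    """Constructed records: a clean host, a scanning worm, and a spam proxy."""
    flows = []
    # dsl-0017: web browsing, DNS, and mail submitted through the smarthost
    flows += [Flow("dsl-0017", "192.0.2.17", "198.51.100.10", "tcp", 80, "S", True)] * 30
    flows.append(Flow("dsl-0017", "192.0.2.17", "198.51.100.53", "udp", 53, "", True))
    flows.append(Flow("dsl-0017", "192.0.2.17", SMARTHOST, "tcp", 25, "S", True))
    # dsl-0042: sweeping tcp/445 and udp/137 across a /24; almost nothing answers
    flows += [Flow("dsl-0042", "192.0.2.42", f"203.0.113.{i}", "tcp", 445, "S", False)
              for i in range(1, 41)]
    flows += [Flow("dsl-0042", "192.0.2.42", f"203.0.113.{i}", "udp", 137, "", False)
              for i in range(1, 26)]
    # dsl-0099: spam proxy talking straight to remote MXes from an address it does not own
    flows += [Flow("dsl-0099", "198.51.100.200", f"203.0.113.{i}", "tcp", 25, "S", True)
              for i in range(50, 60)]
    return flows


if __name__ == "__main__":
    for line, labels in sorted(classify(sample_flows()).items()):
        print(line, ", ".join(labels))
```

Running it prints the two circuits that tripped a check and leaves dsl-0017 alone. The thresholds are per collection window and need tuning against the access network's normal traffic before anyone's line is touched; the forged-source and NetBIOS checks, on the other hand, are the ones Vixie suggests simply enforcing at the headend all the time rather than waiting to observe.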


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Robert Boyle
At 02:27 PM 4/19/2004, you wrote:
> >I can burn a CD from ISO in about 5 minutes - how about you?
> >I'm talking about XP users who haven't even updated as far as SP1.
> >Win98 users who have never run an update in their life...
> >Win2k users are usually the most patched up that I've seen - because
> >that went into mostly business environments.
> >
> >This would at least get them up to the level of the playing field,
> >where the routine updates are not as much of a hassle.  Sure, you'll
> >get the little old ladies and gentlemen who will drop by every month
> >for their service pack fix, but that's just customer service.
>
> Doesn't Windows XP automatically do this by default currently?
No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it.
http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true

You can download anything on Windows Update here. We make many of these 
update files part of our standard dialup install CD. Especially service 
packs. They aren't installed by default, but they are on the CD if they 
need them. No 24 hour downloads needed.

R

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Valdis . Kletnieks
On Mon, 19 Apr 2004 09:10:32 EDT, "Dr. Jeffrey Race" said:
> 
> On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
> 
> > An uneducated
> >end user is not something you can fix with a service pack.
> 
> 
> A profound point, again highlighting the fact that there
> are no technical solutions to this problem.  (Though
> technical measures to enhance traceability are a big help.)

Well, there *are* technical solutions, but over the last few hundred years
we've managed to essentially stop Darwinian selection against idiots, and we as
a society seem to frown on the forced sterilization of same.





Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Osmon

On Mon, Apr 19, 2004 at 12:03:32PM -0700, Dan Hollis wrote:
> 
> On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
> > ** Reply to message from Drew Weaver <[EMAIL PROTECTED]> on Mon, 19 Apr 2004 
> > 13:42:53 -0400

[...notification of the...]
> > > average home Dial-Up users who were infected with various malicious agents
> > > (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> > > know and again we were met with more hostility. 
> > You definitely don't have our customers then.  Our usually appreciate
> > being told that their systems are screwed up. 
> 
> He's right.
> 
> Most customers get defensive/hostile when you tell them there's something 
> wrong with their system.

For what it's worth, our (dial-up and DSL) customers have generally
acted thankful when we contact them about the problems their machines
are causing.

I guess nothing changes -- the world is full of people.  :-)


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dan Hollis

On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
> ** Reply to message from Drew Weaver <[EMAIL PROTECTED]> on Mon,
> 19 Apr 2004 13:42:53 -0400
> > However, awhile ago we tried an idea of sending out E-Mail alerts to
> > our customers whenever a critical update of "Remote execution" or worse was
> > released. We found that most of our users were annoyed by this, a different
> > time we used a network sniffing tool to find a few dozen handfuls of your
> > average home Dial-Up users who were infected with various malicious agents
> > (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> > know and again we were met with more hostility. 
> You definitely don't have our customers then.  Our usually appreciate
> being told that their systems are screwed up. 

He's right.

Most customers get defensive/hostile when you tell them there's something 
wrong with their system.

However I've encountered the same attitude with many NOCs when informing 
them they have open relays / smurf amps / owned servers. First they deny 
it - "you must be mistaken", then get defensive "what business is it of 
yours anyway?" or hostile "you can't possibly know that without having 
broken into our network, I'm calling the police" (yeah right, I need to 
break into your network in order to be smurfed by your broken routers.)

So this isn't unique to end users. It seems most people would rather 
discover problems themselves, and go into a sort of panic mode when 
informed by a third party. Many (including NOCs) aren't emotionally 
prepared to handle anything beyond "hit ctrl-alt-del".

I'm still looking for a good way to gently inform end users/nocs of 
problems without having them fly off the handle.

-Dan



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, Willamette Valley Internet

** Reply to message from "Jonathan M. Slivko"
<[EMAIL PROTECTED]> on Mon, 19 Apr 2004 13:57:43 -0400
(GMT-04:00)

> -Original Message-
> From: "Jeff Shultz, Willamette Valley Internet" <[EMAIL PROTECTED]>
> Sent: Apr 19, 2004 1:39 PM
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
> 
> >I can burn a CD from ISO in about 5 minutes - how about you? 
> >I'm talking about XP users who haven't even updated as far as SP1.
> >Win98 users who have never run an update in their life...  
> >Win2k users are usually the most patched up that I've seen - because
> >that went into mostly business environments. 
> >
> >This would at least get them up to the level of the playing field,
> >where the routine updates are not as much of a hassle.  Sure, you'll
> >get the little old ladies and gentlemen who will drop by every month
> >for their service pack fix, but that's just customer service. 
> 
> Doesn't Windows XP automatically do this by default currently?

No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it. 

> If not,
> it's something that Microsoft should consider setting to "ON"
> automatically to help defend the users from hackers, and in the same
> turn, help defend the ISP's network from being maliciously attacked or
> used for illegitimate purposes. 

Then you come up against the "I don't want MS messing with my machine
without my permission!" bunch. Who, incidentally, have a valid point. 
Turning the firewall on by default in SP2 is going to have...
interesting results, I imagine. Esp. in company environments that use
NetBIOS over TCP/IP.  I assume it will firewall 137-140/445 by default. 

> However - I do think that Windows needs
> some more improvements in the area of security (which UNIX/Linux
> already has). However - to Microsoft's credit, they seem to be doing a
> rather nice job of actually beefing up their security practices. Now,
> if only they could figure out how to make Outlook/Outlook Express more
> security-conscious because as of the time of this writing, the Outlook
> Express/Outlook defaults are extremely unsafe.
> 
> Does anyone have/care to post a URL that explains how to set Outlook
> Express/Outlook to be more secure?
> 

That's easy. In Outlook Express: Tools-->Options-->Read. Check the box
"Read all messages in plain text" 

You've just massively improved OE's security. Outlook doesn't do
this yet, does it? I haven't dug through Office 2003 much yet.
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of David Schwartz
> Sent: April 19, 2004 12:57 PM
> To: 'Dr. Jeffrey Race'
> Cc: [EMAIL PROTECTED]
> Subject: RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
> 
> 
> > Firstly, who enforces it? The reason it "works" with cars 
> is that the 
> > state (or province for those of us north of the border) effectively 
> > says "you can't drive a car without this lovely piece of 
> paper/plastic 
> > that we'll give
> > you" and "if we find you driving a car without the lovely piece of
> > paper/plastic, you're going to be in serious trouble". Are 
> you proposing
> > that each jurisdiction that currently licences drivers also
> > licence Internet
> > users and tell ISPs "sorry, but if they don't give their licence,
> > you can't
> > give them an account"?
> 
>   That's not a problem. The state licenses drivers but it 
> also owns the roads.

Yes... And the state doesn't own the Internet, and can't SEE the Internet
(or its component networks). How does it enforce who uses it?

> > Secondly, HOW do you enforce it? Motor vehicles only 
> require a licence 
> > to be operated on public roads in all jurisdictions I'm aware of. 
> > IANAL, but if some 14 year old kid without a licence wants to drive 
> > around on his parents'
> > private property, that is not illegal.
> 
>   So? If you want to mess around on your private network, 
> I don't care either.

And exactly how do you separate public and private networks, from the point
of view of law enforcement? In the driving world, public roads are easy
enough to enforce things on... 

Besides, there are no [major] public networks, if by public, you mean
taxpayer-owned... If you mean publicly accessible, that's another story, of
course... 

> > Now, the instant that
> > vehicle leaves
> > the private property, it's another story (assuming, of course, cops 
> > around to check licences. In some jurisdictions, this is more true 
> > than in others).
> 
>   Exactly. You want to go on someone else's roads, you do 
> so only by their rules.

But my point is, they can SEE you. If I drive out on the roads of whatever
state/province/municipality/etc, their authorized agents (read: cops) can
SEE me and stop me. Try and do that with my IP packets. You try and track
the IP packet that you are getting from my machine to me as a human... Sure,
you can do it, if you have an army of lawyers in a bunch of jurisdictions,
but it's not like the cop who sees a moron driving badly and just pulls them
over, at which point they HAVE the moron in their hands... You can have my
packets going around into your network without having physical access to me,
but you CAN'T have my car driving around (unless I'm not driving it :P) in
your roads without me being in it. 

So, how do you ask my packets for my computer licence?

> > My point is, driving is ONLY regulated when it is done in 
> public view, 
> > for obvious reasons. Computer use is an inherently private 
> activity, 
> > so how do you propose to verify that the person using a 
> computer is in 
> > fact licenced? Mandatory webcams? :P
> 
>   So you can drive however you want on *my* driveway? 
> That's not public view, is it? If there were only private roads, 
> I'll bet you that private road owners would have come up with 
> a licensing system quite similar to what we have today, for 
> liability reasons if nothing else. You might also notice that 
> you can't get liability insurance without a license even 
> though that insurance is issued privately, and there aren't 
> many road owners who let you drive on their roads without insurance.

If I drive on YOUR driveway without a licence, assuming I can GET to your
driveway without driving on a public road (e.g. someone with a licence
drives me to your driveway), I'm guilty of trespassing on your property,
but I don't think I'm guilty of driving without a licence. 

And why would any insurer insure somebody without a licence? Sounds to me
like financial suicide, assuming driver licencing actually DOES keep morons
off roads...

> > Thirdly, WHO do you enforce it against? It's pretty difficult (and 
> > illegal) for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and 
> > drive someone's car
> > without their explicit knowledge and permission. (Okay, so you
> > can hotwire a
> > car, but...) It's very easy for someone other than the computer
> > owner or ISP
> > contractholder to have access to i

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jonathan M. Slivko

Sorry about the double sending - I wasn't subscribed to nanog-post from this address.
-- Jonathan

-Original Message-
From: "Jonathan M. Slivko" <[EMAIL PROTECTED]>
Sent: Apr 19, 2004 1:51 PM
To: Jeff Shultz <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



-Original Message-
From: "Jeff Shultz, Willamette Valley Internet" <[EMAIL PROTECTED]>
Sent: Apr 19, 2004 1:39 PM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

>I can burn a CD from ISO in about 5 minutes - how about you? 
>I'm talking about XP users who haven't even updated as far as SP1.
>Win98 users who have never run an update in their life...  
>Win2k users are usually the most patched up that I've seen - because
>that went into mostly business environments. 
>
>This would at least get them up to the level of the playing field,
>where the routine updates are not as much of a hassle.  Sure, you'll
>get the little old ladies and gentlemen who will drop by every month
>for their service pack fix, but that's just customer service. 

Doesn't Windows XP automatically do this by default currently? If not, it's something 
that Microsoft should consider setting to "ON" automatically to help defend the users 
from hackers, and in the same turn, help defend the ISP's network from being 
maliciously attacked or used for illegitimate purposes. However - I do think that 
Windows needs some more improvements in the area of security (which UNIX/Linux already 
has). However - to Microsoft's credit, they seem to be doing a rather nice job of 
actually beefing up their security practices. Now, if only they could figure out how 
to make Outlook/Outlook Express more security-conscious because as of the time of this 
writing, the Outlook Express/Outlook defaults are extremely unsafe.

Does anyone have/care to post a URL that explains how to set Outlook Express/Outlook 
to be more secure?

-- Jonathan

--
Jonathan M. Slivko - [EMAIL PROTECTED]
"Linux: The Choice for the GNU Generation"
 - http://www.linux.org/ -

Don't fear the penguin.
 .^.
 /V\
   /(   )\
^^-^^
  He's here to help.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, Willamette Valley Internet

** Reply to message from Drew Weaver <[EMAIL PROTECTED]> on Mon,
19 Apr 2004 13:42:53 -0400

> -- Jeff said -- 
> 
> 
> Patches either need to be of a size that a dialup user doesn't have to
> be dialed in for 24 hours to download and install them.  Or .iso's
> should be available for ISP's to download, turn into CD's and
> distribute as appropriate. Wouldn't that be nice for a dialup user -
> getting Windows Update on a CD-ROM from their ISP?
> 
> To which I reply: 
> 
>   It is somewhat unreasonable to think that ISPs should be responsible
> for the security of their users' systems on a systematic basis. 

Responsible? No.
Able to assist in maintaining that security (and thus that of the ISP's
network)? Yes. 

>Another reason
> the idea of a 'CD with updates' most likely wouldn't be effective is because
> by the time the ISP produced the CD, the user got the CD, and installed it,
> the patches would most likely not be the most recent available.

I can burn a CD from ISO in about 5 minutes - how about you? 
I'm talking about XP users who haven't even updated as far as SP1.
Win98 users who have never run an update in their life...  
Win2k users are usually the most patched up that I've seen - because
that went into mostly business environments. 
This would at least get them up to the level of the playing field,
where the routine updates are not as much of a hassle.  Sure, you'll
get the little old ladies and gentlemen who will drop by every month
for their service pack fix, but that's just customer service. 

> Also, do you
> realize how much the 'average technical school graduate type' makes just
> from acquaintances who complain that their computers are slow, by simply
> removing whatever "flavor of the month backdoor spam proxy virus" 

Ah, now you are talking about why I happily promote Ad-Aware and
Spybot. 

>I bet a
> good number of 'tech service calls' that companies such as PC On Call and
> people who service residences get could've been avoided by patching in a
> reasonable time period.

And your problem with the local ISP having this stuff available for
their users is? 

>   However, awhile ago we tried an idea of sending out E-Mail alerts to
> our customers whenever a critical update of "Remote execution" or worse was
> released. We found that most of our users were annoyed by this, a different
> time we used a network sniffing tool to find a few dozen handfuls of your
> average home Dial-Up users who were infected with various malicious agents
> (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> know and again we were met with more hostility. 

You definitely don't have our customers then.  Our usually appreciate
being told that their systems are screwed up. 

>   From this interesting pattern I would surmise that users want their
> ISPs to be hands-off unless the problem that they're causing is affecting
> them directly. End users on the Internet see their connectivity as a right,
> and not a privilege. I remember when I was 13 (that was only 11 years ago)

Some of ours are like that. Most seem to realize their limitations and
are happy to know that at some level we are looking out for them. BTW,
for me 13 was many more years ago than that... RTM wasn't even in
college yet, I imagine. 

> and I signed up for my Freenet account at the Columbus Public Library (I
> believe it was, ? still is? Through OSU), they really made me feel like it
> was a privilege to be using the Internet, and I honored that.

Dial-up, or using their systems at the library? And you weren't paying
for the privilege, at least not directly. 

> It's just difficult to explain from a professional level what the effects
> these peoples' behavior (or lack thereof) is having on the rest of the
> community. Think of it like people who drive monster SUV's, they can afford
> the gas, and the insurance so they don't believe that the harm that these
> beasts do to our environment matters, because again it's their god-given right
> to drive them.
> 
That's a whole 'nuther horse to kill there.
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Geo.

>>
Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?
<<

It shouldn't be just Windows Update, which of course doesn't patch Office
etc.; it should be a fully automated CD that the user pops in and that
autoupdates ALL MICROSOFT PRODUCTS that are installed, and it should do it
without asking for the stupid Office CDs.

Geo.



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Drew Weaver

-- Jeff said -- 


Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?

To which I reply: 

It is somewhat unreasonable to think that ISPs should be responsible
for the security of their users' systems on a systematic basis. Another reason
the idea of a 'CD with updates' most likely wouldn't be effective is because
by the time the ISP produced the CD, the user got the CD, and installed it,
the patches would most likely not be the most recent available. Also, do you
realize how much the 'average technical school graduate type' makes just
from acquaintances who complain that their computers are slow, by simply
removing whatever "flavor of the month backdoor spam proxy virus"? I bet a
good number of 'tech service calls' that companies such as PC On Call and
people who service residences get could've been avoided by patching in a
reasonable time period.
However, awhile ago we tried an idea of sending out E-Mail alerts to
our customers whenever a critical update of "Remote execution" or worse was
released. We found that most of our users were annoyed by this. A different
time we used a network sniffing tool to find a few dozen handfuls of your
average home Dial-Up users who were infected with various malicious agents
(i.e. Nimda, et cetera) and we actually contacted those users, to let them
know, and again we were met with more hostility. 
From this interesting pattern I would surmise that users want their
ISPs to be hands-off unless the problem that they're causing is affecting
them directly. End users on the Internet see their connectivity as a right,
and not a privilege. I remember when I was 13 (that was only 11 years ago)
and I signed up for my Freenet account at the Columbus Public Library (I
believe it was, ? still is? Through OSU), they really made me feel like it
was a privilege to be using the Internet, and I honored that.
It's just difficult to explain from a professional level what the effects
these peoples' behavior (or lack thereof) is having on the rest of the
community. Think of it like people who drive monster SUV's, they can afford
the gas, and the insurance so they don't believe that the harm that these
beasts do to our environment matters, because again it's their god-given right
to drive them.

-Drew



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Neiberger

>Patches either need to be of a size that a dialup user doesn't have to
>be dialed in for 24 hours to download and install them.  Or .iso's
>should be available for ISP's to download, turn into CD's and
>distribute as appropriate. Wouldn't that be nice for a dialup user -
>getting Windows Update on a CD-ROM from their ISP?

Amen to that. My mom lives in a small town with very spotty Internet
access. The fastest possible connection speed is 28.8 but her actual
connection is usually slower than that, probably thanks to the quality
of lines in the area. You wouldn't believe how long those patches take
to download over 28.8. In fact, I've given up on it because the phone
simply can't be tied up for that long and she's not going to get a
second line for the sole purpose of downloading MS patches.

Periodic Windows Update on a CD-ROM is a must-have until more of the
world has high-speed access.

John
--


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread David Schwartz


> Firstly, who enforces it? The reason it "works" with cars is that
> the state
> (or province for those of us north of the border) effectively says "you
> can't drive a car without this lovely piece of paper/plastic that
> we'll give
> you" and "if we find you driving a car without the lovely piece of
> paper/plastic, you're going to be in serious trouble". Are you proposing
> that each jurisdiction that currently licences drivers also
> licence Internet
> users and tell ISPs "sorry, but if they don't give their licence,
> you can't
> give them an account"?

That's not a problem. The state licenses drivers but it also owns the
roads.

> Secondly, HOW do you enforce it? Motor vehicles only require a
> licence to be
> operated on public roads in all jurisdictions I'm aware of. IANAL, but if
> some 14 year old kid without a licence wants to drive around on
> his parents'
> private property, that is not illegal.

So? If you want to mess around on your private network, I don't care
either.

> Now, the instant that
> vehicle leaves
> the private property, it's another story (assuming, of course, cops around
> to check licences. In some jurisdictions, this is more true than
> in others).

Exactly. You want to go on someone else's roads, you do so only by their
rules.

> My point is, driving is ONLY regulated when it is done in public view, for
> obvious reasons. Computer use is an inherently private activity, so how do
> you propose to verify that the person using a computer is in fact
> licenced?
> Mandatory webcams? :P

So you can drive however you want on *my* driveway? That's not public view,
is it? If there were only private roads, I'll bet you that private road owners
would have come up with a licensing system quite similar to what we have
today, for liability reasons if nothing else. You might also notice that you
can't get liability insurance without a license even though that insurance
is issued privately, and there aren't many road owners who let you drive on
their roads without insurance.

> Thirdly, WHO do you enforce it against? It's pretty difficult
> (and illegal)
> for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive
> someone's car
> without their explicit knowledge and permission. (Okay, so you
> can hotwire a
> car, but...) It's very easy for someone other than the computer
> owner or ISP
> contractholder to have access to it and abuse it and stuff.

I'm not sure I understand why you think this is so. My kids know that my
computer is off-limits to them just like they know my car is off-limits to
them. They are physically capable of obtaining access to either without my
permission.

> So what do you
> propose? Mandatory cardreaders on all computers? Fingerprint scanners
> integrated into keyboards? How else can you avoid Mom logging online, and
> then letting the unlicenced kids roam free online, allegedly to
> do "research
> for school"? Do you want to fine/jail/etc Mom if the kids
> download a trojan
> somewhere?

I would presume that a license would include the rights to allow others to
use your access under appropriate supervision or with appropriately
restrictive software.

> Fourthly, as someone pointed out, the first generation always complains. I
> hate to show how young I probably am compared to many on this list, but my
> jurisdiction introduced graduated driver's licencing a few years before I
> was old enough to get a driver's licence, and it angers me that the random
> guy who's out on the road driving like a moron had to go through way less
> bureaucracy, road tests, etc than me simply because he was born ten years
> before me. That said, if no reforms are made to make this system stricter,
> I'm sure the next generation won't see this system as an outrage simply
> because they won't remember an era when the bureaucracy.
> Currently, people can buy computers/Internet access/etc unregulated at the
> random store down the street. You're proposing that some regulatory
> authority require licencing... Why should these voters accept it?

Because their failure to cooperate will result in ostracism. That's how the
Internet has always worked.

> Especially
> since, unlike with cars, the damage done by poorly-operated computers is
> rather hard to explain to a technologically-unskilled person. Most would
> respond something like "well, it's not my fault some criminal wrote a
> virus/exploit/whatever. Put that person in jail, and let me mind my own
> business." Good luck educating them on the fallacies in that statement.

The point is, you don't have to. You just have to not let them on your
roads. If they think the things they have to do to get on your roads are
worth the value of those roads, they'll do them. If not, not. You don't care
why people comply with your rules. People don't get driver's licenses
because they think the piece of paper makes them a better driver, they do it
because that is what's required for th

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, Willamette Valley Internet

** Reply to message from Brian Russo <[EMAIL PROTECTED]> on Mon, 19 Apr
2004 10:51:18 -0400

> As far as mainstream users..
> * Software needs to patch itself, users aren't going to do it.
> * Software needs to be intuitive, people interact with computers as if 
> they were doing 'real' things. Things like cut and paste are easy 
> because they make sense...
> * Software patches need to WORK and not screw up Joe User's system, 
> believe me they won't "understand" that software is never bug-free, 
> they'll instead swear off installing patches in future.
> * Software needs reasonable defaults.. this doesn't necessarily mean 
> turning every feature off.
> * Wizards and/or a choice of 'starter' confs can be great.

Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Patrick W . Gilmore

On Apr 19, 2004, at 4:10 AM, Michael Painter wrote:

> First time user of the "net" in '87 when CompuServe announced it to 
> its denizens.
> Thank [deity] for Micro$oft or we'd have to get a real job.

I hear this a lot and it is such BS.  Does anyone here HONESTLY believe 
the "computer revolution" was caused by MS alone and would never have 
happened without them?

Microsoft *might* have made it happen slightly faster than without 
them, but a good argument can be made that MS actually set back the 
software industry in many ways, from stifling competition & innovation 
to the current mess with uneducated users and a homogeneous OS.

The truth is, we will not know if things are better or worse because of 
MS.  But it is in _no way_ a slam dunk one way or the other.

--
TTFN,
patrick


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Dr. Jeffrey Race
> Sent: April 19, 2004 9:11 AM
> To: Jeffrey Race
> Cc: [EMAIL PROTECTED]
> Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
> 
> 
> 
> On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
> 
> > An uneducated
> >end user is not something you can fix with a service pack.
> 
> 
> A profound point, again highlighting the fact that there
> are no technical solutions to this problem.  (Though
> technical measures to enhance traceability are a big help.)
> 
> So, the logical inference is training and licensing to
> get internet access.   When I was 16 in Connecticut many
> many years ago, we had to take a driver-training course
> (given by a policeman) to get a driver's license.
> 
> I see no discussion about this approach, here or elsewhere.

Well, there are a number of problems with this.

Firstly, who enforces it? The reason it "works" with cars is that the state
(or province for those of us north of the border) effectively says "you
can't drive a car without this lovely piece of paper/plastic that we'll give
you" and "if we find you driving a car without the lovely piece of
paper/plastic, you're going to be in serious trouble". Are you proposing
that each jurisdiction that currently licences drivers also licence Internet
users and tell ISPs "sorry, but if they don't give their licence, you can't
give them an account"?

Secondly, HOW do you enforce it? Motor vehicles only require a licence to be
operated on public roads in all jurisdictions I'm aware of. IANAL, but if
some 14 year old kid without a licence wants to drive around on his parents'
private property, that is not illegal. Now, the instant that vehicle leaves
the private property, it's another story (assuming, of course, cops around
to check licences. In some jurisdictions, this is more true than in others).
My point is, driving is ONLY regulated when it is done in public view, for
obvious reasons. Computer use is an inherently private activity, so how do
you propose to verify that the person using a computer is in fact licenced?
Mandatory webcams? :P

Thirdly, WHO do you enforce it against? It's pretty difficult (and illegal)
for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive someone's car
without their explicit knowledge and permission. (Okay, so you can hotwire a
car, but...) It's very easy for someone other than the computer owner or ISP
contractholder to have access to it and abuse it and stuff. So what do you
propose? Mandatory cardreaders on all computers? Fingerprint scanners
integrated into keyboards? How else can you avoid Mom logging online, and
then letting the unlicenced kids roam free online, allegedly to do "research
for school"? Do you want to fine/jail/etc Mom if the kids download a trojan
somewhere?

Fourthly, as someone pointed out, the first generation always complains. I
hate to show how young I probably am compared to many on this list, but my
jurisdiction introduced graduated driver's licencing a few years before I
was old enough to get a driver's licence, and it angers me that the random
guy who's out on the road driving like a moron had to go through way less
bureaucracy, road tests, etc than me simply because he was born ten years
before me. That said, if no reforms are made to make this system stricter,
I'm sure the next generation won't see this system as an outrage simply
because they won't remember an era when the bureaucracy.
Currently, people can buy computers/Internet access/etc unregulated at the
random store down the street. You're proposing that some regulatory
authority require licencing... Why should these voters accept it? Especially
since, unlike with cars, the damage done by poorly-operated computers is
rather hard to explain to a technologically-unskilled person. Most would
respond something like "well, it's not my fault some criminal wrote a
virus/exploit/whatever. Put that person in jail, and let me mind my own
business." Good luck educating them on the fallacies in that statement.

Fact is, until home computer security issues result in a pile of bloody
bodies to show on CNN, no one in the general public and/or the legislative
branches of government has any incentive to care... 

Vivien



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 11:22:17PM +1000, Gregh wrote:
> I would love to know the average age of the list inhabitants.

22

> 
> It has been my observation that things which are new become better known
> when a generation has grown up, completely, with it and is teaching the next
> generation.
> 
> Until that occurs, you are going to get one heck of a larger lot of
> uninformed users because they are not only young and clueless but every
> other age and clueless. Worse, they are clueless in a lot of cases because
> they are frightened by new technology. Eventually, it will become as common
> as a car on the road and at that point, taking obvious steps won't even be a
> topic for discussion any longer.

Of course you're right, but this isn't going to happen for a long time.. 
and besides.. there are a lot of people in my generation that are not 
that tech-savvy at all.. 

I'd say the top uses are Games, IM/blogs/etc and P2P

None of these really have anything to do with being good guardians of 
the net.

Of course in the long-run you'll prove me wrong.. but I think it'll take 
a fair while yet.. anyway, i just hope we'll have made good progress on 
other fronts.

 - bri


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 08:22:48AM -0400, Chris Brenton wrote:
>
> Agreed. I think part of what makes 0-day easier to hide *is* the raw
> quantity of preventable exploits that are taking place. In many ways we
> have become numb to compromises so that the first response ends up being
> "format and start over". If 0-day was a higher percentage, it would be
> easier to catch them when they occur and do a proper forensic analysis. 

Right, they fit in with the noise.

> 
> I guess I have a hard time blaming this type of thing on the end user.
> Part of the fall out from making computers easier to use, is making it
> easier for end users to shoot themselves in the foot. One of the
> benefits of complexity is that it forces end user education. I'm
> guessing that if you had to load SQL as a dependency you would have
> caught your mistake before you made it. 
> 
> Let me give you an example of the easy to use interface thing. Back in
> 2000 I made it a personal goal to try and get the top 5 SMURF amplifier
> sites shut down. I did some research to figure out what net blocks were
> being used and started contacting the admins. Imagine my surprise when I
> found out that 3 of the 5 _had_ a firewall. They had clicked their way
> through configuring Firewall-1, didn't know they needed to tweak the
> default property settings, and were letting through all ICMP
> unrestricted and unlogged. 
>
> IMHO it's only getting worse. I teach a lot of perimeter security folks
> and it seems like more and more of them are moving up the ranks without
> ever seeing a command prompt. I actually had one guy argue that
> everything in Windows is point and click and if you could not use a
> mouse to do something, it was not worth doing. Again, I don't see this
> as an end user problem because as an industry we've tried to make
> security seem easier than it actually is. We want to make it like
> driving a car when it's more like flying an airplane. 

That's pretty sad, I can forgive users, but nobody doing 'security' 
should be living in a pure GUI world, to extend your analogy it would be 
like only knowing how to configure the autopilot and getting a pilot's 
license.

As far as mainstream users..
* Software needs to patch itself, users aren't going to do it.
* Software needs to be intuitive, people interact with computers as if 
they were doing 'real' things. Things like cut and paste are easy 
because they make sense...
* Software patches need to WORK and not screw up Joe User's system, 
believe me they won't "understand" that software is never bug-free, 
they'll instead swear off installing patches in future.
* Software needs reasonable defaults.. this doesn't necessarily mean 
turning every feature off.
* Wizards and/or a choice of 'starter' confs can be great.


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Gregh


- Original Message - 
From: "Dr. Jeffrey Race" <[EMAIL PROTECTED]>
To: "Jeffrey Race" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 19, 2004 11:10 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)


>
> On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
>
> > An uneducated
> >end user is not something you can fix with a service pack.
>
>
> A profound point, again highlighting the fact that there
> are no technical solutions to this problem.  (Though
> technical measures to enhance traceability are a big help.)
>
> So, the logical inference is training and licensing to
> get internet access.   When I was 16 in Connecticut many
> many years ago, we had to take a driver-training course
> (given by a policeman) to get a driver's license.
>
> I see no discussion about this approach, here or elsewhere.
>

I would love to know the average age of the list inhabitants.

It has been my observation that things which are new become better known
when a generation has grown up, completely, with it and is teaching the next
generation.

Until that occurs, you are going to get one heck of a larger lot of
uninformed users because they are not only young and clueless but every
other age and clueless. Worse, they are clueless in a lot of cases because
they are frightened by new technology. Eventually, it will become as common
as a car on the road and at that point, taking obvious steps won't even be a
topic for discussion any longer.

When that happens, arts majors won't be the only ones serving fries at
Maccas.

Greg.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:

> An uneducated
>end user is not something you can fix with a service pack.


A profound point, again highlighting the fact that there
are no technical solutions to this problem.  (Though
technical measures to enhance traceability are a big help.)

So, the logical inference is training and licensing to
get internet access.   When I was 16 in Connecticut many
many years ago, we had to take a driver-training course
(given by a policeman) to get a driver's license.

I see no discussion about this approach, here or elsewhere.

Jeffrey Race



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Chris Brenton

On Mon, 2004-04-19 at 06:27, Brian Russo wrote:
>
> There're a lot more 0-days than that.

Agreed. My ego has not grown so large as to think I've seen every 0-day.
;-) As I said however, the true number of 0-day is less than ground
noise compared to the number of systems that *could* have remained safe
with proper patching or configuring. 

> They just tend to remain 
> within a smaller community (typically the ones who discover it) and are 
> used carefully/intelligently for compromises, often for a very long 
> time.

Agreed. I think part of what makes 0-day easier to hide *is* the raw
quantity of preventable exploits that are taking place. In many ways we
have become numb to compromises so that the first response ends up being
"format and start over". If 0-day was a higher percentage, it would be
easier to catch them when they occur and do a proper forensic analysis. 

> Agreed, and even conscientious users screw up. I did this some months 
> ago when installing MS SQL Server Desktop Engine from a third-party CD 
> (packaged with software).


I guess I have a hard time blaming this type of thing on the end user.
Part of the fall out from making computers easier to use, is making it
easier for end users to shoot themselves in the foot. One of the
benefits of complexity is that it forces end user education. I'm
guessing that if you had to load SQL as a dependency you would have
caught your mistake before you made it. 

Let me give you an example of the easy to use interface thing. Back in
2000 I made it a personal goal to try and get the top 5 SMURF amplifier
sites shut down. I did some research to figure out what net blocks were
being used and started contacting the admins. Imagine my surprise when I
found out that 3 of the 5 _had_ a firewall. They had clicked their way
through configuring Firewall-1, didn't know they needed to tweak the
default property settings, and were letting through all ICMP
unrestricted and unlogged. 

IMHO it's only getting worse. I teach a lot of perimeter security folks
and it seems like more and more of them are moving up the ranks without
ever seeing a command prompt. I actually had one guy argue that
everything in Windows is point and click and if you could not use a
mouse to do something, it was not worth doing. Again, I don't see this
as an end user problem because as an industry we've tried to make
security seem easier than it actually is. We want to make it like
driving a car when it's more like flying an airplane. 


Cheers,
Chris




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 06:12:16AM -0400, Chris Brenton wrote:
>
> Key word here is "essentially". I've been involved with about a half
> dozen compromises that have been true zero days. Granted that's less
> than ground noise compared to what we are seeing today.

There're a lot more 0-days than that. They just tend to remain 
within a smaller community (typically the ones who discover it) and are 
used carefully/intelligently for compromises, often for a very long 
time. Then it gets leaked by someone and released into the wild/script 
kiddie community or someone else discovers it...

(more for benefit of others than a response to you)

> Also, don't underestimate a person's ability to shoot themselves in the
> foot. Windows 2003 server, out of the box, is technically one of the
> most secure operating systems out there because it ships with no open
> listening ports. Based on the auditing I've done however, it ends up
> being deployed even less secure than 2000 because a lot of admins end up
> doing the "turn everything on to get it working" thing. An uneducated
> end user is not something you can fix with a service pack.

Agreed, and even conscientious users screw up. I did this some months 
ago when installing MS SQL Server Desktop Engine from a third-party CD 
(packaged with software). This was well after the whole Slammer affair; 
memories fade, and I didn't stop to realize they used the same 
codebase (oops).

 - bri


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Chris Brenton

On Sun, 2004-04-18 at 23:16, Sean Donelan wrote:
>
> When the Morris worm was release, there wasn't a patch available.  Since
> then essentially every compromised computer has been via a vulnerability
> with a patch available or misconfiguration (or usually lack of
> configuration).

Key word here is "essentially". I've been involved with about a half
dozen compromises that have been true zero days. Granted that's less
than ground noise compared to what we are seeing today.

> As far as improvements go, Microsoft's XP SP2 is a great improvement.  If
> you have a Window's machine, implementing XP SP2 could help with a lot of
> the stupid vulnerabilities.  Unfortunately less than 50% of Internet users
> have XP.

This ends up being a catch 22 all the way around. Since MS has focused
on locking down XP, they have ended up focusing on a minimal market
share of the problem. With this in mind, I don't think we are going to
see things getting any better now that SP2 is out. For the end user
running 2000 or less, it ends up sounding like "we screwed up and sold
you an insecure product so now we want you to give us more money in
order to fix the problem". A fix that addressed the problem in a more
universal fashion would have been cool. 

> Should ISPs start requiring their users to install Windows XP SP2?

Many folk have already commented on the economics of trying to require
this. I think technically it would be hard to implement as well. I've
done a lot of work with passive fingerprinting and from my observations
you don't see enough of a difference in the packet creation to tell the
difference between patched and unpatched systems. This leaves you with
active fingerprinting which may fail if a personal firewall is active,
or loading software on their system which is now a whole other support
nightmare. Lots of overhead for little gain in my opinion.

Also, don't underestimate a person's ability to shoot themselves in the
foot. Windows 2003 server, out of the box, is technically one of the
most secure operating systems out there because it ships with no open
listening ports. Based on the auditing I've done however, it ends up
being deployed even less secure than 2000 because a lot of admins end up
doing the "turn everything on to get it working" thing. An uneducated
end user is not something you can fix with a service pack.

Chris
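The passive-fingerprinting point in the message above, illustrated with an added example that is not from the thread, from Chris Brenton, or from p0f itself: a minimal p0f-style extractor that pulls the fields a passive fingerprinter actually has to work with (initial TTL guess, DF bit, window, option order, MSS, window scale) out of a raw TCP SYN and matches them against a signature table. The two sample packets and the signature table are constructed for this example and are assumptions, not real captures or real p0f entries. What the code makes concrete is that every field available passively is a property of the TCP/IP stack's packet construction; there is nothing in the SYN that encodes a patch or service-pack level, which is why the distinction has to come from active probing or an agent on the host.

```python
"""Minimal p0f-style passive fingerprinting of a TCP SYN.

Added example, not part of the thread. The packets and the signature
table are constructed for illustration (assumptions, not real p0f data).
"""
import struct

# Initial TTL values commonly used by IP stacks; the observed TTL is rounded
# up to the nearest one, since each router hop decrements it by one.
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed: int) -> int:
    """Guess the sender's initial TTL from the TTL seen on the wire."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def parse_syn(pkt: bytes) -> dict:
    """Pull the fields a passive fingerprinter uses out of a raw IPv4+TCP SYN.

    Expects the packet to start at the IP header (no link-layer framing).
    """
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    df = bool(flags_frag & 0x4000)          # Don't Fragment bit
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4               # TCP header length incl. options
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:doff]

    order, mss, wscale = [], None, None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            order.append("E")
            break
        if kind == 1:                       # NOP padding
            order.append("N")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:    # Maximum segment size
            mss = struct.unpack("!H", body)[0]
            order.append("M")
        elif kind == 3 and len(body) == 1:  # Window scale
            wscale = body[0]
            order.append("W")
        elif kind == 4:                     # SACK permitted
            order.append("S")
        elif kind == 8:                     # Timestamps
            order.append("T")
        else:
            order.append("?%d" % kind)
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss,
            "wscale": wscale, "opts": ",".join(order)}


# Constructed signature table: (initial TTL, DF set, option order) -> label.
# These are illustrative assumptions, not copied from p0f's real database.
SIGNATURES = {
    (128, True, "M,N,W,N,N,S"): "Windows NT-family host (constructed signature)",
    (64, True, "M,S,T,N,W"): "Linux-style host (constructed signature)",
}


def fingerprint(pkt: bytes) -> str:
    """Match a SYN against the signature table; 'unknown' if nothing fits."""
    f = parse_syn(pkt)
    return SIGNATURES.get((initial_ttl(f["ttl"]), f["df"], f["opts"]), "unknown")


def build_syn(ttl: int, df: bool, window: int, opts: bytes) -> bytes:
    """Build a constructed IPv4+TCP SYN for testing (checksums left zero)."""
    while len(opts) % 4:                    # pad options to a 32-bit boundary
        opts += b"\x00"
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02,
                      window, 0, 0) + opts
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, flags_frag,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed option blobs: MSS 1460, NOP, WS 0, NOP, NOP, SACK-permitted ...
WIN_OPTS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x00" b"\x01\x01" b"\x04\x02"
# ... and MSS 1460, SACK-permitted, timestamps, NOP, WS 7.
LINUX_OPTS = (b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8
              + b"\x01" b"\x03\x03\x07")

if __name__ == "__main__":
    for name, pkt in (("win", build_syn(117, True, 65535, WIN_OPTS)),
                      ("linux", build_syn(53, True, 5840, LINUX_OPTS))):
        print(name, parse_syn(pkt), "->", fingerprint(pkt))
```

The signature key deliberately leaves the window size out: real tools treat it as a weaker hint because it varies with interface MTU and tuning, which is the same reason the few fields that do survive a hop count identify a stack family rather than anything finer. A second constructed SYN with identical options but a different window still matches, and one with the DF bit cleared does not, so the match is entirely a function of how the stack builds packets.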




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Michael Painter

First time user of the "net" in '87 when CompuServe announced it to its denizens.
Thank [deity] for Micro$oft or we'd have to get a real job.


- Original Message - 
From: "Henry Yen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, April 18, 2004 8:14 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)


>
> On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:
> > > Let's face it -- this shouldn't have to be the ISP's problem.
> > > Microsoft needs to quit rushing out new OS releases without properly
> > > straining them and stress testing to find as many holes as they can.
> > > They need to start cracking down on themselves and really start
> > > worrying about securing their OS and patching it as much as possible
> > > before throwing it to market.
> >
> > It's very challenging to say that the world's most profitable company
> > should do anything significantly different.
>
> s/most profitable company/convicted (and continuing) OS\&browser monopolist/
>
> Still feel the same?
>
> > Putting out releases and
> > letting marketing to address security concerns brings in billions. Not
> > putting out release will make less money.
>
> Forcing OEM pre-loads is where they get most of their money.  Maybe
> if they spent less on money-losing ventures like X-Box and WebTV,
> and maybe if they spent their R&D $Billions more wisely, and further
> if they spent less time and money knifing others' babies and put
> more genuine effort into it...
>
> > This is not that they would not be "trying their best". There is just a
> > very justifiable business decision between what we would like the best
> > to be and what it needs to be to keep their money machine running.
>
> Well, if they would just admit as such ("Keep the Money Machine Running!"),
> instead of offering endless platitudes and excuses (and FUD) and
> press releases about how much $money they are donating (yeah, right)
> to libraries and schools and ...
>
> -- 
> Henry Yen   Aegis Information Systems, Inc.
> Senior Systems Programmer   Hicksville, New York
>



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Peter Galbavy

Henry Yen wrote:
> s/most profitable company/convicted (and continuing) OS\&browser
> monopolist/

Sadly the two are not incompatible it appears. If the "rewards" of breaking
the law were normally so good, then most of us would be down at the
local bank with a shotgun... actually, given the audience, no physical
attendance would be expected.

Peter



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Henry Yen

On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:
> > Let's face it -- this shouldn't have to be the ISP's problem. 
> > Microsoft needs to quit rushing out new OS releases without properly 
> > straining them and stress testing to find as many holes as they can. 
> > They need to start cracking down on themselves and really start 
> > worrying about securing their OS and patching it as much as possible 
> > before throwing it to market. 
> 
> It's very challenging to say that the world's most profitable company 
> should do anything significantly different.

s/most profitable company/convicted (and continuing) OS\&browser monopolist/

Still feel the same?

> Putting out releases and 
> letting marketing to address security concerns brings in billions. Not 
> putting out release will make less money.

Forcing OEM pre-loads is where they get most of their money.  Maybe
if they spent less on money-losing ventures like X-Box and WebTV,
and maybe if they spent their R&D $Billions more wisely, and further
if they spent less time and money knifing others' babies and put
more genuine effort into it...

> This is not that they would not be "trying their best". There is just a 
> very justifiable business decision between what we would like the best 
> to be and what it needs to be to keep their money machine running.

Well, if they would just admit as such ("Keep the Money Machine Running!"),
instead of offering endless platitudes and excuses (and FUD) and
press releases about how much $money they are donating (yeah, right)
to libraries and schools and ...

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Petri Helenius

Brandon Shiers wrote:

> Let's face it -- this shouldn't have to be the ISP's problem. 
> Microsoft needs to quit rushing out new OS releases without properly 
> straining them and stress testing to find as many holes as they can. 
> They need to start cracking down on themselves and really start 
> worrying about securing their OS and patching it as much as possible 
> before throwing it to market. 

It's very challenging to say that the world's most profitable company 
should do anything significantly different. Putting out releases and 
letting marketing to address security concerns brings in billions. Not 
putting out release will make less money.

This is not that they would not be "trying their best". There is just a 
very justifiable business decision between what we would like the best 
to be and what it needs to be to keep their money machine running.

It's another instance of the reason why ISPs supposedly cannot afford 
to take out both backdoored and legit abusers at source but the Internet 
is in "defensive" mode of operation.

Pete



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Brandon Shiers

On Sun, 18 Apr 2004 23:16:36 -0400 (EDT), Sean Donelan <[EMAIL PROTECTED]> wrote:

> Should ISPs start requiring their users to install Windows XP SP2?

IMHO:

Not if they want to stay in business.  Our customer base is probably 
80%Win 9x users.  I can't speak for everybody else, but I would be 
willing to bet that a majority of ISP's have a good chunk of their 
customer base running Win 9x-based operating systems.  If the ISP I 
work for was to make a minimum system requirement like that, we'd go 
out of business overnight.  We don't even use Windows XP on our 
corporate LAN yet -- we're still running Win2K SP4.  

Let's face it -- this shouldn't have to be the ISP's problem. 
Microsoft needs to quit rushing out new OS releases without properly 
straining them and stress testing to find as many holes as they can. 
They need to start cracking down on themselves and really start 
worrying about securing their OS and patching it as much as possible 
before throwing it to market.  

I understand that they won't find EVERY possible hole, but the last 
few years, as far as bugs in their software goes, they have an 
extremely poor track record.  Since about the NT4 days, it's been 
horrible.  Service pack after service pack, etc.  We have our machines 
set up to automatically tell us when new updates are available.  It's 
pretty disheartening when you install 4 patches one day, and then 2 
days later you have to go through installing another 3 - 4 patches 
just to ensure your machine is keeping updated with patches to fix 
their shoddy software.  

--Brandon





RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Michel Py

> Sean Donelan
> Should ISPs start requiring their users to install Windows XP SP2?

Most of those of us that work with m$ products on a daily basis are not
too hot about installing beta code in production. A week after m$
releases it, and after carefully listening to the volume of screams
coming from the street, we shall see.

Michel.