Re: [Full-Disclosure] Support the Sasser-author fund started

On Tue, May 18, 2004 at 12:39:46PM +1200, Nick FitzGerald wrote:
> Shane C. Hage to Bill Royds:
>> I agree with most of your statements below.
>
> Well, actually, he was wrong if you consider the NT family of OSes starting in about 1993-4 (true, OOTB they were configured to be fully Win 3.x compatible -- that is, with all security disabled/dumbed down -- but the underlying architecture design at least met most of the minimum criteria for C2...).

Sorry, in a networked world, C2 is just a bad joke. Keep in mind that you do not get a blank certificate for 'this OS', but the certification always is for the full OS/hardware combo. No, you can't purchase the hardware for C2 certified NT anymore (not new, anyway). Even so, it was a specially patched Windows NT 3.51 that got certified on a (AFAIR) specific Compaq machine. It had no network card (absolutely great - most Windows security problems could be avoided by ripping out the network cards - too bad that this is unrealistic because it would pretty much reduce the usefulness of the machines to almost zero), no floppy drive, no printer - the only way to get data in was keyboard and mouse, the only way to get data out was the screen. The printer spool system was disabled. The Windows system directory was read-only (not allowing your users to overwrite the system installation is computer security 101, but this _is_ Windows, after all), making the installation of MS Office (which wants to dump a metric crapload of stuff there), unfortunately, impossible. So you had a system where you could log on, play minesweeper and log off again. Lots of use, that.

Besides, the C2 stuff is rather tame, things like no object re-use (clear all memory and disk blocks before handing them to another user, don't re-use user-ids, ...), auditing, identify users (no open system, users have to log in - what everybody else was doing for 30 years at this time), discretionary access control (think chmod - again, what others were doing for probably 30 years by then), protected system mode of operation (read: your users are not supposed to be able to overwrite kernel memory at will), which is really old stuff too. So, while the marketing department got a nice spin out of it, everybody with a clue just shrugged and said "So, you've discovered sliced bread too? What an _amazing_ discovery, isn't it?".

Keep in mind that _high_ grade security (things like mandatory access control, security labels, security levels (and making sure there is no downwriting) and so on) had been understood at this point for quite some time. Some of this work even went back to the time of MULTICS, which started life in 1965 and was the first OS to get a B2 rating in 1985. And B2 is already really interesting.

Regards,
      Alex.
--
Opportunity is missed by most people because it is dressed in overalls and looks like work. -- Thomas A. Edison

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Support the Sasser-author fund started

Alexander Schreiber [EMAIL PROTECTED] to me:

> Sorry, in a networked world, C2 is just a bad joke.
...

Well, at least weak...

...
> Keep in mind that you do not get a blank certificate for 'this OS', but the certification always is for the full OS/hardware combo. No, you can't purchase the hardware for C2 certified NT anymore (not new, anyway). Even so, it was a specially patched ...

Really?? I heard it was just a specially prepared machine -- network card, floppy drive pulled, much non-default configuration tweaking, etc.

> ... Windows NT 3.51 that got certified on a (AFAIR) specific Compaq machine. It had no network card (absolutely great - most Windows security problems could be avoided by ripping out the network cards - too bad that this is unrealistic because it would pretty much reduce the usefulness of the machines to almost zero), no floppy drive, no printer - the only way to get data in was keyboard and mouse, the only way to get data out was the screen. The printer spool system was disabled. The Windows system directory was read-only (not allowing your users to overwrite the system installation is computer security 101, but this _is_ Windows, after all), making the installation of MS Office (which wants to dump a metric crapload of stuff there), unfortunately, impossible.
...

Hmmm -- you're not another know-it-all user/admin who does not know about setup -a installs? (Of course, in a modestly well secured Windows system, a user is expected not to be able to install a complex piece of s/w like Office, so doing this as admin and getting the configuration right is the job of the system admin, not the user...)

BTW, from _extensive_ experience in a university lab setup, the only major problem with Office (95) on NT 3.x systems with proper ACL'ing of user and non-user disk areas was that the $%^%-ing wizards in the online help were done by an engine that was hard-coded to write temporary files into the system dir and would fail if it could not write those files. (MS tech support had no idea what we were talking about when we told them this feature, so widely touted by their sales-droids in the Office 95 promos, would not work in a properly secured NT setup, and a colleague told me one of them actually told him to fix the problem by giving everyone full access to the system dir -- if that tech had been talking to me I'd have been talking very strongly with his supervisor within a few seconds.) We simply told the lecturers (profs in the US) and tutors teaching the classes that used Word to _not_ mention wizards nor expect them to work -- thank-you Microsoft!

...
> So you had a system where you could log on, play minesweeper and log off again. Lots of use, that.

Or, where a competent admin could install and roll out dozens and dozens of applications, all appropriately ACL'ed down, after a few days training (we even did systems installation rollouts that were entirely hands-free after the boot disk login prompts had been answered...). Or are you talking about NT machines after they had been C2-ed? Must admit, never tried that -- we were interested in practical security, not some pie-in-the-sky quasi-military stuff...

> Besides, the C2 stuff is rather tame, things like no object re-use (clear all memory and disk blocks before handing them to another user, don't re-use user-ids, ...), auditing, identify users (no open system, users have to log in - what everybody else was doing for 30 years at this time), discretionary access control (think chmod - again, what others were doing for probably 30 years by then), protected system mode of operation (read: your users are not supposed to be able to overwrite kernel memory at will), which is really old stuff too. So, while the marketing department got a nice spin out of it, everybody with a clue just shrugged and said "So, you've discovered sliced bread too? What an _amazing_ discovery, isn't it?".
>
> Keep in mind that _high_ grade security (things like mandatory access control, security labels, security levels (and making sure there is no downwriting) and so on) had been understood at this point for quite some time. Some of this work even went back to the time of MULTICS, which started life in 1965 and was the first OS to get a B2 rating in 1985. And B2 is already really interesting.

Yeah, yeah. I know all that. However, note I was responding to a rather ill-informed comment along the line of "*nix was always better because Windows can't [a list of things that NT _could_ do]". So, while I fully appreciate that C2-ish security is not actually much security, it is at or above the level that NT is (was?) capable of and thus beyond where most *nix-ish OSes could ever get certified. Don't get me wrong -- I'm not defending MS' entirely shoddy effort on the security side of things, but in many senses MS is clearly no worse than that which its traditional loudest critics prefer. (In fact, IIRC, it was not
Re: [Full-Disclosure] Support the Sasser-author fund started

[EMAIL PROTECTED] to me:

> Actually reading what C2 *required* is quite enlightening.

More worrying given that MS' focus on getting C2 certified was to be able to bid for the more lucrative DoD and related contracts that required C2-level systems (no matter how arbitrarily -- incredibly few of them were ever actually configured and run at C2).

> Code identified as a 'Trusted Computing Base'. Identification of specific users.. discretionary access controls.. an audit trail.. object clearing before reuse.. Testing for *obvious* flaws.. Yep, that's about it.
...

Guaranteed boot path (can't recall the precise wording) -- something MS was already actively campaigning against with its "boot from network" requirement for the upcoming PC 95 or PC 97 hardware platform specs, and something that no typical PC could ever meet. The C2 cert for NT fudged this requirement by removing the floppy drive (and perhaps by testing on a machine whose BIOS did not yet support boot from CD).

...
> Userid/password, some sort of user-settable file permissions, don't let the next user snarf blocks off the disk by allocating a big file, and keep an audit trail. *real* stringent. Even when NT came out, C2 wasn't considered much security at all... Most of this stuff was already well understood when Multics was done in the mid-60s.
>
> Security labels? MAC? Those are B1.
>
> "A team of individuals who thoroughly understand the specific implementation of the TCB shall subject its design documentation, source code, and object code to thorough analysis and testing." That's not a requirement till B1 either. (Yeah.. ponder THAT one - you don't have to do a thorough test to get C2 ;)
>
> Trusted Path for login? That's in B2, as is covert channel analysis.
>
> You get the idea... ;)

No -- I _know_ the idea. The point is that NT is usually sneered at by *nix bigots whose favourite OSes are _just as lame_ by those same miserable criteria.

IIRC (and I really don't care as it really doesn't matter) no mainstream *nix matched NT's C2 certification for a year or more when, IIRC, some Solaris variant was gonged C2 too. Anyway, the real point is that all the currently popular systems implement some form of _discretionary_ controls, which (by definition) have to actually be enabled before they can be any use (regardless of how much or how little use they can be), and as most current system admins don't even have that concept in their computing world views, it's kinda academic to debate whether the OSes these admins run support DAC, MAC or whatever...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] Support the Sasser-author fund started

On Tue, May 18, 2004 at 11:01:32PM +1200, Nick FitzGerald wrote:
> Alexander Schreiber [EMAIL PROTECTED] to me:
>
>> Sorry, in a networked world, C2 is just a bad joke.
> ...
>
> Well, at least weak...
>
> ...
>> Keep in mind that you do not get a blank certificate for 'this OS', but the certification always is for the full OS/hardware combo. No, you can't purchase the hardware for C2 certified NT anymore (not new, anyway). Even so, it was a specially patched ...
>
> Really?? I heard it was just a specially prepared machine -- network card, floppy drive pulled, much non-default configuration tweaking, etc.

According to what I read, it was NT 3.51 with a special service pack for this purpose.

>> ... Windows NT 3.51 that got certified on a (AFAIR) specific Compaq machine. It had no network card (absolutely great - most Windows security problems could be avoided by ripping out the network cards - too bad that this is unrealistic because it would pretty much reduce the usefulness of the machines to almost zero), no floppy drive, no printer - the only way to get data in was keyboard and mouse, the only way to get data out was the screen. The printer spool system was disabled. The Windows system directory was read-only (not allowing your users to overwrite the system installation is computer security 101, but this _is_ Windows, after all), making the installation of MS Office (which wants to dump a metric crapload of stuff there), unfortunately, impossible.
> ...
>
> Hmmm -- you're not another know-it-all user/admin who does not know about setup -a installs? (Of course, in a modestly well secured Windows system, a user is expected not to be able to install a complex piece of s/w like Office, so doing this as admin and getting the configuration right is the job of the system admin, not the user...)

In a properly secured system, the user has neither reason nor permission (administrative and technical) to install anything - that's what the sysadmin is for. Allowing users to install stuff at random just leads to spending a lot of time fixing unnecessary problems. In a former job, I started to tighten the W2K installs a bit, only to find out that certain applications would only run with elevated privileges for the users and just die quietly when run under normal user accounts - they most likely stumbled over not being able to write to certain files, but I then didn't have the time to check it out with a Windows equivalent of strace. I fortunately no longer have to deal with Windows as an admin.

> BTW, from _extensive_ experience in a university lab setup, the only major problem with Office (95) on NT 3.x systems with proper ACL'ing of user and non-user disk areas was that the $%^%-ing wizards in the online help were done by an engine that was hard-coded to write temporary files into the system dir and would fail if it could not write those files. (MS tech support had no idea what we were talking about when we told them this feature, so widely touted by their sales-droids in the Office 95 promos, would not work in a properly secured NT setup, and a colleague told me one of them actually told him to fix the problem by giving everyone full access to the system dir -- if that tech had been talking to me I'd have been talking very strongly with his supervisor within a few seconds.) We simply told the lecturers (profs in the US) and tutors teaching the classes that used Word to _not_ mention wizards nor expect them to work -- thank-you Microsoft!

I know that NT and descendants _can_ be properly secured, given an admin who knows exactly what he is doing and sufficient time - I see our Windows staff doing it. But I _also_ noticed that it's a job that, in my opinion, is a _lot_ harder than locking down a typical UNIX system. There are just too damn many "helpful" automatics there. You think you've locked down all network and similar interfaces ... along comes somebody with a mobile phone and IR interface and *bing* "Windows has detected an IR device, installing drivers ..." - _that_ one made our Windows folks curse when we (UNIX staff) tried it. Yes, they got it locked down now too.

As I wrote, the system _can_ be locked down nicely (and in theory, probably better than a typical UNIX), but the default configuration is a disaster. It's too damn open even for corporate use (I'm _not_ talking security critical stuff!), so you have to go and lock it down. Only to discover that there are still a lot of monkeys out there programming Windows applications who never heard about limited privileges and whose programs simply crash and burn upon encountering EACCES or mumble about self-invented privilege names when they really mean "Hey, just run me as Administrator and be done with it, pal, ok?" (yeah, great idea. not.).

> ...
>> So you had a system where you could log on, play minesweeper and log off again. Lots of use, that.
>
> Or, where a competent admin could
RE: [Full-Disclosure] Support the Sasser-author fund started

On Fri, 2004-05-14 at 06:22, Yan Doldonov wrote:
> After all, nobody forces anyone to purchase and use MS Products. MS has been selling imperfect products for years and people still continue to use them.

Interesting, I seem to recall a minor anti-trust case in the US that kinda decided that M$ used a monopoly position to kinda force OEMs to sell M$ Windows on their PCs or suffer a serious price difference compared to those that do. Also, until recently, MS had pretty much crushed the opposition, meaning there was no realistic option to Windows for a general purpose GUI based OS on the cheap and cheerful Intel platform. Admittedly, IBM started that monopoly, that part being overcome very quickly, but MS is the company that brought it to the current level, breaking laws and acting immorally in the process.

ktabic
--
www.ktabic.co.uk
Many sysadmins won't give you the time of day. That's what NTP is for.
Re: [Full-Disclosure] Support the Sasser-author fund started

Georgi Guninski wrote:
> On Sun, May 16, 2004 at 12:19:21PM -0700, [EMAIL PROTECTED] wrote:
>> The MS operating systems are the main source of problems for really only 2 reasons:
>> 1) their popularity makes them the most valuable targets
>
> i suggest you stop smoking bad stuff, it is illegal in bulgaria.
> are you aware of the popularity of ii$ against apache - just consult:
> http://news.netcraft.com/archives/web_server_survey.html
>
> Developer    April 2004    Percent
> Apache       33329879      66.99
> Microsoft    10691683      21.49
>
> how many ii$ worms screwed the net and to what extent?
> how many apache worms screwed the net and to what extent?

You must have missed the second reason George:
2) people don't update

One reason without the other doesn't create the situation we have today.

--
AIM: IMFDUP
http://www.scosol.org/
RIP Red-Boy - 1998-2004 - jupiter accepts your offer
Re: [Full-Disclosure] Support the Sasser-author fund started

> I run anti-virus software on my servers... to sluff away the moronic Windows viruses that clog up my email account. Anti-virus monitors are a built-in performance drag on the OS. Microsoft says, hey, when we benchmark against samba, we're almost as fast, and in this special case, we're faster. Add on the required anti-virus program monitoring packets in and out and watch your performance drop as that eliminates the whole concept behind DMA as now you have to route all data through the host CPU anyways. Pretty soon, we'll need AV signature engines encoded in the data bus of Windows machines in silicon. I wouldn't be surprised if Intel or AMD had a skunkworks project on this very problem. M$ is going to hit a performance wall pretty hard otherwise.

IMHO the data are routed through the host CPU anyway; DMA is not clever enough to locate the proper file in the proper filesystem on the proper volume and pass it to the proper network card. You're right that the CPU does not have to process every single bit of each (?) file. But this could be solved by using a more advanced bus architecture (PCI-X or even something faster) and adding more CPU. A dedicated anti-virus chip is a thing which I hope is not going to happen.

Virus prevention solutions are useless when you have careless or undereducated users. I've seen a secretary who was told not to open attachments in e-mails in Outlook. When she got another tremendous birthday card from god-knows-who she obeyed, saved the attachment to the desktop and then opened it.

> What other vendors have done is to disable services by default, separate code privileges by user, run code in various levels of restricted privileges from limited access to the filesystem (chroot jails) to limited access to generic capabilities (POSIX 1e), and even just making simple distinctions like what code is data and what code is executable... They've supposedly got a microkernel design in the flagship NT OSs. This should be wonderful from a security standpoint, but in reality, has it helped them? Why did so many processes require system level access? Why are _parsers_ (ASN.1) running with system level access at all? OpenSSH learned its lesson on that, and every other major unix-style daemon has learned how to drop privileges and run non-privilege-requiring code in users and processes with restricted and dropped privileges. Why is M$ so late to the market with even this?

Well, it's worth another discussion whether the NT kernel is really a microkernel. It's not a classical monolith, but still far from Mach. In design, it's rather comparable to the Linux modular kernel (yes, I know that NT was first out there). The whole thing with security is that the Windows OS is so complex that a whole bunch of decisions is made for simplicity's sake, _alas_. No wonder that today, after more than ten years of Windows development, they still lack fundamental management and monitoring capabilities (for instance). Because of the clever idea that some space must be left to third parties to earn some extra bucks.

> Do they? An accountant I know got blaster from connecting to MSN's registration service after a fresh XP install. Why was the registration service on Internet-routable IPs? Why can't one get updates via a M$ dialup BBS system? Why is the MSN installation and registration system forcing people to get exploited when they haven't even finished their registration?

This would be too expensive for the end user (not mentioning the speed of BBS and the last-mile dial-up connections). Instead, there could be some locked-down default internet connection set up, which allows the user to connect to Windows Update and _ONLY_ to Windows Update, throwing away all traffic from the rest of the world.

Also, another problem is maintaining security in older versions of Windows. Microsoft is slowly pushing implementations of lacking security features (such as a usable firewall, etc.). But what to do when you really must maintain security even for Windows98 boxes? We'd better have run away screaming when Microsoft introduced the concept of Windows95...

Ondra

--
Ondrej Krajicek (-KO
Institute of Computer Science, Masaryk University Brno, CR
http://isildur.ics.muni.cz/~ondra  [EMAIL PROTECTED]
RE: [Full-Disclosure] Support the Sasser-author fund started

> Virus prevention solutions are useless when you have careless or undereducated users. I've seen a secretary who was told not to open attachments in e-mails in Outlook. When she got another tremendous birthday card from god-knows-who she obeyed, saved the attachment to the desktop and then opened it.

Well, it's a start. Now you just have to teach them to Right-Click-Scan-for-viruses in the middle of that...
Re: [Full-Disclosure] Support the Sasser-author fund started

On Mon, 17 May 2004 13:33:44 +0200, Ondrej Krajicek [EMAIL PROTECTED] said:

>> we're faster. Add on the required anti-virus program monitoring packets in and out and watch your performance drop as that eliminates the whole concept behind DMA as now you have to route all data through the host CPU anyways. Pretty soon, we'll need AV signature engines encoded in the data bus of Windows machines in silicon. I wouldn't be surprised if Intel or AMD had a skunkworks project on this very problem.

Palladium. It's more about DRM than about real security (think about it - if somebody finds yet another IIS exploit, the buffer overflow will run in the IIS context same as it does now

> IMHO the data are routed through the host CPU anyway; DMA is not clever enough to locate the proper file in the proper filesystem on the proper volume and pass it to the proper network card. You're right that the CPU does not have to process every single bit of each (?) file. But this could be solved by using a more advanced bus architecture (PCI-X or even something faster) and adding more CPU. A dedicated anti-virus chip is a thing which I hope is not going to happen.

Hmm.. let me get this straight - I can run something like SELinux and get snappy performance on a 700MHz Pentium III, but to get security out of Windows I'll need even MORE CPU and a PCI-X? What's wrong with this picture?
Re: [Full-Disclosure] Support the Sasser-author fund started

>> IMHO the data are routed through the host CPU anyway; DMA is not clever enough to locate the proper file in the proper filesystem on the proper volume and pass it to the proper network card. You're right that the CPU does not have to process every single bit of each (?) file. But this could be solved by using a more advanced bus architecture (PCI-X or even something faster) and adding more CPU. A dedicated anti-virus chip is a thing which I hope is not going to happen.
>
> Hmm.. let me get this straight - I can run something like SELinux and get snappy performance on a 700MHz Pentium III, but to get security out of Windows I'll need even MORE CPU and a PCI-X? What's wrong with this picture?

We are talking about on-line anti-virus scanning performance, which is decided mainly by the throughput of the I/O bus and CPU speed. SELinux is about mandatory access control.

Ondra

--
Ondrej Krajicek (-KO
Institute of Computer Science, Masaryk University Brno, CR
http://isildur.ics.muni.cz/~ondra  [EMAIL PROTECTED]
Re: [Full-Disclosure] Support the Sasser-author fund started

On Mon, 17 May 2004 15:58:35 BST, Jos Osborne [EMAIL PROTECTED] said:
> Well, it's a start. Now you just have to teach them to Right-Click-Scan-for-viruses in the middle of that...

Of course, the problem here is that if it got to our user's desktop via e-mail, it didn't get detected by the mail hub's scanner. That probably means we're in the 4-6 hours between first sighting and a pattern showing up, so scanning probably won't do much good. On the other hand, if you're in that several hour gap, you're basically screwed anyway
Re: [Full-Disclosure] Support the Sasser-author fund started

On Mon, 17 May 2004 17:29:04 +0200, Ondrej Krajicek [EMAIL PROTECTED] said:
> We are talking about on-line anti-virus scanning performance, which is decided mainly by the throughput of the I/O bus and CPU speed. SELinux is about mandatory access control.

Exactly. (from another list about 2 months ago, regarding the Bagle worm):

> Within days, antivirus companies updated their products to look for the password and decrypt the Zip file, but the Bagle author has now released these three new versions of the worm that produce the password in the form of a graphic or picture file, so a simple text scan of the infected email would not find the password.
> http://news.zdnet.co.uk/internet/security/0,39020375,39148066,00.htm
> http://news.zdnet.co.uk/0,39020330,39149030,00.htm

[After playing out all possible outcomes for Global Thermonuclear War]
Joshua: Greetings, Professor Falken.
Stephen Falken: Hello, Joshua.
Joshua: A strange game. The only winning move is not to play. How about a nice game of chess?
-- War Games, 1983
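The two posts above describe the hole a mail hub is left with: the hours before a signature exists, and Bagle-style archives whose password only a human reading the attached picture can supply. A policy check that does not depend on signatures closes part of that hole: any ZIP attachment containing an encrypted entry is something the scanner cannot inspect at all, so it can be quarantined on that structural fact alone. The code below is an added example written for this page, not code from any poster on the thread. It parses the ZIP central directory (and falls back to walking local file headers when the central directory is missing, so a truncated archive cannot dodge the check), then applies that check to the attachments of a MIME message. The sender and recipient addresses, the names card.zip and card.exe, and the payload bytes are all constructed for the example; the sample archive has its encryption flag set the way a password-protected archive carries it, without the data actually being encrypted, because the flag is what the policy keys on.

```python
"""Signature-free gateway check for ZIP attachments (added example, not from the
thread): flag entries a content scanner cannot open because they are encrypted.
The sample mail, file names and payload bytes are constructed for this example."""
import struct
import zipfile
from io import BytesIO
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x0001          # general-purpose flag bit 0: entry is encrypted
LOCAL_HDR_SIG = b"PK\x03\x04"    # local file header, precedes each entry's data
CENTRAL_HDR_SIG = b"PK\x01\x02"  # central directory header, one per entry at the tail
# local header fields: sig, version, flags, method, time, date, crc, csize, usize, namelen, extralen
LOCAL_HDR_FMT = "<4sHHHHHLLLHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 bytes


def encrypted_entries(blob: bytes) -> list:
    """Names of entries whose encryption flag is set.

    The central directory is authoritative when the archive is intact. When it
    is missing or damaged (truncated download, mangled tail) the function walks
    the local file headers instead, so an entry cannot hide from the policy
    simply by breaking the end of the file."""
    try:
        with zipfile.ZipFile(BytesIO(blob)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        pass  # no usable central directory: fall through to the header walk
    names = []
    pos = blob.find(LOCAL_HDR_SIG)
    while pos != -1 and pos + LOCAL_HDR_LEN <= len(blob):
        fields = struct.unpack_from(LOCAL_HDR_FMT, blob, pos)
        flags, name_len = fields[2], fields[9]
        name_start = pos + LOCAL_HDR_LEN
        name = blob[name_start:name_start + name_len].decode("cp437", "replace")
        if flags & ENCRYPTED_FLAG:
            names.append(name)
        # Sizes in a local header may be zero (data descriptor in use), so look
        # for the next signature rather than skipping by the declared length.
        pos = blob.find(LOCAL_HDR_SIG, name_start)
    return names


def gateway_findings(msg: EmailMessage) -> list:
    """Attachments the gateway should quarantine, each with its reason.

    Archives are recognised by their bytes, not by the file name extension,
    since a lure can arrive under any name."""
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):
            payload = payload.encode("utf-8", "replace")
        if not (payload.startswith(LOCAL_HDR_SIG) or CENTRAL_HDR_SIG in payload):
            continue
        locked = encrypted_entries(payload)
        if locked:
            name = part.get_filename() or "(unnamed)"
            findings.append((name, "encrypted entries: " + ", ".join(locked)))
    return findings


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed one-entry archive. With encrypted=True the encryption flag is
    set in both header copies, as a password-protected archive carries it; the
    entry data is left as is because only the flag drives the policy."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("card.exe", b"MZ constructed placeholder, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        # the flags field sits at offset 6 in a local header, offset 8 in a central one
        for sig, off in ((LOCAL_HDR_SIG, 6), (CENTRAL_HDR_SIG, 8)):
            pos = data.find(sig)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + off)[0] | ENCRYPTED_FLAG
                struct.pack_into("<H", data, pos + off, flags)
                pos = data.find(sig, pos + len(sig))
    return bytes(data)


def build_sample_message(attachment: bytes) -> EmailMessage:
    """Constructed lure in the shape of the 'birthday card' mails discussed above."""
    msg = EmailMessage()
    msg["From"] = "cards@example.invalid"
    msg["To"] = "secretary@example.invalid"
    msg["Subject"] = "Your birthday card"
    msg.set_content("The password for the card is in the attached picture.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename="card.zip")
    return msg


if __name__ == "__main__":
    for locked in (False, True):
        mail = build_sample_message(build_sample_zip(encrypted=locked))
        print("encrypted" if locked else "plain", "->", gateway_findings(mail))
```

What the gateway does with a finding (hold for review, strip the attachment, or bounce with the entry names in the notice) is local policy; the point is that the decision needs no pattern update, so it holds during the gap between first sighting and signature release that the post above describes.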
Re: [Full-Disclosure] Support the Sasser-author fund started

Bill,

I agree with most of your statements below. However, with competing operating systems such as those you mentioned below plus OS/2 and Apple Macintosh in the 1980's, the business leaders and consumers chose Windows. I think people forget that Microsoft must have filled a gap that these other operating systems didn't. How can we blame Microsoft for capitalizing on the need at the time?

When the Internet revolution started, there was no way to predict the magnitude that a malicious program could have across the world. Sure, Microsoft is playing catch-up with security. They are just filling the gap in their own products now.

-Shane

----- Original Message -----
From: Bill Royds [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 16, 2004 10:51 PM
Subject: RE: [Full-Disclosure] Support the Sasser-author fund started

The real problem is the MS Operating Systems are toys that are trying to grow up. They still have code and design decisions that were part of the DOS operating systems of the early 80's. All the features required of mature operating systems were added as an afterthought and not designed in. Such things as memory management and file access control have been grafted on a single user/single process/non-network OS. To maintain backward compatibility with DOS and Windows 95, key OS data structures have many assumptions about things like buffer size that lead to buffer overflows. Witness the assumption about machine names that led to Slammer. The whole Microsoft OS effort has been to grow from a system designed for minimal size machines such as the 640K PC to something that can be used as a system for commerce. Features have been bolted on as they are deemed sellable to make a profit. It wasn't until NT that the file system even had the concept of access control, and backward compatibility has meant that the default ACL is "give everyone full control".

Unix, by contrast, has always been designed as a multi-user/multi-process system so things like file security and separation of processes are inherent. The Unix security model is actually much simpler than the NT one, so Unix/Linux users are able to apply it. The NT one, despite its great power and flexibility, creates such complexity that most administrators give up and drop real security because they are not sure of the consequences of strong security. This complexity in the security model leads to complexity in the code that implements it, so things like LSASS.EXE need to be complicated (and therefore buggy) to implement it. The whole patchwork that is Active-X/COM/COM+/OLE/DLL etc. is a sign that they don't have an overarching design and just try to add new systems to flawed designs rather than biting the bullet and fixing their mistakes. Unix has a consistency in design (single hierarchy for files and devices, separation of files from their names etc.) that shows its elegant beginning. Microsoft OSes show the design by sales droid that leads to a real quagmire. True professional systems run using non-Microsoft OS, like Solaris and other Unix, MVS, VMS, QNX.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: May 16, 2004 3:19 PM
To: Seth Alan Woolley
Cc: Shane C. Hage; Georgi Guninski; Tobias Weisserth; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Seth Alan Woolley wrote:
> On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:
>> Why should Microsoft have more blame? In my opinion, I believe that software companies, especially Microsoft, have taken all of the appropriate steps to provide security within their products.
>
> Keep your head in the sand, then. The design from the very beginning was put together without security in mind. Their OS revolutionized the anti-virus industry. There are numerous alternative operating systems and cases where worms and viruses have been created for them (cf. the Morris worm, slapper, etc), and most of the bandwidth in the world sits on non-Microsoft software, mind you.

Isn't that more of a very gray area? Yes, MS operating systems weren't really designed with security in mind until (IMO) NT4, and then- that security wasn't really pushed to the consumer until Win2k- but- that was *5 years ago* that it was. Win2k and WinXP aren't that different from OSX or most popular Linux distros from the number of network servers enabled perspective-

The MS operating systems are the main source of problems for really only 2 reasons:
1) their popularity makes them the most valuable targets
2) people don't update

All of us on this list know that if all consumers ran auto-update properly and had it install stuff automatically, these worms would become very rare occurrences. (while admittedly creating an interesting new set of problems)

I don't really see what more MS can be expected to do, short of shoving
Re: [Full-Disclosure] Support the Sasser-author fund started
Shane C. Hage [EMAIL PROTECTED] writes:

> When the Internet revolution started, there was no way to predict the
> magnitude that a malicious program could have across the world.

We had proof of the effects that a malicious program could have in, what, 1988? Now it's 2004.

-- 
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Support the Sasser-author fund started
Hi Shane,

A little correction in history:

On Mon, 17 May 2004, Shane C. Hage wrote:

> I agree with most of your statements below. However, with competing
> operating systems such as those you mentioned below plus OS/2 and Apple
> Macintosh in the 1980's, the business leaders and consumers chose Windows.

They did not choose Windows. They chose small, relatively cheap machines, which eventually offered them applications like Word and Excel. It was the applications, not the OS, that made the difference.

> I think people forget that Microsoft must have filled a gap that these
> other operating systems didn't. How can we blame Microsoft for
> capitalizing on the need at the time?

No, you can't blame them for capitalizing, but their earlier greed and lack of understanding of how grown-up operating systems work has caused problems that persist today.

> When the Internet revolution started, there was no way to predict the
> magnitude that a malicious program could have across the world.

Yes there was, and people said so. The Morris worm (pre 1990) was a good demonstration of how it would work. The Net did not really take off until '95 or so, about the time BillG started to notice it.

> Sure, Microsoft is playing catch-up with security. They are just filling
> the gap in their own products now.

Gap, like the Grand Canyon is a gap in the landscape :)

cheers,
bob
Re: [Full-Disclosure] Support the Sasser-author fund started
On Mon, 17 May 2004 16:27:28 EDT, Shane C. Hage [EMAIL PROTECTED] said:

> I think people forget that Microsoft must have filled a gap that these
> other operating systems didn't. How can we blame Microsoft for
> capitalizing on the need at the time?

Yes, there was a market niche for monopolistic companies that would rather buy/litigate/bundle their competition out of existence rather than compete on technical merits.

Oh.. and marketing. Don't forget marketing.

> magnitude that a malicious program could have across the world.

> Sure, Microsoft is playing catch-up with security. They are just filling
> the gap in their own products now.

Just like they had to play catch-up with the concept of a GUI, and the Internet, and now they act like they invented both of those.

I see dark times ahead..
Re: [Full-Disclosure] Support the Sasser-author fund started
Shane C. Hage to Bill Royds:

> I agree with most of your statements below.

Well, actually, he was wrong if you consider the NT family of OSes starting in about 1993-4 (true, OOTB they were configured to be fully Win 3.x compatible -- that is, with all security disabled/dumbed down -- but the underlying architecture design at least met most of the minimum criteria for C2...).

...

> However, with competing operating systems such as those you mentioned
> below plus OS/2 and Apple Macintosh in the 1980's, the business leaders
> and consumers chose Windows. I think people forget that Microsoft must
> have filled a gap that these other operating systems didn't.

...

They beat OS/2 on installation ease (_great_ OS, dog of an install, even on some IBM hardware) and Apple by running on any old crud (and therefore very cheap) hardware (and the market size then contributed further to the PC hardware getting much cheaper, much faster than Apple would allow/could match) with its proprietary hardware/OS lock-in.

...

> How can we blame Microsoft for capitalizing on the need at the time?

Need? They sold completely insecurable products into large -- real large; I recall Ford being poster boy for _Win95_ fercrissakes -- markets to make sure they got market penetration, when (if they had any integrity or could have been at all objective about the product they'd either have pushed NT _or not even tried_ for the sale). Of course, some folk at Ford and many other large corporates that made the same mistake have a lot to answer for too...

> When the Internet revolution started, there was no way to predict the
> magnitude that a malicious program could have across the world.

...

Bollox -- the Morris Worm had already shown us what could be achieved. Are we really so dense that we need weekly to monthly replays on a slightly different scale, and with slightly different attack vectors, before we can learn anything from such attacks? Or did the all-out greed fuelled by the contemporaneous dot-com bubble cloud some folks' judgement?

...

> Sure, Microsoft is playing catch-up with security. They are just filling
> the gap in their own products now.

The trouble with that approach is that there is just not enough spackle in the world for them to achieve that goal any time soon. So, what do they do? What they've always done -- continuing with business as usual; spin, spin, spin.

Seems to have worked for you...

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Re: [Full-Disclosure] Support the Sasser-author fund started
On Tue, 18 May 2004 12:39:46 +1200, Nick FitzGerald [EMAIL PROTECTED] said:

> Shane C. Hage to Bill Royds:
>
> > I agree with most of your statements below.
>
> Well, actually, he was wrong if you consider the NT family of OSes
> starting in about 1993-4 (true, OOTB they were configured to be fully
> Win 3.x compatible -- that is, with all security disabled/dumbed down --
> but the underlying architecture design at least met most of the minimum
> criteria for C2...).

Actually reading what C2 *required* is quite enlightening. Code identified as a 'Trusted Computing Base'. Identification of specific users.. discretionary access controls.. an audit trail.. object clearing before reuse.. Testing for *obvious* flaws.. Yep, that's about it. Userid/password, some sort of user-settable file permissions, don't let the next user snarf blocks off the disk by allocating a big file, and keep an audit trail. *real* stringent.

Even when NT came out, C2 wasn't considered much security at all... Most of this stuff was already well understood when Multics was done in the mid-60s.

Security labels? MAC? Those are B1.

"A team of individuals who thoroughly understand the specific implementation of the TCB shall subject its design documentation, source code, and object code to thorough analysis and testing."

That's not a requirement till B1 either. (Yeah.. ponder THAT one - you don't have to do a thorough test to get C2 ;)

Trusted Path for login? That's in B2, as is covert channel analysis.

You get the idea... ;)
RE: [Full-Disclosure] Support the Sasser-author fund started
Microsoft built an OS for a desk-top stand-alone computer that could run apps like a Word Processor and spreadsheet. This filled a very large niche for business and they did it very well, powerful enough to get things done, cheap enough to be affordable. But from NT on, they have tried to extend this design upwards to corporate networks and systems. They have been able to convince corporations that they could leverage their investment in desk tops into systems for corporate use, because all a corporation needed to do to turn a word processor operator into a server administrator was send him/her to training for a week. A nice GUI does not make the job of administrating systems trivial. It only trivializes the results. MS has probably the best marketing force in the world and they do look cheaper on paper.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane C. Hage
Sent: May 17, 2004 4:27 PM
To: Bill Royds; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Bill,

I agree with most of your statements below. However, with competing operating systems such as those you mentioned below plus OS/2 and Apple Macintosh in the 1980's, the business leaders and consumers chose Windows. I think people forget that Microsoft must have filled a gap that these other operating systems didn't. How can we blame Microsoft for capitalizing on the need at the time?

When the Internet revolution started, there was no way to predict the magnitude that a malicious program could have across the world. Sure, Microsoft is playing catch-up with security. They are just filling the gap in their own products now.

-Shane

----- Original Message -----
From: Bill Royds [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, May 16, 2004 10:51 PM
Subject: RE: [Full-Disclosure] Support the Sasser-author fund started

The real problem is the MS Operating Systems are toys that are trying to grow up. They still have code and design decisions that were part of the DOS operating systems of the early 80's. All the features required of mature operating systems were added as an afterthought and not designed in. Such things as memory management and file access control have been grafted on a single user/single process/non-network OS. To maintain backward compatibility with DOS and Windows 95, key OS data structures have many assumptions about things like buffer size that lead to buffer overflows. Witness the assumption about machine names that led to Slammer.

The whole Microsoft OS effort has been to grow from a system designed for minimal size machines such as the 640K PC to something that can be used as a system for commerce. Features have been bolted on as they are deemed sellable to make a profit. It wasn't until NT that the file system even had the concept of access control and backward compatibility has meant that the default ACL is give everyone full control.

Unix, by contrast, has always been designed as a multi-user/multi-process system so things like file security and separation of processes are inherent. The Unix security model is actually much simpler than the NT one, so Unix/Linux users are able to apply it. The NT one, despite its great power and flexibility, creates such complexity that most administrators give up and drop real security because they are not sure of the consequences of strong security. This complexity in the security model leads to complexity in the code that implements it, so things like LSASS.EXE need to be complicated (and therefore buggy) to implement it.

The whole patchwork that is Active-X/COM/COM+/OLE/DLL etc. is a sign that they don't have an overarching design and just try to add new systems to add to flawed designs rather than biting the bullet and fixing their mistakes. Unix has a consistency in design (single hierarchy for files and devices, separation of files from their names etc.) that shows its elegant beginning. Microsoft OS shows that design by sales droid that leads to a real quagmire. True professional systems run using non-Microsoft OS, like Solaris and other Unix, MVS, VMS, QNX.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: May 16, 2004 3:19 PM
To: Seth Alan Woolley
Cc: Shane C. Hage; Georgi Guninski; Tobias Weisserth; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Seth Alan Woolley wrote:
> On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:
> > Why should Microsoft have more blame? In my opinion, I believe that
> > software companies, especially Microsoft, have taken all of the
> > appropriate steps to provide security within their products.
>
> Keep your head in the sand, then. The design from the very beginning was
> put together without security in mind. Their OS revolutionized the
> anti-virus industry. There are numerous alternative
Re: [Full-Disclosure] Support the Sasser-author fund started
[SNIP]

Therefore we should license computer users and require tests before they are allowed to buy and/or use a computer? Something along the lines of a driver's license?

Also, have you seen some of the absurd warnings in the operating manuals - 'Do not touch the chain saw blade while in motion'. Perhaps all computers should have a warning - 'Do not use if you are an idiot'. But then most internet commerce would cease...

Perhaps not, due to Byron L. Sonne's law: Being stupid is a real impediment; first of all you're dumb and second of all you're too stupid to know how dumb you really are.

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] Support the Sasser-author fund started
--On Friday, May 14, 2004 11:06 PM +0530 Aditya, ALD [Aditya Lalit Deshmukh] [EMAIL PROTECTED] wrote:

> the problem is many times when the patch is released it tends to break
> many applications and other random stuff! ms is patching a hole but
> manages to break other things in the process quite frequently.

Let's see... this would seem to indicate that they depend on the holes to run the applications. :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
RE: [Full-Disclosure] Support the Sasser-author fund started
Paul Schmehl wrote:

> Let's see... this would seem to indicate that they depend on the holes to
> run the applications. :-)

Well, that is pretty accurate. Pick any part of the architecture, the window event system, the pervasive Visual Basic access to system controls, lack of privilege separation for services and a user community kept in the dark as to what the machine actually does . . .

Egads, the US government is entertaining a law against spyware to cover up the fact that the majority of Americans are running a system so horribly broken that uninvited guests can render it inoperable . ? !

When will the hidden costs of running such a poor operating system be recognized ?

more, l8r, v

-- 
america sig
Re: [Full-Disclosure] Support the Sasser-author fund started
On Sun, May 16, 2004 at 12:19:21PM -0700, [EMAIL PROTECTED] wrote:

> The MS operating systems are the main source of problems for really only
> 2 reasons:
> 1) their popularity makes them the most valuable targets

i suggest you stop smoking bad stuff, it is illegal in Bulgaria.

are you aware of the popularity of ii$ against apache - just consult:
http://news.netcraft.com/archives/web_server_survey.html

Developer    April 2004    Percent
Apache         33329879      66.99
Microsoft      10691683      21.49

how many ii$ worms screwed the net and to what extent?
how many apache worms screwed the net and to what extent?

-- 
When I answered where I wanted to go today, they just hung up -- Unknown
Re: [Full-Disclosure] Support the Sasser-author fund started
Seth Alan Woolley wrote:
> On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:
> > Why should Microsoft have more blame? In my opinion, I believe that
> > software companies, especially Microsoft, have taken all of the
> > appropriate steps to provide security within their products.
>
> Keep your head in the sand, then. The design from the very beginning was
> put together without security in mind. Their OS revolutionized the
> anti-virus industry. There are numerous alternative operating systems
> and cases where worms and viruses have been created for them (cf. the
> Morris worm, slapper, etc), and most of the bandwidth in the world sits
> on non-Microsoft software, mind you.

Isn't that more of a very gray area? Yes, MS operating systems weren't really designed with security in mind until (IMO) NT4, and then- that security wasn't really pushed to the consumer until Win2k- but- that was *5 years ago* that it was. Win2k and WinXP aren't that different from OSX or most popular Linux distros from the number of network servers enabled perspective-

The MS operating systems are the main source of problems for really only 2 reasons:
1) their popularity makes them the most valuable targets
2) people don't update

All of us on this list know that if all consumers ran auto-update properly and had it install stuff automatically, these worms would become very rare occurrences. (while admittedly creating an interesting new set of problems) I don't really see what more MS can be expected to do, short of shoving auto-update down everyone's throats whether they like it or not (which will bring the tinfoil-hat crowd out in force)

It is very seldom that a worm is out before the fix for the exploited vulnerability- it's just a matter of diligence.

Also- your argument of most of the bandwidth in the world sits on non-Microsoft software is IMO invalid- these machines that you speak of are not operated by consumers- people are paid to keep them updated and secure.

-- 
AIM: IMFDUP
http://www.scosol.org/
RIP Red-Boy - 1998-2004 - jupiter accepts your offer
Re: [inbox] Re: [Full-Disclosure] Support the Sasser-author fund started
> I also know enough not to rely on what the media tries to shove down
> everyone's throat. Something that you appear to rely on.

You keep on thinking the way you're thinking...

> Oh, and I'll guarantee that you'd never EVER challenge my Patriotism to
> my face. I'll say nothing more on this subject, don't bother to reply.
> It's clear that you're a troll

You're funny.

-- 
For Good, return Good. For Evil, return Justice.
RE: [Full-Disclosure] Support the Sasser-author fund started
The real problem is the MS Operating Systems are toys that are trying to grow up. They still have code and design decisions that were part of the DOS operating systems of the early 80's. All the features required of mature operating systems were added as an afterthought and not designed in. Such things as memory management and file access control have been grafted on a single user/single process/non-network OS. To maintain backward compatibility with DOS and Windows 95, key OS data structures have many assumptions about things like buffer size that lead to buffer overflows. Witness the assumption about machine names that led to Slammer.

The whole Microsoft OS effort has been to grow from a system designed for minimal size machines such as the 640K PC to something that can be used as a system for commerce. Features have been bolted on as they are deemed sellable to make a profit. It wasn't until NT that the file system even had the concept of access control and backward compatibility has meant that the default ACL is give everyone full control.

Unix, by contrast, has always been designed as a multi-user/multi-process system so things like file security and separation of processes are inherent. The Unix security model is actually much simpler than the NT one, so Unix/Linux users are able to apply it. The NT one, despite its great power and flexibility, creates such complexity that most administrators give up and drop real security because they are not sure of the consequences of strong security. This complexity in the security model leads to complexity in the code that implements it, so things like LSASS.EXE need to be complicated (and therefore buggy) to implement it.

The whole patchwork that is Active-X/COM/COM+/OLE/DLL etc. is a sign that they don't have an overarching design and just try to add new systems to add to flawed designs rather than biting the bullet and fixing their mistakes. Unix has a consistency in design (single hierarchy for files and devices, separation of files from their names etc.) that shows its elegant beginning. Microsoft OS shows that design by sales droid that leads to a real quagmire. True professional systems run using non-Microsoft OS, like Solaris and other Unix, MVS, VMS, QNX.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: May 16, 2004 3:19 PM
To: Seth Alan Woolley
Cc: Shane C. Hage; Georgi Guninski; Tobias Weisserth; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Seth Alan Woolley wrote:
> On Sat, May 15, 2004 at 08:31:25PM -0400, Shane C. Hage wrote:
> > Why should Microsoft have more blame? In my opinion, I believe that
> > software companies, especially Microsoft, have taken all of the
> > appropriate steps to provide security within their products.
>
> Keep your head in the sand, then. The design from the very beginning was
> put together without security in mind. Their OS revolutionized the
> anti-virus industry. There are numerous alternative operating systems
> and cases where worms and viruses have been created for them (cf. the
> Morris worm, slapper, etc), and most of the bandwidth in the world sits
> on non-Microsoft software, mind you.

Isn't that more of a very gray area? Yes, MS operating systems weren't really designed with security in mind until (IMO) NT4, and then- that security wasn't really pushed to the consumer until Win2k- but- that was *5 years ago* that it was. Win2k and WinXP aren't that different from OSX or most popular Linux distros from the number of network servers enabled perspective-

The MS operating systems are the main source of problems for really only 2 reasons:
1) their popularity makes them the most valuable targets
2) people don't update

All of us on this list know that if all consumers ran auto-update properly and had it install stuff automatically, these worms would become very rare occurrences. (while admittedly creating an interesting new set of problems) I don't really see what more MS can be expected to do, short of shoving auto-update down everyone's throats whether they like it or not (which will bring the tinfoil-hat crowd out in force)

It is very seldom that a worm is out before the fix for the exploited vulnerability- it's just a matter of diligence.

Also- your argument of most of the bandwidth in the world sits on non-Microsoft software is IMO invalid- these machines that you speak of are not operated by consumers- people are paid to keep them updated and secure.

-- 
AIM: IMFDUP
http://www.scosol.org/
RIP Red-Boy - 1998-2004 - jupiter accepts your offer
RE: [Full-Disclosure] Support the Sasser-author fund started
> All the features required of mature operating systems were added as an
> afterthought and not designed in. Such things as memory management and
> file access control

They've been designed into the Windows NT based OS from the start.

> on a single user/single process/non-network OS. To maintain backward
> compatibility with DOS and Windows 95, key OS data structures have many
> assumptions about things like buffer size that lead to buffer overflows.
> Witness the assumption about machine names that led to Slammer.

Which is an implementation issue, not a design issue.

> The whole Microsoft OS effort has been to grow from a system designed for
> minimal size machines such as the 640K PC to something that can be used
> as a system for commerce. Features have been bolted on as they are deemed
> sellable to make a profit. It wasn't until NT that the file system even
> had the concept of access control

So since around 1993 then?

> and backward compatibility has meant that the default ACL is give
> everyone full control.

Which has now changed (and a good thing too)

> Unix, by contrast, has always been designed as a multi-user/multi-process
> system so things like file security and separation of processes are
> inherent.

That's a bit of a stretch. Unix has had security bolted on after the fact as well - it's just got about ten years head start on Windows.

Your mail seemed to switch between issues relating to design and issues relating to implementation - from what I can gather the design of the NT OS is a good one (things like ActiveX excluded), but the implementation has been full of holes.
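The buffer-size assumption that Bill Royds points at above (fixed-size fields in OS data structures, the machine-name case behind Slammer) and the reply's verdict that it is an implementation rather than a design issue, as an added example in C. This is not code from any poster, from Microsoft or from the product Slammer hit; the record layout, the 16-byte name field, the one-byte-length message format and the sample messages are all assumptions constructed for this illustration. It puts the unchecked copy beside two checked variants: one for a C string, and one for a network message whose own length field has to be validated against both the destination field and the bytes that actually arrived.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* Constructed record layout for this example (an assumption, not any real
 * protocol or OS structure): a NetBIOS-style machine name is at most 15
 * characters, so the field holds 16 bytes including the terminating NUL. */
#define MACHINE_NAME_MAX 16

struct host_record {
    char name[MACHINE_NAME_MAX];
    int  flags;            /* whatever happens to follow the name in memory */
};

/* The "it will always fit" pattern: strcpy copies until the source NUL, so a
 * name longer than 15 characters overruns `name` into `flags` and past the
 * end of the record. Shown for contrast only; nothing below calls it. */
void store_name_unchecked(struct host_record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Checked variant for a C string: measure at most MACHINE_NAME_MAX bytes and
 * refuse anything that would not fit together with its terminator.
 * Returns 0 on success, -1 if the name is too long. */
int store_name_checked(struct host_record *r, const char *input)
{
    size_t len = strnlen(input, MACHINE_NAME_MAX);
    if (len >= MACHINE_NAME_MAX)
        return -1;
    memcpy(r->name, input, len + 1);   /* len + 1 includes the NUL */
    return 0;
}

/* Network-facing variant. Constructed message format: [len][len bytes of
 * name]. The sender's length byte is checked against BOTH the destination
 * field and the number of bytes actually received, so neither an oversize
 * declared length nor a short packet can drive the copy out of bounds.
 * Returns 0 on success, -1 for an empty message, -2 if the declared length
 * cannot fit the field, -3 if it exceeds the payload that arrived. */
int parse_host_record(const unsigned char *msg, size_t msg_len,
                      struct host_record *out)
{
    if (msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared >= MACHINE_NAME_MAX)
        return -2;
    if (declared > msg_len - 1)
        return -3;
    memcpy(out->name, msg + 1, declared);
    out->name[declared] = '\0';
    out->flags = 0;
    return 0;
}

/* Constructed sample messages so the checks can be exercised offline. */
static const unsigned char MSG_GOOD[]        = { 5, 'H', 'O', 'S', 'T', '1' };
static const unsigned char MSG_LEN_TOO_BIG[] = { 20, 'A', 'B', 'C' };
static const unsigned char MSG_TRUNCATED[]   = { 5, 'A', 'B' };

/* Each demo returns the result code of the check it exercises. */
int demo_good(void)
{
    struct host_record r;
    return parse_host_record(MSG_GOOD, sizeof MSG_GOOD, &r);
}

/* Returns 1 when the copied name is exactly the declared five bytes. */
int demo_good_name(void)
{
    struct host_record r;
    if (parse_host_record(MSG_GOOD, sizeof MSG_GOOD, &r) != 0)
        return 0;
    return strcmp(r.name, "HOST1") == 0;
}

int demo_len_too_big(void)
{
    struct host_record r;
    return parse_host_record(MSG_LEN_TOO_BIG, sizeof MSG_LEN_TOO_BIG, &r);
}

int demo_truncated(void)
{
    struct host_record r;
    return parse_host_record(MSG_TRUNCATED, sizeof MSG_TRUNCATED, &r);
}

int demo_store_fits(void)
{
    struct host_record r;
    return store_name_checked(&r, "FILESERVER01");       /* 12 chars */
}

int demo_store_too_long(void)
{
    struct host_record r;
    return store_name_checked(&r, "THIS-NAME-IS-TOO-LONG"); /* 21 chars */
}
```

The point the two posts circle around is visible in parse_host_record: the 16-byte field is a design choice that is fine on its own; the defect is trusting the input to respect it. Every declared length is checked twice and a malformed message fails closed with a distinct error code, instead of writing past name into flags and whatever follows the record.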
Re: [Full-Disclosure] Support the Sasser-author fund started
Guys, I am not trying to defend the worm author. Thierry ([EMAIL PROTECTED]) made a point earlier on that the guy admitted to writing the source, not spreading (maybe it is outdated info, I do not know).

My point is that the guy is innocent until proven otherwise in a court of law. I am just opposed to Mr. Lynch law order discussions.

kos

Exibar wrote:

> --- Konstantin V. Gavrilenko wrote:
> snip snip
> > My personal opinion is that more blame should be put on M$. But where
> > would the security industry be if not for Microsoft's products :)
>
> But Microsoft released a patch for the security hole that was found, I
> don't care if it was 5 days or 5 years after they were told about it,
> they still released the patch before the worm was written! THEY are not
> to blame and shouldn't be prosecuted, nor should the IDIOTS that didn't
> apply that patch, the person that wrote and released the worm is the one
> that pulled the trigger. Plain and simple.
>
> In this case he wrote more than one (he did write NetSky as well), and
> knowingly and admittedly released the worms to cause harm to other
> people's computer systems. Supposedly to increase business for a family
> computer shop.
>
> This kid is as guilty as the day is long, guys; he should pay for his
> crime, perhaps not with 20 years in prison, but at least 6 - 12 months
> in prison, 5 years of probation and 1000 hours community service with
> zero access to computers for those 5 years.
>
> Exibar

-- 
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web: http://www.arhont.com
http://www.wi-foo.com
e-mail: [EMAIL PROTECTED]

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com
Re: [Full-Disclosure] Support the Sasser-author fund started
On Fri, May 14, 2004 at 07:12:08PM +0200, Tobias Weisserth wrote:
> > My personal opinion is that more blame should be put on M$.
>
> The company is called Microsoft or MS in short. Why don't you use its
> proper name?

are you sure it is MS and not M$
i was always taught it was M$.

-- 
When I answered where I wanted to go today, they just hung up -- Unknown
Re: [Full-Disclosure] Support the Sasser-author fund started
Sim Brown [EMAIL PROTECTED] wrote:
> > You're a nazi... A patriot would respect other countries and their
> > laws...
>
> I hereby invoke Godwin's Law and declare this thread dead.

Harhar, this is not going to work i bet...anyway a wise idea.

Best wishes,
Christian

-- 
Christian Fromme chris at linux.fanatism.us
PGP-Pubkey: http://www.informatik.fh-wiesbaden.de/~cfrom001/pgp/index.html
Re: [Full-Disclosure] Support the Sasser-author fund started
Why should Microsoft have more blame? In my opinion, I believe that software companies, especially Microsoft, have taken all of the appropriate steps to provide security within their products.

Imagine you own a home and installed a security system on all the doors and windows. You set the alarm and leave for a weekend. A thief comes up to your house, breaks a window, and slides through the opening. The alarm does not go off because the thief found a vulnerability in the security system. Do you blame the security company that installed your intrusion detection system?

Software companies like Microsoft spend a lot of money developing their software. In particular, Microsoft halted development on its products so that all of its developers could receive training in 'secure coding' techniques. Above and beyond that, Microsoft and other software companies undergo 3rd-party security testing of their software before it is released. Plus, most of the software is released to the public in the form of Betas or Release Candidates months ahead of the release date. If identifying security holes was that easy, then why aren't there more vulnerabilities reported before the 'gold' release of products?

I do expect that any computer user should have fundamental security training before using it. After all, the computer is a tool. Nobody should operate a microwave or chainsaw without reading the safety instructions. The same care should be taken for computers.

Thanks for taking the time to listen to my thoughts.

Sincerely,
-Shane

----- Original Message -----
From: Georgi Guninski [EMAIL PROTECTED]
To: Tobias Weisserth [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 6:00 PM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

On Fri, May 14, 2004 at 07:12:08PM +0200, Tobias Weisserth wrote:
> > My personal opinion is that more blame should be put on M$.
>
> The company is called Microsoft or MS in short. Why don't you use its
> proper name?

are you sure it is MS and not M$
i was always taught it was M$.

-- 
When I answered where I wanted to go today, they just hung up -- Unknown
Re: [Full-Disclosure] Support the Sasser-author fund started
> At least in the States if you don't like a law you can try and do
> something about it, in a lot of other countries you could get thrown in
> jail for speaking out against the government.

Ha! HA! HAHAHAHAHAHAHA

phew

That was funny. Thanks for the laugh... clearly you are only pretending to be an American, since any truly patriotic American would be educated, intelligent, informed of their history and aware of the news... you know, the news out there that tells you all about people getting arrested for speaking out against the American government, right in the good old USA...

-- 
For Good, return Good. For Evil, return Justice.
Re: [Full-Disclosure] Support the Sasser-author fund started
My point is, then, that as we diversify, users are going to go into more unfamiliar territory, cause more problems and have fewer people available for a low fee to fix them. What then, for the computer industry? Are we ALL going to have to know every brand of OS that runs on a PC and products that run on that OS and how to fix its problems? There may be quite a few gifted people who can do that right now. As we get used to the proliferation of different OS's (if that happens), I am of the belief that there will be more people with more problems and fewer people capable of fixing them.

'Fuck em then. At some point, in many areas of life, we have to rediscover the technique of letting people be responsible for themselves. Of course we should be helping people and providing assistance; community is a very important ideal. Compassion is wise. But there needs to be a threshold set such that when you cross it, it is evident to all you are abusing the privilege. As long as poverty or disability isn't an issue/cause, if a person is spreading themselves so thin that they can't master whatever tasks they arbitrarily decide are worth their time, then fuck 'em. They need to adjust their priorities. Stop watching so much damn TV, hanging out at the mall or working too many hours trying to become rich. Sit down, shut up, and fucking learn.

Of course, I'm preaching to the choir here. It's very, very hard to help people that don't want to be helped. Being stupid is a real impediment; first of all you're dumb and second of all you're too stupid to know how dumb you really are. Once you learn the basic troubleshooting techniques, it's not too hard to apply them to *any* situation. The tools that people develop aren't the most important thing: after all, if they were never made to begin with, somebody else would have thought up another solution. The trick is the philosophy. Your mind needs to be shaped to the problem, and too many people don't want to spend the effort... it's just like physical exercise. I can respect the decision, it's a personal choice. But not when they wail 'oh why me'... like people who live in flood plains and tornado zones and don't get the fuckin' hint that hey, you know what, this *is* a bad place to build a house... and expect me to help pay for it, time after time. Or fat assed fucks who can't lay off the burgers and fries and expect *my* tax dollars to help get their stomachs stapled or the fat sucked out of their asses.

MS did home users, at least, one real favour. It spawned a lot of people able to fix MS problems who honestly DO know what they are doing. As there ARE a lot, and especially as things over where I live are getting worse for I.T. people (thus they are losing their big pay packet jobs and doing what the back yarders do), prices are competitive. It isn't unusual for someone doing those things, with an I.T. diploma of REAL value, to be charging $30 an hour to fix problems and earning less than $15,000 a YEAR in Australian dollars, or a little over 66% of that if converted to US dollars right now. You can't live on that in Australia, so people are moving out of I.T. altogether or, if they have enough savings, are doing the low paid income, draining their resources and hoping to find another I.T. job in an overcrowded market. If I.T. industry needs improve so these people can get the jobs they are qualified for, that still leaves a lot of back yarders capable of fixing users' problems. If we diversify without thought, we may end up wishing for the days of the MS security holes!

The industry _counts_ on this. They want everyone to be super educated so that they can have the pick of the crop and pay them diddly-squat. They'll get a PhD to mop the floor if they can... yet again another instance where people need to think ahead to what the future holds. Which means thinking outside of your borders, about the world at large. It's all one economy now, and has been for a while. Those who choose to remain in ignorance... well, you sow the wind, you reap the whirlwind...

Sorry for the rant! :)

-- For Good, return Good. For Evil, return Justice.

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Support the Sasser-author fund started
I tend to give MS a lot of credit; their patch availability tools are best-of-class, IMO, and they have done so at considerable cost. That said, a few glaring examples make me question their general business sense. What are we up to, 3rd or 4th RPC patch now? Even with large enterprises, governments, and military looking at open-source in ever increasing numbers, MS doggedly hangs on to this dog API. The fact that the RPC vulnerabilities stretch from NT4 to XP SP1 (8 years) shows they haven't yet gotten it, and overhauled this interface line-by-line. A secondary argument could be made about the various IIS scripting problems. If MS doesn't get their act together, and folks start putting Linux out en masse on the desktop, well, our lives are going to be really interesting then. :-)

-m

- Original Message -
From: Shane C. Hage [EMAIL PROTECTED]
To: Georgi Guninski [EMAIL PROTECTED]; Tobias Weisserth [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Saturday, May 15, 2004 7:31 PM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Why should Microsoft have more blame? In my opinion, I believe that software companies, especially Microsoft, have taken all of the appropriate steps to provide security within their products. Imagine you own a home and installed a security system on all the doors and windows. You set the alarm and leave for a weekend. A thief comes up to your house, breaks a window, and slides through the opening. The alarm does not go off because the thief found a vulnerability in the security system. Do you blame the security company that installed your intrusion detection system?

Software companies like Microsoft spend a lot of money developing their software. In particular, Microsoft halted development on its products so that all of its developers could receive training in 'secure coding' techniques. Above and beyond that, Microsoft and other software companies undergo 3rd-party security testing of their software before it is released. Plus, most of the software is released to the public in the form of Betas or Release Candidates months ahead of the release date. If identifying security holes was that easy then why aren't there more vulnerabilities reported before the 'gold' release of products.

I do expect that any computer user should have fundamental security training before using it. After all, the computer is a tool. Nobody should operate a microwave or chainsaw without reading the safety instructions. The same care should be taken for computers.

Thanks for taking the time to listen to my thoughts.

Sincerely,
-Shane

- Original Message -
From: Georgi Guninski [EMAIL PROTECTED]
To: Tobias Weisserth [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 6:00 PM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

On Fri, May 14, 2004 at 07:12:08PM +0200, Tobias Weisserth wrote:

My personal opinion is that more blame should be put on M$.

The company is called Microsoft or MS in short. Why don't you use its proper name?

are you sure it is MS and not M$? i was always taught it was M$.

-- When I answered where I wanted to go today, they just hung up -- Unknown
RE: [inbox] Re: [Full-Disclosure] Support the Sasser-author fund started
Hi Byron,

Yes, I am educated, intelligent, and informed. I also know enough not to rely on what the media tries to shove down everyone's throat. Something that you appear to rely on. You keep on thinking the way you're thinking... Oh, and I'll guarantee that you'd never EVER challenge my Patriotism to my face. I'll say nothing more on this subject, don't bother to reply. It's clear that you're a troll.

Ex

-Original Message-
From: Byron L. Sonne [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 15, 2004 9:34 PM
To: [EMAIL PROTECTED]
Subject: [inbox] Re: [Full-Disclosure] Support the Sasser-author fund started

At least in the States if you don't like a law you can try and do something about it, in a lot of other countries you could get thrown in jail for speaking out against the government.

Ha! HA! HAHAHAHAHAHAHA phew That was funny. Thanks for the laugh... clearly you are only pretending to be an American, since any truly patriotic American would be educated, intelligent, informed of their history and aware of the news... you know, the news out there that tells you all about people getting arrested for speaking out against the American government, right in the good old USA...

-- For Good, return Good. For Evil, return Justice.
Re: [Full-Disclosure] Support the Sasser-author fund started
Imagine you own a home and installed a security system on all the doors and windows. You set the alarm and leave for a weekend.

OK

A thief comes up to your house, breaks a window, and slides through the opening. The alarm does not go off because the thief found a vulnerability in the security system. Do you blame the security company that installed your intrusion detection system?

Yes, and then I sue the security company for failure to provide what was paid for. I believe this would be a warranty provision which the security company breached.

Plus, most of the software is released to the public in the form of Betas or Release Candidates months ahead of the release date. If identifying security holes was that easy then why aren't there more vulnerabilities reported before the 'gold' release of products.

The primary purpose for this release is to allow a specific group of developers and software companies the opportunity to prepare for the new release. It is not specifically released for security testing, although I am certain that this is performed to a limited extent (although it would be more fruitful if they paid for security audits rather than assume they are performed gratuitously).

I do expect that any computer user should have fundamental security training before using it. After all, the computer is a tool. Nobody should operate a microwave or chainsaw without reading the safety instructions. The same care should be taken for computers.

Therefore we should license computer users and require tests before they are allowed to buy and/or use a computer? Something along the lines of a driver's license? Also, have you seen some of the absurd warnings in the operating manuals - 'Do not touch the chain saw blade while in motion'. Perhaps all computers should have a warning - 'Do not use if you are an idiot'. But then most internet commerce would cease...
RE: [Full-Disclosure] Support the Sasser-author fund started
After all, nobody forces anyone to purchase and use MS Products. MS has been selling imperfect products for years and people still continue to use them.
Re: [Full-Disclosure] Support the Sasser-author fund started
You're a nazi... A patriot would respect other countries and their laws...

I hereby invoke Godwin's Law and declare this thread dead.

-caelyx

-- Forwarded message --
From: van Helsing [EMAIL PROTECTED]
Date: Thu, 13 May 2004 19:58:18 +0200
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started
To: [EMAIL PROTECTED]

On Thu, 13 May 2004 11:21:10 -0400 Exibar [EMAIL PROTECTED] wrote:

support the sasser writer? Yup, I'll support a big kick in the pants for him: give him a year or so in jail, 5 years probation and 1000 hours of community service, that's what I'll support. As for the twerp that said that US laws aren't sane, go pound sand, your comments were not on topic, needed, nor warranted. If this kid was in the USA, he'd be standing trial just like he would in Germany... so I repeat, go pound sand, bugger off, toddle off, just plain piss off. If you don't like the US, stay the hell out, we don't want you here.

Exibar

You're a nazi... A patriot would respect other countries and their laws... So look in the mirror and follow the leader... And I personally can say that US-Admins are often too lazy. On the other hand I can't explain how McAfee produce their virus-maps. Take a look and be quiet: http://us.mcafee.com/virusInfo/default.asp?cid=9043

vh
Re: [Full-Disclosure] Support the Sasser-author fund started
Tobias, following your logic, the people who found and disclosed the vulnerability that Sasser was abusing should be prosecuted together with the author of the viral code. What is the next stage? Jailing people who write proof of concept exploit code? Punish Fyodor for writing nmap or maybe prosecute the nessus team? If the guy wrote the code and intentionally released the worm and infected half of the Internet then he is guilty, but that remains to be proven. Nobody has cancelled the presumption of innocence yet!

My personal opinion is that more blame should be put on M$. But where would the security industry be if not for Microsoft's products :)

-- Respectfully,
Konstantin V. Gavrilenko
Arhont Ltd - Information Security
web: http://www.arhont.com http://www.wi-foo.com
e-mail: [EMAIL PROTECTED]
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

Tobias Weisserth wrote:

Hi harry,

On Thu, 2004-05-13 at 14:33, harry wrote:

Tobias Weisserth wrote: snip

I find your explanation why this author of a virus should be treated any different than other authors somehow illogical. The Sasser author has done nothing to foster security. So there is really no need for the security scene to support him.

there is one other thing... he is correct when he says that Microsoft will say it's completely the worm writer's fault.

It IS completely the author's fault. HE wrote it, HE caused the damages and HE violated German law. As much as MS products suck, MS has done nothing illegal.

BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

A patch to this problem has been available for at least two weeks prior to the release of the worm. So what's your boundary when you speak of earlier? A month? A year? Should the exploitation of a bug be legal if the vendor doesn't offer a patch in time?! That's the direction you're pushing here.

whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...

Nobody asked the burglar to do this. He broke law. He caused damages. And he certainly didn't improve your security by doing so when the door vendor already offered a patch for your door two weeks ago. There's just no way you can justify the action of this idiot by blaming MS. I say this idiot has to be punished and punished to the full extent the law allows. Maybe this deters other idiots from doing the same.

Tobias W.
Re: [Full-Disclosure] Support the Sasser-author fund started
[SNIP]

Yes, but the context that he used implied that German laws are sane and US laws are not. Not just one or two laws, but ALL laws. I took offense to that. I see it time and time again where people are just into US bashing for the sake of it. Just like saying that Microsoft is to be blamed for worm outbreaks... it's just plain rubbish. For the most part US laws are very sane. You can't take pornographic pictures of children in the US, sounds sane to me... some countries this is legal. You can't sell crude oil and call it medicine to heal all that ails you, sounds sane to me... some countries this is legal.

You ignore the fact though that the media waves are hit quite often with stories about fed, state, and more local legislation dating back to the 1700's or even 1800's that are dated, silly, and in some cases just plain stupid if not unconstitutional, and need or are being revised to fit the time and understanding of the present.

No country is perfect, I'll give everyone that. Why don't people start bashing Antarctica for a change.

Certainly, if we all paid a tad more heed to this variant of "he who is without fault can cast the first stone", we'd have far fewer silly flamefests out here (smile, course to err is human, and we tend to err a lot and some of us, me, tend to typo up a storm as well!). But, please, leave the Antarctic and its frozeded inhabitants alone, but do send firewood.

Thanks,

Ron DuFresne

~~ Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-Disclosure] Support the Sasser-author fund started
Nobody asked the burglar to do this. He broke law. He caused damages. And he certainly didn't improve your security by doing so when the door vendor already offered a patch for your door two weeks ago.

if the burglar was really a good guy he would have come over, knocked on your door, rung your bell till you open the door and *then* demonstrate this in front of u and then instruct u to repair it.

I say this idiot has to be punished and punished to the full extent the law allows. Maybe this deters other idiots from doing the same.

may we add ms to the above list?

-aditya

Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
RE: [Full-Disclosure] Support the Sasser-author fund started
Umm, I'm confused. Fairly new to the security scene, but, didn't the worm come out AFTER the patch? I guess Microsoft could have patched it sooner so that the worm could have come out sooner. The biggest question I have is why all the hostility at Microsoft for patching their system?

the problem is many times when the patch is released it tends to break many applications and other random stuff! ms is patching a hole but manages to break other things in the process quite frequently.

There are plenty of holes still in the system that warrant your wrath. When I see a worm that comes out before Microsoft patches, I'll be all over Microsoft just as the rest of you "Microsoft can do no right" doomsayers.

just wait till the next worm / malware that comes and tries to infect all the computers, then we will welcome u to our clan.

-aditya

p.s. i am not a ms basher but i wish the ms products were not a glass house where repairing one thing causes other things to crack.
Re: [Full-Disclosure] Support the Sasser-author fund started
On Fri, 2004-05-14 at 17:23, Konstantin Gavrilenko wrote:

Tobias, following your logic, the people who found and disclosed the vulnerability that Sasser was abusing should be prosecuted together with the author of the viral code.

Why is that? Did they break German law? Are they responsible by their actions that third parties sustained damages? Did *they* attack by direct or indirect means the systems of third parties? The answer is no. Releasing an advisory in full-disclosure manner is something totally different than writing a virus and spreading it. Say, why do I have to explain these things anyway?! Do you guys have no moral perception at all?!

What is the next stage? Jailing people who write proof of concept exploit code?

If a proof of concept exploit is released and it illegally manipulates data on third party computers, spreads autonomously and proves an exploit against the permission of third parties on their systems, this is an illegal activity and as such should be prosecuted and prosecuted hard.

Punish Fyodor for writing nmap or maybe prosecute the nessus team?

Now you're being irrational. Comparing Sasser to nmap or nessus is a bit far fetched, won't you say? And don't tell me there is no sharp boundary between those two, because nobody ain't going to believe it.

If the guy wrote the code and intentionally released the worm and infected half of the Internet then he is guilty,

He already confessed that at the instant the police searched his house.

but that remains to be proven.

The police have already confiscated and verified that he is the author of Sasser. The police are also investigating leads that friends helped him spread the virus.

Nobody has cancelled the presumption of innocence yet!

Well, a made confession isn't exactly a very strong presumption of innocence, is it?

My personal opinion is that more blame should be put on M$.

The company is called Microsoft or MS in short. Why don't you use its proper name? And why should blame be put on MS when they released a patch and advised their customers to install the patch two weeks prior to the release of Sasser? There is no law against bad code or bad products but there is law against the abuse and sabotage of computers. Let me get this right for you again: the Sasser author is the bad guy here. He is the reason I have to stay informed about bugs because *he* is exploiting them and not MS. MS doesn't break my computer, it's him and his creation Sasser. (Actually this is somehow wrong because I don't have a MS system anymore, but the point is still the same.)

But where would the security industry be if not for Microsoft's products :)

Did you know that the Sasser author's mother runs a little IT consultant company? Now you can talk about self-interest...

Tobias
RE: [Full-Disclosure] Support the Sasser-author fund started - Please stop this thread
Guys, I request you all to please stop this thread. There is no need to fill up mailboxes with some non-sense topic. Let's maintain the quality of the list by posting something useful to all.

thnx,
Manu Garg
http://manugarg.freezope.org

[EMAIL PROTECTED] wrote on 05/14/2004 11:06:57 PM:

Nobody asked the burglar to do this. He broke law. He caused damages. And he certainly didn't improve your security by doing so when the door vendor already offered a patch for your door two weeks ago.

if the burglar was really a good guy he would have come over, knocked on your door, rung your bell till you open the door and *then* demonstrate this in front of u and then instruct u to repair it.

I say this idiot has to be punished and punished to the full extent the law allows. Maybe this deters other idiots from doing the same.

may we add ms to the above list?

-aditya
Re: [Full-Disclosure] Support the Sasser-author fund started
--- Konstantin V. Gavrilenko wrote:

snip snip

My personal opinion is that more blame should be put on M$. But where would the security industry be if not for Microsoft's products :)

But Microsoft released a patch for the security hole that was found. I don't care if it was 5 days or 5 years after they were told about it, they still released the patch before the worm was written! THEY are not to blame and shouldn't be prosecuted, nor should the IDIOTS that didn't apply that patch; the person that wrote and released the worm is the one that pulled the trigger. Plain and simple. In this case he wrote more than one (he did write NetSky as well), and knowingly and admittedly released the worms to cause harm to other people's computer systems. Supposedly to increase business for a family computer shop. This kid is as guilty as the day is long, guys. He should pay for his crime, perhaps not with 20 years in prison, but at least 6 - 12 months in prison, 5 years of probation and 1000 hours community service with zero access to computers for those 5 years.

Exibar
RE: [Full-Disclosure] Support the Sasser-author fund started
.. he is correct when he says that Microsoft will say it's completely the worm writer's fault. BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

Why not punish all the admins/users who failed to patch their systems in time as well.
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thursday, May 13, 2004 8:33 AM, harry [EMAIL PROTECTED] wrote:

Tobias Weisserth wrote: snip

I find your explanation why this author of a virus should be treated any different than other authors somehow illogical. The Sasser author has done nothing to foster security. So there is really no need for the security scene to support him.

there is one other thing... he is correct when he says that Microsoft will say it's completely the worm writer's fault. BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

Umm, I'm confused. Fairly new to the security scene, but, didn't the worm come out AFTER the patch? I guess Microsoft could have patched it sooner so that the worm could have come out sooner. The biggest question I have is why all the hostility at Microsoft for patching their system? There are plenty of holes still in the system that warrant your wrath. When I see a worm that comes out before Microsoft patches, I'll be all over Microsoft just as the rest of you "Microsoft can do no right" doomsayers.
Re: [Full-Disclosure] Support the Sasser-author fund started
Hi harry,

On Thu, 2004-05-13 at 14:33, harry wrote:

Tobias Weisserth wrote: snip

I find your explanation why this author of a virus should be treated any different than other authors somehow illogical. The Sasser author has done nothing to foster security. So there is really no need for the security scene to support him.

there is one other thing... he is correct when he says that Microsoft will say it's completely the worm writer's fault.

It IS completely the author's fault. HE wrote it, HE caused the damages and HE violated German law. As much as MS products suck, MS has done nothing illegal.

BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

A patch to this problem has been available for at least two weeks prior to the release of the worm. So what's your boundary when you speak of earlier? A month? A year? Should the exploitation of a bug be legal if the vendor doesn't offer a patch in time?! That's the direction you're pushing here.

whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...

Nobody asked the burglar to do this. He broke law. He caused damages. And he certainly didn't improve your security by doing so when the door vendor already offered a patch for your door two weeks ago. There's just no way you can justify the action of this idiot by blaming MS. I say this idiot has to be punished and punished to the full extent the law allows. Maybe this deters other idiots from doing the same.

Tobias W.
Re: [Full-Disclosure] Support the Sasser-author fund started
Tobias Weisserth wrote: snip

I find your explanation why this author of a virus should be treated any different than other authors somehow illogical. The Sasser author has done nothing to foster security. So there is really no need for the security scene to support him.

there is one other thing... he is correct when he says that Microsoft will say it's completely the worm writer's fault. BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...

just my 2 cents

-- harry aka Rik Bobbaers

ps. i don't agree with the worm writers, but just want to say it's not just his fault, microsoft has to take its responsibility too

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org
-- Air conditioned environment - do not open windows!
Re: [Full-Disclosure] Support the Sasser-author fund started
support the sasser writer? Yup, I'll support a big kick in the pants for him: give him a year or so in jail, 5 years probation and 1000 hours of community service, that's what I'll support. As for the twerp that said that US laws aren't sane, go pound sand, your comments were not on topic, needed, nor warranted. If this kid was in the USA, he'd be standing trial just like he would in Germany... so I repeat, go pound sand, bugger off, toddle off, just plain piss off. If you don't like the US, stay the hell out, we don't want you here.

Exibar

- Original Message -
From: harry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:33 AM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

Tobias Weisserth wrote: snip

I find your explanation why this author of a virus should be treated any different than other authors somehow illogical. The Sasser author has done nothing to foster security. So there is really no need for the security scene to support him.

there is one other thing... he is correct when he says that Microsoft will say it's completely the worm writer's fault. BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...

just my 2 cents

-- harry aka Rik Bobbaers

ps. i don't agree with the worm writers, but just want to say it's not just his fault, microsoft has to take its responsibility too

K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org
-- Air conditioned environment - do not open windows!
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 14:33:25 +0200, harry [EMAIL PROTECTED] said:

he is correct when he says that Microsoft will say it's completely the worm writer's fault. BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.

There *are* punishments. You don't HAVE to use Microsoft, you know.. Yes, there are costs involved (retraining, etc) even in moving to a free alternative. On the other hand, there are costs involved in staying with MS. It's like cars - when the price of gas is sitting at $3/gallon, the companies making fuel-inefficient cars notice it on their sales figures.
RE: [Full-Disclosure] Support the Sasser-author fund started
So we donate money and you use it to buy a new video card? I'll pass.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 2:55 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Support the Sasser-author fund started

At the moment the Author of SASSER, Sven Jaschan, is free again. Don't let him be a victim of the mistakes Microsoft makes. Microsoft is still working on a new process; we want to give Mr. Jaschan some money to at least hire a lawyer to stand against the troll called Microsoft! At http://support-sasser.homepage.dk you can support this project using PayPal. We'll wait for a few weeks and then use the money the way money is meant to be used.

Let's all make sure that Microsoft can't blame engineers and worm-authors for using these so-called Microsoft Features, also known as bugs! After all, SASSER was intended as a harmless wake-up call to the world. Imagine what could happen if this had been done by criminals with no respect for the public. Medical systems could be open for tampering, harbor control systems could cause massive oil spills by terrorists and so on. Sven did the right thing by making this alarm call. When will people realise that Microsoft's base products are not fit to be subjected to the hostile environment that the internet is these days?

PLEASE HELP US SUPPORT THE CAUSE! THIS INSANE MICROSOFT MANIA MUST END!

Cheers,
The support sasser team.
http://support-sasser.homepage.dk
[EMAIL PROTECTED]
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 10:16:50 EDT, Duquette, John [EMAIL PROTECTED] said:

> Why not punish all the admins/users who failed to patch their systems in time as well.

"You *WILL* install this patch within 24 hours, or go to jail. The fact that it might crash your payroll system is no excuse."

What's wrong with this picture?
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 16:43:23 +0200, Tobias Weisserth [EMAIL PROTECTED] said:

> I say this idiot has to be punished and punished to the full extent law allows. Maybe this deters other idiots to do the same.

I can guarantee that there will be sufficient idiots left that the vendors won't be able to slack off on fixing their stuff, for the same reasons that you still need locks on doors, even though the police do arrest a lot of the miscreants...
Re: [Full-Disclosure] Support the Sasser-author fund started
I wonder if people forget the liability that any organization inherits if they do NOT maintain an above-standard protection scheme for their network/hosts. Misconfiguration of network hosts/machines after being NOTIFIED of an OS flaw or other should deem that organization responsible.

Smurf was a great example. Following the postings of actual usable broadcast hosts, most organizations did NOT fix the problem. The vendors were left to deal with the issue.

Maybe companies should start hiring clueful people that care about not only their internal infrastructure but the last mile facing their own customers. IE. All last mile providers. You can't expect end users to maintain their own machines. They want solitaire.

Rant,
/m

----- Original Message -----
From: Aaron Gee-Clough [EMAIL PROTECTED]
To: Full Disclosure List [EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:17 AM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

> Duquette, John wrote:
>
> > Why not punish all the admins/users who failed to patch their systems in time as well.
>
> Because they didn't break the law. It's really that simple.
>
> If you're saying that you think there should be a law to force people to patch their systems in a timely manner, that's a different issue. (and one that will lead to all sorts of unintended problems...think about it for a while.)
>
> Aaron
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 [EMAIL PROTECTED] wrote:

> On Thu, 13 May 2004 14:33:25 +0200 said:
>
> You don't HAVE to use Microsoft, you know..

This assertion is not true. There are many instances requiring the use of MS products. It is only recently that Open Office has started to change this. For example, governments at all levels have required us to use MS Word if we want to use on-line tax forms and other documents. Many prospective employers require the submission of a Word formatted resume. If I want to publish a paper or speak at a conference or propose a book, most require me to put the document in Word format. There are many more examples, but this should make the point. It is not good enough to expect that some of us simply can choose not to work, do taxes, etc.

> It's like cars - when the price of gas is sitting at $3/gallon, the companies making fuel-inefficient cars notice it on their sales figures

Some of us need those inefficient vehicles because of where we live. I'd love an off-road, all wheel, high enough clearance, fuel efficient vehicle to get down my dirt road through the woods in the six feet of snow I get in the winter. I had to give up my 35 mpg cheap car when I moved out of the city. And I should be able to choose where I live without being hassled about the tools I need to live there.

cheers, bob

--
Bob Bruen
Cold Rain Technologies
Re: [Full-Disclosure] Support the Sasser-author fund started
give me a break, there are laws that are misguided in all the other countries in the world as well. People just like to pick on the biggest kid on the block

At least in the States if you don't like a law you can try and do something about it, in a lot of other countries you could get thrown in jail for speaking out against the government.

----- Original Message -----
From: [EMAIL PROTECTED]
To: Exibar [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 3:25 PM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, May 13, 2004 at 02:33:25PM +0200, harry wrote:

> Tobias Weisserth wrote:
> snip
>
> whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...

I don't really see any question of ethics, morals, or legality here. The burglar is at fault. Said intruder may not be guilty of theft, and may have had pure motives, but they're still plainly guilty of Trespass and Breaking and Entering. Remember - I did lock my door.

With the possible exception of an Admin or Owner breaking into a system they are responsible for, _using an exploit to gain access_ is -always- a breach of ethics.

> just my 2 cents
>
> --
> harry aka Rik Bobbaers
>
> ps. i don't agree with the worm writers, but just want to say it's not just his fault, microsoft has to take its responsibility too

Microsoft has to take responsibility for making cruddy doors (to use your metaphor) but they are not to blame for someone kicking the door in. And, much as I am not a fan of the Curse of Redmond, the patch for this 'sploit was already out and available. They HAD fixed the problem.

Cheers,
L4J

> K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
> [EMAIL PROTECTED] -=- http://harry.ulyssis.org
>
> --
> Air conditioned environment - do not open windows!

Love the sig.
Re: [Full-Disclosure] Support the Sasser-author fund started
"Ron" == Ron Jackson [EMAIL PROTECTED] writes:

Ron> The biggest question I have is why all the hostility at
Ron> Microsoft for patching their system? There are plenty of
Ron> holes still in the system that warrant your wrath. When I see
Ron> a worm that comes out before Microsoft patches, I'll be all
Ron> over Microsoft just as the rest of you "Microsoft can do no
Ron> right" doomsayers.

Well, in one corner, we have Microsoft, with billeeeunnss of dollars, having to release patches in the first place, and based on past experience will likely have more holes and more patches to deal with.

In the other corner, we have OpenBSD, on a shoestring budget, with only one remote hole in the past seven years since its debut, and a comparably complex and functional operating system.

So why is it, with Microsoft and all of their billeeeunnss of dollars, that they wouldn't spend at least SOME MORE of that BEFORE they release their code? OpenBSD manages a decent security review and a right mindset towards security on the annual amount of money that Bill Gates makes every time he takes a dump.

This is what irks me about Microsoft. It's irresponsible. Continuously and apparently knowingly.

Does that justify actual malicious acts? No. The Sasser Worm guy deserves punishment. But when I spend hours and days trying to defend my paid-for bandwidth from the incoming onslaught of Microsoft-enabled worm mail, I've got to think that I'm due some payment for damages, both from the worm writers, *and* from Microsoft. If this were indeed a fair world.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
[EMAIL PROTECTED] URL:http://www.stonehenge.com/merlyn/
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
Re: [Full-Disclosure] Support the Sasser-author fund started
> On Thu, 13 May 2004 15:32:06 EDT, Exibar said:
>
> > give me a break, there are laws that are misguided in all the other countries in the world as well. People just like to pick on the biggest kid on the block
>
> But your original statement was:
>
> > As for the twerp that said that US laws aren't sane, go pound sand
>
> It's usually a bad idea to tell people to go pound sand when they're in fact right. Unless of course you don't care about the fact that they are right.

---

Yes, but the context that he used implied that German laws are sane and US laws are not. Not just one or two laws, but ALL laws. I took offense to that. I see it time and time again where people are just into US bashing for the sake of it. Just like saying that Microsoft is to be blamed for worm outbreaks... it's just plain rubbish.

For the most part US laws are very sane,
You can't take pornographic pictures of children in the US, sounds sane to me... some countries this is legal
You can't sell crude oil and call it medicine to heal all that ails you, sounds sane to me... some countries this is legal

No country is perfect, I'll give everyone that. Why don't people start bashing Antarctica for a change.

Exibar
Re: [Full-Disclosure] Support the Sasser-author fund started
Oliver Raymond [EMAIL PROTECTED] writes:

> I am no more likely to support a German committing terroristic acts on electronic infrastructure than I am a pick_a_nationality committing terroristic acts to real world infrastructure.
>
> Availability? Patches for the previous Slammer, Blaster and Sasser worms have all been available for 14 days or more from Microsoft. Bad management practices or poor administration practices are to blame.

14 days is fine if the patch works straight out-of-the-box. I'd usually expect to deploy within around 10 days with a clean patch. MS04-011 did NOT work fine; in particular it's causing us BSODs and USB issues on a large number of hosts.

--
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, May 13, 2004 at 04:43:23PM +0200, Tobias Weisserth wrote:

> As much as MS products suck, MS has done nothing illegal.

this is completely false, haven't you read news in the past years?

--
In Germany they first came for the Communists, and I didn't speak up because I wasn't a Communist. Then they came for the Jews, and I didn't speak up because I wasn't a Jew. Then they came for the trade unionists, and I didn't speak up because I wasn't a trade unionist. Then they came for the Catholics, and I didn't speak up because I was a Protestant. Then they came for me - and by that time no one was left to speak up.
-- Pastor Martin Niemöller
Re: [Full-Disclosure] Support the Sasser-author fund started
[EMAIL PROTECTED] (Randal L. Schwartz) writes:

> So why is it, with Microsoft and all of their billeeeunnss of dollars, that they wouldn't spend at least SOME MORE of that BEFORE they release their code? OpenBSD manages a decent security review and a right mindset towards security on the annual amount of money that Bill Gates makes every time he takes a dump.

I haven't seen the Win32 source code, but I'd bet that OpenBSD is considerably easier to audit - I have a growing suspicion that Win32 is just too complex to be properly secured. A lot of recent patches have had unintended consequences or have been marked as having new functionality.

--
James Riden / [EMAIL PROTECTED] / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Re: [Full-Disclosure] Support the Sasser-author fund started
On Fri, May 14, 2004 at 12:38:05AM +0300, Georgi Guninski wrote:

> On Thu, May 13, 2004 at 04:43:23PM +0200, Tobias Weisserth wrote:
> > As much as MS products suck, MS has done nothing illegal.
>
> this is completely false, haven't you read news in the past years?

Overall, you're right. Microsoft has been found guilty, in court, of breaking quite a few laws. But here, in this specific case (as was implied), they didn't do anything wrong. They released the advisory. They released the patch.

It doesn't excuse their business practices, or the original code flaws, but writing bad code isn't illegal. Lame perhaps. But not illegal.

Cheers,
L4J
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 11:21:10 -0400 Exibar [EMAIL PROTECTED] wrote:

> support the sasser writer? Yup, I'll support a big kick in the pants for him give him a year or so in jail, 5 years probation and 1000 hours of community service, that's what I'll support.
>
> As for the twerp that said that US laws aren't sane, go pound sand, your comments were not on topic, needed, nor warranted. If this kid was in the USA, he'd be standing trial just like he would in Germany... so I repeat, go pound sand, bugger off, toddle off, just plain piss off. If you don't like the US, stay the hell out, we don't want you here.
>
> Exibar

You're a nazi... A patriot would respect other countries and their laws... So look in the mirror and follow the leader...

And I personally can say that US-Admins are often too lazy. On the other hand I can't explain how McAfee produce their virus-maps. Take a look and be quiet: http://us.mcafee.com/virusInfo/default.asp?cid=9043

vh
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu 13/05/2004 at 18:17, Aaron Gee-Clough wrote:

> Duquette, John wrote:
> > Why not punish all the admins/users who failed to patch their systems in time as well.
>
> Because they didn't break the law. It's really that simple.

In France, there's a law that says you have to furnish available means to appropriately protect systems that hold personal data (names, addresses, telephone numbers, CC numbers, etc.). However, it is not strict, so you can justify a patch delay for validation means or anything else that obviously prevents you from patching, in particular if you can produce a workaround. But doing nothing at all (no patch, no workaround) simply breaks the law.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
Re: [Full-Disclosure] Support the Sasser-author fund started
----- Original Message -----
From: Stormwalker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 2:57 AM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

> On Thu, 13 May 2004 [EMAIL PROTECTED] wrote:
> > On Thu, 13 May 2004 14:33:25 +0200 said:
> > You don't HAVE to use Microsoft, you know..
>
> This assertion is not true. There are many instances requiring the use of MS products. It is only recently that Open Office has started to change this.

To start off with, let me say I don't disagree with the above point. I do want to raise a spin-off point from the above, though.

We say, right now the way things are, things like "Some users are so dumb, they can't find their way to their rear end without a road map, a bottle of prune juice and a real lot of luck" so trying to get them to do the right thing with virus releases, spyware problems etc is a real problem and as we know, currently the majority of the world uses MS products at home and in a real lot of businesses. Right now we have your back yarder who can also fix a lot of those problems easily.

My point is, then, that as we diversify, users are going to go into more unfamiliar territory, cause more problems and have less people available for a low fee to fix them. What then, for the computer industry? Are we ALL going to have to know every brand of OS that runs on a PC and products that run on that OS and how to fix its problems? There may be quite a few gifted people who can do that right now. As we get used to the proliferation of different OSes (if that happens), I am of the belief that there will be more people with more problems and less people capable of fixing them.

MS did home users, at least, one real favour. It spawned a lot of people able to fix MS problems who honestly DO know what they are doing. As there ARE a lot and especially as things over where I live are getting worse for I.T. people thus they are losing their big pay packet jobs and doing what the back yarders do, prices are competitive. It isn't unusual for someone doing those things, with an I.T. diploma of REAL value, to be charging $30 an hour to fix problems and earning less than $15,000 a YEAR in Australian dollars or a little over 66% of that if converted to US dollars right now. You can't live on that in Australia so people are moving out of I.T. altogether or if they have enough savings, are doing the low paid income, draining their resources and hoping to find another I.T. job in an overcrowded market. If I.T. industry needs improve so these people can get the jobs they are qualified for, that still leaves a lot of back yarders capable of fixing users' problems.

If we diversify without thought, we may end up wishing for the days of the MS security holes!

Greg.
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004, harry wrote:

> whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...

how about when he comes in and pees on your carpet, pushes your furniture into the street and blocks traffic, and throws rocks at the neighbor's house?

i'm gonna say it's the burglar's fault.

--
RE: [Full-Disclosure] Support the Sasser-author fund started
Well actually...

By not patching your system you're leaving yourself open to exploit and the danger of having your machine attacking another machine.

Now- If a person doesn't get something fixed that they know exists and can avoid an 'accident' then they are indirectly responsible. (EG. You know the safety seat you're sticking your baby in has a recall because it can strangle your child. Yet you never trade it in. You're still indirectly responsible for your baby's death.)

Then again... You'd have to prove that... . ~ (Yes, I know it's a stupid example.)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:full-disclosure- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 12:11 PM
To: Duquette, John
Cc: Full Disclosure List
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

> On Thu, 13 May 2004 10:16:50 EDT, Duquette, John [EMAIL PROTECTED] said:
>
> > Why not punish all the admins/users who failed to patch their systems in time as well.
>
> "You *WILL* install this patch within 24 hours, or go to jail. The fact that it might crash your payroll system is no excuse."
>
> What's wrong with this picture?
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 11:32:17 PDT, Micah McNelly [EMAIL PROTECTED] said:

> I wonder if people forget the liability that any organization inherits if they do NOT maintain an above-standard protection scheme for their network/hosts.

One of the problems there is the lack of a widely accepted "minimum due care" best practices document for you to be above. The Center for Internet Security (http://www.cisecurity.org) has been trying to address that, and slowly making some progress and buy-in. (ObFullDisclosure: I'm biased, I helped develop the Solaris and Linux ones)
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 [EMAIL PROTECTED] wrote:

> On Thu, 13 May 2004 10:16:50 EDT, Duquette, John [EMAIL PROTECTED] said:
>
> > Why not punish all the admins/users who failed to patch their systems in time as well.
>
> "You *WILL* install this patch within 24 hours, or go to jail. The fact that it might crash your payroll system is no excuse."
>
> What's wrong with this picture?

*raises and frantically waves his hand*

It's missing the obligatory blue screen!?

Thanks,

Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
Re: [Full-Disclosure] Support the Sasser-author fund started
[EMAIL PROTECTED] (Randal L. Schwartz) wrote:

snippage

> So why is it, with Microsoft and all of their billeeeunnss of dollars, that they wouldn't spend at least SOME MORE of that BEFORE they release their code? OpenBSD manages a decent security review and a right mindset towards security on the annual amount of money that Bill Gates makes every time he takes a dump.
>
> This is what irks me about Microsoft. It's irresponsible. Continuously and apparently knowingly.
>
> Does that justify actual malicious acts? No. The Sasser Worm guy deserves punishment. But when I spend hours and days trying to defend my paid-for bandwidth from the incoming onslaught of Microsoft-enabled worm mail, I've got to think that I'm due some payment for damages, both from the worm writers, *and* from Microsoft. If this were indeed a fair world.

The issue here though is one of liability. And by definition, MS is not liable because of the completely iniquitous exception only software developers enjoy under (US) law (and extensively copied most everywhere, often following extensive lobbying from the major software developers themselves).

It's nice -- perhaps even quaint -- that the BSD folk (and especially OpenBSD) expend so much effort on perfecting the implementation of such lofty computer security ideals as they hold so dear, but the market reality is that, at least sans strong liability expectations, flying pink elephants are clearly much more desirable than security, so companies like MS which have put all their idealistic fervour into becoming disgustingly, unethically and largely illegally rich at almost any cost have won over the BSDs of the world.

Further, because machines running MS products can just as easily as any others connect to the open sewer model of internetworking we have adopted, of course we all pay the bandwidth tax levied by the worms, viruses and so on of the most popular OSes and applications.

Perhaps back in 1995 we should have all been praying for MSN (remember, it was originally more of what you would consider an ISP service than what it is now) to succeed in tackling CompuServe and AOL, and the Internet could have remained pure of all that negative influence from MS products of which you complain...

Regards,

Nick FitzGerald
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 10:20:40 PDT, Randal L. Schwartz said:

> This is what irks me about Microsoft. It's irresponsible.

No. It's being *very* responsible. Doing security right is very complicated and expensive. Blowing it off and patching holes as they're found is a lot cheaper. And they don't have any obligation to you, the customer - their obligation is to improve the bottom line.

I am willing to suspect that if a C-level exec at Microsoft suggested that they spend more money on security without any business case ("We'll lose market share to Linux" or similar) to back it up, they could find themselves the target of a shareholder suit alleging fiduciary irresponsibility.
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 14:28:10 EDT, Poof said:

> By not patching your system you're leaving yourself open to exploit and the danger of having your machine attacking another machine.
>
> Now- If a person doesn't get something fixed that they know exists and can avoid an 'accident' then they are indirectly responsible.

Your baby seat analogy is flawed. In this case, you're having to make the decision between not pulling the car *entirely* off onto the shoulder when you have a mechanical breakdown, and risking being hit by another car - or pulling all the way onto that shoulder that looks like it's rather soft and crumbly and likely to spill your car into the ravine.

(We actually had a case of that locally just a few weeks ago - a school bus going down one of the dirt roads around here went off the side.. then a dump truck coming down the road *also* went off the side just a few yards after passing the bus.. It was believed that in both cases, the soft shoulder contributed to the vehicle's sliding sideways and ending up on their sides...)
Re: [Full-Disclosure] Support the Sasser-author fund started
A fool-proof software has yet to be written. Bugs and fixes are common for software. It's a continuous process to attain a no-bug or near-no-bug state. As many fixes and patches are released for M'soft, other unix flavours are also releasing fixes and patches and in more numbers than M'soft. If you subscribe to Security tracker, you will know how many fixes and patches were released for Unix flavours recently. Don't cry foul. It's a collective effort to keep a system secure. Bugs and Taxes will be there always.

----- Original Message -----
From: harry [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:33 PM
Subject: Re: [Full-Disclosure] Support the Sasser-author fund started

> Tobias Weisserth wrote:
> snip
> > I find your explanation why this author of a virus should be treated any different than other authors somehow illogical. The Sasser author has done nothing to foster security. So there is really no need for the security scene to support him.
>
> there is one other thing... he is correct when he says that Microsoft will say it's completely the worm writer's fault. BUT i think Microsoft should be punished too for having so many security holes. they had to patch it faster.
>
> whose fault is it really when you buy a door, you lock it, but a burglar finds a way to easily open it, comes in and tells you...
>
> just my 2 cents
>
> --
> harry aka Rik Bobbaers
>
> ps. i don't agree with the worm writers, but just want to say it's not just his fault, microsoft has to take its responsibility too
>
> K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
> [EMAIL PROTECTED] -=- http://harry.ulyssis.org
>
> --
> Air conditioned environment - do not open windows!
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004, van Helsing wrote:

> You're a nazi...

Godwin. End of thread - you lose.
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 2004-05-13 at 23:38, Georgi Guninski wrote:

> On Thu, May 13, 2004 at 04:43:23PM +0200, Tobias Weisserth wrote:
> > As much as MS products suck, MS has done nothing illegal.
>
> this is completely false, haven't you read news in the past years?

Then please explain to me what illegal behaviour of MS is related to the Sasser worm and the caused damages. Maybe you wanted to indicate that because MS has been proven to be practicing illegal business it is therefore OK to cause damage to MS customers and break into their computer systems using a worm like Sasser?

I'd also appreciate it if you wouldn't reply to all in the future as I have just done by answering your mail in my private inbox. Better email clients have an option "answer to list" or similar. Please use it if it exists.

Tobias W.
Re: [Full-Disclosure] Support the Sasser-author fund started
On Thu, 13 May 2004 15:55:34 PDT, Mister Coffee [EMAIL PROTECTED] said:

> It doesn't excuse their business practices, or the original code flaws, but writing bad code isn't illegal. Lame perhaps. But not illegal.

And be careful of unintended consequences of any attempts to make bad code illegal. Remember that Microsoft is sitting on $52B in cash, and can afford to fight a charge of criminally negligent coding. There's very few open source projects that can bankroll a legal defense if their programmers screw up.

If you make programmers liable to civil actions for their screw-ups, then it's possibly almost workable - programmer insurance similar to medical malpractice insurance will spring up, rates will be set according to the perceived risk of frequency and cost of errors, and life will go on, more or less.

Also - remember that there's a distinction between civil liability and criminal liability. Doctors become doctors because they can afford to pay for malpractice insurance (I'll overlook the issues in high-risk specialties). On the other hand, it's *very* hard to get a doctor convicted of criminal negligence and sent to prison for the simple reason that if the standard for getting sent to jail was anywhere near as low as for losing a malpractice suit, we'd have no medical profession left.