Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-21 Thread Chris Palmer

Doug White writes:

 It would be nearly impossible for computer software makers to provide
 against any type of attack by those so inclined.  The result is that
 they are reactive rather than pro-active.

That's not the point. The difference in degree of security between
Windows and Mac OS X is so great as to be a difference in kind. It is
possible for vendors to build, and customers to buy, sufficiently safe
Internet client software.


It is also possible to mitigate the spam problem (which started this
whole thread, as you may recall :). From where I'm sitting, Apple Mail's
spam detection feature, Spam Assassin, and similar products all do a
sufficiently good job. I get obscene amounts of spam at this account,
but I see very little of it (even though my version of Spam Assassin is 
old).

Now, I know network operators have a different point of view (I have
been one): that spam consumes expensive network resources. But even
Hotmail (and who could have a worse spam problem than Hotmail?) only
blackholes specific hosts or small subnets, and only then for 24-48
hours. This idea of cutting off entire ISPs/countries/operating
systems/ethnicities from their access to certain or all services is very 
poor and reflects badly on those who propose it.

The spam problem is as mitigatable as it is bad, and taking away or
reducing the usefulness of the network in order to save a few bits or
bucks is a bad trade. Freedom, openness and universal access are worth
the trouble.

Why is it that some people respond to the problem by breaking things 
rather than building things? In particular, something like Bastille (the 
Linux hardening kit) for Windows would be great.


-- 
Chris Palmer
Staff Technologist, Electronic Frontier Foundation
415 436 9333 x124 (desk), 415 305 5842 (cell)


The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden

 Think globally.  Even though this forum has NA as its heading, we need to
 think globally when suggesting solutions.  You'll never get any sort of
 licensing globally nor will you EVER get end users (globally) educated
 enough to stop doing the things that they do which allow these events to
 continually occur.
 
 Since many gateway service providers will not prevent insufficiently
 skilled users from connecting to the internet and injuring others, the 
 only remaining solution, as far as I can see, is cutting connectivity
 with those enablers.  That is the proposal I advanced in
 http://www.camblab.com/misc/univ_std.txt.

And once again you're punishing the victim. Let's not forget that the 
uneducated end user is tricked into doing things that are not good for 
them or the rest of the internet connected world.

Unfortunately the only feasible and readily available computer solution 
for the uneducated end user is a single available operating system. 
Everyone is at the mercy of this product with all its flaws and downfalls. 

Instead of continually blaming the uneducated end user how about providing 
tools to the uneducated end user that can be used to connect to the 
internet without becoming a liability. A toaster with keyboard and 
monitor...

Adi



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Dr. Jeffrey Race

On Tue, 20 Apr 2004 09:21:02 -0500 (CDT), Adi Linden wrote:
 Since many gateway service providers will not prevent insufficiently
 skilled users from connecting to the internet and injuring others, the 
 only remaining solution, as far as I can see, is cutting connectivity
 with those enablers.  That is the proposal I advanced in
 http://www.camblab.com/misc/univ_std.txt.
And once again you're punishing the victim. Let's not forget that the 
uneducated end user is tricked into doing things that are not good for 
them or the rest of the internet connected world.
Unfortunately the only feasible and readily available computer solution 
for the uneducated end user is a single available operating system. 
Everyone is at the mercy of this product with all its flaws and downfalls. 
Instead of continually blaming the uneducated end user how about providing 
tools to the uneducated end user that can be used to connect to the 
internet without becoming a liability. A toaster with keyboard and monitor...

I beg to clarify that I am not blaming anyone; I am describing a system
with known input-output properties and internal structures.  We know how
this system behaves in terms of technology and human behavior, and we 
know what to do to the inputs to change the outputs.   If you choose
to smoke, you get cancer.   Same with spam.   If you don't want to have
spam, you have to change some behaviors.   Some people will be inconvenienced.
Life is full of such choices.

As for the specifics of your comments, I could not disagree more, but it
is a philosophy of life that distinguishes our views, not the analysis of
the problem.   I believe (like a lot of other New Englanders and even
some from California) that people must assume responsibility for their
actions.  If responsibility is not enforced, society collapses (into e.g.
the kind of chaos we see on the internet.)

In 2004 no one is tricked into using rubbish software; there are 
plenty of alternatives, and the rubbishy nature of the leading OS is
in almost every day's newspaper.  It's a choice people make, like overeating
and gaining weight.  No one is there with a gun forcing people to gain 
weight.

As for uneducated, the solution is the same as for bad drivers:
training.  If you are a threat to the rest of the internet because of
your ignorance (or irresponsibility) then you do not qualify for
connectivity, just as bad drivers don't get licenses, bad credit
risks don't get credit, and drunk airline pilots stop flying.  

To repeat: the solution to spam is to apply rigorously the same rules
to the internet as are used everywhere else in society.   It is simple,
it pays for itself, it works, and it works immediately.  Some people
will be upset, like the smokers who have to go outside for a puff or
even give up their habit.  However the result is better for EVERYONE
including the uneducated.

Jeffrey Race



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Adi Linden

 As for the specifics of your comments, I could not disagree more, but it
 is a philosophy of life that distinguishes our views, not the analysis of
 the problem.   I believe (like a lot of other New Englanders and even
 some from California) that people must assume responsibility for their
 actions.  If responsibility is not enforced, society collapses (into e.g.
 the kind of chaos we see on the internet.)

I like the term responsibility but how is it applied? If I own a vehicle, 
what are my responsibilities? I have to obtain a drivers license which 
gives me the privilege of driving a motor vehicle. Driving a motor vehicle 
is an active choice, I am behind the wheel putting the vehicle in motion. 
I am responsible for all the consequences of my actions while driving. 
Where is my responsibility in vehicle ownership? Is it responsible to 
leave the vehicle locked at the curb, unlocked, keys in the ignition? What 
are my responsibilities when an unauthorized person uses my vehicle?
Driving a motor vehicle is a complex task. There is enforcement in place 
and it is common knowledge that training and license is required to use a 
motor vehicle.

What about a baseball bat? Where is my responsibility in owning a baseball 
bat? If I store my baseball bat leaning against my backdoor, am I 
responsible if my neighbour uses it without my permission to crack his 
wife's skull?

 In 2004 no one is tricked into using rubbish software; there are 
 plenty of alternatives, and the rubbishy nature of the leading OS is
 in almost every day's newspaper.  It's a choice people make, like overeating
 and gaining weight.  No one is there with a gun forcing people to gain 
 weight.

My argument is that a computer needs to be in a safe state by default. I 
firmly believe that if I buy a brand new box from any reputable vendor 
with a premium operating system of choice I should be able to connect this 
device to a local broadband connection indefinitely. It needs to be safe 
without user training or user intervention.

 As for uneducated, the solution is the same as for bad drivers:
 training.  If you are a threat to the rest of the internet because of
 your ignorance (or irresponsibility) then you do not qualify for
 connectivity, just as bad drivers don't get licenses, bad credit
 risks don't get credit, and drunk airline pilots stop flying.  

I can walk, I can take a bicycle. Owning a computer today is like owning a 
performance car. There is no learning curve; it's all or nothing.

If this is the way it has to be, then service providers need to take 
responsibility and provide a safe environment for the uneducated users. 
This includes filtering ports, filtering emails, etc. A last resort is 
terminating service if a user is unwilling to learn at all.

Adi



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Doug White


[snip]
:
: My argument is that a computer needs to be in a safe state by default. I
: firmly believe that if I buy a brand new box from any reputable vendor
: with a premium operating system of choice I should be able to connect this
: device to a local broadband connection indefinitely. It needs to be safe
: without user training or user intervention.
:


It would be nearly impossible for computer software makers to provide against
any type of attack by those so inclined.  The result is that they are reactive
rather than pro-active.

Understand that the software maker wants his product to have all the features
and gee-gaws that make it attractive and simple to use, and most work well in
this area, but over-compensating for any potential type of attack before
delivery is, in my opinion, an impossible task.

One may wish that there were no vulnerabilities in any operating system, but
this is not the case.  There are vulnerabilities in all the operating systems
in place today.   There are many admins (even if the admin is an uneducated
end-user) who do not bother to update their software or operating systems.

This practice is why Linux/Unix systems get chrooted, Windows machines get
compromised, even OSX.

Some of the vulnerabilities are in the chipset on the motherboard, be it Intel,
AMD, or Motorola.
The software maker must try to compensate for those failings as well.

As long as there are otherwise bored miscreants who will continue to try to
exploit the vulnerabilities they will continue to happen, no matter what the
patch position is, no matter the OS or chipset used.

There are many security capabilities built into many OS distributions, and
relatively few are ever implemented.  Why?  Your guess is as good as mine, but
my guess is that it consumes time that is not budgeted.

just my 0.02



Re: The Uneducated Enduser (Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT))

2004-04-20 Thread Scott McGrath


Operating systems bundled with a retail computer _should_ be reasonably
secure out of the box.

OS X can be placed on an unprotected internet connection in an unpatched
state, and its default configuration allows it to be patched to current
levels without it being compromised.

On the other hand Win2k & XP will be compromised in under 5 minutes if
connected to the same unfiltered connection (the record here is 35 seconds
for time to compromise).

I am not saying that OS X is the paragon of all things good.  But its
basic settings take into account the average user's skill level and
ability to secure the OS; if you want less security, the user needs to
_specifically_ configure the machine to allow the reduced level of
protection.

Whereas the desire for chrome on Win has made a platform which is
virtually impossible for the average user to secure.

I use both on a daily basis as well as Solaris and Linux so I consider
myself somewhat agnostic on OS choices as each does something better than
the others and I use it for that function.


Scott C. McGrath



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Henry Yen

On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:
  Let's face it -- this shouldn't have to be the ISP's problem. 
  Microsoft needs to quit rushing out new OS releases without properly 
  straining them and stress testing to find as many holes as they can. 
  They need to start cracking down on themselves and really start 
  worrying about securing their OS and patching it as much as possible 
  before throwing it to market. 
 
 It's very challenging to say that the world's most profitable company 
 should do anything significantly different.

s/most profitable company/convicted (and continuing) OS\browser monopolist/

Still feel the same?

 Putting out releases and 
 letting marketing to address security concerns brings in billions. Not 
 putting out release will make less money.

Forcing OEM pre-loads is where they get most of their money.  Maybe
if they spent less on money-losing ventures like X-Box and WebTV,
and maybe if they spent their R&D $Billions more wisely, and further
if they spent less time and money knifing others' babies and put
more genuine effort into it...

 This is not that they would not be trying their best. There is just a 
 very justifiable business decision between what we would like the best 
 to be and what it needs to be to keep their money machine running.

Well, if they would just admit as such (Keep the Money Machine Running!),
instead of offering endless platitudes and excuses (and FUD) and
press releases about how much $money they are donating (yeah, right)
to libraries and schools and ...

-- 
Henry Yen   Aegis Information Systems, Inc.
Senior Systems Programmer   Hicksville, New York


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Peter Galbavy

Henry Yen wrote:
 s/most profitable company/convicted (and continuing) OS\browser
 monopolist/

Sadly the two are not incompatible, it appears. If the rewards of breaking
the law were normally so good, then most of us would be down at the
local bank with a shotgun... actually, given the audience, no physical
attendance would be expected.

Peter



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Michael Painter

First time user of the net in '87 when CompuServe announced it to its denizens.
Thank [deity] for Micro$oft or we'd have to get a real job.


- Original Message - 
From: Henry Yen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, April 18, 2004 8:14 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



 On Mon, Apr 19, 2004 at 08:50:34AM +0300, Petri Helenius wrote:
   Let's face it -- this shouldn't have to be the ISP's problem.
   Microsoft needs to quit rushing out new OS releases without properly
   straining them and stress testing to find as many holes as they can.
   They need to start cracking down on themselves and really start
   worrying about securing their OS and patching it as much as possible
   before throwing it to market.
 
  It's very challenging to say that the world's most profitable company
  should do anything significantly different.

 s/most profitable company/convicted (and continuing) OS\browser monopolist/

 Still feel the same?

  Putting out releases and
  letting marketing to address security concerns brings in billions. Not
  putting out release will make less money.

 Forcing OEM pre-loads is where they get most of their money.  Maybe
 if they spent less on money-losing ventures like X-Box and WebTV,
 and maybe if they spent their R&D $Billions more wisely, and further
 if they spent less time and money knifing others' babies and put
 more genuine effort into it...

  This is not that they would not be trying their best. There is just a
  very justifiable business decision between what we would like the best
  to be and what it needs to be to keep their money machine running.

 Well, if they would just admit as such (Keep the Money Machine Running!),
 instead of offering endless platitudes and excuses (and FUD) and
 press releases about how much $money they are donating (yeah, right)
 to libraries and schools and ...

 -- 
 Henry Yen   Aegis Information Systems, Inc.
 Senior Systems Programmer   Hicksville, New York




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Chris Brenton

On Sun, 2004-04-18 at 23:16, Sean Donelan wrote:

 When the Morris worm was released, there wasn't a patch available.  Since
 then essentially every compromised computer has been via a vulnerability
 with a patch available or misconfiguration (or usually lack of
 configuration).

Key word here is "essentially". I've been involved with about a half
dozen compromises that have been true zero days. Granted that's less
than ground noise compared to what we are seeing today.

 As far as improvements go, Microsoft's XP SP2 is a great improvement.  If
 you have a Windows machine, implementing XP SP2 could help with a lot of
 the stupid vulnerabilities.  Unfortunately less than 50% of Internet users
 have XP.

This ends up being a catch-22 all the way around. Since MS has focused
on locking down XP, they have ended up focusing on a minimal market
share of the problem. With this in mind, I don't think we are going to
see things getting any better now that SP2 is out. For the end user
running 2000 or less, it ends up sounding like "we screwed up and sold
you an insecure product so now we want you to give us more money in
order to fix the problem." A fix that addressed the problem in a more
universal fashion would have been cool. 

 Should ISPs start requiring their users to install Windows XP SP2?

Many folk have already commented on the economics of trying to require
this. I think technically it would be hard to implement as well. I've
done a lot of work with passive fingerprinting and from my observations
you don't see enough of a difference in the packet creation to tell the
difference between patched and unpatched systems. This leaves you with
active fingerprinting which may fail if a personal firewall is active,
or loading software on their system which is now a whole other support
nightmare. Lots of overhead for little gain in my opinion.

Also, don't underestimate a person's ability to shoot themselves in the
foot. Windows 2003 server, out of the box, is technically one of the
most secure operating systems out there because it ships with no open
listening ports. Based on the auditing I've done however, it ends up
being deployed even less secure than 2000 because a lot of admins end up
doing the "turn everything on to get it working" thing. An uneducated
end user is not something you can fix with a service pack.

Chris




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 06:12:16AM -0400, Chris Brenton wrote:

 Key word here is essentially. I've been involved with about a half
 dozen compromises that have been true zero days. Granted that's less
 than ground noise compared to what we are seeing today.

There're a lot more 0-days than that. They just tend to remain 
within a smaller community (typically the ones who discover it) and are 
used carefully/intelligently for compromises, often for a very long 
time. Then it gets leaked by someone and released into the wild/script 
kiddie community or someone else discovers it...

(more for benefit of others than a response to you)

 Also, don't underestimate a person's ability to shoot themselves in the
 foot. Windows 2003 server, out of the box, is technically one of the
 most secure operating systems out there because it ships with no open
 listening ports. Based on the auditing I've done however, it ends up
 being deployed even less secure than 2000 because a lot of admins end up
 doing the "turn everything on to get it working" thing. An uneducated
 end user is not something you can fix with a service pack.

Agreed, and even conscientious users screw up. I did this some months 
ago when installing MS SQL Server Desktop Engine from a third-party CD 
(packaged with software). This was well after the whole Slammer affair, 
memories fade and I didn't stop to realize they used the same 
codebase (oops)

 - bri


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Chris Brenton

On Mon, 2004-04-19 at 06:27, Brian Russo wrote:

 There're a lot more 0-days than that.

Agreed. My ego has not grown so large as to think I've seen every 0-day.
;-) As I said however, the true number of 0-day is less than ground
noise compared to the number of systems that *could* have remained safe
with proper patching or configuring. 

 They just tend to remain 
 within a smaller community (typically the ones who discover it) and are 
 used carefully/intelligently for compromises, often for a very long 
 time.

Agreed. I think part of what makes 0-day easier to hide *is* the raw
quantity of preventable exploits that are taking place. In many ways we
have become numb to compromises so that the first response ends up being
"format and start over". If 0-day was a higher percentage, it would be
easier to catch them when they occur and do a proper forensic analysis. 

 Agreed, and even conscientious users screw up. I did this some months 
 ago when installing MS SQL Server Desktop Engine from a third-party CD 
 (packaged with software).

<RANT>
I guess I have a hard time blaming this type of thing on the end user.
Part of the fall out from making computers easier to use, is making it
easier for end users to shoot themselves in the foot. One of the
benefits of complexity is that it forces end user education. I'm
guessing that if you had to load SQL as a dependency you would have
caught your mistake before you made it. 

Let me give you an example of the "easy to use interface" thing. Back in
2000 I made it a personal goal to try and get the top 5 SMURF amplifier
sites shut down. I did some research to figure out what net blocks were
being used and started contacting the admins. Imagine my surprise when I
found out that 3 of the 5 _had_ a firewall. They had clicked their way
through configuring Firewall-1, didn't know they needed to tweak the
default property settings, and were letting through all ICMP
unrestricted and unlogged. 

IMHO it's only getting worse. I teach a lot of perimeter security folks
and it seems like more and more of them are moving up the ranks without
ever seeing a command prompt. I actually had one guy argue that
everything in Windows is point and click and if you could not use a
mouse to do something, it was not worth doing. Again, I don't see this
as an end user problem because as an industry we've tried to make
security seem easier than it actually is. We want to make it like
driving a car when it's more like flying an airplane. 
</RANT>

Cheers,
Chris




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:

 An uneducated
end user is not something you can fix with a service pack.


A profound point, again highlighting the fact that there
are no technical solutions to this problem.  (Though
technical measures to enhance traceability are a big help.)

So, the logical inference is training and licensing to
get internet access.   When I was 16 in Connecticut many
many years ago, we had to take a driver-training course
(given by a policeman) to get a driver's license.

I see no discussion about this approach, here or elsewhere.

Jeffrey Race



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Gregh


- Original Message - 
From: Dr. Jeffrey Race [EMAIL PROTECTED]
To: Jeffrey Race [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, April 19, 2004 11:10 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



 On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:

  An uneducated
 end user is not something you can fix with a service pack.


 A profound point, again highlighting the fact that there
 are no technical solutions to this problem.  (Though
 technical measures to enhance traceability are a big help.)

 So, the logical inference is training and licensing to
 get internet access.   When I was 16 in Connecticut many
 many years ago, we had to take a driver-training course
 (given by a policeman) to get a driver's license.

 I see no discussion about this approach, here or elsewhere.


I would love to know the average age of the list inhabitants.

It has been my observation that things which are new become better known
when a generation has grown up, completely, with it and is teaching the next
generation.

Until that occurs, you are going to get one heck of a larger lot of
uninformed users because they are not only young and clueless but every
other age and clueless. Worse, they are clueless in a lot of cases because
they are frightened by new technology. Eventually, it will become as common
as a car on the road and at that point, taking obvious steps won't even be a
topic for discussion any longer.

When that happens, arts majors won't be the only ones serving fries at
Maccas.

Greg.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 08:22:48AM -0400, Chris Brenton wrote:

 Agreed. I think part of what makes 0-day easier to hide *is* the raw
 quantity of preventable exploits that are taking place. In many ways we
 have become numb to compromises so that the first response ends up being
 "format and start over". If 0-day was a higher percentage, it would be
 easier to catch them when they occur and do a proper forensic analysis. 

Right, they fit in with the noise.

 <RANT>
 I guess I have a hard time blaming this type of thing on the end user.
 Part of the fall out from making computers easier to use, is making it
 easier for end users to shoot themselves in the foot. One of the
 benefits of complexity is that it forces end user education. I'm
 guessing that if you had to load SQL as a dependency you would have
 caught your mistake before you made it. 
 
 Let me give you an example of the "easy to use interface" thing. Back in
 2000 I made it a personal goal to try and get the top 5 SMURF amplifier
 sites shut down. I did some research to figure out what net blocks were
 being used and started contacting the admins. Imagine my surprise when I
 found out that 3 of the 5 _had_ a firewall. They had clicked their way
 through configuring Firewall-1, didn't know they needed to tweak the
 default property settings, and were letting through all ICMP
 unrestricted and unlogged. 

 IMHO it's only getting worse. I teach a lot of perimeter security folks
 and it seems like more and more of them are moving up the ranks without
 ever seeing a command prompt. I actually had one guy argue that
 everything in Windows is point and click and if you could not use a
 mouse to do something, it was not worth doing. Again, I don't see this
 as an end user problem because as an industry we've tried to make
 security seem easier than it actually is. We want to make it like
 driving a car when it's more like flying an airplane. 

That's pretty sad, I can forgive users, but nobody doing 'security' 
should be living in a pure GUI world, to extend your analogy it would be 
like only knowing how to configure the autopilot and getting a pilot's 
license.

As far as mainstream users..
* Software needs to patch itself, users aren't going to do it.
* Software needs to be intuitive, people interact with computers as if 
they were doing 'real' things. Things like cut and paste are easy 
because they make sense...
* Software patches need to WORK and not screw up Joe User's system, 
believe me they won't understand that software is never bug-free, 
they'll instead swear off installing patches in future.
* Software needs reasonable defaults.. this doesn't necessarily mean 
turning every feature off.
* Wizards and/or a choice of 'starter' confs can be great.


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Brian Russo

At Mon, Apr 19, 2004 at 11:22:17PM +1000, Gregh wrote:
 I would love to know the average age of the list inhabitants.

22

 
 It has been my observation that things which are new become better known
 when a generation has grown up, completely, with it and is teaching the next
 generation.
 
 Until that occurs, you are going to get one heck of a larger lot of
 uninformed users because they are not only young and clueless but every
 other age and clueless. Worse, they are clueless in a lot of cases because
 they are frightened by new technology. Eventually, it will become as common
 as a car on the road and at that point, taking obvious steps won't even be a
 topic for discussion any longer.

Of course you're right, but this isn't going to happen for a long time.. 
and besides.. there are a lot of people in my generation that are not 
that tech-savvy at all.. 

I'd say the top uses are Games, IM/blogs/etc and P2P

None of these really have anything to do with being good guardians of 
the net.

Of course in the long-run you'll prove me wrong.. but I think it'll take 
a fair while yet.. anyway, i just hope we'll have made good progress on 
other fronts.

 - bri


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Dr. Jeffrey Race
 Sent: April 19, 2004 9:11 AM
 To: Jeffrey Race
 Cc: [EMAIL PROTECTED]
 Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
 
 
 
 On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
 
  An uneducated
 end user is not something you can fix with a service pack.
 
 
 A profound point, again highlighting the fact that there
 are no technical solutions to this problem.  (Though
 technical measures to enhance traceability are a big help.)
 
 So, the logical inference is training and licensing to
 get internet access.   When I was 16 in Connecticut many
 many years ago, we had to take a driver-training course
 (given by a policeman) to get a driver's license.
 
 I see no discussion about this approach, here or elsewhere.

Well, there are a number of problems with this.

Firstly, who enforces it? The reason it works with cars is that the state
(or province for those of us north of the border) effectively says "you
can't drive a car without this lovely piece of paper/plastic that we'll give
you, and if we find you driving a car without the lovely piece of
paper/plastic, you're going to be in serious trouble." Are you proposing
that each jurisdiction that currently licences drivers also licence Internet
users and tell ISPs "sorry, but if they don't give their licence, you can't
give them an account"?

Secondly, HOW do you enforce it? Motor vehicles only require a licence to be
operated on public roads in all jurisdictions I'm aware of. IANAL, but if
some 14 year old kid without a licence wants to drive around on his parents'
private property, that is not illegal. Now, the instant that vehicle leaves
the private property, it's another story (assuming, of course, cops around
to check licences. In some jurisdictions, this is more true than in others).
My point is, driving is ONLY regulated when it is done in public view, for
obvious reasons. Computer use is an inherently private activity, so how do
you propose to verify that the person using a computer is in fact licenced?
Mandatory webcams? :P

Thirdly, WHO do you enforce it against? It's pretty difficult (and illegal)
for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive someone's car
without their explicit knowledge and permission. (Okay, so you can hotwire a
car, but...) It's very easy for someone other than the computer owner or ISP
contractholder to have access to it and abuse it and stuff. So what do you
propose? Mandatory cardreaders on all computers? Fingerprint scanners
integrated into keyboards? How else can you avoid Mom logging online, and
then letting the unlicenced kids roam free online, allegedly to do research
for school? Do you want to fine/jail/etc Mom if the kids download a trojan
somewhere?

Fourthly, as someone pointed out, the first generation always complains. I
hate to show how young I probably am compared to many on this list, but my
jurisdiction introduced graduated driver's licencing a few years before I
was old enough to get a driver's licence, and it angers me that the random
guy who's out on the road driving like a moron had to go through way less
bureaucracy, road tests, etc than me simply because he was born ten years
before me. That said, if no reforms are made to make this system stricter,
I'm sure the next generation won't see this system as an outrage simply
because they won't remember an era when the bureaucracy.
Currently, people can buy computers/Internet access/etc unregulated at the
random store down the street. You're proposing that some regulatory
authority require licencing... Why should these voters accept it? Especially
since, unlike with cars, the damage done by poorly-operated computers is
rather hard to explain to a technologically-unskilled person. Most would
respond something like "well, it's not my fault some criminal wrote a
virus/exploit/whatever. Put that person in jail, and let me mind my own
business." Good luck educating them on the fallacies in that statement.

Fact is, until home computer security issues result in a pile of bloody
bodies to show on CNN, no one in the general public and/or the legislative
branches of government has any incentive to care... 

Vivien



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Patrick W . Gilmore
On Apr 19, 2004, at 4:10 AM, Michael Painter wrote:

First time user of the net in '87 when CompuServe announced it to 
its denizens.
Thank [deity] for Micro$oft or we'd have to get a real job.

I hear this a lot and it is such BS.  Does anyone here HONESTLY believe 
the computer revolution was caused by MS alone and would never have 
happened without them?

Microsoft *might* have made it happen slightly faster than without 
them, but a good argument can be made that MS actually set back the 
software industry in many ways, from stifling competition & innovation 
to the current mess with uneducated users and a homogeneous OS.

The truth is, we will not know if things are better or worse because of 
MS.  But it is in _no way_ a slam dunk one way or the other.

--
TTFN,
patrick


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, WIllamette Valley Internet

** Reply to message from Brian Russo [EMAIL PROTECTED] on Mon, 19 Apr
2004 10:51:18 -0400

 As far as mainstream users..
 * Software needs to patch itself, users aren't going to do it.
 * Software needs to be intuitive, people interact with computers as if 
 they were doing 'real' things. Things like cut and paste are easy 
 because they make sense...
 * Software patches need to WORK and not screw up Joe User's system, 
 believe me they won't understand that software is never bug-free, 
 they'll instead swear off installing patches in future.
 * Software needs reasonable defaults.. this doesn't necessarily mean 
 turning every feature off.
 * Wizards and/or a choice of 'starter' confs can be great.

Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread David Schwartz


 Firstly, who enforces it? The reason it works with cars is that
 the state
 (or province for those of us north of the border) effectively says you
 can't drive a car without this lovely piece of paper/plastic that
 we'll give
 you and if we find you driving a car without the lovely piece of
 paper/plastic, you're going to be in serious trouble. Are you proposing
 that each jurisdiction that currently licences drivers also
 licence Internet
 users and tell ISPs "sorry, but if they don't give their licence,
 you can't
 give them an account"?

That's not a problem. The state licenses drivers but it also owns the
roads.

 Secondly, HOW do you enforce it? Motor vehicles only require a
 licence to be
 operated on public roads in all jurisdictions I'm aware of. IANAL, but if
 some 14 year old kid without a licence wants to drive around on
 his parents'
 private property, that is not illegal.

So? If you want to mess around on your private network, I don't care
either.

 Now, the instant that
 vehicle leaves
 the private property, it's another story (assuming, of course, cops around
 to check licences. In some jurisdictions, this is more true than
 in others).

Exactly. You want to go on someone else's roads, you do so only by their
rules.

 My point is, driving is ONLY regulated when it is done in public view, for
 obvious reasons. Computer use is an inherently private activity, so how do
 you propose to verify that the person using a computer is in fact
 licenced?
 Mandatory webcams? :P

So you can drive however you want on *my* driveway? That's not public view,
is it? If there were only private roads, I'll bet you that private road owners
would have come up with a licensing system quite similar to what we have
today, for liability reasons if nothing else. You might also notice that you
can't get liability insurance without a license even though that insurance
is issued privately, and there aren't many road owners who let you drive on
their roads without insurance.

 Thirdly, WHO do you enforce it against? It's pretty difficult
 (and illegal)
 for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive
 someone's car
 without their explicit knowledge and permission. (Okay, so you
 can hotwire a
 car, but...) It's very easy for someone other than the computer
 owner or ISP
 contractholder to have access to it and abuse it and stuff.

I'm not sure I understand why you think this is so. My kids know that my
computer is off-limits to them just like they know my car is off-limits to
them. They are physically capable of obtaining access to either without my
permission.

 So what do you
 propose? Mandatory cardreaders on all computers? Fingerprint scanners
 integrated into keyboards? How else can you avoid Mom logging online, and
 then letting the unlicenced kids roam free online, allegedly to
 do research
 for school? Do you want to fine/jail/etc Mom if the kids
 download a trojan
 somewhere?

I would presume that a license would include the rights to allow others to
use your access under appropriate supervision or with appropriately
restrictive software.

 Fourthly, as someone pointed out, the first generation always complains. I
 hate to show how young I probably am compared to many on this list, but my
 jurisdiction introduced graduated driver's licencing a few years before I
 was old enough to get a driver's licence, and it angers me that the random
 guy who's out on the road driving like a moron had to go through way less
 bureaucracy, road tests, etc than me simply because he was born ten years
 before me. That said, if no reforms are made to make this system stricter,
 I'm sure the next generation won't see this system as an outrage simply
 because they won't remember an era when the bureaucracy.
 Currently, people can buy computers/Internet access/etc unregulated at the
 random store down the street. You're proposing that some regulatory
 authority require licencing... Why should these voters accept it?

Because their failure to cooperate will result in ostracism. That's how the
Internet has always worked.

 Especially
 since, unlike with cars, the damage done by poorly-operated computers is
 rather hard to explain to a technologically-unskilled person. Most would
 respond something like "well, it's not my fault some criminal wrote a
 virus/exploit/whatever. Put that person in jail, and let me mind my own
 business." Good luck educating them on the fallacies in that statement.

The point is, you don't have to. You just have to not let them on your
roads. If they think the things they have to do to get on your roads are
worth the value of those roads, they'll do them. If not, not. You don't care
why people comply with your rules. People don't get driver's licenses
because they think the piece of paper makes them a better driver, they do it
because that is what's required for them to get insurance and avoid tickets
and even jail.

 Fact is, until home 

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Neiberger

Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?

Amen to that. My mom lives in a small town with very spotty Internet
access. The fastest possible connection speed is 28.8 but her actual
connection is usually slower than that, probably thanks to the quality
of lines in the area. You wouldn't believe how long those patches take
to download over 28.8. In fact, I've given up on it because the phone
simply can't be tied up for that long and she's not going to get a
second line for the sole purpose of downloading MS patches.

Periodic Windows Update on a CD-ROM is a must-have until more of the
world has high-speed access.

John
--


RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Drew Weaver

-- Jeff said -- 


Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?

To which I reply: 

It is somewhat unreasonable to think that ISPs should be responsible
for the security of their users' systems on a systematic basis. Another reason
the idea of a 'CD with updates' most likely wouldn't be effective is because
by the time the ISP produced the CD, the user got the CD, and installed it,
the patches would most likely not be the most recent available. Also, do you
realize how much the 'average technical school graduate type' makes just
from acquaintances who complain that their computers are slow, by simply
removing whatever flavor of the month backdoor spam proxy virus? I bet a
good number of 'tech service calls' that companies such as PC On Call and
people who service residences get could've been avoided by patching in a
reasonable time period.
However, awhile ago we tried an idea of sending out E-Mail alerts to
our customers whenever a critical update of Remote execution or worse was
released. We found that most of our users were annoyed by this, a different
time we used a network sniffing tool to find a few dozen handfuls of your
average home Dial-Up users who were infected with various malicious agents
(I.e. Nimda, et cetera) and we actually contacted those users, to let them
know and again we were met with more hostility. 
From this interesting pattern I would surmise that users want their
ISPs to be hands-off unless the problem that they're causing is affecting
them directly. End users on the Internet see their connectivity as a right,
and not a privilege. I remember when I was 13 (that was only 11 years ago)
and I signed up for my Freenet account at the Columbus Public Library (I
believe it was, ? still is? Through OSU), they really made me feel like it
was a privilege to be using the Internet, and I honored that.
It's just difficult to explain from a professional level what the effects
these peoples' behavior (or lack thereof) are having on the rest of the
community. Think of it like people who drive monster SUVs: they can afford
the gas and the insurance, so they don't believe that the harm that these
beasts do to our environment matters, because again it's their god-given right
to drive them.

-Drew



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Geo.


Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them.  Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?


It shouldn't be just windows update which of course doesn't patch office
etc., it should be a fully automated cd that the user pops in and it
autoupdates ALL MICROSOFT PRODUCTS that are installed and it should do it
without asking for the stupid office CDs..

Geo.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, WIllamette Valley Internet

** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon,
19 Apr 2004 13:42:53 -0400

 -- Jeff said -- 
 
 
 Patches either need to be of a size that a dialup user doesn't have to
 be dialed in for 24 hours to download and install them.  Or .iso's
 should be available for ISP's to download, turn into CD's and
 distribute as appropriate. Wouldn't that be nice for a dialup user -
 getting Windows Update on a CD-ROM from their ISP?
 
 To which I reply: 
 
   It is somewhat unreasonable to think that ISPs should be responsible
 for the security of their users' systems on a systematic basis. 

Responsible? No.
Able to assist in maintaining that security (and thus that of the ISP's
network)? Yes. 

Another reason
 the idea of a 'CD with updates' most likely wouldn't be effective is because
 by the time the ISP produced the CD, the user got the CD, and installed it,
 the patches would most likely not be the most recent available.

I can burn a CD from ISO in about 5 minutes - how about you? 
I'm talking about XP users who haven't even updated as far as SP1.
Win98 users who have never run an update in their life...  
Win2k users are usually the most patched up that I've seen - because
that went into mostly business environments. 
This would at least get them up to the level of the playing field,
where the routine updates are not as much of a hassle.  Sure, you'll
get the little old ladies and gentlemen who will drop by every month
for their service pack fix, but that's just customer service. 

 Also, do you
 realize how much the 'average technical school graduate type' makes just
 from acquaintances who complain that their computers are slow, by simply
 removing whatever flavor of the month backdoor spam proxy virus 

Ah, now you are talking about why I happily promote Ad-Aware and
Spybot. 

I bet a
 good number of 'tech service calls' that companies such as PC On Call and
 people who service residences get could've been avoided by patching in a
 reasonable time period.

And your problem with the local ISP having this stuff available for
their users is? 

   However, awhile ago we tried an idea of sending out E-Mail alerts to
 our customers whenever a critical update of Remote execution or worse was
 released. We found that most of our users were annoyed by this, a different
 time we used a network sniffing tool to find a few dozen handfuls of your
 average home Dial-Up users who were infected with various malicious agents
 (I.e. Nimda, et cetera) and we actually contacted those users, to let them
 know and again we were met with more hostility. 

You definitely don't have our customers then.  Ours usually appreciate
being told that their systems are screwed up. 

   From this interesting pattern I would surmise that users want their
 ISPs to be hands-off unless the problem that they're causing is affecting
 them directly. End users on the Internet see their connectivity as a right,
 and not a privilege. I remember when I was 13 (that was only 11 years ago)

Some of ours are like that. Most seem to realize their limitations and
are happy to know that at some level we are looking out for them. BTW,
for me 13 was many more years ago than that... RTM wasn't even in
college yet, I imagine. 

 and I signed up for my Freenet account at the Columbus Public Library (I
 believe it was, ? still is? Through OSU), they really made me feel like it
 was a privilege to be using the Internet, and I honored that.

Dial-up, or using their systems at the library? And you weren't paying
for the privilege, at least not directly. 

 It's just difficult to explain from a professional level what the effects
 these peoples' behavior (or lack thereof) are having on the rest of the
 community. Think of it like people who drive monster SUVs: they can afford
 the gas and the insurance, so they don't believe that the harm that these
 beasts do to our environment matters, because again it's their god-given right
 to drive them.
 
That's a whole 'nuther horse to kill there.
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jonathan M. Slivko

Sorry about the double sending - I wasn't subscribed to nanog-post from this address.
-- Jonathan

-Original Message-
From: Jonathan M. Slivko [EMAIL PROTECTED]
Sent: Apr 19, 2004 1:51 PM
To: Jeff Shultz [EMAIL PROTECTED], '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



-Original Message-
From: Jeff Shultz, WIllamette Valley Internet [EMAIL PROTECTED]
Sent: Apr 19, 2004 1:39 PM
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

I can burn a CD from ISO in about 5 minutes - how about you? 
I'm talking about XP users who haven't even updated as far as SP1.
Win98 users who have never run an update in their life...  
Win2k users are usually the most patched up that I've seen - because
that went into mostly business environments. 

This would at least get them up to the level of the playing field,
where the routine updates are not as much of a hassle.  Sure, you'll
get the little old ladies and gentlemen who will drop by every month
for their service pack fix, but that's just customer service. 

Doesn't Windows XP automatically do this by default currently? If not, it's something 
that Microsoft should consider setting to ON automatically to help defend the users 
from hackers, and in the same turn, help defend the ISP's network from being 
maliciously attacked or used for illegitimate purposes. However - I do think that 
Windows needs some more improvements in the area of security (which UNIX/Linux already 
has). However - to Microsoft's credit, they seem to be doing a rather nice job of 
actually beefing up their security practices. Now, if only they could figure out how 
to make Outlook/Outlook Express more security-conscious because as of the time of this 
writing, the Outlook Express/Outlook defaults are extremely unsafe.

Does anyone have/care to post a URL that explains how to set Outlook Express/Outlook 
to be more secure?

-- Jonathan

--
Jonathan M. Slivko - [EMAIL PROTECTED]
Linux: The Choice for the GNU Generation
 - http://www.linux.org/ -

Don't fear the penguin.
 .^.
 /V\
   /(   )\
^^-^^
  He's here to help.




RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Vivien M.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of David Schwartz
 Sent: April 19, 2004 12:57 PM
 To: 'Dr. Jeffrey Race'
 Cc: [EMAIL PROTECTED]
 Subject: RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
 
 
  Firstly, who enforces it? The reason it works with cars 
 is that the 
  state (or province for those of us north of the border) effectively 
  says you can't drive a car without this lovely piece of 
 paper/plastic 
  that we'll give
  you and if we find you driving a car without the lovely piece of
  paper/plastic, you're going to be in serious trouble. Are 
 you proposing
  that each jurisdiction that currently licences drivers also
  licence Internet
  users and tell ISPs sorry, but if they don't give their licence,
  you can't
  give them an account?
 
   That's not a problem. The state licenses drivers but it 
 also owns the roads.

Yes... And the state doesn't own the Internet, and can't SEE the Internet
(or its component networks). How does it enforce who uses it?

  Secondly, HOW do you enforce it? Motor vehicles only 
 require a licence 
  to be operated on public roads in all jurisdictions I'm aware of. 
  IANAL, but if some 14 year old kid without a licence wants to drive 
  around on his parents'
  private property, that is not illegal.
 
   So? If you want to mess around on your private network, 
 I don't care either.

And exactly how do you separate public and private networks, from the point
of view of law enforcement? In the driving world, public roads are easy
enough to enforce things on... 

Besides, there are no [major] public networks, if by public, you mean
taxpayer-owned... If you mean publicly accessible, that's another story, of
course... 

  Now, the instant that
  vehicle leaves
  the private property, it's another story (assuming, of course, cops 
  around to check licences. In some jurisdictions, this is more true 
  than in others).
 
   Exactly. You want to go on someone else's roads, you do 
 so only by their rules.

But my point is, they can SEE you. If I drive out on the roads of whatever
state/province/municipality/etc, their authorized agents (read: cops) can
SEE me and stop me. Try and do that with my IP packets. You try and track
the IP packet that you are getting from my machine to me as a human... Sure,
you can do it, if you have an army of lawyers in a bunch of jurisdictions,
but it's not like the cop who sees a moron driving badly and just pulls them
over, at which point they HAVE the moron in their hands... You can have my
packets going around into your network without having physical access to me,
but you CAN'T have my car driving around (unless I'm not driving it :P) in
your roads without me being in it. 

So, how do you ask my packets for my computer licence?

  My point is, driving is ONLY regulated when it is done in 
 public view, 
  for obvious reasons. Computer use is an inherently private 
 activity, 
  so how do you propose to verify that the person using a 
 computer is in 
  fact licenced? Mandatory webcams? :P
 
   So you can drive however you want on *my* driveway? 
 That's not public view, is it? If there were only private roads, 
 I'll bet you that private road owners would have come up with 
 a licensing system quite similar to what we have today, for 
 liability reasons if nothing else. You might also notice that 
 you can't get liability insurance without a license even 
 though that insurance is issued privately, and there aren't 
 many road owners who let you drive on their roads without insurance.

If I drive on YOUR driveway without a licence, assuming I can GET to your
driveway without driving on a public road (e.g. someone with a licence
drives me to your driveway), I'm guilty of trespassing on your property,
but I don't think I'm guilty of driving without a licence. 

And why would any insurer insure somebody without a licence? Sounds to me
like financial suicide, assuming driver licencing actually DOES keep morons
off roads...

  Thirdly, WHO do you enforce it against? It's pretty difficult (and 
  illegal) for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and 
  drive someone's car
  without their explicit knowledge and permission. (Okay, so you
  can hotwire a
  car, but...) It's very easy for someone other than the computer
  owner or ISP
  contractholder to have access to it and abuse it and stuff.
 
   I'm not sure I understand why you think this is so. My 
 kids know that my computer is off-limits to them just like 
 they know my car is off-limits to them. They are physically 
 capable of obtaining access to either without my permission.

You're an IT professional. This isn't about you. This is about the random
family with the family computer that everybody installs random crapware
onto in the kitchen or den. Does the same apply in that situation?

  So what do you
  propose? Mandatory cardreaders on all computers? 
 Fingerprint scanners 
  integrated

Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Jeff Shultz, WIllamette Valley Internet

** Reply to message from Jonathan M. Slivko
[EMAIL PROTECTED] on Mon, 19 Apr 2004 13:57:43 -0400
(GMT-04:00)

 -Original Message-
 From: Jeff Shultz, WIllamette Valley Internet [EMAIL PROTECTED]
 Sent: Apr 19, 2004 1:39 PM
 To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
 Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
 
 I can burn a CD from ISO in about 5 minutes - how about you? 
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...  
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments. 
 
 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service. 
 
 Doesn't Windows XP automatically do this by default currently?

No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it. 

 If not,
 it's something that Microsoft should consider setting to ON
 automatically to help defend the users from hackers, and in the same
 turn, help defend the ISP's network from being maliciously attacked or
 used for illegitimate purposes. 

Then you come up against the "I don't want MS messing with my machine
without my permission!" bunch. Who, incidentally, have a valid point. 
Turning the firewall on by default in SP2 is going to have...
interesting results I imagine. Esp. in company environments that  use
Netbios over TCP/IP.  I assume it will firewall 137-140/445 by default. 

However - I do think that Windows needs
 some more improvements in the area of security (which UNIX/Linux
 already has). However - to Microsoft's credit, they seem to be doing a
 rather nice job of actually beefing up their security practices. Now,
 if only they could figure out how to make Outlook/Outlook Express more
 security-conscious because as of the time of this writing, the Outlook
 Express/Outlook defaults are extremely unsafe.
 
 Does anyone have/care to post a URL that explains how to set Outlook
 Express/Outlook to be more secure?
 

That's easy. In Outlook Express: Tools -> Options -> Read. Check the box
"Read all messages in plain text". 

You've just massively improved OE's security. Outlook doesn't do
this yet, does it? I haven't dug through Office 2003 much yet.
-- 
Jeff Shultz
Network Technician
Willamette Valley Internet


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dan Hollis

On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
 ** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon,
 19 Apr 2004 13:42:53 -0400
  However, awhile ago we tried an idea of sending out E-Mail alerts to
  our customers whenever a critical update of Remote execution or worse was
  released. We found that most of our users were annoyed by this, a different
  time we used a network sniffing tool to find a few dozen handfuls of your
  average home Dial-Up users who were infected with various malicious agents
  (I.e. Nimda, et cetera) and we actually contacted those users, to let them
  know and again we were met with more hostility. 
 You definitely don't have our customers then.  Ours usually appreciate
 being told that their systems are screwed up. 

He's right.

Most customers get defensive/hostile when you tell them there's something 
wrong with their system.

However I've encountered the same attitude with many NOCs when informing 
them they have open relays / smurf amps / owned servers. First they deny 
it - "you must be mistaken", then get defensive "what business is it of 
yours anyway?" or hostile "you can't possibly know that without having 
broken into our network, I'm calling the police" (yeah right, I need to 
break into your network in order to be smurfed by your broken routers.)

So this isn't unique to end users. It seems most people would rather 
discover problems themselves, and go into a sort of panic mode when 
informed by a third party. Many (including NOCs) aren't emotionally 
prepared to handle anything beyond "hit ctrl-alt-del".

I'm still looking for a good way to gently inform end users/nocs of 
problems without having them fly off the handle.

-Dan



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Osmon

On Mon, Apr 19, 2004 at 12:03:32PM -0700, Dan Hollis wrote:
 
 On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
  ** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon, 19 Apr 2004 
  13:42:53 -0400

[...notification of the...]
   average home Dial-Up users who were infected with various malicious agents
   (I.e. Nimda, et cetera) and we actually contacted those users, to let them
   know and again we were met with more hostility. 
  You definitely don't have our customers then.  Ours usually appreciate
  being told that their systems are screwed up. 
 
 He's right.
 
 Most customers get defensive/hostile when you tell them there's something 
 wrong with their system.

For what it's worth, our (dial-up and DSL) customers have generally
acted thankful when we contact them about the problems their machines
are causing.

I guess nothing changes -- the world is full of people.  :-)


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Valdis . Kletnieks
On Mon, 19 Apr 2004 09:10:32 EDT, Dr. Jeffrey Race said:
 
 On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
 
  An uneducated
 end user is not something you can fix with a service pack.
 
 
 A profound point, again highlighting the fact that there
 are no technical solutions to this problem.  (Though
 technical measures to enhance traceability are a big help.)

Well, there *are* technical solutions, but over the last few hundred years
we've managed to essentially stop Darwinian selection against idiots, and we as
a society seem to frown on the forced sterilization of same.





Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Robert Boyle
At 02:27 PM 4/19/2004, you wrote:
 I can burn a CD from ISO in about 5 minutes - how about you?
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments.
 
 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service.

 Doesn't Windows XP automatically do this by default currently?
No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it.
http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true

You can download anything on Windows Update here. We make many of these 
update files part of our standard dialup install CD, especially service 
packs. They aren't installed by default, but they are on the CD if they 
need them. No 24 hour downloads needed.

R

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
Good will, like a good name, is got by many actions, and lost by one. - 
Francis Jeffrey



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Paul Vixie

  Should ISPs start requiring their users to install Windows XP SP2?

nope.  especially since, according to bill gates, linux would have the
same reputation if it was as popular a platform (and therefore a target
of more virii.)  now, you could go further, and say "if you emit streams
of weird(*) looking traffic we'll shut your line down and wait for you to
call us and give us an explanation" but then you're just going to be
on the phone all the time and that's no good for anybody -- especially
since cleanup costs are high, and reinfection costs are low, and phone
time is really expensive.  so why not just disallow all that bad junk
all the time, instead of waiting for it to be seen in flight?

[(*) weird could mean streams of tcp/syn or tcp/rst, or forged source
 addresses, or streams of unanswered udp, or streams of outbound tcp/25,
 or udp/137..139, or who knows what it'll be by this time next month?]

 Let's face it -- this shouldn't have to be the ISP's problem. 

you're right, and it won't be for very much longer.  access isp's cannot
take responsibility for the health of their customers' computers, they
just need to work harder to ensure that access is all they provide, and
that servers don't work, udp/137..139 doesn't work, and outbound e-mail
is via tunnel or proxy.  since access isp's aren't able to do even that
much (for fear of their customers' wrath, or due to lack of technology
inside the headend, or whatever), it's going to get done by the dreaded
giant merciless monster known as market forces.
-- 
Paul Vixie
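
The two approaches Vixie contrasts above, in-flight detection of "weird"
traffic versus a static policy that simply never lets the bad junk out, as
an added example that is not part of the original post or of any NANOG
participant's code. It applies his list of heuristics (unanswered tcp/syn
streams, tcp/rst streams, forged source addresses, unanswered udp,
direct outbound tcp/25, udp/137..139) to constructed flow summaries from
three hypothetical access circuits. The circuit ids, the assigned prefixes
(documentation address ranges), the relay address and every threshold are
assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary as seen on a customer's access circuit."""
    circuit: str            # hypothetical circuit id the flow arrived on
    src: str                # source address the customer put on the packets
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    flags: str = ""         # TCP flags on the first packet, e.g. "S" or "R"
    answered: bool = True   # did the destination ever send anything back?


# Assumed per-circuit address assignments (documentation ranges, not real customers).
CIRCUITS = {
    "dsl-0001": ip_network("192.0.2.0/30"),
    "dsl-0002": ip_network("192.0.2.4/30"),
    "dsl-0003": ip_network("192.0.2.8/30"),
}
MAIL_RELAY = "198.51.100.25"  # assumed ISP smarthost; tcp/25 to it is legitimate

# Assumed thresholds; a real deployment tunes these per access technology.
SYN_LIMIT = 20    # unanswered SYNs to this many distinct hosts
RST_LIMIT = 20    # this many bare RSTs
UDP_LIMIT = 20    # unanswered UDP flows to this many distinct hosts
SMTP_LIMIT = 10   # direct-to-MX tcp/25 connections to this many distinct hosts


def static_policy(flow):
    """The 'disallow the bad junk all the time' rules: True if the flow may pass."""
    if flow.proto == "udp" and 137 <= flow.dport <= 139:
        return False                     # NetBIOS never leaves the access network
    if flow.proto == "tcp" and flow.dport == 25 and flow.dst != MAIL_RELAY:
        return False                     # outbound mail only via the ISP relay
    return True


def classify(flows):
    """In-flight detection: {circuit: sorted reasons} for circuits emitting weird traffic."""
    syn_targets = defaultdict(set)
    rst_count = Counter()
    udp_targets = defaultdict(set)
    smtp_targets = defaultdict(set)
    reasons = defaultdict(set)

    for f in flows:
        prefix = CIRCUITS.get(f.circuit)
        if prefix is None or ip_address(f.src) not in prefix:
            reasons[f.circuit].add("forged-source")
            continue                     # spoofed packets are not the customer's own behaviour
        if f.proto == "tcp":
            if f.flags == "S" and not f.answered:
                syn_targets[f.circuit].add(f.dst)
            elif f.flags == "R":
                rst_count[f.circuit] += 1
            if f.dport == 25 and f.dst != MAIL_RELAY:
                smtp_targets[f.circuit].add(f.dst)
        elif f.proto == "udp":
            if 137 <= f.dport <= 139:
                reasons[f.circuit].add("netbios-leak")
            if not f.answered:
                udp_targets[f.circuit].add(f.dst)

    for circuit, targets in syn_targets.items():
        if len(targets) >= SYN_LIMIT:
            reasons[circuit].add("syn-stream")
    for circuit, n in rst_count.items():
        if n >= RST_LIMIT:
            reasons[circuit].add("rst-stream")
    for circuit, targets in udp_targets.items():
        if len(targets) >= UDP_LIMIT:
            reasons[circuit].add("udp-unanswered")
    for circuit, targets in smtp_targets.items():
        if len(targets) >= SMTP_LIMIT:
            reasons[circuit].add("smtp-direct")
    return {c: sorted(r) for c, r in reasons.items()}


def sample_flows():
    """Constructed sample traffic for three hypothetical circuits (not captured data)."""
    flows = []
    # dsl-0001: worm-style scanner on tcp/445, a spam engine, and a NetBIOS leak
    for i in range(25):
        flows.append(Flow("dsl-0001", "192.0.2.2", f"203.0.113.{i + 1}", "tcp", 445, "S", False))
    for i in range(12):
        flows.append(Flow("dsl-0001", "192.0.2.2", f"203.0.113.{100 + i}", "tcp", 25, "S", True))
    flows.append(Flow("dsl-0001", "192.0.2.2", "203.0.113.200", "udp", 137, "", False))
    # dsl-0002: ordinary browsing, DNS and mail through the ISP relay
    for i in range(5):
        flows.append(Flow("dsl-0002", "192.0.2.6", f"203.0.113.{50 + i}", "tcp", 80, "S", True))
    flows.append(Flow("dsl-0002", "192.0.2.6", MAIL_RELAY, "tcp", 25, "S", True))
    flows.append(Flow("dsl-0002", "192.0.2.6", "203.0.113.53", "udp", 53, "", True))
    # dsl-0003: packets carrying a source address never assigned to that line
    flows.append(Flow("dsl-0003", "10.9.8.7", "203.0.113.9", "tcp", 80, "S", False))
    return flows


if __name__ == "__main__":
    for circuit, why in classify(sample_flows()).items():
        print(circuit, ",".join(why))
```

Running it flags dsl-0001 for the SYN stream, the direct-to-MX mail and the
NetBIOS leak, and dsl-0003 for the forged source, while the ordinary
customer on dsl-0002 is left alone. Note that static_policy would have
stopped the spam and the NetBIOS traffic from dsl-0001 without any
counting at all, which is Vixie's point: the thresholds in classify are
the part you have to keep re-tuning "by this time next month", the static
rules are not.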


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread John Kristoff

On 19 Apr 2004 22:16:58 +
Paul Vixie [EMAIL PROTECTED] wrote:

 [(*) weird could mean streams of tcp/syn or tcp/rst, or forged source
  addresses, or streams of unanswered udp, or streams of outbound tcp/25,
  or udp/137..139, or who knows what it'll be by this time next month?]

Precisely.  It could be most anything and likely will be eventually.
Why not stop the hacks that are filtering, whitelists and rate limiting
and just replace end hosts with dumb terminals, the links with fixed
rate channels and in the network place all the controls and content?
Instead of network service providers we would mostly be a collection of
systems operators.

 inside the headend, or whatever), it's going to get done by the dreaded
 giant merciless monster known as market forces.

This and the installed base is probably why the above won't occur over
night, but things are veering in that direction.  While end users will
resist many attempts to remove their freedom of bits, freedom of cpu and
freedom of connectivity, what is being designed, or better, re-designed
is a network with a very fragile infrastructure.  This is good for no
one.

The ideas about tussle (D. Clark, et al) are a way to think about the
problems and solutions, but still the difficulty, because of market
forces and installed base, is how to get there from here.

John


Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Scott Weeks



On Mon, 19 Apr 2004, Dr. Jeffrey Race wrote:
: On Mon, 19 Apr 2004 06:12:16 -0400, Chris Brenton wrote:
:
:  An uneducated
: end user is not something you can fix with a service pack.
:
: A profound point, again highlighting the fact that there
: are no technical solutions to this problem.  (Though
: technical measures to enhance traceability are a big help.)
:
: So, the logical inference is training and licensing to
: get internet access.   When I was 16 in Connecticut many
: many years ago, we had to take a driver-training course
: (given by a policeman) to get a driver's license.
:
: I see no discussion about this approach, here or elsewhere.



Think globally.  Even though this forum has NA as its heading, we need to
think globally when suggesting solutions.  You'll never get any sort of
licensing globally nor will you EVER get end users (globally) educated
enough to stop doing the things that they do which allow these events to
continually occur.

scott



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 17:07:45 -1000 (HST), Scott Weeks wrote:
Think globally.  Even though this forum has NA as its heading, we need to
think globally when suggesting solutions.  You'll never get any sort of
licensing globally nor will you EVER get end users (globally) educated
enough to stop doing the things that they do which allow these events to
continually occur.

We are in violent agreement about this.

Since many gateway service providers will not prevent insufficiently
skilled users from connecting to the internet and injuring others, the 
only remaining solution, as far as I can see, is cutting connectivity
with those enablers.  That is the proposal I advanced in
http://www.camblab.com/misc/univ_std.txt.

The logic seems quite simple: either fix all the users (impossible
as you state) or keep them off the net (which you say many SPs won't
do; I believe some will but many won't) so the only solution is to
cut the latter off.  

If you are not willing to do that, then you will just have to accept
the spam and we might as well stop whining about it.  It is your
choice.

Jeffrey Race




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Scott Weeks


: Think globally.  Even though this forum has NA as its heading, we need to
: think globally when suggesting solutions.  You'll never get any sort of
: licensing globally nor will you EVER get end users (globally) educated
: enough to stop doing the things that they do which allow these events to
: continually occur.
:
: Since many gateway service providers will not prevent insufficiently
: skilled users from connecting to the internet and injuring others, the
: only remaining solution, as far as I can see, is cutting connectivity
: with those enablers.  That is the proposal I advanced in
: http://www.camblab.com/misc/univ_std.txt.
:
: The logic seems quite simple: either fix all the users (impossible
: as you state) or keep them off the net (which you say many SPs won't
: do; I believe some will but many won't) so the only solution is to
: cut the latter off.

Neither can happen.  That's just another way of saying make all your users
skilled or go out of business.  For example, cutting granny out of the
$9.95 dialup service is committing hara-kiri for those that do that type of
business.  You'll never get her to complete training so she can send baby
pictures to all her friends.   Especially all the grannies in all the
countries globally.


: If you are not willing to do that, then you will just have to accept
: the spam and we might as well stop whining about it.  It is your
: choice.

While I'm listening to all the smart (and many not so) folks figure it
out, I can press d quickly.  I'm not whining, I'm listening intently...
:-)

scott



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Gregh


- Original Message - 
From: Scott Weeks [EMAIL PROTECTED]
To: Dr. Jeffrey Race [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 1:07 PM
Subject: Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)



 Think globally.  Even though this forum has NA as its heading, we need to
 think globally when suggesting solutions.  You'll never get any sort of
 licensing globally nor will you EVER get end users (globally) educated
 enough to stop doing the things that they do which allow these events to
 continually occur.


I would like to point out one little area of concern in this discussion for
me - that was the critical update for Win XP of March 28th, 2002 in its
original output, not the amended one.

I don't know how many of your clients were affected by this but I had to
rush about in circles like a duck with a broken wing simply because some
users had altered their own settings, regardless of policy at each company,
so that they could apply updates for themselves. Consequently some XP (and I
believe W2K as well but I didn't see this on a W2K machine personally)
setups just went down in a heap and it took some time to fix them all.

So, while considering global solutions, if anyone were to seriously decide
all Windows machines will now be auto updated whether you like it or not, I
would definitely put a block on Windows web sites - as I had to do at that
time - so that no-one could get an update I didn't apply. Since that time,
any XP update gets tested on a machine that doesn't matter should it go down
prior to installation.

We are all so busy, here, looking at ways to solve a problem that is already
there. It should be stopped prior to it coming out and fixed at that point.
This means REAL beta testers, not whatever is going on in MS right now.
There should also be consequences. That implies a lot of people in I.T.
acting as one mind and enforcing something upon MS. That is where we will
always fail. Like the untended hard drive, we are too fragmented.

Greg.



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Dr. Jeffrey Race

On Mon, 19 Apr 2004 17:53:45 -1000 (HST), Scott Weeks wrote:

Neither can happen.  That's just another way of saying make 
all your users
skilled or go out of business.

The SPs whose business model entails externalizing the
costs SHOULD go out of business



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Alexei Roudnev

Yes.

Unfortunately, one day 1,000,000 users will find in their mail boxes fully
automated CD with 'Microsoft Update' on the label and 1,000 viruses /
trojans inside. -:)






 
 Patches either need to be of a size that a dialup user doesn't have to
 be dialed in for 24 hours to download and install them.  Or .iso's
 should be available for ISP's to download, turn into CD's and
 distribute as appropriate. Wouldn't that be nice for a dialup user -
 getting Windows Update on a CD-ROM from their ISP?
 

 It shouldn't be just windows update which of course doesn't patch office
 etc., it should be a fully automated cd that the user pops in and it
 autoupdates ALL MICROSOFT PRODUCTS that are installed and it should do it
 without asking for the stupid office CDs..

 Geo.




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Alexei Roudnev

I agree.

90% of users CAN NOT UPDATE. How?

- (1) updates are too big to be downloaded by modem, which fails every 20 -
40 minutes (which is common in many countries);
- (2) if you connect to the Internet for an update, you are infected by a virus much
faster than you can install the update.

I saw it. A home user installs Win2K, then connects to the internet to get the update...
and catches a virus.





 ** Reply to message from Drew Weaver [EMAIL PROTECTED] on Mon,
 19 Apr 2004 13:42:53 -0400

  -- Jeff said -- 
 
 
  Patches either need to be of a size that a dialup user doesn't have to
  be dialed in for 24 hours to download and install them.  Or .iso's
  should be available for ISP's to download, turn into CD's and
  distribute as appropriate. Wouldn't that be nice for a dialup user -
  getting Windows Update on a CD-ROM from their ISP?
 
  To which I reply:
 
  It is somewhat unreasonable to think that ISPs should be responsible
  for the security of its users' systems on a systematic basis.

 Responsible? No.
 Able to assist in maintaining that security (and thus that of the ISP's
 network)? Yes.

  Another reason the idea of a 'CD with updates' most likely wouldn't be
  effective is because by the time the ISP produced the CD, the user got
  the CD, and installed it, the patches would most likely not be the most
  recent available.

 I can burn a CD from ISO in about 5 minutes - how about you?
 I'm talking about XP users who haven't even updated as far as SP1.
 Win98 users who have never run an update in their life...
 Win2k users are usually the most patched up that I've seen - because
 that went into mostly business environments.
 This would at least get them up to the level of the playing field,
 where the routine updates are not as much of a hassle.  Sure, you'll
 get the little old ladies and gentlemen who will drop by every month
 for their service pack fix, but that's just customer service.

  Also, do you realize how much the 'average technical school graduate
  type' makes just from acquaintances who complain that their computers
  are slow, by simply removing whatever flavor of the month backdoor spam
  proxy virus

 Ah, now you are talking about why I happily promote Ad-Aware and
 Spybot.

  I bet a good number of 'tech service calls' that companies such as PC On
  Call and people who service residences get could've been avoided by
  patching in a reasonable time period.

 And your problem with the local ISP having this stuff available for
 their users is?

  However, awhile ago we tried an idea of sending out E-Mail alerts to
  our customers whenever a critical update of Remote execution or worse
  was released. We found that most of our users were annoyed by this, a
  different time we used a network sniffing tool to find a few dozen
  handfuls of your average home Dial-Up users who were infected with
  various malicious agents (I.e. Nimda, et cetera) and we actually
  contacted those users, to let them know and again we were met with more
  hostility.

 You definitely don't have our customers then.  Ours usually appreciate
 being told that their systems are screwed up.

  From this interesting pattern I would surmise that users want their
  ISPs to be hands-off unless the problem that they're causing is
  effecting them directly. End users on the Internet see their
  connectivity as a right, and not a privilege. I remember when I was 13
  (that was only 11 years ago)

 Some of ours are like that. Most seem to realize their limitations and
 are happy to know that at some level we are looking out for them. BTW,
 for me 13 was many more years ago than that... RTM wasn't even in
 college yet, I imagine.

  and I signed up for my Freenet account at the Columbus Public Library (I
  believe it was, ? still is? Through OSU), they really made me feel like
  it was a privilege to be using the Internet, and I honored that.

 Dial-up, or using their systems at the library? And you weren't paying
 for the privilege, at least not directly.

  Its just difficult to explain from a professional level what the effects
  these peoples' behavior (or lack there of) is having on the rest of the
  community. Think of it like people who drive monster SUV's, they can
  afford the gas, and the insurance so they don't believe that the harm
  that these beasts do to our environment matter, because again its their
  god given right to drive them.
 
 That's a whole 'nuther horse to kill there.
 -- 
 Jeff Shultz
 Network Technician
 Willamette Valley Internet



Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Sean Donelan

On Sun, 18 Apr 2004, Doug White wrote:
 I likewise would like to see a better way - but changing the whole internet is
 completely illogical.
 Educating the masses is the same.
 As soon as I see a solution that will work, I will probably try to implement it
 on my system.

Abbot and Costello do Internet security.

Who's on first, what's on second, I don't know is on third base.

When the Morris worm was released, there wasn't a patch available.  Since
then essentially every compromised computer has been via a vulnerability
with a patch available or misconfiguration (or usually lack of
configuration).


As far as improvements go, Microsoft's XP SP2 is a great improvement.  If
you have a Windows machine, implementing XP SP2 could help with a lot of
the stupid vulnerabilities.  Unfortunately less than 50% of Internet users
have XP.

Should ISPs start requiring their users to install Windows XP SP2?



RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Michel Py

 Sean Donelan
 Should ISPs start requiring their users to install Windows XP SP2?

Most of those of us that work with m$ products on a daily basis are not
too hot about installing beta code in production. A week after m$
releases it, and after carefully listening to the volume of screams
coming from the street, we shall see.

Michel.




Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Brandon Shiers
On Sun, 18 Apr 2004 23:16:36 -0400 (EDT)
 Sean Donelan [EMAIL PROTECTED] wrote:
Should ISPs start requiring their users to install Windows XP SP2?

IMHO:

Not if they want to stay in business.  Our customer base is probably 
80% Win 9x users.  I can't speak for everybody else, but I would be 
willing to bet that a majority of ISP's have a good chunk of their 
customer base running Win 9x-based operating systems.  If the ISP I 
work for was to make a minimum system requirement like that, we'd go 
out of business overnight.  We don't even use Windows XP on our 
corporate LAN yet -- we're still running Win2K SP4.  

Let's face it -- this shouldn't have to be the ISP's problem. 
Microsoft needs to quit rushing out new OS releases without properly 
straining them and stress testing to find as many holes as they can. 
They need to start cracking down on themselves and really start 
worrying about securing their OS and patching it as much as possible 
before throwing it to market.  

I understand that they won't find EVERY possible hole, but the last 
few years, as far as bugs in their software goes, they have an 
extremely poor track record.  Since about the NT4 days, it's been 
horrible.  Service pack after service pack, etc.  We have our machines 
setup to automatically tell us when new updates are available.  It's 
pretty disheartening when you install 4 patches one day, and then 2 
days later you have to go through installing another 3 - 4 patches 
just to ensure your machine is keeping updated with patches to fix 
their shoddy software.  

--Brandon





Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-18 Thread Petri Helenius
Brandon Shiers wrote:

Let's face it -- this shouldn't have to be the ISP's problem. 
Microsoft needs to quit rushing out new OS releases without properly 
straining them and stress testing to find as many holes as they can. 
They need to start cracking down on themselves and really start 
worrying about securing their OS and patching it as much as possible 
before throwing it to market. 
It's very challenging to say that the world's most profitable company 
should do anything significantly different. Putting out releases and 
letting marketing address security concerns brings in billions. Not 
putting out releases will make less money.

This is not that they would not be trying their best. There is just a 
very justifiable business decision between what we would like the best 
to be and what it needs to be to keep their money machine running.

It's another instance of the reason why ISPs supposedly cannot afford 
to take out both backdoored and legit abusers at source but the Internet 
is in defensive mode of operation.

Pete