Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On 30-jan-04, at 7:20, Alexei Roudnev wrote: Second problem is directory structure. In Unix, when I configure IDS (osiris or Tripwire or Intact), I can just be sure, that 'bin' and 'etc' and 'sbin' and 'libexec' directories does not have any variable files - all non-static files are in /var (Solaris is an exception, they put some 'pid files into .etc, but even here, it is not a problem). But windose... you have not any directory which never changed, and I find few .dll files, changed every few days. Every application puts log and data files into it's own directory (with rare exception of applications, derived from Unix or written by people with Unix background). It makes terrible difficult to configure IDS, and makes system very vulnerable. Actually IMO putting all their crap in their own dir is a feature rather than a bug. I really hate the way unix apps just put their stuff all over the place so it's an incredible pain to get rid of it again. I think MacOS got it right: for most apps, installing just means dumping the icon wherever you want it to be, deinstalling is done by dropping it in the trash. The fact that the icon hides a directory with a bunch of different files in it is transparent to the user. And if an installer wants to mess with the system, a request to provide the administrator password comes up, even for users with administrator privilidges. Of course, it is all trade-off for functionality, but people overestimates it - many MS benefits come from it's dominance , not from functionality. I think MS's tradeoffs are mainly time to market vs even faster time to market. Hopefully they'll rip off Apple's ideas for their new stuff. Then add some zone alarm like stuff so apps can't mess with the network without the user's permission and we're in pretty good shape. And it all makes it a very good target for the viruses / worms. The fact that SMTP believes everything you tell it doesn't help either.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Fri, 30 Jan 2004, Iljitsch van Beijnum wrote: Actually IMO putting all their crap in their own dir is a feature rather than a bug. I really hate the way unix apps just put their stuff all over the place so it's an incredible pain to get rid of it again. Putting all crap in the working directory is bad design (no way to separate read-only stuff from mutable). Unix/Linux design (all over the place) is pure and simple lack of discipline, or hack before thinking approach. Plan 9 nearly got it right, but for the lack of persistent mounts (it's all in an rc file, executed at each login). I think MacOS got it right: for most apps, installing just means dumping the icon wherever you want it to be, deinstalling is done by dropping it in the trash. The fact that the icon hides a directory with a bunch of different files in it is transparent to the user. That's UI. Inside it's the same Unix crap. I think MS's tradeoffs are mainly time to market vs even faster time to market. It's mostly We don't care, we don't have to, we're The Microsoft mentality. --vadim
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
Most Windows boxes are running with administrative privledges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next. This is problem #1. Unfortunately, Windose is too complex and have too much legacy, so everyone must run as a administrator (try to install Visio without admin privileges...). Problem #2 - using extentions to select an application - may be, it's a very good idea, but it complicates virus (worm) problem. Problemm #3 - Monoculture.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Wed, 28 Jan 2004, Alexei Roudnev wrote: Most Windows boxes are running with administrative privledges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next. This is problem #1. Unfortunately, Windose is too complex and have too much legacy, so everyone must run as a administrator (try to install Visio without admin privileges...). The whole point of the infamous *.DLL was to provide local libraries for applications like unix *.lib.so files. This was corrupted by app vendors who were too deadline focused to install their DLL's in the application directory. Of course this was abetted by the ability of an application to write into the system directories. When NTFS came out an ordinary user could not write the system directory tree Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a small matter of programming but it would really improve the overall security posture of Windows. Now there are well written applications which do install their DLL's into their own tree these apps can usually be recognized by _not_ requiring a reboot after installation. Problem #2 - using extentions to select an application - may be, it's a very good idea, but it complicates virus (worm) problem. Agreed However magic numbers in the header or having the execute permission bit set bring the same problem to the table. Problemm #3 - Monoculture. This greatly exacerbates problems 1 and 2 but is not so much of a problem on its own. i.e. Apache which has over 75% of the webserver market and is infrequently compromised. Problem #4 MS applications have an unfortunate predilection to run any bit of executable code they find. i.e. a WMA file can contain executable code which media player will happily execute. This is a perfect example of just because you can do something it does not necessarily follow that you _should_ do something. This dates back to [*]BASIC and the RUN command. It was somewhat useful 10+ years ago not so much today.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote: ... When NTFS came out an ordinary user could not write the system directory tree Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a small matter of programming but it would really improve the overall security posture of Windows. Now there are well written applications which do install their DLL's into their own tree these apps can usually be recognized by _not_ requiring a reboot after installation. ... Actually, it's more of an issue in the registry than the file system; older apps tend to want to write the global HKLM, rather than the user-specific HKCU. But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments. But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware. You can't really have it both ways; if you can install apps, you can install viruses and trojans. I don't see this being much different regardless of the OS you run. And until you have earned some battle scars, you're not afraid of the pretty toys. It would be nice, though, if there were a legitimate 'su' analog in Windows -- sorry, runas doesn't cut it. Makes it hard to normally run restricted, and explicitly enable temporary privs sometimes... /kenw Ken Wallewein KM Systems Integration Phone (403)274-7848 Fax (403)275-4535 [EMAIL PROTECTED] www.kmsi.net
RE: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
[EMAIL PROTECTED] wrote: But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments. Indeed, and the one reason being that the last thing the IT staff wants is users installing apps, because even if the user is not installing a worm or Trojan, installing software inevitably generates incompatibilities and demand for more support. But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware. Yep. In XP home, it's easy to have several users on the same machine but by default they all have administrative rights. [EMAIL PROTECTED] wrote: Microsoft software is inherently less safe than Linux/*BSD software. This is because Microsoft has favored usability over security. This is because the market has responded better to that tradeoff. This is because your mom doesn't want to have to hire a technical consultant to manage her IT infrastructure when all she wants to do is get email pictures of her grandkids. Exactly. Michel.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
Dave Temkin wrote: snip So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii. The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user stupidity, and that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance. -Dave OT to me the problem is one of a mono culture. Too much of the same stuff everywhere. doesn't matter if it's MS-Windows. MacOS X or Debian GNU/Linux or bacon and eggs - too much of the same is bad for you.. /OT -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: So? Had the virii been an application compiled for RedHat and : everyone ran RedHat instead of Windows and they downloaded it using : Evolution and double clicked on it, it would suddenly be RH's fault : instead of MIcrosoft's? I suspect the skill set/clue of RH users is at least an order higher that windows users. The main problem I see is many e-mail readers default to having the preview plain open and this will then run any app it finds. No clicking required. James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
OT: Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
It's not completely the fault of anything except the end-user. It's like the Jimmy Buffet song says: Evolution is mean, there's no dumbass vaccine scott On Wed, 28 Jan 2004, Dave Temkin wrote: : : They rate of it is quite surprising. By the description, the trick : : method of infection does not seem all that different than past worms : : viri. Makes me wonder how many people in a room would reach into : : their purse/pocket on hearing, Wallet inspector : : Every single person that still opens these damn attachments! :-( : : IN WINDOWS! : : So? Had the virii been an application compiled for RedHat and : everyone ran RedHat instead of Windows and they downloaded it using : Evolution and double clicked on it, it would suddenly be RH's fault : instead of MIcrosoft's? Or is it sendmail's fault because it was : listening on port 25 and allowed the worm to connect to it? Newsflash: : Even those using Netscape Mail, Lotus Notes, etc. on the PC were still : potentially infected due to the nesting of the virii. : : The worm was not spread through any vulnerability in the operating system, : unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user stupidity, and : that'll follow any operating system that Dell/Gateway pre-installs for : them. If everyone wants to flame MS, at least do it in a way that doesn't : show your own ignorance. : : : -Dave :
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Jan 28, 2004, at 11:56 AM, james wrote: : So? Had the virii been an application compiled for RedHat and : everyone ran RedHat instead of Windows and they downloaded it using : Evolution and double clicked on it, it would suddenly be RH's fault : instead of MIcrosoft's? I suspect the skill set/clue of RH users is at least an order higher that windows users. The main problem I see is many e-mail readers default to having the preview plain open and this will then run any app it finds. No clicking required. Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seems to be much more abuse capabilities in IE / Netscape than $RandomMailReader. How hard is it to tell a mail reader NEVER execute a binary? If someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like virus.doc.exe won't get executed by $luser who thinks it was a word doc. There are ways around this (copy/paste an executable into a word doc, then type Click here! in the Word doc), but it might help. Might :) -- TTFN, patrick
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
RedHAT do not allow to run an attachment, even if attachment wish to be runned - it uses 'x' flag which is not attachment's attribute. Linus useers are niot Administrator's, so virus can not infect the whole system,... Etc etc (Why RedHAT? It is the worst Lunux amongs all. Use SuSe or Mandrake). : They rate of it is quite surprising. By the description, the trick / : method of infection does not seem all that different than past worms : viri. Makes me wonder how many people in a room would reach into their : purse/pocket on hearing, Wallet inspector Every single person that still opens these damn attachments! :-( IN WINDOWS! So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii. The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user stupidity, and that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance. -Dave
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Wed, Jan 28, 2004 at 12:07:36PM -0500, Patrick W.Gilmore said something to the effect of: On Jan 28, 2004, at 11:56 AM, james wrote: Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seems to be much more abuse capabilities in IE / Netscape than $RandomMailReader. How hard is it to tell a mail reader NEVER execute a binary? If w00t. someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like virus.doc.exe won't get executed by $luser who thinks it was a word doc. I don't think it's that it's hard, so much as inconvenient. C-level-officer types ;) want point-and-click to open and launch, not to be ordered to port and manipulate attachments to access them. And since that might be too much effort...heck...why not give users a peep-hole preview function that allows them to split the screen and peak into the email without clicking on anything at all? Back-office IT heads would roll if that went away... We _can_ thank M$ for setting the bar on this one; no one expected irresponsible features like instant access to attached goodies until the Internet-for-Idiots and SMTP-for-the-generally-challenged revolutions were ushered in to the sounds of Where do you want to go today, and how much do you want to break/spend/consume while you're there? I wish I could end this with Friends don't let friends use Outlook, but I have to agree that the fault still lies primarily in the users that continually refuse to heed the warnings of A) shut that preview pain^N^Nne shee-yit off B) don't execute attachments in email, even/especially if it looks like it might be a really k00l screen saver... Long live mutt. ;) ymmv, --ra -- K. Rachael Treu, CISSP [EMAIL PROTECTED] ..this email has been brought to you by the letters 'v' and 'i'.. There are ways around this (copy/paste an executable into a word doc, then type Click here! in the Word doc), but it might help. Might :) -- TTFN, patrick
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
Unfortunately, Microsoft products seem to have a default which is set to hide file extensions and to make it very difficult to see 'multiple extensions' like the '.docmany spaces.pif' in the current worm, it is somewhat easier to dress a vampire in gerbil clothing in these systems than in others. -- -=[L]=-
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Wednesday 28 January 2004 08:37, Dave Temkin wrote: So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's? If RedHat, by default had you running as root rather than an unprivledged user, it sure would be. Most Windows boxes are running with administrative privledges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next. -- Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC Cry havoc, and let slip the dogs of war! Email acceptance policy: http://paradigm-omega.com/email_policy.php You're the second person to say that and it's still wrong. The virii, once resident, opens a connection to port 25 on an open SMTP server, whether it be the user's ISP relay or local server. Sure, it can't install itself into /etc/init.d, but it sure can launch itself bg instead of fg and be running until the user either kills it or reboots the box. Also, for reference to other people - the preview pane does *not* allow the execution of attachments unless they're double-clicked on and acknowledged. Again - we're not talking about another OS or Outlook exploit, only a stupid user exploit. -- David Temkin
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: Also, for reference to other people - the preview pane does *not* allow : the execution of attachments unless they're double-clicked on and : acknowledged. Again - we're not talking about another OS or Outlook : exploit, only a stupid user exploit. The feature has been fixed but it **did** at one point run apps. James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: Also, for reference to other people - the preview pane does *not* allow : the execution of attachments unless they're double-clicked on and : acknowledged. Again - we're not talking about another OS or Outlook : exploit, only a stupid user exploit. The feature has been fixed but it **did** at one point run apps. James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965 Right, and at multiple points bind and sendmail allowed the execution of code from remote systems without the system owner interacting at all. What's that got to do with today? -- David Temkin
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: What's that got to do with today? I might be reaching here, but I understand some people never upgrade or patch.
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of james Sent: Wednesday, January 28, 2004 4:02 PM To: [EMAIL PROTECTED] Subject: Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today : What's that got to do with today? I might be reaching here, but I understand some people never upgrade or patch. True, but that happens regardless of the OS. I'm sure if we looked really hard we could find some ancient versions of bind or sendmail (complete with open relays (speak of old bad defaults...)
Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
I suspect the skill set/clue of RH users is at least an order higher that windows users. really, based on experience that would be surprising, rh is now so easy to get and install, securing it is still problematic for most users The main problem I see is many e-mail readers default to having the preview plain open and this will then run any app it finds. No clicking required. hmm i've not checked, i thought this virus came as executables so you need to click a couple boxes before it will run,. Steve James Edwards Routing and Security Administrator [EMAIL PROTECTED] At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
