msblast.exe on W2K


null

Or just get a firewall, or drop in at a 'shields up' type website and
discover whether they actually have any obvious loopholes. Maybe we can
get 'running an unprotected computer on a public network' added to the
list of felonies??

Home users are the last in the blame game chain IMO. First comes the
a**holes that write and spread malicious code. Second is M$ for
continually releasing products unnecessarily unsafe for naive users to
use right out of the box.

It's often argued that M$ is merely giving users what they want ...
that users have an insatiable lust for all kinds of features. But I
believe M$ has actually created this lust ... with far too little
attention to security. IE and OE are bad enough disasters, but what
really blows my mind is M$'s version of local networking. I
wouldn't touch it with a ten foot pole.

Art
http://www.epix.net/~artnpeg
 

Robert R Kircher, Jr.

GSV Three Minds in a Can said:
Or just get a firewall, or drop in at a 'shields up' type website and
discover whether they actually have any obvious loopholes. Maybe we can
get 'running an unprotected computer on a public network' added to the
list of felonies??

Finally someone says something that makes sense. A simple firewall would
have prevented this infection with or without the patch. I think I remember
an old adage that goes something like "an ounce of prevention"? ;-)

Let's face it, most home users (and even business users) don't even know they
should update their OS and software.

After reading the warning a month ago the very first thing I did was make
sure my firewall and the FWs of my clients blocked the proper ports. In
every case the ports were blocked by default because the FWs are configured
properly to begin with, but I still made the effort to check.

XP has a built in FW that should be turned on by default and very difficult
for the novice user to turn off.
 

Robert R Kircher, Jr.

Home users are the last in the blame game chain IMO. First comes the
a**holes that write and spread malicious code. Second is M$ for
continually releasing products unnecessarily unsafe for naive users to
use right out of the box.

It's often argued that M$ is merely giving users what they want ...
that users have an insatiable lust for all kinds of features. But I
believe M$ has actually created this lust ... with far too little
attention to security. IE and OE are bad enough disasters, but what
really blows my mind is M$'s version of local networking. I
wouldn't touch it with a ten foot pole.


Oh BS. First off the next time you run across some perfect code post it
here.

Second, you sound like one of those people who put labels on baby walkers
warning parents not to use the walker near stairs. Well duhhhhh.
Somewhere along the line the consumer has to take on some responsibility.
In this case MS released a fix over a month ago. At that point it's up to
the user to do their part of the deal and use common sense and update their
systems. (or in this case at least have a firewall).

What's really lacking is education. The average user has no idea that they
are exposed nor what that means nor what the impact can have on them and
others. In addition, they don't know how to update their systems or why
it's important. And that's even after they are hit. Instead, in this
someone-else-is-responsible world, they just blame MS and continue to NOT update
their systems or add some sort of firewall or find out what other measures
they can use to protect themselves.

I think we need a bunch of Safe Computing PSAs to complement the Safe Sex
PSA. Instead of "It's stupid to not use a condom" they can say "It's stupid not
to use a firewall, AV and update your system." ;-)
 

null

Oh BS. First off the next time you run across some perfect code post it
here.

Second, you sound like one of those people who put labels on baby walkers
warning parents not to use the walker near stairs. Well duhhhhh.
Somewhere along the line the consumer has to take on some responsibility.
In this case MS released a fix over a month ago. At that point it's up to
the user to do their part of the deal and use common sense and update their
systems. (or in this case at least have a firewall).

That aspect of the problem I've been concerned with for a number of
years. You've got your head up your arse if you believe the situation with
"stupid users" is ever going to change. Millions of gnubies go on line
yearly. Frankly, I'm fed up with the pseudo experts who have learned a
few things and inflate their little egos by going around pointing
fingers at "stupid users".

What's really lacking is education. The average user has no idea that they
are exposed nor what that means nor what the impact can have on them and
others.

And it's not going to change, so face facts.

In addition, they don't know how to update their systems or why
it's important. And that's even after they are hit. Instead, in this
someone-else-is-responsible world, they just blame MS and continue to NOT update
their systems or add some sort of firewall or find out what other measures
they can use to protect themselves.

Naive users don't tend to blame M$. It's the "know a little bit" types
that revel in doing that.

I think we need a bunch of Safe Computing PSAs to complement the Safe Sex
PSA. Instead of "It's stupid to not use a condom" they can say "It's stupid not
to use a firewall, AV and update your system." ;-)

Lotsa luck :) Go ahead and beat your head against the wall.

Art
http://www.epix.net/~artnpeg
 

Ian.H [dS]

Gabriele said:
On that special day, Ian.H [dS], ([email protected]) said...

Ultimate critical patch for your windoze OS:


<URL:http://freebsd.org/>


Nonono.


Yesyesyes =P

First _patch_ the hole *in* FreeBSD. I found that in a PC mag
just today:




Valid for *all* versions of BSD.


[tk@hybris:~]$ wget ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt
--01:18:05-- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt
=> `NetBSD-SA2003-011.txt'
Resolving ftp.netbsd.org... done.
Connecting to ftp.netbsd.org[204.152.184.75]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /pub/NetBSD/security/advisories ... done.
==> PORT ... done. ==> RETR NetBSD-SA2003-011.txt ...
No such file `NetBSD-SA2003-011.txt'.


Is this the issue regarding Realpath(3)?

No-one releases perfect code, least of all 100% of the time, but I'm
more than happy to put my trust into a group that produce much higher
quality in code than M$... and why is this? because the developers
aren't trying to push 5 new versions of their already screwed up OS out
every year and not trying to monopolise the market and become even more
greedy. Maybe if M$ took a step back and looked at things, maybe they'd
see this too, but you and I both know this isn't going to happen =(



Regards,

Ian
 

Robert R Kircher, Jr.

Comments inline.

That aspect of the problem I've been concerned with for a number of
years. You've got your head up your arse if you believe the situation with
"stupid users" is ever going to change. Millions of gnubies go on line
yearly. Frankly, I'm fed up with the pseudo experts who have learned a
few things and inflate their little egos by going around pointing
fingers at "stupid users".

I'm fed up with the pseudo experts who point their fingers at anything other
than people who at some point have to take responsibility for the
technology they use. Just think where we'd be if "experts" took that
position when Henry Ford introduced that thing called a Model T. We'd still
be blaming him for every auto accident that ever happened and we'd all be
dependent on some "expert" to drive us around.

As with any advancement in our history, our society has had to learn how to
use it responsibly. The only thing I agree with is that there will always
be stupid users like there will always be stupid drivers but I certainly
don't blame Ford, Chevy, or any other auto manufacturers for these drivers'
stupidity.

What I'm really fed up with is so called experts trying to protect their
importance (and inflate their egos) by NOT teaching users basic things about
the technology they use. They claim it's useless but what it is really all
about is job security. They're afraid they may suffer the same fate as the
TV repairman.

And it's not going to change, so face facts.

Again I guess we, as a society, haven't learned to use other technologies in
the past thousands of years. Hey we've managed to learn how to use fire
without burning down the world. C'mon, you are the one who needs to face
facts. The more people know the better they can deal with and use
technology and the list of stupid users gets smaller.

Naive users don't tend to blame M$. It's the "know a little bit" types
that revel in doing that.

So you're one of the "know a little bits"?
quote: "Second is M$ for continually releasing products unnecessarily unsafe
for naive users to use right out of the box."

Lotsa luck :) Go ahead and beat your head against the wall.

This was supposed to be a joke although there is some truth to the matter.
Here's another example; "Seat Belts save lives". "Firewalls save networks"

Don't be afraid to educate the masses. All you have to do is review your
history to know that you'll be better off if you do. And you'll never be
able to stop the masses from educating themselves. This experience has been
an education to many people. There are so many more and so little time.
;-)
 

null

On Tue, 12 Aug 2003 20:57:29 -0400, "Robert R Kircher, Jr."

I'm fed up with the pseudo experts who point their fingers at anything other
than people who at some point have to take responsibility for the
technology they use. Just think where we'd be if "experts" took that
position when Henry Ford introduced that thing called a Model T. We'd still
be blaming him for every auto accident that ever happened and we'd all be
dependent on some "expert" to drive us around.

Your solution is to tell people to use av software and a firewall,
right? This newsgroup is frequented almost daily with people who use
av software and a firewall and are screaming for help with some virus
they got nailed with. Your level of education is going to have to
extend far beyond that. In fact, I was just exchanging emails with a
very knowledgeable guy on virus matters who was behind a firewall and
had even disabled some unnecessary Win 2K internet services who got
nailed by the subject malware.

As with any advancement in our history, our society has had to learn how to
use it responsibly. The only thing I agree with is that there will always
be stupid users like there will always be stupid drivers but I certainly
don't blame Ford, Chevy, or any other auto manufacturers for these drivers'
stupidity.

Users who get nailed are not necessarily stupid at all. Your analogies
suck in any event :)

What I'm really fed up with is so called experts trying to protect their
importance (and inflate their egos) by NOT teaching users basic things about
the technology they use. They claim it's useless but what it is really all
about is job security. They're afraid they may suffer the same fate as the
TV repairman.

I'm goddam tired of trying to do mission impossible, I'll tell you
that. As I said, be my guest and beat your head up against the wall.
It takes far more technical savvy to achieve a decent level of
security than I think you imagine. And the vast majority of PC users
don't have the technical background.

What's needed are far more secure OS and apps right out of the box
which means less features. Whether or not such a balance will be
achieved remains to be seen.

Art
http://www.epix.net/~artnpeg
 

knurpsl

yikes, what a flame to an innocent question...
ok, the computer i was talking about is a corporate laptop,
by definition i wouldn't even be allowed to touch it in an
administrative way. Of course i do but,...

i have a private computer too, running win XP, Firewall+ avguard.
just found out today that i was infected as well, here. got rid of the
problem too.

At least this time Zonealarm warned me that some funny process
wanted to access the net.
So not only "dumb users" do not check the microsoft announcements,
but also Virus-protection programmers.

how much time do you expect for anybody on this planet, to spend time
reading the latest news on Viruses and the millions of documents
M$ produces? I got other things to do pals!

And once and for all - i do not trust f**ing M$, which is why i deactivated
automatic updates, from Billy Boy on my computer.
Nobody knows in which files exactly they have their fingers in, when they
roam around my HD.

I'm stuck to M$, to a certain degree due to some software i wanna use, but i
got a second partition running Linux, whenever i can i use it.
Not that i would monitor it, but how many Virus/Worm/Trojan Alerts are there
for the Mac in comparison to Windows? Does that get anybody thinking?
 

knurpsl

hey guys, just tried to install the thingy from Microsoft,
i select my system language in the checkbox of the download,
download and get a message that the download would not
match my system's language.
you guys make it sound so easy....
 

Sugien

Maybe now people will know why quite a few people have stayed with
Win98SE and resisted the urge to <cough> <groan> Upgrade to winXPlode and I
never did like win2K or NT and why the saying for winME was "Friends don't
let friends use ME" from what I have seen and tested of the next incarnation
of Windows (Longhorn) they gave it the right name because it is not only
going to gouge the public for more cash for more of a cosmetic update to an
existing OS than a functional change (even though it is more like *nix then
; but they will more or less be steered into paying to upgrade to an OS
with more holes than XP.
As for this latest little worm, maybe the public should be thanking
their lucky stars instead of belly aching because they didn't take the time
to patch their machines when they were told weeks ago to do so. They should
feel lucky that the person who discovered the hole chose to inform MS and
that M$ put out a patch otherwise this could be several orders of magnitude
worse.
One other thing the public and business alike should be VERY GRATEFUL
to those that CHOSE to inform M$ about the hole; because if they were
instead Black Hat Hackers they most likely would NOT have informed M$ and
instead of creating a cheap worm that shows off by clogging up the mail
servers the worm could just as easily have STEALTHILY taken over machines
and made them zombies, or in the hacker jargon *Owned* and then those
countless systems with NO patch could have been used for anything the Black
Hats wanted. You can use your imagination on what they could have done;
because they would have been able to not only see data but change it, and
could have done so without ANYONE being any the wiser.
On the other hand that also says something for those that did discover
and report the hole to M$; but then CHOSE to release a POC which the
skiddies (Script Kiddies) cobbled together this; but then again I bet there
are still systems out there that are still not even patched for the old
file://c:\con\con bug, lol; but alas even that is not a laughing matter;
because there are those out there that do a re-install and thinking they are
safe behind a corporate firewall figure they don't need any patches, yeah
right, geesh.
 
 

Frans Meijer

Howdy -- can't find it!?

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc

It's a bug appearing in virtually all *nix systems.
 

Gabriele Neukam

On that special day, Ian.H [dS], ([email protected]) said...

[tk@hybris:~]$ wget ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt
--01:18:05-- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt
=> `NetBSD-SA2003-011.txt'
Resolving ftp.netbsd.org... done.
Connecting to ftp.netbsd.org[204.152.184.75]:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /pub/NetBSD/security/advisories ... done.
==> PORT ... done. ==> RETR NetBSD-SA2003-011.txt ...
No such file `NetBSD-SA2003-011.txt'.

<sigh>

I missed the ".asc" at the end of the line, because of the word wrap in
the article (even without that .asc it went over three lines of text)

Is this the issue regarding Realpath(3)?

At least *some* realpath() issue. I can only report the article, but
don't completely understand it. It seems to allow access to areas that
should have been off limits.

No-one releases perfect code, least of all 100% of the time, but I'm
more than happy to put my trust into a group that produce much higher
quality in code than M$...

I can understand this, the only problem with *this* bug is that it is
very fundamental, and present in all versions of BSD before May 22nd.

But they are much more eager to fix it, once the vulnerability is found.
I wish MS were that fast.


Gabriele Neukam

(e-mail address removed)
 

Gabriele Neukam

On that special day, Robert R Kircher, Jr., ([email protected]) said...

Somewhere along the line the consumer has to take on some responsibility.
In this case MS released a fix over a month ago. At that point it's up to
the user to do their part of the deal and use common sense and update their
systems. (or in this case at least have a firewall).

Which means, after having bought a new computer with XP on it, and no
information about its current patch status, I have to crank up my analog
modem, connect straight over the Atlantic Ocean ( on a pay per minute
basis) and stay online for several hours, only to set my computer into
standard conditions.

Why isn't there any free cdrom available in electro markets or newspaper
shops with the newest collection of original MS service patches, so that
I can update my machine without having to pay my ISP for thousands of
minutes online? The newspaper mags offer patch cd's more or less once a
year, which is way too rarely.


Gabriele Neukam

(e-mail address removed)
 

Gabriele Neukam

On that special day, Robert R Kircher, Jr., ([email protected]) said...

Just think where we'd be if "experts" took that
position when Henry Ford introduced that thing called a Model T. We'd still
be blaming him for every auto accident that ever happened and we'd all be
dependent on some "expert" to drive us around.

As with any advancement in our history, our society has had to learn how to
use it responsibly.

If responsibility is the only important thing, why do we drive cars
which are very different from those Model T ones?

Airbag, retention system, anti blocking system, anti slip regulation,
and lotsa more. We are so responsible for our own driving, do we really
need all that electronic stuff in our cars?

According to your statement, it is only there to make us forget that we
are responsible for the computers/cars we use. But you forgot one
factor: there are a multiple greater number of cars and computers being
used by now, and whatever knowledgeable person may apply it, there is
always the probability that something will go wrong, and this
probability is rather high, as there are many other devices there to
collide with.

Bill Gates, we need a proper safety system, just as the cars have got
them. It is time to fulfil your promise for "safety programming".


Gabriele Neukam

(e-mail address removed)
 

Gabriele Neukam

On that special day, knurpsl, ([email protected]) said...

hey guys, just tried to install the thingy from Microsoft,
i select my system language in the checkbox of the download,
download and get a message that the download would not
match my system's language.
you guys make it sound so easy....

I was on the international MS page for that patch, and was told to
change the language if needed. The field with the language options and
Go! button was at the top right, a bit hidden (in a psychological way).


| 1. Click the Download link to start the download, or choose a
different language from the drop-down list and click Go.
| 2. Do one of the following:
* To start the installation immediately, click Open or Run
this program from its current location.
* To copy the download to your computer for installation at a
later time, click Save or Save this program to disk.


Maybe that is what you are looking for?
http://www.microsoft.com/germany/ms/technetservicedesk/bulletin/bulletin
ms03-026.htm

(sorry for the wrap)


Gabriele Neukam

(e-mail address removed)
 

Ian.H [dS]

<sigh>

I missed the ".asc" at the end of the line, because of the word wrap
in the article (even without that .asc it went over three lines of
text)


Heh fair 'nuff.. I grabbed the file from another post which added the
.asc (I guess I should have used ftp rather than wget and I could have
found it on my own accord, heh).

At least *some* realpath() issue. I can only report the article, but
don't completely understand it. It seems to allow access to areas
that should have been off limits.


Yup.. the one that I found out about the other day.

It is a nasty hole, as it affects all builds from the ports tree too
(_VERY_ commonly used), so it's not just the system that needs fixing
unfortunately.. that has caused me a fair amount of time to sort out =\

Still, IMHO; this is one (ok, rather large) issue.. compared to ########
(insert a large figure of your choice here) M$ issues =)

I can understand this, the only problem with *this* bug is that it is
very fundamental, and present in all versions of BSD before May 22nd.


But they are much more eager to fix it, once the vulnerability is
found. I wish MS were that fast.


Yup, this is one of the major differences I think between the O-S
community and the windoze coders. O-S gets patched very quickly
(normally) but M$ seem somewhat oblivious, or have a strange "yeah..
and?" attitude towards their patching.

The other major issue again, IMHO; is that more people trust O-S patches
than M$ stuff, as O-S coders appear a _LOT_ less interested in what you
may have on your box. I think this is one of the reasons that such
things as codered, nimda, now msblast spread so well.. a lot is down to
ignorance of the user (for whatever reason) but also for the people that
are aware, the "what else are M$ gonna do while I patch this?" question
that hangs over many a head.



Regards,

Ian
 
