From: yossarian at planet.nl (yossarian)
Subject: Anti-MS drivel

> I don't know how this works in the US but in Europe gas stations and
> fuel inlets are only compatible if you use the right fuel. I couldn't
> refuel my car with Diesel even if I wanted to.

Like I said - the other way around. Since the majority of cars are on petrol,
putting diesel in them is blocked by the size of the muzzle. I drive a
diesel - and lo!, I can put petrol in it. Of course there is the sticker.
Well, that does not seem to help much, as the man from Hertz told me - a
reason why renting a diesel car is much more expensive. The point: people
make mistakes.
>
> > Who is to blame - we are talking product liability
> > here, while most of us are not trained in legal matters - hence the
> > example.
>
> There is the difference between a consumer taking action to damage the
> product in contrast to the consumer NOT taking action to REPAIR a
> product the vendor shipped broken.

Shipped broken is a matter of definition. If it comes preinstalled you might
have a case; if you select the default options from a CD, then you don't. If it
is preinstalled, you should go for the vendor of the machine, not MS.

> > And remember - people are required to have formal training to drive a
> > car....
>
> Do you want to establish the same situation for PCs? Vendors will not be
> happy since this limits their market.

No. I would be jobless without stupid users. And the driver's license
thingie - well, I drive some 300 km per day to get to work, and it doesn't seem
to help much anyway.

>
> > When I drove home after reading this thread, I tried to open the hood while
> > driving - guess what? It does.
>
> It's mechanical, right? No electronic stuff between the lever you pull
> and the hood, right?

So? Precautions need not be electronic. And like you said, with the lever
under the driver's seat - well, I had a car (Renault 4) and the lever was in
the centre of the dashboard. True, it is an old design, but the analogy just
proves that it takes ages to design idiot-proof consumer products, whether
operating systems or cars. And I am quite sure that lessons are forgotten in
car design too. The Pinto is the most famous misdesign in cars, having the
fuel tank in a position where it would easily explode in a car accident.
Apropos your OT: many of these differences in availability have to do with
safety regulations resulting in part from the Pinto. Maybe google for the
affair; it gives a good insight into product liability. I have never actually
seen a Pinto, living in the Old World as you do, but the example was used
when I went to law school in the 80s.

> [OT]
> Sorry, doesn't ring a bell. I'm not really into the American car market,
> sorry. I drive a car you can't buy in the States and there are even more
> cars in the States that are not for sale in Europe. It's amazing how a
> landscape can differ by just looking at the different types of cars,
> don't you think? :-)
> [/OT]

> If people wouldn't run as administrators in XP Home then the execution
> of malicious code would only be half as bad as it is.

XP Home is like it says, for home use. All it needs is a Do Not Do This At
Home sticker;-). What would you expect home users to do - hire an admin? I
know MCSE's come cheap these days, but in reality, they'll mess up any
system.
>
> You haven't understood this a bit. You are not doing the customer a
> favour when you let him be administrator by default. When end user
> applications need admin rights to run under Windows then this is a serious
> design flaw that needs to be changed before demanding changes in users'
> behaviour.

Well, end users do not like to log off to install software, and many home
users do that all the time. Bought a PC magazine lately? Always a CD or DVD
with it. It usually is a hobby machine. Messing around is part of the fun,
but they don't want the risk. That's what I learned being a repairman for a
computer shop. And IMHO customers are usually wrong, but heck, it is their
money. You can run all normal Windows software under a normal user account
anyway - unless it is a certain AV tool - but that is not what people want:
all the power but none of the risks. Gosh, just like the real world.

> Who do you want to sell PCs? Only companies with IT infrastructures?
> Only administrators? Computer Science students? Or the average guy on
> the street, the six year old, the granny?

> This is an economic question. Not a technical one. If you want to sell a
> product then it has to be aimed at a specific group of consumers. If
> they can't handle your design, then they'll eventually switch as soon as
> there is competition available that is doing better. We are about to get
> into this situation within this year and the next few years.

You are aiming to outlaw XP Home? The competition already exists, but people
do not change. I have seen many home users running XP Pro at home - never
seen XP Home in a Torrent or eDonkey - and always as Admin.
>
> Yes. Let's blame MS for not closing down unnecessary services on
> consumer boxes by default. Finally you understood me.

Ever done a network audit - speaking of unnecessary services? I have and I
do, and it still amazes me to see QoTD on an NT box... Techies are no better.
But I had already caught on to your point, I just don't think stupid people
will smarten up. Entropy: it will just get worse.

> But my "blame" isn't simple bashing. I expect MS to do better. If enough
> people raise their voice then MAYBE the next releases of Windows will
> improve things by not offering admin accounts by default for consumer
> versions or having all sorts of outside connections open by default.
>
So they can't install software?

> > Let's imagine a worm that propagates using something like older OpenSSH,
> > open FTP directories accepting anon, and samba shares - use buffer overflows
> > in sendmail and apache for effective rights - and CORBA to root. It contains
> > a mechanism for detecting the network lay-out, along the lines of p0f, and a
> > tunneling mechanism for additional payload over a P2P like network, with a
> > TLS communication. And it would trigger at certain intervals ARP flooding to
> > all systems with DNS and BootPS. At the end of the year it would tell Intel
> > processors it is a 286. To make the fun bigger it would find the installed
> > certificates on the machine and use it to sign the trojans it installs.
> > Would networks crumble?
>
> That depends upon the quantity of infected machines trying to reproduce
> and spread the worm.

Exactly my point - there's just not enough critical mass like in MS.

> > Complaining about either stupid users or Outlook is not going to change
> > anything - fix your infra. And chop-bloody-chop with it!
>
> That may be right for you and me but not the average end consumer who
> doesn't want to "fix" anything and who doesn't have an "infra". He
> simply wants to use it. They expect their PC to work in the same way a
> TV set works. You switch it on and switch it off. That's the kind of
> "button pressing" they want to do. Not fixing stuff. It is our task to
> make this possible.

Don't know what you drive - to go back to the car analogy, but have you any
idea about how many callbacks there are, to fix design flaws? Ask an
independent dealer - probably get him drunk first since it is damaging to
business to tell, but there are scores.

> > If you are to build a virus, go for the greater numbers.
>
> No. Go for the weakest target. If I know 90% of all possible targets
> have an exploitable service running by default, then this is the weakest
> target.

90% of few machines does not make propagation. The weakest target is for a
focussed attack on a specific target.

> > So this is what it all boils down to - the risk of the monopoly.
>
> I don't worry about the monopoly. It's already seen its best days.
> Market powers are already in motion and by the end of this year the
> desktop market will show the first signs of changes.

Don't think so. Markets are not ruled by quality, but by distribution.

> > Since standardisation in OS and applications is corporate policy
> > everywhere, and globalization is real, there will always be a monopoly on
> > the desktop with all its inherent risks.
>
> This is where you will be proven wrong. With all the urge to
> standardisation, how do you explain that the rising number of successful
> Linux vendors haven't found a way to standardise methods of package
> management, a common Window-Manager and common widget sets and so on?

I really hope to be proven wrong, but I rarely see Linux or BSD in corporate
environments. Linux is mostly talk, no action in corporates. And the ones I
did encounter were usually completely unpatched, ancient and wide open.
Remember RedHat 5.6? Well, I ran into some of them during a very recent
audit. Guess what? They needed a ton of patches....

> If you fail to see how a few very simple measures by the vendor you and
> I have to apply anyway can improve the situation then I feel sorry for
> you. You may be able to fix the problems in your organisation but the
> real problem are those millions of unsupported end users connected to
> the Internet, having their Windows XP Home wide open for anything as
> soon as they forget to "sysadmin" it because they have a private life
> and a family at home.

I agree on using simple measures where possible, but besides that, anything
slightly sophisticated is bound to elude the home user, whatever the OS.

And I don't consider the millions of unsupported users a problem, they can
get a support contract but just don't. They are on their own by choice.

Maybe I can help *my* organisation; well, as a contractor I see many
organisations and I hope to help them one by one. I can't help millions of
poor home users that don't know sh*te and don't care, and neither can anyone
else. I think it would be better to sue the home user than MS, for using
their personal property properly. Look at all the info ISPs give - on
security: sometimes it is extremely good and it is free. Then ask your ISP
how many hits these pages get. Those people should not own a computer, but
they do. And if you take away the options to mess around, well, you are
advocating the NC.

<OT>
Shouldn't you be sleeping? It is the middle of the night!
</OT>

