From: mvp at joeware.net (joe)
Subject: lame bitching about xpsp2

It is interesting how far this has drifted off topic. First off let me try
to bring back, then further below give clarification on the previous post.

Most of the posts on SP2 seem to be, wahhh, someone else had a problem and
that isn't right or this doesn't work like *nix and that isn't right. 

Folks this is the thing you all have been beating on MS for for some time.
They go off and do it or at least start to do it and you still whine about
it. Don't whine that it isn't perfect or it doesn't look/work like <insert
favorite OS here>. It won't ever be. Deal with the reality of the situation.
Now that we are past that, do you have a real issue or do you want to
blather? 

If you want to complain about functionality, what specific change do you
think should be made to make the system more secure. For instance, don't
complain about add-ons, talk about ways that could be used to make it better
because I have a hunch we won't get rid of add-ons in IE no matter how much
some of wouldn't mind it not having that functionality. 

Personally if I have to have IE on a system, I would like to see that
requirement be for a very basic core hello world version and not one that is
jammed to the gills with features and add-ons and complexity. I don't
believe IE is a core component of the OS, yes I know I know, lawsuit, judges
say so, etc. Courts don't know tech. MS had a specific goal, get over it. It
is reality, IE isn't core. 

So if they are going to force add-ons and such, then maybe they need better
add-on management. And low and behold they do have some better management in
XPSP2, not much, but at least they are looking that way now which they
weren't before. That is 100% better at least. Is it perfect, no. Is it
better, yes. Could it be better still? Yes. For instance you could do some
of the following:

0. Add-ons shouldn't install unless I specifically say so. (see KB883256 on
managing add-ons in SP2 - "When you visit a Web site, Internet Explorer
add-ons may be downloaded automatically, or you may be prompted to download
an add-on")
1. Log where the add-on came from. Did I get asked if I wanted it installed?
Did I say yes? If not, why did this install anyway?
2. Log the add-on usage. What web sites, when, etc.
3. We should be able to remove an add-on from the Manage Add-ons dialog, not
just be able to disable. What is with the having to restart IE, kill the
add-on from running when I say I don't want it. 
4. I should be able to say, don't ever install this when I am asked if I
want to install one and then it will never even prompt me for it again. Re:
Cookie blocking. Have the list I can look at to see what I have in this
blocked state. 
5. Full path to the file and what else got updated for this add-on when it
was installed (reg entries, folders, etc)
6. Ability to block websites based on add-ons they want you to use.
7. Sandbox for add-ons to run in with no ability to modify the system to get
out. You stop IE, all the add-ons stop as well.
8. Sandbox the disk and registry where this stuff gets installed, I specify
the location (it can specify a subfolder under it). I specify the
permissions on the files and folders and reg entries and it can't change
them. 
9. Have a safety status for each add-on, you *can* tell the OS to update on
some frequency. It updates by going to the MS site AND say your favorite AV
site (this is changeable only by typing it in directory or through Domain
Policy) and it compares CLSIDS against their lists. If the add-on hasn't
been checked, it is grey status. If it is checked and known good, green.
Checked but not sure or unknown, yellow (maybe red if you are paranoid).
Checked and known bad and it is red. 
10. Tied with 7 is a way to automatically update the status and set your
worry level. Disable if yellow, disable if grey, disable if red, don't ever
disable just warn. 

Right now we have the options of allow installs of anything, allow installs
of only the ones I pre-allow, don't allow any installs. For the most part
home users will go with the first, especially since it is the default. I
think there should be even more pain and communication with the user about
it with no possibility of install without at least asking. 


Anyway, we as security aware people should be pushing users to test this and
deploy it. If they don't have test systems, don't tell them not to install,
tell them to install and work through it. Telling them not to install
doesn't help anyone, including themselves. If you want tell them to install
whatever OS you feel is better, in the meanwhile tell them until they do,
they should install SP2 on their XP systems. As we get people to XP SP2 or
your favorite alternate OS (I honestly really don't care which just make
sure you teach the people how to patch if you move them from Windows, if on
Windows set their autoupdate for them if they don't know how to patch) then
hopefully some of the crazy, stupid stuff zipping around the internet will
decrease a little. 




====
OT Stuff

Anyway let me clarify a couple of things that the poster is incorrectly
assuming and/or attributing to me.

> If only a #define statement were copied they wouldn't 
> be obligated to disclose it's source.

When I say "they still have to acknowledge the source" it means that execs
worrying about lawsuits would much rather quote a source of information or
code, no matter how small, than risk going to court because someone else
perceives its use without acknowledgment. The point at which they wouldn't
feel ANY need to do so is if they purchased rights to the code which may
possibly be the reason you see so few references to other vendors who have
obviously contributed to Windows. The fact that they implement a standard ip
at all means there is some sort of derivation path somehow back to Berkeley,
whether it comes through code bought from another company or directly used
from BSD.

I did not say that the only use was a #define, what I said was that would be
enough to get MS to document it if they didn't otherwise outright own the
rights. If you pick up a #define straight out of someone else's file without
change, you are borrowing their work. It is small, but you are still
borrowing. Someone may come looking because they may think it is more than a
#define especially if the define betrays functionality not publicly
documented. Not saying that is the case here so try not to read into what I
am trying to say other than acknowledging use of someone else's code can
occur even if it is some small piece, even if they aren't legally required. 

I agree that having code doesn't tell you lineage. You can look at it and
look at something that you think it is derived from and get a possible
answer but it would be difficult to ever prove it was or wasn't lifted
unless it was verbatim up to and including the same silly misspellings and
such. However, if the code documents its sources such as "the main body of
this code came from such and such corporation" or these lines came from such
and such a file in such and such distribution, you can either believe it is
all a lie or you can go with Occam's razor. I choose the latter. I do,
however, admit that I don't feel MS is evil Satan spawn trying to take my
first born and my freedom of choice away. Once I don't have the option to
buy or otherwise get a hold of alternate Operating Systems that are
available then I may change my opinion. I don't see that ever happening
though I do expect some collapse of the number available based on infighting
and business/funding model. 


> The existance of an alternative does not make the 
> alternative readily available.  You need a readily 
> available alternative to prove your point, and right 
> now that doesn't exist. 

I would say this is a pretty poor comment on our current position. The fact
that you had issues getting what you wanted from where you wanted doesn't
mean alternatives are not readily available.


> The only problem I see there is that the BSD people 
> didn't have the foresight to license their code under 
> the GNU GPL

I think this could only have hurt its use and deployment. Many large
businesses do not like GNU. Many people don't like it. I don't like it. I
will never use GNU code within my code, I will rewrite what I need from
scratch if I need it badly enough. I won't share my source, I tried, it
turned out to be more pain than it was worth. I will use GNU licensed
software because I like some of the stuff out there but I would use it even
if it weren't GNU. I don't see why I should have the right to look at the
source in order to use software. I am using the software by my choice, no
one forces me to sit at a computer.


> They've already been declared a monopoly.

This one always made me chuckle. The whole thing is based on the concept
that there is no commercially viable alternative to Windows. This doesn't
seem to be what the OSS and Apple vendors think or say. Munich doesn't think
so... Google doesn't think so. If this were the actual truth, you wouldn't
see Red Hat, Suse/Novell, Mandrake, etc doing what they do. I didn't think
this was accurate in 99 and don't think so now. You obviously don't think so
if you went to so much trouble to get an alternative, it is obviously a
viable alternative to you and it sounds like IBM was trying to make it
profitable for them. Another piece that is hilarious is

"While Microsoft may not be able to stave off all potential 
paradigm shifts through innovation, it can thwart some and 
delay others by improving its own products to the greater 
satisfaction of consumers."

Holy cow, they can maintain customers by making a better product, that
certainly is a monopoly and hurting the consumers. THEY MUST BE STOPPED!



  joe



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Barry
Fitzgerald
Sent: Tuesday, August 17, 2004 2:34 PM
To: joe
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] lame bitching about xpsp2

joe wrote:

Powered by blists - more mailing lists