RE: Win2k SP3

From: Rapaille Max (Max.Rapaille@nbb.be)
Date: 08/26/02 

Date: Mon, 26 Aug 2002 09:03:56 +0200
From: "Rapaille Max" <Max.Rapaille@nbb.be>
To: <SMiller@unimin.com>

Perhaps I'm Not paranoid enough ? ;-))

Anyway, I won't trust M$ for that, but as I said, it's only a mitigating factor, and I assume they won't go to far, knowing that some millions people watch them precisely, waiting for any clear sign of Spying, backdoring or threatening 'a la Cosa Nostra'...
Just a 0.02€

Max

-----Original Message-----
From: SMiller@unimin.com [mailto:SMiller@unimin.com]
Sent: samedi 24 août 2002 13:00
To: Rapaille Max
Cc: Chris Norris; Derek Hamilton; Rob Fogle; security-basics@securityfocus.com; Tim Donahue
Subject: RE: Win2k SP3

One item is in the EULA, a (at least by MS intent) legally binding contract, the other is an implementation detail. You cannot rescind your agreement to the EULA, but MS can change the implementation detail at any time at their discretion. And this gives you a level of comfort? La cosa nostra used to work this way: you owe a favor to a capo, who can call it in at any time in the future, any way he wants to... Scott Miller Mgr IS Support Unimin Corporation My opinions do not necessarily reflect those of my employer, and I have the scars to prove it...

                                                                                                           
                      "Rapaille Max"
                      <Max.Rapaille@nbb To: "Derek Hamilton" <derek@capweb.com>, "Tim
                      .be> Donahue" <TDonahue@haynesconstruction.com>, "Rob Fogle"
                                                <rob@deltaed.com>, "Chris Norris"
                      08/23/02 02:37 AM <chris.norris@cpnmedia.co.uk>,
                                                <security-basics@securityfocus.com>
                                               cc:
                                               Subject: RE: Win2k SP3
                                                                                                           

Hi,

Just my 0.02€...
Did you read the sentences before the extract we commonly see ?

 * If you choose to utilize the update features within the OS
   Product or OS Components, it is necessary to use certain
   computer system, hardware, and software information to
   implement the features. By using these features, you
   explicitly authorize Microsoft or its designated agent to
   access and utilize the necessary information for updating
   purposes. Bla bla bla...
I think this is to note that you just can choose not to use automatic update..

And extract from the Readme file :

You can configure your computer to receive these notifications if you are logged on as an administrator. Use Control Panel to select the options you want. If Automatic Updates is not configured within 24 hours after the service pack is installed, the network administrator or whoever is logged on locally as an administrator will be prompted to configure it. Automatic Updates will not download any updates until someone has configured it to do so.

So There are some "mitigating" factors...

Regards.

Max

-----Original Message-----
From: Derek Hamilton [mailto:derek@capweb.com]
Sent: jeudi 22 août 2002 00:06
To: Tim Donahue; 'Rob Fogle'; Chris Norris; security-basics@securityfocus.com
Subject: Re: Win2k SP3

> If it follows the same methods that Windows XP uses, then MS does not
> initiate the connection. The computer that SP3 is running on will
> contact MS to look for the latest updates (could be turned off in
> Windows XP, not sure about SP3)

You can disable the automatic update service through the services mmc and/or you can use the automatic update control panel applet to not allow the service to check for updates. The second option will not disable the service however. If you're really worried about it disabling the service is better.

Derek Hamilton
Director of Technology
Capitol WebWorks, LLC.

Visit our website! http://www.nbb.be

"DISCLAIMER: The content of this e-mail message should not be constructed as binding for the National Bank of Belgium (NBB) unless otherwise and previously stated. Besides, the opinions expressed in this message are solely those of the author and do not necessarily represent those of the NBB, which is particularly the case if the content of the present message, or part of it, is of a private nature or does not come whithin the professional scope of the author."

Visit our website! http://www.nbb.be

"DISCLAIMER: The content of this e-mail message should not be constructed as binding for the National Bank of Belgium (NBB) unless otherwise and previously stated.
Besides, the opinions expressed in this message are solely those of the author and do not necessarily represent those of the NBB, which is particularly the case if the content of the present message, or part of it, is of a private nature or does not come whithin the professional scope of the author."

Quantcast