Re: My Windows XP system is 100% secure - nobody can get in

From: Don Jenkins <bigwheeze@hotmail.net>
Date: Sat, 22 Feb 2003 02:22:06 -0800


Dave Thornburgh wrote:

> "Don Jenkins" <bigwheeze@hotmail.net> wrote in message
> news:3E5646D9.7050403@hotmail.net...
>
>
>>In the rest of your post you said you were going to give specifics,
>>then you proceeded to give generalities. You did not give even one
>>specific. You are a bullshitter. Any idiot can quote generalities
>>about computer security.
>>
>>Stay out of this thread if you either have no desire or are not
>>qualified to intelligently participate.
>>
>
> I owe you my most abject apology. I hadn't realized that you have your
> own home-made dictionary, with a different definition of both "specific"
> and "generality" than the rest of us use.
>
> You said I gave you not even one specific. Now who's full of it? I
> gave you highly targeted links to SANS, CERT, Bugzilla, etc. The
> documents referred to are highly detailed, extremely specific, verified
> and verifiable. They have information about the risk level, the mechanism,
> the effects, how to determine if they apply to you, and how to mitigate
> or eliminate the vulnerability.
>
> As is almost always the case, I believe that the single biggest risk to
> the security of your computer is the luser currently sitting at your
> keyboard. I gave you a chance to move beyond your own generalities by
> raising SPECIFIC points that you could have answered. Do you maintain
> a strong password (and, for that matter, do you know that in XP, an
> 8-character password is much less secure than a 7-character one)? Have
> you disabled the resource sharing and anonymous login "features" of XP?
> Have you obtained and applied the patches recommended by the very vendors
> that you trust so generously?
>
> In case you didn't recognize that those were links that you were supposed
> to follow, I'll post excerpts from one of them. Can you please enlighten
> us about how this is not specific enough?
>
> And, your response was exactly what I predicted.
>
> --------------------------------------------
> from <http://www.kb.cert.org/vuls/id/591890> :
>
> Vulnerability Note VU#591890
> Buffer overflow in Microsoft Windows Shell
>
> Overview
> A remotely exploitable buffer overflow exists in the Microsoft Windows
> Shell. This buffer overflow is present in all versions of Windows XP,
> but it is not present in other versions of Windows.
>
> [snip]
>
> Several different attack vectors can be used to exploit this vulnerability.
>
> If a user opens a folder containing a file with malformed attributes,
> the Windows Shell will read the attributes automatically.
>
> If a user visits a web site hosting an audio file with malformed attributes
> and hovers their mouse over the malicious file, the Windows Shell will read
> the attributes automatically.
>
> Via email. Again, quoting from MS02-072:
> An attacker might embed a link to a share that contained the file in a frame
> that would display when the user opened the email. An attacker could also
> attach the file to an email message and send it to a user with a suggestion
> that the user save the file to their desktop. Once the file was present on
> the desktop, if the user hovered over the file with their mouse the
> vulnerability could be exploited. Finally, an attacker could include in an
> email message a link to a share that contained the file, along with a
> suggestion that the user click on the link. If the user clicked the link,
> the share would be displayed and the vulnerability could be exploited.
>
> II. Impact
> An attacker can either execute arbitrary code (any such code would run with
> the privileges of the victim) or crash the Windows Shell.
>
> III. Solution
> Apply a patch.
>
> ---------------------------------------------------
> [end of quote]
>
> And, if you've read this far, look again at the parenthetical note in the
> "Impact" section. If you are running as an admin, then the attacker
> inherits those admin rights. Specific enough for you? If not, then STFU.
>
> Dave
>
>
>

Again, you're an idiot. None of that stuff applies to me. Don't send
me off on wild goose chases. I've already done far too much of that,
mostly because of absolute idiots like you who scream the sky is falling.

If you think you have something SPECIFIC, then post it. If it's open
knowledge on those websites, then post it here. This is a computer
security newsgroup. You have nothing, you're a fraud.

Of course, executing any unknown program (regardless of the source)
on your computer could cause problems. You "experts" have no defense
against this. Worse, you frauds constantly recommend that people
install unknown programs on their system, "firewalls" and such from
MyBedroomCloset, Inc.

Don't tell me about well-known human problems that are easy to avoid.

Again, go away idiot.