Re: Does anyone else get pop up messages when not logged on
From: Charles Otstot (saries@nc.rr.com)
Date: 11/15/02
- Next message: Kara: "Anti-virus program"
- Previous message: lappy: "NEED REAL ASSISTANCE, Please !!! (ill. op's)"
- In reply to: Gary Flynn: "Re: Does anyone else get pop up messages when not logged on"
- Next in thread: Juergen Nieveler: "Re: Does anyone else get pop up messages when not logged on"
- Reply:(deleted message) Juergen Nieveler: "Re: Does anyone else get pop up messages when not logged on"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Charles Otstot" <saries@nc.rr.com> Date: Fri, 15 Nov 2002 14:49:07 -0500
Gary,
I understand your position, and in many aspects agree with you, however, I
do believe that we must look at whether Microsoft's delivery of products is
appropriate from a historical perspective.
Think back to the introduction of Windows 95. The all-encompassing, ever
dangerous "Internet" really didn't exist. There were those of us who used
and occupied this great, seemingly amorphous network, but the majority of
computer users had no interaction with the 'net, much less a continuous
connection. Security issues primarily focused on corporate networks and the
effects of the occasional virus (the virus focus was often overplayed,
recall the bust that was Michelangelo). Relatively little attention was paid
to external attackers as relatively few organizations had internet
connections. Microsoft, as had long been its philosophy, was designing OSes
and applications with an eye towards enabling users. This approach worked at
that time, network configuration was simplified. PC prices continued to
fall, and corporations discovered the ability to use the internet backbone
to connect their offices. Ultimately, within the last two years, broadband
connections (in the guise of cable modems and DSL connections). *Now* we
have a security problem, not so much because Microsoft was being
irresponsible, but because the market environment changed quickly and
dramatically.
It seems to me, that reviewing the industry's evolution over the last 5-7
years, that Microsoft hasn't necessarily acted irresponsibly (certainly the
final design of Windows 2000 was completed before security was quite as big
an issue as it is today), rather, Microsoft simply took a long time to
change course and design philosophy. This would not be unusual for a large
organization like Microsoft.
At the risk of sounding snooty, I do want to bring up something in your
"Windows Messenger Service PopUp SPAM" article. You indicate that Q330904
recommends using a firewall in lieu of disabling the Messenger Service. In
fact, the recommendation in the KB article is much broader than you suggest.
The KB article recommends blocking "...NetBIOS traffic, instead of merely
just turning off the Messenger service." Closing the ports recommended by
Microsoft effectively configures your network for protection against many
NetBIOS-based attacks, not just abuse of the Messenger Service. Nowhere in
the article does Microsoft recommend *against* turning off the Messenger
Service, it does indicate areas one might encounter problems if the service
is disabled (this certainly seems responsible to me). It seems to me that
this *is* appropriate advice for the many users who (like the home users you
spoke of) have no access to technical support and lack the knowledge to
*properly* harden a server. Telling Bob Smith he should only activate those
services he needs is well beyond his technical ability, he's more likely to
turn everything on to be certain his needs are met instead of taking the
(potentially) lengthy time he'll need to configure *only* necessary
services. Similarly, the home user will turn everything on and is highly
unlikely to spend the $$ to hire a professional to configure his/her system.
Charlie O.
"Gary Flynn" <flynngn@jmu.edu> wrote in message
news:3DD50F13.D9B7DC1E@jmu.edu...
>
> Too Hot wrote:
> >
> > Personally, and I do stress IMO, overall, Gary gives a very professional
> > impression (from the one page I've read). However, I feel the underlying
> > criticisms taint the whole article and deplete my desire to read on. I
> > hope Gary is able to take my words as the constructive criticism it was
> > meant to be but I'll try to choose my words more carefully in future :)
>
> We all view the world differently :)
>
> I don't like putting editorial information in technical articles
> either. But so many technical alerts and advisories deal with
> only the immediate problem and not the underlying causes. I like
> to take the opportunity to question some of the strategies
> and assumptions that lead up to the immediate problem in hopes
> that we don't continue to repeat the same mistakes.
>
> If customers are given the information on which to make an informed
> choice, maybe they'll be willing to demand a little less "make it
> easy for me to do anything I want regardless of the consequences"
> and a little more "I can accept the need for some extra steps if
> I want to do things that open me up to more risk".
>
> --
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
>
> Please R.U.N.S.A.F.E.
> http://www.jmu.edu/computing/runsafe