Re: lets vote for better security

From: Roland Hall (nobody_at_nowhere)
Date: 04/12/05


Date: Mon, 11 Apr 2005 20:04:52 -0500


"Karl Levinson, mvp" wrote in message
news:%23V2Ul0pPFHA.3788@tk2msftngp13.phx.gbl...
:
: "Roland Hall" <nobody@nowhere> wrote in message
: news:egn0nmoPFHA.1176@TK2MSFTNGP12.phx.gbl...
:
: > : As you know, what I and the OP wanted to be able to do is eliminate IE and
: > : OE-related security vulnerabilities.
: >
: > That'll never happen. They're written in C++. It's an endless list.
: > Steve Ballmer already said, in a keynote, "Well, you'd think we'd know how
: > to write software without buffer overflows..." (
:
: You've misread what I said.

I'll grant you anything is possible and I have done that before. Now
reading on...

: What the OP wanted to do was a way to remove IE and OE vulnerabilities from
: Windows, e.g. by having a way to disable IE and OE.

And how is that accomplished when IE is part of the OS? Has everyone been
asleep? Do we not remember the battle between Netscape (weenie programmers),
the DoJ and MSFT? What WAS the deciding factor? IE IS NOT JUST A BROWSER!
(emphasis implied)

: > : It seems obvious to me that something is very wrong with all MS customers
: > : worldwide being required to install, and thoroughly test, IE and OE patches
: > : onto production servers every 30 to 60 days, when IE shouldn't be there in
: > : the first place.
: >
: > But there is no requirement to install and update every 30 to 60 days on any
: > MSFT OS.
:
: You're nitpicking.

You're right. I nitpick when we're discussing what is true and what is
false. True and false is a black and white argument, not gray. Gray is for
Liberals and security professionals who occasionally wear a black hat.

: MS customers are required to either patch their servers for IE vulnerabilities
: roughly every 60 days, or accept the risk of leaving their server unpatched
: and running vulnerable code.

What happened to the home users? And your statement is false. The risk is
there whether you patch or not AND, read this closely because I've repeated it
too many times already, your web server should not be your first/last line
of defense.

It's the same argument in development for user input. Why try to strip out
every character you don't want when it's much easier to only allow the ones
you do? If I only want digits with a length from 6-10, why would I ever
accept any input less than 6 or greater than 10 that had any characters
other than 0-9?

If I don't want anyone from Brazil to directly access my network, using IPSec I
can restrict the whole 200.x.x.x IP block.

: > : I know, but that doesn't sway me. Since most people don't use most of
: > : those vendors, why should there be no possible way for such users to
: > : disable MSHTML?
: >
: > Most people? You know what most people use and don't use? You must be very
: > popular. I guess that means most on NNTP are full of it most of the time.
:
: You're nitpicking again.

Most to me means more than 50%. If you're going to say most, then you
need facts to back it up. Using most just to make it sound colorful is
lying. We'll call it exaggerating if you want. If you prepend it with, "I
believe..." then that means you are saying you don't know for sure, but it
makes logical sense to you that...blah blah blah. In that case, I have no
argument. I take issue with what you say and how you say it. It's not a
good argument to quote facts if you don't support them. How can that be
nitpicking?

: OK, if it pleases you, change the word "most" with
: "many."

Fine. How many? Many, in db terms, means more than one. So, you're saying
more than one? Two is more than one. Three is more than one. While two
may be a couple and three may be a few, what is four? Is four many? Many
is vague and relative to some number. Why not just say, "I believe..."?

: You still haven't done anything to refute my actual argument.

Your argument is purely conjecture of marketing. You've shown no facts and
no support for your statements.

: Many people say "Microsoft can't give us a way to disable feature X, because
: some people use that."

Some people do that. Now, which people say that? What is their goal or
agenda? Are they an open source advocate looking for attention? Are they a
legitimate customer? What is their level of aptitude with computer
technology, desktop/server OSs, troubleshooting abilities, etc.?

In the 80s, I had a guy say to me when I was trying to sell him Excel over
Lotus 1-2-3. "Oh, I'll never use all that. I just want it to do this." I
said, "Well, you have 3 options. 1. You can purchase Lotus 1-2-3 which
will not do 100% of everything you want it to do. 2. You can purchase Excel
for the same price which will do that and more. 3. You can write your own
to do only what you want. Unless you're a programmer, I'd opt for option 2
which will give you the best value for your money." What happened? He
purchased Lotus 1-2-3 because he wanted to do it his way. Three days later
he brought it back, swapped it for Excel, the full version of Windows, a
mouse, mouse pad and a box of diskettes.

You're giving the same argument and you have three choices.

1. Use an OS other than Windows and related applications.
2. Use Windows and its applications.
3. Write your own.

Until you're ready to switch to something you will be happier with, you're
just bitching. Take a stand and follow through. I understand that's not
something you're wanting to consider but consider this. I'm running roughly
the same thing you are and I'm not infected, not compromised and yet I get
attempts all day long.

I've learned to pick my battles. I've also learned some things cannot be
changed by one person. IF is a very big word. I would be happiest if
MSFT would do just one thing. Give me full access to everything loading
with an option to pause, ignore, delete, modify on the fly during the boot.
Work with the hardware manufacturers and require it to work with a manual
hardware device that is not electronic. Mac used to have one. It was
called the programmers switch and it was made out of plastic! It didn't do
everything I just listed but it did let me use that with an application
written by ICOM Simulations to view applications in memory, while running,
forwards and backwards. Pretty cool.

: Well, that's a truly terrible argument. Leaving
: everything enabled by default is how we got into this security mess in the
: first place.

Then MSFT started disabling things by default and a lot of the community
bitched. Some people cannot be pleased.

: > : Giving users a way to disable IE, and/or making IE disabled by default,
: > : doesn't hurt those vendors at all really.
: >
: > IE is part of the OS. Perhaps you'd just like a big list of enable/disable
: > everything in an OS available to everyone. Would that make it easy? Fine.
: > Run this app: regedit.exe.
:
: What is your point? Are you a troll? This statement makes no sense.

Ah, personal attacks when you run out of argument. If you want to make some
modifications that you cannot easily do in the GUI, the registry is your
friend. Sorry it makes no sense to you as much as it does to me.

: Me: I don't want IE to be integrated with the OS any more.
: You: You can't do that, because IE is integrated with the OS.

Then write your own! You can call it MY IE, IE IE, IE... my sharona...

: > MSDE is a security risk? Since when is an app responsible for the primary
: > security of a system? What security model are you using?
:
: Yes, MSDE is a security risk. You've heard of SQL Slammer?

SQL Slammer which was a DoS attack on a buffer overflow in MS SQL and MSDE?
So, your argument is that any app that could potentially have a buffer
overflow should not be installed? Considering buffer overflows come from C,
any app then written in C could be dangerous and therefore not installed.

: MSDE replicates many of the features of SQL Server, including listening for
: inbound connections.

Do you know what MSDE is? Yes, that's right, SQL Server. DE = Developer's
Edition (desktop engine)

: It sounds like you're arguing that SQL Server is "just
: an app"

Not sure what "just an app" is. MSDE is an application server.

: and it shouldn't have any security features,

Like what?

: all the security features should be built into the Windows core. That
: argument doesn't make any sense to me.

No. I think the Windows core should deal with just that, core issues. MSFT
has a security product.

: > : I'm not saying that Mozilla is more secure than MSHTML, nor do I really
: > : believe that. I *am* saying that Windows is less secure because you can't
: > : disable powerful and risky components you aren't using, like MSHTML.
: >
: > Security shouldn't begin and end with your app.
:
: Well, you said that IE is part of the OS, so we're not talking about an app,
: but the OS.

Security shouldn't begin and end with your OS.

: > : > > WSH that made the iloveyou virus and others possible gets
: > : > > reinstalled by a variety of install programs.
: > : >
: > : > Which is alleviated when using anti-virus software with script
: > : > blocking/scanning.
: >
: > Which was never possible if you practiced safe computing.
:
: Relying on user practices to keep the OS secure is pretty weak and
: ineffectual, especially in an enterprise.

Oh puhleease. Anyone allowing the users to make decisions in an enterprise
environment is an idiot or working for one. Your users are your biggest
threat.

: Blaming the user doesn't help
: here, especially when a simple change in the OS would have mitigated the
: problem.

Blaming the OS doesn't help here when educating the user would have
mitigated the problem.

: Maybe you weren't around during the ILOVEYOU virus/worm, but an awful lot of
: large and small enterprises were affected by it.

Considering I've been in the computer industry since 1979, I'd say you've
missed that one by a hair.

: > : None of that does anything whatsoever to block VBS files that arrive via
: > : NetBIOS file share, P2P, from a .ZIP file, by an attacker putting it onto
: > : the computer, etc. etc.
: >
: > P2P? Why would you allow peer-peer in a domain model? Why is the share
: > open? How does a vbs in a zip hurt you? Why is the system that is allowed
: > to have access to your open as a sieve system not secure and running AV that
: > will scan the zip? Ever hear of IPSec?
: >
: > Is this how it works? Just forget all security matters and discuss
: > possibilities that have no security applied whatsoever?
:
: No, you've misread my entire statement. Netbios viruses don't just spread
: via unsecured shares.

I've never heard of a NetBIOS virus. Perhaps you're not referring to a
virus?!

: IPsec does nothing to protect someone who uses
: Explorer to browse the X: drive and encounters a virus file there.

How does anyone connect remotely when IPSec restricts it?

: P2P
: would primarily be used at home environments, I didn't say it was used in
: corporate environments.

You're right. You didn't say. It's not very clear because of the blend of
home/corporate statements.

: > : That doesn't sway me either. I never said WSH or IE should be disabled by
: > : Microsoft post-Windows install, nor will it. It should be disabled in the
: > : default installation and be disable-able by Group Policy.
: >
: > Group policy? How many home users are familiar with Group Policy?
:
: As you said earlier, how many home users do you know? If you won't let me
: make assumptions about home use, then neither can you.

I asked a question. Where do you see an assumption in my question?

: Why do you assume I'm talking only about home users in some sections and
: only about corporate users in other sections?

Because you mentioned both with no clear distinction between the two.

: > : I meant that while it may or may not be possible to disable some of these
: > : via Group Policy, you either have to download and import a MS template to
: > : do so, or write your own template to do so. It shouldn't be this hard to do
: > : something that to me seems so natural... e.g. disable functionality you
: > : don't need or use, both on a single system and remotely across a large
: > : enterprise. By "button," I meant a GUI object, such as a checkbox in a GP
: > : MMC console.
: >
: > Some things are not easily done for several reasons:
: >
: > 1. They're dangerous. N00bs shouldn't have easy access. Easy access +
: > ignorance = support call
:
: Like you said, putting a checkbox into group policy is not easy access for
: "n00bs."

I didn't say that, you did. Obviously clicking a checkbox is an easy task.
I could teach my dog to do it. She's really smart BTW. Educating the user
re: group policies, how to get into it, where to go in it, why they should
do it here and explaining what each feature is, even though it is listed
right on the screen and then giving the confidence of what they just did
won't affect them being able to chat in Yahoo Messenger would not be
trivial.

: > 2. If you can change it easily, so can your attacker.
:
: Like you said earlier, "If they can change group policy, they already have
: access!!!"

You chose group policy. Look, I consider doing anything on the computer
relatively simple. It's knowledge of what you're doing, what is affected,
knowing if that is enough and what to do in case it fails that makes it
difficult and what separates the capable, the incapable and skeered.

There are 3 types of people in the world...
.... those that make things happen
.... those that watch things happen
.... those that wonder what happened.

I should probably add a 4th...
.... those that just bitch!

but that's usually spread across 2 and 3.

Your argument assumes proper security measures are not in place and in
response to me you've listed one buffer overflow.

-- 
Roland Hall
/* This information is distributed in the hope that it will be useful, but 
without any warranty; without even the implied warranty of merchantability 
or fitness for a particular purpose. */
Online Support for IT Professionals - 
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS: 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS: 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
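The allow-list rule from the post above (six to ten digits, nothing else), written out as an added Python example that is not part of the original thread: the allow-list check sits beside the "strip out every character you don't want" approach the post argues against, and beside a commonly written regex that is anchored but still leaky. All sample inputs are constructed.

```python
import re

# Allow-list: exactly the shape the field is defined to accept, nothing else.
# [0-9] rather than \d so non-ASCII digits are rejected, and fullmatch so a
# trailing newline cannot slip past the way it does with a $ anchor.
ALLOWED = re.compile(r"[0-9]{6,10}")

def allow_list_valid(value: str) -> bool:
    """Accept only 6-10 ASCII digits; anything else is rejected outright."""
    return ALLOWED.fullmatch(value) is not None

def naive_valid(value: str) -> bool:
    """The anchored regex people usually write first. Still leaky: in Python 3
    \\d matches any Unicode decimal digit, and $ matches before a final newline."""
    return re.match(r"^\d{6,10}$", value) is not None

# Deny-list: remove a hand-picked set of bad characters and keep the rest.
# It can only strip what its author thought of; it never checks length or shape.
UNWANTED = "<>'\";-"

def deny_list_clean(value: str) -> str:
    return "".join(ch for ch in value if ch not in UNWANTED)

# Constructed sample inputs paired with the verdict the field definition demands.
SAMPLES = {
    "123456": True,
    "1234567890": True,
    "12345": False,             # too short
    "12345678901": False,       # too long
    "12345'--": False,          # quote and comment characters
    "123456\n": False,          # trailing newline
    "\u0661\u0662\u0663\u0664\u0665\u0666": False,  # Arabic-Indic digits
    "123 456": False,           # embedded space
}

def deny_list_survivors() -> set:
    """Inputs that must be rejected but pass the deny-list untouched."""
    return {v for v, ok in SAMPLES.items() if not ok and deny_list_clean(v) == v}

def naive_false_accepts() -> set:
    """Inputs that must be rejected but the anchored \\d regex accepts."""
    return {v for v, ok in SAMPLES.items() if not ok and naive_valid(v)}

if __name__ == "__main__":
    for v, ok in SAMPLES.items():
        print(repr(v), "allow-list:", allow_list_valid(v), "expected:", ok)
    print("deny-list lets through:", deny_list_survivors())
    print("naive regex accepts:", naive_false_accepts())
```

Run it and the allow-list agrees with the expected verdict on every input, while the deny-list passes five of the six bad values and the anchored `\d` regex still accepts the newline and non-ASCII digit cases.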