Re: Cryptogram Comment
From: Undisclosed (nomail_at_dontbeaweaselspammer.com)
Date: 08/15/04
- Next message: Undisclosed: "Math for crypto?"
- Previous message: Undisclosed: "what are best resources on cryptanalysis?"
- Next in thread: Tom St Denis: "Re: Cryptogram Comment"
- Reply: Tom St Denis: "Re: Cryptogram Comment"
- Reply: John Savard: "Re: Cryptogram Comment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 14 Aug 2004 22:53:51 -0400
Tom St Denis wrote:
> [I emailed a similar message to Bruce himself but I figure I'll pick on him
> here as well].
>
> In his latest Cryptogram Bruce took up the position on the WinXP SP2 patches
> that it was Microsoft's duty to provide the patches for all WinXP users
> [licensed and unlicensed]. Citing that the security and well being of the
> Internet depends on it. As if Microsoft, a for-profit entity, is
> responsible for the well being of illegal installations.
>
> Let's not forget that if you run an unpatched computer [running any OS] wide
> open to the net that *you* are responsible for what happens not the OS
> vendor. The fact that Microsoft *does* provide patches to *paying*
> customers should be sufficient. Providing patches to non-paying customers
> just encourages them to never buy a copy [even though an OEM copy isn't
> that expensive].
>
> Well, fine. If private for-profit corporations must secure free-loading
> non-paying customers, I hereby, in public demand that Counterpane visit my
> house and audit my home network. I, of course, won't pay Counterpane but
> I'll demand it none the less.
>
> While I personally hate Windows [on various levels none of which have to do
> with their license policies] I find it rather trivial that such a
> mouthpiece could find it justified to fire off a quick snide remark without
> really giving it much thought [as to what it implies].
>
> Tom
Tom, do you bother to read your firewall or IDS logs?
the majority of the people or worms who attempt to scan or fire exploits
at my home systems are on Windows systems, most of which are probably
unpatched and 0wned.
have you ever had to disinfect or maybe even reinstall M$ software for
family and relatives that were in all likelihood infected from other
0wned machines? Or had to go through setting up basic security for their
machines?
if we move to "just patching legit machines", we'll still have a huge
amount of infected pirated machines out there.
unpatched 0wned Windows machines are a huge threat to everyone on the
Internet, if for DoS possibilities alone.
there are botnets of infected Windows machines that are up to 100,000
machines in size.
someone having a botnet of 10,000 machines is not even out of the ordinary.
want to know what aiming that army at the root DNS servers would do?
let's see, assume 256kbps up on average 0wned machine (probably a way
lowball estimate), 256k * 100,000 = 25,000 Mbps of bandwidth.
that's more than enough to choke the 16 root servers, ISP backbone
provider running a root DNS server be damned.
or maybe someone could do a distributive scan of the Net from the botnet
(hell, people have done basic decent mapping from a single-box slow
fiber-level connection with scanrand) to find all the proxies they
could want, and then use the botnet to start bouncing long chains of
traffic through and between different proxies, preferably chaining from
proxy to proxy.. tracking down the 100,000 machines to stop the flood
and shutting them off would be a REALLY fun job. Or alternatively, you
could shut down millions of proxies.
the fact we have this state of affairs is manifestly and clearly
Microsoft's fault.
hell, I could even see cutting them some slack if they really tried, but
MS has been willfully and knowingly blind to security for years, and
this situation could have been prevented, or at least greatly reduced, a long
time ago.
when Bruce sells software whose infamous record of insecurity could
bring down the Internet as we know it and knowingly fails to do due
diligence with his software or algorithms... well, then he is
responsible for issuing free patches.
otherwise your analogy is specious.
I absolutely agree that MS has no legal requirement to make the patches
available.
however, as a paying customer of MS (I use Windows along with several
other more pleasant OS's), they would be screwing ME if they did not
release the patches to improve the general health of the Internet.
MS has $50 billion in the bank and a license to print money with the
Windows and Office monopolies.
this is not going to hurt them financially in the slightest.