Re: Cryptogram Comment
From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: 08/15/04
Date: Sun, 15 Aug 2004 04:45:41 GMT
Undisclosed wrote:
> Tom, do you bother to read your firewall or IDS logs?
I don't have a firewall. I have a NAT and I rely on it not to be an
insecure POS [yes it has latest firmware...]
> the majority of the people or worms who attempt to scan or fire exploits
> at my home systems are on Windows systems, most of which are probably
> unpatched and 0wned.
So?
> have you ever had to disinfect or maybe even reinstall M$ software for
> family and relatives that were in all likelihood infected from other
> 0wned machines? Or had to go through setting up basic security for their
> machines?
Most of my family/friends either run Gentoo Linux or are smart enough not to
bother me with Windows questions. So this is largely moot.
Most of my friends with messed up XP installs either do it themselves [e.g.
run every game/tool/keygen/etc they can find] or run pirated copies of
tools which are usually beta/unpatched/etc. So I don't care if their
machines are broken.
> if we move to "just patching legit machines", we'll still have a huge
> amount of infected pirated machines out there.
So? They should take a hint and be more responsible for their computer.
> unpatched 0wned Windows machines are a huge threat to everyone on the
> Internet, if for DoS possibilities alone.
So? And this is Microsoft's fault? An unpatched Linux box can be just as
dangerous. So do we hold Linus personally responsible for an unpatched
2.2.0 box?
> there are botnets of infected Windows machines that are up to 100,000
> machines in size.
So?
> someone having a botnet of 10,000 machines is not even out of the
> ordinary.
So?
> want to know what aiming that army at the root DNS servers would do?
And how is any of this relevant to the idea that Windows should support
unlicensed users?
<snip>
> the fact we have this state of affairs is manifestly and clearly
> Microsoft's fault.
It clearly is not. Most if not all recent "outbreaks" are the result of a
CLEARLY DOCUMENTED BUG with a FIX that people are just TOO LAZY to apply.
This isn't a problem solely of Windows. I routinely rebuild and update
software on my Gentoo box. Everything from new browsers to new support
libs [like the recent libpng bug].
The problem with zombies is CLEARLY the end users who just don't maintain
their boxes.
> hell, I could even see cutting them some slack if they really tried, but
> MS has been willfully and knowingly blind to security for years, and
> this situation could have been prevented, or at least greatly reduced, a long
> time ago.
I don't pretend to support Microsoft. I think their software is ***. That
being said I run a Windows laptop which I've plugged into hostile networks
before and I've never been infected with any crap that I see people at my
college ROUTINELY get [like that damn blaster worm].
You can make a Windows box relatively safe. Just the users are too lazy to
do so. It's just so easy to buy a Dell and never update it for the 7 years
you'll run it....
> when Bruce sells software whose infamous record of insecurity could
> bring down the Internet as we know it and knowingly fails to do due
> diligence with his software or algorithms... well, then he is
> responsible for issuing free patches.
Free patches to his customers. Why would Bruce offer patches to people who
pirate his software?
> otherwise your analogy is specious.
I don't see why. It makes perfect sense. Should Ford now do warranty fixes
on stolen cars/trucks? Should a landlord do repairs to rooms people squat
in? etc...
Clearly not. I mean an unmaintained Ford truck could be deadly. So by your
logic Ford should repair it for the "good of mankind". Except we don't
live in fantasy "everyone is nice" world. Support costs money.
> I absolutely agree that MS has no legal requirement to make the patches
> available.
What are you talking about? I think MS is legally obliged to make the
patches available. I just think that means to PAYING CUSTOMERS.
> MS has $50 billion in the bank and a license to print money with the
> Windows and Office monopolies.
>
> this is not going to hurt them financially in the slightest.
It sets a dangerous precedent if people are forced to support people who
wrong them though. I mean I might as well steal your piano then force you
to pay for lessons. Or I'll steal your DVD player and force you to pay for
rentals so I can use it ... or...
BTW what's with replying with such a huge delay?
Tom