> Hey Microsoft -- this would be a HINT for inbound type files:
> $ chmod 700 a.exe
Similarly, deny Execute permissions in %temp% to regular users and even power users with NTFS permissions. Sure this isn't done by default, but it only needs to be set once.
In a corporate environment under Win2K or XP, you can deny Execute permissions for the entire Documents and Settings folder, where each user's %temp% is stored, and also for %systemroot%\temp if you actually still run 16-bit programs.
I've said this before and I'll say it again. Run a current version of Windows and run your programs as a regular user, not as a "power user" or as "administrator."
Then the evil e-cards can't overwrite wmplayer.exe or anythingelse.exe because regular users don't have write access to the Windows directory or the Program Files directory, where they're stored.
The same thing can happen to an idiot running Mozilla under Linux as root, or running Opera under BSD as root. Everyone here keeps missing the underlying problem because of their anti-M$ bias. Get a clue, folks. If you do stupid stuff as root you're going to break your machine no matter what OS it runs.
Win98 is supposed to be gone, or no longer supported.
Assuming that, and that your WinLusers are running current versions of Windows with actual security, and they're running as regular users, a web page CAN'T overwrite anything because regular users don't have write permissions in %systemroot% or in Program Files.
Problem solved. Without a script blocker or any other third-party garbage.
Don't write me off as completely pro-Microsoft though - I'm still running WMP 6.4. As long as the WM9 and earlier codecs work for 6.4 and later, why upgrade?
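The %temp% change the comment describes, done from an elevated PowerShell prompt. This is an added example, not code from the original post. It assumes NTFS and icacls.exe (Vista / Server 2003 SP2 and later; on Win2K/XP the same ACE is set from the folder's Security tab), and the function and probe file names are made up here.

```powershell
# Added example, not from the original post. Denies Execute on files under a
# temp folder for the ordinary user groups, then checks that a new file
# inherits the deny. Assumes NTFS, an elevated prompt and icacls.exe.

function Add-DenyExecuteAce {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Principals = @('BUILTIN\Users', 'BUILTIN\Power Users')
    )
    foreach ($p in $Principals) {
        # (OI)(IO)(X): object-inherit, inherit-only. The deny lands on files
        # created under $Path but not on the folder itself, so traversal and
        # normal file writes keep working; only execution is refused.
        & icacls.exe $Path /deny "${p}:(OI)(IO)(X)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed for $p (exit $LASTEXITCODE)" }
    }
}

function Test-ExecuteDenied {
    param([Parameter(Mandatory)] [string] $Path)
    # Drop a placeholder file and read its ACEs back. A file that inherited
    # the deny shows an entry such as  BUILTIN\Users:(I)(DENY)(X)
    $probe = Join-Path $Path ('probe-{0}.exe' -f [guid]::NewGuid())
    Set-Content -Path $probe -Value 'placeholder, not a real executable'
    try {
        $acl = & icacls.exe $probe
        return (($acl -join "`n") -match '\(DENY\)\(X\)')
    } finally {
        Remove-Item -Path $probe -Force
    }
}

Add-DenyExecuteAce -Path $env:TEMP
if (Test-ExecuteDenied -Path $env:TEMP) {
    'Execute is denied on new files in {0}' -f $env:TEMP
} else {
    throw 'deny ACE did not propagate to a new file'
}
```

Two caveats a practitioner would want: the deny covers FILE_EXECUTE, so a dropped .exe will not start, but a .bat or .vbs is merely read by its interpreter and still runs; and a user owns his own profile's Temp folder, so code already running as that user can strip the deny ACE again. It stops the common drop-and-run case, and in a domain the same ACE is better applied through Group Policy file-system security so it is reapplied at every policy refresh.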
Don't discount that KB article. I've used site whitelisting (Trusted Sites) since IE4 and website designers are designing for it.
When a site puts all of its servers in the same second-level or third-level domain name (microsoft.com or lpl.mb.ca for instance) you can add the entire domain to Trusted Sites, and get all of that site's functionality without exposing your browser to abuse by scripts on other sites, i.e. banner advertisers.
Microsoft forgot to mention that wildcards work in Trusted Sites too. If you turn off "Require HTTPS" you can add "*.microsoft.com" without a specific protocol (like http:// etc).
The only multi-domain example I can think of is Hotmail, and that requires the following entries in Trusted Sites:
*.hotmail.com or *.hotmail.(your ccTLD if valid)
*.passport.com
*.passport.net
When combined with MSN Messenger you need to add:
*.msn.com
That might sound scary, but really, it's not going to break your browser or submit control to The Bill Net.
What equivalent functionality exists for Netscape 7, Opera, etc?
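The same Trusted Sites list, written straight to the registry keys IE reads, so it can go in a login script instead of being typed into the dialog. This is an added example, not from the original post. It assumes IE's per-user ZoneMap under HKCU, that "Require server verification (https:)" has been unchecked as the comment describes so a protocol-less entry is honoured, and mybank.com is a placeholder domain.

```powershell
# Added example, not from the original post. Writes Trusted Sites entries
# (zone 2) for whole domains, and disables Active scripting in the Internet
# zone, through the registry keys IE reads. Current user only.

$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Trusted = 2   # zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted

function Add-TrustedDomain {
    param(
        [Parameter(Mandatory)] [string] $Domain,  # 'hotmail.com' covers *.hotmail.com
        [string] $HostName = $null,               # 'www' narrows it to www.hotmail.com
        [string] $Scheme   = '*'                  # '*' (any protocol), 'http' or 'https'
    )
    $key = Join-Path $ZoneMap $Domain
    if ($HostName) { $key = Join-Path $key $HostName }
    New-Item -Path $key -Force | Out-Null
    # Value name = scheme, DWORD data = zone id. That is all a ZoneMap entry is.
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Trusted -Force | Out-Null
}

# The Hotmail + Passport + MSN Messenger set from the comment above.
foreach ($d in 'hotmail.com', 'passport.com', 'passport.net', 'msn.com') {
    Add-TrustedDomain -Domain $d
}
# A bank trusted over HTTPS only: same data, but the value is named 'https'.
Add-TrustedDomain -Domain 'mybank.com' -Scheme 'https'   # mybank.com is a placeholder

# Active scripting is action 1400: 0 = enable, 1 = prompt, 3 = disable.
# Turn it off for the Internet zone (3); Trusted Sites keeps its own setting.
Set-ItemProperty -Path (Join-Path $Zones '3') -Name '1400' -Type DWord -Value 3

# Read back what IE will see.
Get-ChildItem -Path $ZoneMap -Recurse | ForEach-Object {
    $key = $_
    foreach ($n in $key.GetValueNames()) {
        '{0}  [{1}] -> zone {2}' -f $key.Name, $n, $key.GetValue($n)
    }
}
```

These keys are per user. HKLM holds a parallel ZoneMap that applies to everyone on the machine once the Security_HKLM_only policy is set, which is the usual way to push a whitelist like this across a domain.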
Digital Pearl Harbor? The former Presidential Fearmonger should've trademarked that term back in 2000. He could've spared us from this abuse. Or maybe all of the fearmongers could've read this for some good material. Or something.
The author insults my intelligence by cheapening the memory of Pearl Harbor.
Having dealt with app developers who insisted on installing in C:\(appname) with no means to change the path, or using Windows Installer but not having a copy of the .msi image handy for the next user who logs on and uses their app (auto-repair), it boggles my mind that some developers, at least for Win32, can't code for security even though it's easy to do.
1) Write settings in HKEY_CURRENT_USER
2) Store user data and documents in %USERPROFILE% or whatever "My Documents" points to
3) Install in whatever the Registry says is the Program Files folder (not always C:\ by the way, guys!)
4) Store machine-specific stuff in %ALLUSERSPROFILE%, and if that returns "Access Denied," save it in %USERPROFILE% anyway
5) If you install from the web and use MSI images, store a copy of the .msi somewhere convenient like your install directory, so restricted users can run the MSI auto-repair facility if needed (MSN Messenger does this)
I'm sure I can think of a few others. Hell, it's possible to make QUAKE (All versions!) multi-user and restricted-user-safe. If that's possible, then making your application multi-user and restricted-user-safe is possible too. And you won't be giving folks like me a headache.
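Steps 1 to 5 put together for a hypothetical application, as an added example that is not from the original post. The application name ExampleApp and the value and file names are placeholders; the registry value ProgramFilesDir under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion is the real one. It is written as PowerShell so it can be tried while logged on as a restricted user, although an installer would do the same in C or a setup script.

```powershell
# Added example, not from the original post. A first-run routine for a
# hypothetical "ExampleApp" that follows the five rules above, so it keeps
# working for a restricted user. Names below are placeholders.

$AppName = 'ExampleApp'

# 3) Install location comes from the registry, never a hard-coded C:\.
function Get-ProgramFilesDir {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion').ProgramFilesDir
}

# 1) Per-user settings go under HKEY_CURRENT_USER, which a restricted user may write.
function Save-UserSetting {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] $Value)
    $key = "HKCU:\Software\$AppName"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $Name -Value $Value
}

# 2) Documents go under the profile's My Documents, not the install directory.
function Get-UserDataDir {
    $dir = Join-Path ([Environment]::GetFolderPath('MyDocuments')) $AppName
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $dir
}

# 4) Machine-wide data goes under %ALLUSERSPROFILE%; on Access Denied fall
#    back to the user's own profile instead of failing.
function Save-SharedData {
    param([Parameter(Mandatory)] [string] $FileName, [Parameter(Mandatory)] [string] $Content)
    $shared = Join-Path $env:ALLUSERSPROFILE $AppName
    $local  = Join-Path $env:USERPROFILE    $AppName
    foreach ($dir in $shared, $local) {
        try {
            New-Item -ItemType Directory -Path $dir -Force -ErrorAction Stop | Out-Null
            $path = Join-Path $dir $FileName
            Set-Content -Path $path -Value $Content -ErrorAction Stop
            return $path
        } catch [System.UnauthorizedAccessException] {
            continue   # no write access here; try the next location
        }
    }
    throw "could not write $FileName to either $shared or $local"
}

# 5) Keep the .msi beside the install so Windows Installer's auto-repair
#    (msiexec /f) can find it for the next user who logs on.
function Get-RepairSource {
    Join-Path (Join-Path (Get-ProgramFilesDir) $AppName) "$AppName.msi"
}

Save-UserSetting -Name 'LastRun' -Value (Get-Date).ToString('s')
'user data dir : {0}' -f (Get-UserDataDir)
'shared data   : {0}' -f (Save-SharedData -FileName 'machine.cfg' -Content 'placeholder')
'repair source : {0}' -f (Get-RepairSource)
```

Run it once as an administrator and once as a restricted user: the per-user pieces land in the same places both times, and the only difference is where Save-SharedData ends up writing.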
So does this make Nokia the next Microsoft for releasing an insecure OS for cell phones? After all, Nokia's only giving their customers what they want, right?
Their phones and the games that run on them are becoming ubiquitous. Does this sound familiar to anyone? Come on, this HAS to sound familiar. And I'm led to understand that some non-Nokia phones can run Nokia software.
I guess their customers, like Microsoft's customers, have little or no regard for security. I suppose we'll start seeing McAfee for cell phones soon, and it will only be able to catch new cell phone viruses after the fact. But that doesn't matter because McAfee will continue to get fat from selling update subscriptions, and carriers will get fat from the extra air time used to download them. Everyone wins... except the hapless customer. But hey, it was what the hapless customer wanted, right?
You turned off Scripting for all but "trusted sites," long ago, right? I did. Your users run IE as restricted users, right? Mine do. You used firewalls to block SMB Messenger pop-ups long ago, and indirectly saved your company from Blaster and Welchia before the fact, right? I did.
Or you just dumped Microsoft and made all of your company's staff use Linux or BSD long before the fact, right? And you caught Ramen, Lion, Lindoze and those other dangerous Linux viruses before the fact, right?
Or were you caught with your pants down?
If one of these exploits affects one of the PCs in your care, YOU are the one to blame for letting it through. Not your anti-virus software vendor, not your operating system software vendor, not your firewall vendor. You might think it's not your fault, but will your boss believe you?
Let's taunt the Microsoft bashers... again (comment on "20 Years of Virii")
"The Internet itself is the true 'common' threat, not Microsoft. You can't blame Bill Gates for the success of a Linux worm... "
-- Rob Rosenberger
That statement says Microsoft supports imaged copies of specific versions of Windows that also use the Sysprep utility.
It also has the side effect of making sure you have all of your OS licenses. Or is that a problem?:-p
Sysprep is your friend if you have a pile of apps and want to reinstall multiple copies of them quickly. I use Symantec Ghost myself, and the image in question has Win2K, Office 2K, a bunch of 16-bit apps, Acrobat Reader, a bunch of 32-bit apps to go with said 16-bit apps, IE6, and other stuff I forget or don't want to disclose at this time, and Sysprep makes these all imageable.
In that sense it doesn't matter WHAT imaging software you use to make a mass copy of Windows, as long as you Sysprep it before the fact.
As for disaster recovery backups of a single workstation, the included NTBACKUP still is tried and true. Though I liked the NT4 version better than the Win2K version.
If you want to sue someone, how about the idiots that bother to open the attachments, or scream at Microsoft for putting in the best anti-virus software they could make into Outlook 2K - the inability to open executables in e-mail? Or who scream at the admins who install the updates?
> Spam.com: Hello, [mta.com], [realhost.com] has mail to send.
> Mta.com: (resolves 'realhost.com')
> Mta.com: Hello, [realhost.com]; you have mail to send me.
> Realhost.com: [Mta.com], I don't have any mail to send you.
Sounds like DMP:
http://www.pan-am.ca/dmp/
This has been in development for five months and will be submitted to the RFC editor later this week.
Having not read the Bandlink website, if I were going to design something like this, I'd do it thusly, assuming a Win32 (9x/ME/NT/2K/XP) machine:
* The data track would be the last track on the disk, not the first as most combination CDs are, so playing in a normal CD player wouldn't alert the user. Al Yankovic's Running With Scissors CD is one such disk.
* The autorun program would launch the default CD player (either by doing a "start (trackno).cda" or by poking in the Registry to find out what the player is), thereby not triggering any installation monitors.
* The program would then monitor the CD-ROM device somehow, through ASPI or a similar interface (NT SCSI direct like NTBACKUP uses?) so it knows what tracks are being played regardless of what software's playing them.
* Phone home to a host answering on Port 80, which no one blocks anyway.
It could be defeated by using a digital read/playback CD player as the default, like Windows Media Player's, but WMP's so abusable it's not funny. And even then a CD-ROM monitor could pick up what track is being read if not played.
I don't run any ad blocking software, but I do two things to avoid this waste of bandwidth:
* Use the "trusted sites" zone in IE5 to list sites and even whole domains whose scripts I'll allow to run, such as "https://*.mybank.com/", and then turn off all scripting for the other zones.
* Run a local proxy server that refuses to serve certain URLs, such as "http://*/ads/*". I have a pretty long list of URL patterns now.
The 1wrestling.com site comes up ok on this setup - probably because the Javascript that looks for ad blockers doesn't run. :-) Mind you, some sites now refuse to load any content unless you enable Javascript, but that's a clue that they're full of bandwidth-wasting garbage and not worth my time anyway. The proxy would be hard to defeat unless some of the scripts can look for cookies set by some of the banner sites.
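The proxy's URL refusal logic on its own, as an added example that is not from the original post. The pattern list, the sample URLs and the function names are constructed for the example; the pattern syntax is the comment's, with '*' matching any run of characters. A real proxy would call Test-BlockedUrl for each request and answer 403 or a blank image.

```powershell
# Added example, not from the original post. Turns wildcard URL patterns of
# the form http://*/ads/* into anchored regexes and runs a few constructed
# URLs through them. Patterns and URLs are made up for the example.

$BlockPatterns = @(
    'http://*/ads/*',
    'http://*/banner*',
    'http://ads.*/*',
    'http://*.doubleclick.net/*'   # hostname wildcard
)

function ConvertTo-PatternRegex {
    param([Parameter(Mandatory)] [string] $Pattern)
    # Escape every metacharacter, then turn the escaped '\*' back into '.*'.
    '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
}

$compiled = $BlockPatterns | ForEach-Object {
    New-Object System.Text.RegularExpressions.Regex -ArgumentList (ConvertTo-PatternRegex $_), 'IgnoreCase'
}

function Test-BlockedUrl {
    param([Parameter(Mandatory)] [string] $Url)
    foreach ($re in $compiled) {
        if ($re.IsMatch($Url)) { return $true }
    }
    return $false
}

# Constructed sample requests; the expected verdict is in each comment.
$samples = @(
    'http://www.example.com/ads/top.gif',          # BLOCK: /ads/ in the path
    'http://www.example.com/news/index.html',      # allow
    'http://ads.example.net/serve?id=1',           # BLOCK: ads.* host
    'http://ad.doubleclick.net/adj/x',             # BLOCK: *.doubleclick.net
    'https://www.example.com/ads/top.gif',         # allow: patterns say http:// only
    'http://www.example.com/downloads/bannerless'  # BLOCK: banner* is a prefix match
)
foreach ($u in $samples) {
    $verdict = if (Test-BlockedUrl $u) { 'BLOCK' } else { 'allow' }
    '{0,-6} {1}' -f $verdict, $u
}
```

The last two samples show the two things to watch for with a list like this: patterns written with http:// say nothing about https:// requests, and a bare banner* also catches /downloads/bannerless, so broad patterns need a look at the proxy log now and then.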
There was a mention of using a VPN scheme to secure your wireless LAN, which would be fine to protect your own data but still allows 'visitors' to piggyback their own networks on top of yours. This still allows the 'visitor' to take an IP address from your DHCP server and talk to the other machines.
This thought might not solve the piggyback problem but it might go a step further in securing your data. Use a PPPoE server (such as a Win2K box running RASPPPoE) to hand out network addresses and require all your clients to connect using some form of PPPoE (again, such as RASPPPoE) which can be reasonably protected using MD5 CHAP for passwords and encrypted packets.
The only thing exposed then are MAC addresses, so 'visitors' could still piggyback their own network on top of yours, but they're not taking up IP addresses or able to see *anything* on your network except other MAC addresses.
And if you wanted to be really smart you could have a probe program (too bad one doesn't exist yet) that could compare a MAC address to a matching PPPoE connection, say every ten minutes. If a MAC address doesn't have a corresponding PPPoE connection, it's blacklisted for a while and the port is freed for a legitimate client.
No joke. I installed the 30-day trial version of VirusScan 6 so I could clean out viruses from two friends' machines. I hooked up their HDs to my system and removed the viruses they had. Then I went to uninstall it and couldn't. "This software could not be uninstalled," or some such thing. It seemed to lose the information needed on how to uninstall itself.
Then it started pestering me about every file I tried to open. "This installation of virusscan has expired." I tried disabling their services in the Services panel. That worked some but then I wanted to get rid of the "scan for viruses" menus. I tried reinstalling - it wouldn't reinstall, not because it had expired, but because it couldn't find the original files to replace. Presumably one of the "updates" corrupted both the uninstaller and any ability to reinstall so I could uninstall.
While the machine was still working, I didn't appreciate seeing 'Preparing to install...' three times before viewing any website. I got sick of it. FORMAT C:.
OK not quite, but I did rename my winnt and program files folders and reinstalled.
Up to that point, my Win2K installation was running without incident since early Spring 2001. Not one reinstall, not one registry hack, not one virus. It took antivirus software to mess up my installation. Thanks McAfee. Where do I send the bill?
Geez, even MS Outlook SR2 has better antivirus protection. It doesn't allow you to even *see* executables, never mind run them or automagically open them when you open the e-mail, and you *can't disable that.* Echoes of "scanprot"[1] ring through my mind.
[1] This was the name of a document that MS released which contained a macro to disable running other macros in .doc files. Later on, MS Word 95 and all versions of Word since then had a switch to disable macros built in. That makes it twice that MS provided better antivirus protection than the antivirus companies.
> Have anti-virus software installed that checks every 2 or 3 hours for updates.
OK, so how long before you recommend to admins that they update every hour? Or require continuous persistent updating?
Not only is there not enough bandwidth at an admin's site to handle the anti-virus updates alone (never mind vendor patches), the anti-virus firms don't have enough bandwidth to service all those admins all at once.
Depending on the kind of customers you're trying to attract, you could develop an ISP that purely delivered connectivity and attract geeks who will be grateful for the open window to the net.
Or you could develop a full kit so that even Your Mom[tm] could set it up and use it.
Or you could try something in between. Or offer more than one type of service. Or whatever you want.
Keep in mind that the remaining market in most cities consists of new people who barely know what a Start Button is on their screen. If you want to get lots of customers you'll have to cater to this crowd and support them a little. AOL might be filled with idiots, but those idiots are paying customers. It's because their kit is almost idiot proof, and it took them seven editions to get there.
I'm not sure how an audio/video site can afford to store all their content three times over, and while we're at it different bit rates too, so the 56kinda people can use it.
What I'd like to see is something that could encode a media clip in realtime as the user downloads it for whatever player they're using. Pretty far fetched, admittedly, having converted stuff between formats before (and having uncompressed and then recompressed it) but is storage more expensive than CPU time?
...and if I was stupid enough to actually install the crapware the strange website/email/stranger gave me.
heh heh heh
We accept everything by default. Important capabilities like mail forwarding rely on it. It's time to change that.
Sure it isn't needed, but it sure seems everyone has a toolbar they want us to install. Google included.
"Even if it turns out that the writer is a Linux fanatic, you can't hold the whole community responsible for the actions of one individual."
"It shows once again that windows is a virus ridden insecure platform."
Maybe you can't hold a whole community responsible for something, but you can sure hold another community responsible for it.
If you're one of those /. readers running your own mail server because your ISP's mail server sucks, re-read your ISP's terms of service some time.
And then pay $US100/month for static IP and permission to run a server. Then AOL won't block you anymore.
Do you use Ximian instead of Outlook? Beware.
http://www.vmyths.com/rant.cfm?id=376&page=4
http://www.vmyths.com/rant.cfm?id=321&page=4
I think Rob Rosenberger described it best.