Trustworthy Computing inaction... Oops, of course I mean "in action"

[Mike Terenni]

x-no-archive: yes

Worm Blasts Windows Users Worldwide:
http://www.internetnews.com/dev-news/article.php/2247801

 

[Mike Terenni]

x-no-archive: yes

So, if I was out of town for three weeks, then came home and turned my
PC on and got blasted with this thing, it's my fault for not beaming in
from Europe just to check for new patches?

What was that argument again?

 

[JH]

Agreed. The fact that MS released operating systems with this massive of a
security hole in them is totally unacceptable, and they should receive 99%
of the blame.

This is looking like the most damaging virus yet, and seems at least right
now to be far worse than Lovebug. MS deserves a class action lawsuit to be
filed against them, because the shoddy security in products they release is
near criminal.

 

[EGMcCann]

Gee, ONE, way out of the way, "what if." Why not say "What if I were on Mir
for six months and couldn't do any updates?"

Most of these people AREN't network admins, AREN'T on a desert island for a
year, etc. They just couldn't be bothered to DOUBLE CLICK AN ICON when it
said "Updates are ready to be installed."

--
If you have to ask if your copy of XP is 32 or 64 bit, it's 32.
Getting Messenger popups? Turn on your firewall!
Patch from Microsoft:
http://tinyurl.com/h84v
More info from MS:
www.microsoft.com/security/incident/blast.asp

(Stolen with pride from Gary Thorn... thanks!)

 

[EGMcCann]

Yeah, just IGNORE the patch they put out A MONTH AGO.

--
If you have to ask if your copy of XP is 32 or 64 bit, it's 32.
Getting Messenger popups? Turn on your firewall!
Patch from Microsoft:
http://tinyurl.com/h84v
More info from MS:
www.microsoft.com/security/incident/blast.asp

(Stolen with pride from Gary Thorn... thanks!)

 

[Mike Terenni]

x-no-archive: yes

What if people are sick of installing updates every other day, and
hoping their systems aren't FUBAR afterward? I've had trouble with
several of the latest WinXP patches. Every one of them is a roll of the
dice, and I for one am damn sick of it.

Lots of home users fire up their PC every day or two, check their email,
and not much else. They don't even notice that stupid blue icon in the
tray, and even if they do, they don't know what it is. Now I *do* know
what it is, but I've worked on a hell of a lot of *other* machines, and
talked with their owners, and they have no clue.

"Did you know there were updates to install?"

"Huh?"

I am totally sick of the idiots who insist on double clicking every damn
attachment they get in their email, but this is a bit different,
wouldn't you say? The biggest vulnerability ever discovered in Windows?
One that has been around since WinNT4 was released?

Keep on blaming the victim.

 

[kurttrail]

The update has been on the Microsoft site since 16th July. Of
course, if folks don't bother to download and install it, what can
anyone do?

Cari
www.coribright.com

MS doesn't go looking for flaws, just waits till others find them first,
otherwise Windows Server 2003 wouldn't have need to be patched for this
too!

Apologize for MS, if that rocks your boat, but this buffer overrun has
been in Windows since NT4, and was released in MS's first OS that was
released under the banner of "Trustworthy Computing!"

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.kurttrail.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"

 

[Mike Terenni]

x-no-archive: yes

Yeah, just IGNORE the patch they put out A MONTH AGO.

What about right now? What if I needed to get the patch now? What if I
don't like Automatic Updates? I can't even access Windows Update right
now. The malware in question is committing a DoS attack against the
Windows Update servers.

 

[purplehaz]

Well first you can't get the virus by just turning on your computer. It gets
transmitted on kazza file sharing servers. So if you're out of town for
three weeks, when you get home, before firing up kazza to steal copyrighted
material you should goto windows update and install the updates. Windows
update should be done once a week or at least once every two weeks. That's
just a fact of computing(with any os, even linux and macs need patches). So
if your gone for that long, when you get back before you start downloading,
surfing, or checking email, goto windows update, get patched, and you're all
set.
So, yes it would be your fault in the situation you describe.
What was your argument again? (Cari was right on)

 

[Mike Terenni]

x-no-archive: yes

MS doesn't go looking for flaws, just waits till others find them
first, otherwise Windows Server 2003 wouldn't have need to be patched
for this too!

Apologize for MS, if that rocks your boat, but this buffer overrun has
been in Windows since NT4, and was released in MS's first OS that was
released under the banner of "Trustworthy Computing!"

I see nothing wrong with the "Trustworthy Computing" banner. Doesn't it
just mean "You can trust it to be insecure"?

 

[R. McCarty]

Patches are available outside of Windows Update by going
to the Microsoft Security Website.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
You can locate the specific bulletin and then download the
patch for your specific operating system and version.
I checked the above mentioned site a few moments ago and
it is still available.

 

[kurttrail]

Well first you can't get the virus by just turning on your computer.
It gets transmitted on kazza file sharing servers. So if you're out
of town for three weeks, when you get home, before firing up kazza to
steal copyrighted material you should goto windows update and install
the updates. Windows update should be done once a week or at least
once every two weeks. That's just a fact of computing(with any os,
even linux and macs need patches). So if your gone for that long,
when you get back before you start downloading, surfing, or checking
email, goto windows update, get patched, and you're all set.
So, yes it would be your fault in the situation you describe.
What was your argument again? (Cari was right on)

You can get it by just turning on your computer and connecting to the
internet, and stay connected for 25 minutes.

http://tech.msn.com/ip/msnart1000.asp

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.kurttrail.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"

 

[GSV Three Minds in a Can]

x-no-archive: yes

So, if I was out of town for three weeks, then came home and turned my
PC on and got blasted with this thing, it's my fault for not beaming in
from Europe just to check for new patches?

What was that argument again?

That would assume that you never bothered to have a firewall, as well as
not bothering to do the update (and it's more like 4 weeks).

 

[Nicholas]

A "prudent person" would always have a firewall enabled.
Those who had their firewall enabled, and had not yet downloaded
the security update, were unaffected by the worm.
--
Nicholas

--------------------------------------------------------------------------


| x-no-archive: yes
|
| So, if I was out of town for three weeks, then came home and turned my
| PC on and got blasted with this thing, it's my fault for not beaming in
| from Europe just to check for new patches?
|
| What was that argument again?

 

[Mike Terenni]

x-no-archive: yes

Well first you can't get the virus by just turning on your computer.
It gets transmitted on kazza file sharing servers. So if you're out
of town for three weeks, when you get home, before firing up kazza to
steal copyrighted material you should goto windows update and install
the updates. Windows update should be done once a week or at least
once every two weeks. That's just a fact of computing(with any os,
even linux and macs need patches). So if your gone for that long,
when you get back before you start downloading, surfing, or checking
email, goto windows update, get patched, and you're all set.
So, yes it would be your fault in the situation you describe.
What was your argument again? (Cari was right on)

I just tried to get to Windows Update, and I *can't*. This worm commits
a DoS attack against the WU servers, plus everyone else in the world is
trying to get this "patch that shouldn't be necessary". So, if I can't
access WU, I should just hang out and not use my system until I can?

But actually, you lost all credibility when you said "[Y]ou can't get
the virus by just turning on your computer. It gets transmitted on
kazza file sharing servers." What actually happens with the
vulnerability in question is that a malformed RPC message is sent to the
target machine. It has nothing to do with Kazaa. It *does* happen just
by being online.

 

[Nicholas]

A "prudent person" would always have a firewall enabled.
Those who had their firewall enabled, and had not yet downloaded
the security update, were unaffected by the worm.

--
Nicholas

-------------------------------------------------------------------------------------


| x-no-archive: yes
|
| What about right now? What if I needed to get the patch now? What if I
| don't like Automatic Updates? I can't even access Windows Update right
| now. The malware in question is committing a DoS attack against the
| Windows Update servers.

 

[purplehaz]

You can get it by just turning on your computer and connecting to the
internet, and stay connected for 25 minutes.

http://tech.msn.com/ip/msnart1000.asp

Ok, thanks for the info Kurt. But doesn't a firewall, which everyone should
have, keep you safe while you get the updates?

 

[Mike Terenni]

x-no-archive: yes

So, what if ZoneAlarm crashes on me? What if it was accidentally
misconfigured? What if I was running DMZ and forgot? What if some
malware disabled my firewall?

Some of these are easy to meet with "Then it's your fault!" replies, but
let's be honest here--we're all human. Should a simple slip of the mind
mean your system is FUBAR? I happen to think a firewall should be just
a second line of defense--with a solid OS being the first. The
Microsoft apologists seem to think that the entire oner is on the
customer. It's ridiculous.

 

[John Liebson]

The update has been on the Microsoft site since 16th July. Of course, if
folks don't bother to download and install it, what can anyone do?

Cari
www.coribright.com

Evidently people do NOT bother. For example, some twenty-five vehicle
license offices in Maryland shut down today due to the failure to
install the patch, according to one Google News report.

 

[kurttrail]

A "prudent person" would always have a firewall enabled.
Those who had their firewall enabled, and had not yet downloaded
the security update, were unaffected by the worm.

Most software firewalls wouldn't have protected most people that use
FrontPage! I use both hardware & software firewalls, and locked down
the RPC ports in both. Early this morning, I started up FrontPage, and
Norton Internet Security gave me a message telling me it block an
application from listening to ports that I blocked manually to stop any
RPC funny business! If I hadn't made my own firewall rule, Norton's
Auto-Config of programs would have let FrontPage listen until it heard
from BLASTER. And I'm sure there are a few other programs that do the
same thing.

--
Peace!
Kurt
Self-anointed Moderator
microscum.pubic.windowsexp.gonorrhea
http://microscum.kurttrail.com
"Trustworthy Computing" is only another example of an Oxymoron!
"Produkt-Aktivierung macht frei!"