You buy a new computer, connect in to the internet and
proceed to download your choice of ant-virus software,
firewall, and possibly other security-enhancing stuff.
But in the half-hour or more it takes to do all that, your pc is
wide open, and with the frequency of probing attacks these
days, a variety of undesirable agents could be installed and
hidden before the anti-malware gets going.
So why don't computer retailers offer machines with anti-malware
stuff already installed ?
> You buy a new computer, connect in to the internet and
> proceed to download your choice of ant-virus software,
> firewall, and possibly other security-enhancing stuff.
> But in the half-hour or more it takes to do all that, your pc is
> wide open, and with the frequency of probing attacks these
> days, a variety of undesirable agents could be installed and
> hidden before the anti-malware gets going.
> So why don't computer retailers offer machines with anti-malware
> stuff already installed ?
Are you saying you managed to find a retailer that didn't preload
"trial" versions of Norton or McAfee's bloated security suites on?
> You buy a new computer, connect in to the internet and
> proceed to download your choice of ant-virus software,
> firewall, and possibly other security-enhancing stuff.
> But in the half-hour or more it takes to do all that, your pc is
> wide open, and with the frequency of probing attacks these
> days, a variety of undesirable agents could be installed and
> hidden before the anti-malware gets going.
And even if it would come up earlier, it couldn't fix the consequence of
such a horribly stupid mistake of connecting a machine the internet without
prior host configuration.
It can't fix user stupidity either. Now you're abusing Outlook Express as a
newsreader, which is an open invitation for malware.
> So why don't computer retailers offer machines with anti-malware
> stuff already installed ?
"Sebastian G." <seppi@seppig.de> wrote in message
news:60hdgmF1qbh4tU3@mid.dfncis.de...
>
>
> It can't fix user stupidity either. Now you're abusing Outlook Express as
> a newsreader, which is an open invitation for malware.
>
> "Sebastian G." <seppi@seppig.de> wrote in message
> news:60hdgmF1qbh4tU3@mid.dfncis.de...
> >
> >
> > It can't fix user stupidity either. Now you're abusing Outlook
> > Express as a newsreader, which is an open invitation for malware.
> >
>
> How ought I to read the newsgroups then ?
Hi Jim,
NNTP newsreading clients exist in many forms. One other popular one
is Mozilla Seamonkey, which is a suite that includes a newsreader.
Another popular one is XNews: http://xnews.newsguy.com/
Forte Agent was popular at one time. I don't use a gui newsreader
myself, but text mode is definitely not for everyone, so I won't
attempt to steer you there.
The group news.software.readers discusses such software.
Todd H. wrote:
> "Jim Hawkins" <jimhawkins@manx.net> writes:
>
>> "Sebastian G." <seppi@seppig.de> wrote in message
>> news:60hdgmF1qbh4tU3@mid.dfncis.de...
>>>
>>> It can't fix user stupidity either. Now you're abusing Outlook
>>> Express as a newsreader, which is an open invitation for malware.
>>>
>> How ought I to read the newsgroups then ?
>
> Hi Jim,
>
> NNTP newsreading clients exist in many forms. One other popular one
> is Mozilla Seamonkey, which is a suite that includes a newsreader.
> Another popular one is XNews:
> http://xnews.newsguy.com/
>
> Forte Agent was popular at one time. I don't use a gui newsreader
> myself, but text mode is definitely not for everyone, so I won't
> attempt to steer you there.
>
> The group news.software.readers discusses such software.
>
> Best Regards,
You can also use Mozilla Thunderbird (email program) as a
newsreader - works quite well.
>> It can't fix user stupidity either. Now you're abusing Outlook Express as
>> a newsreader, which is an open invitation for malware.
>>
>
> How ought I to read the newsgroups then ?
With a real newsreader? Through Google groups via a webbrowser? Via a
mail2news gateway and a mail client?
> From: "Jim Hawkins" <jimhawkins@manx.net>
>
>
> | How ought I to read the newsgroups then ?
> |
> | Jim Hawkins
> |
>
> His statements are overblown.
> OE has vulnerabilities but nothing major to worry about.
I wouldn't consider buffer overflows, script injection and arbitrary code
injection as overblown...
On Feb 1, 1:32*pm, "Jim Hawkins" <jimhawk...@manx.net> wrote:
> You buy a new computer, connect in to the internet and
> proceed to download your choice of ant-virus software,
> firewall, and possibly other security-enhancing stuff.
> But in the half-hour or more it takes to do all that, your pc is
> wide open, and with the frequency of probing attacks these
> days, a variety of undesirable agents could be installed and
> hidden before the anti-malware gets going.
> So why don't computer retailers offer machines with anti-malware
> stuff already installed ?
>
> Jim Hawkins
You could always just buy your firewall, anti-virus etc. off the
shelf at the store
"Sebastian G." <seppi@seppig.de> wrote in message
news:60hdgmF1qbh4tU3@mid.dfncis.de...
> Jim Hawkins wrote:
>
>> You buy a new computer, connect in to the internet and
>> proceed to download your choice of ant-virus software,
>> firewall, and possibly other security-enhancing stuff.
>> But in the half-hour or more it takes to do all that, your pc is
>> wide open, and with the frequency of probing attacks these
>> days, a variety of undesirable agents could be installed and
>> hidden before the anti-malware gets going.
>
>
> And even if it would come up earlier, it couldn't fix the consequence of
> such a horribly stupid mistake of connecting a machine the internet
> without prior host configuration.
>
> It can't fix user stupidity either. Now you're abusing Outlook Express as
> a newsreader, which is an open invitation for malware.
>
OE offers the facility to read newsgroups, so how is it 'abuse' to make use
of it ?
"Jim Hawkins" <jimhawkins@manx.net> wrote in news:13q6stgmm0m6883
@news.supernews.com:
> You buy a new computer, connect in to the internet and
> proceed to download your choice of ant-virus software,
> firewall, and possibly other security-enhancing stuff.
> But in the half-hour or more it takes to do all that, your pc is
> wide open, and with the frequency of probing attacks these
> days, a variety of undesirable agents could be installed and
> hidden before the anti-malware gets going.
> So why don't computer retailers offer machines with anti-malware
> stuff already installed ?
>
> Jim Hawkins
I once put a vulnerable machine on the network as a test. It was infected
in 8 seconds.
I once re-installed windows XP on a machine and forgot to unplug the
network cable.
I remembered and unplugged the cable before it got to the 'log in' screen.
The machine was already infected.
NEVER hook a vulnerable machine to the network. Download the latest AV
program and definitions on another machine and transport via CD or thumb
drive.
As of OE as a news reader or mail client, do you leave your car with the
engine running and the doors unlocked?
Microsoft[in the head] software was designed, from the ground up, like a
car with no ignition key and no locks on the doors.
Over the years, they have drilled holes in the door and used self tapping
screws to tack on hasps and loops to allow you to hang a padlock on the
door,
but 15 seconds with a screwdriver and the hasp is undone. 1 second with a
pry bar and the hasp is popped off.
Vista has spot welded the hasp onto the door but requires you to unlock 2
locks each time. After a while, most people will leave the locks off [or
press the 'go' button without reading the message].
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
> NEVER hook a vulnerable machine to the network. Download the latest AV
> program and definitions on another machine and transport via CD or thumb
> drive.
How should that stop the compromise? Exactly not at all.
And why are you ignoring obvious things like
- downloading *patches* on another machine
- configuring the host properly
- using a host-based packet filter
Each of those would do the job. A virus scanner surely doesn't.
> As of OE as a news reader or mail client, do you leave your car with the
> engine running and the doors unlocked?
> Microsoft[in the head] software was designed, from the ground up, like a
> car with no ignition key and no locks on the doors.
> Over the years, they have drilled holes in the door and used self tapping
> screws to tack on hasps and loops to allow you to hang a padlock on the
> door,
> but 15 seconds with a screwdriver and the hasp is undone. 1 second with a
> pry bar and the hasp is popped off.
Once again total nonsense. OE is well-documented to not being intended to be
secure in a untrusted environment, so the only problem is that Microsoft
often creates the impression of the contrary.
> Vista has spot welded the hasp onto the door but requires you to unlock 2
> locks each time.
Even more nonsense. Windows Vista is well-documented to be insecure in an
untrusted environment.
"Sebastian G." <seppi@seppig.de> wrote in
news:60u896F1psmkgU1@mid.dfncis.de:
> bz wrote:
>
>
>> NEVER hook a vulnerable machine to the network. Download the latest AV
>> program and definitions on another machine and transport via CD or
>> thumb drive.
>
>
> How should that stop the compromise? Exactly not at all.
> And why are you ignoring obvious things like
> - downloading *patches* on another machine
> - configuring the host properly
> - using a host-based packet filter
Downloading a good AV and installing OFF LINE is always my first step.
It will help 'detect and defend' during the next step.
I was assuming that the install would be from at least an XP sp2 CD, then
the first step on line is to install the latest updates.
I would never walk away from a machine after just installing AV.
> Each of those would do the job. A virus scanner surely doesn't.
It usually does for us, long enough to make sure patches are up to date.
We usually have the patches and updates slipstreamed into the installation
CD.
But that just takes care of the vulnerabilities that microsoft has patched.
There are always other holes that they haven't patched.
>> As of OE as a news reader or mail client, do you leave your car with
>> the engine running and the doors unlocked?
>> Microsoft[in the head] software was designed, from the ground up, like
>> a car with no ignition key and no locks on the doors.
>> Over the years, they have drilled holes in the door and used self
>> tapping screws to tack on hasps and loops to allow you to hang a
>> padlock on the door,
>> but 15 seconds with a screwdriver and the hasp is undone. 1 second
>> with a pry bar and the hasp is popped off.
>
>
> Once again total nonsense. OE is well-documented to not being intended
> to be secure in a untrusted environment
Well documented for the Illuminati. Not for the average user or even
corporate decision maker.
If it were 'well KNOWN' rather than 'well documented', no one would buy the
stuff.
> , so the only problem is that
> Microsoft often creates the impression of the contrary.
Snake oil salesmen create an impression in the minds of the impressionable.
>> Vista has spot welded the hasp onto the door but requires you to unlock
>> 2 locks each time.
>
>
> Even more nonsense. Windows Vista is well-documented to be insecure in
> an untrusted environment.
And you think that a hasp spot welded to the door of a car with no other
protection would actually protect it from theft?
My point was that Vista is NOT secure, it just 'looks a little better'.
My point was that ms products are not secure.
You appear to be saying the same thing but disagreeing with how I said
things. That is your right.
So we agree to agree on ms being insecure and disagree on the best way to
say that.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
> "Sebastian G." <seppi@seppig.de> wrote in
> news:60u896F1psmkgU1@mid.dfncis.de:
>
>> bz wrote:
>>
>>
>>> NEVER hook a vulnerable machine to the network. Download the latest AV
>>> program and definitions on another machine and transport via CD or
>>> thumb drive.
>>
>> How should that stop the compromise? Exactly not at all.
>> And why are you ignoring obvious things like
>> - downloading *patches* on another machine
>> - configuring the host properly
>> - using a host-based packet filter
>
> Downloading a good AV and installing OFF LINE is always my first step.
> It will help 'detect and defend' during the next step.
It will help "detect" at best. It can't do anything to defend, by design.
>> Each of those would do the job. A virus scanner surely doesn't.
>
> It usually does for us, long enough to make sure patches are up to date.
Bullshit. Since the exploit takes place in RAM, it fails to close any
relevant attack vector.
>> Once again total nonsense. OE is well-documented to not being intended
>> to be secure in a untrusted environment
>
> Well documented for the Illuminati. Not for the average user or even
> corporate decision maker.
So then the complete documentation on IE/OE group policies and their
effective security design criteria are imagination? I read it, and i'm quite
fond that even a technical illiterate can understand the wordening clearly.
> If it were 'well KNOWN' rather than 'well documented', no one would buy the
> stuff.
The lack of willingness to RTFM is a social problem, though it doesn't
change the fact that RTFM is the only reasonable way to act. It just proves
that most computer users are unreasonable, at least with respect to computer
usage.
>> Even more nonsense. Windows Vista is well-documented to be insecure in
>> an untrusted environment.
>
> And you think that a hasp spot welded to the door of a car with no other
> protection would actually protect it from theft?
Almost. The shell security issue can be worked around, albeit this implies a
lot of unintended inconvience.
> > My point was that Vista is NOT secure, it just 'looks a little better'.
> My point was that ms products are not secure.
Which is wrong as well. I'd consider Windows XP and Windows Server 2003 as
well as all their server stuff as quite secure and reliable.
> So we agree to agree on ms being insecure and disagree on the best way to
> say that.
I know only exactly two supported Microsoft product which are considered as
insecure, but are not documented to be insecure in untrusted environments:
Windows 2000 and IIS (any version). All others are either considered
insecure without actually being insecure (but only grossly misunderstoof),
or are documented to not be secure anyway (so the violation of security is
only against hypothesized specifications).
"Sebastian G." <seppi@seppig.de> wrote in
news:60v5huF1t02cnU1@mid.dfncis.de:
> The lack of willingness to RTFM is a social problem, though it doesn't
> change the fact that RTFM is the only reasonable way to act. It just
> proves that most computer users are unreasonable, at least with respect
> to computer usage.
I remind the programmers I supervise that it is THEIR JOB to make things
easy for the user. It is NOT the user's job to make things easy for the
programmer.
Who's fault is it that the users have unreasonable expectations?
NOT the users. Maybe even not the programmers.
Software company management is at fault, especially the marketing division
and those that design the software and allow buffer overruns and invalid
data to be poked into holes in the operating system. Languages that allow
buffer overruns and make data validity checking difficult.
Of course, all the checks in the world will not prevent Joe or Sally User
from opening that e-mail 'greeting card' IF their e-mail program supports
HTML etc garbage.
'Easy for the user' should be 'easy to do what NEEDS to be done' not
'pretty' and 'easy for the ad men to use to pump their ads through'.
>>> Even more nonsense. Windows Vista is well-documented to be insecure in
>>> an untrusted environment.
>>
>> And you think that a hasp spot welded to the door of a car with no
>> other protection would actually protect it from theft?
>
>
> Almost. The shell security issue can be worked around, albeit this
> implies a lot of unintended inconvience.
inexpensive, foolproof, convenient
Pick one!
>
>> > My point was that Vista is NOT secure, it just 'looks a little
>> > better'.
>> My point was that ms products are not secure.
>
>
> Which is wrong as well. I'd consider Windows XP and Windows Server 2003
> as well as all their server stuff as quite secure and reliable.
True, provided they are a locked, guarded room with no connection to the
outside world.
>
>> So we agree to agree on ms being insecure and disagree on the best way
>> to say that.
>
>
> I know only exactly two supported Microsoft product which are considered
> as insecure, but are not documented to be insecure in untrusted
> environments: Windows 2000 and IIS (any version). All others are either
> considered insecure without actually being insecure (but only grossly
> misunderstoof), or are documented to not be secure anyway (so the
> violation of security is only against hypothesized specifications).
So, if the other two products were also 'documented to be insecure in
untrusted environments' then there would be a 'clean sweep'. And everyone
could be happy because the insecurity is documented, right?
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
>>> My point was that ms products are not secure.
>>
>> Which is wrong as well. I'd consider Windows XP and Windows Server 2003
>> as well as all their server stuff as quite secure and reliable.
>
> True, provided they are a locked, guarded room with no connection to the
> outside world.
So that's why they got NSA C2 and CC EAL4+ evaluation?
> So, if the other two products were also 'documented to be insecure in
> untrusted environments' then there would be a 'clean sweep'.
For IIS, this would be true. For Windows 2000 the cause is a lack of
security patching support.
> And everyone could be happy because the insecurity is documented, right?
You can't claim insecurity when there weren't any security guarantees given
in first place.
"Sebastian G." <seppi@seppig.de> wrote in
news:610kufF1sem3cU1@mid.dfncis.de:
> bz wrote:
>
>
>>>> My point was that ms products are not secure.
>>>
>>> Which is wrong as well. I'd consider Windows XP and Windows Server
>>> 2003 as well as all their server stuff as quite secure and reliable.
>>
>> True, provided they are a locked, guarded room with no connection to
>> the outside world.
>
>
> So that's why they got NSA C2 and CC EAL4+ evaluation?
>
>> So, if the other two products were also 'documented to be insecure in
>> untrusted environments' then there would be a 'clean sweep'.
>
>
> For IIS, this would be true. For Windows 2000 the cause is a lack of
> security patching support.
>
>> And everyone could be happy because the insecurity is documented,
>> right?
>
>
> You can't claim insecurity when there weren't any security guarantees
> given in first place.
I am not a lawyer, but there is a concept under law that is called
something like 'fitness for purpose' or some such.
You sell someone a device that is supposed to do a task, say clean freshly
killed chickens
and it fails to perform the intended task, lets say it leave 1 in 1000
uncleaned,
there is something called an 'implied warranty of fitness'.
Microsoft's software FAILS the implied fitness for service AND they stop
supporting stuff like win95/98 and 2k when there are still multiple
vulnerabilities.
If it were not for the 'fine print' in the license, they would have been
sued into bankruptcy by now.
To even use their products, you are required to wave any recourse.
That makes me less than happy with their products.
The other thing that makes me unhappy with their products is needing to
clean up machines that have been compromised.
As the Judge on TV says, "Stick a fork in me, I'm done" on this subject.
I don't see any profit to continue our discourse.
Best regards and have a nice life.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
>> You can't claim insecurity when there weren't any security guarantees
>> given in first place.
>
> I am not a lawyer, but there is a concept under law that is called
> something like 'fitness for purpose' or some such.
>
> You sell someone a device that is supposed to do a task, say clean freshly
> killed chickens
> and it fails to perform the intended task, lets say it leave 1 in 1000
> uncleaned,
> there is something called an 'implied warranty of fitness'.
>
> Microsoft's software FAILS the implied fitness for service
They do?
> If it were not for the 'fine print' in the license, they would have been
> sued into bankruptcy by now.
The real cause is that warranty for fitness and alike is explicitly excluded
for software, which is quite reasonable to a certain extent. In the USA
totally, in Germany the only non-excludable warranty is for seriously
careless defects.
Inviting malware 
Linear Mode
