[Dshield] Re: [Larholm/PivX] Proxy attackers/hijackers

John Sage jsage at finchhaven.com
Sat Oct 18 22:15:35 GMT 2003


Rebuttal is futile.

Note: hardly impossible, merely futile.

On Sat, Oct 18, 2003 at 12:39:52PM -0700, Thor Larholm wrote:
> > From: "John Sage" <jsage at finchhaven.com>
> > A thought or two..
> 
> John, your thoughts are appreciated, I'll try to address the points that are
> relevant to the list and not just dirt throwing.

"dirt throwing"?

Please.

An utterly irrelevant pejorative. You just don't like what I'm saying.
 
> > http://www.pivx.com/larholm/unpatched/
> 
> When I first started listing unpatched Internet Explorer vulnerabilities,
> Microsoft's attitude and commitment to security was on a completely different
> level. At times, it could be difficult to even notify them about new
> vulnerabilities. That is why I made the page, to apply public scrutiny and
> pressure on Microsoft for them to fix the vulnerabilities and change their
> approach.

Read: it took the Giant of Redmond a while to realize that bad PR
might actually have a negative effect upon its bottom line.

But wait!

How long ago was the (in)famous "Trustworthy Computing" initiative
launched?

hmm.. Let me see:

Total packets to port  135 in alert.full-Oct.18.2003.07:07: 2544
Total packets to port  137 in alert.full-Oct.18.2003.07:07:  188
Total packets to port  139 in alert.full-Oct.18.2003.07:07:  200
Total packets to port  443 in alert.full-Oct.18.2003.07:07:    5
Total packets to port  445 in alert.full-Oct.18.2003.07:07:  326
Total packets to port 1433 in alert.full-Oct.18.2003.07:07:  349
Total packets to port 1434 in alert.full-Oct.18.2003.07:07:   15

and:

To: root at greatwall.finchhaven.net
Date: Sat, 18 Oct 2003 14:15:06 -0700
Subject: Nachia ping report

 1288 since 07:07:43 -0700


Quick Quiz: which of these *might* represent non-Micro$oft-specific
probes? 


> I believe that goal has been accomplished and the page has served
> its purpose.

Yeah. We have the benefits of "Trustworthy Computing" all around us.

> The MSRC division is now quick and effective both in responding and gathering
> necessary resources to fix all the short-term critical vulnerabilities, the IE
> Security team is working on very promising architectural changes for the
> long-term solutions and I know that all of the unpatched vulnerabilities left on
> my list are having patches produced.

Finally. Damn well about time. (If you believe Micro$oft, and I remain
utterly unconvinced. But I'm sure that those of you who are in tight
with The Beast know better).

> What more could you want from the list after having accomplished that, except to
> bash Microsoft? We want to be a part of the solution and help secure Windows
> systems.

"having accomplished"?

Please? The battle is over? huh? who won?

It's this simple: PivX knows which side of its bread the butter is on,
and is working overtime to keep its bread face up.

/* snip */

> We are moving on to new initiatives and efforts that can promote
> security,

Marketdroid-speak, worthy of The Beast itself.

> and part of that is our mailinglist where we will be exclusively announcing most of
> our research. Any of the thousands of visitors to Unpatched we had each day are
> very welcome to subscribe and stay up-to-date on our dedicated security
> research.

And get an advert with every update..

..or would it be an update with every advert? Hard to say.

My money's on more advertising than information.

> > A once-a-month release of patches? You're talking gigabytes.
> 
> Let's be serious for a second and take their first monthly patch schedule as an
> example, 10-20 MB.

"Let's be serious for a second..."

You can't be serious! bzzzt... Nice try.

That most recent patch was preceded how recently by another? Days?
Hours? Not by 30 days!

How big will they be, spread out 30 days apart? You evade the reality,
poorly.

And that 30-days-worth of patches will choke the home user, broadband
or no.

*All* of the probes shown above are local to my immediate 12.82.x.x
as a dialup into AT&T, or local to AT&T's 12.8x.x.x.

In Micro$oft's and PivX's brave new world, each and every one of them
will need 30 days' worth of patches every month to keep current. In one
chunk, that's going to choke off all other usage of their connection
until the monstrosity is downloaded, installed, and their system is
rebooted over and over and over.

Who the hell is going to do that?

No one.

> > And of course, you'll be wide open 'till the next month's patch is
> > released, but that's no problem, in some people's minds. I'm sure that
> > the "security companies" that have bought into Micro$oft's newest
> > "innovation" will have something to sell you.

I stand by that statement, and what it represents: business for those
on the proper (Read: Micro$oft) side of the fence.

> If you had been reading any media during the last month that even remotely
> covered Microsoft's announcement, you would also have noticed part of that sea
> change we are talking about. In the past, Microsoft has discovered new
> vulnerabilities, patched them and distributed them. This reactive approach is
> not much unlike current antivirus vendors, and equally effective at stopping
> future threats - how many AV products were able to stop even a single one of the
> latest few major outbreaks?

Reading what media? The same media that has been falling all over
itself to kiss Micro$oft's *ss all these years?

feh..

I canceled my subscription to "PC Magazine" over ten years ago...

> As opposed to this traditional reactive approach, Microsoft is now going
> proactive and taking great efforts to protect Windows installations even without
> patches installed. They will improve the perimeter (think personal firewall),
> reduce the likelihood of successful IE exploits, implement new stack protections
> and change their email clients. All this to go beyond patch management.

And you believe Micro$oft? Where's that bridge I've got...

And if by some very, very faint chance any of that is true: Damn well
'way past time; *if* they actually do anything.

I mean, where the hell has Micro$oft been? This is October of 2003,
fer crissakes.

> > In closing:
> >
> > "If it's good enough for PivX and Micro$oft, it's good enough for
> > you!"
> 
> When you start misspelling PivX just to state a political belief, I'll buy you a
> beer.

Two thoughts:

1) I sincerely hope that PivX never reaches the depths of infamy that
Micro$oft has so blindly created for itself.

2) No thanks. I don't drink.



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
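The per-port tallies and the Nachi ping count pasted above are the kind of numbers a firewall log yields with a few lines of scripting. What follows is an added example, not John's script nor anything from the thread: it assumes netfilter/iptables-style KEY=VALUE log lines (the post's actual log format is not shown), uses its own port-to-Windows-service map, treats a 92-byte ICMP echo request as a Nachi/Welchia heuristic (an assumption carried over from contemporary reports, not from the post), and runs over constructed sample lines with documentation-range addresses.

```python
"""Tally destination ports in netfilter-style log lines and flag the
Windows-service ports that the worms of autumn 2003 hammered."""
import re
from collections import Counter

# Windows services behind the ports the post tallies, with the 2003 worms
# that targeted them. This mapping is the example's own, not from the post.
WINDOWS_SERVICE_PORTS = {
    135: "MS RPC endpoint mapper (Blaster, Nachi/Welchia)",
    137: "NetBIOS name service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    1433: "MS SQL Server",
    1434: "MS SQL Server resolution (Slammer)",
}

# Nachi/Welchia scanned with ICMP echo requests of IP length 92 bytes
# (20 IP + 8 ICMP + 64-byte payload). Used here as a heuristic (assumption).
NACHI_ECHO_LEN = 92

# netfilter log fields are KEY=VALUE tokens separated by spaces.
FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

# Constructed sample log lines (not the post's own logs).
SAMPLE_LOG = """\
Oct 18 07:07:43 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=48 PROTO=TCP SPT=3201 DPT=135 SYN
Oct 18 07:07:44 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.11 DST=192.0.2.20 LEN=48 PROTO=TCP SPT=3202 DPT=135 SYN
Oct 18 07:07:45 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.12 DST=192.0.2.20 LEN=48 PROTO=TCP SPT=1055 DPT=445 SYN
Oct 18 07:07:46 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.13 DST=192.0.2.20 LEN=404 PROTO=UDP SPT=1111 DPT=1434
Oct 18 07:07:47 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.14 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN
Oct 18 07:07:48 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.15 DST=192.0.2.20 LEN=92 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct 18 07:07:49 greatwall kernel: IN=ppp0 OUT= SRC=192.0.2.16 DST=192.0.2.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1
Oct 18 07:07:50 greatwall sshd[123]: Accepted publickey for root from 192.0.2.99
"""


def parse_fields(line):
    """Return the KEY=VALUE fields of one log line as a dict (empty if none)."""
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}


def tally(lines):
    """Count packets per TCP/UDP destination port and Nachi-like echo requests.

    Returns (port_counter, nachi_pings). Lines that are not netfilter packet
    logs (e.g. sshd messages) are skipped rather than raising.
    """
    ports = Counter()
    nachi_pings = 0
    for line in lines:
        f = parse_fields(line)
        proto = f.get("PROTO")
        if proto in ("TCP", "UDP") and f.get("DPT", "").isdigit():
            ports[int(f["DPT"])] += 1
        elif proto == "ICMP" and f.get("TYPE") == "8" and f.get("LEN") == str(NACHI_ECHO_LEN):
            nachi_pings += 1
    return ports, nachi_pings


def split_by_target(ports):
    """Separate a port tally into Windows-service ports and everything else."""
    windows = {p: n for p, n in ports.items() if p in WINDOWS_SERVICE_PORTS}
    other = {p: n for p, n in ports.items() if p not in WINDOWS_SERVICE_PORTS}
    return windows, other


def report(lines):
    """Build the same kind of per-port summary the post pastes in."""
    ports, nachi = tally(lines)
    windows, _other = split_by_target(ports)
    out = []
    for port, n in sorted(ports.items()):
        tag = WINDOWS_SERVICE_PORTS.get(port, "not a Windows-specific service")
        out.append(f"Total packets to port {port:5d}: {n:5d}  ({tag})")
    out.append(f"Nachi-style {NACHI_ECHO_LEN}-byte ICMP echo requests: {nachi}")
    out.append(f"Windows-service share of port hits: {sum(windows.values())}/{sum(ports.values())}")
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

The split in `split_by_target` is the "quick quiz" made mechanical: on the sample, four of the five port hits land on Windows-only services, and the one 443 hit is the only probe that could plausibly be aimed at something else. Swap `SAMPLE_LOG` for a real syslog excerpt and the same functions give the per-port totals and the Nachi ping count.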