[Dshield] Re: Re: [Larholm/PivX] Proxy attackers/hijackers

Kenneth Coney superc at visuallink.com
Mon Oct 20 05:48:24 GMT 2003


<Rant begins.>
Been doing it.  5 different PCs.  One at a time, each time new patches come 
out, all dial up.  A ROYAL pain in the *ss!  Especially when the update 
site goes down, or decides that my IE browser is NOT an IE browser, when it 
is.  Grrrr.  Not to mention my favorite ".., an unknown error has prevented 
the installation of..," usually seen during the installation after an hour 
of supposedly downloading a patch.

MS has been aware for years that they built a system with holes someone can 
drive trucks through and they ignored it in spite of the warnings from 
Gibson, CERT, and dozens of others.  None of the viruses of recent years 
would have happened if MS hadn't been ignoring vulnerabilities they have 
been allowing since the days of Win 95 (if not 3.1 or DOS).  In terms of 
lost productivity, with just time spent acquiring patches for the different 
machines, I must have easily lost 200+ hours this year.  Time = money 
(i.e., lost wages, or time lost when earnings could have been being 
earned).  Add to that the dozens of hours wasted waiting for the email AV 
software to deal with the 40 - 60 Swen and Klez attacks before I can see 
each day's email and MS's carelessness or cavalier attitude has cost me 
thousands of dollars of valuable time this year alone.  That's just me and 
I am not even addressing other firewall or Trojan issues.  I know of people 
who couldn't get a patch before Blaster got them.  How much money did they 
lose in down time?  How much did Klez cost us in down time and technical 
support?  There is an 800 MHz paperweight over in the corner of this room, 
there because a hole left by MS allowed a CMOS eating virus in last year. 
I lost a solid month on that one.  We still don't have the definitive cause 
of the big power outage.  If a laptop contaminated by Blaster or similar, 
due to MS ignoring a security issue known about a very long time ago (i.e., 
the stupidity of allowing remote access procedures (RPC)), was involved in 
that outage on some level (the question of why the Ohio power companies 
computers didn't react or alert to the alarm states the brownouts caused 
has yet to be publicly revealed) then how much did MS cost everyone that 
week?  AND there is no end in sight.  "Additional patches are under 
development..."  Yeah, right.

What's my point?  Simply that MS and Bill Gates (he was in charge when this 
nightmare began back in the Win 95 days, so, stock sale or not, he is still 
culpable in my opinion) owe us all money.  Big time.  The very least they 
could do is start mailing out FREE security upgrade patch CDs to each and 
every person and address who has registered any piece of MS software since 
Windows 95 was introduced.  They could do it any way they want, by software 
registration, or (smartest in my opinion) mail everyone the 11 disk CD 
album, i.e., a Win 95 patch CD, a Win 98 patch CD (or three), a Win NT 
patch CD, a Win XP patch CD set, an Office 97 patch CD, a free Office 2000 
patch CD, etc., et al with simple instructions to run each disk as needed. 
They already got everyone's address when we registered everything, and 
the proof of that is the dumb advertisements we have seen in the mail from 
them.  No further action should be needed on our part.  Hey, even if 
someone has moved, what's the downside?  Some house gets two sets?  If they 
do this and you didn't get yours, you can have my patch disk album when I 
am done with them.  This will cost MS some profit dollars, sure, but it is 
profit they don't deserve because they released a product that they knew 
was unsafe and it won't cost them nearly as much as future litigation 
could.  <Rant done.>


Subject: Re: [Dshield] Re: [Larholm/PivX] Proxy attackers/hijackers
From: "Tom Liston" <tliston at premmag.com>
Date: Sun, 19 Oct 2003 10:14:42 -0500
To: General DShield Discussion List <list at dshield.org>

On 18 Oct 2003 at 12:39, Thor Larholm wrote:

>> Let's be serious for a second and take their first monthly patch schedule
>> as an example, 10-20 MB.

Expecting a home user, who is already apathetic about security to download
10 - 20 MB of patches over a dial-up is foolish.  Admittedly John's
"gigabytes" is an exaggeration, but 10 - 20 MB is still unacceptable.

-TL
