[Dshield] Re: Re: [Larholm/PivX] Proxy attackers/hijackers

Rich Weissler Rich.Weissler at mail.wvu.edu
Mon Oct 20 18:10:41 GMT 2003


>>> dshield at pfunkjr.cotse.net 10/20/03 11:05AM >>>
> Now, I'm patching all our machines at work and home AND friends AND relatives, etc...
> So, I'm frustrated too.

*nod*

> Anyone who used the Internet during the late 1980s and very early 1990s (I'm
> too young to go back further. Hahaha - AND I have a really well built bridge
> over the Hudson for sale.) was communicating with academics, for the most
> part. There were no browsers - you used Gopher and ftp and email - nothing
> else was available! There were no bad actors and very few people (as
> compared with now...) outside of the US using the Internet. In those times,
> never even thought of firewalls. In 1993, I did use FPROT to disinfect my
> minister's DOS box that a local business donated to the church. Frankly I
> would (now and then...) use an anti-virus to scan my machine, but only when
> I thought about it.

Actually we had "THE Internet Worm", and "Christmas Tree" PROFS email virus.  But the difference was, in both cases, the person writing the attacks were doing it to see if it could even be done or because they thought it was a nice thing without thinking about the consequences.  There wasn't money in the 'net at the time.

> I digress... We're patching ALL these OSes now because there were NO SUCH
> THREATS back when they were released.

We are patching ALL the OSes, and all the hardware and everything else because the Internet isn't just used for education and non commercial traffic.  Back in the day, it was not PERMITTED to carry commercial traffic.  Now a lot of people make their living tied to the Internet -- including, I suspect, most of the people on this list.

> Remember - For every vulnerability that MS patches, another one will pop up.
> It's like trying to make your house "burglar proof" - it can't be done. Why?
> There are very determined criminals out there who will try to break in and
> steal you stuff or vandalize your place - Internet or otherwise.

But I can take reasonable precautions with physical security on my house.  I can lock the deadbolts on my front door, and basement, and put a bar in the sliding door.  Latching the windows will likely deter most criminals.  I don't have to worry about the lumber company coming back with a report that the 2x6s in my walls may not be secure, and a criminal with an old popsicle stick and walk right thru my walls.  To remain secure, I'll have to inject a new chemical into the walls to make then secure... but of course there was the story about Mr Smith down the road who had his ceiling collapse when he sprayed the chemical because he had floor joists made from a different manufacturer.

_I_ don't keep money or anything else of much value around my house.  I don't drive an expensive car.  I have a ten year old, seriously out of date router, providing filtering on my broadband Internet connection.  It isn't worth the effort to steal my stuff.

If I had something of value to seriously protect at work, I probably wouldn't use the same deadbolts and window latches to protect it.  I probably wouldn't use the same 2x6s to build my office building.  I'd probably buy something that was designed for that purpose.

The point is: I don't use the same products to protect my house that I would use to protect a business.

> Anyone been patching their expensive Cisco routers? I could go on about a
> myriad of other hardware and software manufacturers.

Yes.  But, as far as I know, Cisco didn't release seven patches last week.  

To speak for a lot of people, I think the frustration stems from the fact that we have been thru all this before.  It seems that Microsoft reported that security would be their top concern over a year ago.  Now they are saying that they have changed their priorities, and NOW it is their top concern, and they are really committed to making patch management easier.  And somehow I can't help feeling that in a year or so we will see another Microsoft press release report that after the latest Windows Worm that exploited a whole in yet another service that people are only peripherally aware of, that Microsoft is really concerned about security and that NOW they are going to take it seriously.

I'm not knocking Microsoft.   I use it daily.  I patch it weekly (or now monthly.)

Would it all be better if Microsoft didn't have the monopoly it does?  Perhaps not.  Some people who really had something to protect would have to pay big money to protect their systems (think: IBM mainframes in the heyday.)  Would it be flawless?  No.  But when someone attacked that system, it would impact a relatively few large systems.  Most home users would probably use a completely unrelated set of software products, which offered minimal security (think: Microsoft Bob.)  Without money from those large user groups, the rest of us would probably use a dozen or so other systems.  And of course there would be a lot of incompatibilities, and we would all spend a lot of time trying to get systems to talk to each other because some group of vendors decided to implement XML slightly different for product Z, and we would curse and swear about non-standard standards.

Would it be better?  No.  We would complain about different things.  In the meantime, I will continue to patch regularly on the systems for which I'm responsible, including work, home, my in-laws, etc.  I'll occasionally upgrade my operating systems, and other software, and in some cases I'll look at software that isn't Microsoft.  After MS Office XP crippled itself on me at home two weeks ago, I switched to Open Office on my main home computer.  I was tickled to find they now use XML natively for file formats, and PDF exports are built in.  Works in my 2x6 lumber house... but I know it may not work for everyone.

Rich Weissler
---
Hey!  And if you didn't know, I speak only for myself.  
...Well, at least until I get the orbital mind control lasers on-line. ;-)




More information about the list mailing list