ID Serve -- a simple Internet server identification utility.

Hi Gang,

From time to time we are asked if there's any way for someone to 
determine the make, model, and version of publicly accessible 
Internet server software.  This is the sort of thing that's easy to 
determine when armed with a packet sniffer, but which isn't generally 
available through the typical Internet client user interface.

Earlier this year, after the FBI released the news of the Russian 
organized crime ring that was systematically breaking into IIS 
systems using four old and long-known vulnerabilities (and I wrote 
PatchWork to check for those), the rate of those questions increased. 
After that came the multiple rounds of IIS worms, which appeared to 
concern people even more.

Two weeks ago I was tied up doing some research for a potential 
project and I was waiting for returned phone calls and eMail. I 
couldn't focus enough to work on the kernel-level device drivers 
which I needed for LeakTest v2, so I decided to fill the time by 
whipping out a simple project that had been floating around in the 
back of my mind for a while.  I wrote "ID Serve" ...

			http://grc.com/id/idserve.htm

If it is something that's useful to you, for whatever purpose you 
apply it, then my "filler time" will have been well spent.  I'll be 
glad to have it around to satisfy my curiosity, and to provide to 
anyone who asks about remote server identification in the future. I 
think it makes a nice and simple addition to anyone's Internet 
security and privacy toolkit.

All the best.

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 8:22:00 AM
grc.news.feedback 4181 articles. 0 followers. Follow

288 Replies
1665 Views

Similar Articles

[PageSpeed] 7

Steve Gibson wrote:
> Two weeks ago I was tied up doing some research for a potential
> project and I was waiting for returned phone calls and eMail. I
> couldn't focus enough to work on the kernel-level device drivers
> which I needed for LeakTest v2, so I decided to fill the time by
> whipping out a simple project that had been floating around in the
> back of my mind for a while.  I wrote "ID Serve" ...
> 
>                         http://grc.com/id/idserve.htm

Quibble time, Steve, since you didn't give us a chance to proof the
text.

You write:
   Although the make, model, and version of most web site's server
software

Awkward at best. Try: 
   Although the software make, model and version running most web sites'
servers ...

Similarly: 
   but it is generally never shown to the user.

Perhaps: 
   but is rarely shown to the user. (better still, "seen by the user.")

Again:
   So ID Serve can also connect with any other type of non-web server 

I believe you mean, "with any type of non-web server" or "with any other
type of server"

*******
Quibbles aside, thanks again.

(I wonder how many will run it first on their own sites - the way that
pens are tested by writing the tester's name.)

Mike
-- 
mrichter@cpl.net
http://www.mrichter.com/
0
Mike
12/23/2001 10:49:00 AM
Suggestions:
1.  AudioClickOff (cmdline switch?)
2.  Close - for unresponsive site, eg. grc.com:21
3.  Ignore all nags that GRC doesn't know what time it is.

Sjur
0
Sjur
12/23/2001 11:13:00 AM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168f3428f0991a6e98a109@207.71.92.194...
[...]
http://grc.com/id/idserve.htm
[...]
Looks good Steve.

I like the interface on the 2nd tab. Those number icons are attractively
done.

I guess the variety of servers whose software is queriable can only
increase. *grin*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/23/2001 12:16:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168f3428f0991a6e98a109@207.71.92.194...
> If it is something that's useful to you, for whatever purpose you
> apply it, then my "filler time" will have been well spent.  I'll be
> glad to have it around to satisfy my curiosity, and to provide to
> anyone who asks about remote server identification in the future. I
> think it makes a nice and simple addition to anyone's Internet
> security and privacy toolkit.

It's certainly useful, and good for playing about with (i.e. seeing what
servers are running what).  Why couldn't it have been built into the web
browsers to start with, though?

Anyway, I've ended up putting it on IE's context menu, along with the
Network Tracer, so I can now run either on whatever site I'm looking at.
--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/23/2001 12:50:00 PM
"Robert Bradley" <robert.bradley_family@btinternet.com> wrote in message
news:a04ngl$2k9g$1@news.grc.com...
> "Steve Gibson" <support@grc.com> wrote in message
> news:MPG.168f3428f0991a6e98a109@207.71.92.194...
> > If it is something that's useful to you, for whatever purpose you
> > apply it, then my "filler time" will have been well spent.  I'll be
> > glad to have it around to satisfy my curiosity, and to provide to
> > anyone who asks about remote server identification in the future. I
> > think it makes a nice and simple addition to anyone's Internet
> > security and privacy toolkit.

Here is a web page that does the same thing except it won't accept an IP
address.

http://www.securityspace.com/sprobe/probe.html
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/23/2001 2:37:00 PM
Cute little utility, Steve!

I don't think Mosaic/Netscape/Mozilla ever included this info.  Heaven
help MSIE's useless "Properties" that can't even get a last-modified
date right.

I have a suggestion if you ever re-visit this guy (and it probably
won't bloat it 100 bytes).  Since you already have commandline in
place, include something like a /p option that looks up the current
contents of the text paste buffer.  I wouldn't default this (avoid
going to a site by surprise).  What I'd then setup is idtest.exe /p as
a hotkey then it becomes a powerful on-the-fly lookup utility.

Bill
-- 
"Give a man a fish and he eats for a day.  Teach a man to fish and
 he gets hit by a nuclear submarine."    -Ancient Japanese Proverb
0
Bill
12/23/2001 2:58:00 PM
Thanks Mike!

Good Quibbles, I've updated the text.  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 5:43:00 PM
Sjur,

> 1.  AudioClickOff (cmdline switch?)

How about a version with no sound??  <grin>

> 2.  Close - for unresponsive site, eg. grc.com:21

I considered that, and I changed the UI to add the "cancel" button, 
but I didn't like the way it looked.  Since ID Serve can also be used 
as a simple port probe, I wanted to let a connection timeout so that 
we could declare it "stealth".  As I've been poking around the Net 
I've seen servers that take quite a while to connect.

> 3.  Ignore all nags that GRC doesn't know what time it is.

<<grin>>  Thanks for that one.  I fixed it!!  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 6:16:00 PM
Hi Sam,

> [...]
> http://grc.com/id/idserve.htm
> [...]
> Looks good Steve.
> 
> I like the interface on the 2nd tab. Those number icons are
> attractively done.

Thank you Sam. I also really like the simple and clean look of the 
second tab.  And I originally had some much less attractive numerals 
and decided that they "stood out" for being ugly.  <g>  So I spent 
some time to come up with something really nice.  I'm super-pleased 
with them.

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 6:19:00 PM
> Here is a web page that does the same thing except it won't
> accept an IP address.
> 
> http://www.securityspace.com/sprobe/probe.html

I don't think that's what Robert Bradley meant.  He was asking why 
this information wasn't being displayed by existing web browsers when 
going to a web site.

And, FWIW, I think that if you consider all of what ID Serve can be 
used for (with port overrides, other non-http protocols, and display 
of a port's Open/Closed/Stealth status) you'll see that the web page 
does things that ID Serve does not, and that ID Serve does things the 
web page does not.  So it's not quite right to say that it "does the 
same thing."  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 6:26:00 PM
Robert,

> It's certainly useful, and good for playing about with (i.e.
> seeing what servers are running what).  Why couldn't it have
> been built into the web browsers to start with, though?

It sure could have been ... but back when all this was being created 
no one thought that end-users would care what server software was 
running any particular site.  Clearly that's not necessarily the case 
these days.

> Anyway, I've ended up putting it on IE's context menu, along
> with the Network Tracer, so I can now run either on whatever
> site I'm looking at.

Cool.  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 6:28:00 PM
........ but -- I didn't get you anything. <g>

Thank you for the nice little app. I can think of *many* uses for this
little jewel.

Phil
0
Phil
12/23/2001 7:13:00 PM
Caution!  There is a Risk Factor associated with running this program
after Jan 1. <g>

Sjur
--
RR THE WORLD WONDERS
0
Sjur
12/23/2001 7:37:00 PM
> Caution!  There is a Risk Factor associated with running
> this program after Jan 1. <g>

<<grin>>  Whoops!  I hate it when that happens!
(When I leave the pre-release expiration stuff in the code!)

Thanks for the catch Sjur!

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/23/2001 8:01:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168fc1a378bb6deb98a10f@207.71.92.194...
>
> > Here is a web page that does the same thing except it won't
> > accept an IP address.
> >
> > http://www.securityspace.com/sprobe/probe.html
>
> I don't think that's what Robert Bradley meant.  He was asking why
> this information wasn't being displayed by existing web browsers when
> going to a web site.

That was what I meant.  It shouldn't be difficult to add, but until now, no
one has cared about viewing headers for HTTP.
--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/23/2001 10:10:00 PM
grc.com: GRC Custom Hybrid NanoProbe Engine/1.57 (experimental) on Windows 2000

Uptime:Windows 2000 max 53.66 days latest 33.11days

Windows 2000  GRC Custom Hybrid NanoProbe Engine/1.57 (experimental)  15-Dec-2001  207.71.92.193   Verio, Inc. Windows 2000  GRC Custom Hybrid NanoProbe Engine/1.22  13-Dec-2001  207.71.92.193      
Windows 2000  Microsoft-IIS/5.0  19-Sep-2001  207.71.92.193     
Windows 2000  unknown  17-Sep-2001  207.71.92.193 .  
Windows 2000  Microsoft-IIS/5.0  7-Jun-2001  207.71.92.195     
Windows 2000  Microsoft-IIS/5.0  13-Jan-2001  207.71.92.193    
NT4/Windows 98  Microsoft-IIS/4.0  3-Nov-2000  207.71.92.19 
0
756373323932303532
12/23/2001 10:12:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168fc21b785264c698a110@207.71.92.194...
> Robert,
> > Anyway, I've ended up putting it on IE's context menu, along
> > with the Network Tracer, so I can now run either on whatever
> > site I'm looking at.
>
> Cool.  :)

I've put a simple copy of it at
www.btinternet.com/~bradley_family/idserve.zip, if anyone's interested, but
under NT, the paths to the files will need altering in "add to IE.reg".
Unless, of course, you create the entire c:\windows\web\ path. :)
--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/23/2001 10:13:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168f3428f0991a6e98a109@207.71.92.194...
>
> If it is something that's useful to you, for whatever purpose you
> apply it, then my "filler time" will have been well spent.  I'll be
> glad to have it around to satisfy my curiosity, and to provide to
> anyone who asks about remote server identification in the future. I
> think it makes a nice and simple addition to anyone's Internet
> security and privacy toolkit.
>

Useful and fun.  Thanks for this nice Christmas gift.  Any possibility you
could add an option to make it silent?

M.P.
0
Martin
12/23/2001 10:18:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168f3428f0991a6e98a109@207.71.92.194...
> Hi Gang,
>
> From time to time we are asked if there's any way for someone to
> determine the make, model, and version of publicly accessible
> Internet server software.  This is the sort of thing that's easy to


Nice little utility!

I too had been asked by several people for a simple tool to compile a list
of web server software for inventory analysis so I wrote "WotWeb"
(http://keir.net/wotweb.html) a couple of months ago. It only deals with
web servers but can scan entire ranges and shows the response codes and
authorization levels if the system is password protected. I have chosen to
provide a fixed list of ports to use rather than a user supplied one since
it is geared solely toward HTTP services. Double-click an entry and it'll
launch your browser on that site.

Here's some interesting HTTP compliant web services to try (that could
also be done with IDServe):

1214.
This is Morpheus, the file sharing program. The banner comes back as
something like "KazaaClient Aug 29 2001 19:44:27".

5000.
An indication that the system is probably using UpNP. It will return an
error code of 400 with an unknown server type. Better install that XP
patch right now!

8080.
Often this is a cable/DSL router such as the Linksys BEFSR with the web
admin page enabled, which is usually a bad thing. Can you guess how many
poor Linksys users I've found thinking they are all secure but have their
web admin page available with the default password still intact? Ouch!
This one would probably be a good addition to ShieldsUp!

Anyway, if you use it don't go crazy. But it is fun ;-)

-Robin
0
Robin
12/23/2001 11:38:00 PM
"Robin Keir" <robin@keir.net> wrote in message
news:a05sea$rsq$1@news.grc.com...
> "Steve Gibson" <support@grc.com> wrote in message
> news:MPG.168f3428f0991a6e98a109@207.71.92.194...
> > Hi Gang,
> >
> > From time to time we are asked if there's any way for someone to
> > determine the make, model, and version of publicly accessible
> > Internet server software.  This is the sort of thing that's easy to
>
>
> Nice little utility!
>

..... and the same can be said for yours, Robin. I certainly am glad you and
Steve are "good guys". :)

BTW, I really like your new site -- design wise AND speed. It is orders of
magnitude faster on my poor little dial-up than your old site. Nicely done!

Phil
0
Phil
12/24/2001 12:33:00 AM
Very cool robin!!

The scanning for port 5000 will come in handy for enterprise folks 
who want to find any and all vulnerable XP's.  (If any enterprise 
folks have been silly enough to deploy XP so soon. :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 1:32:00 AM
Robin,

> 8080.
> Often this is a cable/DSL router such as the Linksys BEFSR with the web
> admin page enabled, which is usually a bad thing
>
What's the alternative.....or the fix?
 
     
     Jim Lilly 
     Using Virtual-Access(OLR) & Win'98SE/WinXP Pro
0
A1PCfixer
12/24/2001 2:00:00 AM
I can't really think of a legitimate need to have the admin web page open
to everybody on the Internet. You should normally have it disabled by
making sure you have Remote Management disabled on the Advanced | Filters
page. If you must have remote admin enabled you should most definitely not
keep the default password, you should change it to something very hard to
guess. If somebody can come along to your Linksys box and enter the
default password they can then set all the computers behind your
firewall/router to be visible and start attacking them.

-Robin


"A1PCfixer" <a1pcfixer@hotmail.com> wrote in message
news:VA.000001a3.020c06a1@hotmail.com...
> Robin,
>
> > 8080.
> > Often this is a cable/DSL router such as the Linksys BEFSR with the
web
> > admin page enabled, which is usually a bad thing
> >
> What's the alternative.....or the fix?
>
>
>      Jim Lilly
>      Using Virtual-Access(OLR) & Win'98SE/WinXP Pro
>
0
Robin
12/24/2001 2:23:00 AM
Steve Gibson <support@grc.com> wrote:
>Robert,
>
>> It's certainly useful, and good for playing about with (i.e.
>> seeing what servers are running what).  Why couldn't it have
>> been built into the web browsers to start with, though?
>
>It sure could have been ... but back when all this was being created
>no one thought that end-users would care what server software was
>running any particular site.  Clearly that's not necessarily the case
>these days.
>

Steve,

Would it be a good idea to make it possible to run ID Serve in the 
background and check each URL in the browsers address line? For instance 
as a tray icon showing the info as a tooltip?

{...]
-- 
_______________________________________________________________________
Eric Erades                                           P C H E L P E R S

Website:  http://www.pchelpers.org/
News   :  news://news.pchelpers.org
Email  :  pchelpers@pchelpers.org
0
Eric
12/24/2001 4:38:00 AM
Robin,

> have Remote Management disabled on the Advanced | Filters
> page
>
Ahhhh...OK. Not something I have need of as yet.

> most definitely not
> keep the default password
>
Agreed!
Thanks for the info.
 
     
     Jim Lilly 
     Using Virtual-Access(OLR) & Win'98SE/WinXP Pro
0
A1PCfixer
12/24/2001 5:00:00 AM
"Robert Bradley" <robert.bradley_family@btinternet.com> wrote in
<news:a05njj$m3q$1@news.grc.com>: 

> That was what I meant.  It shouldn't be difficult to add, but
> until now, no one has cared about viewing headers for HTTP.

That's why I run everything through Proxomitron, and leave the "log 
window" open in the background. Sorry, I just can't pass up a chance 
to plug my favorite (free!) software.

http://proxomitron.cjb.net/

-- 
Jonah

Newbies, take a look at: http://grc.com/discussions.htm
0
Jonah
12/24/2001 8:08:00 AM
This is a really cool utility and more than useful. Found out some
surprising information already and I'm just getting started! Thanks very
much, Steve.  :)

G.


> If it is something that's useful to you, for whatever purpose you
> apply it, then my "filler time" will have been well spent.  I'll be
> glad to have it around to satisfy my curiosity, and to provide to
> anyone who asks about remote server identification in the future. I
> think it makes a nice and simple addition to anyone's Internet
> security and privacy toolkit.
0
Gorham
12/24/2001 2:44:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168f3428f0991a6e98a109@207.71.92.194...

> http://grc.com/id/idserve.htm

Steve,

Could you put the IDServe version number in the display so we can check it
when someone posts the output?

Initiating server query ...

Looking up IP address for domain: www.army.mil

The IP address for the domain is: 140.183.234.10

Connecting to the server on standard HTTP port: 80

[Connected] Requesting the server's default page.

The server returned the following response headers:

HTTP/1.1 200 OK

Server: WebSTAR/4.2 ID/70636

Connection: Close

Date: Mon, 24 Dec 2001 16:35:14 GMT

Content-Type: text/html

Content-Length: 22375

Last-Modified: Fri, 21 Dec 2001 20:42:33 GMT

Quersy complete.
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/24/2001 4:39:00 PM
> This is a really cool utility and more than useful. Found out some
> surprising information already and I'm just getting started! Thanks
> very much, Steve.  :)

I am delighted that you like it.  Thanks for the feedback.

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 4:54:00 PM
Eric,

> Would it be a good idea to make it possible to run ID Serve in
> the background and check each URL in the browsers address line?
> For instance as a tray icon showing the info as a tooltip?

Probably the best place for that sort of continual monitoring would 
be in a browser add-on ... in the case of IE, as so-call "Browser 
Helper Object" (BHO).

If there's sufficient interest in the idea, or if web server 
identification it becomes increasingly important to end users, I 
could *certainly* add that functionality to the future GRC NetFilter 
product.  It will already be monitoring and interpreting all of the 
flow to and from the outside world, so making it "server aware" would 
be a simple addition.

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 5:15:00 PM
Jonah wrote:
> 
> "Robert Bradley" <robert.bradley_family@btinternet.com> wrote in
> <news:a05njj$m3q$1@news.grc.com>:
> 
> > That was what I meant.  It shouldn't be difficult to add, but
> > until now, no one has cared about viewing headers for HTTP.
> 
> That's why I run everything through Proxomitron, and leave the "log
> window" open in the background. Sorry, I just can't pass up a chance
> to plug my favorite (free!) software.
> 
> http://proxomitron.cjb.net/
> 
> --
> Jonah
> 
> Newbies, take a look at: http://grc.com/discussions.htm

I have been waiting for someone to mention this!  Wish I had an 
equivalent favorite program for Linux. I might have considered
writing one, but by design work on impulse engines is taking most
of my free time.

                  Best regards,
                          -maxm
0
maxm
12/24/2001 5:57:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.16910274ec28362e98a120@207.71.92.194...
> Eric,
>
> > Would it be a good idea to make it possible to run ID Serve in
> > the background and check each URL in the browsers address line?
> > For instance as a tray icon showing the info as a tooltip?
>
> Probably the best place for that sort of continual monitoring would
> be in a browser add-on ... in the case of IE, as so-call "Browser
> Helper Object" (BHO).

I was thinking of a similar idea, using a proxy server to get the headers,
and the BHO to display them.  Like you said, NetFilter could easily do it,
with a few alterations.
--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/24/2001 6:27:00 PM
Hi maxm,

Nice to see you again!  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 6:33:00 PM
> Steve,
> 
> Could you put the IDServe version number in the display
> so we can check it when someone posts the output?
> 
> Initiating server query ...

I suppose that I could put it in the first line ...

"Initiating ID Serve v1.00 query ..."  But I sort of resist clogging 
up the output with the version number.  Let's see how it goes with 
anything else that people find.  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 6:36:00 PM
Steve Gibson wrote:
> 
> Hi maxm,
> 
> Nice to see you again!  :)
> 
> --
> _________________________________________________________________
> Steve Gibson,                         at work on: < "ID Serve" >

I can't help persistently lurking. It is an addiction that many of
us here have. I'm going to have to finally get around to repairing
my windows boot partition so I can play with this new gizmo.

       Best regards,
               -maxm

P.S. I'm not kidding about the "inertial propulsion engine". After
     helping keep a roof over my head it will be public domain!
0
maxm
12/24/2001 7:06:00 PM
Steve Gibson wrote:
> If it is something that's useful to you, for whatever purpose you
> apply it, then my "filler time" will have been well spent.  I'll be
> glad to have it around to satisfy my curiosity, and to provide to
> anyone who asks about remote server identification in the future. I
> think it makes a nice and simple addition to anyone's Internet
> security and privacy toolkit.
> 
> All the best.
> 
> --
> _________________________________________________________________
> Steve Gibson,                         at work on: < "ID Serve" >
Am I to understand that ID serve only checks the server that the ip
address is from and not the actual ip address or machine.The one query
below is my own ip address.I tried this with both my ZA on and off and
got same results.My ZA did not get alerted.I answered my own question
:o}
So my ISP is blocking any info on it's server software that is uses.
This answers the question about a timeout or connection refusal.The
query took only seconds.Maybe adding a traceroute like function,showing
route back to server,maybe not. This may be useful on spam hunting.
So I would need to protect my server/proxy from giving out this info via
a firewall or a denial of any such request.
Thanks great utility, Steve I learn more and more every day about
security and how to use "my computer" as you would say.

Initiating server query ...
Looking up the domain name for IP: 151.198.143.70
The domain name for the IP address is:
pool-151-198-143-70.mad.east.verizon.net
Connecting to the server on standard HTTP port: 80
The port is closed, so our connection attempt was refused.
Query complete.
0
Joe
12/24/2001 7:44:00 PM
> P.S. I'm not kidding about the "inertial propulsion engine".
> After helping keep a roof over my head it will be public domain!

Huh?  I wasn't sure what an "impulse engine" was, and I'm still not.  
But we'd all love to know what's up your sleeve.  :)

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 7:55:00 PM
> I was thinking of a similar idea, using a proxy server to get
> the headers, and the BHO to display them.  Like you said,
> NetFilter could easily do it, with a few alterations.

Actually, the Browser Helper Object would need no help from any other 
proxy or anything.  All BHO's have full access to everything going on 
in the browser.

-- 
_________________________________________________________________
Steve Gibson,                         at work on: < "ID Serve" >
0
Steve
12/24/2001 7:56:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.16910274ec28362e98a120@207.71.92.194...
> Eric,
>
> > Would it be a good idea to make it possible to run ID Serve in
> > the background and check each URL in the browsers address line?
> > For instance as a tray icon showing the info as a tooltip?
>
> Probably the best place for that sort of continual monitoring would
> be in a browser add-on ... in the case of IE, as so-call "Browser
> Helper Object" (BHO).

Another place to put it would be watching "get" requests outbound, if you
are going to be monitoring traffic at the packet level anyways. Of course,
that wouldn't differentiate between pages requested by the user and those
embedded on a page, but it would be more "generic". I only mention this as I
believe you had said you wanted NetFilter to be fairly generic, and capable
of functioning with any browser or supported client-type.

One could also modify windows' "properties" handler for html pages, but I
think that could also be browser version-dependent, and more work that it is
worth.

> If there's sufficient interest in the idea, or if web server
> identification it becomes increasingly important to end users, I
> could *certainly* add that functionality to the future GRC NetFilter
> product.  It will already be monitoring and interpreting all of the
> flow to and from the outside world, so making it "server aware" would
> be a simple addition.

I could readily picture a single link added to each page to allow fetching
of "properties" about that page from NetFilter (I believe proxomitron can do
something similar to this), some other in-stream modification, or a separate
"window" of some sort. I know you'll find a cool solution.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/25/2001 3:15:00 AM
Just out of curiosity:  what information does ID Serve send to the server?
0
F
12/25/2001 6:45:00 AM
Hi F.C. ...

> Just out of curiosity:  what information does ID Serve send
> to the server?

It sends NOTHING about the user, just a set of "fake" and always the 
same browser request headers.  If also never sends a cookie even if 
your system has one for the site.

HOWEVER ... since ID Serve *does* look like a standard query for the 
site's default web page, it will make a standard log entry on the 
site ... similar to if you had visited with a full browser.

-- 
_________________________________________________________________
Steve Gibson,    at work on: < http://grc.com/files/IDServe.exe >
0
Steve
12/25/2001 7:03:00 AM
I really like having this utility available at startup, just a click
away when I need to check for an IP address or whois...:))  No longer
have to open another browser window to check samspade or etc.  Thank
you!!  

(Very cool idea, Steve...might seem simplistic to some as to why you'd
spend your time on it, but I'm finding it so convenient.  And fun. 
Thanks once again for making the complex more simplified. :)

So...LeakTest 2.0??  (Just wondering...)
0
sock
12/25/2001 9:33:00 AM
sock puppet wrote:
> 
> I really like having this utility available at startup, just a click
> away when I need to check for an IP address or whois...:))  No longer
> have to open another browser window to check samspade or etc.  Thank
> you!!

But I also noticed when I checked on a site, that AtGuard threw up a
javascript warning.  I have javascripting disabled in Netscape
4.79...This is the first time I've seen that on a site queried with ID
Serve.  Maybe it's obvious to others, but not to me, that this is
basically harmless?
0
sock
12/25/2001 9:40:00 AM
> I really like having this utility available at startup, just
> a click away when I need to check for an IP address or whois...:))
> No longer have to open another browser window to check samspade
> or etc.  Thank you!!

Exactly so.  You're very welcome.  I'm delighted that you like it.

> (Very cool idea, Steve...might seem simplistic to some as to why
> you'd spend your time on it, but I'm finding it so convenient.
> And fun. Thanks once again for making the complex more simplified. :)

Yes, I well understand that some folks might wonder why I'm "wasting 
my time" with something so simple, and something that *can* be done 
through other existing means.

But it was a loose end that had been dangling from some time, it took 
me almost no time during a period when I was unable to get anything 
more difficult done due to lack of available concentration, I felt 
that it would usefully advance several "causes" ... and I liked it 
MORE than any other solutions as well.  :)

> So...LeakTest 2.0??  (Just wondering...)

That's happening as soon as possible.  I will be completing my new 
person page which has a project sequence chart so that people will 
know where I am, what I'm doing, and where I've headed.

As you can see from the current sig in my note, I wrote something 
ELSE yesterday <<grin>> that now needs a supporting web page, then I 
have some other "basic research" to do, which everyone here will be 
invited to participate in.

More soon ...

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/files/UnPnP.exe >
0
Steve
12/25/2001 9:28:00 PM
> But I also noticed when I checked on a site, that AtGuard threw
> up a javascript warning.  I have javascripting disabled in Netscape
> 4.79...This is the first time I've seen that on a site queried
> with ID Serve.  Maybe it's obvious to others, but not to me,
> that this is basically harmless?

Right.  Good point.  Since ID Serve is not a web client it doesn't 
care AT ALL about any of the content of a site's pages.  100% safe.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/files/UnPnP.exe >
0
Steve
12/25/2001 9:30:00 PM
Steve Gibson wrote:
> 
> > I really like having this utility available at startup, just
> > a click away when I need to check for an IP address or whois...:))
> > No longer have to open another browser window to check samspade
> > or etc.  Thank you!!
> 
> Exactly so.  You're very welcome.  I'm delighted that you like it.

Ever since I activated the firewall aspect of AtGuard, rather than just
the privacy controls, I'm astonished at all the *redirects* that are
occurring whenever I go to a site.  Huh??  :((   

With "ID Serve" right in systray, I can quickly query who the hell it is
trying to get in on the act.  And decide if I want to allow it!  So
convenient...

THANKS again, for this.  COOL. :D~
0
sock
12/25/2001 10:12:00 PM
Robert: the readme.txt in the zip refers to:

4.

Place both trace.bat ...

I cannot find "trace.bat" in either the IDServe.exe or
www.btinternet.com/~bradley_family/idserve.zip.  Please tell...
I'm excited about this easy-to-access IE context menu.

Tnx :D

"Robert Bradley" <robert.bradley_family@btinternet.com> wrote in message
news:a05njk$m3q$2@news.grc.com...
> "Steve Gibson" <support@grc.com> wrote in message
> news:MPG.168fc21b785264c698a110@207.71.92.194...
> > Robert,
> > > Anyway, I've ended up putting it on IE's context menu, along
> > > with the Network Tracer, so I can now run either on whatever
> > > site I'm looking at.
> >
> > Cool.  :)
>
> I've put a simple copy of it at
> www.btinternet.com/~bradley_family/idserve.zip, if anyone's interested,
but
> under NT, the paths to the files will need altering in "add to IE.reg".
> Unless, of course, you create the entire c:\windows\web\ path. :)
> --
> Robert Bradley
>
> I am not a mindreader, so I don't know everything.
0
packrat
12/26/2001 6:54:00 PM
"packrat" <packrat@gtonet.net> wrote in message
news:a0d90r$1u9n$1@news.grc.com...
> Robert: the readme.txt in the zip refers to:
>
> 4.
>
> Place both trace.bat ...
>
> I cannot find "trace.bat" in either the IDServe.exe or
> www.btinternet.com/~bradley_family/idserve.zip.  Please tell...
> I'm excited about this easy-to-access IE context menu.

This is where it is.

http://www.pc-help.org/trace.htm
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/26/2001 7:03:00 PM
In article <MPG.168f3428f0991a6e98a109@207.71.92.194>, Steve Gibson 
transmitsitlikethis:


> 			http://grc.com/id/idserve.htm


Thanks for all the fish!  :) 
0
waves
12/26/2001 11:44:00 PM
Would have sent this via email, but you do not exist on my localhost
anymore...

waves wrote:
> 
> In article <MPG.168f3428f0991a6e98a109@207.71.92.194>, Steve Gibson
> transmitsitlikethis:
> 
> >                       http://grc.com/id/idserve.htm
> 
> Thanks for all the fish!  :)

Good to see you are still around! I have been thinking about searching for
your posts. I thought you might like this sig. that i stole.

=================================================================
"Give a man a fish and he eats for a day.  Teach a man to fish and
 he gets hit by a nuclear submarine."    -Ancient Japanese Proverb
=================================================================
or
=================================================================
You cannot teach a man anything; you can only help him find it within 
himself. 
*Galileo {1564-1642 Italian Astronomer & Mathematician}
=================================================================
and

=================================================================
Don't get mad, get Linux
=================================================================
one more...
=================================================================
   If Bill Gates had a dime for every time a Windows box crashed...
                ...Oh, wait a minute, he already does.
=================================================================

               Best regards,
                       -maxm
0
maxm
12/27/2001 1:11:00 AM
In article <3C2A753D.FABF91E4@sneakemail.com>, maxm 
transmitsitlikethis:

> Would have sent this via email, but you do not exist on my localhost
> anymore...

?
0
waves
12/27/2001 3:25:00 AM
waves wrote:
> 
> In article <3C2A753D.FABF91E4@sneakemail.com>, maxm
> transmitsitlikethis:
> 
> > Would have sent this via email, but you do not exist on my localhost
> > anymore...
> 
> ?

Windoze crashed one to many times, so I changed to Linux. I used to have
your email addy, but it is too much trouble to do sector searches for so
much lost info. Your "waves <waves@127.0.0.0>" addy is not much help. Just
thought I would say hi here...

  The ping you would not soon forget!
0
maxm
12/27/2001 3:42:00 AM
Steve Gibson wrote:
> Two weeks ago I was tied up doing some research for a potential
> project and I was waiting for returned phone calls and eMail. I
> couldn't focus enough to work on the kernel-level device drivers
> which I needed for LeakTest v2, so I decided to fill the time by
> whipping out a simple project that had been floating around in the
> back of my mind for a while.  I wrote "ID Serve" ...
> 
>                         http://grc.com/id/idserve.htm

This utility has worked well for me so far. I like the fact that I can
enter an IP (xxx.xxx.xxx.xxx), and it is resolved. Would it not be cool
if this utility could report a RANGE of IPs, from a given source? I find
I want to chop off much of the world, like OS detection from China. Such
a report would help.
0
JohnO
12/27/2001 6:51:00 AM
"Robert Wycoff" <rwycoff@houston.rr.com> wrote in message
news:a0d9ef$1usv$1@news.grc.com...

> This is where it is.
>
> http://www.pc-help.org/trace.htm

Thanks for posting it first - I'll probably add the addresses to the text
file later...

--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/27/2001 12:40:00 PM
"JohnO" <johnoker@dnai.com> wrote in message
news:3C2AC50C.10E5B3AB@dnai.com...
> Steve Gibson wrote:
> > Two weeks ago I was tied up doing some research for a potential
> > project and I was waiting for returned phone calls and eMail. I
> > couldn't focus enough to work on the kernel-level device drivers
> > which I needed for LeakTest v2, so I decided to fill the time by
> > whipping out a simple project that had been floating around in the
> > back of my mind for a while.  I wrote "ID Serve" ...
> >
> >                         http://grc.com/id/idserve.htm

> This utility has worked well for me so far. I like the fact that I can
> enter an IP (xxx.xxx.xxx.xxx), and it is resolved. Would it not be cool
> if this utility could report a RANGE of IPs, from a given source? I find
> I want to chop off much of the world, like OS detection from China. Such
> a report would help.

There are additional tools that will do what you want.  I'm not positive I
know what you want, but you can find out about ranges of IP addresses here.

http://www.teamvall.demon.co.uk/IPAApagebusiness.htm

This site is down.

http://www.ipindex.net

These two sites may help.

http://www.samspade.org/

http://network-tools.com/
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/27/2001 12:58:00 PM
"Steve Gibson" <support@grc.com> wrote in message:

> [...] (If any enterprise folks have been silly
> enough to deploy XP so soon. :)


Don't you mean, "if any enterprise folks have been silly enough to not patch the exploit
found in XP"?  The fact they deployed XP is neither here nor there so long as they keep it
up to date and secure.

Steve, it was *YOU* who said the security holes never become a real world threat until
some hacker designs an easy to use tool.  Now, it's become convienient to contradict that
statement simply because it's trendy to be anti-Microsoft.  Yeaaa!  :-/

....or they can run UnPnP, which follows the logic of just chop off your hands to prevent
even the possibility of committing any further evil.  :-/

Geezus.

-S
0
Stefan
12/27/2001 2:41:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0feim$151h$1@news.grc.com...
> "Steve Gibson" <support@grc.com> wrote in message:
>
> > [...] (If any enterprise folks have been silly
> > enough to deploy XP so soon. :)
>
>
> Don't you mean, "if any enterprise folks have been silly enough to not
patch the exploit
> found in XP"?  The fact they deployed XP is neither here nor there so long
as they keep it
> up to date and secure.

I think what Steve is saying is that a couple months likely isn't long
enough to fully "audit" a brand-new OS _anyways_, so installing it in an
enterprise system so soon would be foolish, exploits aside.

> Steve, it was *YOU* who said the security holes never become a real world
threat until
> some hacker designs an easy to use tool.  Now, it's become convienient to
contradict that
> statement simply because it's trendy to be anti-Microsoft.  Yeaaa!  :-/

Even if it isn't a "Real world threat", it could be soon. I still think you
have misread what Steve wrote though.

> ...or they can run UnPnP, which follows the logic of just chop off your
hands to prevent
> even the possibility of committing any further evil.  :-/

A tertiary, and quite useless at present, hand that you have around just _in
case_ you happen to find a use for it. If you only have it around for the
possibility of it doing some good, it seems consistent to get rid of it for
a possibility of "evil".

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/27/2001 10:54:00 PM
"Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote
> "Stefan" <no.sp@m.please.com> wrote in message
> > ...or they can run UnPnP, which follows
> > the logic of just chop off your hands to prevent
> > even the possibility of committing any further evil.  :-/
wasn't there a movie about an evil hand ... ?
> A tertiary, and quite useless at present, hand that you have around just
_in
> case_ you happen to find a use for it. If you only have it around for the
> possibility of it doing some good, it seems consistent to get rid of it
for
> a possibility of "evil".
heh. more like the hand that you can unbolt and put in the
drawer until such a time that you actually have a good
use for it. [then ya use UnPnP to reattach it].
0
wyn
12/27/2001 11:19:00 PM
"wyn" wrote in message:

> heh. more like the hand that you can unbolt and put in the
> drawer until such a time that you actually have a good
> use for it. [then ya use UnPnP to reattach it].


As per that last part in []'s....  you do know that UnPnP isn't doing anything magical,
right?  We're only talking about disabling a service...

In Windows XP:
  1. Click the "Start" button
  2. Go to the "Control Panel" tab and press it
  3. Go to the "Administrative Tools" folder and double click on it
  4. Go to the "Services" icon and double click on it. It looks like two gears interlocked
with each other
  5. Scroll down until you see the "Universal Plug and Play Device Host" service and double
click on it
  6. A window will pop up with several tabs, on the "General" tab there will be a field
called "Startup Type"
  7. In the "Startup Type:" field change the option to "Disabled" and click "Ok"

Voila!

-S
0
Stefan
12/28/2001 12:12:00 AM
"Sam Schinke" wrote in message:

> I think what Steve is saying is that a couple months likely isn't long
> enough to fully "audit" a brand-new OS _anyways_, so installing it in an
> enterprise system so soon would be foolish, exploits aside.

Well, that's not what he said, is it?  And if it was, well, why not?  What's the magical day
that it becomes ok to roll out?  as far as I'm concerned, that's what beta testing is for.
Roll out on day 1.  whooppee.  This, and every MS exploit ever found, is patched by a 3
second trip to Microsoft.com...  Yes, exploits will be found.  Yes, some very nasty ones may
be found early.  I've never tried to deny that.  Was this not patched the exact same day it
was publicly announced?  Aye...  it was.  So drop it already.  It's a non issue for anyone
serious about their own computer security.


> Even if it isn't a "Real world threat", it could be soon. I still think you
> have misread what Steve wrote though.

Not to anyone with an up-to-date, secure, patched system, it won't be...  And don't pull out
the what if you're the target of a DDoS attack crap...  crackers already had a bagillion and
one ways to comandeer a machine...  this is just one more way of doing it.  If you were
going to be a targetm you didn't need *this* exploit to become that target.



> A tertiary, and quite useless at present, hand that you have around just _in
> case_ you happen to find a use for it. If you only have it around for the
> possibility of it doing some good, it seems consistent to get rid of it for
> a possibility of "evil".

I'll agree it should have been disabled by default.  I mean, if I agree on the "no raw
sockets in XP" issue, I'd look mighty dumb trying to argue that this should have on by
default.  It shouldn't have.  The flip side of the coin is that if MS shuts off everything
by default (like *nux), they get accused of making it not user friendly enough (like *nux)
and almost nobody out there will ever buy or use their product (like *nux).  It's a loose -
loose for them.  It's like nobody else ever sees that.

Steve spends most of the page whaling how MS didn't announce this far enough before
christmas...  SO WHAT!  ...as if he wouldn't have found something else to bitch about if
they had announced it earlier.  After the david and goliath raw sockets issue, the guy's on
a mission to debunk MS security in any way he can.  So, he jumps on the first exploit and
rides the coat tails of the FBI and eEye while adding another MS hate-page to the
Internet...  :-/  I didn't swalloe the other 3 billion, why start wit this one?

-S
0
Stefan
12/28/2001 12:33:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0ghdn$2en9$1@news.grc.com...
>
> "Sam Schinke" wrote in message:
>
> > I think what Steve is saying is that a couple months likely isn't long
> > enough to fully "audit" a brand-new OS _anyways_, so installing it in an
> > enterprise system so soon would be foolish, exploits aside.
>
> Well, that's not what he said, is it?

No, it isn't. He only said "(If any enterprise folks have been silly enough
to deploy XP so soon. :)"

You read it your way, I'll read it mine. I think he has said that it would
be silly to deploy XP so soon, what about you?

> And if it was, well, why not?  What's the magical day
> that it becomes ok to roll out?  as far as I'm concerned, that's what beta
testing is for.

I wouldn't waste my time in an enterprise setting by evaluating beta
software and then expect not to have to also evaluate the eventual "gold"
code. The day when it is ok to "roll out" is the day you have fully
evaluated the code you are considering rolling out. I would fully expect an
IT department that rolled out XP to have rolled it out with many services
and default behaviours turned off (when there is no need for them at all) or
modified (when the defaults aren't appropriate). I don't think there is a
need yet for UPnP in most enterprise environments.

> Roll out on day 1.  whooppee.  This, and every MS exploit ever found, is
patched by a 3
> second trip to Microsoft.com...

*g* You mean every exploit ever patched by MS, right?

> Yes, exploits will be found.  Yes, some very nasty ones may
> be found early.  I've never tried to deny that.  Was this not patched the
exact same day it
> was publicly announced?

It had been discovered two months prior, though. I shudder to think how
things would have been if someone less cooperative with MS than EEye had
discovered the hole.

> Aye...  it was.  So drop it already.  It's a non issue for anyone
> serious about their own computer security.

*g* I agree, seeing as anyone "serious" about their computer's security
would have all these unnecessary "default" services disabled. It is a big
issue for those who don't keep their ear to the ground about OS security
though.

> > Even if it isn't a "Real world threat", it could be soon. I still think
you
> > have misread what Steve wrote though.
>
> Not to anyone with an up-to-date, secure, patched system, it won't be...
And don't pull out
> the what if you're the target of a DDoS attack crap...  crackers already
had a bagillion and
> one ways to comandeer a machine...  this is just one more way of doing it.
If you were
> going to be a targetm you didn't need *this* exploit to become that
target.

The fact remains that this is one of the more serious exploits out there,
and that for volume of exploitable installations it is or will soon be one
of the most widely installed to date. I honestly do not expect a significant
portion of XP users to succesfully patch their machines. But that gets back
into the whole issue of who is responsible for this sort of thing.

> > A tertiary, and quite useless at present, hand that you have around just
_in
> > case_ you happen to find a use for it. If you only have it around for
the
> > possibility of it doing some good, it seems consistent to get rid of it
for
> > a possibility of "evil".
>
> I'll agree it should have been disabled by default.  I mean, if I agree on
the "no raw
> sockets in XP" issue, I'd look mighty dumb trying to argue that this
should have on by
> default.  It shouldn't have.  The flip side of the coin is that if MS
shuts off everything
> by default (like *nux), they get accused of making it not user friendly
enough (like *nux)
> and almost nobody out there will ever buy or use their product (like
*nux).  It's a loose -
> loose for them.  It's like nobody else ever sees that.

I have never heard a user complain of lack of friendlyness when turning
something they want back on is done with such a childishly easy GUI as in
XP. It's not loose-loose. MS has so much money obviously invested in UI
research, and it has payed off in usability and "friendlyness".

*nux doesn't do this at ALL, and turning anything on in *nux also requires
hours of configuring what you are turning on, though I imagine *nux versions
of UPnP will be fairly simple to enable (being that it's not a terribly
complex service).

> Steve spends most of the page whaling how MS didn't announce this far
enough before
> christmas...  SO WHAT!  ...as if he wouldn't have found something else to
bitch about if
> they had announced it earlier.

I honestly think the pages would have been shorter, and stuck to the "MS
isn't security aware" line, had this patch been released a month or a week
after it was discovered.

You don't see any "convenience" in patching four days before christmas? I
sincerely doubt that it would have taken two months to write and test this
patch when it only needs to be tested on a couple of OS's (unlike some other
patches), especially given that MS has issued patches on other issues FAR
faster.

> After the david and goliath raw sockets issue, the guy's on
> a mission to debunk MS security in any way he can.

I think that has been done for him, personally.

> So, he jumps on the first exploit and

This isn't the first exploit, though. It IS the first expoit that prompted
the FBI to urge consumers to uninstall services though.

> rides the coat tails of the FBI and eEye while adding another MS hate-page
to the
> Internet...  :-/  I didn't swalloe the other 3 billion, why start wit this
one?

I think he has done much more with those pages than just ride coat-tails,
but hey, that's just me.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/28/2001 1:57:00 AM
"Sam Schinke" wrote in message:

[...]

> > Roll out on day 1.  whooppee.  This, and every MS
> > exploit ever found, is patched by a 3
> > second trip to Microsoft.com...
>
> *g* You mean every exploit ever patched by MS, right?

They've patched every exploit that they've found.  The fact that exploits exist that have
never been found or patched is a non-issue.  Who is harmed by a "never been found" bug?
Uhm, no one.


> It had been discovered two months prior, though. I shudder to think how
> things would have been if someone less cooperative with MS than EEye had
> discovered the hole.

Yes...  I couldn't agree more.  People seeking the spotlight rather then trying to improve
product security are a real danger to the security of the computer world.  It's a good thing
this was found by eEye and not someone less concerned about the overall security of the
computing world...  like.... uhhhmmm....  well, like Steve, now that you mention it:
http://grc.com/lt/disclosure.htm

[Steve referring to software vendors]:
*******************************
"they reacted, in some cases, by defensively claiming that I had an obligation to secretly
inform them in advance before revealing these facts to the public. I disagree..."
    - Steve Gibson

*******************************

Who's really helping computer security?  Steve?  With an attitude like that?  hmph.
Whatever.


> *g* I agree, seeing as anyone "serious" about their computer's security
> would have all these unnecessary "default" services disabled. It is a big
> issue for those who don't keep their ear to the ground about OS security
> though.

Patching the hole is protection enough.  We don't *need* to get disable-happy with every
service on the system that we're not using.  An open port is *not* a security issue unless
there's something bad behind it.  By your logic, when a hole is found in IIS, the solution
is to shut off the webserver and block port 80.  Weeeeeeee...  Hey...  It stopped working...
Hmmmm...  Or did you manage to invent a sharp, pointy Internet packet?  :-)  For those who
don't "keep their ear to the ground about OS security"...  I've been very clear about my
opinion on them...  piss on them.  If you're in a situation to "need" security, you better
PUT yourself in a situation to "provide" security.  If not, enjoy your slow, painful
e-death.


> The fact remains that this is one of the more serious exploits out there,
> and that for volume of exploitable installations it is or will soon be one
> of the most widely installed to date. I honestly do not expect a significant
> portion of XP users to succesfully patch their machines. But that gets back
> into the whole issue of who is responsible for this sort of thing.

*G*.  he he he.  You're finally learning what I'm all about Sam.  congrats.  :-)


> I have never heard a user complain of lack of friendlyness when turning
> something they want back on is done with such a childishly easy GUI as in
> XP. It's not loose-loose. MS has so much money obviously invested in UI
> research, and it has payed off in usability and "friendlyness".

Well, you've never heard that complaint because, with MS, it's all *on* by default.  Hadn't
you noticed?  That's why we're having this conversation.  Just wait until the day it's all
off by default, then I'll be right.  :-)


> *nux doesn't do this at ALL, and turning anything on in *nux also requires
> hours of configuring what you are turning on.

BAH!  That's crap.  Do you even use Linux?  In my first two weeks I set up a maching to
access the net through an NT proxy server, run a web server, telnet server, mail server, and
FTP server...  Now, all that was done having never seen the OS before.  I just have a fairly
fast learning period on most stuff.  Now, you can spend hours of configuration to "tweak" it
to run the most efficiently, but there's no hours of configuration just to turn them on.
It's typically little more then changing a line or two in the "*.conf" file related to the
service you're trying to run.


> I honestly think the pages would have been shorter, and stuck to the "MS
> isn't security aware" line, had this patch been released a month or a week
> after it was discovered.

Again, who cares?  They patched it before anyone malicious exploited it...  enough said.


> You don't see any "convenience" in patching four days before christmas?

Oh please...  I'm not stupid either.


> I sincerely doubt that it would have taken two months to write and test this
> patch

I figure it'd take them two days... if they're slow.  It was a buffer overflow exploit...  I
can only assume they've learned how to patch these things by now... even if they still can
smarten up enough to stop putting them in.


> when it only needs to be tested on a couple of OS's (unlike some other
> patches), especially given that MS has issued patches on other issues FAR
> faster.

Again, I wasn't in disagreement...  I just don't think it matters.  MS is a company that
holds a much larger resposibility to it's share holders then it does to it's customers.
They're going to do what they need to do to make money.  If you haven't figured that out,
stop buying their products, because you're only misleading yourself.  It's not like they're
selling snake oil...  It's still an awesome product.  The public likes to take something
SMALL and blow it WAY out of proportion...  Look at all the Y2K panic over NOTHING two years
ago.  People love freaking out over nothing.  Buy the OS, download the patch, disable the
service, whatever you want to do...  it's still very secure for anyone who needs it to be.
What's the big deal?  The sky honestly isn't falling.  Let's all remove the tinfoil hat and
relax a bit.  Nobody cried bloody murder when Novell made their slip-up:
http://www.theregister.co.uk/content/55/23182.html  Where's Steve's nifty 20k-byte program
to protect us from Novell's stupidity?  But we're not anti-MS at all, are we?  Naaahhhhhh.


> > After the david and goliath raw sockets issue, the guy's on
> > a mission to debunk MS security in any way he can.
>
> I think that has been done for him, personally.

It's still a perfectly secure OS **for anyone who wants it to be**.



> I think he has done much more with those pages than just ride coat-tails

Like what?  I've read the eEye release, the FBI warnings, and the Microsoft statements.  He
offered nothing new aside from the anti-MS stuff.

-S
0
Stefan
12/28/2001 4:17:00 AM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.168f3428f0991a6e98a109@207.71.92.194...
> Hi Gang,
>

> _________________________________________________________________
> Steve Gibson,                         at work on: < "ID Serve" >

Initiating server query ...
<Snip>

*Last-Modified: Wed, 23 Aug 2000 19:45:13 GMT*

<Snip>
Query complete.

Just wondering. Does the Last-Modified date change when a security
update is installed?

ed
0
ed
12/28/2001 4:30:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0guhc$2u10$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
> [...]
>
> > > Roll out on day 1.  whooppee.  This, and every MS
> > > exploit ever found, is patched by a 3
> > > second trip to Microsoft.com...
> >
> > *g* You mean every exploit ever patched by MS, right?
>
> They've patched every exploit that they've found.  The fact that exploits
exist that have
> never been found or patched is a non-issue.  Who is harmed by a "never
been found" bug?
> Uhm, no one.

Stephen,

It depends on how you define "never been found".  If a system crashes and
you can't find the bug that causes it to crash, isn't it "not found"?  And
until it is found and fixed, it *can* do harm.
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/28/2001 4:34:00 AM
"Robert Wycoff" <Don't.use.Lockdown@any.price> wrote in message
news:a0gvb6$2v3e$1@news.grc.com...

Hi Robert,

> It depends on how you define "never been found".  If a system crashes and
> you can't find the bug that causes it to crash, isn't it "not found"?  And
> until it is found and fixed, it *can* do harm.

That is one way to look at it, but if someone using Steve's utility *re-enables*
the device UPnP via the utility ~ who is responsible for letting an UNPATCHED
machine loose on the Internet again?  This cures nothing...it only postpones.
Or is that not a concern to anyone.  They will click disable and forget about it.

The patch should be applied, then it should say "you have correctly applied the
patch for UPnP" or "your computer is not secured against UPnP exploits, here
is a link to the patch".  THEN....would you like to disable the UPnP service as
a further safeguard.
Or is that not a concern to anyone.

The patches for Win98/ME/XP can be found here;
http://makeashorterlink.com/?L5794114

'Seek and ye shall find'
NT Canuck
0
NT
12/28/2001 12:25:00 PM
On Thu, 27 Dec 2001 18:33:17 -0600,  "Stefan" <no.sp@m.please.com>
threw these bits into the ether:

>After the david and goliath raw sockets issue, the guy's on
>a mission to debunk MS security in any way he can.

Hardly. He has been debunking their security issues for several years.
As he should. I am glad he does. Two benefits. 1 - He is smart enough
about the innards to get into things. 2 - He is well respected and
gets attention.

>So, he jumps on the first exploit and
>rides the coat tails of the FBI and eEye while adding another MS hate-page to the
>Internet...  :-/  I didn't swalloe the other 3 billion, why start wit this one?

So what?? Don't read the Hate M$ sites.
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/28/2001 12:27:00 PM
"NT Canuck" <ntcanuck@hotmail.com> wrote in message
news:a0hr0f$n3j$1@news.grc.com...

[qed]

> That is one way to look at it, but if someone using Steve's utility
*re-enables*
> the device UPnP via the utility ~ who is responsible for letting an
UNPATCHED
> machine loose on the Internet again?  This cures nothing...it only
postpones.
> Or is that not a concern to anyone.  They will click disable and forget
about it.
>
> The patch should be applied, then it should say "you have correctly
applied the
> patch for UPnP" or "your computer is not secured against UPnP exploits,
here
> is a link to the patch".  THEN....would you like to disable the UPnP
service as
> a further safeguard.
> Or is that not a concern to anyone.
>
> The patches for Win98/ME/XP can be found here;
> http://makeashorterlink.com/?L5794114

NT,

Do I understand your point; you are saying Steve should go further with what
he has written on his web site?
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/28/2001 2:55:00 PM
"[The Hon. Rev. joWazzoo] " <LumberCartel@Lart.com> wrote in message:

> Hardly. He has been debunking their security issues for several years.
> As he should. I am glad he does. Two benefits. 1 - He is smart enough
> about the innards to get into things. 2 - He is well respected and
> gets attention.

For several years, eh?  :-)  ok then...  What, exactly, (before the raw sockets issue) was
he doing to debunk MS security?  I was around the site back then.  I recall the only thing
that ever even had to do with Microsoft was ShieldsUp and PatchWork, and neither of them
are anti-MS in nature.  ShieldsUp is showing a vulnerability in the NetBIOS networking
protocol, and doing some port scanning, but it's far from being anti-MS in nature.  I
quite enjoyed most of Steve's work back then...  Leaktest, the SpyWare research, all the
little apps he'd made...  all, very cool, targeted little apps.  There was hardly any of
what there is littering the site today.  However, it's trendy to be Anti-MS, and Steve has
only recently jumped on that bandwagon.  Patchwork was designed to show people MASSIVE
HOLES in their Microsoft NT Server.  That would have certainly been Steve's chance to
debunk MS and their lack of Security, but read the page for it:
http://grc.com/pw/patchwork.htm  He never spent the entire time whining about Microsoft
back when he made it.  Why does he do it with EVERYTHING now?  I liked the old Steve.
Now, he makes a product and spends more time insulting MS on the supporting web page then
he spends talking about the program he just made.  For some time now, it's been the cause
for my growing disenchantment with Mr. Gibson.  I'm just never "wowed" anymore because I
spend too much time surfing through personal opinion, anti-MS propaganda crap like this
(and he never did this sort of stuff before the raw sockets issue came along):

'Microsoft Security' - It takes every last bit of strength I have not to label those two
words "The Oxymoron that Keeps on Giving".
 - Steve Gibson

This goes to the heart of Microsoft's lack of understanding, or lack of honest concern,
about security.  And that's the bigger problem here.
 - Steve Gibson

It seems clear that Microsoft has their own agenda - whatever it may be - and that agenda
appears not to be concerned with their users' Internet security.
 - Steve Gibson

Unfortunately, today we see only the operation of blind self-interest from Microsoft...
 - Steve Gibson

With a bit of horror, I learned that Microsoft's developers have no understanding of
security.
 - Steve Gibson

Blah blah blah blah blah blah blah blah...  what's the point?  Microsoft, to make a
profit, needs to be concerned with what their customers are concerned with.  THAT'S HOW
YOU STAY IN BUSINESS; BY PLEASING YOUR CUSTOMERS!  Now, they're the biggest company on
Earth, so they must be doing something right, no?  Or do they put a gun to people's heads
and FORCE them to buy their products?  HA!  If they were doing everything all wrong,
nobody would buy their products.  Steve quite literally calls them a bunch a flaming
idiots who are running around all willy-nilly trying to destroy the world.  Whatever.  I
have little use for it.  Bring the old Steve back...  I'll be a supporter again.


> So what?? Don't read the Hate M$ sites.

That's sort of like saying, "don't watch a bad movie".  You need to see it before you know
it was bad.  At one time, Steve's work didn't stink of anti-MS propaganda the way it does
now.  I can deal with his "research", but the million-and-one pot shots he takes at them
are just plain silly.

-S
0
Stefan
12/28/2001 3:01:00 PM
"Robert Wycoff" <Don't.use.Lockdown@any.price> wrote in message
news:a0i3nf$102n$1@news.grc.com...

Hi Robert,

> Do I understand your point; you are saying Steve should go further with what
> he has written on his web site?

The Webpage itself is reasonable.

It is the utility itself 'Plug n' Pray' that I feel should address whether the
UPnP service is "fixed/patched", before attempting to disable the service.

I'd also be interested in whether eEye (who made initial UPnP report) now
considers WinXP to be *secure*, after all...calling it insecure was ok.

'Seek and ye shall find'
NT Canuck
0
NT
12/28/2001 3:15:00 PM
"NT Canuck" <ntcanuck@hotmail.com> wrote in message news:a0i4va$11i7$1@news.grc.com...

> The Webpage itself is reasonable.

To add a second thought;

Actually, I would greatly enjoy it if the webpage provided supporting
evidence of the vulnerability (reproducible) as he did with the Real
Network's issues.  That was something we all could relate with.

'Seek and ye shall find'
NT Canuck
0
NT
12/28/2001 3:24:00 PM
On Fri, 28 Dec 2001 09:01:28 -0600,  "Stefan" <no.sp@m.please.com>
threw these bits into the ether:

>For several years, eh?  :-)  ok then...  What, exactly, (before the raw sockets issue) was
>he doing to debunk MS security?  I was around the site back then.

I guess I was focusd on his Nwsgroup postings...

And I was not referring to being ant-Microsoft...fwiw, I have used
their products since 1981. Always hated their guts for their arrogance
among other things :-))

>I quite enjoyed most of Steve's work back then...  Leaktest, the SpyWare research, all the
>little apps he'd made...  all, very cool, targeted little apps.  There was hardly any of
>what there is littering the site today.  However, it's trendy to be Anti-MS, and Steve has
>only recently jumped on that bandwagon.

Well - he will have to speak for himself...maybe he just got pushed
over the proverbial edge having been bitten by IIS and getting DDoSed
and so on..

>Patchwork was designed to show people MASSIVE
>HOLES in their Microsoft NT Server.  That would have certainly been Steve's chance to
>debunk MS and their lack of Security, but read the page for it:
>http://grc.com/pw/patchwork.htm  He never spent the entire time whining about Microsoft
>back when he made it.  Why does he do it with EVERYTHING now? 

Dunno ... Steve:-)) ??

>I liked the old Steve.
>Now, he makes a product and spends more time insulting MS on the supporting web page then
>he spends talking about the program he just made.  For some time now, it's been the cause
>for my growing disenchantment with Mr. Gibson.  I'm just never "wowed" anymore because I
>spend too much time surfing through personal opinion, anti-MS propaganda crap like this
>(and he never did this sort of stuff before the raw sockets issue came along):

Like I said - maaybe that pushed him over the edge...


>This goes to the heart of Microsoft's lack of understanding, or lack of honest concern,
>about security.  And that's the bigger problem here.
> - Steve Gibson

That is a true statement in my humble opinion...

>It seems clear that Microsoft has their own agenda - whatever it may be - and that agenda
>appears not to be concerned with their users' Internet security.
> - Steve Gibson

Also agree...

>Unfortunately, today we see only the operation of blind self-interest from Microsoft...
> - Steve Gibson

Agree

>Bring the old Steve back...  I'll be a supporter again.

Well - I don't take the personal approach you do, but I guess I like
the old Steve better too. FWIW, I have known Steve indirely since the
80's - InfoWorld author and an ancient SpinRite versiomn 1.**
somthing...

>That's sort of like saying, "don't watch a bad movie".  You need to see it before you know
>it was bad.  At one time, Steve's work didn't stink of anti-MS propaganda the way it does
>now.  I can deal with his "research", but the million-and-one pot shots he takes at them
>are just plain silly.

Well - we all can have our opinions. I respect that. I don't agree
necessarily - like I said I hate M$. ;-)) You obviously have ben
assimilated - just what they want and like...

I do think though that you have some good points. Maybe Steve will se
this thread....
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/28/2001 3:32:00 PM
On Fri, 28 Dec 2001 09:01:28 -0600, "Stefan" <no.sp@m.please.com>
wrote, in part:
>
>Blah blah blah blah blah blah blah blah...  what's the point?  Microsoft, to make a
>profit, needs to be concerned with what their customers are concerned with.  THAT'S HOW
>YOU STAY IN BUSINESS; BY PLEASING YOUR CUSTOMERS!  Now, they're the biggest company on
>Earth, so they must be doing something right, no?  Or do they put a gun to people's heads
>and FORCE them to buy their products?  HA!  If they were doing everything all wrong,
>nobody would buy their products.  Steve quite literally calls them a bunch a flaming
>idiots who are running around all willy-nilly trying to destroy the world.  Whatever.  I
>have little use for it.  Bring the old Steve back...  I'll be a supporter again.
>

Thank you for your post.

I think Steve's primary concern is about technology that is inherently
damaging to its users. In my opinion, since Microsoft has a monoploy
and a commanding position in the industry, bad choices on their part
can affect us all. It seems then that unless one goes through life
with their head buried in their posterior, one cannot do any serious
work involving security without commenting about Microsoft's
contributions to the problems that are attributable to their practices
and policies.
0
use
12/28/2001 4:01:00 PM
"[The Hon. Rev. joWazzoo] " wrote in message:

[...]

You make a lot of good points...

> I guess I was focused on his Newsgroup postings...

That could be...  I never found my way into the newsgroups until about 1/2 a year ago or
whenever the raw sockets issue all started.  Before that, I only ever read the web pages
since some time in '99 when I found the place.  Still, his style of web-page writing has
really started leaning towards the anti-MS side of the world in the past year.  You
obviously also know that it wasn't like this originally.


> And I was not referring to being ant-Microsoft...fwiw, I have used
> their products since 1981. Always hated their guts for their arrogance
> among other things :-))

That's what I don't get.  You do know you have other options, right?  Linux isn't that
hard to use.  Go get a copy the latest Mandrake release and fire it up...  I hear it's
great.  Instead, you claim to "hate" something in the same sentence where you claimed to
use it for the last 20 years.  It's like picking a food you hate and having it or supper
for 20 years straight.  I don't get it...  I know a few guys who work on nothing but Linux
and make a damn good living doing it, so I'm not just talking out of my ass here.
Nothing's worse then listening to them harp about Microsoft, but hey, at least they've
exercised their right to use something else.  That, I can at least respect as far as the
"I hate MS" crowd goes.


> Well - he will have to speak for himself...maybe he just got pushed
> over the proverbial edge having been bitten by IIS and getting DDoSed
> and so on..

Oh, I certainly think you're right there.  However, the time has come to step back, look
at the way he writes things now and begin a push towards the "old Steve" style of writing.
Present the facts, and stay a little more neutral while doing it.  The world does not need
another loud anti-MS voice to scream about every slip-up they make.  Consider this...
here's a quote from Bill Gates on the "Old Steve":

*********************************
"Steve is a technical guy who brings complex issues down to Earth. Throughout the years
his opinions and insight have served as important benchmarks for the personal computer
industry."
- Bill Gates, Chairman, Microsoft Corporation
*********************************

Do you think *anyone* down at Microsoft&Co would say something like that about him now?  I
doubt it.  I REALLY REALLY doubt it.
Another thing to consider.  Look at the three main groups involved with this latest
exploit.  Microsoft, eEye, and the FBI.  Now, forget Microsoft because they'd never insult
themselves.  Let's just look at eEye, and the FBI.  Neither of those groups felt the need
to make a statement like:  "With a bit of horror, I learned that Microsoft's developers
have no understanding of security", so why does Steve do it?  Furthermore, why did he
never do it before in his older web pages?  (unless you're right about finally being
pushed over the edge by the DDoS attacks, et al...)

> Well - I don't take the personal approach you do, but I guess I like
> the old Steve better too. FWIW, I have known Steve indirely since the
> 80's - InfoWorld author and an ancient SpinRite versiomn 1.**
> somthing...

I enjoy almost anything informative that tries very hard to stay "neutral".  That's why I
kept coming back here time and again.  As soon as any write-up moves towards the extreme
end of either end of the scale, it loses credibility to me.  That's, again, why I think
anti-GRC schmucks like TC Greene are a waste of skin.  They're so busy insulting Steve
that they never open their friggin eyes and see all the great work he's done.


> Well - we all can have our opinions. I respect that. I don't agree
> necessarily - like I said I hate M$. ;-)) You obviously have been
> assimilated - just what they want and like...

Assimilated?  Nah...  I was born into the borg-like ways of the MS empire.  :-)  he he
he...  Nah...  I just look at all of it in the REAL world.  Don't ask for the moon, and
you won't be disappointed when you don't get it.  It's very complex software. THERE WILL
BE BUGS!  THERE WILL BE EXPLOITS!  It happens to EVERYONE in the industry, NOT JUST
MICROSOFT!  However, MS is the giant, and giants always bring out giant killers, and giant
killers annoy me.  So roll with it one day at a time, keep your software current, do what
you can to maintain a secure system, and if, at any time, you "hate" the product you
use...  stop using it, or use something else.


> I do think though that you have some good points. Maybe Steve will see
> this thread....

Yea...  I'd be interested in hearing a reason for the increase in anti-MS attitude over
the previous year.  I suspect you're right...  who knows.

-S
0
Stefan
12/28/2001 4:24:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
That's sort of like saying, "don't watch a bad movie".  You need to
see it before you know
> it was bad.  At one time, Steve's work didn't stink of anti-MS
propaganda the way it does
> now.  I can deal with his "research", but the million-and-one pot
shots he takes at them
> are just plain silly.

> -S  36500

Hmm a million (and one) pot shots,
don't have a calculator handy, but say at 100 per day, 365 days a
year,
well shite that'd make him 25 years potting at Microsoft.
I guess your MS apologisings are sure going to keep you busy for the
next what, say 25 years.
How's your stamina ?
Cheers
Tommy
0
Tommy_k
12/28/2001 4:25:00 PM
On Fri, 28 Dec 2001 10:24:03 -0600,  "Stefan" <no.sp@m.please.com>
threw these bits into the ether:

>That's what I don't get.  You do know you have other options, right?

In some cases, now yes...

>Instead, you claim to "hate" something in the same sentence where you claimed to
>use it for the last 20 years.  It's like picking a food you hate and having it or supper
>for 20 years straight.  I don't get it...

VisiCalc only ran well on IBM PC type machines running MS basd OS. (I
had an Appl III and it was a pic of junk.)

Lotus 1-2-3 only ran under M$ based OS

dBASE only ran undr M$ based OS

And so on...

My clients often dictate what I have to use....

>I know a few guys who work on nothing but Linux
>and make a damn good living doing it, so I'm not just talking out of my ass here.

I know...

>Nothing's worse then listening to them harp about Microsoft, but hey, at least they've
>exercised their right to use something else.  That, I can at least respect as far as the
>"I hate MS" crowd goes.

There is NO excuse for many of the M$ based problems - NONE. Not when
you are as big as they are....

>Oh, I certainly think you're right there.  However, the time has come to step back, look
>at the way he writes things now and begin a push towards the "old Steve" style of writing.
>Present the facts, and stay a little more neutral while doing it.  The world does not need
>another loud anti-MS voice to scream about every slip-up they make. 

You may have a good point.

>themselves.  Let's just look at eEye, and the FBI.  Neither of those groups felt the need
>to make a statement like:  "With a bit of horror, I learned that Microsoft's developers
>have no understanding of security", so why does Steve do it?  Furthermore, why did he
>never do it before in his older web pages?  (unless you're right about finally being
>pushed over the edge by the DDoS attacks, et al...)

If this reducs his effectiveness, then we all lose.

>I enjoy almost anything informative that tries very hard to stay "neutral".  That's why I
>kept coming back here time and again.  As soon as any write-up moves towards the extreme
>end of either end of the scale, it loses credibility to me.  That's, again, why I think
>anti-GRC schmucks like TC Greene are a waste of skin.  They're so busy insulting Steve
>that they never open their friggin eyes and see all the great work he's done.

Excellant points!!

>Yea...  I'd be interested in hearing a reason for the increase in anti-MS attitude over
>the previous year.  I suspect you're right...  who knows.

Maybe I can get his attention....
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/28/2001 4:39:00 PM
"Security Conscious" wrote in message:

> Thank you for your post.

Oh, you're very welcome.  :-)


> I think Steve's primary concern is about technology that is inherently
> damaging to its users.

Ok, however no Microsoft product is inherently damaging to it's users.  If it was, they
wouldn't be using it.  That sort of over-exaggerating is what I'm talking about.  People
take a few bugs/exploits and then use them to paint a picture of "technology that is
inherently damaging to its users".  It's just not true.  In fact, on the whole, it's very
helpful to it's users.  The only harm it could ever do them is if they fail to protect
themselves at some point in time by not caring about their own security enough.  Look at
where Microsoft has taken the computer world over the last 10 years.  I don't see what's
"inherently damaging to its users" about their contributions to computer technology.
However, I do see a lot of "good" they've done, despite a few snags along the way.


> In my opinion, since Microsoft has a monoploy
> and a commanding position in the industry, bad choices on their part
> can affect us all.

True, but they're not *chosing* to put exploits in.  Come on... be fair...  They're trying
their best to make a secure product that's easy to use for anyone out there.  It's a
tug-o-war between security and ease-of-use and they loose if they go too far in either
direction.  Unfortunatly, to make the machine easy for grandpa to use, they turn a lot of
stuff on by default.  They have a nasty habbit of even turning on the things that grandpa
will never use.  I won't deny that they could do better, but hindsight is always 20/20.
Nobody said a damn thing bad about UPnP *before* the exploit was announced.  It's so easy
to point out mistakes in hindsight.  Where were the people complaining about UPnP before
the exploit was found?  Where were they?  Huh?  As for Microsoft, too often they let
ease-of-use win out over maximum security, but it's always been like that.  ALWAYS.
That's what made MS popular and gave Linux the reputation of not being user friendly
enough.  So, they make the OS that's easy to use and they make it very easy to keep
up-to-date and secure.  Unfortunatly (despite how terribly EASY it is to do) people still
don't do a good enough job of keeping it up to date.  That's their fault, not Microsoft's.
Every system I *EVER* install from scratch is completely up-to-date before it's ever
handed off to the person I'm setting it up for.  I then show them how to keep it
up-to-date.  If they can't follow that simple of instructions, how is that MS's fault?


> It seems then that unless one goes through life
> with their head buried in their posterior, one cannot do any serious
> work involving security without commenting about Microsoft's
> contributions to the problems that are attributable to their practices
> and policies.

Well, these security issues only become real world threats because of people who go
through life with their head buried in their posterior.  If everyone kept their machine
up-to-date, this exploit issue would be a non-issue, wouldn't it?  :-)

-S
0
Stefan
12/28/2001 4:56:00 PM
"Tommy_k" wrote in message:

> Hmm a million (and one) pot shots,
> don't have a calculator handy, but say at 100 per day, 365 days a
> year,
> well shite that'd make him 25 years potting at Microsoft.
> I guess your MS apologisings are sure going to keep you busy for the
> next what, say 25 years.
> How's your stamina ?
> Cheers
> Tommy


http://www.dictionary.com/cgi-bin/dict.pl?term=figure%20of%20speech

:-)

-S
0
Stefan
12/28/2001 4:59:00 PM
"[The Hon. Rev. joWazzoo] " wrote in message:

> >That's what I don't get.  You do know you have other options, right?
>
> In some cases, now yes...

Some?  Most.  The most poular office-ware is MS-Office.  MAC has it's own MS-Office suite
I hear (However, I've never seen it because I don't play with "fruit" computers), and
Linux distos come with StarOffice which open MS Office apps (mostly).  That covers
80-some% of the businesses out there.  The ones who don't use MS Office are probably using
Corel Office, and it runs on Linux too.  :-)  Most databases either work or can be easily
converted to something that works on Linux. etc, etc, etc...


> VisiCalc only ran well on IBM PC type machines running MS basd OS. (I
> had an Appl III and it was a pic of junk.)
> Lotus 1-2-3 only ran under M$ based OS
> dBASE only ran undr M$ based OS
> And so on...
> My clients often dictate what I have to use....

Fair enough, but you don't need to EVER connect your MS computer to the Internet if you
don't want to.  So, any exploits it has in it can't hurt you in that case.  Just hook a
Linux box to the net, and keep the MS box off the Internet when you're doing work for your
customers.  You can still MAINLY run something else...  even if you need an MS box kicking
around for working with.  :-)  (no matter how hard you try, you can't win the "I was
forced to use MS argument"... at least not anymore)


> There is NO excuse for many of the M$ based problems - NONE. Not when
> you are as big as they are....

You say that like bigger = better.  That's typically not the case in any business.  Bigger
usually equals confusion as a whole and messy bureaucracy bu11Sh!t behind every little
decision that needs to be made quickly.  I work in a rather small company that does quite
a bit of work for the government, so I run up against the dyslexic Robin Hood bureaucratic
crap on a semi-daily basis.  they can't scratch their @$$ without first getting approval
at 18 different levels.  Smaller is certainly better (well, as far as *company* size
goes...  *G*... he he he).

Pleasure talkin to ya.  :-)

-S
0
Stefan
12/28/2001 5:23:00 PM
Hello Stefan:

Please allow me to summarize the discussion as I see it:

-You criticize Steve for criticizing Microsoft

-I said that it is appropriate to criticize Microsoft because they
have some responsibility for security problems.

-You say that Microsoft doesn't deliberately create vulnerabilities,
Microsoft makes neat products, and that  problems are caused by users
who do not keep up with all of the fixes needed by the neat products
to fix vulnerabilities that were not deliberately created.

You haven't addressed my point, why can't Steve criticize Microsoft?

Is it because:

- he is wrong
- he does it too much 
- others are not interested
- Bill Gates gets ulcers
- all of the above
- none of the above
0
use
12/28/2001 5:52:00 PM
"Security Conscious" wrote in message:

> Please allow me to summarize the discussion as I see it:

Okeedookee


> -You criticize Steve for criticizing Microsoft

No.  I criticize Steve for flaming away about Microsoft and saying things like they "don't
understand security".  I'm fairly certain that they understand security even if it's
unfortunatly often compromised by their desire to make easy-to-use software.


> I said that it is appropriate to criticize Microsoft because they
> have some responsibility for security problems.

You can criticize Microsoft for any problem that's being exploited and they haven't done
everything they can to fix it.  To criticize them for making the problem in the first
place is no more appropriate than it is to call people flaming retards for not being able
to hit the Windows Update button and keep their machine up-to-date and secure.  Their job,
compared to MS's job, is easy.


> -You say that Microsoft doesn't deliberately create vulnerabilities,

Yup.  That sounds like something I said.


> Microsoft makes neat products, and that  problems are caused by users
> who do not keep up with all of the fixes needed by the neat products
> to fix vulnerabilities that were not deliberately created.

How hard is it to "keep up"?  You need to hit a button, a few check boxes, a few more
buttons, and reboot.  I could teach a drunk retarded monkey to do it.


> You haven't addressed my point, why can't Steve criticize Microsoft?

For the EXACT same reasons people here seem to think TC Greene shouldn't criticize Steve.
You feel free to figure out whatever the hell that reason is, and get back to me on it.
Personally I'd say that reason is overlooking all the great work being done in order to
bitch and cry about something small and pointless that means nothing when you sit back and
look at the big picture.

-S
0
Stefan
12/28/2001 6:14:00 PM
Tommy_k wrote in message ...
>
>Hmm a million (and one) pot shots,
>don't have a calculator handy, but say at 100 per day, 365 days a
>year,
>well shite that'd make him 25 years potting at Microsoft.
>I guess your MS apologisings are sure going to keep you busy for the
>next what, say 25 years.
>How's your stamina ?
>Cheers
>Tommy
>
>

Tommy,
               Why bother? It's like the zoo, we really should not feed
them :-)

Happy New year Everyone!


Charlie.

Wymsey Village Web
www.wymsey.co.uk
As seen on TV!
0
CharlieBoy
12/28/2001 7:18:00 PM
On Fri, 28 Dec 2001 12:14:37 -0600, "Stefan" <no.sp@m.please.com>
wrote: in part:
>
>> You haven't addressed my point, why can't Steve criticize Microsoft?
>
>For the EXACT same reasons people here seem to think TC Greene shouldn't criticize Steve.
>You feel free to figure out whatever the hell that reason is, and get back to me on it.
Answering my question by inviting me to figure out the answer isn't
very helpful.

>Personally I'd say that reason is overlooking all the great work being done in order to
>bitch and cry about something small and pointless that means nothing when you sit back and
>look at the big picture.
>
I assume that by something small and pointless you mean continuing to
market an OS for thirty days after you have been told that it has a
serious security vulnerability without informing your customers, or to
be found by the US Federal Court to have acted in conflict with the US
statutes relating to the restriction of trade. 

I do not agree that Microsoft is doing great work given its inability
to create useful applications that are not rife with security issues.
And, to say that the security/privacy problems Steve is dealing with
are pointless in view of the great work they are doing could make the
situation even worse.

My concern is that if Microsoft is left to its own devices, it will
continue to create more problems than can be solved by the Steve
Gibsons of the world.
0
use
12/28/2001 7:42:00 PM
"Security Conscious" wrote in message:

> >> You haven't addressed my point, why can't Steve criticize Microsoft?
> >
> >For the EXACT same reasons people here seem to think TC Greene shouldn't criticize
Steve.
> >You feel free to figure out whatever the hell that reason is, and get back to me on it.
>
> Answering my question by inviting me to figure out the answer isn't
> very helpful.

Well then why not read the very next sentence I typed... you know...  the one where I
started out by saying "Personally I'd say that reason is..."  :-/


> I assume that by something small and pointless you mean continuing to
> market an OS for thirty days after you have been told that it has a
> serious security vulnerability without informing your customers

So what?  Who was harmed by it during that time?  Nobody.  Nobody even knew it existed
except eEye and Microsoft before they announced it.  I already addressed that point
earlier in the thread.


> or to be found by the US Federal Court to have acted in conflict with
> the US statutes relating to the restriction of trade.

What in the flying blue hell does that have to do with security in their application
developement?  :-/


> I do not agree that Microsoft is doing great work given its inability
> to create useful applications that are not rife with security issues.

What security issues?  Look at all the major exploits that have nailed the computer world.
Microsoft had patched all of them before they ever harmed anyone.  Most of the time you
have a 2 month window in which to apply the patch before it becomes a real threat to
anyone.  The patch for Nimda was out *6 months* before Nimda itself was out...

You find me anyone who was hit by Code Red, I'll show you how it was their own fault.
You find me anyone who was hit by Nimda, I'll show you how it was their own fault.
You find me anyone who was hit by Goner, I'll show you how it was their own fault.
You find me anyone who was hit by Sircam, I'll show you how it was their own fault.
You find me anyone who was hit by Magistr, I'll show you how it was their own fault.
You find me anyone who was hit by LoveBug, I'll show you how it was their own fault.
You find me anyone who was hit by Melissa, I'll show you how it was their own fault.
You find me anyone who was hit by _________, I'll show you how it was their own fault.

and in a few more weeks...

You show me anyone hit by the XP UPnP exploit, I'll show you how it was their own fault.


> And, to say that the security/privacy problems Steve is dealing with
> are pointless in view of the great work they are doing could make the
> situation even worse.

What did Steve deal with?  eEye found it, and Microsoft patched it.  The FBI released a
warning to shut it off.  Millions of people world-wide have protected themselves without
so much as knowing Steve even exists.


> My concern is that if Microsoft is left to its own devices, it will
> continue to create more problems than can be solved by the Steve
> Gibsons of the world.

That sounds really nice, but Steve didn't discover OR fix this problem.  Try again.  eEye
discovered it, and Microsoft fixed it.  For the record, don't call UnPnP a "fix".  That's
like writing a program to shut off IIS, and calling it a "fix" for Code Red.  All it does
is shuts off UPnP by disabling the service in XP.  Hell, You don't even need UnPnP to do
that, just do this:

1. Click the "Start" button
2. Go to the "Control Panel" tab and press it
3. Go to the "Administrative Tools" folder and double click on it
4. Go to the "Services" icon and double click on it.
5. Double click on "Universal Plug and Play Device Host" service.
6. Select the "General" tab there will be a field called "Startup Type"
7. In the "Startup Type:" field change the option to "Disabled" and click "Ok"

VOILA!  Now, it's cute that some people need a little program to accomplish something that
simple.  I quite honestly don't. It's fine if you need it, but that doesn't make it a fix.

-S
0
Stefan
12/28/2001 8:35:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0inm8$1mop$1@news.grc.com...
>
> 1. Click the "Start" button
> 2. Go to the "Control Panel" tab and press it
> 3. Go to the "Administrative Tools" folder and double click on it
> 4. Go to the "Services" icon and double click on it.
> 5. Double click on "Universal Plug and Play Device Host" service.
> 6. Select the "General" tab there will be a field called "Startup Type"
> 7. In the "Startup Type:" field change the option to "Disabled" and click
"Ok"
>
> VOILA!  Now, it's cute that some people need a little program to
accomplish something that
> simple.  I quite honestly don't. It's fine if you need it, but that
doesn't make it a fix.
>

Hey Mr. KnowEverything,

Better kill SSDP while you are at it. That's the little booger that opens
the ports.

Phil
0
Phil
12/28/2001 8:42:00 PM
"Phil Youngblood" wrote in message:

> Hey Mr. KnowEverything,
>
> Better kill SSDP while you are at it. That's the little booger that opens
> the ports.
>
> Phil


The better question is why do you think an open port is a problem???  It's just port.  Who
cares?  Get a port scanner and you'll find thousands of open ports all over the Internet.
OH DEAR GOD!!!  WE'RE ALL GONNA DIE!!!  :-)  The very dangerous port 80 allows information
to come and go from your machine while you think you're only surfing the net.  AHHHHH!  I
already said earlier in this thread (and several times in the past):

"An open port is *not* a security issue unless there's something bad behind it."
    -Me

that particular quote of 'myself' is in my reply to Sam a little ways back in this thread
in this message:
Message-ID: <a0guhc$2u10$1@news.grc.com>

For the record, I'm not Mr. KnowEverything.  I'd rather be called Mr.
ApplysSomeCommonSenseBecauseTheSkysNotFalling.  :-)

ttyl,
-Stefan.
0
Stefan
12/28/2001 8:53:00 PM
On Fri, 28 Dec 2001 14:35:00 -0600, "Stefan" <no.sp@m.please.com>
wrote, in part:

>> I assume that by something small and pointless you mean continuing to
>> market an OS for thirty days after you have been told that it has a
>> serious security vulnerability without informing your customers
>
>So what?  Who was harmed by it during that time?  Nobody.  Nobody even knew it existed
>except eEye and Microsoft before they announced it.  I already addressed that point
>earlier in the thread.
That does not mean that it otherwise would not have been discovered,

What about the ethics of selling a product without disclosing this to
a customer? Where did you answer this?


>> or to be found by the US Federal Court to have acted in conflict with
>> the US statutes relating to the restriction of trade.
>
>What in the flying blue hell does that have to do with security in their application
>developement?  :-/

With a monopoly market, associated retailers have limited choices. The
flying blue hell problem is that OEMs are obliged to load everything
included in the Microsoft OS warts and all.
>
>
>> I do not agree that Microsoft is doing great work given its inability
>> to create useful applications that are not rife with security issues.
>
>What security issues?  Look at all the major exploits that have nailed the computer world.
>Microsoft had patched all of them before they ever harmed anyone.

Bovine Excreta. I can introduce you to a retired school teacher that
lost major junks of her genalogical research because of a virus made
possible because of Outlook Express
 
>Most of the time you
>have a 2 month window in which to apply the patch before it becomes a real threat to
>anyone.  The patch for Nimda was out *6 months* before Nimda itself was out...
>
>You find me anyone who was hit by Code Red, I'll show you how it was their own fault.
>You find me anyone who was hit by Nimda, I'll show you how it was their own fault.
>You find me anyone who was hit by Goner, I'll show you how it was their own fault.
>You find me anyone who was hit by Sircam, I'll show you how it was their own fault.
>You find me anyone who was hit by Magistr, I'll show you how it was their own fault.
>You find me anyone who was hit by LoveBug, I'll show you how it was their own fault.
>You find me anyone who was hit by Melissa, I'll show you how it was their own fault.
>You find me anyone who was hit by _________, I'll show you how it was their own fault.
You cannot have it both ways by aying on the one hand Microsoft
software is so easy to use while on the other hand saying well we
cannot help it if you do follow up on our confusing regime of patches
and turn off our nifty features like ActiveX and VB scripting.
>
>and in a few more weeks...
>
>You show me anyone hit by the XP UPnP exploit, I'll show you how it was their own fault.
>
>
>> And, to say that the security/privacy problems Steve is dealing with
>> are pointless in view of the great work they are doing could make the
>> situation even worse.
>
>What did Steve deal with?  eEye found it, and Microsoft patched it.  The FBI released a
>warning to shut it off.  Millions of people world-wide have protected themselves without
>so much as knowing Steve even exists.
>
How can you say this?

>> My concern is that if Microsoft is left to its own devices, it will
>> continue to create more problems than can be solved by the Steve
>> Gibsons of the world.
>
>That sounds really nice, but Steve didn't discover OR fix this problem.  Try again.  eEye
>discovered it, and Microsoft fixed it.
60 days later

>  For the record, don't call UnPnP a "fix".  That's
>like writing a program to shut off IIS, and calling it a "fix" for Code Red.  All it does
>is shuts off UPnP by disabling the service in XP.  Hell, You don't even need UnPnP to do
>that, just do this:
>
>1. Click the "Start" button
>2. Go to the "Control Panel" tab and press it
>3. Go to the "Administrative Tools" folder and double click on it
>4. Go to the "Services" icon and double click on it.
>5. Double click on "Universal Plug and Play Device Host" service.
>6. Select the "General" tab there will be a field called "Startup Type"
>7. In the "Startup Type:" field change the option to "Disabled" and click "Ok"
>
>VOILA!  Now, it's cute that some people need a little program to accomplish something that
>simple.  I quite honestly don't. It's fine if you need it, but that doesn't make it a fix.
>
You are one smug dude. Even though you don't need Steve's help, there
are many that do
0
use
12/28/2001 9:29:00 PM
"Security Conscious" wrote in message:

> That does not mean that it otherwise would not have been discovered,

Ok, but it wasn't.  If it had been, I'm sure they'd have blasted out the patch that same
afternoon.  I NEVER denied the fact that they could have told people about it sooner.  I
never denied that they held off to protect their holliday sales season.  I think they
chose not to tell anyone in order to avoid some freak-out session comparable to Y2K
all-for-nothing hype two years ago.  People LOVE to freak out over stuff.  I don't blame
MS for waiting until a slow sales season to release the possible freak-out news.  It's
still a great product.  God forbid they try to make money.  How long did Ford try to
cover-up the Explorer tire recall last year?  And Windows XP isn't KILLING people when it
blows up on the highway...  It's just a piece of software, man!  good gawd.  Install a
patch, disable the service, and move on with life.


> What about the ethics of selling a product without disclosing this to
> a customer? Where did you answer this?

I did answer it.  I said "so what".  This is Microsoft Windows we're talking about folks!
There WILL be bugs.  There WILL be exploits.  When you buy during the first month it's
gone gold, you should KNOW it'll have bugs that will one day need to be patched!  WTF?!?!?
Did you think that XP was never going to have a security hole in it that required a patch?
If not, they who cares when you find out it does have holes that require a patch?  Just
patch it and move on.


> With a monopoly market, associated retailers have limited choices. The
> flying blue hell problem is that OEMs are obliged to load everything
> included in the Microsoft OS warts and all.

retailers have limited choices?  BULL!  Retailers can sell whatever the hell they want to
sell.  They *choose* to sell Microsoft products because it's what everybody wants to buy.
There's no FORCE here.  It's a choice.  Why do people keep beating that dead horse?  Does
Microsoft execute people for using other software?  I don't get it.


> Bovine Excreta. I can introduce you to a retired school teacher that
> lost major junks of her genalogical research because of a virus made
> possible because of Outlook Express

What virus?  I'm willing to bet that if it was even possible to make a patch for it, then
the patch was released before the virus ever got to her.  If not, it was probably a
malicious trojan (as opposed to a virus) that reqired her to execute an attachment... and
you can't install a patch to protect people from their own silliness (running malicious
programs and what not).  If it was something like "Nimda" (that didn't require her to run
an attachment), it would have probably not effected her on a completely up-to-date system.
It didn't just pop into her machine because she turned it on and sneezed on the screen, so
I'm guessing you can't pass the buck over to Microsoft.  Furthermore, if her research was
all that important, it should have been backed up to another computer.  You can even get
web-based file-storage to copy important files to if you don't have a second computer to
back your files up on.  I know, because I use such a service to keep a complete inventory
of everything I own (in an eXcel spreadsheet) should I ever be broken into (robbed) or
have my house burn down, etc, etc and need to file an insurance claim.

Granted, you think it makes more sense to just blame Microsoft when the machine becomes
infected...  like Bill Gates came over and installed a virus on her machine.  It's like
driving until you run out of gas, then blaming the company that made the car.  It seems
like common sense that you need to keep you car full of gas, but it's somehow rocket
science to keep your computer up-to-date.


> You cannot have it both ways by aying on the one hand Microsoft
> software is so easy to use while on the other hand saying well we
> cannot help it if you do follow up on our confusing regime of patches
> and turn off our nifty features like ActiveX and VB scripting.

CONFUSING REGIME OF PATCHES?!?!?  WTF?!?  Come on!  How hard is it really to hit the
Windows Update button and click on all the "critical updates".  They even have that
"keeping windows up to date automagically" program for people too lazy to check in with
website regularily.  My mom can do it, and she can't even figure out copy&paste after
being told 35 times.  There's NOTHING at all confusing about keeping the system up to
date.  NOTHING.  You can't call that "having it both ways".  I call that understanding the
way computer technology operates.  Anyone in a position to require security, better put
themselves in a position to provide that security.  If not...  :-/


> >What did Steve deal with?  eEye found it, and Microsoft patched it.  The FBI released a
> >warning to shut it off.  Millions of people world-wide have protected themselves
without
> >so much as knowing Steve even exists.
> >
>
> How can you say this?

How can you disagree?  Of the 7 million copies of XP sold, do you think that all 7 million
people will need to know about GRC.com before they can protect themselves from the UPnP
exploit?  Hardly.  That's all I'm saying.


> You are one smug dude.

Yes.  you noticed?


> Even though you don't need Steve's help, there
> are many that do

Wrong.  There are many (MANY MANY MANY) people who *APPRECIATE* Steve's help, and that's
why I keep coming back to this site...  Because I honestly like the work he does.  It's
interesting, and he's a great writer.  However, don't confuse "appreciate" with "need".
Steve does great work, but there isn't a lot here that you couldn't get somewhere else.
My favorite work of Steve's is probably the "real networks/Spyware" pages because I did
learn all that only from him.  I'd never seen it anywhere else before reading it at GRC
(that's not to say it doesn't exist anywhere else though - I don't know if it does or
not).  Granted, I hated the RealPlayer and never used it even before reading Steve's
write-up.  This is just a realistic attempt to explain that Steve didn't find or fix this
exploit.  eEye found it, Microsoft fixed it.  Steve only wrote a program that disables two
XP services.  Despite the fact Steve helps an awful lot of people, the world really would
exist without him.  It would probably even keep spinning around the sun the way it has for
millions of years.

-S
0
Stefan
12/28/2001 10:33:00 PM
Stefan,

> Don't you mean, "if any enterprise folks have been silly enough
> to not patch the exploit found in XP"?  The fact they deployed
> XP is neither here nor there so long as they keep it up to date
> and secure.

No, that's not what I mean.  What I said is what I mean.

If you look around the industry you'll find that the common wisdom 
and advice being given is for anyone serious about security and 
stability to avoid Windows XP.


> Steve, it was *YOU* who said the security holes never become a
> real world threat until some hacker designs an easy to use tool.
> Now, it's become convienient to contradict that statement simply
> because it's trendy to be anti-Microsoft.  Yeaaa!  :-/

No, you are misquoting what I said ... and I think you know it.

> ...or they can run UnPnP, which follows the logic of just chop
> off your hands to prevent even the possibility of committing any
> further evil.  :-/

It's clear that you're just trolling here.  But so long as people 
enjoy bantering back and forth with you I think that's fine.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/28/2001 10:37:00 PM
Stefan,

> As per that last part in []'s....  you do know that UnPnP
> isn't doing anything magical, right?  We're only talking
> about disabling a service...
> 
> In Windows XP:
>   1. Click the "Start" button
>   2. Go to the "Control Panel" tab and press it
>   3. Go to the "Administrative Tools" folder and double click on it
>   4. Go to the "Services" icon and double click on it. It looks like two gears interlocked
> with each other
>   5. Scroll down until you see the "Universal Plug and Play Device Host" service and double
> click on it
>   6. A window will pop up with several tabs, on the "General" tab there will be a field
> called "Startup Type"
>   7. In the "Startup Type:" field change the option to "Disabled" and click "Ok"
> 
> Voila!

Whoops!  You've just made my point.  You have just disabled
the WRONG service.  I wrote UnPnP to prevent such mistakes.  :)

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/28/2001 10:39:00 PM
You really need to take a deep breadth and a break...You seem to Love
Micro$ux as much as you allege that Steve hates it.

To each his own.

>CONFUSING REGIME OF PATCHES?!?!?  WTF?!?  Come on!  How hard is it really to hit the
>Windows Update button

What is a windows Update button??
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/28/2001 10:40:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0guhc$2u10$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
> [...]
>
> > > Roll out on day 1.  whooppee.  This, and every MS
> > > exploit ever found, is patched by a 3
> > > second trip to Microsoft.com...
> >
> > *g* You mean every exploit ever patched by MS, right?
>
> They've patched every exploit that they've found.  The fact that exploits
exist that have
> never been found or patched is a non-issue.  Who is harmed by a "never
been found" bug?
> Uhm, no one.

There is a difference between never been found, and known about by non-MS
people. Component XYZ is not secure against those hacks. I'm not sure if
there are any currently, but they have existed at one time or another.

[...]
> [Steve referring to software vendors]:
> *******************************
> "they reacted, in some cases, by defensively claiming that I had an
obligation to secretly
> inform them in advance before revealing these facts to the public. I
disagree..."
>     - Steve Gibson
>
> *******************************
>
> Who's really helping computer security?  Steve?  With an attitude like
that?  hmph.
> Whatever.

There are different attitudes in the security industry. Many many respected
security voices are pro "open disclosure". I see arguments going both ways,
and when confronted with a patch that has taken months to get published, I
sometimes think it might be better to disclose publicly and have it patched
in weeks.

Of course, two months for an exploit that hasn't gone "wild" isn't the end
of the world, but "closed disclosure" does allow the manufacturer to
manipulate their patch releases to the detriment (oftentimes) of consumers
such as appears to have occured.

> > *g* I agree, seeing as anyone "serious" about their computer's security
> > would have all these unnecessary "default" services disabled. It is a
big
> > issue for those who don't keep their ear to the ground about OS security
> > though.
>
> Patching the hole is protection enough.  We don't *need* to get
disable-happy with every
> service on the system that we're not using.  An open port is *not* a
security issue unless
> there's something bad behind it.  By your logic, when a hole is found in
IIS, the solution
> is to shut off the webserver and block port 80.  Weeeeeeee...  Hey...  It
stopped working...

Note my use of the word "unnecessary". It is vital to my point. Don't
disable IIS on your production webservers, by all means, but is it needed on
every workstation in the LAN? No.

Similar logic, when applied to UPnP leads be to believe there is no reason
anyone at this point should need it enabled. Has anyone even SEEN a UPnP
enabled appliance this year?

> Hmmmm...  Or did you manage to invent a sharp, pointy Internet packet?
:-)  For those who
> don't "keep their ear to the ground about OS security"...  I've been very
clear about my
> opinion on them...  piss on them.  If you're in a situation to "need"
security, you better
> PUT yourself in a situation to "provide" security.  If not, enjoy your
slow, painful
> e-death.

One of the ways to do that is to disable unused and unneeded services to
reduce the "workload" of maintaining them. A disabled service can have no
network-based exploits.

> > The fact remains that this is one of the more serious exploits out
there,
> > and that for volume of exploitable installations it is or will soon be
one
> > of the most widely installed to date. I honestly do not expect a
significant
> > portion of XP users to succesfully patch their machines. But that gets
back
> > into the whole issue of who is responsible for this sort of thing.
>
> *G*.  he he he.  You're finally learning what I'm all about Sam.
congrats.  :-)

Well, I still disagree to some extent, but I see no need to rehash it all.

> > I have never heard a user complain of lack of friendlyness when turning
> > something they want back on is done with such a childishly easy GUI as
in
> > XP. It's not loose-loose. MS has so much money obviously invested in UI
> > research, and it has payed off in usability and "friendlyness".
>
> Well, you've never heard that complaint because, with MS, it's all *on* by
default.  Hadn't
> you noticed?  That's why we're having this conversation.  Just wait until
the day it's all
> off by default, then I'll be right.  :-)

We'll see with IIS 6 I guess. By all reports it will have everything off by

> > *nux doesn't do this at ALL, and turning anything on in *nux also
requires
> > hours of configuring what you are turning on.
>
> BAH!  That's crap.  Do you even use Linux?

I don't currently, but I have installed several builds of it. I couldn't
keep using it thanks to problems with my modem. The linux drivers for it
were barely adequate at the time. I'll probably install again now that some
time has passed though.

> In my first two weeks I set up a maching to
> access the net through an NT proxy server, run a web server, telnet
server, mail server, and
> FTP server..

Two weeks as compared to how long on a windows machine?

>.  Now, all that was done having never seen the OS before.  I just have a
fairly
> fast learning period on most stuff.  Now, you can spend hours of
configuration to "tweak" it
> to run the most efficiently, but there's no hours of configuration just to
turn them on.
> It's typically little more then changing a line or two in the "*.conf"
file related to the
> service you're trying to run.

Still, harder than enabling stuff in windows, I'd say. Of course, I may very
well be biased, given that I am so used to the windows interface.

> > I honestly think the pages would have been shorter, and stuck to the "MS
> > isn't security aware" line, had this patch been released a month or a
week
> > after it was discovered.
>
> Again, who cares?  They patched it before anyone malicious exploited it...
enough said.

I'd rather have my patches sooner. It's a gamble holding off on releasing
the patch.

[...]
> Again, I wasn't in disagreement...  I just don't think it matters.  MS is
a company that
> holds a much larger resposibility to it's share holders then it does to
it's customers.

And that is a problem. Their income is from their customers. Loosing
customers should concern the shareholders.

> They're going to do what they need to do to make money.  If you haven't
figured that out,
> stop buying their products, because you're only misleading yourself.  It's
not like they're
> selling snake oil...  It's still an awesome product.

Yeah, it's an awesome product, but what people bought is still broken.

> The public likes to take something
> SMALL and blow it WAY out of proportion...  Look at all the Y2K panic over
NOTHING two years
> ago.

I think it's a bit misguided to say for sure that things would have been
fine if no effort had been put into the y2k problem. We can never know how
things would have been, only that we did put in effort and things were fine.

> People love freaking out over nothing.  Buy the OS, download the patch,
disable the
> service, whatever you want to do...  it's still very secure for anyone who
needs it to be.
> What's the big deal?  The sky honestly isn't falling.  Let's all remove
the tinfoil hat and
> relax a bit.  Nobody cried bloody murder when Novell made their slip-up:
> http://www.theregister.co.uk/content/55/23182.html  Where's Steve's nifty
20k-byte program
> to protect us from Novell's stupidity?  But we're not anti-MS at all, are
we?  Naaahhhhhh.

Novell's slip is minute compared to Microsoft. No comparison. Zero. Sorry.
Not to mention that the application of theirs that had an exploit was only
exploitable if it is being used, and the exploit only exposed login
passwords for mailboxes, AND it required the application to be in a
non-default state IIRC. Now if it had exposed root passwords...

> > > After the david and goliath raw sockets issue, the guy's on
> > > a mission to debunk MS security in any way he can.
> > I think that has been done for him, personally.
> It's still a perfectly secure OS **for anyone who wants it to be**.

Even so, confidence in MS security is no doubt down. I'd even say MS has
managed to "debunk" confidence in their security by making such a big error
(and it is a big error).

> > I think he has done much more with those pages than just ride coat-tails
>
> Like what?  I've read the eEye release, the FBI warnings, and the
Microsoft statements.  He
> offered nothing new aside from the anti-MS stuff.

He's offered a GUI to enable and disable UPnP, not that the FBI's directions
are difficult to follow or anything. Many of the media reports I saw didn't
include them, with just a link to the FBI's page. A link to "run this little
app to disable it" is probably going to be more attractive to people, I
think.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/28/2001 10:43:00 PM
"NT Canuck" <ntcanuck@hotmail.com> wrote in message
news:a0i4va$11i7$1@news.grc.com...
[...]
> It is the utility itself 'Plug n' Pray' that I feel should address whether
the
> UPnP service is "fixed/patched", before attempting to disable the service.

If not that (which could be a fairly significant effort) a link to the patch
would be reasonable, I agree.

> I'd also be interested in whether eEye (who made initial UPnP report) now
> considers WinXP to be *secure*, after all...calling it insecure was ok.

Their writeup on UPnP mentioned several other potential security "issues"
they had with it, but were beyond the scope of the vulnerability disclosed,
so I imagine they would advocate removing UPnP.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/28/2001 10:49:00 PM
"Steve Gibson" <support@grc.com> wrote in message:
>
> Whoops!  You've just made my point.  You have just disabled
> the WRONG service.  I wrote UnPnP to prevent such mistakes.  :)


Ok, the steps I offered don't include shutting down the Simple Service Discovery Protocol
(SSDP) Service.  But my little 7-step instructions weren't actually mine.  Nope.  They
came from the National Infrastructure Protection Center:

http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

I suspect, they know what they're talking about...  even if you don't think *I* do.
Furthermore, it's still a non-issue after the patch is installed (yes...  until the NEST
exploit comes along)  Be sure to read THIS particular paragraph:

*****************************
The second vulnerability is in the Simple Service Discovery Protocol (SSDP) that allows
new devices on a network to be recognized ***BY COMPUTERS RUNNING UPnP*** by sending out a
broadcast UDP packet. Attackers can use this feature to send false UDP packets to a
broadcast address hosting vulnerable Windows systems. Once a vulnerable system receives
this message, it will respond to the spoofed originating IP address. This can be exploited
to cause a distributed denial of service attack.
*****************************

-S
0
Stefan
12/28/2001 10:50:00 PM
I was wondering when Mr. BetterTakeYourMeds was going to reveal his
trollness.

Biggest problem is, other than all the time he has, is his outstanding wit
and intellect.

Powers used for the dark side, unfortunately.

I've seen the goodness, I know it's there. It's just hidden real well.




--

Mark Strelecki,  ACP          BE6.2600.011208
Computing and Programming Since 1975  http://www.strelecki.com
Protect Your Rights -- Fight UCITA   http://www.4cite.org
0
Mark
12/28/2001 10:50:00 PM
"Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
news:a0ivje$1vi2$1@news.grc.com...

> > I'd also be interested in whether eEye (who made initial UPnP report) now
> > considers WinXP to be *secure*, after all...calling it insecure was ok.
>
> Their writeup on UPnP mentioned several other potential security "issues"
> they had with it, but were beyond the scope of the vulnerability disclosed,
> so I imagine they would advocate removing UPnP.

Ok Sam, so lets say that UPnP is disabled...then does it meet eEyes standard
for a secure OS *at time of testing*...which is all I want to know.

In other words...the medicine has been applied...will the patient live?

'Seek and ye shall find'
NT Canuck
0
NT
12/28/2001 10:54:00 PM
"[The Hon. Rev. joWazzoo] " wrote in message:

> You really need to take a deep breadth and a break...You seem to Love
> Micro$ux as much as you allege that Steve hates it.

Well, he takes joy in insulting them enough.  What other impression am I to get from
everything he says about MS Security?


> To each his own.

I suppose.


> What is a windows Update button??

The very top of your Start Menu.  :-)  "button"/"menu item"... potato/pototo.

ttyl,
-Stefan.
0
Stefan
12/28/2001 10:55:00 PM
Stefan,

> > I honestly think the pages would have been shorter, and
> > stuck to the "MS isn't security aware" line, had this
> > patch been released a month or a week after it was discovered.
> 
> Again, who cares?  They patched it before anyone malicious
> exploited it...  enough said.

Stefan, you're obviously a bright, but contentious, guy. So I know 
that you know that the fact that Microsoft created a security update 
is *VERY* different from the fact that the problem is gone.

The Russian hackers who were breaking into IIS servers and stealing 
consumer credit cards were using well known -- and "patched" -- 
vulnerabilities that had been know FOR YEARS.

The CodeRed and Nimda worms were ALL using known and established 
exploits for which Microsoft had issued PATCHES.

Whoops.

It seems that having Microsoft patching their system is NOT the same 
as not having problems in the first place -- and also -- more 
significantly -- not running UNNECESSARY Internet services which 
create the *opportunity* for these problems and exploits.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/28/2001 10:58:00 PM
On Fri, 28 Dec 2001 16:55:50 -0600,  "Stefan" <no.sp@m.please.com>
threw these bits into the ether:

>> What is a windows Update button??
>
>The very top of your Start Menu.  :-)  "button"/"menu item"... potato/pototo.

Heh ... so easy to do. Looked at it for years and never saw it before.
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/28/2001 10:59:00 PM
" Mark Strelecki, ACP, Atlanta, GA" wrote in message:


> I was wondering when Mr. BetterTakeYourMeds was going to reveal his
> trollness.

right on cue.


> Biggest problem is, other than all the time he has, is his outstanding wit
> and intellect.

I wouldn't say I'm outstanding at anything.  I'd say I know enough to keep myself
employeed.  And hey. I just got a $7000 xmas bonus and a $500/m raise earlier today, so
obviously I'm still impressing the right people in my life.  :-)  he he he  (sorry I had
to brag there...  I've been on cloud nine all afternoon...  it was bound to leak out
somewhere)


> Powers used for the dark side, unfortunately.

Nah..  I know I come off strong-tempered a lot.  It's usually never intended the way it's
taken  (although, yes, sometimes it is)


> I've seen the goodness, I know it's there. It's just hidden real well.

You found it?  where?  ;-)


-S
0
Stefan
12/28/2001 11:00:00 PM
"NT Canuck" <ntcanuck@hotmail.com> wrote in message
news:a0ivt0$1vpe$1@news.grc.com...
> "Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
> news:a0ivje$1vi2$1@news.grc.com...
>
> > > I'd also be interested in whether eEye (who made initial UPnP report)
now
> > > considers WinXP to be *secure*, after all...calling it insecure was
ok.
> >
> > Their writeup on UPnP mentioned several other potential security
"issues"
> > they had with it, but were beyond the scope of the vulnerability
disclosed,
> > so I imagine they would advocate removing UPnP.
>
> Ok Sam, so lets say that UPnP is disabled...then does it meet eEyes
standard
> for a secure OS *at time of testing*...which is all I want to know.
>
> In other words...the medicine has been applied...will the patient live?

No idea. *g*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/28/2001 11:08:00 PM
"Steve Gibson" <support@grc.com> wrote in message:

> > Again, who cares?  They patched it before anyone malicious
> > exploited it...  enough said.
>
> Stefan, you're obviously a bright, but contentious, guy. So I know
> that you know that the fact that Microsoft created a security update
> is *VERY* different from the fact that the problem is gone.

Thanks for the compliment (no, that's *not* sarcasm).  I hear ya Steve, but come on.  It's
ALL they can do is to make a patch and hope people install it.  Short of some derranged
Code Green type fix-up scheme, where's their other options?


> The Russian hackers who were breaking into IIS servers and stealing
> consumer credit cards were using well known -- and "patched" --
> vulnerabilities that had been know FOR YEARS.

To the company being invaded:  They should be more secure then.  It doesn't make it
Microsoft's fault.

To the people who have the CC#'s stolen:  That's why law makes you only liable for no more
than $50 of a fraudulent purchase (and be careful about who gets your CC# -- that's why
IDServe is GREAT...  :-)  It's nothing special/new  --I already had a similar program--
but it's lets people see who they're dealing with)



> The CodeRed and Nimda worms were ALL using known and established
> exploits for which Microsoft had issued PATCHES.

dido to what I just said.  What more can MS do?



> It seems that having Microsoft patching their system is NOT the same
> as not having problems in the first place

But hindsight is 20/20.  NOBODY complained about UPnP, before the exploit was announced.
Why not?  Because hindsight is...  :-)


> -- and also -- more
> significantly -- not running UNNECESSARY Internet services which
> create the *opportunity* for these problems and exploits.

I agree.  I honestly honestly honestly do.  Again...  hindsight...

ttyl,
-S
0
Stefan
12/28/2001 11:10:00 PM
"NT Canuck" <ntcanuck@hotmail.com> wrote in message
news:a0ivt0$1vpe$1@news.grc.com...
> "Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
> news:a0ivje$1vi2$1@news.grc.com...
>
> > > I'd also be interested in whether eEye (who made initial UPnP report)
now
> > > considers WinXP to be *secure*, after all...calling it insecure was
ok.
> >
> > Their writeup on UPnP mentioned several other potential security
"issues"
> > they had with it, but were beyond the scope of the vulnerability
disclosed,
> > so I imagine they would advocate removing UPnP.
>
> Ok Sam, so lets say that UPnP is disabled...then does it meet eEyes
standard
> for a secure OS *at time of testing*...which is all I want to know.
>
> In other words...the medicine has been applied...will the patient live?

NT,

I *think* I am following what you are saying.  <g>

One answer I thought of was "it meets the standard until another security
vulnerability is found".

Isn't it *very* likely that another security vulnerability will be found in
XP, based on the track record of previous MS O/S's?

I don't want to bash MS here; I am just trying to state what I think the
reality is.
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/28/2001 11:10:00 PM
In message <a0iop5$1ntq$1@news.grc.com>, Stefan <no.sp@m.please.com> 
kicked in with

>"An open port is *not* a security issue unless there's something bad 
>behind it."

Just like an unlocked door is not an issue unless someone with bad 
intentions enters through it? . . .
But isn't the reality that an unlocked door _is_ a security issue 
because there are a few people around with less than immaculate 
'attitude'. Saying and wishing things to be different does not _make _ 
it different . . .

The sky is not falling indeed, but the issue is real nonetheless, and 
BTW I may have missed something but I didn't see someone claiming the 
sky to be falling. It looks to me that you're reading quite a bit of 
'drama' where there is none . . .
-- 
Fungus (a.k.a Urgje / BomBom the Magnificent)
PGP Key ID:0xDDD4F1E2
[urgje at dds dot nl]
0
Fungus
12/28/2001 11:11:00 PM
Hi Mark,

> I was wondering when Mr. BetterTakeYourMeds was going to
> reveal his trollness.
> 
> Biggest problem is, other than all the time he has, is
> his outstanding wit and intellect.
> 
> Powers used for the dark side, unfortunately.
> 
> I've seen the goodness, I know it's there. It's just hidden
> real well.

Well, some, if not many, of Stefan's points are things I can see and 
somewhat agree with.  But he and I do disagree about the proper 
handling of this industry's convicted and illegal monopolist that is 
promoting, marketing, and selling known-insecure and proven dangerous 
software to unsuspecting masses.

I, and many others, have tried talking with them, but that doesn't 
work.  So sharing my perspective with those "consumer masses", and 
working to bring about that change by showing Microsoft that people 
DO CARE, is the only approach left to me.

So many people tell us that they are glad for what I'm doing, and for 
the way I'm working to create some accountability from Microsoft that 
I know the few "Stefans" and "Thomas Greenes" are a diminishingly 
insignificant minority.

I'm sure that Stefan is probably right about how Microsoft feels 
about me.  And I wish that weren't the case.  But I care passionately 
about this PC industry and our current administration has given them 
a blank check for any conduct they choose.

They were just asked by several other leading security groups to 
place information on their site for disabling the Universal Plug n' 
Play facility and they refused.

Stefan may not agree with me, which is fine, but running this server 
in WinME and WinXP machines BY DEFAULT -- when there are no UPnP 
devices on the network -- is incredibly irresponsible and 
indefensible -- whether or not there are any known vulnerabilities.  
The other Internet server running in most Windows machines was called 
"File and Printer Sharing" ... and we all know what a problem that 
was.

So, do I feel strongly about this?  Yes.

Do those feelings show in my writing and web pages?  Yes.

Do I have any motive beyond getting Microsoft to change their 
behavior?  No.

Do I think it's CRITICAL that they change their behavior and start 
taking Internet security seriously?  Yes, more than anything else.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/28/2001 11:19:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0ias7$18hf$1@news.grc.com...
[...]
> Where were the people complaining about UPnP before
> the exploit was found?  Where were they?  Huh?
[...]

I recall a few posts somewhere along the line of "Lets wait and see if this
one is secure" back when it was in ME.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/28/2001 11:20:00 PM
In article <MPG.16969901379c797e98a18d@207.71.92.194>, support@grc.com 
says...
<snip>
> The Russian hackers who were breaking into IIS servers and stealing 
> consumer credit cards were using well known -- and "patched" -- 
> vulnerabilities that had been know FOR YEARS.
> 
> The CodeRed and Nimda worms were ALL using known and established 
> exploits for which Microsoft had issued PATCHES.
> 
> Whoops.

Yes, and how many wu-ftp, sendmail, rpc, lpd, telnet, and now ssh 
problems that are all PATCHED are still affecting a MULTITUDE of Solaris 
and other *NIX boxes ? I have seen estimates that perhaps more than 50 
percent of ssh servers out there have not been patched. Can you say 
remote root level exploit ? How many updates of SSH have come out in the 
last 2 months, 3 ?

> 
> It seems that having Microsoft patching their system is NOT the same 
> as not having problems in the first place -- and also -- more 
> significantly -- not running UNNECESSARY Internet services which 
> create the *opportunity* for these problems and exploits.

You think UPNP is UNNECESSARY, and right *now* I tend to agree with you. 
But MS was doing what thier CUSTOMERS want in implementing it - i.e. 
DUMBING DOWN the level of ability one needs to conifgure a printer, fax, 
scanner, camera or other peripheral. Sure, they can tell people how to 
turn it on when they need it. But that DEFEATS the purpose of having an 
easy to use , non-computer-literate friendly OS right out of the box.

I have said it before, and I'll say it again - MS is GUILTY of trying to 
make thier OS too EASY TO USE, because that seems to be what the 99.7 
percent of the people out there ( not in here ) want and NEED. They bend 
over backwards keeping backwards compatibility for thier users, which 
also causes problems.

MS may not be the greatest thing since sliced bread, and many may not 
agree with thier business practices. But considering that a *majority* 
of people in these newsgroups continue to use it ( and bash it, and 
waste months of thier lives continually tweaking and fiddling with it to 
'close all thier ports', must say something.

My advice to all of you - buy a Mac.

-- 
Bloated Elvis
0
Bloated_Elvis
12/28/2001 11:25:00 PM
"Fungus" wrote in message:

> >"An open port is *not* a security issue unless there's something bad
> >behind it."
>
> Just like an unlocked door is not an issue unless someone with bad
> intentions enters through it? . . .

A PORT IS *NOT* an unlocked door.  It's a perfectly locked door unless you were dumb enough
to leave a key sticking in the knob.

> But isn't the reality that an unlocked door _is_ a security issue
> because there are a few people around with less than immaculate
> 'attitude'. Saying and wishing things to be different does not _make _
> it different . . .

Uh huh...  It's still not an unlocked door.  Try again.


> The sky is not falling indeed, but the issue is real nonetheless, and
> BTW I may have missed something but I didn't see someone claiming the
> sky to be falling. It looks to me that you're reading quite a bit of
> 'drama' where there is none...

Maybe you should read it again.  There's ceratinly drama.

-S
0
Stefan
12/28/2001 11:36:00 PM
In message <a0j2f5$22ui$1@news.grc.com>, Stefan <no.sp@m.please.com> 
kicked in with
>> >"An open port is *not* a security issue unless there's something bad
>> >behind it."
>>
>> Just like an unlocked door is not an issue unless someone with bad
>> intentions enters through it? . . .
>
>A PORT IS *NOT* an unlocked door.  It's a perfectly locked door unless 
>you were dumb enough to leave a key sticking in the knob.

Weren't you talking about an 'open port' . . .
-- 
Fungus (a.k.a Urgje / BomBom the Magnificent)
PGP Key ID:0xDDD4F1E2
[urgje at dds dot nl]
0
Fungus
12/28/2001 11:43:00 PM
But Stefan,

They *could* have shut down the service NOW.  With this patch.

And it has been suggested ... but they have said no.  So this was an 
opportunity for them to fix this.  No reason not to.  But they are a 
stubborn company.

The computing infrastructure of the world is not theirs to own.  They 
are becoming a public utility and they have a responsibility that 
extends beyond their own agendas.  And certainly beyond their own 
egos and stubbornness.

None of that requires any hindsight, just some foresight.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/28/2001 11:50:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.16969ddb8f6190d998a18f@207.71.92.194...

> Well, some, if not many, of Stefan's points are things I can see and
> somewhat agree with.

And the same to you, and many of your points.


> But he and I do disagree about the proper
> handling of this industry's convicted and illegal monopolist that is
> promoting, marketing, and selling known-insecure and proven dangerous
> software to unsuspecting masses.

melodramatic?  IMHO  :-/


> I know the few "Stefans" and "Thomas Greenes" are a diminishingly
> insignificant minority.

Don't group me in with that PhuckWit.  Every time someone disagee's with you, it doesn't
mean we're a TC Greene.  I've been *very* clear about TC Greene and my opinions of him.
I've also been VERY complimentry (sp?) about *your* work...  just not the way you often go
about sayinf and doing some certain things.


> I'm sure that Stefan is probably right about how Microsoft feels
> about me.  And I wish that weren't the case.  But I care passionately
> about this PC industry and our current administration has given them
> a blank check for any conduct they choose.

The chose to do what makes them money, not what makes security people happy.  The
resposibility of security always has and always will lie in the hands of the end user.  BE
RESPONSIBLE!


> They were just asked by several other leading security groups to
> place information on their site for disabling the Universal Plug n'
> Play facility and they refused.

It's like diasbling *any* service...  how hard is that?


> Stefan may not agree with me, which is fine, but running this server
> in WinME and WinXP machines BY DEFAULT

IT DOES NOT RUN in WinME by default!!!  COME ON!!!  At least tell the truth!  Geezus! Read
up, eh? http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
You'll see this line:
********************************
Windows ME provides native support for UPnP, but it is neither installed nor running by
default.
********************************


> -- when there are no UPnP
> devices on the network -- is incredibly irresponsible and
> indefensible -- whether or not there are any known vulnerabilities.

yes, I agree...  I always have.  However, hindsight is 20/20... yet again.


> The other Internet server running in most Windows machines was called
> "File and Printer Sharing" ... and we all know what a problem that
> was.

And they have poor forsight to go with their 20/20 hindsight.  Oh well.  Don't compare a
buffer overflow to a "wide-open" network protocol.


> So, do I feel strongly about this?  Yes.

As do I


> Do those feelings show in my writing and web pages?  Yes.

But when I do it in the newsgroup, you say I'm trolling.  why?


> Do I have any motive beyond getting Microsoft to change their
> behavior?  No.

I never said you did.


> Do I think it's CRITICAL that they change their behavior and start
> taking Internet security seriously?  Yes, more than anything else.

And we both agree on that.  I just don't cry over spilled milk.  It's done, it's patched,
let's move on.

-S
0
Stefan
12/28/2001 11:51:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
> "Tommy_k" wrote in message:

> > Hmm a million (and one) pot shots,
> > don't have a calculator handy, but say at 100 per day, 365 days a
> > year,
> > well shite that'd make him 25 years potting at Microsoft.
> > Tommy

> http://www.dictionary.com/cgi-bin/dict.pl?term=figure%20of%20speech

> :-)

 -S

Aha, Stefan, okay, so what you're telling me is that you and Steve use
'figure of speech' to portray your 'arguments' - hmm, so why are yours
more important, or is this a vague apology  :-))

PS my 'browser settings' won't let me open that site, possibly cos
it's full of pop-ups, no?

Cheers
Tommy
Osama bin Ladin unwittingly repeated history when he
used a phrase uttered by Gen. Custer,

"Where did all these fecking Tomahawks come from?"
0
Tommy_k
12/28/2001 11:54:00 PM
Hi Bloated,

> I have said it before, and I'll say it again - MS is GUILTY of
> trying to make their OS too EASY TO USE, because that seems to
> be what the 99.7 percent of the people out there ( not in here )
> want and NEED. They bend over backwards keeping backwards
> compatibility for their users, which also causes problems.

I agree with you.

But, for example, why accept a packet from outside the subnet?

Or why not send out replies with a TTL of only 5 or 6 so that the 
server can't be used as a DoS or DDoS attack tool?

There are very real things that they could have done.  But it really 
seems that they just don't care.  Even NOW they don't care.

That's my complaint.

I don't believe that they really care about security.  How many eMail 
viruses must we all endure before scripting gets turned OFF by 
default?  Who the hell ever needed scripting in eMail?

It's that they don't care that's the problem.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/28/2001 11:55:00 PM
"CharlieBoy" <civermee@tcp.co.uk> wrote in message
 Tommy,
               Why bother? It's like the zoo, we really should not
feed
> them :-)
>
> Happy New year Everyone!

> Charlie.

> Wymsey Village Web
> www.wymsey.co.uk

Happy new year to yourself Charlie
Tofu hunters indeed :-)
Tommy
0
Tommy_k
12/28/2001 11:57:00 PM
HI Stefan,

> Ok, the steps I offered don't include shutting down the Simple
> Service Discovery Protocol (SSDP) Service.  But my little
> 7-step instructions weren't actually mine.  Nope.  They
> came from the National Infrastructure Protection Center:
> 
> http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
> 
> I suspect, they know what they're talking about...  even if
> you don't think *I* do.

No.  I have informed the NIPC about their error but there's no one 
around there this week.  I expect that they'll fix it as soon as 
someone gets back after New Years.

> Furthermore, it's still a non-issue after the patch is installed
> (yes...  until the NEXT exploit comes along)

Right, so what's wrong with being preemptive?

> Be sure to read THIS particular paragraph:
> 
> *****************************
> The second vulnerability is in the Simple Service Discovery Protocol (SSDP) that allows
> new devices on a network to be recognized ***BY COMPUTERS RUNNING UPnP*** by sending out a
> broadcast UDP packet. Attackers can use this feature to send false UDP packets to a
> broadcast address hosting vulnerable Windows systems. Once a vulnerable system receives
> this message, it will respond to the spoofed originating IP address. This can be exploited
> to cause a distributed denial of service attack.
> *****************************

The Universal Plug and Play Device Host is a dependent service.  It 
depends upon and is started by the SSDP (Simple Service Discovery 
Protocol) Discovery Service.  It's the SSDPDS which is running in a 
Windows XP machine.  The UPNPDH service isn't even running.  Since 
the UPNPDH service depends upon the SSDPDS, shutting down and 
disabling the SSDPDS handles the whole problem.  :)

And also note that it was the DoS and DDoS potential for this exploit 
(SSDS) which was the aspect which most concerned the NIPC.

>----------------------------------------------------------------

Also, Stefan ... could we induce you to set a line-wrap of, perhaps, 
70 characters?  Your lines shoot off the page and reading your notes 
requires horizontal scrolling and replies get messy.

Thanks!  :)

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/29/2001 12:03:00 AM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.1696a52cd62879ac98a190@207.71.92.194...

> They *could* have shut down the service NOW.  With this patch.

But MANY people, myself included, do not think the most drastic measure is the smartest.
What happens when these UPnP devices become popular two years from now?  Turn it back on?
Why will it be more secure then, then it is now?  Hmmm?


> And it has been suggested ... but they have said no.  So this was an
> opportunity for them to fix this.  No reason not to.  But they are a
> stubborn company.

thinking ahead maybe?  Why shut off something if it's going to be flipped back on in two
years?  Just fix it properly now and leave it running.  It's no threat unless someone
invents a sharp, pointy Internet packet, right?  :-)


> The computing infrastructure of the world is not theirs to own.

the UPnP is NOT the computing infrastructure of the world.  Don't say it is.


> They are becoming a public utility

If you say so, it must be true.  I thought they were just a company.  :-/


> and they have a responsibility that
> extends beyond their own agendas.

Their own agenda...  to destroy the world perhaps?  To disagree with Steve Gibson on
everything he says perhaps?  To try and steer computer technoloy to a better tomorrow
perhaps?  To make an omlet, you break a few eggs perhaps...  some of those eggs make a nasty
mess they need to clean up, but you patch em up and keep on trucking.  I always try to
consider the possibilty that I'm wrong...  I've admitted to being wrong in here more then
once.  I don't think you do that, IMHO.  How do YOU really really know what's the right
decision here?  I honestly don't.  I'm taking my best guess and running with the ball, but
I've got an OK batting average so far.  :-)


> And certainly beyond their own
> egos and stubbornness.

Biting my tongue...


> None of that requires any hindsight, just some foresight.

And in that, they've got you beaten in spades.  Who, 10 years ago, could have laid out a
plan to do what Microsoft has done in the last 10 years?  *that's* forsight.  They've hit
some MASSIVE snags along the way, and they'll hit more, but you can't disagree with the big
picture they've unfolded to the world.  If you had that forsight, why didn't you warn us
about the UPnP *BEFORE* the exploit came out?  Because we're all working with *nothing but
hindsight*, and it's easy to bash those with a vision, when they hit a bump in the road.

-S
0
Stefan
12/29/2001 12:07:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0iop5$1ntq$1@news.grc.com...
>
> For the record, I'm not Mr. KnowEverything.  I'd rather be called Mr.
> ApplysSomeCommonSenseBecauseTheSkysNotFalling.  :-)
>


Ladies and Gentlemen and Children of ALLLLLL Ages. Welcome to the Stefan
Show. (or is it "Stephen")

Are you tired of ----

..... winning friends and influencing people?
..... having problems at parties because you have a good personality?
..... actually having some friends?
..... people taking serious consideration of your opinions?

Wouldn't you really rather ----

..... be an obnoxious jerk?
..... have people shaking their heads in pity?
..... have the exciting possibility that someone will punch you in the nose
every time you go out in public?

All you need do is take Stefan's "Two Steps to Clowndom" debating class and
you will be well on your way. Just $.02 + VAT CA

(I certainly hope your IIs server is locked down tighter that your posts
would indicate. It appears wide open)
0
Phil
12/29/2001 12:08:00 AM
"Fungus" <fungus@at.work> wrote in message
news:v9rSQFKeOQL8EwXf@fung.oids...
[...]
> Weren't you talking about an 'open port' . . .

Or even an open port with one system-level exploit and three DoS or DDoS
exploits in the past. Who knows what will be in the future.

Regards,
Sam

--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 12:08:00 AM
Stefan wrote:
> 
> "Steve Gibson" <support@grc.com> wrote in message:
> 

> > The CodeRed and Nimda worms were ALL using known and established
> > exploits for which Microsoft had issued PATCHES.
> 
> dido to what I just said.  What more can MS do?

They can test for buffer overflow vunerabilities.  You're
right about hindsight.  It's hindsight that tells us that
buffer overflow vulnerabilities are one of the most common
programming vulnerabilities.

Steve Ballimer knows this very well.  He's been reported to
have said, "You would think we could figure out how to fix
buffer overflows by now."
http://www.thirdpig.com/white%20paper.zip

Of course, this is very different from design
vulnerabilities, for which you're point is valid (ie, you
can test for the presence of bugs, but you can't test for
their absence).


> 
> > It seems that having Microsoft patching their system is NOT the same
> > as not having problems in the first place
> 
> But hindsight is 20/20.  NOBODY complained about UPnP, before the exploit was announced.
> Why not?  Because hindsight is...  :-)

Hindsight is what tells us that we should test our code for
buffer overflow vulnerabilities.  It's a very common error. 
It's such a common error that my C compiler has switches you
can set that will warn you when you use commands (such as
gets()) that are know to introduce buffer overflow
vulnerabilities when not used carefully.

> 
> > -- and also -- more
> > significantly -- not running UNNECESSARY Internet services which
> > create the *opportunity* for these problems and exploits.
> 
> I agree.  I honestly honestly honestly do.  Again...  hindsight...

And again, it's hindsight that tells us that we should test
for errors that we made last time.

PS, on a completely unrelated issue, could you please wrap
you outgoing text to some sane value, such as 60 - 70
characters?
0
Kenneth
12/29/2001 12:10:00 AM
"Fungus" wrote in message:

> >A PORT IS *NOT* an unlocked door.  It's a perfectly locked door
unless
> >you were dumb enough to leave a key sticking in the knob.
>
> Weren't you talking about an 'open port' . . .

Yes, but just because the port is open doesn't mean you can do
anything malicious to me.  You can try.  It doesn't mean you'll get
in.  An open port is like a door lock.  You still need a key to get
in.  Sometimes the key is an exploit, sometimes it's a password, but
the sheer existance of a port isn't a door to slaughter someone's
system just because it's there and open.

-S
0
Stefan
12/29/2001 12:12:00 AM
"Steve Gibson" <support@grc.com> wrote in message:

> > Don't you mean, "if any enterprise folks have been silly enough
> > to not patch the exploit found in XP"?  The fact they deployed
> > XP is neither here nor there so long as they keep it up to date
> > and secure.
>
> No, that's not what I mean.  What I said is what I mean.
>
> If you look around the industry you'll find that the common wisdom
> and advice being given is for anyone serious about security and
> stability to avoid Windows XP.

you got a decent refrence on that?  It sounds like the words of the
same people who said avoid Win9x, WinNT, and Win2k.  You know...
those goofy people who think *nux is somehow bulletproof.  Boy, do I
have bad news for them.  :-)


> > Steve, it was *YOU* who said the security holes never become a
> > real world threat until some hacker designs an easy to use tool.
> > Now, it's become convienient to contradict that statement simply
> > because it's trendy to be anti-Microsoft.  Yeaaa!  :-/
>
> No, you are misquoting what I said ... and I think you know it.

That's VERY close to what you said.  You were talking about the ARP
eves-dropping attacks and said something to the effect of these
problems never becoming a real world threat until some hacker designs
an easy-to-use tool.  That's not word-for-word, but it's CERTAINLY NOT
changing the idea of what you said.  If it applies there, it applies
here.  If you REALLY want me to, I'll hunt around for the exact quote
verbatim, but I don't see the point.


> > ...or they can run UnPnP, which follows the logic of just chop
> > off your hands to prevent even the possibility of committing any
> > further evil.  :-/
>
> It's clear that you're just trolling here.  But so long as people
> enjoy bantering back and forth with you I think that's fine.

saying someone is "trolling" is just a great defence against someone
who disagrees with you.  If I were Microsoft, I might go as far as to
say....  :-)


-S
0
Stefan
12/29/2001 12:20:00 AM
> > But he and I do disagree about the proper handling of this
> > industry's convicted and illegal monopolist that is promoting,
> > marketing, and selling known-insecure and proven dangerous
> > software to unsuspecting masses.
> 
> melodramatic?  IMHO  :-/

Accurate?  :)


> > I know the few "Stefans" and "Thomas Greenes" are a diminishingly
> > insignificant minority.
> 
> Don't group me in with that PhuckWit.  Every time someone
> disagee's with you, it doesn't mean we're a TC Greene.  I've
> been *very* clear about TC Greene and my opinions of him.

I'm sorry, but I haven't read all of your postings closely.  I wish I 
had the time to, but I'm trying to write software and maintain a 
growing web site ... etc. etc.


> I've also been VERY complimentry (sp?) about *your* work...
> just not the way you often go about saying and doing some
> certain things.

Fair enough.


> > I'm sure that Stefan is probably right about how Microsoft
> > feels about me.  And I wish that weren't the case.  But I
> > care passionately about this PC industry and our current
> > administration has given them a blank check for any conduct
> > they choose.
> 
> They choose to do what makes them money, not what makes
> security people happy.  The resposibility of security always
> has and always will lie in the hands of the end user.  BE
> RESPONSIBLE!

But that's my entire message.  So ... I'm passionate about it.


> > They were just asked by several other leading security
> > groups to place information on their site for disabling
> > the Universal Plug n' Play facility and they refused.
> 
> It's like diasbling *any* service...  how hard is that?

But YOU disabled the wrong one, and you read instructions for 
disabling the wrong one.  The point of "UnPlug n' Pray" is to prevent 
such mistakes.


> > Stefan may not agree with me, which is fine, but running
> > this server in WinME and WinXP machines BY DEFAULT
> 
> IT DOES NOT RUN in WinME by default!!!  COME ON!!!  At least
> tell the truth!  Geezus! Read
> up, eh? http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
> You'll see this line:
> ********************************
> Windows ME provides native support for UPnP, but it is neither
> installed nor running by default.
> ********************************

I've been hearing from people all day -- hundreds in eMail -- who 
have been shocked to find UPnP installed and running in their 
machines even though they NEVER installed it.  The NIPC is repeating 
what someone else told them -- probably Microsoft -- but the REALITY 
is PROVING to be entirely different.


> > -- when there are no UPnP devices on the network -- is
> > incredibly irresponsible and indefensible -- whether or
> > not there are any known vulnerabilities.
> 
> yes, I agree...  I always have.  However, hindsight is
> 20/20... yet again.

But it requires nothing to turn it off NOW.  But Microsoft isn't.  
This is why the NIPC has gone on record and explicitly recommended 
for people to turn it off themselves.

Microsoft is now DELIBERATELY doing this.  That can't be excused by a 
lack of foresight.


> > The other Internet server running in most Windows machines
> > was called "File and Printer Sharing" ... and we all know
> > what a problem that was.
> 
> And they have poor forsight to go with their 20/20 hindsight.
> Oh well.  Don't compare a buffer overflow to a "wide-open"
> network protocol.

But Stefan, I don't know how closely you read the exploit details. 
The DoS and DDoS attacks have nothing to do with a buffer overrun. 
The possibility for THOSE attacks are inherently built into the UPnP 
specification.  They are caused because a device (a malicious device 
in this case) can give Windows XP *any* URL -- anywhere on the 
Internet -- to download its XML specifications.  And the XML spec can 
contain circular references! ... so it's possible -- by design -- to 
setup Windows XP machines as Denial of Service attack generators.

This would never have been a problem if that service were turned off 
by default and the UPnP instructions explained what button to press 
to turn it on.

But now we have more than ten million vulnerable and insecure servers 
out on the Internet ... wide open and waiting for hacker exploits.


> > Do those feelings show in my writing and web pages?  Yes.
> 
> But when I do it in the newsgroup, you say I'm trolling.  why?

Ah, well, happily, our dialog has taken on a much different tone now 
from yours earlier.  :)


> > Do I have any motive beyond getting Microsoft to change their
> > behavior?  No.
> 
> I never said you did.

Just stating it for the record.


> > Do I think it's CRITICAL that they change their behavior and start
> > taking Internet security seriously?  Yes, more than anything else.
> 
> And we both agree on that.  I just don't cry over spilled milk.
> It's done, it's patched, let's move on.

But Microsoft hasn't modified their conduct.  This will happen again 
and again ... and it *could* be avoided.

-- 
_________________________________________________________________
Steve Gibson,      at work on: < http://grc.com/UnPnP/UnPnP.htm >
0
Steve
12/29/2001 12:21:00 AM
"Sam Schinke" wrote in message:

> There is a difference between never been found, and known about by
non-MS
> people. Component XYZ is not secure against those hacks. I'm not
sure if
> there are any currently, but they have existed at one time or
another.

I'm assuming they're few and far between and get patched very soon
after they're exploited to any real extent.



> There are different attitudes in the security industry. Many many
respected
> security voices are pro "open disclosure". I see arguments going
both ways,
> and when confronted with a patch that has taken months to get
published, I
> sometimes think it might be better to disclose publicly and have it
patched
> in weeks.

Oh my...  you think that would have been better?  That's just makes it
a RACE between the crackers and MS programmers to see who can exploit
it or patch it before the other.  I disagree.  "shhhhh" is the way to
go.  That's just me.


> Note my use of the word "unnecessary". It is vital to my point.
Don't
> disable IIS on your production webservers, by all means, but is it
needed on
> every workstation in the LAN? No.

hahahaha.  Touch�.  Alas, I die.


> Similar logic, when applied to UPnP leads be to believe there is no
reason
> anyone at this point should need it enabled. Has anyone even SEEN a
UPnP
> enabled appliance this year?

So it'll somehow be safer in 2 years when the UPnP appliances are
common and the service gets flipped on, on 30 million systems?


> One of the ways to do that is to disable unused and unneeded
services to
> reduce the "workload" of maintaining them. A disabled service can
have no
> network-based exploits.

I never said it could.  However, a fully patched, and up-to-date
service is about 99.999997% sure to be quite safe until the next
exploit is discovered and as long as you patch it up then, you're
still 99.999997% safe.  Hackers typically only go after known
exploits.  You know that's true.  If you disagree, I'll just dig up
another quote from Steve and we can keep playing this game.  You seem
to agree with him more than me anyway.  :-)


> > *G*.  he he he.  You're finally learning what I'm all about Sam.
> congrats.  :-)
>
> Well, I still disagree to some extent, but I see no need to rehash
it all.

Please no.  I want to have a life one day.  :-)  You know where I
stand, and I know where you stand (and I can respect that even if I
don't agree), but let's just drop that part of the debate (even though
it the building block for every other debate we have).


> We'll see with IIS 6 I guess. By all reports it will have everything
off

Every little part or it, or just ISS in general?  Because if it's one
switch that turns EVERYTHING on, you're no further ahead.


> > In my first two weeks I set up a maching to
> > access the net through an NT proxy server, run a web server,
> > telnet server, mail server, and
> > FTP server..
>
> Two weeks as compared to how long on a windows machine?

If I'd never EVER seen windows before, it certainly wouldn't have
taken less then 2 weeks.  When I installed Linux at the beginning of
that two weeks, I didn't even know how to run "xconfigurator" to
change the screen resolution.  I though GNOME was a little elf you use
as a lawn ornament.  I thought I did OK despite the fact that I could
do the same on a Windows box in an hour.


> Still, harder than enabling stuff in windows, I'd say. Of course, I
may very
> well be biased, given that I am so used to the windows interface.

It's pretty easy.  You just read old postings from the user forums at
redhat.com and copy the examples left by nice people.  It really takes
almost no time at all to turn stuff on by editing a *.conf file and
restarting your daemons again and again and again...


> I'd rather have my patches sooner. It's a gamble holding off on
releasing
> the patch.

this from the guy who said there's no need to inform MS in secret
before announcing the exploit publicly.  :-/


> And that is a problem. Their income is from their customers. Loosing
> customers should concern the shareholders.

The only customers they loose are uptight security freakaholics.  :-)
*G*


> Yeah, it's an awesome product, but what people bought is still
broken.

broken... but easily fixed with minimal effort.


> I think it's a bit misguided to say for sure that things would have
been
> fine if no effort had been put into the y2k problem.

Of course, but did you see the freak-out over nothing?  people
building bunkers, buying water, power generators, etc, etc.  My
personal favorite freak artist was a guy named Gary North
(garynorth.com)  He thought the power grid would collapse because of
Y2k and with his masters degree in sociology, he more or less
predicted WWIII by the time it was done.  He got pretty quite on Jan
1st, 2000.


> We can never know how
> things would have been, only that we did put in effort and things
were fine.

I no effort had been put in, Gary North would have been right.  But
give the human race a little credit for heaven sakes.  People were
talking about nuclear missles being launched by accident.  come on.


> Novell's slip is minute compared to Microsoft. No comparison. Zero.
Sorry.

Of course you'd say that.


> Not to mention that the application of theirs that had an exploit
was only
> exploitable if it is being used, and the exploit only exposed login
> passwords for mailboxes,

Oh, is that all?  In a MILITARY GRADE network OS...  is that ALL it
did?  Sheesh...  and I was worried.  :-/


> AND it required the application to be in a
> non-default state IIRC.

I don't think you "RC".


> Even so, confidence in MS security is no doubt down.

Here.  that's about it.


> I'd even say MS has
> managed to "debunk" confidence in their security by making such a
big error
> (and it is a big error).

Yea, but most clueless lemmings don't really care that much.  It's
just a big deal to people like the people who hand out here.


> He's offered a GUI to enable and disable UPnP, not that the FBI's
directions
> are difficult to follow or anything. Many of the media reports I saw
didn't
> include them, with just a link to the FBI's page.

Windows isn't a GUI?  Ok...


> A link to "run this little
> app to disable it" is probably going to be more attractive to
people, I
> think.

It's that "run this little app" attitude that gets most people a
virus/trojan/worm.  :-)

ttyl,
-Stefan.
0
Stefan
12/29/2001 12:46:00 AM
Stefan wrote:

> saying someone is "trolling" is just a great defence against someone
> who disagrees with you.

Do you think so?  You think that disregarding someone's
argument, and introducing an irrelevent observation as a
good defence?  I don't think so.  Furthermore, I don't think
that Steve had used that observation as a defence.  My
reasoning here is that Steve seems to be addressing your
points.
0
Kenneth
12/29/2001 12:51:00 AM
"Steve Gibson" wrote in message:

> > my little
> > 7-step instructions weren't actually mine.  Nope.  They
> > came from the National Infrastructure Protection Center:
> >
> > http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
> >
> > I suspect, they know what they're talking about...  even if
> > you don't think *I* do.
>
> No.  I have informed the NIPC about their error but there's no one
> around there this week.  I expect that they'll fix it as soon as
> someone gets back after New Years.

*IF* you're right, and *IF* they change it, then I completly
appologise.  I'll have to do some more reading.  However, I don't
think you can blame me for reading up and believing the words of the
"National Infrastructure Protection Center" over "Steve Gibson".  But
as I said, if that's true (and you're right), you have my sincerest
appology and admiration for correcting them.

....But if you're wrong... he he he  :-)


> > Furthermore, it's still a non-issue after the patch is installed
> > (yes...  until the NEXT exploit comes along)
>
> Right, so what's wrong with being preemptive?

Well, how is it preemptive if this service is flipped back on on 90%
of the systems in 2 years is UPnP devices become the next big "thing"?
And who are you, me, we to say they won't be the next big "thing"?  If
anything, shutting it off EVERYWHERE might stamp out the development
of cool new UPnP devices that haven't even been invented yet.


> The Universal Plug and Play Device Host is a dependent service.  It
> depends upon and is started by the SSDP (Simple Service Discovery
> Protocol) Discovery Service.  It's the SSDPDS which is running in a
> Windows XP machine.  The UPNPDH service isn't even running.  Since
> the UPNPDH service depends upon the SSDPDS, shutting down and
> disabling the SSDPDS handles the whole problem.  :)

Ok,  BUT  (I'm asking now)...  Is the system still in danger of THE
CURRENT EXPLOIT (not an "in the future" statement please) if you only
shut down the UPNPDH, and not the SSDP?  From my understanding, the
SSDP couldn't even be used to send out bogus UDP packets so long as
the UPNPDH was shut down.  I stand to be corrected on that.  Since
you've (maybe) trashed my main source of information, I'm back in
"learning" mode on this issue so I'm quite willing to listen to what
you say on this part.  So what say you?


> And also note that it was the DoS and DDoS potential for this
exploit
> (SSDS) which was the aspect which most concerned the NIPC.

Yea, but (again) can it be used like that if the UPNPDH is disabled?
If not, who cares.  Well, I don't...  I'm sure you do.  suprise.  :-)


> Also, Stefan ... could we induce you to set a line-wrap of, perhaps,
> 70 characters?  Your lines shoot off the page and reading your notes
> requires horizontal scrolling and replies get messy.

done and done.  sorry.  I have a 21" monitor at 1280x960, so it looked
better to me this way and it kept my URL's from wrapping over.  I
wasn't thinking of everyone else here.  :-(

-S
0
Stefan
12/29/2001 1:01:00 AM
In article <MPG.1696a8464d0a763498a192@207.71.92.194>, support@grc.com 
says...
> No. 
> 
Too COOL!
-- 
l'bodacious - I love this place [earth].
0
You
12/29/2001 1:03:00 AM
That's funny.  It didn't have a damn thing to do with the topic, and
it's not even close to true... but it's still funny.  Look at your
post and ask yourself who's the asshole here with problems making
friends?  :-/

God fobid I have a mind of my own and don't trot through life like a
blind lemming in a game of follow the leader...  like you.

-S


"Phil Youngblood" wrote in message:

> Ladies and Gentlemen and Children of ALLLLLL Ages. Welcome to the
Stefan
> Show. (or is it "Stephen")
>
> Are you tired of ----
>
> .... winning friends and influencing people?
> .... having problems at parties because you have a good personality?
> .... actually having some friends?
> .... people taking serious consideration of your opinions?
>
> Wouldn't you really rather ----
>
> .... be an obnoxious jerk?
> .... have people shaking their heads in pity?
> .... have the exciting possibility that someone will punch you in
the nose
> every time you go out in public?
>
> All you need do is take Stefan's "Two Steps to Clowndom" debating
class and
> you will be well on your way. Just $.02 + VAT CA
>
> (I certainly hope your IIs server is locked down tighter that your
posts
> would indicate. It appears wide open)
0
Stefan
12/29/2001 1:07:00 AM
"Tommy_k" wrote in message:

> Aha, Stefan, okay, so what you're telling me is that you and Steve
use
> 'figure of speech' to portray your 'arguments' - hmm, so why are
yours
> more important, or is this a vague apology  :-))

an apology?  no.  Don't use "figure of speech" to defend everything he
said.  That's like me saying "you're an idiot", then saying "but
that's just a figure of speech".  It doesn't work that eay.  A figure
of speech needs to be somewhat obvious if you plan to use it as an
effective tool.  The fact that we're even disgussing it is a bigger
waste of time...  or did you think I really meant a million-and-one?
Like I counted them all?


> PS my 'browser settings' won't let me open that site, possibly cos
> it's full of pop-ups, no?

One pop-up.  I hate them to, but I tollerate them.


-S
0
Stefan
12/29/2001 1:16:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0j7ra$29le$1@news.grc.com...
> That's funny.  It didn't have a damn thing to do with the topic, and
> it's not even close to true... but it's still funny.  Look at your
> post and ask yourself who's the asshole here with problems making
> friends?  :-/
>
> God fobid I have a mind of my own and don't trot through life like a
> blind lemming in a game of follow the leader...  like you.
>

ROTFLMAO

Exactly what leader are you talking about? Steve? He has some damn good
ideas and, unlike you, is actually a very helpful and straight-forward
individual. Don't really think you can say I am a "follower" though. I
use -- and very much like -- the hated os, XP Pro. You need another hobby.

You really *are* pitiful. Post away, fool -- I will see you no more.
0
Phil
12/29/2001 1:29:00 AM
"Steve Gibson" wrote in message:

> > melodramatic?  IMHO  :-/
>
> Accurate?  :)

IYO...

agreeing to disagree?  :-)


> I'm sorry, but I haven't read all of your postings
> closely.  I wish I had the time to, but I'm trying to
> write software and maintain a  growing web site

Fair enough.


> > They choose to do what makes them money, not what makes
> > security people happy.  The resposibility of security always
> > has and always will lie in the hands of the end user.  BE
> > RESPONSIBLE!
>
> But that's my entire message.  So ... I'm passionate about it.

Ok, but my entire message is that you can put a seatbelt in a car, you
just can't make anyone wear it.  That seatbet *IS* there, but don't
blame Ford it nobody uses it...  Thanks to your work, more people are
putting it on.  The ones who don't...  well, we can't blame MS for
them, can we?  Well, I can't, anyway...  When people take
resposibility for their own system, the problems go away.



> > > They were just asked by several other leading security
> > > groups to place information on their site for disabling
> > > the Universal Plug n' Play facility and they refused.
> >
> > It's like diasbling *any* service...  how hard is that?
>
> But YOU disabled the wrong one, and you read instructions for
> disabling the wrong one.  The point of "UnPlug n' Pray" is to
prevent
> such mistakes.

Well, IMHO, once the patch is installed, it's a non-issue anyway.  I
did say fairly clearly that I don't see the point in shutting it off.
I only passed on what I read to others.  That said...  I already asked
somewhere else, can it still be used for the CURRENT exploit if you
only disable the UPnP service?  From my understanding (which may be
wrong) the DDoS exploit on the second service wasn't an issue so long
as you have the UPnP service disabled.


> > ********************************
> > Windows ME provides native support for UPnP, but it is neither
> > installed nor running by default.
> > ********************************
>
> I've been hearing from people all day -- hundreds in eMail -- who
> have been shocked to find UPnP installed and running in their
> machines even though they NEVER installed it.  The NIPC is repeating
> what someone else told them -- probably Microsoft -- but the REALITY
> is PROVING to be entirely different.


Nope nope nope nope nope.  I am sitting (right now) on a dual-boot
WinMe/Win2k system, so I (right now) went through the hassle of
rebooting it and brought it up in WinME.  I just (right now) ran
UnPnP, and it tells me that "UPnP is Safely Disabled".  I haven't
booted up into WinME in over 2 months, so it's not like I patched it
myself.  Sorry Steve.  It's disabled by default, because I sure as
hell didn't turn it off.  I wasn't even booted up into it until I went
to check this for myself.


> But it requires nothing to turn it off NOW.
> But Microsoft isn't.  This is why the NIPC
> has gone on record and explicitly recommended
> for people to turn it off themselves.

But it's still going a step beyond what is needed.  Steve... come on
man...  Anyone who is smart enough to go out of their way to shut it
off now is smart enough to patch it (and patch any future exploits
that are found).  I know we don't agree, but that's just where I stand
on that.  Your solution isn't *currently* more secure than mine.  When
(*IF*) the next exploit comes along, the same rules will apply.


> Microsoft is now DELIBERATELY doing this.  That can't be
> excused by a lack of foresight.

The patch...  fixes the exploit.  That's all it needs to do.  It does.


<TIME OUT>
HAHAHAAA...  My little "Keep Windows Up To Date" thing just spit up a
big message on the corner of my screen telling my I need to go get a
critical update.  :-)  Gee...  I wonder what it could be.  :-) ha
hahah  (like I said, I haven't booted up into WinMe in close to 2
months)
</TIME OUT>


> But Stefan, I don't know how closely you read the exploit details.
> The DoS and DDoS attacks have nothing to do with a buffer overrun.
> The possibility for THOSE attacks are inherently built into the UPnP
> specification.  They are caused because a device (a malicious device
> in this case) can give Windows XP *any* URL -- anywhere on the
> Internet -- to download its XML specifications.  And the XML spec
can
> contain circular references! ... so it's possible -- by design -- to
> setup Windows XP machines as Denial of Service attack generators.

But the patch fixes that.  It doesn't need to be turned off if it's
patched.  It's fixed.  If another one comes along, we'll patch it
also.  That was my whole point anyway.  I somehow was dragged off into
explaining that all UnPnP does is disable services (even if I said the
wrong ones).  People seemed to think it was exclusive
do-something-magical Steveware.  I'm not insulting the app.  I love
it.  It lets you *SEE* if your machine is patched or not.  That's
great for millions of people out there.  However, it's still...  just
disabling a service.



> This would never have been a problem if that service
> were turned off by default

Well, at least not until 30 million systems turned it on 2 years from
now.



> and the UPnP instructions explained what button to press
> to turn it on.

I agree, but that attitude got Linux it's anti-user-friendly
reputation, and Microsoft is involved in a self tog-o-war between
ease-of-use and security.  When they slip in either direction and they
get burnt.  I admit it completely... THEY SLIPPED.  Oh well.



> But now we have more than ten million
> vulnerable and insecure servers out
> on the Internet ... wide open and waiting
> for hacker exploits.

9,999,999.  Not mine.  Ain't it Kewl.  :-)



> > > Do those feelings show in my writing
> > > and web pages?  Yes.
> >
> > But when I do it in the newsgroup, you say
> > I'm trolling.  why?
>
> Ah, well, happily, our dialog has taken on a
> much different tone now from yours earlier. :)

I'm not talkin a whole lot different then I ever have, but ok.



> But Microsoft hasn't modified their conduct.
> This will happen again

EXACLTY my point.  So why in the blue hell can't people run the
Windows Update?  They KNOW it's happened before (the exploits), and
they KNOW it'll happen again.  So patch your system.



> and again ... and it *could* be avoided.

Nah....  there'll always be *something* like this.  The only way it
can be avoided is if MS locks down the system so hard that people
start getting P-ed off at it's a linux-like un-user-friendly default
settings.  Even then Linux has enough security issues...  why wouldn't
MS even in a total lock-down setup?  It's the old ease-of-use VS
security tog-o-war flying in our face one more time.

Do you have a mother who's brain dead on computers?  I do.  I get
annoyed enough by her stupid phone calls asking questions about
copy&paste for the 30th time.  If Microsoft makes this any harder to
use, I'll probably kill her one day.  You'll see an article in 'the
Reg' about a guy who killed his mother with a monitor.  It's that bad!
Yet, she can run the Windows Update like you never seen.  Ain't that
kewl too?  :-)

-S
0
Stefan
12/29/2001 3:18:00 AM
What is your purpose here?  I showed up to discuss this XP exploit.
You showed up to piss on anyone who disagrees with you.  You seem to
have twisted everything I've said into a personal attack on you and
that's fine.  It might-as-well be.  You were a waste of good keystroke
energy anyway.

-S


"Phil Youngblood" wrote in message:

> ROTFLMAO
>
> Exactly what leader are you talking about? Steve? He has some damn
good
> ideas and, unlike you, is actually a very helpful and
straight-forward
> individual. Don't really think you can say I am a "follower" though.
I
> use -- and very much like -- the hated os, XP Pro. You need another
hobby.
>
> You really *are* pitiful. Post away, fool -- I will see you no more.
0
Stefan
12/29/2001 3:26:00 AM
"Steve Gibson" <support@grc.com> wrote in message:

> Or why not send out replies with a TTL of only 5 or 6 so that the
> server can't be used as a DoS or DDoS attack tool?

Good question.  You got me doing a little reading Steve...  Maybe...
they DID do that.  Hmmmmmm....

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315056

Roll down to the heading "Regulating Device Description Downloads
Based on Router Hops"


You'l see all this
************************
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameter
s
Value name: TTL
Data type: REG_DWORD

If the target is separated from the local computer by more than the
specified number of router hops, a download is not attempted. By
default (no registry value set), the UPnP service traverses a maximum
of 4 router hops in pursuit of a device description.
************************

Do you see those two little words in there: ***BY DEFAULT***  They
appear shortly before the phrase "maximum of 4 router hops in pursuit
of a device description".

-S
0
Stefan
12/29/2001 4:00:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0j6j6$27sq$1@news.grc.com...
>
> "Sam Schinke" wrote in message:
>
> > There is a difference between never been found, and known about by
> non-MS
> > people. Component XYZ is not secure against those hacks. I'm not
> sure if
> > there are any currently, but they have existed at one time or
> another.
> I'm assuming they're few and far between and get patched very soon
> after they're exploited to any real extent.

Yeah. I'm assuming the same, but it pays to be aware that it can and does
occasionally happen. If you have fewer services running, the chances of it
happening to you are much lower.

> > There are different attitudes in the security industry. Many many
> respected
> > security voices are pro "open disclosure". I see arguments going
> both ways,
> > and when confronted with a patch that has taken months to get
> published, I
> > sometimes think it might be better to disclose publicly and have it
> patched
> > in weeks.
>
> Oh my...  you think that would have been better?  That's just makes it
> a RACE between the crackers and MS programmers to see who can exploit
> it or patch it before the other.  I disagree.  "shhhhh" is the way to
> go.  That's just me.

I think MS should have patched it immediately. I think a week (or two if the
vendor appears cooperative) advance notice of an exploit discovery is
sufficient. Allowing the vendor to wait two months also strikes me as
irresponsible. Perhaps not as irresponsible as either not informing the
vendor or making a full public disclosure, but a "closed" disclosure is by
no means my ideal disclosure model.

> > Note my use of the word "unnecessary". It is vital to my point.
> Don't
> > disable IIS on your production webservers, by all means, but is it
> needed on
> > every workstation in the LAN? No.
> hahahaha.  Touch�.  Alas, I die.

*g*

> > Similar logic, when applied to UPnP leads be to believe there is no
> reason
> > anyone at this point should need it enabled. Has anyone even SEEN a
> UPnP
> > enabled appliance this year?
>
> So it'll somehow be safer in 2 years when the UPnP appliances are
> common and the service gets flipped on, on 30 million systems?

Perhaps not, though I imagine most problems will have been ironed out by
then. But for the intervening two years, you'll be much safer AND when you
finally do enable it, it will have been audited for a long time.

As to any difficulty re-enabling UPnP, the manufacturers of a UPnP appliance
can just include UNPnP (being that it's freeware, or was that IDServe?) with
their install files for the client-side stuff and script it to re-enable
UPnP transparently.

> > One of the ways to do that is to disable unused and unneeded
> services to
> > reduce the "workload" of maintaining them. A disabled service can
> have no
> > network-based exploits.
>
> I never said it could.  However, a fully patched, and up-to-date
> service is about 99.999997% sure to be quite safe until the next
> exploit is discovered and as long as you patch it up then, you're
> still 99.999997% safe.  Hackers typically only go after known
> exploits.  You know that's true.

Heh. I'd rather disable the service for two years (or whatever arbitrary
period passes until I do use it) and not have to keep it up-to-date for that
period. One update at the end will work just as well. With all services
disabled in XP, I can see no reason to have to update anything, really.
Well, ok, if you don't use an email client or anything.. hmm..

> If you disagree, I'll just dig up
> another quote from Steve and we can keep playing this game.  You seem
> to agree with him more than me anyway.  :-)

Heh. I agree that most hackers only use known exploits, even if _some_
hackers do develop an exploit and keep it to themselves for maximum benefit
until noticed and patched. It's those guys I'd worry about with an
up-to-date system. Disabling a service will protect you against that when
depending on patches being out on time won't. Disabling the service will
also protect you against those times when MS doesn't add the patch to
windowsupdate right away, or when someone goes "full disclosure".

[...]
> > We'll see with IIS 6 I guess. By all reports it will have everything
> off
>
> Every little part or it, or just ISS in general?  Because if it's one
> switch that turns EVERYTHING on, you're no further ahead.

The impression I got was that IIS 6 was going to have all extensions off by
default, and be just a "simple" http server. How you enable bits and pieces
wasn't apparent, but I'm sure it will be similar to how you disable them
currently (seeing as the interface is already there and familiar)

[...]
> > I'd rather have my patches sooner. It's a gamble holding off on
> releasing
> > the patch.
>
> this from the guy who said there's no need to inform MS in secret
> before announcing the exploit publicly.  :-/

Yeah. I think there needs to be a middle-ground on disclosure. Open
disclosure doesn't work very well, nor does "fire and forget". The
disclosing party needs to ride MS and eventually go public if MS is dragging
their feet. I think two weeks is reasonable, or even a month, but two months
is pushing it.

>
> > And that is a problem. Their income is from their customers. Loosing
> > customers should concern the shareholders.
>
> The only customers they loose are uptight security freakaholics.  :-)
> *G*

I've seen a few people come here after seeing the news and seeming pretty
upset.

[...]
> > I think it's a bit misguided to say for sure that things would have
> been
> > fine if no effort had been put into the y2k problem.
>
> Of course, but did you see the freak-out over nothing?  people
> building bunkers, buying water, power generators, etc, etc.  My
> personal favorite freak artist was a guy named Gary North
> (garynorth.com)  He thought the power grid would collapse because of
> Y2k and with his masters degree in sociology, he more or less
> predicted WWIII by the time it was done.  He got pretty quite on Jan
> 1st, 2000.

Yeah, hysteria bad, constructive activity good, as a general policy (gas
masks anyone? :P).

> > We can never know how
> > things would have been, only that we did put in effort and things
> were fine.
>
> I no effort had been put in, Gary North would have been right.  But
> give the human race a little credit for heaven sakes.  People were
> talking about nuclear missles being launched by accident.  come on.

Hehe. I think it's good to mention the worst case, but it's always good to
say "with the effort I anticipate, this will not happen", in those cases
where the problem is well anticipated. chuckle.

> > Novell's slip is minute compared to Microsoft. No comparison. Zero.
> Sorry.
>
> Of course you'd say that.

Yep. Different quality of exploit.

> > Not to mention that the application of theirs that had an exploit
> was only
> > exploitable if it is being used, and the exploit only exposed login
> > passwords for mailboxes,
>
> Oh, is that all?  In a MILITARY GRADE network OS...  is that ALL it
> did?  Sheesh...  and I was worried.  :-/

I'm wondering what it is about a "military grade" os that makes it so
special.

> > AND it required the application to be in a
> > non-default state IIRC.
>
> I don't think you "RC".

That's why I said if. *g*

Looking here, I can't really tell.
http://support.novell.com/padlock/details.htm

It looks like there are four "modes" of operation, two of which are
vulnerable and two which are not, but I can't tell with absolute certainty
which one is the default.

> > Even so, confidence in MS security is no doubt down.
> Here.  that's about it.

Not just here, I'd imagine. Anywhere that hears about security stuff. And
any of the un-schooled masses who happen to hear of it also.

[...]
> > He's offered a GUI to enable and disable UPnP, not that the FBI's
> directions
> > are difficult to follow or anything. Many of the media reports I saw
> didn't
> > include them, with just a link to the FBI's page.
>
> Windows isn't a GUI?  Ok...

The way to disable it in windows is what, 7-8 steps. This is one step (or
two if you include clicking on the link).

> > A link to "run this little
> > app to disable it" is probably going to be more attractive to
> people, I
> > think.
>
> It's that "run this little app" attitude that gets most people a
> virus/trojan/worm.  :-)

Ironic, isn't it? I'm hoping Steve will drop a digital signature onto his
"gold" version largely for this reason.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 4:10:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0jhup$2jvh$1@news.grc.com...
[...]
> ************************
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameter
> s
> Value name: TTL
> Data type: REG_DWORD
>
> If the target is separated from the local computer by more than the
> specified number of router hops, a download is not attempted. By
> default (no registry value set), the UPnP service traverses a maximum
> of 4 router hops in pursuit of a device description.
> ************************
>
> Do you see those two little words in there: ***BY DEFAULT***  They
> appear shortly before the phrase "maximum of 4 router hops in pursuit
> of a device description".

I wonder though, if that is the real-world behaviour of the UPnP service in
it's original form. It looks like this may have been added by the patch.
Perhaps someone with a "clean" version could confirm? The EEye bulletin
details how to trigger that one, at least.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 4:14:00 AM
"Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
news:a0jiku$2kjv$1@news.grc.com...
> "Stefan" <no.sp@m.please.com> wrote in message
> news:a0jhup$2jvh$1@news.grc.com...
> [...]
> > ************************
> > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameter
> > s
> > Value name: TTL
> > Data type: REG_DWORD
> >
> > If the target is separated from the local computer by more than the
> > specified number of router hops, a download is not attempted. By
> > default (no registry value set), the UPnP service traverses a maximum
> > of 4 router hops in pursuit of a device description.
> > ************************
A closer read reveals this:

"The patch that is provided in Microsoft Security Bulletin MS01-059
introduces new functionality to limit the ability of a Universal Plug and
Play-capable computer to be used in distributed denial-of-service attacks.
The purpose of this article is to list the new functions and describe how to
use them most effectively."

So it is "by default on a patched system". Hindsight I guess. Now to get
them to make their install CD's writable, or to send out new ones for any
major patches, so it can be "clean" right from the start. *g*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 4:18:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0jfgh$2h8t$1@news.grc.com...
> > This will happen again
>
> EXACLTY my point.  So why in the blue hell can't people run the
> Windows Update?  They KNOW it's happened before (the exploits), and
> they KNOW it'll happen again.  So patch your system.
>
>
>
> > and again ... and it *could* be avoided.

I would of loved to have had that  patch a year ago. For crying_ out_
loud a whole damn year! Drove myself crazy trying to close
ports 1900 & 5000, unchecked plug and play...still in the background
....blocked in my firewall ...still in the background........
I like that poor soul who recently posted in Security thought I had a
trojan called 'socket de trois'. I even went to that site and d/l the
patch for it!

> Nah....  there'll always be *something* like this.  The only way it
> can be avoided is if MS locks down the system so hard that people
> start getting P-ed off at it's a linux-like un-user-friendly default
> settings.

Why? Why? Why? Why do script kiddies have to find MS' vulnerabilities?
Maybe they are employing the wrong people. Maybe they really don't care
what they send out in the assembly lines, straight to grandmas house,
who is on a fixed income, who couldn't afford the extended warranty,
and one of the exploits crashed her machine!

>  Even then Linux has enough security issues...  why wouldn't
> MS even in a total lock-down setup?  It's the old ease-of-use VS
> security tog-o-war flying in our face one more time.
>
> Do you have a mother who's brain dead on computers?  I do.  I get
> annoyed enough by her stupid phone calls asking questions about
> copy&paste for the 30th time.  If Microsoft makes this any harder to
> use, I'll probably kill her one day.  You'll see an article in 'the
> Reg' about a guy who killed his mother with a monitor.  It's that
bad!
> Yet, she can run the Windows Update like you never seen.  Ain't that
> kewl too?  :-)
>
> -S
>
Your mom is lucky she has such a good patient boy to call .
How about moms who don't have such a diligent son to call?
Or grandmas who just wanted to correspond with their grandchildren.
If MS is targeting these users then they should make sure these users
have secure machines...just that simple.....A


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.311 / Virus Database: 172 - Release Date: 12/27/2001
0
Anomie
12/29/2001 4:19:00 AM
"Sam Schinke" wrote in message:


> Perhaps not, though I imagine most problems will have been ironed
out by
> then. But for the intervening two years, you'll be much safer AND
when you
> finally do enable it, it will have been audited for a long time.

Yea, but are people going to learn how to keep their system up-to-date
two years from now?  :-)  Problem now or problem then is still a
problem.



> Heh. I'd rather disable the service for two years (or whatever
arbitrary
> period passes until I do use it) and not have to keep it up-to-date
for that
> period. One update at the end will work just as well.

You say that like you turned it off BEFORE the exploit was found.  Did
you?  No.  But you also have 20/20 hindsight.  Congrats.  :-)



>With all services
> disabled in XP, I can see no reason to have to update anything,
really.
> Well, ok, if you don't use an email client or anything.. hmm..

Or run an exe, or.... well... turn it on and visit the "wrong"
webpage.  :-)  Have I EVER denied Windows ______  was full of holes?
No...  Hence my constant nagging the people MUST keep it 100% up to
date.




> Heh. I agree that most hackers only use known exploits, even if
_some_
> hackers do develop an exploit and keep it to themselves for maximum
benefit
> until noticed and patched. It's those guys I'd worry about with an
> up-to-date system.

You actually sit around and worry about that?  <sarcasm>I worry about
aliens stealing my brainwaves.  I mean, there here n' all, and if
they're taking brainwaves, I can see why they'd be after
mine</sarcasm>  :-)

My philosophy on life:  Sh!t happens.  When it does, wipe it up.



> Disabling a service will protect you against that when
> depending on patches being out on time won't. Disabling the service
will
> also protect you against those times when MS doesn't add the patch
to
> windowsupdate right away, or when someone goes "full disclosure".

So you did disable it BEFORE the exploit was found?  Or is this
another one of those hindsight things?  :-)



> The impression I got was that IIS 6 was going to have all extensions
off by
> default, and be just a "simple" http server. How you enable bits and
pieces
> wasn't apparent, but I'm sure it will be similar to how you disable
them
> currently (seeing as the interface is already there and familiar)

Kewl.



> > > And that is a problem. Their income is from their customers.
Loosing
> > > customers should concern the shareholders.
> >
> > The only customers they loose are uptight security freakaholics.
:-)
> > *G*
>
> I've seen a few people come here after seeing the news and seeming
pretty
> upset.

People upset?  Gee...  That's a new development.  :-)  (that doesn't
make them a "lost customer")



> Yeah, hysteria bad, constructive activity good, as a
> general policy (gas masks anyone? :P).

In the wake of 9/11, my brother's boss bought a gas mask, anthrax
antibiotics (off the Internet...  :-/ ), and was looking into having
his house plastic wrapped.  No kidding.  :-)  I wonder if he disabled
the UPnP and SSDP services.  :-)



> > > Not to mention that the application of theirs that had an
exploit
> > was only
> > > exploitable if it is being used, and the exploit only exposed
login
> > > passwords for mailboxes,
> >
> > Oh, is that all?  In a MILITARY GRADE network OS...  is that ALL
it
> > did?  Sheesh...  and I was worried.  :-/
>
> I'm wondering what it is about a "military grade" os that makes it
so
> special.

Simple.  Novell is used by the military, because it's supposeed to be
ABSOLUTLY secure.  Now, if they let a massive bug slide into their
software, you'll have to figive me for assuming the same can happen to
the grandpa-OS-of-choice maker, Microsoft.  I have 8 (useless?) Novell
certificates, and believe you-me...  If that's not a company high on
it's own security, then one such company doesn't exist.  They're all
loony.  Despite being a Novell trained machine...  I hate it, and
haven't touched it in a few years now.  By now I can only assume my
out-dated Novell skills are useless.  However, that's the background
on why I say "military grade"...  They really are proud of that.  they
even had a military guy come give an hour long lecture with the "We
Want You!" pitch tossed in at the end.  thanks, but no thanks.  I
don't need to be hooking up networks in Afghanistan.



> > > Even so, confidence in MS security is no doubt down.
> > Here.  that's about it.
>
> Not just here, I'd imagine. Anywhere that hears about security
stuff. And
> any of the un-schooled masses who happen to hear of it also.

Yea, but 95%+ of the folks out there in the world aren't qualified to
have an opinion anyway.



> The way to disable it in windows is what, 7-8 steps. This
> is one step (or two if you include clicking on the link).

Six if you include opening your browser, loading grc.com, clicking
past the opening page, clicking the link to UnPnP, running the
program, and disabling the service.  :-)  that may sound silly, but
read my 7 steps.  "Click the Start menu" is one of them... I could
have changed it to:

1. Open "Services" from the Administration Control Panel.
2. Disable UPnP and SSDP servies.

There, now it's two steps.  :-)



> Ironic, isn't it? I'm hoping Steve will drop a digital
> signature onto his "gold" version largely for this reason.

I trust Steve...  That is to say, I'll run his programs with so much
as a virus check or guniea pig test, but he's one of VERY few, and it
took quite a while to reach that point.  Consider the guy would
DESTROY his entire reputation if there was ever anything questionable
in his apps, so...  I think it's all safe all the time.  why not?


-S
0
Stefan
12/29/2001 4:56:00 AM
"Anomie" wrote in message:

> I would of loved to have had that  patch a year ago. For crying_
out_
> loud a whole damn year! Drove myself crazy trying to close
> ports 1900 & 5000, unchecked plug and play...still in the background
> ...blocked in my firewall ...still in the background........

There was nothing at Microsoft.com just doing a search on "port 5000"?
:-/  I find that hard to believe.



> Why? Why? Why? Why do script kiddies have to find MS'
vulnerabilities?

eEye ain't no "script kiddies", as you call them.  In fact the whole
term really applies only to people who DON'T *find* the holes...  they
just exploit them using pre-made tools.



> Your mom is lucky she has such a good patient boy to call .

As some will quickly say...  I ain't all that patient.  Phrases like
"I already f***ing told you that three days ago" come out fairly
often.  Don't feel bad for her...  She's more foul mouthed than I
am...  That's probably why I am the way I am actually....  We're
putting the "fun" back in "disfunctional".


> How about moms who don't have such a diligent son to call?

They can call *you*.  :-)


> Or grandmas who just wanted to correspond with their grandchildren.

Funny you say that.  e got my Grandma (who's 76) a computer to use
e-mail on.  We set it up with no login screen, put explorer in the
StartUp folder, made the dial-in automatic, put hotmail as the home
page, permanent login to hotmail, etc, etc.  This was basically a turn
the machine on, and it goes straight into hotmail system.  It was that
easy.  Well, I've gotten a billion dumb calls, but my favorite was
left on my answering machine and sounded like this:

"Hi...  I'm getting an error on this here computer thing.  I turn it
on and it says, primary H-D-C failure.  press F-1 to enter setup.  I
tried pressing the small 'f' and then '1', but that didn't work, so I
tried pressing the capital 'F' and then '1', but that doesn't work
either.  It's just stuck here now.  Call me when you get home.  Bye"
<click>

That's what I have to deal with.  So, when I say Microsoft needs to be
made easy-to-use, by damnit, I mean it NEEDS to be made EASY to use.
:-)


> If MS is targeting these users then they should make sure these
users
> have secure machines...just that simple.....A

Simple?  if it was Simple, I think they'd have done it.  Think of the
PR victory that would have been.  :-)

-S
0
Stefan
12/29/2001 5:12:00 AM
"Sam Schinke" wrote in message

> So it is "by default on a patched system". Hindsight I guess. Now to
get
> them to make their install CD's writable, or to send out new ones
for any
> major patches, so it can be "clean" right from the start. *g*

Oh sorry..  I really should have qualified that statement better.  I
WAS talking about on a patched system.  Heck, if that's the default on
an unpatched system...  EVEN BETTER!  :-)  I don't think it is though.
You see, Steve said this:

********************
I don't believe that they really care about security.  How many eMail
viruses must we all endure before scripting gets turned OFF by
default?  Who the hell ever needed scripting in eMail?
********************

....so I went to see if MS had done anything of the sort in their
patch.  Sure enough, they *DID* (hell, it suprised me too!)  :-)  So
I, once again, don't agree with Steve saying something like "I don't
believe that they really care about security", because they CLEARLY do
care about it.  Not only does the patch fix the exploit, it sets the
TTL down to 4 so not even future exploits can be used to DDoS someone.
YEAAAA!!  So, if you install the patch and follow THE EXACT 7-STEP
PROCEDURE I GAVE (despite the fact Steve says I disabled the wrong
service), you will have a patched system that is immune to current
exploits and is also not capable of an (over 4-hop) DDoS attack.

-S
0
Stefan
12/29/2001 5:25:00 AM
"Kenneth Doyle" wrote in message:


> > saying someone is "trolling" is just a great defence against
someone
> > who disagrees with you.
>
> Do you think so?  You think that disregarding someone's
> argument, and introducing an irrelevent observation as a
> good defence?

No.. and I didn't do that either.


> I don't think so.  Furthermore, I don't think
> that Steve had used that observation as a defence.

No more than I was using my rebut as offence.


> My reasoning here is that Steve seems to
> be addressing your points.

I'm fairly sure I was addressing his.


-S
0
Stefan
12/29/2001 5:33:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0jl8l$2nbb$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
>
> > Perhaps not, though I imagine most problems will have been ironed
> out by
> > then. But for the intervening two years, you'll be much safer AND
> when you
> > finally do enable it, it will have been audited for a long time.
>
> Yea, but are people going to learn how to keep their system up-to-date
> two years from now?  :-)  Problem now or problem then is still a
> problem.

Well, I guess the same problem will be apparent. I am assuming that with no
changes to a service, two years is enough time for any bugs in it to be
found, or at least that they will be found at a greatly diminished rate.

> > Heh. I'd rather disable the service for two years (or whatever
> arbitrary
> > period passes until I do use it) and not have to keep it up-to-date
> for that
> > period. One update at the end will work just as well.
>
> You say that like you turned it off BEFORE the exploit was found.  Did
> you?  No.  But you also have 20/20 hindsight.  Congrats.  :-)

No, I never had it installed or near my computer. But when I did install my
current OS, I disabled anything that tries to listen on ports, or where I
was unable to do that, but wanted to use to software regardless, I made sure
it was firewalled. Even though I am not aware of any exploits against any of
that software.

[...]
> > Heh. I agree that most hackers only use known exploits, even if
> _some_
> > hackers do develop an exploit and keep it to themselves for maximum
> benefit
> > until noticed and patched. It's those guys I'd worry about with an
> > up-to-date system.
>
> You actually sit around and worry about that?  <sarcasm>I worry about
> aliens stealing my brainwaves.  I mean, there here n' all, and if
> they're taking brainwaves, I can see why they'd be after
> mine</sarcasm>  :-)
>
> My philosophy on life:  Sh!t happens.  When it does, wipe it up.

Yeah. I speak of course, about someone who has something worth stealing and
is likely to be targeted by a real "pro". Not you or I, as we're not going
to have a first-rate exploit wasted on us.

> > Disabling a service will protect you against that when
> > depending on patches being out on time won't. Disabling the service
> will
> > also protect you against those times when MS doesn't add the patch
> to
> > windowsupdate right away, or when someone goes "full disclosure".
>
> So you did disable it BEFORE the exploit was found?  Or is this
> another one of those hindsight things?  :-)

I have all services I do not use disabled on my machine, and when some new
software I use tries to open a port, I make sure it's firewalled unless I
need that port open for some reason. Period. I would have done the same with
XP, except perhaps to connect and reasearch how to safely disable things.

> > The impression I got was that IIS 6 was going to have all extensions
> off by
> > default, and be just a "simple" http server. How you enable bits and
> pieces
> > wasn't apparent, but I'm sure it will be similar to how you disable
> them
> > currently (seeing as the interface is already there and familiar)
>
> Kewl.

Yeah. Definately a BIG step in the right direction.

[...]
> > I've seen a few people come here after seeing the news and seeming
> pretty
> > upset.
>
> People upset?  Gee...  That's a new development.  :-)  (that doesn't
> make them a "lost customer")

Well, they were upset that they JUST got XP and already there are problems.
Of course, I doubt they'll change OS, or buy linux next time, but some
might.

> > Yeah, hysteria bad, constructive activity good, as a
> > general policy (gas masks anyone? :P).
>
> In the wake of 9/11, my brother's boss bought a gas mask, anthrax
> antibiotics (off the Internet...  :-/ ), and was looking into having
> his house plastic wrapped.  No kidding.  :-)  I wonder if he disabled
> the UPnP and SSDP services.  :-)

I betcha he went and hid under his desk after reading about raw sockets ;)

[...]
> > > > Even so, confidence in MS security is no doubt down.
> > > Here.  that's about it.
> >
> > Not just here, I'd imagine. Anywhere that hears about security
> stuff. And
> > any of the un-schooled masses who happen to hear of it also.
>
> Yea, but 95%+ of the folks out there in the world aren't qualified to
> have an opinion anyway.

Ah, so they should remain lemmings? nice.

[...]
> There, now it's two steps.  :-)

I can make UnPnP a couple steps with a direct link, shrug.. I bet you could
find the command-line command to disable UPnP though by calling the right
dll with the right parameters.

> > Ironic, isn't it? I'm hoping Steve will drop a digital
> > signature onto his "gold" version largely for this reason.
>
> I trust Steve...  That is to say, I'll run his programs with so much
> as a virus check or guniea pig test, but he's one of VERY few, and it
> took quite a while to reach that point.  Consider the guy would
> DESTROY his entire reputation if there was ever anything questionable
> in his apps, so...  I think it's all safe all the time.  why not?

Sure, same. I'd be concerned about someone abusing the trust we put in him
though, and redistributing doctored executables instead of a link.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 8:04:00 AM
On Fri, 28 Dec 2001 15:55:52 -0800,  Steve Gibson <support@grc.com>
threw these bits into the ether:

>I don't believe that they really care about security.  How many eMail 
>viruses must we all endure before scripting gets turned OFF by 
>default?  Who the hell ever needed scripting in eMail?

Heh. Freaking unbelievable...which is another reason why in my shop we
continue to use Eudora 3.05 for email. Outlook is BANNED.
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/29/2001 1:17:00 PM
On Fri, 28 Dec 2001 18:07:39 -0600,  "Stefan" <no.sp@m.please.com>
threw these bits into the ether:

>And in that, they've got you beaten in spades.  Who, 10 years ago, could have laid out a
>plan to do what Microsoft has done in the last 10 years?  *that's* forsight. 

No...your statement is BS. 100% BS.

Why you are so enamored with a monopoly is beyond me. Bill Gates is no
visionary - a fairly smart chap, but nothing more. And smart enough to
take advantage of a monopoly position. Go back and check the records
and you will see that M$ux was LATE in getting on the Internet
bandwagon. And what did they do with their monopoly position once they
realized a few yeas ago (several years late in many people's opinion)
that the Internet was the way to go??

Why they tied their Operating System in with application software so
that a User of Windoze who wanted to "surf the net" could only do so
easily with Micro$ux software - net browser, news and email - the big
3. Did Netscape and the other app vendors have the ability to hook
their sw into the OS code - like M$ux? Of course not!

And go back and check the records - 

1 - HE was not the sharp cooki that got M$ux going - it was his
sidekick that did the coding in the beginning on the Altair (think
that is right - it may have been the Imsaii).

2 - He and M$ux didn't even write MS-DOS - they bought it from Seattle
Computer. Who in turn had essentially hacked the OS developed by a
firm in the Silicon Valley whos name now escapes.

I imagine that I can safely say that I was likely computing before you
were born. Micro$ux has done nothing other than:

1 - ride the net wave
2 - take advantage of their monopoly

Any firm in their position could have done the same thing.

>They've hit some MASSIVE snags along the way, and they'll hit more, but you can't disagree with the big
>picture they've unfolded to the world.

Horse puckies. Any monopolist in their position could do the same
thing. 

>If you had that forsight, why didn't you warn us
>about the UPnP *BEFORE* the exploit came out?

If Micro$ux is so freaking smart - why did Bill Gates allow this to
get out? 
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/29/2001 1:45:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.1696a662f97f60fb98a191@207.71.92.194...
> Hi Bloated,
>
> > I have said it before, and I'll say it again - MS is GUILTY of
> > trying to make their OS too EASY TO USE, because that seems to
> > be what the 99.7 percent of the people out there ( not in here )
> > want and NEED. They bend over backwards keeping backwards
> > compatibility for their users, which also causes problems.
>
> I agree with you.
>
> But, for example, why accept a packet from outside the subnet?

It would make slightly more sense (in home systems) to use a ZA style local
zone.  Bind to the LAN adapters, and if an Internet connection uses it (such
as DSL), drop the ports.  Oh, and don't bind to dial-up adaptors.

>
> Or why not send out replies with a TTL of only 5 or 6 so that the
> server can't be used as a DoS or DDoS attack tool?
>

Useful for the UDP replies, but the HTTP requests are probably designed to
access the manufacturer's Web site to fetch drivers.  The UPnP stack visits
the url in the "Location:" header.
--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/29/2001 2:09:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0j4jj$25jj$1@news.grc.com...

> Yes, but just because the port is open doesn't mean you can do
> anything malicious to me.  You can try.  It doesn't mean you'll get
> in.  An open port is like a door lock.  You still need a key to get
> in.  Sometimes the key is an exploit, sometimes it's a password, but
> the sheer existance of a port isn't a door to slaughter someone's
> system just because it's there and open.

Stephan,

I'm not following you.  Are you saying that open shares are not a problem?

http://www.nsfocus.com/english/homepage/sa_05.htm
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/29/2001 2:16:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0j52r$2678$1@news.grc.com...

> > If you look around the industry you'll find that the common wisdom
> > and advice being given is for anyone serious about security and
> > stability to avoid Windows XP.
>
> you got a decent refrence on that?  It sounds like the words of the
> same people who said avoid Win9x, WinNT, and Win2k.  You know...
> those goofy people who think *nux is somehow bulletproof.  Boy, do I
> have bad news for them.  :-)

http://www.idg.net/ic_723536_6192_1-3121.html
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/29/2001 2:30:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0j3cq$245s$1@news.grc.com...

> > Stefan may not agree with me, which is fine, but running this server
> > in WinME and WinXP machines BY DEFAULT
>
> IT DOES NOT RUN in WinME by default!!!  COME ON!!!  At least tell the
truth!  Geezus! Read
> up, eh? http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm
> You'll see this line:
> ********************************
> Windows ME provides native support for UPnP, but it is neither installed
nor running by
> default.
> ********************************

Stephan,

Then why do so many people come here asking about how to close port 5000?
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/29/2001 2:31:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
Steve >>
> > But Stefan, I don't know how closely you read the exploit details.
> > The DoS and DDoS attacks have nothing to do with a buffer overrun.
> > The possibility for THOSE attacks are inherently built into the
UPnP
> > specification.  They are caused because a device (a malicious
device
> > in this case) can give Windows XP *any* URL -- anywhere on the
> > Internet -- to download its XML specifications.  And the XML spec
> can
> > contain circular references! ... so it's possible -- by design --
to
> > setup Windows XP machines as Denial of Service attack generators.
>

Hmm - so you do work for Microsoft, Stefan -
You could have stated that in the first place, would have saved a few
people a whole lot of trouble don't you think.
Ce sera sera :-))
PS you still good friends with Sandi ?

Cheerio and safe hexing
Tommy

> But the patch fixes that.  It doesn't need to be turned off if it's
> patched.  It's fixed. *** If another one comes along, we'll patch
it***
> also.  That was my whole point anyway.
0
Tommy_k
12/29/2001 3:12:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.1696a662f97f60fb98a191@207.71.92.194...

> Who the hell ever needed scripting in eMail?

Hi Steve,

Prior to about 1997 there wasn't much call for scripting support
it OE or any other email application.  Today we see Christmas
Cards, Birthday Cards, animated Cartoons and MSAgent
interactive vocal scripts with performances which include
fetching email and reading email for fun or for the disabled.

Some (of 100's) Examples;
http://www.microsoft.com/msagent/resources.htm
http://agent.microsoft.com/agent2/sdk/samples/html/peedypza.htm
http://agentwebs.ath.cx:5500/grandpajim/index.htm
http://www.e-clips.com.au/productview.cfm?productid=31

While it is true that many of these things could be sent via
attachments (zip files), well...Web Pages could also be text only!
Myself...I don't want to go back in time to 1991.

Some programmers and a few businesses take great advantage
of the enriched media opportunities afforded by jscript support
and MSAgent technology.  I agree that it's not for everyone.
FWIW...Speech and MSAgent technology is almost completely
free from Microsoft (just have to register), I intend to use it.

But at some time and point ~ do we challenge new frontiers, or
do we hide from them?  I guess a toggle on OE that says
"adventure mode" might be appropriate (Steve?), but then why buy a
known and recognized *Multimedia OS* if you are going to cripple it?

'Seek and ye shall find'
NT Canuck
0
NT
12/29/2001 3:29:00 PM
In message <a0jfgh$2h8t$1@news.grc.com>, Stefan <no.sp@m.please.com> 
kicked in with

>When people take resposibility for their own system, the problems go 
>away.

Hi Stefan,

Although I agree with you on the general principle:
Many do what you suggest, but looking at the general user of Microsoft 
OS you _know_ that they know far too little to 'take responsibility' and 
most of them are just not interested / inclined to spend the appropriate 
time anyway.
So should you just leave them (or others) 'in danger'? I'd say no!

Like there are systems that make it impossible _not_ to put on the 
safety belt, I agree with Steve: 'Dangerous' default settings of the OS 
that are not necessary for the proper basic workings of the system 
should be 'belt-on' by default! If they want to use it; make it a bit 
harder; have them study what they are doing! Just like you have to pass 
tests in order to be allowed to drive a car, maybe the time has come to 
do the same for PC use. In order to be allowed to use the full potential 
of the system you have to work and study for it and _than_ be 
accountable for the results too! But this may not accord with 
Microsoft's policy <bEg>

Apologies for the 'rant' . . .  ;-))
-- 
Fungus (a.k.a Urgje / BomBom the Magnificent)
PGP Key ID:0xDDD4F1E2
[urgje at dds dot nl]
0
Fungus
12/29/2001 3:31:00 PM
On Sat, 29 Dec 2001 09:29:46 -0600,  "NT Canuck"
<ntcanuck@hotmail.com> threw these bits into the ether:

snip some good stuff...

> I guess a toggle on OE that says
>"adventure mode" might be appropriate (Steve?), but then why buy a
>known and recognized *Multimedia OS* if you are going to cripple it?

And have it otherwise disabled at default - sounds good to me :-))
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/29/2001 4:37:00 PM
"Tommy_k" <tommy_kins@ntlworld.ie> wrote in message
news:a0kra0$r3g$1@news.grc.com...
>
> Hmm - so you do work for Microsoft, Stefan -
> You could have stated that in the first place, would have saved a
few
> people a whole lot of trouble don't you think.
> Ce sera sera :-))
> PS you still good friends with Sandi ?
>
> Cheerio and safe hexing
> Tommy

Tommy, do you EVER add anything to the conversation, or just toss out
these useless, pointless tidbits or annoying, mindless dribble?

-S
0
Stefan
12/29/2001 4:50:00 PM
"Fungus" wrote in message:

> Although I agree with you on the general principle:
> Many do what you suggest, but looking at the
> general user of Microsoft OS you _know_ that
> they know far too little to 'take responsibility' and
> most of them are just not interested / inclined to
> spend the appropriate time anyway.

But you're arguing MY point now.  Read what you just wrote: "they know
far too little to 'take responsibility' and most of them are just not
interested / inclined to spend the appropriate time anyway."  Now,
find me ONE SINGLE other product where users can make a large
purchase, be clueless as snot, hurt THEMSELVES, and the whole world
will blame the manufacturer, not the user.  Actually, cigarette
companies come to mind now that I think about it, but I agree with the
cigarette companies also (big shocker, eh?).  Anyway... back on
topic...  I'm not talking about a defective product.  I'm talking
about a product that NEEDS constant maintenence.  When a plane falls
out of the sky because a mechanic did something wrong, nobdy complains
to Boeing about it.  It NEEDS constant maintenence.  Furthermore,
Microsoft admits that!  That's why they make products like "keeping
Windows up to date...."  Finally, you *all* know it's true!  However
you'd rather blame MS then the much more obvious solution which is to
blame the user.


> So should you just leave them (or others) 'in danger'?
> I'd say no!

Nobody's been left in danger.  There's a patch.  If your boat is
sinking, and I offer you a patch that you can't put on, don't cry to
me after it's sank.


> Like there are systems that make it impossible _not_
> to put on the safety belt

Great.  Now where was the UPnP warning BEFORE the exploit was found?
You people are so quick to jump on Microsoft (in hindsight) that you
miss the plain-as-day fact that basically NOBODY talked about a
potential security threat that this service exposed *before* eEye made
their public announcement.  It's ok to ask MS to have perfect forsight
while nobody else did either.



> I agree with Steve: 'Dangerous'
> default settings of the OS that are not necessary for the
> proper basic workings of the system should be 'belt-on'
> by default!

It is.  In this case, the seat belt is the Windows Update utility.
It's there, it's on, it's waiting to be used.  Go hard!  :-)




> Just like you have to pass tests in order to
> be allowed to drive a car, maybe the time
> has come to do the same for PC use.

ROTFLMAO



> But this may not accord with
> Microsoft's policy <bEg>

....Or the 95% of the population too stupid to pass the tests. (my
point, AGAIN, being that it's not Microsoft's fault their too stupid
to pass these theoretical "tests")



> Apologies for the 'rant' . . .  ;-))

Look who you're apologizing to.  Probably not necessary.  :-)


-S
0
Stefan
12/29/2001 6:27:00 PM
"Steve Gibson" <support@grc.com> wrote in message
news:MPG.1696a662f97f60fb98a191@207.71.92.194...
> Or why not send out replies with a TTL of only 5 or 6 so that the
> server can't be used as a DoS or DDoS attack tool?

From upnp.org regarding the UPnP protocols:
"To limit network congestion, the time-to-live (TTL) of each IP packet for
each multicast message must default to 4 and should be configurable."

Now, whether MS have actually chosen to enforce this TTL I haven't
checked, but its in the "spec".

http://www.upnp.org/download/UPnPDA10_20000613.htm

-Robin
0
Robin
12/29/2001 6:49:00 PM
"[The Hon. Rev. joWazzoo] " wrote in message:

> > And in that, they've got you beaten in
> > spades.  Who, 10 years ago, could have laid out a
> > plan to do what Microsoft has done in the last 10
> > years?  *that's* forsight.
>
> No...your statement is BS. 100% BS.

To you.  Not me.  This is all about opinions anyway, isn't it?  I
mean, I KNOW nothing I'm saying is 100% correct, but you need to see
that nothing you say is 100% correct either.  It's all opinion from
where we're looking at it.  Before you tell someone they're 100% wrong
you ought to consider that there really isn't a black-and-white right
and wrong.  Furthermore, neither of us is more qualified than the
other to be the official authority on the topic anyway.  It's just a
discussion.



> Why you are so enamored with a monopoly is beyond me.

I dunno.  I'm turned on by powerful people?  :-)



> Bill Gates is no visionary - a fairly smart chap, but
> nothing more.

That's an easy statement to make while you're on the bottom of the
ladder and he's on the top of it.  If you really knew better, why
aren't you up there?



> And smart enough to take advantage
> of a monopoly position.

Nay.  Smart enough to *BUILD* a monopoly position.  Furthermore, smart
enough to *KEEP* it.



> Go back and check the records
> and you will see that M$ux was
> LATE in getting on the Internet
> bandwagon.

Exactly.  That makes it HARDER to take over.  Typically a business is
easiest when you're the first person in, because you have nobody to
compete with.  Microsoft came in after-the-fact and took over.  That's
not easy to do.



> And what did they do with their monopoly
> position once they realized a few yeas ago
> (several years late in many people's opinion)
> that the Internet was the way to go??

Oh, you noticed?



> Why they tied their Operating System in with
> application software so that a User of Windoze
> who wanted to "surf the net" could only do so
> easily with Micro$ux software - net browser,
> news and email - the big 3.

I thought they included Internet Explorer so users would have a way to
go download Netscape and install it.  :-)  Think about that.  We ALL
know that 95% of the folks out there aren't knowledgable enough to FTP
out from a DOS prompt to download a browser.  If it wasn't for
Explorer in there by default, how are they supposed to go get
Netscape?  You never thought of that, did you?  Furthermore, why don't
you complain about Linux distributors for bundling the Konquer web
browser into the KDE?  Same sh!t, different pile, really.  Also, why
was it *not* ok for MS to bundle a web browser, but everyone thinks
they should have bundled a BETTER (2-way) firewall into XP?  Which
software did you all want bundled, and which software are you wanting
to burn them at the stake for bundling?  You wanna clear that up for
me?


> Did Netscape and the other app vendors have the
> ability to hook their sw into the OS code - like
> M$ux? Of course not!

HA HA HA.  I suggest you go get a copy of RedHat my friend.  You just
put your foot in your mouth.



> And go back and check the records -
>
> 1 - HE was not the sharp cooki that got M$ux going - it was his
> sidekick that did the coding in the beginning on the Altair (think
> that is right - it may have been the Imsaii).

Bill Gates "sidekick" when they started the company was Paul Allen.
Frankly, I don't know what the hell you're talking about, but I won't
say your wrong as I don't know who all was there.  However, Walter
Disney didn't built Disney World all by himself, why the hell do you
think Bill Gates should have had to write all the code by himself?


> 2 - He and M$ux didn't even write MS-DOS - they
> bought it from Seattle Computer. Who in turn had
> essentially hacked the OS developed by a firm in
> the Silicon Valley whos name now escapes.

If you really want to nit-pick, (*I THINK*) the entire Windows GUI
concept was taken from Xwindows on unix systems that was built in the
late 70's.  I don't know if there was anything before or after.  I
think it was MIT students...  I'm not sure of that either.  I know
Xerox played a major roll in there somewhere also.  Anyway you look at
it, it was NOT Microsoft who came up with it.  My point?  You don't
need to invent the wheel to make money selling the wheel.  Boeing
didn't invent the airplane.  GM didn't invent the car.


> I imagine that I can safely say that I was likely computing before
you
> were born. Micro$ux has done nothing other than:
>
> 1 - ride the net wave
> 2 - take advantage of their monopoly

1 - *built* the wave
2 - *built* the monopoly

*BIG* difference.


> Any firm in their position could have done the same thing.

Any firm in their position?  what position?  brand new and starting
out with nothing?  So why didn't you do it?  You could be a
billionaire with your own Island in the pacific, and not sitting in a
GRC newsgroup talking to me.


> > They've hit some MASSIVE snags along the way, and
> > they'll hit more, but you can't disagree with the big
> > picture they've unfolded to the world.
>
> Horse puckies. Any monopolist in their position could do the same
> thing.

AGAIN, you don't START with a Monopoly...  you build it.  It wasn't
just handed to them on a golden platter.


> If Micro$ux is so freaking smart - why did Bill Gates
> allow this to get out?

"this"?
this = the exploit?  OR
this = the knowledge the exploit exists?

Either way...  I've already addressed that issue a million times.
Bugs are a part of software development.  Welcome to life.


ttyl,
-Stefan.
0
Stefan
12/29/2001 7:02:00 PM
"Robin Keir" wrote in message:

> "To limit network congestion, the time-to-live (TTL) of each IP
packet for
> each multicast message must default to 4 and should be
configurable."
>
> Now, whether MS have actually chosen to enforce this TTL I haven't
> checked, but its in the "spec".
>
> http://www.upnp.org/download/UPnPDA10_20000613.htm
>
> -Robin


If they didn't do it originally, they did do it in the patch:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315056

However, if it's in the spec, the *should* have done it originally.
I'm not sure yet as to if they did or not.  After reading the MS page,
I was assuming it's part of the patch (or why did they even mention
it?), but I suppose there's no guarantee that it wasn't in there
before.  eEye certainly didn't mention the limitation when they were
talling the world it could be used to generate a DDoS attack.  If it
is the default on an unpatched system, I have to say that was VERY
irresponsible of eEye to ignore that fact while telling the world it
could be exploited and used to generate a DDoS.

-S
0
Stefan
12/29/2001 7:08:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0jm64$2obe$1@news.grc.com...
> "Anomie" wrote in message:
>

> > If MS is targeting these users then they should make sure these
> users
> > have secure machines...just that simple.....A
>
> Simple?  if it was Simple, I think they'd have done it.  Think of the
> PR victory that would have been.  :-)
>
> -S
>
My point exactly...PR ...what PR?  The only time they roll out the PR
is when  a
new system is introduced.

How about this for PR...OE setup wizard starts...Letting the user know
all the issues with using it ...settings to minimize the
dangers..patches that they should   regularly check for . Gramps has
just been educated and the fault lies with him if he gets infected
opening a file attachment.

My car has a warning blinking light and 3 rings, to let me know I'm not
belted.

Every person knows the issues of using or not using your
seatbelt.duh...
And if I have an accident with my seatbelt on, and the seatbelt is
faulty, I hold the manufacturer responsible:-)

I'm only trying to make this point Stef, these issues have cost many
people a lot of money. My guess is many elderly who couldn't afford it.
What's wrong with a little disclosure to these issues upfront, we'd all
be that much wiser for it. And not just that 'press the update button,
trusts us on this.'.....mentality.

A




---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.311 / Virus Database: 172 - Release Date: 12/27/2001
0
Anomie
12/29/2001 7:39:00 PM
"Sam Schinke" wrote in message:


> Well, I guess the same problem will be apparent. I
> am assuming that with no changes to a service, two
> years is enough time for any bugs in it to be found,
> or at least that they will be found at a greatly diminished
> rate.

Sam, every now any then you say things that sound really good until
you think about it for a second or two...
In two years:

no changes to a service?  Not likely

enough time for any bugs in it to be found?  There won't be any bugs
in 2 years>  or there won't be any bugs in two years if Microsoft
doesn't design anything new?  Either way... :-/

they will be found at a greatly diminished rate?  Yea, we find them
less today then we did 2 years ago...  :-/  Wait a sec...  they're
still releasing service packs for NT4 which was released HOW long ago?


> No, I never had it installed or near my computer. But
> when I did install my current OS, I disabled anything
> that tries to listen on ports, or where I was unable to
> do that, but wanted to use to software regardless, I
> made sure it was firewalled.  Even though I am not
> aware of any exploits against any of that software.

Hey, you never know when that sharp, pointy Internet packet is going
to come along.  You'll want to be ready for it.  :-)


> Yeah. I speak of course, about someone who has
> something worth stealing and is likely to be targeted
> by a real "pro". Not you or I, as we're not going
> to have a first-rate exploit wasted on us.

Isn't this exactly the reason to back up my "don't worry so damn much"
theory?  :-)


> I have all services I do not use disabled on my machine, and
> when some new software I use tries to open a port, I make
> sure it's firewalled unless I need that port open for some reason.
> Period. I would have done the same with XP, except perhaps
> to connect and reasearch how to safely disable things.

Why?  if you don't think a pro would waste a first-rate exploit on
you?



> > Kewl.
>
> Yeah. Definately a BIG step in the right direction.

I can agree with that.  Will see how the masses deal with all-off
configuration.



> Well, they were upset that they JUST got XP and already
> there are problems.  Of course, I doubt they'll change OS,
> or buy linux next time, but some might.

:-)  exactly.


[...]

> > Yea, but 95%+ of the folks out there in the world
> > aren't qualified to have an opinion anyway.
>
> Ah, so they should remain lemmings? nice.

No, but you know what I was saying.  It's a double edged sword.  If
that 95% of the population was educated enough to share a VAILID
opinion on security, then they MUST also be smart enough to keep their
own machine secure.  Now, if that were the case, there would STILL be
no problem because everyone's machine would be up-to-date and secure.
Either way you swing it, I'm not the one being hit by that sword.  You
are.  :-)


> I can make UnPnP a couple steps with a direct link, shrug.
> I bet you could find the command-line command to disable
> UPnP though by calling the right dll with the right parameters.

Are we REALLY going to debate how ~few~ steps we can shrink a
step-by-step procedure into?  :-)  Ok then...  fair enough.  You win,
ok?


> > I trust Steve...
>
> Sure, same. I'd be concerned about someone abusing the trust we put
in him
> though, and redistributing doctored executables instead of a link.

I wouldn't run anything that wasn't a direct download from
://grc.com/~~~~~/~~~~~.exe  If is was an attachement to a newgroup
posting, or something in an e-mail, I'd just ignore it.  It's too easy
to fake the appearance of either of those.  Gimme your address and
I'll send you an e-mail *from* support@grc.com if you want me to
(well, certainly *appearing* to from that address anyway).  Any
schmuck can forge an SMTP header with minimal effort and relay it off
an open server somewhere on the Internet.  When you get it, it won't
be from the right mail server IP as Steve's e-mail (unless Steve's
mail server has an open-relay problem that I can exploit - but I
HIGHLY doubt that), but most people only look at the e-mail address
itself before they decide to trust it or not.

ttyl,
-Stefan.
0
Stefan
12/29/2001 7:42:00 PM
"Anomie" wrote in message:

> > Simple?  if it was Simple, I think they'd have done it.
> > Think of the
> > PR victory that would have been.  :-)
> >
> My point exactly...PR ...what PR?  The only time they
> roll out the PR is when a new system is introduced.

PR, as in "Public Relations"...  All I was saying is it would make
them look good if they could eliminate all the bugs, so if it was
possible, they'd do it.


> How about this for PR...OE setup wizard starts...Letting
> the user know all the issues with using it ...settings to
> minimize the dangers..patches that they should   regularly
> check for . Gramps has just been educated and the fault
> lies with him if he gets infected opening a file attachment.

GREAT IDEA!  They can tack it onto the end of the EULA that nobody
reads, that way they only need to ignore one annoying "next" screen
instad of two.  :-)



> My car has a warning blinking light and 3 rings, to let me
> know I'm not belted.

Did you need that bell warning to figure out you weren't wearing a
belt?  Just curious...  What kinda car?  Is it a Ford?  I bought a
brand new Mustang Convertable a few months ago and is has that
annoying as bell going off when you don't do the belt up.  It's DAMN
annoying.  I shut the warning sensor off.  :-)  Getting back on
topic....  that warning bell (if you need such a thing) is bascially
the same idea as the "keeping windows up to date automagically"
program.  By the way, in WinMe, that up-to-date reminder is ON
default.



> Every person knows the issues of using or not using
> your seatbelt.duh... And if I have an accident with
> my seatbelt on, and the seatbelt is faulty, I hold the
> manufacturer responsible:-)

Yea, but as far as Microsoft goes, we're not talking about a faulty
seatbelt.  It's a perfectly working security patch.  If you download
and install it, it WILL block the exploit.  If it didn't work, only
THAT would make it faulty.  Luckily, it works.  :-)


> I'm only trying to make this point Stef, these issues have
> cost many people a lot of money.

And I'm only trying to make the point that it's there fault for not
protecting themselves.  And I'm VERY persistant about this point...
you might of noticed.  :-)


> My guess is many elderly who couldn't afford it.

:-/  couldn't afford what?  The Windows Update is free.  Now, if they
couldn't afford Internet access, who cares...  their machine wasn't in
danger anyway.  Unless you can hack a system not hooked to the
network.  :-)


> What's wrong with a little disclosure to these issues
> upfront, we'd all be that much wiser for it. And not
> just that 'press the update button, trusts us on this.'
>.....mentality.

It's all FULLY disclosed.  What are you talking about.  Microsoft
fully explains EVERY critical update they release.  If you want to
talk about people not giving FULL disclosure, look at Novell:
http://www.theregister.co.uk/content/55/23182.html

-S
0
Stefan
12/29/2001 7:56:00 PM
Stefan wrote:


 >Furthermore, why don't
> you complain about Linux distributors for bundling the Konquer web
> browser into the KDE?  Same sh!t, different pile, really. 
-- 

Konqueror, Netscape, Mozilla, Lynx, Amaya, ........ need I go on, and don`t 
even ask about Mail and news clients
all "Bundled" together......

Need I go on.....

Cheers Mark.

"Excellent I cried!, elementary said he."
The much misquoted A C Doyle.
0
baskitcaise
12/29/2001 9:17:00 PM
"baskitcaise" wrote in message:

> > Furthermore, why don't you complain about
> > Linux distributors for bundling the Konquer web
> > browser into the KDE?  Same sh!t, different pile
> > really.
>
> Konqueror, Netscape, Mozilla, Lynx, Amaya, ........
> need I go on, and don`t even ask about Mail
> and news clients all "Bundled" together......
>
> Need I go on.....
>
> Cheers Mark.


THANK YOU!  :-)  And before anyone pipes up and says something like
"why can't Microsoft include BOTH Internet Explorer AND Netscape
Navigator in the OS?", I'd like to quote one Mr. William Gates....

************************
That's like asking Coke to put a can of Pepsi in every 6-pack.
   -Bill Gates
************************

I hear ya Bill...  tell it to the rest of these people now.

-S
0
Stefan
12/29/2001 9:22:00 PM
Stefan wrote:
> 
> "baskitcaise" wrote in message:
> 
> > > Furthermore, why don't you complain about
> > > Linux distributors for bundling the Konquer web
> > > browser into the KDE?  Same sh!t, different pile
> > > really.
> >
> > Konqueror, Netscape, Mozilla, Lynx, Amaya, ........
> > need I go on, and don`t even ask about Mail
> > and news clients all "Bundled" together......
> >
> > Need I go on.....
> >
> THANK YOU!  :-)  And before anyone pipes up and says something like
> "why can't Microsoft include BOTH Internet Explorer AND Netscape
> Navigator in the OS?", I'd like to quote one Mr. William Gates....
> 
> ************************
> That's like asking Coke to put a can of Pepsi in every 6-pack.
>    -Bill Gates
> ************************
> 
> I hear ya Bill...  tell it to the rest of these people now.

Totally inappropriate analogy.  Let's examine it.  Coke is
supposed to be analagous to Internet Explorer?  In that
case, Coke is to Internet Explorer as Windows is to what? 
My throat?
0
Kenneth
12/29/2001 9:36:00 PM
"Kenneth Doyle" <kdoyle@ihug.com.au> wrote in message:

> Totally inappropriate analogy.  Let's examine it.  Coke is
> supposed to be analagous to Internet Explorer?  In that
> case, Coke is to Internet Explorer as Windows is to what?
> My throat?

Microsoft is to Netscape what Coke is to Pepsi.  They're competing
companies making a similar product.  If you need to sell your rivals
product along with your own, you're basically being asked to compete
with yourself.  If Netscape wants, they can go write their own damn OS
and bundle their own damn browser into it.  Is it really THAT hard to
understand?

Not like it matters, but that quote I found wasn't verbatim.  Here's
the exact one:
********************************************
Forcing Microsoft to include Netscape's competing software in our
operating system is like requiring Coca-Cola to include three cans of
Pepsi in every six-pack it sells.
 - Bill Gates
********************************************

-S
0
Stefan
12/29/2001 9:40:00 PM
Stefan wrote:
> 
> Microsoft is to Netscape what Coke is to Pepsi.  They're competing
> companies making a similar product.  If you need to sell your rivals
> product along with your own, you're basically being asked to compete
> with yourself.  If Netscape wants, they can go write their own damn OS
> and bundle their own damn browser into it.  Is it really THAT hard to
> understand?

Coke doesn't sell throats.  It's an inappropriate analogy. 
The issue is how IE was bundled with Windows.  That's the
issue on which Microsoft was found guilty in a court of
law.  The analogy fails to address that issue.  It's a red
herring, a straw man.  Is it really THAT hard to understand?
0
Kenneth
12/29/2001 9:53:00 PM
Kenneth Doyle wrote:
> 
> Stefan wrote:
> >
> > Microsoft is to Netscape what Coke is to Pepsi.  They're competing
> > companies making a similar product.  If you need to sell your rivals
> > product along with your own, you're basically being asked to compete
> > with yourself.  If Netscape wants, they can go write their own damn OS
> > and bundle their own damn browser into it.  Is it really THAT hard to
> > understand?
> 
> Coke doesn't sell throats.  It's an inappropriate analogy.
> The issue is how IE was bundled with Windows.  That's the
> issue on which Microsoft was found guilty in a court of
> law.  The analogy fails to address that issue.  It's a red
> herring, a straw man.  Is it really THAT hard to understand?

OK, maybe it is hard to understand.  So let me explain it to
you from another angle.  IE is free, the only way MS could
loose business is if people started using Linux instead of
Windows.  So how does bundling Netscape with Windows
encourage people to switch to Linux?  It doesn't.  The
analogy is inappropriate.
0
Kenneth
12/29/2001 10:06:00 PM
On Sat, 29 Dec 2001 12:27:21 -0600, "Stefan" <no.sp@m.please.com>
wrote:

> I'm not talking about a defective product.  I'm talking
>about a product that NEEDS constant maintenence.  When a plane falls
>out of the sky because a mechanic did something wrong, nobdy complains
>to Boeing about it.  It NEEDS constant maintenence.  Furthermore,
>Microsoft admits that!  That's why they make products like "keeping
>Windows up to date...."  Finally, you *all* know it's true!  However
>you'd rather blame MS then the much more obvious solution which is to
>blame the user.

Stefan,

Your rather liberal idea of "logic" is predicated on the premise that
M$ is not putting out a "defective" product.  I maintain that M$ puts
a product that, by it's default settings, is a defective product.
Somewhat like a car that has it's brakes turned off by default
settings from the factory. You have to install the brake pads from the
dealer in order to securely stop before hitting the pedestrian. 

By it's own admission, M$ is out to bring the personal computer to the
masses.  This population has not been exposed enough to the many and
varied security and privacy problem that comes with the internet, etc.
Therefore, it behooves the Microsoft Corporation to stop trying to
make a system too easy to just turn on without the benefit of some
knowledge.  It would be like giving your kid the keys to the car
without any instructions. At least the kid has some experience with
riding in a car.

Geek..
0
handyman
12/29/2001 10:11:00 PM
"Kenneth Doyle" wrote in message:
>
> OK, maybe it is hard to understand.  So let me explain it to
> you from another angle.  IE is free, the only way MS could
> loose business is if people started using Linux instead of
> Windows.  So how does bundling Netscape with Windows
> encourage people to switch to Linux?  It doesn't.  The
> analogy is inappropriate.

What in the hell is wrong with it?  This is so simple monkeys can
figure it out.  I'll go slowly and stick to low-syllable words, ok?

- The issue (in this analogy) is whether or not MS should have been
forced to add Netscape into the Windows OS.

- The issue (in this analogy) is *not* that MS was giving it away
free.

-Now.  We have two companies:
Microsoft Corp. and Netscape Inc.

-We're comparing them to two other companies:
Coke Ltd. and Pepsi Ltd.

-Go back to the first two companies.  They each make a similar
product:
Microsoft Corp. makes Internet Explorer., the web browser
Netscape Inc. makes Navigator (or Communicator), the web browser

-Look at the two companies we're comparing them to
Coke Ltd. makes Coke-a-cola (the drink)
Pepsi Ltd. makes Pepsicola (the drink)


Are we still on the same page?  Stop me if you're confused yet.


We're comparing:
Microsoft Corp's product (Internet Explorer, the web browser)
      TO
Coke (the company) Ltd's product (Coke-a-cola, the drink)

ALSO, we're comparing:
Netscape Inc's product (Navigator/Communicator, the web browser)
    TO
Pepsi (the company) Ltd's product (Pepsicola, the drink)


You still with me?  There's nobody selling a throat anywhere in this
analogy, ok?


Now...

If, we force Microsoft Corp to include a product made by Netscape Inc
(aka - the Navigator web browser)...

THAT IS LIKE.... (are you ready for the analogy?)...

forcing Coke Ltd (the company) to include a product made by Pepsi Ltd
(the company).  That produt is Pepsicola, the drink.


You following me yet?

Why does this comparison work?

Because Microsoft Corp (the company) competes with Netscape Inc (the
company) in producing web browsers in a similar way that Coke Ltd (the
company) competes with Pepsi Ltd (the company) producing carbonated
beverages.


There's no throat in this analogy, ok?  none?  We're not drinking web
browsers or surfing the Internet on a can of Coke, ok?

To RECAP...  In this analogy the Bill Gates used...  We're making the
following comparisons:

Microsoft Corp (the company) = Coke Ltd (the company)
Netscape Inc (the company) = Pepsi Ltd.(the company)
Internet Explorer (the web browser) = Coke-a-cola (the drink)
Netscape Navigator (the web browser) = Pepsicola (the drink)

Did we have it all in check yet?

-S

PS - Surgeon General Warning:  don't drink your web browser
0
Stefan
12/29/2001 10:26:00 PM
"Geek" <handyman@firstaid.org> wrote in message
news:3c2e3cb9.28804706@news.grc.com...

> Your rather liberal idea of "logic" is predicated on the premise
that
> M$ is not putting out a "defective" product.  I maintain that M$
puts
> a product that, by it's default settings, is a defective product.

And you, you continue to use it anyway.



> Somewhat like a car that has it's brakes turned off by default

No, it's something like a car that needs it brakes inspected and fixed
every once in a while.



> settings from the factory. You have to install the brake pads from
the
> dealer in order to securely stop before hitting the pedestrian.

Well, if you were daft enough to drive you car for 15 years without
ever getting your brakes fixed, that might be a problem.  Just because
the car was originally made with working brakes, doesn't mean the keep
working forever.  WOW.


> By it's own admission, M$ is out to bring the personal computer to
the
> masses.  This population has not been exposed enough to the many and
> varied security and privacy problem that comes with the internet,
etc.

And somegow we'll all blame MS because people are too dumb to learn
about computers before buying a computer.


> Therefore, it behooves the Microsoft Corporation to stop trying to
> make a system too easy to just turn on without the benefit of some
> knowledge.

Yea, then they can have almost nobody wanting to use their products...
like Linux


> It would be like giving your kid the keys to the car
> without any instructions.

Exaclty, who would be that stupid to blame ford after the child
crashed a car into a wall?


> At least the kid has some experience with
> riding in a car.

I saw someone use a computer once.  So what?


> Geek..

Jerk.  ;-)  (just kidding)


-S
0
Stefan
12/29/2001 10:34:00 PM
Stefan wrote:
> 
> "Kenneth Doyle" wrote in message:
> >
> > OK, maybe it is hard to understand.  So let me explain it to
> > you from another angle.  IE is free, the only way MS could
> > loose business is if people started using Linux instead of
> > Windows.  So how does bundling Netscape with Windows
> > encourage people to switch to Linux?  It doesn't.  The
> > analogy is inappropriate.
> 
> What in the hell is wrong with it?  This is so simple monkeys can
> figure it out.  I'll go slowly and stick to low-syllable words, ok?

Don't speak to me like that.  I explained what's wrong with
it.

> 
> - The issue (in this analogy) is whether or not MS should have been
> forced to add Netscape into the Windows OS.
> 
> - The issue (in this analogy) is *not* that MS was giving it away
> free.
> 
> -Now.  We have two companies:
> Microsoft Corp. and Netscape Inc.
> 
> -We're comparing them to two other companies:
> Coke Ltd. and Pepsi Ltd.
> 
> -Go back to the first two companies.  They each make a similar
> product:
> Microsoft Corp. makes Internet Explorer., the web browser
> Netscape Inc. makes Navigator (or Communicator), the web browser
> 
> -Look at the two companies we're comparing them to
> Coke Ltd. makes Coke-a-cola (the drink)
> Pepsi Ltd. makes Pepsicola (the drink)
> 
> Are we still on the same page?  Stop me if you're confused yet.

My, your rhetoric is dazzling.

> 
> We're comparing:
> Microsoft Corp's product (Internet Explorer, the web browser)
>       TO
> Coke (the company) Ltd's product (Coke-a-cola, the drink)
> 
> ALSO, we're comparing:
> Netscape Inc's product (Navigator/Communicator, the web browser)
>     TO
> Pepsi (the company) Ltd's product (Pepsicola, the drink)
> 
> You still with me?  There's nobody selling a throat anywhere in this
> analogy, ok?

Exactly, I knew you'd get it sooner or later.  There's
nobody selling throats in this analogy, that's what makes it
inappropriate.

> 
> Now...
> 
> If, we force Microsoft Corp to include a product made by Netscape Inc
> (aka - the Navigator web browser)...
> 
> THAT IS LIKE.... (are you ready for the analogy?)...
> 
> forcing Coke Ltd (the company) to include a product made by Pepsi Ltd
> (the company).  That produt is Pepsicola, the drink.

No... it's not LIKE that at all.  If Coke includes Pepsi in
their six pack, they loose money, if MS includes Netscape in
Windows, they don't loose money.  Clear enough?

> 
> You following me yet?

Yes.  You want to defend an inappropriate analogy.  The
question is, are you following me?

> 
> Why does this comparison work?

It doesn't work because if Coke includes Pepsi in their
sixpacks then Coke looses money.  Whereas, if Microsoft
includes Netscape in Windows, they don't loose any money. 
Understand?

> 
> Because Microsoft Corp (the company) competes with Netscape Inc (the
> company) in producing web browsers in a similar way that Coke Ltd (the
> company) competes with Pepsi Ltd (the company) producing carbonated
> beverages.

Since when does Netscape sell operating systems?  This is
where the analogy breaks down.  The only way that MS could
loose money is for people to stop buying windows.  How does
including Netscape encourage peopole to buy a different
operating system?

> 
> There's no throat in this analogy, ok?  none?  We're not drinking web
> browsers or surfing the Internet on a can of Coke, ok?

Right.  That's why the analogy is inappropriate.

> 
> To RECAP...  In this analogy the Bill Gates used...  We're making the
> following comparisons:
> 
> Microsoft Corp (the company) = Coke Ltd (the company)
> Netscape Inc (the company) = Pepsi Ltd.(the company)
> Internet Explorer (the web browser) = Coke-a-cola (the drink)
> Netscape Navigator (the web browser) = Pepsicola (the drink)
> 
> Did we have it all in check yet?


I understand the comparisons, but they do not appropriatly
reflect the reality of the situatuation for which they are
meant to be analogous.
0
Kenneth
12/29/2001 10:54:00 PM
"Stefan" <no.sp@m.please.com> wrote in message news:a0lj7m$1mej$1@news.grc.com...

> >This population has not been exposed enough to the many and
> > varied security and privacy problem that comes with the internet,
> etc.

That is the line which Geek posted that I consider to be the true crux
of the matter...the focal point of all our current security concerns.

"that comes with the internet"
Microsoft does not install the internet ~ just access to it via Windows.

Crackers, exploits, Trojans do not come by default on any OS
and certainly will not be found on your default CD loaders.

It is only when the conduit is established via the internet that any
of this becomes relevant...so why is Microsoft responsible for
activities on/via a medium they did not create?  I still don't get it.

That's my perspective.  I continue to elaborate...no one sees it.

Lets get on with IPv6 already.

'Seek and ye shall find'
NT Canuck
0
NT
12/29/2001 11:02:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0l960$1b5m$1@news.grc.com...
> "Sam Schinke" wrote in message:
> > Well, I guess the same problem will be apparent. I
> > am assuming that with no changes to a service, two
> > years is enough time for any bugs in it to be found,
> > or at least that they will be found at a greatly diminished
> > rate.
>
> Sam, every now any then you say things that sound really good until
> you think about it for a second or two...
> In two years:
>
> no changes to a service?  Not likely

We'll see. I guess MS does like to extend protocols to do all sorts of
non-standard things, though. I wonder if they'll do that to UPnP?

> enough time for any bugs in it to be found?  There won't be any bugs
> in 2 years>  or there won't be any bugs in two years if Microsoft
> doesn't design anything new?  Either way... :-/
>
> they will be found at a greatly diminished rate?  Yea, we find them
> less today then we did 2 years ago...  :-/  Wait a sec...  they're
> still releasing service packs for NT4 which was released HOW long ago?

Heh. UPnP is a bit simpler than NT4 (and heck, I like to hope fewer mistakes
were made in XP overall than in NT4 :P), so I think there is some
conceivable upper bounds on how many bugs they could have coded into it and
still have it function.

I don't think it unreasonable to assume that a service that has been "on the
market" for two or more years will generally be more secure than one that is
going through it's infancy (as UPnP is).

> > No, I never had it installed or near my computer. But
> > when I did install my current OS, I disabled anything
> > that tries to listen on ports, or where I was unable to
> > do that, but wanted to use to software regardless, I
> > made sure it was firewalled.  Even though I am not
> > aware of any exploits against any of that software.
>
> Hey, you never know when that sharp, pointy Internet packet is going
> to come along.  You'll want to be ready for it.  :-)

Actually, I never know when an exploit will be developed against any
software that listens and accepts unsolicited packets, and frankly, it's
more effort than I care to make to track bugs and different versions from
all these different manufacturers. It's much easier to just firewall ports
or disable that part of the software (I still use ICQ2000b, even though
there are newer versions, but I have it fairly stripped down)

> > Yeah. I speak of course, about someone who has
> > something worth stealing and is likely to be targeted
> > by a real "pro". Not you or I, as we're not going
> > to have a first-rate exploit wasted on us.
> Isn't this exactly the reason to back up my "don't worry so damn much"
> theory?  :-)

For the general public? Sure. For an enterprise, or someone who has
something they really want left alone (cryptographic keys?), maybe not.

> > I have all services I do not use disabled on my machine, and
> > when some new software I use tries to open a port, I make
> > sure it's firewalled unless I need that port open for some reason.
> > Period. I would have done the same with XP, except perhaps
> > to connect and reasearch how to safely disable things.
> Why?  if you don't think a pro would waste a first-rate exploit on
> you?

No. Not every instance where there is an unpatched exploit is going to be
one where the exploit is secret in the black-hat world.

Not to mention that on my home PC, I really can't think of any services I'd
like to be offering the world, so they will either be limited to a LAN (when
I have one :P) or disabled, regardless.

> > > Kewl.
> >
> > Yeah. Definately a BIG step in the right direction.
>
> I can agree with that.  Will see how the masses deal with all-off
> configuration.

I thought the masses weren't supposed to run servers? *g*

Anyways, anyone who has taken the time to learn how to code up an ASP page
will no doubt be able to learn how to enable the ASP interpreter or whatnot.

[...]
> > > Yea, but 95%+ of the folks out there in the world
> > > aren't qualified to have an opinion anyway.
> >
> > Ah, so they should remain lemmings? nice.
>
> No, but you know what I was saying.  It's a double edged sword.  If
> that 95% of the population was educated enough to share a VAILID
> opinion on security, then they MUST also be smart enough to keep their
> own machine secure.

I don't see the logical neccesity there, nor even that one has to be
terribly educated to share an opinion, valid or not. Everyone has opinions.

Now, to come to that opinion from "first principles" is another matter, but
I don't think we can expect to see much of that anyways.

> Now, if that were the case, there would STILL be
> no problem because everyone's machine would be up-to-date and secure.
> Either way you swing it, I'm not the one being hit by that sword.  You
> are.  :-)

Nah. It's a bit of a made-up sword. Someone can be upset about
vendor-originated problems in their software, perfectly validly, without
needing to study computer security (or whatever area the problem is in) for
months.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:07:00 PM
"Kenneth Doyle" wrote in message:

> Don't speak to me like that.  I explained what's
> wrong with it.

Ok, but you're wrong in your explination.  Who do think is smarter?
You, or Bill Gates.  Don't fool yourself with your answer.



> > Are we still on the same page?  Stop me
> > if you're confused yet.
>
> My, your rhetoric is dazzling.

I wish I could say the same without that sarcasm.



> > You still with me?  There's nobody selling a throat
> > anywhere in this analogy, ok?
>
> Exactly, I knew you'd get it sooner or later.  There's
> nobody selling throats in this analogy, that's what makes it
> inappropriate.

Do you know what an analogy is?


> No... it's not LIKE that at all.  If Coke includes
> Pepsi in their six pack, they loose money, if MS
> includes Netscape in Windows, they don't loose
> money.  Clear enough?

The battle in the browser was was NEVER over money.  EVER!  It was
over market share in a push to control the future look and feel of the
Internet being that most webpages are designed mainly for browser with
the largest market share.  People design a webpage to look best on IE
because it's 95% of the browsers out there.  Market share, not money.
Didn't you realise the browser war was never about money?  That's why
the products were free - to increase market share.  :-/


> > You following me yet?
>
> Yes.  You want to defend an inappropriate analogy.
>  The question is, are you following me?

No...  the seeing don't follow the blind, sorry.



> > Why does this comparison work?
>
> It doesn't work because if Coke includes Pepsi
> in their sixpacks then Coke looses money.
> Whereas, if Microsoft includes Netscape in
> Windows, they don't loose any money. Understand?

Replace "money" with "market share", and your whole argument falls
apart.



> Since when does Netscape sell operating systems?

When they get off their ass and make it I suppose.  I wish them luck.
I sure won't ask them to include IE if they do make an OS.



> This is where the analogy breaks down.

The analogy is about web browsers, not OS's.  Try again.



>  The only way that MS could
> loose money is for people to stop buying windows.

MARKET SHARE!  not money!  They want to be the number one used browser
on the Internet.  Period.



> How does including Netscape encourage people
> to buy a different operating system?

I NEVER said it did!  It does, however, encourage them to use another
web browser and Microsoft doesn't want that because it would reduce
their market share.


> > There's no throat in this analogy, ok?  none?
> > We're not drinking web browsers or surfing
> > the Internet on a can of Coke, ok?
>
> Right.  That's why the analogy is inappropriate.

Why because you don't understand it?  When Bill Gates said it in a
press conference, nobody stood up and said, "uuuhhhh...  who's selling
a throat?"  Think about that.  You're the only one ever to ask that.
You're on your own.  Maybe, just maybe...  you're wrong.


> I understand the comparisons, but they do not appropriatly
> reflect the reality of the situatuation for which they are
> meant to be analogous.

Again, do you know what an analogy is?
http://www.dictionary.com/cgi-bin/dict.pl?term=analogy


-S
0
Stefan
12/29/2001 11:15:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lf15$1hpn$1@news.grc.com...
> "baskitcaise" wrote in message:
>
> > Konqueror, Netscape, Mozilla, Lynx, Amaya, ........
> > need I go on, and don`t even ask about Mail
> > and news clients all "Bundled" together......
> THANK YOU!  :-)  And before anyone pipes up and says something like
> "why can't Microsoft include BOTH Internet Explorer AND Netscape
> Navigator in the OS?", I'd like to quote one Mr. William Gates....

I think the point baskitcase was trying to make is that most linux distro's
come with a fairly recent compile of EVERY browser out there. *g*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:18:00 PM
"Kenneth Doyle" <kdoyle@ihug.com.au> wrote in message
news:3C2E49AA.84484074@ihug.com.au...
[...]
> It doesn't work because if Coke includes Pepsi in their
> sixpacks then Coke looses money.  Whereas, if Microsoft
> includes Netscape in Windows, they don't loose any money.
> Understand?

Technically, they might loose money burning that extra 10-100 MB's to each
CD they distribute. *g*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:21:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lllf$1pcb$1@news.grc.com...
> "Kenneth Doyle" wrote in message:
> > Don't speak to me like that.  I explained what's
> > wrong with it.
> Ok, but you're wrong in your explination.  Who do think is smarter?
> You, or Bill Gates.  Don't fool yourself with your answer.

Stefan,

Arguing by relying on authority isn't usually respected. Particularly not
when debating whether what that authority has said is correct. It somewhat
begs the question, don't you think?

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:24:00 PM
"Sam Schinke" wrote in message:

> Stefan,
>
> Arguing by relying on authority isn't usually respected.
Particularly not
> when debating whether what that authority has said is correct. It
somewhat
> begs the question, don't you think?


You're right.  I'm wrong.  Sorry.  But Bill Gates didn't get to be the
world's richest man by being so stupid he couldn't draw up a proper
analogy.  It's bad enough defendiong my own, mow I've been somehow
sucked into defending someone else's.  :-/

Anyway...  ixnay on my comment.  It was tasteless.  :-(

-S
0
Stefan
12/29/2001 11:24:00 PM
"Sam Schinke" wrote in message:


> I think the point baskitcase was trying to make is that most linux
distro's
> come with a fairly recent compile of EVERY browser out there. *g*

Because they *WANT* to, not because they're *forced* to.  Nobody can
force them to include a browser, and nobody complains abount any of
the ones they chose to add.  So MS only choses to include their own.
My point - so what.

-S
0
Stefan
12/29/2001 11:27:00 PM
An open port IS NOT an open share.  I'm talking about ports.  I run an
FTP server on port 21, that doesn't mean I have open shares exposed.
Don't change what I said.  I'm saying an "open port" is not a problem
if it doesn't open up a security hole (such as an open share).  That's
all I said.

-S


"Robert Wycoff" wrote in message:

> > Yes, but just because the port is open doesn't mean you can do
> > anything malicious to me.  You can try.  It doesn't mean you'll
get
> > in.  An open port is like a door lock.  You still need a key to
get
> > in.  Sometimes the key is an exploit, sometimes it's a password,
but
> > the sheer existance of a port isn't a door to slaughter someone's
> > system just because it's there and open.
>
> Stephan,
>
> I'm not following you.  Are you saying that open shares are not a
problem?
>
> http://www.nsfocus.com/english/homepage/sa_05.htm
0
Stefan
12/29/2001 11:29:00 PM
"Robert Wycoff" wrote in message:

>
> Then why do so many people come here asking about how to close port
5000?

They run XP or had in installed on WinMe or Win98 or Win98SE.  All I
said was that it's nut running in a default installation of Windows
Millennium.  I have a WinMe box.  I think I'd know that it's not
running as soon as a ran UnPnP, ok?

-S
0
Stefan
12/29/2001 11:31:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lllf$1pcb$1@news.grc.com...
> Again, do you know what an analogy is?
> http://www.dictionary.com/cgi-bin/dict.pl?term=analogy

To that I reply:
http://www.dictionary.com/cgi-bin/dict.pl?term=apt

I'm not too interested in debating a particular quote of Bill Gates', but I
think it important to note than analogies, while remaining analogies, aren't
neccesarily apt, or "valid" (and also that the opinion of whether each
analogy is such can vary).

It's the same as opinions. Just because one has one (and by definition, it
remains one, no matter how anyone tries to argue), doesn't mean it is
correct (though people will still disagree about it!)

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:31:00 PM
On Sat, 29 Dec 2001 15:18:25 -0800, "Sam Schinke"
<arishae.NO@SPAM.icqmail.com> wrote:

>"Stefan" <no.sp@m.please.com> wrote in message
>I think the point baskitcase was trying to make is that most linux distro's
>come with a fairly recent compile of EVERY browser out there. *g*

Sam,

To add to your point, they are also NOT integrated into the OS either.
To me, that's a rather big distinction.

Geek..
0
handyman
12/29/2001 11:32:00 PM
"Robert Wycoff" wrote in message

> > you got a decent refrence on that?

> http://www.idg.net/ic_723536_6192_1-3121.html


My point (as I said) was that you can find articles like that saying
the same crap about Win9x, WinNT, and Win2k.  The fact that the same
goofs also hated XP is no real shocker.  like, wow.

-S
0
Stefan
12/29/2001 11:33:00 PM
"Robert Bradley" <robert.bradley_family@btinternet.com> wrote in message
news:a0kn57$mk8$1@news.grc.com...
> "Steve Gibson" <support@grc.com> wrote in message
> news:MPG.1696a662f97f60fb98a191@207.71.92.194...
[...]
> > Or why not send out replies with a TTL of only 5 or 6 so that the
> > server can't be used as a DoS or DDoS attack tool?
> >
>
> Useful for the UDP replies, but the HTTP requests are probably designed to
> access the manufacturer's Web site to fetch drivers.  The UPnP stack
visits
> the url in the "Location:" header.

Good point. You can't really shorten the TTL on this without seriously
breaking the protocol. The only solution is some sort of "throttle", at the
client end, unless someone has a better idea (some distributed per-subnet
download seems possible..)?

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:33:00 PM
"Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
news:a0llri$1poi$1@news.grc.com...

> Technically, they might loose money burning that extra 10-100 MB's
> to each CD they distribute. *g*

YES!  And in extra man hours testing for complete compliance with
the other 4,700 files in the Windows family and then with all the
other MS products with internet access ~ Office ~ Media Player etc.

Not to mention ~ WHO do you now call for support?
Who is responsible for Netscape's ~ bugs, patches and updates?
And how do you introduce the exams that qualify the installers?
Yes, pre-installation specialists have to write an exam.

As it stands, IE allows for another browser to be the default, it
even has a checkmark for it.  The biggest problem was whether
the OEM's would be allowed to bundle it ~ not MS itself.

In January 2002 (afaik) this will change, I hope it works out.
This is just history now, depending on what you get from your
favorite local OEM distributor ~ Netscape/Opera who knows.

'Seek and ye shall find'
NT Canuck
0
NT
12/29/2001 11:34:00 PM
"Sam Schinke" wrote in message:

> I'm not too interested in debating a particular quote of Bill
Gates', but I
> think it important to note than analogies, while remaining
analogies, aren't
> neccesarily apt, or "valid" (and also that the opinion of whether
each
> analogy is such can vary).

In my opinion it is.  It doesn't shock me that you disagree.  Now,
more importantly, who cares?  This isn't worth the time it's taken
trying to explin what Bill was saying.  Either you see what he was
getting at or you don't.  Even if you disagree, I don't see why it's
so damn hard just to understand what he was TRYING to day.



> It's the same as opinions. Just because one has one (and by
definition, it
> remains one, no matter how anyone tries to argue), doesn't mean it
is
> correct (though people will still disagree about it!)

You wrong!  :-)  *G*



-S
0
Stefan
12/29/2001 11:37:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lm71$1pvu$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
> > Stefan,
> >
> > Arguing by relying on authority isn't usually respected.
> Particularly not
> > when debating whether what that authority has said is correct. It
> somewhat
> > begs the question, don't you think?
>
>
> You're right.  I'm wrong.

Natch. I'm not arguing with you on that one. I don't really care what Bill
said.

I just sometimes have my eye caught by a bit of argument, either a really
good point, or one that looks like a fallacy (no offense intended)

[..]
> Anyway...  ixnay on my comment.  It was tasteless.  :-(

Not tasteless, really, just... inconclusive?

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:38:00 PM
"Geek" wrote in message:

> To add to your point, they are also NOT integrated into the OS
either.
> To me, that's a rather big distinction.
>
> Geek..

You say that like it's not incredibly useful.  It makes it so Explorer
(file explorer) can see remote FTP servers, websites, etc, etc.  I
love that about it.  I stop does it all.

-S
0
Stefan
12/29/2001 11:39:00 PM
Stefan wrote:
> 
> The battle in the browser was was NEVER over money.  EVER!  It was
> over market share in a push to control the future look and feel of the
> Internet being that most webpages are designed mainly for browser with
> the largest market share.  People design a webpage to look best on IE
> because it's 95% of the browsers out there.  Market share, not money.
> Didn't you realise the browser war was never about money?  That's why
> the products were free - to increase market share.  :-/

OK.  So how exactly does this relate to the situation
between Coke and Pepsi?  What products are designed to be
compatible with the soft drink with the largest market
share?
0
Kenneth
12/29/2001 11:41:00 PM
"Kenneth Doyle" wrote in message:

> > The battle in the browser was was NEVER over money.  EVER!  It was
> > over market share in a push to control the future look and feel of
the
> > Internet being that most webpages are designed mainly for browser
with
> > the largest market share.  People design a webpage to look best on
IE
> > because it's 95% of the browsers out there.  Market share, not
money.
> > Didn't you realise the browser war was never about money?  That's
why
> > the products were free - to increase market share.  :-/
>
> OK.  So how exactly does this relate to the situation
> between Coke and Pepsi?  What products are designed to be
> compatible with the soft drink with the largest market
> share?


It's ALWAYS over market share.  In the browser war, market share meant
the ability to steer the direction of the look and feel of the
Internet.  In the soft-drink inductry, market share DOES equal money.
That's why the analogy, IMO, works...  It's comparing company's that
sell competing products in a push for market share.  the only
difference is why they want that market share.

-S
0
Stefan
12/29/2001 11:43:00 PM
"Robin Keir" <robin@keir.net> wrote in message
news:a0l6fe$186i$1@news.grc.com...
> "Steve Gibson" <support@grc.com> wrote in message
> news:MPG.1696a662f97f60fb98a191@207.71.92.194...
> > Or why not send out replies with a TTL of only 5 or 6 so that the
> > server can't be used as a DoS or DDoS attack tool?
>
> From upnp.org regarding the UPnP protocols:
> "To limit network congestion, the time-to-live (TTL) of each IP packet for
> each multicast message must default to 4 and should be configurable."

This is for an outbound multicast, I believe. There is no way for a client
to enforce the originating TTL on a packet it receives though, and a
non-multicast reply can have any TTL, I gather (at least from that quote?).

> Now, whether MS have actually chosen to enforce this TTL I haven't
> checked, but its in the "spec".

I looks like they have some TTL limits on _something_, I'm just not sure
what.

> http://www.upnp.org/download/UPnPDA10_20000613.htm

Nice link.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/29/2001 11:46:00 PM
Sam Schinke wrote:
> 
> "Kenneth Doyle" <kdoyle@ihug.com.au> wrote in message
> news:3C2E49AA.84484074@ihug.com.au...
> [...]
> > It doesn't work because if Coke includes Pepsi in their
> > sixpacks then Coke looses money.  Whereas, if Microsoft
> > includes Netscape in Windows, they don't loose any money.
> > Understand?
> 
> Technically, they might loose money burning that extra 10-100 MB's to each
> CD they distribute. *g*
> 
Heh.  OK, you got me there.

The thing is, I don't think it's reasonable to expect
Microsoft to include Netscape with Windows; that's not what
I'm arguing.  I just don't like it when people think that
they've slam dunked an argument by using childish and
inappropriate comparisons.
0
Kenneth
12/29/2001 11:47:00 PM
"Kenneth Doyle" wrote in message:

> The thing is, I don't think it's reasonable to expect
> Microsoft to include Netscape with Windows; that's not what
> I'm arguing.  I just don't like it when people think that
> they've slam dunked an argument by using childish and
> inappropriate comparisons.

Talk to Bill Gates, not me.  I never said it.  I just agreed with it.
So if you think Bill is childish and inappropriate, well, I don't
think he really cares...  so he's probably arrogant also.

-S
0
Stefan
12/29/2001 11:48:00 PM
"Robert Wycoff" <Don't.use.Lockdown@any.price> wrote in message
news:a0lm4o$1pul$1@news.grc.com...

Hi Robert,

> I *think* I am following what you are saying.  <g>

Heh, ok...

> One answer I thought of was "it meets the standard until another security
> vulnerability is found".

Fine with me, I would just like a little closure at the moment from eEye
in regards to their original announcement.  They say that there is a patch,
but they do not say that "ok, patch in place, looks good to us right now".

> Isn't it *very* likely that another security vulnerability will be found in
> XP, based on the track record of previous MS O/S's?

I don't know that for sure, maybe everyone will start USING their
OS instead of trying to break into someone elses.  It could happen?

Damm it Robert, technology can change the spin of a molecule and
line them up to emulate a mainframe...how do you defend against a
molecular level exploit?  It certainly won't be at the OS code level.
So I know that there will be some surprises for us all in a few years.

> I don't want to bash MS here; I am just trying to state what I think the
> reality is.

I can give you a list of something current with a hundred faults in it
right now, and it isn't even a MS product.  But some of my stuff is
sitting on it "high and dry" until someone wakes up and updates it.

'Seek and ye shall find'
NT Canuck
0
NT
12/29/2001 11:55:00 PM
Stefan wrote:
> 
> "Kenneth Doyle" wrote in message:
> 
> > The thing is, I don't think it's reasonable to expect
> > Microsoft to include Netscape with Windows; that's not what
> > I'm arguing.  I just don't like it when people think that
> > they've slam dunked an argument by using childish and
> > inappropriate comparisons.
> 
> Talk to Bill Gates, not me.  I never said it.  I just agreed with it.
> So if you think Bill is childish and inappropriate, well, I don't
> think he really cares...  so he's probably arrogant also.
> 

It was my impression that you had used Gates' words as if
you thought that you had presented an unassailable
argument.  I'm quite prepared to believe that you had
thought no such thing.  It just seems that way from the
manner in which you presented it.
0
Kenneth
12/30/2001 12:02:00 AM
On Sat, 29 Dec 2001 16:34:01 -0600, "Stefan" <no.sp@m.please.com>
wrote:

>And you, you continue to use it anyway.
>
Yes, after tweaking the *** out of it, taking care of all those lovely
default value and stripping IE too.  Also added brakes, lights,
steering, horn, and steering so it will run right.

>> Somewhat like a car that has it's brakes turned off by default
>
>No, it's something like a car that needs it brakes inspected and fixed
>every once in a while.
>
Having brakes inspected and fixed once in a while is an entirely
different story than driving it out of the dealership with the brakes
left off by default.  
>
> Just because
>the car was originally made with working brakes, doesn't mean the keep
>working forever.  WOW.

Wow is right, you missed the point entirely.<G>
>
>And somegow we'll all blame MS because people are too dumb to learn
>about computers before buying a computer.

Unfortunately, the ads for MS products lead people to think that no
experience or knowledge is needed.  
>
>Yea, then they can have almost nobody wanting to use their products...
>like Linux
>
So what's the downside to this? (LOL)

>Exaclty, who would be that stupid to blame ford after the child
>crashed a car into a wall?
>
Who said anything about Ford?  I'm talking Porsche here baby. No, the
point is MS (the adult) allows the kid (newbie user) to take the key
to the car without proper prep.

>I saw someone use a computer once.  So what?
>
Did you learn anything? 

Geek.. 
0
handyman
12/30/2001 12:24:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lmtv$1qp3$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
> > I'm not too interested in debating a particular quote of Bill
> Gates', but I
> > think it important to note than analogies, while remaining
> analogies, aren't
> > neccesarily apt, or "valid" (and also that the opinion of whether
> each
> > analogy is such can vary).
>
> In my opinion it is.  It doesn't shock me that you disagree.

I disagree? I'm afraid you've mistaken me for someone who cares. *g*

You think it's apt, Kenneth thinks it isn't. It _is_ an analogy, though. Is
that an accurate summation?

But stating it is an analogy doesn't reflect on it's aptness, if you see the
distinction.

> Now,
> more importantly, who cares?

Hmm, yeah. See above.

> This isn't worth the time it's taken
> trying to explin what Bill was saying.  Either you see what he was
> getting at or you don't.  Even if you disagree, I don't see why it's
> so damn hard just to understand what he was TRYING to day.

Not an issue I have. I see what he was trying to say. I'm not too interested
in the topic though, as I don't drink Pepsi *g*.

> > It's the same as opinions. Just because one has one (and by
> definition, it
> > remains one, no matter how anyone tries to argue), doesn't mean it
> is
> > correct (though people will still disagree about it!)
>
> You wrong!  :-)  *G*

Yeah, as usual. *g*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/30/2001 12:24:00 AM
"NT Canuck" <ntcanuck@hotmail.com> wrote in message
news:a0lmis$1qhj$1@news.grc.com...
> "Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
> news:a0llri$1poi$1@news.grc.com...
>
> > Technically, they might loose money burning that extra 10-100 MB's
> > to each CD they distribute. *g*
>
> YES!  And in extra man hours testing for complete compliance with
> the other 4,700 files in the Windows family and then with all the
> other MS products with internet access ~ Office ~ Media Player etc.

I'd say MS could fairly say this was Netscape's responsibility. EG: We'll
bundle it whether it works or not, you put it in a netscape wrapper though.

> Not to mention ~ WHO do you now call for support?
> Who is responsible for Netscape's ~ bugs, patches and updates?
> And how do you introduce the exams that qualify the installers?
> Yes, pre-installation specialists have to write an exam.
>
> As it stands, IE allows for another browser to be the default, it
> even has a checkmark for it.  The biggest problem was whether
> the OEM's would be allowed to bundle it ~ not MS itself.
>
> In January 2002 (afaik) this will change, I hope it works out.
> This is just history now, depending on what you get from your
> favorite local OEM distributor ~ Netscape/Opera who knows.

Yeah. I say all responsibility for testing and maintenance stays with the
person who holds the IP, not the distributor, except in unique cases such as
OEM's, where they really are selling a "package".

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/30/2001 12:25:00 AM
On Sat, 29 Dec 2001 17:02:28 -0600, "NT Canuck" <ntcanuck@hotmail.com>
wrote:


>Crackers, exploits, Trojans do not come by default on any OS
>and certainly will not be found on your default CD loaders.

No, but open shares is like leaving the doors unlocked
>
>It is only when the conduit is established via the internet that any
>of this becomes relevant...so why is Microsoft responsible for
>activities on/via a medium they did not create?  I still don't get it.

Because MS opens everything to the net, including the OS and MS apps.
>
>That's my perspective.  I continue to elaborate...no one sees it.
>
>Lets get on with IPv6 already.
>
I'm game whenever you are <G>

Geek..
0
handyman
12/30/2001 12:27:00 AM
"Kenneth Doyle" wrote in message:

> It was my impression that you had used Gates' words as if
> you thought that you had presented an unassailable
> argument.  I'm quite prepared to believe that you had
> thought no such thing.  It just seems that way from the
> manner in which you presented it.

Dude...  Despite the fact I never said it, I totally AGREE with the
statement.  I follow the analogy 100% as per *MY* line of thinking.
Ok?  Now, I know you don't agree with the analogy just because of your
opinions about Microsoft, but damnit, don't play this song of "I don't
understand it".  You're smart enough to know what he was TRYING to say
even if you don't *agree* with it.

Part of my success (so far) in life is that I don't ever take the
first opportunity to pass the blame.  I blame myself first, and in
that regard I usually expect something similar from other people
despite it being a rare trait in my fellow humans.  the easiest way to
learn is to first realise that you NEED to learn because noone else id
going to figure it out for you.  Unfortunaly, here in the world, the
idea of wait for a problem then "pass the buck" has always been so
much more convinient for most people.  I don't play that crap.  I
never have.  Look out for yourself, because nobody else will.  My
outlook just happens to extend into computer technology.  Microsoft
provides the tool, they provide the ability to keep it secure.  If you
buy it, everything else is *your* responsibility after that, not
their.  They've given you the tools...  learn to use them.  God forbid
I start another analogy, but please don't argue it.  I'm not
interested in that, and if you can't see what I'm getting at here then
it's a lost cause from the get-go and not worth debating.  So here
goes...  Look at the cigarette industry.  People start smoking, get
lung cancer, blame the cigarette company, sue them for billions.  My
responce...  they're a dumbass!  They knew it was dangerous, now they
can enjoy a slow death.  Microsoft really is selling a potentially
dangerous product (*if you don't know how to use it*).  The analogy
completely falls apart at that point because there's no safe way to
smoke a cigarette, and there *is* a safe way to run your computer.  MY
PERSONAL STANCE is that people need to recognize the danger BEFORE
their purchace, understand the risks, protect themselves, and take
responsibility when their OWN decisions when their neglegence creates
a problem for them.  Sometime protecting yourself means asking for
help from people who know more about computers even for something as
simple as running the Windows Update from the Start Menu.  This
outlook means not blaming MS when we get bit by a security problem.  I
don't expect everyone to share my self-responsibility outlook on life,
but that's where I stand on it.  Again, either you followed my
comparison to cigarette makers or you didn't...  Either you agreed, or
you didn't, but I'm in no way going to ramble on for another 35
postings arguing a silly analogy.  If you don't agree, fine, I'm wrong
about it all...  whatever.

I always understood "you", because "you" represent 90% of the people
here.  Now you maybe understand "me" a little better.

-S

All that said, I'm soon to be off to a 4-day long new year's bash, so
I probably won't be here to debate my latest analogy anyway.  And I'll
probably still be half liquered when I get back on Tuesday...  :-)
0
Stefan
12/30/2001 12:31:00 AM
"Sam Schinke" <arishae.NO@SPAM.icqmail.com> wrote in message
news:a0lphi$1ts6$1@news.grc.com...

> > In my opinion it is.  It doesn't shock me that you disagree.
>
> I disagree? I'm afraid you've mistaken me for someone who cares. *g*

If you don't care, why are you here?  problems getting a date?  :-)
*g*


> > You wrong!  :-)  *G*
>
> Yeah, as usual. *g*

Well, now we're gettin' somewhere Sam!  :-)

-S
0
Stefan
12/30/2001 12:33:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lq4o$1uig$1@news.grc.com...
[...]
> Part of my success (so far) in life is that I don't ever take the
> first opportunity to pass the blame.  I blame myself first, and in
> that regard I usually expect something similar from other people
> despite it being a rare trait in my fellow humans.

Stefan,

Are you saying Microsoft is _your_ fault?

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/30/2001 12:42:00 AM
"Geek" wrote in message:

> Yes, after tweaking the *** out of it, taking care of all those
lovely
> default value and stripping IE too.  Also added brakes, lights,
> steering, horn, and steering so it will run right.

Great, you understand how to take responsibility for yourself.
Congrats.



> >> Somewhat like a car that has it's brakes turned off by default
> >
> >No, it's something like a car that needs it brakes inspected and
fixed
> >every once in a while.
> >
> Having brakes inspected and fixed once in a while is an entirely
> different story than driving it out of the dealership with the
brakes
> left off by default.

When XP was first released, this exploit didn't exist.  That's all I
was saying.



> > Just because
> > the car was originally made with working brakes,
> > doesn't mean the keep
> > working forever.  WOW.
>
> Wow is right, you missed the point entirely.<G>

You had a point?  <G>



> Unfortunately, the ads for MS products lead people
> to think that no experience or knowledge is needed.

Show me that add.  The one where they said a flaming moron can use
this with ease.  Quite frankly, how much knowledge really is necessary
to hit the Windows Update button and install a few patches as they're
released.  If you can't figure it out, get someone to turn on the
"keeping windows up to date" feature and let that take care checking
for updates for you.


> > Yea, then they can have almost nobody wanting to
> > use their products...
> > like Linux
> >
> So what's the downside to this? (LOL)

To me:  nothing.  :-)
To Microsoft:  what do you think?



> >Exaclty, who would be that stupid to blame ford after the child
> >crashed a car into a wall?
> >
> Who said anything about Ford?  I'm talking Porsche here baby.

Imports...  BAH!  I'll keep *my* Ford, thanks.  :-)
http://www.lfchosting.com/regflycl/x/car.jpg


> No, the
> point is MS (the adult) allows the kid (newbie user)
> to take the key to the car without proper prep.

If someone took a car and drove it into the wall because they didn't
know how to use it, THAT PERSON (at any age) would be for blame.  If
I'd done it as a kid, my parents woulda killed me.  I'm talking about
blaming the person who did it, not the company woh made the product.



> >I saw someone use a computer once.  So what?
> >
> Did you learn anything?

Not until I started using it for myself.  That's my whole point.
Riding in a car doesn't mean you know how to drive one.  Watching
someone use a computer doesn't mean you know how to use one.

-S
0
Stefan
12/30/2001 12:49:00 AM
"Sam Schinke" wrote in message:

> > Part of my success (so far) in life is that I don't ever take the
> > first opportunity to pass the blame.  I blame myself first, and in
> > that regard I usually expect something similar from other people
> > despite it being a rare trait in my fellow humans.
>
> Are you saying Microsoft is _your_ fault?
>

No...  I'm saying when my machine is taken over because of a patch I
forgot to install, that's *my* fault (for not running a secure
system), not Microsoft's (for allowing the exploit to slip past
development).  I thought I was pretty clear there.  :-/

-S
0
Stefan
12/30/2001 12:52:00 AM
Stefan wrote:

> 
> Ok?  Now, I know you don't agree with the analogy just because of your
> opinions about Microsoft, but damnit, don't play this song of "I don't
> understand it".

I see no point in responding to this sort of bullshit.  I've
made my point.
0
Kenneth
12/30/2001 1:07:00 AM
"Kenneth Doyle" wrote in message:

> Stefan wrote:
> >
> > Ok?  Now, I know you don't agree with the analogy just because of
your
> > opinions about Microsoft, but damnit, don't play this song of "I
don't
> > understand it".
>
> I see no point in responding to this sort of bullshit.  I've
> made my point.

I made mine.  you actually want me to believe you didn't understand
what Gates was TRYING to say in his analogy?  ok then.  :-/

-S
0
Stefan
12/30/2001 1:08:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lmgk$1qfp$1@news.grc.com...
>
> An open port IS NOT an open share.  I'm talking about ports.  I run an
> FTP server on port 21, that doesn't mean I have open shares exposed.
> Don't change what I said.  I'm saying an "open port" is not a problem
> if it doesn't open up a security hole (such as an open share).  That's
> all I said.

Stephan,

To me, open shares = open ports 137-139 = NetBIOS.

http://www.sans.org/topten.htm

      7. Global file sharing and inappropriate information sharing via
NetBIOS and
      Windows NT ports 135->139 (445 in Windows2000), or UNIX NFS exports on
port
      2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and
548.
      These services allow file sharing over networks. When improperly
configured, they can expose critical system files or give full file system
access to any hostile party connected to the network. Many computer owners
and administrators use these services to make their file systems readable
and writeable in an effort to improve the convenience of data access.
Administrators of a government computer site used for software development
for mission planning made their files world readable so people at a
different government facility could get easy access. Within two days, other
people had discovered the open file shares and stolen the mission planning
software.
      When file sharing is enabled on Windows machines they become
vulnerable to both information theft and certain types of quick-moving
viruses. A recently released virus called the 911 Worm uses file shares on
Windows 95 and 98 systems to propagate and causes the victim�s computer to
dial 911 on its modem. Macintosh computers are also vulnerable to file
sharing exploits.

      The same NetBIOS mechanisms that permit Windows File Sharing may also
be used to enumerate sensitive system information from NT systems. User and
Group information (usernames, last logon dates, password policy, RAS
information), system information, and certain Registry keys may be accessed
via a "null session" connection to the NetBIOS Session Service. This
information is typically used to mount a password guessing or brute force
password attack against the NT target.

      Systems Affected:
      UNIX, Windows, and Macintosh systems.
      CVE Entries:
      SMB shares with poor access control - CAN-1999-0520
      NFS exports to the world - CAN-1999-0554
      These candidate entries are likely to change significantly before
being accepted as full CVE entries.

      Advice on correcting the problem:
      A. When sharing mounted drives, ensure only required directories are
shared.

      B. For added security, allow sharing only to specific IP addresses
because DNS names can be spoofed.

      C. For Windows systems, ensure all shares are protected with strong
passwords.

      D. For Windows NT systems, prevent anonymous enumeration of users,
groups, system configuration and registry keys via the "null session"
connection.

      Block inbound connections to the NetBIOS Session Service (tcp 139) at
the router or the NT host.

      Consider implementing the RestrictAnonymous registry key for
Internet-connected hosts in standalone or non-trusted domain environments:

        NT4: http://support.microsoft.com/support/kb/articles/Q143/4/74.asp
        Win2000:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

      E. A quick, free, and secure test for the presence of NetBIOS file
sharing, and its related vulnerabilities, effective for machines running ANY
operating system, is available at the Gibson Research Corporation web site.
Simply visit http://grc.com/ and click the "ShieldsUP" icon to receive a
real-time appraisal of any system's NetBIOS exposure. Detailed instructions
are available to help Microsoft Windows users deal with NetBIOS
vulnerabilities.

      F. For Macintosh systems, disable file sharing and web sharing
extensions unless absolutely required. If file sharing must be enabled,
ensure strong passwords for access, and stop file sharing during periods in
which it is not required.

      To permanently disable Web sharing in MacOS 8 or MacOS 9, remove two
files and restart:
      System Folder:Control Panels:Web Sharing
      System Folder:Extensions:Web Sharing Extension

      To permanently disable AppleShare/IP in MacOS 9, remove one file and
restart:
      System Folder:Extensions:Shareway IP Personal Bgnd


--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/30/2001 1:12:00 AM
On Sat, 29 Dec 2001 17:39:04 -0600, "Stefan" <no.sp@m.please.com>
wrote:

>You say that like it's not incredibly useful.  It makes it so Explorer
>(file explorer) can see remote FTP servers, websites, etc, etc.  I
>love that about it.  I stop does it all.
>
I stop?  What's that?

For me, having all these MS apps integrated with the browser is more
of a pain than a help.  Not to mention more potential problems

Geek.
0
handyman
12/30/2001 1:15:00 AM
"Robert Wycoff" wrote in message

> Stephan,
>
> To me, open shares = open ports 137-139 = NetBIOS.

Open shared DO mean open ports.  However, open ports do NOT mean open
shares.  I can have an open port 139 and still not be exposing an open
share to anyone!  Hell, I DO expose port 139 and I don't have any
shares at all - nevermind an open share.  Try again.



> http://www.sans.org/topten.htm

Ducky.  I didn't even read it.  I've personally exploited open shares
many times, so I'm quite certain that I don't need a cute little web
page to teach me how they work.  Unless it's total BS, there is NO
line in there that says having port 139 open means you are definitely
exposing an open share.  That's just not true.  You can install
netBIOS, expose port 139 and have NO open shares at all.  YES, YOU
CAN.  I do it personally.  You can get my username, my computer name,
my workgroup name, and my MAC address this way.

I'll save you the time of looking for yourself.  Do you want them?
User:  Administrator
Computer:  PIII1GHz
Workgroup:  Workgroup
MAC: 00-60-08-3B-40-59

Thank you, come again.

ttyl,
-Stefan.
0
Stefan
12/30/2001 1:17:00 AM
"Geek" wrote in message:


> >You say that like it's not incredibly useful.  It makes it so
Explorer
> >(file explorer) can see remote FTP servers, websites, etc, etc.  I
> >love that about it.  I stop does it all.
> >
> I stop?  What's that?

I suffer from a rare condition called typelexia.  Check that to read:
"1 stop does it all"


> For me, having all these MS apps integrated with the
> browser is more of a pain than a help.  Not to mention
> more potential problems

Functionality always bring potential problems.  I take that chance.


ttyl,
-Stefan.
0
Stefan
12/30/2001 1:19:00 AM
Brother Robert -

You have given me another keeper, thank you.

The road to knowledge is long AND wide.

Please continue your wonderful work here at GRC!

Quote on, McWycoff.

;^ )




--

Mark Strelecki,  ACP          BE6.2600.011208
Computing and Programming Since 1975  http://www.strelecki.com
Protect Your Rights -- Fight UCITA   http://www.4cite.org
0
Mark
12/30/2001 1:29:00 AM
" Mark Strelecki, ACP, Atlanta, GA" <be6-506@nospam.strelecki.com> wrote in
message news:a0lt19$228t$1@news.grc.com...
>
> Brother Robert -
>
> You have given me another keeper, thank you.
>
> The road to knowledge is long AND wide.
>
> Please continue your wonderful work here at GRC!
>
> Quote on, McWycoff.

Mark,

Google is my friend.

And List of Lists.

And Eric's site.

I'm just a messenger. <g>
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/30/2001 1:35:00 AM
"Stefan" <no.sp@m.please.com> wrote in message ...

> "Tommy_k" <tommy_kins@ntlworld.ie> wrote in message

> > Hmm - so you do work for Microsoft, Stefan -

> Tommy, do you EVER add anything to the conversation, or just toss
out
> these useless, pointless tidbits or annoying, mindless dribble?
> -S

Well excuse me for asking, but who made you boss of who/what and how
someone posts here, tsk tsk.
I'm beginning to see I hit a nerve, for which I'd like to apologize,
but I won't.  Feeling a bit tetchy today are you.  Okay, who is the
'we' that YOU quoted, and are you EVER wrong.  See. I can do caps
also, actually they are quite striking in their own way, much like
your squirming.
Cheers and take care
Tommy
0
Tommy_k
12/30/2001 2:48:00 AM
"Stefan" <no.sp@m.please.com> wrote in message ...

> > Condescension DOES NOT preserve order and DOES NOT illuminate rationale.
> In

> > fact, it does quite the opposite in both cases.  It destroys order and
> flies
> > in the face of rationale.  That's exactly the problem here, isn't it?

"Stefan" <no.sp@m.please.com> wrote in message ...

> > Tommy, do you EVER add anything to the conversation, or just toss
> out
> > these useless, pointless tidbits or annoying, mindless dribble?
> > -S
>
> "Stefan" <no.sp@m.please.com> wrote in message ...

>blahblahblahblahblahblahblahblahblahblahblahblahblahblahblah

  Tommy,
He likes the sound of his own voice is my read.
                            ~meow~
0
catseyenu
12/30/2001 3:46:00 AM
>
> Open shared DO mean open ports.  However, open ports do NOT mean open
> shares.  I can have an open port 139 and still not be exposing an open
> share to anyone!  Hell, I DO expose port 139 and I don't have any
> shares at all - nevermind an open share.  Try again.
>

Stephan is quite correct.  Having TCP 139 open does not mean you have shares
open.  You may, but that is an administrative issue, not a protocol issue
that this level.  And while I think that Stepan is usually right on target
in his posts,  I must point out that you can get lots more info out of
NetBIOS than the currently logged on user, workgroup/domain, and MAC
address.  Of course, Stephan knows this quite well, I'm sure, and has 139
open for other reasons ;).

ADa
0
Thor
12/30/2001 8:22:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0lrag$2026$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
> > > Part of my success (so far) in life is that I don't ever take the
> > > first opportunity to pass the blame.  I blame myself first, and in
> > > that regard I usually expect something similar from other people
> > > despite it being a rare trait in my fellow humans.
> >
> > Are you saying Microsoft is _your_ fault?
> >
>
> No...  I'm saying when my machine is taken over because of a patch I
> forgot to install, that's *my* fault (for not running a secure
> system), not Microsoft's (for allowing the exploit to slip past
> development).  I thought I was pretty clear there.  :-/

I guess I should take my tongue out of my cheek now. *g*

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/30/2001 10:18:00 AM
>Forcing Microsoft to include Netscape's competing software in our
>operating system is like requiring Coca-Cola to include three cans of
>Pepsi in every six-pack it sells.
> - Bill Gates
>********************************************

But Coke doesn't own most all the bottling equipmnt.

That's the problem with analogis - they usually don't work.

FWIW - neither Coke nor Pepsi has a monopoly - Micro$ux does.
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/30/2001 1:34:00 PM
If Coke is "free" at the grocery store, will Pepsi sales decline??
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/30/2001 1:36:00 PM
"[The Hon. Rev. joWazzoo] " <LumberCartel@Lart.com> wrote in message
news:hr5u2uglqggi2pke94vcepcqracgrt9fmq@4ax.com...

> That's the problem with analogis - they usually don't work.

It was a similie, not an analogy.

'Seek and ye shall find'
NT Canuck
0
NT
12/30/2001 2:30:00 PM
"Sam Schinke" wrote in message:

> Heh. UPnP is a bit simpler than NT4
> (and heck, I like to hope fewer mistakes
> were made in XP overall than in NT4 :P)

Firtp off...  compare apples to apples.  We're not copmparing UPnP to NT,
we're comparing XP to NT.  I fullybeliever that since XP is much more
complex (much more "stuff") that it will, in the end, have MORE bugs than NT
ever had.

> I don't think it unreasonable to assume
> that a service that has been "on the
> market" for two or more years will
> generally be more secure than one that is
> going through it's infancy (as UPnP is).

UPnP *HAS* been on the market that long.  It's also a part of WinME.


> Actually, I never know when an exploit
> will be developed against any software
> ... <snip>...
> but I have it fairly stripped down)

I hate that "lets strip everything down to that bare bones" attitude.  I wun
Win2k server fairly stripped down (almost NO options installed, most unused
network features removed or disabled), but as for programs...  I like the
toys.  What's the point of owning a computer to surf the net in text-only...
that might have been cool in 1985, but there's a lot of stuff out there I
want to play with.  I luagh at all the people who disable ActiveX and
VBscript.  Use it smartly, and it honestly can't hurt you.  Shut it off is
only a great option for people to silly to know what it is and how to use
it.


> For the general public? Sure. For an
> enterprise, or someone who has
> something they really want left alone
> (cryptographic keys?), maybe not.

Fair enough.  I mean, despite my anti-firewall attitude, I have installed
them on servers at the office more that once, so....


> I thought the masses weren't supposed
> to run servers? *g*

referring to the masses of people running web servers on purpose....  and
you KNOW that's what I was saying, Sam.


> I don't see the logical neccesity there, nor
> even that one has to be terribly educated to
> share an opinion, valid or not. Everyone has
> opinions.

Ok, but if you can't even keep YOUR OWN syetem secure, why the hell would I
want your opinion on security?  :-/  That's why I put "VALID" before the
word "opinion" and used all-cap letters like that.

Anyhoo..

-S
0
Stefan
12/30/2001 3:06:00 PM
"[The Hon. Rev. joWazzoo] " wrote in message

> If Coke is "free" at the grocery
> store, will Pepsi sales decline??

As far as the analogy goes, Pepsi is also free.

Dropping the analogy now...

By your logic, the fact that Linux is FREE should og hurt Microsoft sales,
shouldn't it?  Oh...  but I'm sure you think that's completely different
that this.  Well, there is FREE ISP's out there...  why is AOL still the
biggest?  Or is that also completely different?  Or are we jumping on the
trendy to be anti-MS bandwagon|?  :-)

-S
0
Stefan
12/30/2001 3:08:00 PM
"[The Hon. Rev. joWazzoo] wrote in message:

> But Coke doesn't own most all the bottling
> equipmnt.

The fact that MS controls 90%+ off the desktop market is hardly their fault.
By your logic, the second they got on top, they should have backed off.  I
hope you never run a company.  They'll fire you.  :-)


> That's the problem with analogis - they
> usually don't work.

The problem with them is that people spend too much time bitching about the
analogy rather then just looking at what was TRYING to be said by basis of
comparison.  I don't give a shit about Coke and Pepsi...  it's just a
comparison.  It's so hard for some people to jump that hurdle.


> FWIW - neither Coke nor Pepsi has a monopoly

Well, "together" they do.  What about all the "little" soda-companies?  I
think we'll force both Coke Ltd and Pepsi Ltd to include 3 cans of RC Cola
in every sixpack.  That way poor little RC isn't hurt by the big bad evil
pop drink monopoly.  Shall we keep beating this to death?  DIE ANALOGY,
DIE!!!LMAO.


> Micro$ux does.

The fact you ALWAYS call them "Micro$ux" shows that you're just another
biased opinion hoping on the anti-MS bandwagon.

-S
0
Stefan
12/30/2001 3:16:00 PM
"Thor@HammerOfGod.com" wrote in message:

> Stephan is quite correct.

Thanks.  I try.  :-)


> And while I think that Stepan is usually
> right on target in his posts

Thanks again.  you're going to give me an ego...  oh wait...  I already had
one.  :-)


> I must point out that you can get lots
> more info out of NetBIOS than the
> currently logged on user, workgroup/domain,
> and MAC address.

Yea, but without the open share, it's not like they're going to get anything
I care about.  I mean 99.9999999% of the NetBios wannabe-crackers out there
are using some pre-made tool like Legion and scanning only for open,
un-password-protected shares.  If you're showing anything else, who cares?
Well, I don't anyway...  I'm sure other people here are concerned and
remembering the phrase "My port 139 is wide OPEN!" just casuse Steve told
them to remember it.  AHHHH!

> Of course, Stephan knows this quite
> well, I'm sure, and has 139
> open for other reasons ;).

he he he.  Yup.  I keep it open to do my own scanning OUT from.  I haven't
done anything in several months now, but at one time I had batch files just
running "NET VIEW \\xxx.xxx.xxx.xxx" commands across the cable network I'm
on.  The batch file would dump the output to a text file, the text file
would later be parsed by a program and all the positive results would end up
in yet another text file (at the time, I didn't know tools like Legion
existed, so I was re-invernting the wheel).  Once you have a list of folks
with their computer wide open, you walk in to their computer, grab their
e-mail address and send the a warning telling them their system is wide
open.  I'd usually give them a link to ShieldsUP to explain it 'better' for
them.  I found I was getting too many people replying to my e-mail and
wanting to know more and more like I actually cared to be their pre-school
teacher, so I got annoyed with that and just starting putting a link to
ShieldsUp in the C:\Windows\StartMenu\Programs\StartUp directory and hoped
they'd be smart enough to figure it out on their own the next time they
flipped their computer on and were greeted with a face full of ShieldsUp.

It would SHOCK THE HELL out of you to know the number of people I e-mailed a
warning to AFTER walking right into their computer who STILL didn't do
anything to fix it.  I kept a list of the people I'd warned and checked back
in on their IP in a few days.  MANY PEOPLE did NOTHING to close the hole I'd
shown them.  I even tried sending some of them a screen capture showing a
drive I'd mapped to thier C:\ drive.  This is how I came to my "people are
stupid" attitude in life towards computer security.  they really are stupid.
I know.  I've dealt with them.  You can beat them in the face with proof
that their machine is insecure, and they just don't care.  piss on em.  I'm
glad that some people took my advice, thanked me, patched the hole, and
moved on, but so many just ignored it.  It's interesting to note that never
once did anyone express anger towards me for just walking in to their
computer and taking their e-mail address off their hard drive to send them a
warning.  I suppose the fact that I showed up with an olive branch maybe
helped.

-S
0
Stefan
12/30/2001 3:37:00 PM
"catseyenu" wrote in message:
>
> >blahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
>
>   Tommy,
> He likes the sound of his own voice is my read.
>                             ~meow~


Ok...  now what's your excuse?  :-)

-S
0
Stefan
12/30/2001 3:44:00 PM
On Sat, 29 Dec 2001 13:02:59 -0600,  "Stefan" <no.sp@m.please.com>
threw these bits into the ether:

>To you.  Not me.  This is all about opinions anyway, isn't it?  I
>mean, I KNOW nothing I'm saying is 100% correct, but you need to see
>that nothing you say is 100% correct either.  It's all opinion from
>where we're looking at it.  Before you tell someone they're 100% wrong
>you ought to consider that there really isn't a black-and-white right
>and wrong.  Furthermore, neither of us is more qualified than the
>other to be the official authority on the topic anyway.  It's just a
>discussion.

Ther is a big difference between Objective and Subjective. You tend to
get the two mixed up.

Much of where I com from is Economics - not opinion. And I have a BS &
MA in con with further graduate training in con at Harvard and Boston
College.

M$ is likly one of the most blatant examples of Monopolies since the
robber barons ofd the 18th century.

>> Bill Gates is no visionary - a fairly smart chap, but
>> nothing more.
>
>That's an easy statement to make while you're on the bottom of the
>ladder and he's on the top of it.  If you really knew better, why
>aren't you up there?

How you know where I am? You don't. More of your pull it out your butt
and throw it out there...

>Nay.  Smart enough to *BUILD* a monopoly position.  Furthermore, smart
>enough to *KEEP* it.

Until the DOJ realizes that they have been duped. But then there are a
lot of States that haven't signed on...

>Exactly.  That makes it HARDER to take over.  Typically a business is
>easiest when you're the first person in, because you have nobody to
>compete with.  Microsoft came in after-the-fact and took over.  That's
>not easy to do.

Sure it is when you have a monopoly....no one BUT M$ux could have
pulld off what they did. No one! You need to study econ - you don't
know...

>know that 95% of the folks out there aren't knowledgable enough to FTP
>out from a DOS prompt to download a browser.  If it wasn't for
>Explorer in there by default, how are they supposed to go get
>Netscape?

Internet in a box coms to mind...

>You never thought of that, did you?

Duh. You are a dip****. Been on line since 1981. Using computers since
1968. I didn't need a GD browser from M$ to get my net apps...

Good grief...

> but everyone thinks
>they should have bundled a BETTER (2-way) firewall into XP?

Blankt statement. I want them OUT of the app business. totally. Hell -
I wouldn't use their FW.

>Which software did you all want bundled, and which software are you wanting
>to burn them at the stake for bundling?  You wanna clear that up for
>me?

Screw you - wise ass. I want NOTHING bundled. Zero. The Internet is
not Microsoft's to own....
>
>> Did Netscape and the other app vendors have the
>> ability to hook their sw into the OS code - like
>> M$ux? Of course not!
>
>HA HA HA.  I suggest you go get a copy of RedHat my friend.  You just
>put your foot in your mouth.

We ae talking Windows. Quit changing the topic. Oh windows isn't open
souce? I must have beeen mistaken...

>> I imagine that I can safely say that I was likely computing before
>you
>> were born. Micro$ux has done nothing other than:
>>
>> 1 - ride the net wave
>> 2 - take advantage of their monopoly
>
>1 - *built* the wave
>2 - *built* the monopoly

Heh. Sory - no cigar...AOL is probably more responsible than MS if you
want to play that game...

>> Any firm in their position could have done the same thing.
>
>Any firm in their position?  what position?

Monopoly...

> brand new and starting
>out with nothing?

MS was not brand new and starting with nothing. They were an
establishd monopoly with control of the OS...

>So why didn't you do it?  You could be a
>billionaire with your own Island in the pacific, and not sitting in a
>GRC newsgroup talking to me.

>AGAIN, you don't START with a Monopoly...  you build it.  It wasn't
>just handed to them on a golden platter.

Sure it was. Stupidly by IBM....go back and do some research...

Good bye...


p
l
o
n
k
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/30/2001 3:47:00 PM
"[The Hon. Rev. joWazzoo] wrote in message:

> Much of where I com from is Economics - not
> opinion. And I have a BS & MA in con with further
> graduate training in con at Harvard and Boston
> College.

Wow..  you done good.


> M$ is likly one of the most blatant examples
> of Monopolies since the robber barons ofd the
> 18th century.

You'd be better to compare it to the oil monopoly that John Rockefeller ran.


> How you know where I am? You don't.
> More of your pull it out your butt
> and throw it out there...

Well, you can't be too important... you have a lot of time to waste in news
groups.  I don't walk around bragging about how important I am.  :-)


> Until the DOJ realizes that they have been
> duped. But then there are a
> lot of States that haven't signed on...

The whole case was bullshit from the start.


> Sure it is when you have a monopoly....

AGAIN, they didn't start with a monopoly.



> no one BUT M$ux could have
> pulld off what they did. No one!

Earlier in the the threat you said ANY firm could have done what Microsoft
did.


> You need to study econ - you don't know...

How you know where I know? You don't. More of your pull it out your butt
and throw it out there...


> Internet in a box coms to mind...

Why do I have to go buy something if I can have it right there by default?


> Duh. You are a dip****.

You're a bigger dip****.


> Been on line since 1981. Using computers
> since 1968.

Whoopee.  born in 1977, been using computer since I was 4.  Do I care what
you did?  not really..  but since we're tossing it out on the table, there
ya go.


> I didn't need a GD browser from M$ to
> get my net apps...

YOU don't.  95% of the people ourt there DO!


> Good grief...

I hear ya.


> Blankt statement. I want them OUT of the app
> business. totally. Hell -
> I wouldn't use their FW.

So stop crying and use something else for shit sakes.


> Screw you - wise ass.

Screw you - pin head  (I can type insults also... isn't it fun?)



> I want NOTHING bundled. Zero. The Internet is
> not Microsoft's to own....

They sell a browser, not the Internet.  Don't confuse the two.


> We ae talking Windows. Quit changing the topic.
> Oh windows isn't open souce? I must have beeen
> mistaken...

OHOOHOHHH  I see!!!  We have one set of rules for MS, and one for all the
other companies.  Horse shit!


> I imagine that I can safely say that I was
> likely computing before you were born.

that just makes you older and more prone to going impotent.  It has very
little to do with computer skill.


> Heh. Sory - no cigar...AOL is probably more
> responsible than MS if you
> want to play that game...

So why not cry about their monopoly?


> MS was not brand new and starting
> with nothing. They were an establishd
> monopoly with control of the OS...

That's right, they had NOTHING one day, and a monopoly the next day.  Uh
huh.  try again.


> Sure it was. Stupidly by IBM....go
> back and do some research...

Oh, now it's IBM's fault?


> Good bye...

I can only hope.


-S
0
Stefan
12/30/2001 4:12:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0nf3u$h0j$4@news.grc.com...

> It would SHOCK THE HELL out of you to know the number of people I e-mailed
a
> warning to AFTER walking right into their computer who STILL didn't do
> anything to fix it.  I kept a list of the people I'd warned and checked
back
> in on their IP in a few days.  MANY PEOPLE did NOTHING to close the hole
I'd
> shown them.  I even tried sending some of them a screen capture showing a
> drive I'd mapped to thier C:\ drive.  This is how I came to my "people are
> stupid" attitude in life towards computer security.  they really are
stupid.
> I know.  I've dealt with them.  You can beat them in the face with proof
> that their machine is insecure, and they just don't care.  piss on em.
I'm
> glad that some people took my advice, thanked me, patched the hole, and
> moved on, but so many just ignored it.  It's interesting to note that
never
> once did anyone express anger towards me for just walking in to their
> computer and taking their e-mail address off their hard drive to send them
a
> warning.  I suppose the fact that I showed up with an olive branch maybe
> helped.

Stephan,

Thank you.

Robert
0
Robert
12/30/2001 4:53:00 PM
"catseyenu" <catseyenu@nurdreams.
>> >blahblahblahblahblahblahblahblahblahblahblahblahblahblahblah

  Tommy,
> He likes the sound of his own voice is my read.
Whadidhesay ??
Hmmm. throwing up a few spins from a web page, is probably his idea of
expertise.
Anyway with all due respect to the other GRC'ers I personally added
him to my blocked senders.  Things should return to normal fairly
soon, maybe :-))
Cheerio and God bless
Tommy
0
Tommy_k
12/30/2001 5:02:00 PM
In article <a0nf3t$h0j$3@news.grc.com>, no.sp@m.please.com says...
> "[The Hon. Rev. joWazzoo] wrote in message:
<snip>
> > FWIW - neither Coke nor Pepsi has a monopoly
<snip>
I hate analogies, but did you ever notice that you never have both Coke 
*and* Pepsi on sale in a major grocery store at the same time ? It's 
always one or the other. 

-- 
Bloated Elvis
0
Bloated_Elvis
12/30/2001 5:15:00 PM
In article <tlcu2uksd0b90bc3coqdoo764q8h14vln3@4ax.com>, 
LumberCartel@Lart.com says...
<snip>
> Ther is a big difference between Objective and Subjective. You tend to
> get the two mixed up.
<snip>

FWIW, you really ought to take a step back and re-read your posts. The 
only real difference I see is you are on the other side of the fence on 
this issue.

Also, unless Agent has some new *nix version 1.8, you wold appear to be 
constantly posting from an OS by a company you immaturely and constantly 
refer to as micro$ux. That seems more than a bit hypocritical of you.
-- 
Bloated Elvis
0
Bloated_Elvis
12/30/2001 5:37:00 PM
From: "Stefan" <no.sp@m.please.com>
Newsgroups: grc.news.feedback
Sent: Sunday, December 30, 2001 9:44 AM
Subject: Stephan's Personality Disorder

Congratulations! You are the joining Abu for a one way all expense paid
trip. Pack your bags.
*
*
*
*
Little farther
*
*
*
*
Closer
*
*
*
*
*
*
PLONK!
0
catseyenu
12/30/2001 5:39:00 PM
On Sun, 30 Dec 2001 12:37:39 -0500,  Bloated_Elvis
<thel8elvis@hotmail.com> threw these bits into the ether:

>Also, unless Agent has some new *nix version 1.8, you wold appear to be 
>constantly posting from an OS by a company you immaturely and constantly 
>refer to as micro$ux. That seems more than a bit hypocritical of you.

Why? I have felt that way since ohhh 1982. Likely before most people
ever heard of PCs or for sure the Internet.

I think they suck. I could care less I use their product. So? I also
hate my local electric utility. They suck. They are a monopoly...
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/30/2001 5:44:00 PM
"catseyenu" <catseyenu@nurdreams.com> wrote in message
news:a0nm6v$pm0$1@news.grc.com...
> From: "Stefan" <no.sp@m.please.com>
> Newsgroups: grc.news.feedback
> Sent: Sunday, December 30, 2001 9:44 AM
> Subject: Stephan's Personality Disorder
>
> Congratulations! You are the joining Abu for a one way all expense paid
> trip. Pack your bags.
> *

LOL

I beat ya by a good day or so on this one, cat. My jerkalert went up *real*
early on this ol' boy and I made him go "poof". <BG>

Phil
0
Phil
12/30/2001 6:11:00 PM
In article <feku2usd0k465tdf4vc8esvmdu7ljp7no4@4ax.com>, 
LumberCartel@Lart.com says...
> On Sun, 30 Dec 2001 12:37:39 -0500,  Bloated_Elvis
> <thel8elvis@hotmail.com> threw these bits into the ether:
> 
> >Also, unless Agent has some new *nix version 1.8, you wold appear to be 
> >constantly posting from an OS by a company you immaturely and constantly 
> >refer to as micro$ux. That seems more than a bit hypocritical of you.
> 
> Why? I have felt that way since ohhh 1982. Likely before most people
> ever heard of PCs or for sure the Internet.

You can keep touting how long you have been using computers, it's still 
doesn't impress me.
 
> I think they suck. 

You have made that abundantly clear.

> I could care less I use their product. 

I assume you mean *couldn't*.

> So?  I also
> hate my local electric utility. They suck. They are a monopoly...
> 
I won't get into the debate of the technical definitions of a monopoly. 
Let's just say that someone such as yourself that has been using 
computers so long *does* have an OS choice. You have chosen to support a 
company that you profess 'sucks' by purchasing their OS. If you don't 
see the hypocrisy in that, then I doubt I could explain it any better.

-- 
Bloated Elvis
0
Bloated_Elvis
12/30/2001 6:55:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0l764$18u6$1@news.grc.com...

<re: enforcing multicast ttl<=4 in UPnP>

> If they didn't do it originally, they did do it in the patch:
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q315056
>
> However, if it's in the spec, the *should* have done it originally.
> I'm not sure yet as to if they did or not.

The only problem is that this is on UDP replies, not the HTTP requests.
These may well have the normal TTL for TCP of 128.

> eEye certainly didn't mention the limitation when they were
> talling the world it could be used to generate a DDoS attack.  If it
> is the default on an unpatched system, I have to say that was VERY
> irresponsible of eEye to ignore that fact while telling the world it
> could be exploited and used to generate a DDoS.

The DoS (and DDoS) uses HTTP, and not multicast.
--
Robert Bradley

I am not a mindreader, so I don't know everything.
0
Robert
12/30/2001 7:10:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0nf3u$h0j$4@news.grc.com...
> Yea, but without the open share, it's not like they're going to get
anything
> I care about.  I mean 99.9999999% of the NetBios wannabe-crackers out
there

If you've applied the RestrictAnonymous registry patch then you'll be
fairly safe as far as not divulging so much information, but having your
139/445 open leaves your Win2K system open to brute force password
guessing. As soon as some determined person gets that then its game over.

-Robin
0
Robin
12/30/2001 7:25:00 PM
On Sun, 30 Dec 2001 11:25:56 -0800,  "Robin Keir" <robin@keir.net>
threw these bits into the ether:

>"Stefan" <no.sp@m.please.com> wrote in message
>news:a0nf3u$h0j$4@news.grc.com...
>> Yea, but without the open share, it's not like they're going to get
>anything
>> I care about.  I mean 99.9999999% of the NetBios wannabe-crackers out
>there
>
>If you've applied the RestrictAnonymous registry patch then you'll be
>fairly safe as far as not divulging so much information, but having your
>139/445 open leaves your Win2K system open to brute force password
>guessing. As soon as some determined person gets that then its game over.

www.cert.org talks about open ports - not shares. Guess they don't
know what they ae talking about either.
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/30/2001 8:25:00 PM
> > I care about.  I mean 99.9999999% of the NetBios wannabe-crackers out
> there
>
> If you've applied the RestrictAnonymous registry patch then you'll be
> fairly safe as far as not divulging so much information, but having your
> 139/445 open leaves your Win2K system open to brute force password
> guessing.

I was going to bring that up, but since he referred to putting things in the
\windows\... dir I assumed he was speaking primarily about 9x.  I guess we
should note that TCP 139 lets us at the IPC$ share, which I guess some would
indeed consider an open share (on NT/2k/XP) though I consider 'open shares'
to be user defined shares...

Regarding RA, you might point out that RA=1 (the only setting available on
NT) still allows null sessions to enumerate all the user information- on
Win2k you can set it to 2 which explicitly blocks all null session access to
IPC$.  XP has many more anonymous/null session settings, and allows you to
really tighten down what you wish a null session to be able to enumerate.
0
Thor
12/30/2001 8:29:00 PM
In article <a0o020$14jt$1@news.grc.com>, Thor@HammerofGod.Com says...
<snip>
> Regarding RA, you might point out that RA=1 (the only setting available on
> NT) still allows null sessions to enumerate all the user information- on
> Win2k you can set it to 2 which explicitly blocks all null session access to
> IPC$.  XP has many more anonymous/null session settings, and allows you to
> really tighten down what you wish a null session to be able to enumerate.
> 
I am still hoping someone will finish a nice Teminal Server brute force 
tool....
:-)
-- 
Bloated Elvis
0
Bloated_Elvis
12/30/2001 8:41:00 PM
> I am still hoping someone will finish a nice Teminal Server brute force
> tool....
> :-)
> --
> Bloated Elvis

;) I think I'll go ahead and buy IDA so that I can expose the proper
parameters on the sclient dll's... That should help a bit.  I've got a
couple other tricks up my sleeve if that doesn't work :)

AD
0
Thor
12/30/2001 8:47:00 PM
In article <a0nf3s$h0j$1@news.grc.com>, Stefan transmitsitlikethis:

> I hate that "lets strip everything down to that bare bones" attitude.  I wun
> Win2k server fairly stripped down (almost NO options installed, most unused
> network features removed or disabled), but as for programs...  I like the
> toys.  What's the point of owning a computer to surf the net in text-only...
> that might have been cool in 1985, but there's a lot of stuff out there I
> want to play with.  I luagh at all the people who disable ActiveX and
> VBscript.  Use it smartly, 

*"Smartly"* ... what does that mean?  


> and it honestly can't hurt you. 

But could it hurt me dishonestly?


> Shut it off is
> only a great option for people to silly to know what it is and how to use
> it.

I need to know "what it is" and "how to use it" ... "smartly", if by 
this you mean, safely. I am sure I am missing out a lot on out there 
by having these features disabled and that's only because I don't know 
how to use them safely.  


> -S
> 
> 
> 
0
waves
12/30/2001 9:36:00 PM
Wow, not a freeware version for you eh. You can code too?

Anyway Absez rules

"Thor@HammerOfGod.com" <Thor@HammerofGod.Com> wrote in message
news:a0o156$15vs$1@news.grc.com...
> > I am still hoping someone will finish a nice Teminal Server brute
force
> > tool....
> > :-)
> > --
> > Bloated Elvis
>
> ;) I think I'll go ahead and buy IDA so that I can expose the proper
> parameters on the sclient dll's... That should help a bit.  I've got a
> couple other tricks up my sleeve if that doesn't work :)
>
> AD
>
>
0
Absex
12/30/2001 11:55:00 PM
Why can't you code? Anywhere we can check otherwise
All you do is criticize others, you get paid i know but sure is a dirty
job. Barren bloated bitter spinster

Anyway Absez rules

"Bloated_Elvis" <thel8elvis@hotmail.com> wrote in message
news:MPG.169945ed224c4865989760@news.grc.com...
> In article <a0o020$14jt$1@news.grc.com>, Thor@HammerofGod.Com says...
> <snip>
> > Regarding RA, you might point out that RA=1 (the only setting
available on
> > NT) still allows null sessions to enumerate all the user information-
on
> > Win2k you can set it to 2 which explicitly blocks all null session
access to
> > IPC$.  XP has many more anonymous/null session settings, and allows
you to
> > really tighten down what you wish a null session to be able to
enumerate.
> >
> I am still hoping someone will finish a nice Teminal Server brute force
> tool....
> :-)
> --
> Bloated Elvis
0
Absex
12/30/2001 11:58:00 PM
You are full of it

Anyway Absez rules

"Stefan" <no.sp@m.please.com> wrote in message
news:a0nf3u$h0j$4@news.grc.com...
> "Thor@HammerOfGod.com" wrote in message:
>
> > Stephan is quite correct.
>
> Thanks.  I try.  :-)
>
>
> > And while I think that Stepan is usually
> > right on target in his posts
>
> Thanks again.  you're going to give me an ego...  oh wait...  I already
had
> one.  :-)
>
0
Absex
12/31/2001 12:00:00 AM
"waves" wrote in message:

> > VBscript.  Use it smartly,
>
> *"Smartly"* ... what does that mean?

Don't run a VBsript that you get in the e-mail... you know... like lovebug.


> > and it honestly can't hurt you.
>
> But could it hurt me dishonestly?

despends how well you speak english and why you'd waste my time with a dumb
question like that.


> I need to know "what it is" and "how to use it"
> ... "smartly", if by  this you mean, safely. I am sure
> I am missing out a lot on out there by having these
> features disabled and that's only because I don't know
> how to use them safely.

Well, I have VBscrip and ActiveX on.  I'm still just fine.  Think about
that.

-S
0
Stefan
12/31/2001 5:14:00 AM
"Robin Keir" wrote in message:

> If you've applied the RestrictAnonymous
> registry patch

Of course I have!  :-)  If I hadn't I'd look like a complete retard touting
my "protect yourself" attitude.

> then you'll be fairly safe as far as not
> divulging so much information, but having
> your 139/445 open leaves your Win2K
> system open to brute force password guessing.
> As soon as some determined person gets that
> then its game over.

GOOD POINT robin.  The password on my TEST computer (the one I don't care
about) is "t1r4s1i5t9s2s6r5w3m5f9".  The one on my production system just as
hard to guess.  How do I remember it?

take the capital letters from:
"Tim Robbins Stars In The ShawShank Redemption With Morgan Freeman"
and mix that in with the first 11 decimal places of PI (3.14159265359).

HAVE FUN guessing my MAIN password now.

ttyl,
-Stefan.
0
Stefan
12/31/2001 5:25:00 AM
"Absex" wrote in message:

> You are full of it
>
> Anyway Absez rules
>

You say that like you opinion meant something to me.

-S
0
Stefan
12/31/2001 5:27:00 AM
"[The Hon. Rev. joWazzoo] " wrote in message:

> www.cert.org talks about open ports - not shares.
> Guess they don't know what they ae talking about
> either.

They talk about open ports, not shares because it's easier to say "block the
whole port" than it is to explain to people every one of the 4 billion
problems that come from leaving it open (like the remote access problem).
I'm NOT saying the average user should leave it wide open.  I never said
that.  However, if you have those 4 billion problems mostly covered and you
know how NetBIOS works, you can, with moderate complete safety, leave it
WIDE open to the world as I do.

-S

(yes, "4 billion" is an exageration.  If you were thinking of posting a
comment/question about "4 billion", save your keystrokes.  I'm busy cleaning
my toe-jam out and won't have time to reply to it.)
0
Stefan
12/31/2001 5:36:00 AM
> take the capital letters from:
> "Tim Robbins Stars In The ShawShank Redemption With Morgan Freeman"
> and mix that in with the first 11 decimal places of PI (3.14159265359).
>

No fair!  You're rounding! ;)

AD
0
Thor
12/31/2001 5:40:00 AM
"Thor@HammerOfGod.com" wrote in message:

> though I consider 'open shares'
> to be user defined shares...

For the record, I've always considered "open shares" to be a wide open, no
password at all network share.  If there's a password, I refer to is as a
"passworded share" or just a "network share".  I'm realise I'm sorta
inventing my own terminology there I suppose.  Oh well.


> Regarding RA, you might...<snip>

To be honest, I know what it does, but I never did read much about this
problem.  I just set it to "2" and went on with life.  Not enough hours in
the day.

-S
0
Stefan
12/31/2001 5:48:00 AM
"Thor@HammerOfGod.com" wrote in message:

> > and mix that in with the first 11 decimal places of PI (3.14159265359).
> >
>
> No fair!  You're rounding! ;)

Not that this adds to the topic, but

For the record, I know PI to 22 decimal places (3.1415926535897932384626).
After that, it's a blur, but in college math classes I was trying to
memorize it as far as I could just for fun.  At one point I knew it to over
50 without needing to look it up.  However brain space is somewhat of a
buffer and I've had to start clearing some space for things that might
actually help me in life.  :-)  The true sign of someone with too much time
on their hands is a guy who sits around trying to memorize PI for no real
reason.  :-)

-S
0
Stefan
12/31/2001 5:53:00 AM
At least I'm actually staying on topic here.  What the hell are you doing
here?  Like really....  who's the troll?  And why do I care about your
useless opinion?  The second someone here doesn't agree with everthing being
said you....

ah. to hell with it...  not worth the time.

-S



"catseyenu" wrote in message

<mindless dribble snipped.>
0
Stefan
12/31/2001 6:01:00 AM
Really?  mind did the same on you.  ain't that neat-o?


"Phil Youngblood" wrote in message

> LOL
>
> I beat ya by a good day or so on this one, cat. My jerkalert went up
*real*
> early on this ol' boy and I made him go "poof". <BG>
>
> Phil
0
Stefan
12/31/2001 6:02:00 AM
Once again, the amazing tommy proves he can add nothing to the conversation.
:-/

-S


"Tommy_k" wrote in message

<nothing>
0
Stefan
12/31/2001 6:03:00 AM
On Sun, 30 Dec 2001 09:16:10 -0600, "Stefan" <no.sp@m.please.com>
wrote:

>The fact that MS controls 90%+ off the desktop market is hardly their fault.
>By your logic, the second they got on top, they should have backed off.  I
>hope you never run a company.  They'll fire you.  :-)
>
It's the way they got there that's the issue.
>
>The fact you ALWAYS call them "Micro$ux" shows that you're just another
>biased opinion hoping on the anti-MS bandwagon.
>
AND you just another one of BG's henchmen who acts a spokeperson for
the glorious motherland. You must quelch any unkind words about the
sole source of your entertainment!  BTW, you consider yourself
unbiased? (HAHAHAHA)

Geek..
0
handyman
12/31/2001 6:22:00 AM
But only 14 characters are relevant with NTLM authentication so everything
after the "6" is redundant. Not too hard to brute force now that everybody
knows how you construct your passwords: "lowercase alpha", "digit",
"lowercase alpha", "digit"...Where's my copy of Brutus...

 ;-)

-Robin


"Stefan" <no.sp@m.please.com> wrote in message
news:a0ovit$29kj$1@news.grc.com...
> GOOD POINT robin.  The password on my TEST computer (the one I don't
care
> about) is "t1r4s1i5t9s2s6r5w3m5f9".  The one on my production system
just as
> hard to guess.  How do I remember it?
0
Robin
12/31/2001 6:24:00 AM
"Tommy_k" wrote in message:

> Well excuse me for asking, but who
> made you boss of who/what and how
> someone posts here, tsk tsk.

I didn't tell you that you *couldn't* post it.  I just asked you if you EVER
added anything to the converation? It's only a question based on an
observation.


> I'm beginning to see I hit a nerve

Hardly.  I save nerves for people I care about.


> for which I'd like to apologize,
> but I won't.

Aweee...  you know, it hurts my feeling when you say that stuff.


> Feeling a bit tetchy today are you.

Not really.


> Okay, who is the 'we' that YOU quoted

I'm spit-personality.  None of us 6 like you.


> and are you EVER wrong.

Yup.  Go read all my posts.  I know I've admitted to being wrong on several
occasions in here before, for one reason or another.


> See. I can do caps

does that make you proud?


> also, actually they are quite striking
>in their own way, much like
> your squirming.

I assure you I'm not squirming.  I'm looking at my monitor in sheer awe of
how clueless you seem at times.


> Cheers and take care

same to you.  :-)


-Stefan
0
Stefan
12/31/2001 6:28:00 AM
"Geek" wrote in message:

> It's the way they got there that's the issue.

And hows that?  holding guns to people's heads saying "use our software"?

> AND you just another one of BG's
> henchmen who acts a spokeperson for
> the glorious motherland.

BG's?  I never liked disco music and the BeeGee's were never my thing.


> You must quelch any unkind words about
> the sole source of your entertainment!

No...  I agree with *certain* negative things said about MS.  to list just a
few:
1. we should be able to turn off scripting in e-mail.
2. raw sockets are a feature that XP doesn't need.


> BTW, you consider yourself
> unbiased? (HAHAHAHA)

Did I say that?  No.

-S
0
Stefan
12/31/2001 6:33:00 AM
"Robin Keir" wrote in message:

> But only 14 characters are relevant
> with NTLM authentication so everything
> after the "6" is redundant.

Really?  cool.  thanks.  I didn't know that.  We can all learn something
new,  thanks you.


> Not too hard to brute force now
> that everybody knows how you
> construct your passwords: "lowercase
> alpha", "digit", "lowercase alpha",
> "digit"...Where's my copy of Brutus...
>
>  ;-)

Well, they're not all like that.  My old hotmail password was "aoe45rlk".  I
don't use it anymore due to the fact I've abandoned hotmail over the
inbtroduction of "passport".  I think MS is *STUPID* if they actually want
to tie everthing I do on the Internet into one single username and password.
get frickin real.  Absolutly stupid.

Yes folks... you heard it here first.  Me saying something negative about
Microsoft.

-S
0
Stefan
12/31/2001 6:38:00 AM
On Sun, 30 Dec 2001 12:11:36 -0600, "Phil Youngblood"
<yngbld@net(remove)door.com> wrote:

>
>LOL
>
>I beat ya by a good day or so on this one, cat. My jerkalert went up *real*
>early on this ol' boy and I made him go "poof". <BG>
>
Hey Phil,

I enjoy getting a laugh or two from his post.  Really enjoy his warp
sense of logic, and weird sense of humor too.

Geek..
0
handyman
12/31/2001 6:42:00 AM
On Mon, 31 Dec 2001 00:33:10 -0600, "Stefan" <no.sp@m.please.com>
wrote:
>
>And hows that?  holding guns to people's heads saying "use our software"?

That's a lot closer to the truth than you might think.  IE OEM 
>
>BG's?  I never liked disco music and the BeeGee's were never my thing.

Nor mine, disco deserved to die. 
>

>No...  I agree with *certain* negative things said about MS.  to list just a
>few:
>1. we should be able to turn off scripting in e-mail.
>2. raw sockets are a feature that XP doesn't need.
>
Very selective I see
>
>> BTW, you consider yourself
>> unbiased? (HAHAHAHA)
>
>Did I say that?  No.
>
I didn't say you said that, I am just asking the question.<G>

Geek..
0
handyman
12/31/2001 6:49:00 AM
"Geek" <handyman@firstaid.org> wrote in message
news:3c300886.146531781@news.grc.com...
> On Sun, 30 Dec 2001 12:11:36 -0600, "Phil Youngblood"
> <yngbld@net(remove)door.com> wrote:
>
> >
> >LOL
> >
> >I beat ya by a good day or so on this one, cat. My jerkalert went up
*real*
> >early on this ol' boy and I made him go "poof". <BG>
> >
> Hey Phil,
>
> I enjoy getting a laugh or two from his post.  Really enjoy his warp
> sense of logic, and weird sense of humor too.
>

Be my guest, Geek. I have to put up with enough jerks and self-anointed
masters of the universe in real life to do the same on my 'puter screen.
Hummm -- I wonder if this "plonk" button is portable. <g>

Phil
0
Phil
12/31/2001 6:57:00 AM
"Geek" wrote in message:

> That's a lot closer to the truth than
> you might think.  IE OEM

IMHO, the OEM's could install Linux (if anyone out there in the general
public was smart enough to use it... which they're not.  Is that MS's fault?
no.).  I will agree that in the past, MS has put some pretty restrictive
measures on OEMs, but I don't believe that's what made them the giant they
are today.  (*I don't believe*...)

> > BG's?  I never liked disco music and the
> > BeeGee's were never my thing.
>
> Nor mine, disco deserved to die.

Seriously...  what did you mean by "BG"?  You lost me there.


> > No...  I agree with *certain* negative things
> > said about MS.  to list just a
> >few:
> >1. we should be able to turn off scripting in e-mail.
> >2. raw sockets are a feature that XP doesn't need.
> >
> Very selective I see


I did say "top list just a few".  I have other hates with Microsoft.  I
think passport is a HORRIBLE idea to name another.  Why do I want the guy
who stole my hotmail password to be able to buy stocks in my on-line stock
market website?  It's a terribly terribly dumb idea.

> >> BTW, you consider yourself
> >> unbiased? (HAHAHAHA)
> >
> >Did I say that?  No.
> >
> I didn't say you said that, I am just
> asking the question.<G>

In that case, of course I'm biased.  Everyone is to some degree.  My support
of Microsoft in *most* everything they do will leak over into a defence of
the company on a whole which could be called nothing other that "bias".  I
never claimed I was *always* right.  I just state my opinions.

-S
0
Stefan
12/31/2001 7:02:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0nf3s$h0j$1@news.grc.com...
> "Sam Schinke" wrote in message:
>
> > Heh. UPnP is a bit simpler than NT4
> > (and heck, I like to hope fewer mistakes
> > were made in XP overall than in NT4 :P)
>
> Firtp off...  compare apples to apples.  We're not copmparing UPnP to NT,
> we're comparing XP to NT.

You started with the comparison between UPnP and NT4, saying that NT4 is
still having service-packs released for it, so expecting UPnP to become
"stable" wouldn't be reasonable. Your comparison, not mine.

> I fullybeliever that since XP is much more
> complex (much more "stuff") that it will, in the end, have MORE bugs than
NT
> ever had.

XP, perhaps, but UPnP as a component isn't that complex.

> > I don't think it unreasonable to assume
> > that a service that has been "on the
> > market" for two or more years will
> > generally be more secure than one that is
> > going through it's infancy (as UPnP is).
>
> UPnP *HAS* been on the market that long.  It's also a part of WinME.

Yeah. I wonder if they changed version numbers going up to XP, or if they
just recoded the old version and somehow got some new bugs.

> > Actually, I never know when an exploit
> > will be developed against any software
> > ... <snip>...
> > but I have it fairly stripped down)
>
> I hate that "lets strip everything down to that bare bones" attitude.

Hey, your call. I have the bells and whistles I need, and if I want more on
any particular website, I can add it to my "trusted" zone.

[...]
> > For the general public? Sure. For an
> > enterprise, or someone who has
> > something they really want left alone
> > (cryptographic keys?), maybe not.
>
> Fair enough.  I mean, despite my anti-firewall attitude, I have installed
> them on servers at the office more that once, so....
>
> > I thought the masses weren't supposed
> > to run servers? *g*
>
> referring to the masses of people running web servers on purpose....  and
> you KNOW that's what I was saying, Sam.

Ok, fair enough. I think those masses running servers intentionally are
(generally) capable of dealing with a bit of configuration. It's probably
what they're getting payed for anyways.

> > I don't see the logical neccesity there, nor
> > even that one has to be terribly educated to
> > share an opinion, valid or not. Everyone has
> > opinions.
>
> Ok, but if you can't even keep YOUR OWN syetem secure, why the hell would
I
> want your opinion on security?  :-/  That's why I put "VALID" before the
> word "opinion" and used all-cap letters like that.

Yeah, I'm certainly not going to ask any old random person how to secure my
machine, but regardless, when arrayed with other "competent" voices, a crowd
can have force.

> Anyhoo..

Yep.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/31/2001 9:35:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0p5bm$2f9c$1@news.grc.com...
[...]
> In that case, of course I'm biased.  Everyone is to some degree.  My
support
> of Microsoft in *most* everything they do will leak over into a defence of
> the company on a whole which could be called nothing other that "bias".  I
> never claimed I was *always* right.

But Stefan, does this mean you _aren't_ perfect?

> I just state my opinions.

Really?

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/31/2001 9:57:00 AM
In article <a0ouuj$291o$1@news.grc.com>, Stefan transmitsitlikethis:

> "waves" wrote in message:
> 
> > > VBscript.  Use it smartly,
> >
> > *"Smartly"* ... what does that mean?
> 
> Don't run a VBsript that you get in the e-mail... you know... like lovebug.

No, I wouldn't do that.  But I wasn't talking about email, I was 
referring to the use of ACTIVE-X/VBscript when on the internet.  If I 
have these features turned on and I go to a site that uses them, how 
can I know if it is OK/safe... that the site has not incorporated some 
dangerous script which I wouldn't know about until it was too late?


> > I need to know "what it is" and "how to use it"
> > ... "smartly", if by  this you mean, safely. I am sure
> > I am missing out a lot on out there by having these
> > features disabled and that's only because I don't know
> > how to use them safely.
> 
> Well, I have VBscrip and ActiveX on.  

We have already established this and that is why I thought you might 
be able to assist me in the understanding of how it is safe to use 
these when I am on the net. Obviousy, you must have a thorough 
understanding of same in order to be so confident in using them.  All 
I would like is for you to share your knowledge and help me learn how 
I can have the same confidence in using ActiveX and VBScript.

> I'm still just fine.  
> Think about that.

It is quite clear that I HAVE thought about that and that is why I am 
asking you to share your knowledge with me.  You said:

"What's the point of owning a computer to surf the net in text-only... 
that might have been cool in 1985, but there's a lot of stuff out 
there Iwant to play with.  I luagh at all the people who disable 
ActiveX and VBscript.  Use it smartly, and it honestly can't hurt you.  
Shut it off is only a great option for people to silly to know what it 
is and how to use it."

Well, I am one of those "silly" people then, because I have come to 
the understanding that to have these features enabled is a security 
risk.  You say it isn't, if it is used "smartly". It seems a simple 
question, Stefan ... could you please define "smartly" in a little 
more detail ... so "silly" people can "know what it is" 
(ActiveX/VBscript) and "how to use it" ... ESPECIALLY "HOW TO USE IT" 
"smartly" ... safely ...

I am only asking you because you have stated that you DO know how to 
use them safely and "smartly" when you are on the net.  I don't.  If I 
encounter a site that uses ActiveX, how do I distinguish whether or 
not it is safe to accept ActiveX from that particular site?  It seems 
a simple enough question, Stefan.  I don't have a spare comp to use to 
let all hell break loose.  I gather you do and so if all your info 
gets destroyed or you get a virus/trojan, it doesn't much matter to 
you ... you just reinstall and start over?  And, of course, if I had 
another machine to use, I would quite happily go out and use every 
ActiveX and script going and probably have fun with trojans and 
viruses ... because it wouldn't matter. And, it would be very 
educational, too!  However ...

The point is, I do not have a spare comp around to do such things, 
just this one and I hesitate to risk experimenting with same. BUT, if 
you would divulge the knowledge that you claim to have with respect to 
the safe usage of ActiveX/VBScript, then I could enjoy the benefits of 
same NOW, so I can "play" with the "lot of stuff out there".

You are a great defender of MS.  How are you affiliated with them? You 
have taken up a great deal of space in this newsgroup defending them 
but, your arugments have done little to sway my thinking towards 
believing that MS is correct in their operations and that they are  
knowledgeable regarding security and that they have the best interests 
of their users at the core of their policies. Having said that, I do 
not wish to hear any further comments from you regarding this and 
request that you not take the opportunity to address only these 
comments rather than the ones regarding ActiveX/VBscript ...

> 
> -S
> 
> 
> 
> 
0
waves
12/31/2001 10:19:00 AM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0p06r$2a62$1@news.grc.com...
> "[The Hon. Rev. joWazzoo] " wrote in message:
>
> > www.cert.org talks about open ports - not shares.
> > Guess they don't know what they ae talking about
> > either.
>
> They talk about open ports, not shares because it's easier to say "block
the
> whole port" than it is to explain to people every one of the 4 billion
> problems that come from leaving it open (like the remote access problem).
> I'm NOT saying the average user should leave it wide open.  I never said
> that.  However, if you have those 4 billion problems mostly covered and
you
> know how NetBIOS works, you can, with moderate complete safety, leave it
> WIDE open to the world as I do.

Stephan,

It was an issue long ago and MS never saw fit to fix it in Win98.  I do not
understand why they didn't.
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/31/2001 11:41:00 AM
On Mon, 31 Dec 2001 01:02:19 -0600, "Stefan" <no.sp@m.please.com>
wrote:

>
>Seriously...  what did you mean by "BG"?  You lost me there.

Bill Gates?
>
>I did say "top list just a few".  I have other hates with Microsoft.  I
>think passport is a HORRIBLE idea to name another.  Why do I want the guy
>who stole my hotmail password to be able to buy stocks in my on-line stock
>market website?  It's a terribly terribly dumb idea.
>
Glad to see that we agree on this one. Unfortunately, this is the key
to M$'s plan to dominate the e-commerce.

> I never claimed I was *always* right. I just state my opinions.
>
Now this is a revelation!

Geek..
0
handyman
12/31/2001 12:59:00 PM
"waves" wrote in message:

> Well, I am one of those "silly" people then,
> because I have come to the understanding
> that to have these features enabled is a security
> risk.  You say it isn't, if it is used "smartly".
> It seems a simple question, Stefan ... could
> you please define "smartly" in a little
> more detail ... so "silly" people can "know
> what it is"  (ActiveX/VBscript) and "how
> to use it" ... ESPECIALLY "HOW TO USE IT"
> "smartly" ... safely ...

You have trusted zones and non trusted zones.  You can accept activeX from
Microsoft.com, but you probably will want to NOT do that on most other
sites.  that's using it "smartly".  accept it from some places, don't accept
it from just anywhere.

VBscript (on a web page) is no more harmful that Javascript on a webpage.
Put your tinfoil hat away.  People only disable it because of lovebug type
malicious trojan scripts.


> You are a great defender of MS.
> How are you affiliated with them?

That same way you are affiliated with the aliens stealing my brainwaves.  I
would say not-at-all, but you can decide for yourself.

-S
0
Stefan
12/31/2001 1:35:00 PM
"Sam Schinke" wrote in message:

> But Stefan, does this mean
> you _aren't_ perfect?

No I'm still perfect.  Just a little biased because of it.  ;-)


> > I just state my opinions.
>
> Really?

No, I'm God and actually know everything there is to know.  Sam, you're
either antagonistic because it ammuses you, or you really don't read my
posts before you reply.  Joking or not, you're wasting my time with this,
because.....?

-S
0
Stefan
12/31/2001 1:40:00 PM
"Robert Wycoff" wrote in message:

> It was an issue long ago and MS never
> saw fit to fix it in Win98.  I do not
> understand why they didn't.

This is not what this little sub-topic conversation is about.  This
sub-topic is about whether or not an open port is a problem just because
it's there and open.  Do we finally agree on that yet so we're picking
something new?

A better question is, is that if you're smart enough to set up networking,
why can't you be expected to be smart enough to do it peoperly and securly?

This is a problem at the administration level, NOT the protocol level.  Some
people still can't swallow that pill.

-Stefan.
0
Stefan
12/31/2001 1:51:00 PM
"Geek" wrote in message:

> > Seriously...  what did you mean by "BG"?
>
> Bill Gates?

Oh..  I suppose that should have been obvious.  That's right.  I'm a paid
propaganda agent for the evil empire.


> Glad to see that we agree on this one.
> Unfortunately, this is the key
> to M$'s plan to dominate the e-commerce.

If you say it, it must be true.  I thought it was just another way to make
money.  You did realize MS can't force ANY site to use passport
authentication, right?  They still have to choose to use it.  I suppose they
also have a monopoloy on password authentication services.  :-/


> > I never claimed I was *always* right.
> > I just state my opinions.
> >
> Now this is a revelation!

Hardly.  I've said this in similar ways many times over.


ttyl,
-Stefan.
0
Stefan
12/31/2001 1:57:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0pt83$38v$1@news.grc.com...
> "Robert Wycoff" wrote in message:
>
> > It was an issue long ago and MS never
> > saw fit to fix it in Win98.  I do not
> > understand why they didn't.
>
> This is not what this little sub-topic conversation is about.  This
> sub-topic is about whether or not an open port is a problem just because
> it's there and open.  Do we finally agree on that yet so we're picking
> something new?
>
> A better question is, is that if you're smart enough to set up networking,
> why can't you be expected to be smart enough to do it peoperly and
securly?
>
> This is a problem at the administration level, NOT the protocol level.
Some
> people still can't swallow that pill.

Stephan,

Still off-topic, I guess:  The majority of people who try to use a computer
have no clue about networking issues.  I do not understand why MS doesn't
make such an important issue easy enough for them so that they can do it
right.

Actually, I have my suspicions why they don't; I think they have their
priorities wrong.  I have seen it in other companies like BMC Software, for
instance, not to mention IBM.

I personally don't think MS gives Internet security the attention it needs.
--
�
--
Robert
grc.com forum FAQ - http://grc.com/discussions.htm
grc.com forum quick reference - http://grc.com/nntpquickref.htm
grc.com forum disclaimer - http://grc.com/forumdisclaimer.htm
grc.com privacy statement - http://grc.com/privacy.htm
0
Robert
12/31/2001 2:09:00 PM
On Mon, 31 Dec 2001 06:49:02 GMT,  handyman@firstaid.org (Geek) threw
these bits into the ether:

>On Mon, 31 Dec 2001 00:33:10 -0600, "Stefan" <no.sp@m.please.com>
>wrote:
>>
>>And hows that?  holding guns to people's heads saying "use our software"?
>
>That's a lot closer to the truth than you might think.  IE OEM 

When I last bought a complete machine, I got down to Dell and Gateway.
This was several years ago

I asked them if I could get machin with Linux. They said "no can do".

I asked them how much for machine shipped with no OS. They said "no
can do".

I said - huh?? OK Well just skip the time of having somone load the OS
and I will do it myslf. They said no can do.

Of course we now know that M$ had thm by the balls and it was M$ who
was calling the shots - not the OEM.
-- 
PC Help needs Our HELP!!  Lockdown 2000 Law Suit
 http://www.pchelpers.org/        http://www.pc-help.org
0
The
12/31/2001 2:32:00 PM
"Robert Wycoff" <Don't.use.Lockdown@any.price> wrote in message
news:a0pu7k$4dc$1@news.grc.com...

> I personally don't think MS gives Internet security the attention it needs.

They will never have good security as long as they use a hand_me_down
socket (Berkeley/BSD ~ basis of Winsock).  Is it any wonder that the
'nix and 'nux crowd has such a high access rate to MS exploits?
Hmmmm.....where's TWF when you really need her anyway.

I'm not surprised if BSD OS releases are inherently more secure
online than either Linux or Windows, it is their gateway we all use.
After years of being prey to spoofed attacks ~ now you want to
remove that ability from Windows?  Everyone else has it. <no fair>

It is the multimedia components in Windows that draws the crowds.
People want flashing lights, bright colors and groovy sounds...when
they turn on the computer they expect to be entertained. MS seems
to cater foremost to that audience...to give them the best performance
possible under one roof.  If you can run a TV remote control then
you can run a Windows based computer.  AFAIC

It's the only OS I know that a 6 year old can run and be happy.
Actually one 10 year old student I had...pushed me away when
he had any problems..."I can do that!"  LOL  At least he learnt.

'Seek and ye shall find'
NT Canuck
0
NT
12/31/2001 2:54:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0p3rd$2dq1$1@news.grc.com...
> "Robin Keir" wrote in message:
>
> > But only 14 characters are relevant
> > with NTLM authentication so everything
> > after the "6" is redundant.
>
> Really?  cool.  thanks.  I didn't know that.  We can all learn something
> new,  thanks you.

The book "Hacking Exposed" (Chapter 5) has a good write-up on the password
encryption algorithm and why a 12- or 13-character password is generally
less secure than a 7-character password.  It also suggests that you use
non-printable characters like ALT-255 in your password.
0
Ed
12/31/2001 3:49:00 PM
In article <a0psak$2hn$1@news.grc.com>, Stefan transmitsitlikethis:

> You have trusted zones and non trusted zones.  You can accept activeX from
> Microsoft.com, but you probably will want to NOT do that on most other
> sites.  that's using it "smartly".  accept it from some places, don't accept
> it from just anywhere.

For what purposes does Microsoft use ActiveX?  Do I have to engage 
ActiveX when I am downloading a patch for example? Why do you say I 
can accept it from Microsoft.com and not from most other sites?  How 
do I distinguish between the two?  What's different about MS's ActiveX 
which makes it *trusted* and others' *untrusted*?   

But, hey, the whole point of this thread(s) is about Microsoft's  
blatant recklessness in their disregard for the health and safety of 
their customers' computers and in light of this, I fail to understand 
how you can suggest that Microsoft.com is a candidate for "Trusted 
Zone".  Oh, you do make me luagh!

 
> VBscript (on a web page) is no more harmful that Javascript on a webpage.

You're not being very helpful, now are you, Stefan?


>  People only disable it because of lovebug type
> malicious trojan scripts.

Sounds like a good enough reason to me.

I guess we should get back to the point of concern here, which is 
Microsoft's blatant disregard for the health and safety of their 
consumers' computers.  The way they decide what should be on/off by 
default.  When I first got my comp, ActiveX/Scripting stuff was on by 
default.  Considering I knew nothing about what ActiveX/Scripting was 
at the time, I was at rather a disadvantage whilst on the net. Agreed? 
.... which could have been easily avoided had these things NOT been on 
by default.  Agreed?  And surely MS are in a position to be aware of 
the hazards of same and so, to deliberately enable these by default is 
criminal.  Same with this Port 5000/1900 stuff ... reckless behaviour!  
I thought Open vs Closed ports was pretty basic stuff?  I read 
somewhere in one of these groups that virus/scanner checkers have been 
aware of this for over a year now, so, why would MS go and leave a 
port open by default again?


> > You are a great defender of MS.
> > How are you affiliated with them?
 

> I would say not-at-all, but you can decide for yourself.

If you say you're not, I'm going to have to believe you.
> 
> -S
> 
> 
> 
0
waves
12/31/2001 3:55:00 PM
[The Hon. Rev. joWazzoo]  dipped a pen in the inkwell and wrote...
> On Mon, 31 Dec 2001 06:49:02 GMT,  handyman@firstaid.org (Geek) threw
> these bits into the ether:
> 
> >On Mon, 31 Dec 2001 00:33:10 -0600, "Stefan" <no.sp@m.please.com>
> >wrote:
> >>
> >>And hows that?  holding guns to people's heads saying "use our software"?
> >
> >That's a lot closer to the truth than you might think.  IE OEM 
> 
> When I last bought a complete machine, I got down to Dell and Gateway.
> This was several years ago
> 
> I asked them if I could get machin with Linux. They said "no can do".
> 

http://www.dell.com/us/en/dhs/topics/linux_linuxhome.htm

Dell has been offering Red Hat for a couple of years now. They don't make 
a big splash about it, but it is available.

Don
0
Don
12/31/2001 4:30:00 PM
Don Voorhees wrote:
> 
> [The Hon. Rev. joWazzoo]  dipped a pen in the inkwell and wrote...
> > On Mon, 31 Dec 2001 06:49:02 GMT,  handyman@firstaid.org (Geek) threw
> > these bits into the ether:
> >
> > >On Mon, 31 Dec 2001 00:33:10 -0600, "Stefan" <no.sp@m.please.com>
> > >wrote:
> > >>
> > >>And hows that?  holding guns to people's heads saying "use our software"?
> > >
> > >That's a lot closer to the truth than you might think.  IE OEM
> >
> > When I last bought a complete machine, I got down to Dell and Gateway.
> > This was several years ago
> >
> > I asked them if I could get machin with Linux. They said "no can do".
> >
> 
> http://www.dell.com/us/en/dhs/topics/linux_linuxhome.htm
> 
> Dell has been offering Red Hat for a couple of years now. They don't make
> a big splash about it, but it is available.
> 
> Don

The last time I was pricing out a dozen or so Dell GX-100's (about 1.5 years ago),
was the first time I saw Linux as an option. The Windows of the day was free and
the Linux had a charge of $700 per machine. I doubt they sold many...

              Best regards,
                      -maxm
0
maxm
12/31/2001 5:34:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0psj0$2m4$1@news.grc.com...
> "Sam Schinke" wrote in message:
[...]
> > Really?
>
> No, I'm God and actually know everything there is to know.  Sam, you're
> either antagonistic because it ammuses you, or you really don't read my
> posts before you reply.  Joking or not, you're wasting my time with this,
> because.....?

I apologise for the levity. *g*

See, I wasn't sure if perhaps you were holding back on us...

Holiday cheer and all that. I guess I shouldn't let it get to me :P

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
12/31/2001 7:00:00 PM
maxm dipped a pen in the inkwell and wrote...
> Don Voorhees wrote:
> > 
> > http://www.dell.com/us/en/dhs/topics/linux_linuxhome.htm
> > 
> > Dell has been offering Red Hat for a couple of years now. They don't make
> > a big splash about it, but it is available.
> > 
> > Don
> 
> The last time I was pricing out a dozen or so Dell GX-100's (about 1.5 years ago),
> was the first time I saw Linux as an option. The Windows of the day was free and
> the Linux had a charge of $700 per machine. I doubt they sold many...
> 
>               Best regards,
>                       -maxm

I didn't say it was cheap... Just that it was available. :-)

Don
0
Don
12/31/2001 7:52:00 PM
"waves" wrote in message:

> For what purposes does Microsoft
> use ActiveX?  Do I have to engage
> ActiveX when I am downloading a
> patch for example?

If you HONESTLY don't know, you're clueless and not worth the time this is
taking to reply, but here goes anyway...  You don't need it to download the
patch.  ActiveX is needed so MS can figure out which patches you already
have and which patches you still need.  Otherwise you need to figure it out
yourself.  Do you even know what ActiveX is?

> Why do you say I can accept it from
> Microsoft.com and not from most
> other sites?

Accept it from any site you trust not to install malware on your system.


> How do I distinguish between the two?

Use your head.



>  What's different about MS's ActiveX
> which makes it *trusted* and others' *untrusted*?

I HIGHLY douby Microsoft would exploit their own security holes to install
something malicious on your system.


> I fail to understand how you can suggest
> that Microsoft.com is a candidate for "Trusted
> Zone".  Oh, you do make me luagh!

Well, that's 2 of us laughing.


> > VBscript (on a web page) is no more
> > harmful that Javascript on a webpage.
>
> You're not being very helpful, now are
> you, Stefan?

Because I've blown snot that was smart enough to figure that much out.  If
you can't, don't blame me.


> >  People only disable it because of lovebug type
> > malicious trojan scripts.
>
> Sounds like a good enough reason to me.

Why, you can't figure out enough not to run a VB script file in your e-mail?


> When I first got my comp, ActiveX/Scripting
> stuff was on by default.

I care?


> Considering I knew nothing about
> what ActiveX/Scripting was
> at the time, I was at rather a
> disadvantage whilst on the net. Agreed?

you knew nothing?  there's a shock.


-S
0
Stefan
12/31/2001 11:31:00 PM
"[The Hon. Rev. joWazzoo] wrote in message:

> [...]

So don't buy OEM!  I never buy OEM, and I had no problem getting Linux.
I've built all my systems from scratch just buying the parts I wanted.  That
includes the OS of my choice.

Don't blame MS that OEMs only sell MS.  Blame Dell for not selling Linux...
better yet, ask yourself why they don't.... because nobody wants to buy
Linux OEM and the people who do buy OEM only, usually aren't smart enough to
build their own system or run linux.

-S
0
Stefan
12/31/2001 11:35:00 PM
"Robert Wycoff" wrote in message:

> Still off-topic, I guess:  The majority of people
> who try to use a computer have no clue about
> networking issues.

How is that MS's fault?

If I crash my car, I don't blam Ford.
If I cut myself, I don't blame Ginsu.
If I hit my thumb with a hammer, I don't blame MasterCraft.
If blow-up a can of gas, I don't blame Exxon.
If my computer is hacked, I don't blame Microsoft.

A computer is a tool.  Learn to use it.


> I do not understand why MS doesn't
> make such an important issue easy enough
> for them so that they can do it
> right.

How hard is the Windows Update button?


> I personally don't think MS gives Internet
> security the attention it needs.

I *AGREE* completely that they could do more.  I agree NetBIOS/NetBEUI
should have been made smarter.  I just don't blame MS for user stupidity
when it comed to ignoring computer security.

-S
0
Stefan
12/31/2001 11:42:00 PM
"Stefan" <no.sp@m.please.com> wrote in message
news:a0qvfo$19id$1@news.grc.com...
> "[The Hon. Rev. joWazzoo] wrote in message:
>
> > [...]
>
> So don't buy OEM!  I never buy OEM, and I had no problem getting Linux.
> I've built all my systems from scratch just buying the parts I wanted.
That
> includes the OS of my choice.
>
> Don't blame MS that OEMs only sell MS.

Stefan,

I think you are ignorant of some of MS's past practices in this arena. For a
LONG time the only way an OEM could "buy" the "privilege" of selling MS OS's
bundled with new machines was to sign an extremely restrictive license.
Restrictive to the point of requiring OEM's that sign the license and then
sell a non-MS OS bundled with a new machine to also pay the full price for
the MS OS that _wasn't_ sold with the computer (even if the user asked for
NO OS). The end result was that any non-MS OS options sold by OEMs in that
period had their prices increased by the amount of the price of the current
MS OS, and sometimes with the additional price of the other OS added to
that.

> Blame Dell for not selling Linux...

Blame Microsoft for making it a "only sell microsoft" deal, or more
accurately "sell whatever you want, so long as you are also paying for a
copy of whatever microsoft product you aren't selling in it's place".

> better yet, ask yourself why they don't.... because nobody wants to buy
> Linux OEM and the people who do buy OEM only, usually aren't smart enough
to
> build their own system or run linux.

Well, IIRC some of the OEM's stopped offering linux due to a lack of demand
(they didn't want to support it for just a few thousand users I guess). But
then, this is after years of the OEM's being subjected to things such as I
mentioned above, so I don't think it is an accurate measure of how linux
COULD have done, absent MS's interfering licenses.

Regards,
Sam
--
Welcome to Earth. A subsidiary of Microsoft�.
0
Sam
1/1/2002 12:02:00 AM
Now now big boy just cuz u always had to pay for love
Don't be rude

Anyway Absez rules

"Stefan" <no.sp@m.please.com> wrote in message
news:a0qv6s$19di$1@news.grc.com...
> "waves" wrote in message:
>
> > For what purposes does Microsoft
> > use ActiveX?  Do I have to engage
> > ActiveX when I am downloading a
> > patch for example?
>
> If you HONESTLY don't know, you're clueless and not worth the time this
is
> taking to reply, but here goes anyway...  You don't need it to download
the
> patch.  ActiveX is needed so MS can figure out which patches you
already
> have and which patches you still need.  Otherwise you need to figure it
out
> yourself.  Do you even know what ActiveX is?
>
0
Absex
1/1/2002 2:16:00 AM
In article <a0qv6s$19di$1@news.grc.com>, Stefan transmitsitlikethis:

     <cut>

You're a funny little person!  How high are you?
0
waves
1/1/2002 2:47:00 AM
"Absex" wrote in message:

> Now now big boy just cuz u always
> had to pay for love Don't be rude

Well, if we're dragging my sex life into this topic for some unknown reason,
just for the record, I'm single and I own my own house.  I rent out two
rooms on the main floor to this pair of bisexual college girls who pay me
$600/month to live there, and I'm sleeping with both of them.  On a few
occasions, I've done them both at the same time...  Technically, I'm the one
getting paid for it...  Not that it has a damn thing to do with this topic,
but since YOU brought it up, I figured I'd clear up your clouded opinions.


> Anyway Absez rules

It would appear that Absex can't even spell his own name properly.  Is it
Absez or Absex?  Just curious.

-S
0
Stefan
1/1/2002 7:25:00 AM
On Tue, 1 Jan 2002 01:25:11 -0600, "Stefan" <no.sp@m.please.com> wrote:


<Snip Graphic details>

Ok...didn't need/want/expect to know that...
0
TheBTwin
1/1/2002 8:16:00 AM
You then rewind and watch again. No wonder you spend so much time here

Anyway Absez rules

"Stefan" <no.sp@m.please.com> wrote in message
news:a0rr0h$24ku$1@news.grc.com...
I rent out two
> rooms on the main floor to this pair of bisexual college girls who pay
me
> $600/month to live there, and I'm sleeping with both of them.  On a few
> occasions, I've done them both at the same time...  Technically, I'm
the one
> getting paid for it...  Not that it has a damn thing to do with this
topic,
0
Absex
1/1/2002 1:57:00 PM
Reply: