- Inviting malware
- Posted by Jim Hawkins on February 1st, 2008
You buy a new computer, connect it to the internet and
proceed to download your choice of anti-virus software,
firewall, and possibly other security-enhancing stuff.
But in the half-hour or more it takes to do all that, your pc is
wide open, and with the frequency of probing attacks these
days, a variety of undesirable agents could be installed and
hidden before the anti-malware gets going.
So why don't computer retailers offer machines with anti-malware
stuff already installed?
Jim Hawkins
- Posted by Todd H. on February 1st, 2008
"Jim Hawkins" <jimhawkins@manx.net> writes:
Are you saying you managed to find a retailer that didn't preload
"trial" versions of Norton or McAfee's bloated security suites on?
It's never been a better time to be behind some sort of network level
appliance when deploying a new computer, particularly with this doozie
known as
http://www.microsoft.com/technet/sec.../ms08-001.mspx
--
Todd H.
http://www.toddh.net/
- Posted by Sebastian G. on February 1st, 2008
Jim Hawkins wrote:
And even if it would come up earlier, it couldn't fix the consequence of
such a horribly stupid mistake of connecting a machine to the internet without
prior host configuration.
It can't fix user stupidity either. Now you're abusing Outlook Express as a
newsreader, which is an open invitation for malware.
They do, and that's a problem on its own.
- Posted by Jim Hawkins on February 2nd, 2008
"Sebastian G." <seppi@seppig.de> wrote in message
news:60hdgmF1qbh4tU3@mid.dfncis.de...
How ought I to read the newsgroups then?
Jim Hawkins
- Posted by David H. Lipman on February 2nd, 2008
From: "Jim Hawkins" <jimhawkins@manx.net>
| How ought I to read the newsgroups then?
|
| Jim Hawkins
|
His statements are overblown.
OE has vulnerabilities but nothing major to worry about.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
- Posted by Todd H. on February 2nd, 2008
"Jim Hawkins" <jimhawkins@manx.net> writes:
Hi Jim,
NNTP newsreading clients exist in many forms. One other popular one
is Mozilla Seamonkey, which is a suite that includes a newsreader.
Another popular one is XNews:
http://xnews.newsguy.com/
Forte Agent was popular at one time. I don't use a gui newsreader
myself, but text mode is definitely not for everyone, so I won't
attempt to steer you there.
The group news.software.readers discusses such software.
Best Regards,
--
Todd H.
http://www.toddh.net/
- Posted by louise on February 2nd, 2008
Todd H. wrote:
You can also use Mozilla Thunderbird (email program) as a
newsreader - works quite well.
Louise
- Posted by Sebastian G. on February 2nd, 2008
Jim Hawkins wrote:
With a real newsreader? Through Google groups via a webbrowser? Via a
mail2news gateway and a mail client?
- Posted by Sebastian G. on February 2nd, 2008
David H. Lipman wrote:
I wouldn't consider buffer overflows, script injection and arbitrary code
injection as overblown...
- Posted by allen.darrin@gmail.com on February 3rd, 2008
On Feb 1, 1:32 pm, "Jim Hawkins" <jimhawk...@manx.net> wrote:
You could always just buy your firewall, anti-virus etc. off the
shelf at the store
- Posted by Jim Hawkins on February 3rd, 2008
"Sebastian G." <seppi@seppig.de> wrote in message
news:60hdgmF1qbh4tU3@mid.dfncis.de...
OE offers the facility to read newsgroups, so how is it 'abuse' to make use
of it?
Jim Hawkins
- Posted by Sebastian G. on February 3rd, 2008
Jim Hawkins wrote:
OE is meant for trustworthy networks only. Please read the documentation!
- Posted by bz on February 6th, 2008
"Jim Hawkins" <jimhawkins@manx.net> wrote in news:13q6stgmm0m6883
@news.supernews.com:
I once put a vulnerable machine on the network as a test. It was infected
in 8 seconds.
I once re-installed windows XP on a machine and forgot to unplug the
network cable.
I remembered and unplugged the cable before it got to the 'log in' screen.
The machine was already infected.
NEVER hook a vulnerable machine to the network. Download the latest AV
program and definitions on another machine and transport via CD or thumb
drive.
As for OE as a news reader or mail client, do you leave your car with the
engine running and the doors unlocked?
Microsoft[in the head] software was designed, from the ground up, like a
car with no ignition key and no locks on the doors.
Over the years, they have drilled holes in the door and used self tapping
screws to tack on hasps and loops to allow you to hang a padlock on the
door,
but 15 seconds with a screwdriver and the hasp is undone. 1 second with a
pry bar and the hasp is popped off.
Vista has spot welded the hasp onto the door but requires you to unlock 2
locks each time. After a while, most people will leave the locks off [or
press the 'go' button without reading the message].
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+acs@ch100-5.chem.lsu.edu
- Posted by Sebastian G. on February 6th, 2008
bz wrote:
How should that stop the compromise? Exactly not at all.
And why are you ignoring obvious things like
- downloading *patches* on another machine
- configuring the host properly
- using a host-based packet filter
Each of those would do the job. A virus scanner surely doesn't.
Once again total nonsense. OE is well-documented to not be intended to be
secure in an untrusted environment, so the only problem is that Microsoft
often creates the impression of the contrary.
Even more nonsense. Windows Vista is well-documented to be insecure in an
untrusted environment.
- Posted by bz on February 7th, 2008
"Sebastian G." <seppi@seppig.de> wrote in
news:60u896F1psmkgU1@mid.dfncis.de:
Downloading a good AV and installing OFF LINE is always my first step.
It will help 'detect and defend' during the next step.
I was assuming that the install would be from at least an XP sp2 CD, then
the first step on line is to install the latest updates.
I would never walk away from a machine after just installing AV.
It usually does for us, long enough to make sure patches are up to date.
We usually have the patches and updates slipstreamed into the installation
CD.
But that just takes care of the vulnerabilities that microsoft has patched.
There are always other holes that they haven't patched.
Well documented for the Illuminati. Not for the average user or even
corporate decision maker.
If it were 'well KNOWN' rather than 'well documented', no one would buy the
stuff.
Snake oil salesmen create an impression in the minds of the impressionable.
And you think that a hasp spot welded to the door of a car with no other
protection would actually protect it from theft?
My point was that Vista is NOT secure, it just 'looks a little better'.
My point was that ms products are not secure.
You appear to be saying the same thing but disagreeing with how I said
things. That is your right.
So we agree to agree on ms being insecure and disagree on the best way to
say that.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+acs@ch100-5.chem.lsu.edu
- Posted by Sebastian G. on February 7th, 2008
bz wrote:
It will help "detect" at best. It can't do anything to defend, by design.
Bullshit. Since the exploit takes place in RAM, it fails to close any
relevant attack vector.
So then the complete documentation on IE/OE group policies and their
effective security design criteria are imagination? I read it, and I'm quite
fond that even a technical illiterate can understand the wording clearly.
The lack of willingness to RTFM is a social problem, though it doesn't
change the fact that RTFM is the only reasonable way to act. It just proves
that most computer users are unreasonable, at least with respect to computer
usage.
Almost. The shell security issue can be worked around, albeit this implies a
lot of unintended inconvenience.
Which is wrong as well. I'd consider Windows XP and Windows Server 2003 as
well as all their server stuff as quite secure and reliable.
I know only exactly two supported Microsoft products which are considered as
insecure, but are not documented to be insecure in untrusted environments:
Windows 2000 and IIS (any version). All others are either considered
insecure without actually being insecure (but only grossly misunderstood),
or are documented to not be secure anyway (so the violation of security is
only against hypothesized specifications).
- Posted by bz on February 7th, 2008
"Sebastian G." <seppi@seppig.de> wrote in
news:60v5huF1t02cnU1@mid.dfncis.de:
I remind the programmers I supervise that it is THEIR JOB to make things
easy for the user. It is NOT the user's job to make things easy for the
programmer.
Whose fault is it that the users have unreasonable expectations?
NOT the users. Maybe even not the programmers.
Software company management is at fault, especially the marketing division
and those that design the software and allow buffer overruns and invalid
data to be poked into holes in the operating system. Languages that allow
buffer overruns and make data validity checking difficult.
Of course, all the checks in the world will not prevent Joe or Sally User
from opening that e-mail 'greeting card' IF their e-mail program supports
HTML etc garbage.
'Easy for the user' should be 'easy to do what NEEDS to be done' not
'pretty' and 'easy for the ad men to use to pump their ads through'.
inexpensive, foolproof, convenient
Pick one!
True, provided they are a locked, guarded room with no connection to the
outside world.
So, if the other two products were also 'documented to be insecure in
untrusted environments' then there would be a 'clean sweep'. And everyone
could be happy because the insecurity is documented, right?
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+acs@ch100-5.chem.lsu.edu
- Posted by Sebastian G. on February 7th, 2008
bz wrote:
So that's why they got NSA C2 and CC EAL4+ evaluation?
For IIS, this would be true. For Windows 2000 the cause is a lack of
security patching support.
You can't claim insecurity when there weren't any security guarantees given
in first place.
- Posted by bz on February 7th, 2008
"Sebastian G." <seppi@seppig.de> wrote in
news:610kufF1sem3cU1@mid.dfncis.de:
I am not a lawyer, but there is a concept under law that is called
something like 'fitness for purpose' or some such.
You sell someone a device that is supposed to do a task, say clean freshly
killed chickens
and it fails to perform the intended task, let's say it leaves 1 in 1000
uncleaned,
there is something called an 'implied warranty of fitness'.
Microsoft's software FAILS the implied fitness for service AND they stop
supporting stuff like win95/98 and 2k when there are still multiple
vulnerabilities.
If it were not for the 'fine print' in the license, they would have been
sued into bankruptcy by now.
To even use their products, you are required to waive any recourse.
That makes me less than happy with their products.
The other thing that makes me unhappy with their products is needing to
clean up machines that have been compromised.
As the Judge on TV says, "Stick a fork in me, I'm done" on this subject.
I don't see any profit to continue our discourse.
Best regards and have a nice life.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+acs@ch100-5.chem.lsu.edu
- Posted by Sebastian G. on February 7th, 2008
bz wrote:
They do?
The real cause is that warranty for fitness and alike is explicitly excluded
for software, which is quite reasonable to a certain extent. In the USA
totally, in Germany the only non-excludable warranty is for seriously
careless defects.