Subject: Re: Leaving Techwhirlers
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Wed, 24 Sep 2003 12:21:33 -0700 (PDT)


"David Neeley" wrote

> See, for example, the downloadable PDF article entitled "Use Microsoft--Go to
> Jail?" at http://www.airscanner.com/pubs/jail.pdf.

Multiple flaws in this article (many of which are pointed out in the comments
and elsewhere on the net):

1. Only home/small businesses use WPA. Corporate editions of XP and Server 2003
do NOT have to be activated (they even note this in the article). Thus a
hospital or defense contractor (arguably "large" organizations) would most
likely purchase a site license, and then activation isn't an issue (neither are
the alleged security holes).

2. WPA "phones home" only if you enable automatic updates. No autoupdates, no
auto-phone home.

3. Patches can be downloaded independently off the Microsoft web site. You do
not need to use Windows Update to acquire patches and updates. For example, SP4
for Windows 2000 can be downloaded as an entire pack and applied without ever
touching Windows Update.

4. Again, personal information is not communicated. So there is no way to know
that XYZ update belongs to ABC organization or individual. See
http://www.betanews.com/article.php3?sid=990178092 specifically this quote:

"AN: The only information required to activate is the Installation ID (and for
Office XP, the country). The installation ID is made up of two components; the
product ID created during installation and a hardware hash. The hardware hash
is created based on the PC's hardware configuration. It is a one-way hash. It
cannot be backwards calculated and contains no information about the make,
model, or type of PC or component. No personally identifiable information is
used or required. For purposes of illustration, you can imagine the hash as
being a simple algorithm such as ComponentValue1 MOD 3 + ComponentValue2 MOD 3
etc. The product of ComponentValue1 MOD 3 cannot be turned back into
ComponentValue1. We wrote it this way specifically to ensure that no
information about the PC was actually required as part of activation."

5. This excerpt below is just flat out X-Files type conspiracy paranoia with
zero basis in an understanding of HIPAA.

----excerpt-----

"The problem is found in the User Agreement of the service pack:

The OS Product or OS Components contain components that enable and
facilitate the use of certain Internet-based services. You acknowledge and
agree that Microsoft may automatically check the version of the OS Product
and/or its components that you are utilizing and may provide upgrades or fixes
to the OS Product that will be automatically downloaded to your computer.

This seemingly innocuous statement opens new possibilities as to what Microsoft
can do to you if you install SP3. This addition to the EULA also brings with it
a range of potential problems for those businesses and companies that
absolutely cannot permit remote access to their computers. For example, the
HIPAA act that was mentioned in the introduction is an example of potential
violations by Microsoft's EULA."

----excerpt-----

Furthermore, if such "remote access" existed, it could be EASILY restricted
with simple perimeter firewall tuning.

> The problem is that no security administrator will feel comfortable in
> allowing any outside party to have access through the firewall at their
> internal machines containing confidential information. In the case of
> healthcare providers and defense-related industry or governmental entities,
> allowing such access may well be illegal.

Which is why these organizations conduct security audits. I have done many such
assessments. And while you probably won't believe me, Windows machines sending
the plug-n-play ID for your mouse is probably the LEAST of these organizations'
security worries, considering most of them have shoddy, haphazard security
policies and untrained staff, and are often led into solutions based on FUD and
not a rational analysis of REAL issues.

In other words, you're obsessing over a minor issue. If you knew what the big
issues are, you'd know that Windows update is a small piece of a much, much,
much larger pie. And as I have already shown, there is a secure way to use
Windows Update and NEVER communicate a single, solitary piece of information to
MS. So, even that issue is moot.

The largest and most profound security hole in virtually every organization is
between the ears of the IT staff.

> For tech writers outside of those two areas, whether to enable automatic
> update is a function of your company's security policies. My post was intended
> to illustrate that blindly enabling this "feature" may not be a "good
> thing"--especially in cases where a fine and/or jail term may ultimately
> result.

This is FUD. Nobody is going to arrest you and throw you in jail because you
tried to update your PC. I realize it's very entertaining to sit and speculate
about these massive corporate conspiracies and work yourself into a lather
about how Bill the Borg wants to assimilate you. But it's just not true. Unless
you can produce a case where somebody was actually thrown in jail for using
Windows Update, this isn't a valid point.


> In any case, it is not necessarily (as one list member so eloquently put it)
> "anal" to refuse to do so.
>
> While you may trust Microsoft and its "security" as well as its "good"
> intentions, they have a long history of being so insecure themselves that
> confidential information (such as their internal development networks and,
> I'm told, their Passport database containing individual identification
> information including credit card numbers) that I am not nearly so sanguine.

It's not a matter of trusting them or not trusting them - it's logic. What
benefit do they have chasing down individual users and locking them up? And if
we are going to chastise MS, what about all the other firms doing this? Are
they equally as evil for collecting marketing data? What about the people who
write worms to spam you? Aren't they "more evil" than MS?

It makes much more sense for law enforcement to go after the spammers, hackers,
and institutional pirates rather than your grandma. While I may question the
priority of law enforcement when they waste their time setting up speed traps
to stuff the county coffers with income from fines - I'd like to think they
don't waste their time chasing down grandma because she installed Service Pack
1 improperly.

Furthermore, you don't set up your customers to fail. That would be a horrible
business model.

Moreover, if all your software is legal, then there isn't really anything to
fear.

The problem here is that two concepts are getting connected by an emotion. On
one hand, we have Microsoft collecting data about machines. On the other,
increasing legislation and need to be secure. If you use your emotions to
analyze that situation, you can see all sorts of evil potential. But, when you
rule out emotional obsessions with Bill Gates and Microsoft, you realize there
aren't really any problems and there isn't any motivation.

> In addition, since the offending language appeared as of Service Pack 3
> of the Windows 2000 product, I object to the nature of it--if you want
> Microsoft to attempt to patch programming errors they made originally,
> you must agree to their license terms. In the law, this is called a
> "lack of arms length bargaining" among other things. "Heavy-handed"
> might be a mild method of describing it.

You are under no obligation to use Microsoft products. Reformat your harddrive
and download Linux if those terms bother you. Nobody is pointing a gun at your
head and forcing you or your company to use Microsoft. You have a God-given
right to use whatever software you want.

That's the joy of open-source. If you don't approve of MS, you have
alternatives. Use them and be happy. Let the rest of us decide what we want to
use.

> May I also point out that you *make your living* at least in part by selling
> add-on products to try to make a fundamentally insecure product have
> reasonable success in attaining information security? This may make you
> *just a little* biased, right?

Yes, it makes me biased. It also gives me insight. I've done things and been
involved with projects that very few people have had the joy to witness. I also
have a broad perspective, as I work with over 100 different companies ranging
in size from 100,000 employees to 10. I am not theorizing from a cubicle or
basing my ideas on propaganda I read. My opinion is based in the world of
actually securing systems, networks, and organizations. And Microsoft is really
no different than any software company.

I also don't have emotional attachments to software. Once you've done enough
projects, you get a sort of Zen about technology. You don't see it as some
"movement" or "crusade." You see it as a tool. And when that happens, you don't
care about the evil MS. You just use their products and go home at night and
live your life. MS plays their games, I play mine.

Besides, I am much more worried about terrorists or the stupid policies of our
government than whether Microsoft has my home phone number.

> The simple fact is that the various flavors of UNIX and UNIX-like operating
> systems were designed from the beginning to operate in a networked
> environment.

So was Windows NT. Windows NT is actually based on UNIX.

> Each of them can be secured without adding additional products. In the case
> of the open source products, this securing is done through text files
> without requiring any particularly difficult skills to master.

Hardly. You have to know where those files are. You have to know the format.
And if you mistype one thing - the whole thing fails. Furthermore, most
open-source "patches" come in the form of source code. Meaning a lengthy
compile and test period.

You should read this article: Linux has Bugs: Get Over It, by Fred Langa.

http://www.informationweek.com/story/showArticle.jhtml?articleID=6500344&pgno=1



> You may make great money selling firewalls to try to make Windows secure.
> Just as good for any users would be to put a couple network cards in any
> computer they have lying around and install one of the many *BSD or Linux
> variants already configured to serve as router and firewall.
> Some, in fact, fit on a floppy drive and run from memory, further
> reducing the ability of intruders to hack the firewall.

You have obviously never run an IT department. All I can say is that you're
talking about theoretical benefits. Yeah, tinkering at home in the evenings on
old 486s you often can do cool stuff. But, that's tinkering. I tinker too
(when I have time). I've set up cool little Linux routers as well. It's fun. It's
also too haphazard to use in a corporate environment where 10 people need to be
trained to use that router.

Tinkering doesn't translate into a corporate IT department. You can't just
tinker with a mission critical server.

Yes, I make money securing systems. And you know what - UNIX and BSD machines
are sometimes the most insecure points in a company. Just recently I had a
customer get three Linux boxes hacked and trashed. The Win2K servers in the
other room were fine. Considering I see a 50:1 ratio of Windows boxes to Linux,
when 10 out of 100 Linux machines are hacked and 300 out of 100,000 Windows
machines are hacked... well, you do the math.

> Of course, that strategy, while incredibly effective, would reduce the income
> of folks in your business.

No it wouldn't. Security isn't something that only open-source has and Windows
doesn't. Windows machines can be just as secure or insecure as any other
machine. What makes a difference is how they are configured. A poorly
configured Linux machine is just as insecure as a poorly configured Windows
machine. Configuration, management, and use have a much more profound effect on
security than the underlying OS technology.

Andrew Plato
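The hardware-hash illustration in the BetaNews quote above (a sum of ComponentValue MOD 3 terms) can be worked through in code. What follows is an added example, not code from this post, the article, or Microsoft; the component names, the sample values, the value range, and the SHA-256 variant are assumptions made for the example and are not the real activation algorithm. It shows two things: the MOD 3 construction is many-to-one, so the component values genuinely cannot be recovered from the result, and, as the caveat a practitioner would want, a cryptographically one-way hash over low-entropy hardware identifiers can still be matched to a configuration by enumerating the possible inputs unless something the enumerating party does not know (here a stand-in for a per-installation secret) is mixed in.

```python
"""Hardware-hash illustration: one-wayness versus enumerability.

Added example. The MOD 3 construction mirrors the illustration in the quoted
interview; the component names/values, the value range and the SHA-256
variant are assumptions for this example, not Microsoft's activation code.
"""
import hashlib
from itertools import product

# Constructed sample configuration (hypothetical component identifiers).
SAMPLE_COMPONENTS = {"cpu": 7, "disk": 11, "nic": 4, "ram": 9}
COMPONENT_NAMES = sorted(SAMPLE_COMPONENTS)   # ["cpu", "disk", "nic", "ram"]
VALUE_SPACE = range(12)                       # assumed range of each identifier


def illustrative_hash(components):
    """The quote's illustration: ComponentValue1 MOD 3 + ComponentValue2 MOD 3 + ..."""
    return sum(value % 3 for value in components.values())


def count_preimages(target, n_components, value_space):
    """Number of configurations that map to `target` under illustrative_hash.

    A large count is what "cannot be backwards calculated" means for this
    construction: each MOD 3 term discards most of the information in its value.
    """
    return sum(
        1
        for combo in product(value_space, repeat=n_components)
        if sum(value % 3 for value in combo) == target
    )


def hardware_hash(components, secret=b""):
    """A cryptographic one-way hash over a canonical encoding of the components.

    `secret` stands in for material an enumerating party does not know (for
    example a per-installation product ID); it is empty by default.
    """
    canonical = ";".join(
        f"{name}={value}" for name, value in sorted(components.items())
    )
    return hashlib.sha256(secret + canonical.encode()).hexdigest()


def match_configuration(target_hash, names, value_space):
    """Walk every configuration in the (small) value space and return the one
    whose unsalted hardware_hash equals `target_hash`, or None.

    This is the caveat: SHA-256 being one-way does not help when the input
    space is small enough to enumerate; only the unknown `secret` stops it.
    """
    for combo in product(value_space, repeat=len(names)):
        candidate = dict(zip(names, combo))
        if hardware_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    h = illustrative_hash(SAMPLE_COMPONENTS)
    print("illustrative hash:", h,
          "preimages:", count_preimages(h, len(COMPONENT_NAMES), VALUE_SPACE))
    digest = hardware_hash(SAMPLE_COMPONENTS)
    print("SHA-256 matched:", match_configuration(digest, COMPONENT_NAMES, VALUE_SPACE))
    salted = hardware_hash(SAMPLE_COMPONENTS, secret=b"per-installation-product-id")
    print("salted matched:", match_configuration(salted, COMPONENT_NAMES, VALUE_SPACE))
```

Running it shows the sample configuration hashing to 4 under the MOD 3 illustration with thousands of other configurations sharing that value, while the unsalted SHA-256 digest is matched back to the exact configuration after walking the 12^4 candidates; the salted digest is not. The design point is that "one-way" and "not identifying" are different properties: the second depends on the input space, not just the hash function.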




