in case nobody else noticed it, there was a mail worm released today

I've been wondering lately, after about 10 years of email worms spreading in
exactly the same manner with every incarnation ... why do you think people
haven't learned not to open unexpected attachments yet?

Blaming it on end users is one way to look at the problem, but not
a way that will result in a solution.

You should be wondering, after 10+ years of virus laden MS operating
systems, why they haven't fixed this stuff. Similar vulnerabilities
in Unix, Mac, and other OS were fixed long ago.

They're not patched in Windows because MS doesn't have to. MS
doesn't write secure code because they are a monopoly and maintain
that status by introducing subtle OS bugs that plague competitive
third party applications. They don't publish an API for many of
their system calls so nobody can write secure code other than MS
themselves. They also run as much of their own software as possible
in priviliged mode for performance (to avoid context switching).
You'll never seen any real security from this type of business
model.

(Note: I really do not want this to degenerate into another rant against
vendor M;

Sorry for not sharing your disinterest in the actual reasons we
continue to see these viruses and trojans infecting MS and, for all
intents and purposes, only MS operating systems.

If Microsoft is the problem, you care to tell me why I haven't gotten
infected by a single one of those emailed viruses/worms/trojans despite
years of running MS software? (And for that matter, neither have my
parents... Apparently, years of yelling at them that 3+ meg binary
"Christmas cards" from their friends were not worth opening, or their
friends learned the hard way and hence stopped sending them)

I don't think my MS software is any different from anyone else's, except
that
A) I don't open .SCR attachments
B) I actually believe Windows/Office Update is for me, not for the random
dude/gal working down at the Burger King down the street.

So why is it that idiots doing/not doing these things can't be the problem,
but MS must be?

And, care to tell me why, as someone else pointed out, if I were to switch
to Evolution on your random GNU/Linux distribution, someone couldn't write a
similar worm. The reason they don't do it is because there isn't a critical
mass of Evolution/GNU/Linux/glibcX.Y to make a big stink... And there is
such a critical mass for MS.

Let me put it this way: if you know one bank has 100 million dollars in the
vault, and another has 5000 dollars, wouldn't you expect most of the bank
robbers to focus on robbing the first bank, irrelevant of whether the first
bank's fault is better protected than the second's?

Vivien

And, care to tell me why, as someone else pointed out, if I were to switch
to Evolution on your random GNU/Linux distribution, someone couldn't write a
similar worm.

Rhetorical questions illustrate a lack of technical rational, thanks.
But do re-read the message you're referring to, specifically, the
section regarding unpublished APIs and context switching. If you
need more in-depth reasons see any of the URLs listed at
<http://www.msfree.com/>.

The reason they don't do it is because there isn't a critical
mass of Evolution/GNU/Linux/glibcX.Y to make a big stink... And there is
such a critical mass for MS.

No, sorry, false analogy though it does account for some portion
of MS' mess. The larger reason is that viruses are substantially
easier to write for Outlook, Exchange, et al. For another example
look at Unix Apache's market share (>75%) and it's vulnerability
share (<1%).

As Java applications make clear, it doesn't matter what your market
share is if the software is secure in the first place.

And look at the people who administer/use these things.

MS' problem, if you ask me, isn't poor engineering (though I'll grant you
I'm sure there stuff could be designed WAY better). The problem is that, as
would seem logical for a publicly-traded company out to maximize profits for
its shareholders, it designed its stuff to be used/administered by the
broadest range of people. Hence, they make it easy to setup (at the cost of
security, absolutely), and easy to forget about (especially as it crashes
less than it used to)... And then, people don't install the security patches
and have no idea about what proper security practices are. So when they find
out about the new cool screensaver... Oops.

Open source projects aren't out to maximize profits, generally... And they
don't generally aim at ease of setup. Whoever sets up Apache using vi to
edit httpd.conf needs to have at least a fractional degree of clue. Not
enough clue, no doubt... But some clue. Setting up the MS equivalent can
probably be done by the random guy on the street wearing a blindfold and
with one hand tied to the chair with a Cat 5 UTP cable. That's the problem.

Someone made the argument to me privately that the problem is that MS lets
you run attachments from Outlook, while other clients would require you to
save the files to disk. That's not a solution: if these people are like my
parents used to be, they'd dutifully save the attachment, open up a file
manager, and open it up to see the "cool new screensaver" their best friend
sent them ("hey, even if it's a virus, I have an antivirus" is the usual
excuse). Sure, that's three steps instead of one, but for as long as the
HUMAN behind the keyboard wants to open the attachments, whether it takes
two clicks or fifty keystrokes, that attachment will get open. Why doesn't
this happen to Evolution users? My guess is, if you a) know what Linux is,
b) know how to set it up, and c) know what Evolution is, you have enough
CLUE to know that executable attachments from your friends that come with a
gramatically-incorrect email body are trouble.

MS has made a business of putting computers into the hands of people who do
not have that clue, and do not want to acquire that clue. The fact that
they've been INCREDIBLY successful at doing it is the problem. Sure, they
could put a few more hoops to slow the viruses down... but for as long as
the person behind the keyboard wants to run the attachment, a way will be
found (and ISTR one patch for Outlook 2000 that blocked your ability to save
executables was released), and whoever tries to stop them will be seen as
the mean party here.

Vivien

And if you were a customer of the 100 million dollar bank and their vault was not much much much better protected than the 5000 dollar bank you would be quite justified in vigorously complaining about their irresponsible behavior.

jon

Microsoft software is inherently less safe than Linux/*BSD software.

This is because Microsoft has favored usability over security.

This is because the market has responded better to that tradeoff.

This is because your mom doesn't want to have to hire a technical
consultant to manage her IT infrastructure when all she wants to do is get
email pictures of her grandkids.

doug

Microsoft software is inherently less safe than Linux/*BSD software.

This is because Microsoft has favored usability over security.

This is because the market has responded better to that tradeoff.

This is because your mom doesn't want to have to hire a technical
consultant to manage her IT infrastructure when all she wants to do is get
email pictures of her grandkids.

Then yer mom should get a Mac.

And if she's like my mom, she'll be in the aisle in the computer store
(well, the big box electronics store, more realistically) and be like "Why
should I pay $2000 for this one when I can get 'a computer' for $500?" [1]

You can't expect people's mothers to actually know the differences between
the different platforms, just like I'm sure that when most people's mothers
shop for cars, they can't tell you the advantage of a particular engine type
over another. They just end up picking based on price and "ability to meet
need", and for most mothers old-enough-to-have-NANOG-posting-kids out there,
your $500 eMachines or whatever is more than enough. Expecting them to spend
additional money to address a problem they don't understand is an
unrealistic expectation.

Vivien

Then yer mom should get a Mac.

And if she's like my mom, she'll be in the aisle in the computer store
(well, the big box electronics store, more realistically) and be like "Why
should I pay $2000 for this one when I can get 'a computer' for $500?" [1]

Agreed. That's where you educate your mom on why Macs are godly, PCs running windows are evil and Linux is a little to complex still for the end user, and bluntly doesn't look as pretty out of the box.

If she squaks at the price, you tell her that you get what you pay for. How many times has her printer stopped working or she's been unable to download her pics or watch some video or a dvd or something else that XP touts as super easy, and integrated?

Actually, since I got my first Mac last year, I've been barking up and down about how amazing it is. I told everyone I sold every PC I ever owned because I could do it all on my powerbook. They are all jealous. I had XP for my email, visio and word, *nix for my geek router & perl stuff, another PC for my audio production stuff. All gone. All I have now is a 17" Powerbook. It's all I'll ever need. Well, no -- it's not. When I need something for music, I'll get a G5. Plain and simple, I will never own a PC again.

It's funny, I went out of town for thanksgiving with my family. When we got to where we were going, my mom was complaining that her digital camera flash was full and she didn't have another one. I told her that I could download the pictures to my powerbook and email them to her later. As I was connecting the camera, she asked "Well, don't you need to download and install the softw...." she stopped mid-sentence as the Mac found the PowerShot, opened iphoto and proceeded to download the pictures -- no software needed. She looked Jealous.

When the last big MS virus/worm caused it's major shitstorm, my mom asked me if I ever get infected with viruses. I said no, I run a Mac. They are immune to these viruses. She looked jealous.

Needless to say, a year after she bought herself her Dell with her 19" flat panel monitor, in a couple months, she'll be picking up her new 20" iMac. Now I'm jealous.

I've got a couple other friends who are going to shitcan their PCs in favor of Macs.

I agree, price is a big thing and it will continue to be. Until people can convince others to look beyond that, they are all going to be stuck in the MS world, plagued by all this badness wondering "Is there something else better out there?" All this, while us non-MS folks sit back with a big satisfying grin.

You can't expect people's mothers to actually know the differences between
the different platforms, just like I'm sure that when most people's mothers
shop for cars, they can't tell you the advantage of a particular engine type
over another. They just end up picking based on price and "ability to meet
need", and for most mothers old-enough-to-have-NANOG-posting-kids out there,
your $500 eMachines or whatever is more than enough. Expecting them to spend
additional money to address a problem they don't understand is an
unrealistic expectation.

Of course you can't expect them to know. That's where we come in; the free and the saved

It's all about educating the less fortunate There is a very fine line between pay now, save later and save now, pay later. The latter almost always works out to cost a hell of a lot more than the former ever would have.

(hypothetical) Buy the $12,000.00 (CDN) KIA with no snow tires, no ABS, no nothing. Drive somewhere in a snow storm, get stuck going up a hill, try to back down the hill, get sideswiped by the guy in the Touareg because he can't see your tiny little $12,000.00 KIA soap box, get flung over the guardrail, down the hill and into the valley. Pay the tow truck to come bail your ass out, pay your insurance deductible and the extra rates you are going to ensue because you just wrote off your car. Add all that up and compare that to the price of a brand new Touareg over 10 years. Guess what, your analogy just lost ground

Actually, since I got my first Mac last year, I've been barking up and down about how amazing it is. I told everyone I sold every PC I ever owned because I could do it all on my powerbook. They are all jealous. I had XP for my email, visio and word, *nix for my geek router & perl stuff, another PC for my audio production stuff. All gone. All I have now is a 17" Powerbook. It's all I'll ever need. Well, no -- it's not. When I need something for music, I'll get a G5. Plain and simple, I will never own a PC again.

Of course the Powerbook will do all music stuff as well (unless you need the PCI based add in cards for protools!).

Got a colleague who swapped hi twin 1GHZ PC for a 17" powerbook to do his video editing side business. Guess wot - the powerbook works much much better than his w2k based system!!

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
Behalf Of Jason Lixfeld
Sent: January 29, 2004 11:55 AM
To: Vivien M.
Cc: doug@nanog.con.com; nanog@merit.edu
Subject: Re: MS is vulnerable

Agreed. That's where you educate your mom on why Macs are godly, PCs
running windows are evil and Linux is a little to complex still for
the end user, and bluntly doesn't look as pretty out of the box.

And when she asks why it can't be as simple as buying a microwave or a
washing machine, what do I do?

If she squaks at the price, you tell her that you get what
you pay for.
  How many times has her printer stopped working or she's
been unable to
download her pics or watch some video or a dvd or something else that
XP touts as super easy, and integrated?

My mom still uses Windows Me (yes, I know... I wouldn't recommend
95/98/98SE/Me to anyone, but good luck convincing her to upgrade), and it
works fine for her. She even manages to make it stay up for more than a few
days, which is more than what I've ever managed to do with the 9X family.

You're making the assumption here that there are real non-security,
usability benefits to switching to a Mac/OS X. That's not what we're
discussing here, we're talking about security. How can I argue to my mom
that getting a Mac (which would prevent her from running the Windoze-only
software she needs for work, FWIW) would let her printer keep working when
the only printing problem she's had was caused by clogged print heads? You
know, I don't want her to commit me to a mental hospital...

Actually, since I got my first Mac last year, I've been
barking up and
down about how amazing it is. I told everyone I sold every PC I ever
owned because I could do it all on my powerbook. They are
all jealous.
  I had XP for my email, visio and word, *nix for my geek
router & perl
stuff, another PC for my audio production stuff. All gone.
All I have
now is a 17" Powerbook. It's all I'll ever need. Well, no -- it's
not. When I need something for music, I'll get a G5. Plain and
simple, I will never own a PC again.

Great. I'm glad that you have the ca$h to make the switch. Some of us,
though, have too much $$$$ invested in a platform to write it off and start
over with another platform... especially when the current one meets our
needs.

It's funny, I went out of town for thanksgiving with my family. When
we got to where we were going, my mom was complaining that
her digital
camera flash was full and she didn't have another one. I
told her that
I could download the pictures to my powerbook and email them to her
later. As I was connecting the camera, she asked "Well,
don't you need
to download and install the softw...." she stopped
mid-sentence as the
Mac found the PowerShot, opened iphoto and proceeded to download the
pictures -- no software needed. She looked Jealous.

WinXP will download pictures from cameras without the software, too. Most
camera manufacturers downplay that ability to push their own software,
though.

When the last big MS virus/worm caused it's major shitstorm, my mom
asked me if I ever get infected with viruses. I said no, I
run a Mac.
They are immune to these viruses. She looked jealous.

Remember, Apple only has 3% market share. If that goes up to 20%, we'll see
what happens to their 'secure' reputation...

It's all about educating the less fortunate There is a very fine
line between pay now, save later and save now, pay later. The latter
almost always works out to cost a hell of a lot more than the former
ever would have.

(hypothetical) Buy the $12,000.00 (CDN) KIA with no snow
tires, no ABS,
no nothing. Drive somewhere in a snow storm, get stuck going up a
hill, try to back down the hill, get sideswiped by the guy in the
Touareg because he can't see your tiny little $12,000.00 KIA
soap box,
get flung over the guardrail, down the hill and into the valley. Pay
the tow truck to come bail your ass out, pay your insurance
deductible
and the extra rates you are going to ensue because you just wrote off
your car. Add all that up and compare that to the price of a
brand new
Touareg over 10 years. Guess what, your analogy just lost ground

And guess what, many people can't afford Touaregs.

You came up with an extreme example... And the fact that KIA dealers aren't
out of business suggests that real life isn't that extreme. For many people
who need a car to go to work and shop for groceries (which the $12K KIA will
do just as well as a $170K Mercedes S class), they won't see what the
advantage of a more expensive car is. I don't APPROVE of such attitude,
believe me, and I think anyone who sees a KIA Rio as functionally equivalent
to a Mercedes S class ought to go to a mental hospital, but it is a COMMON
attitude among people lacking an interest in cars. And, honestly, if the
purpose of a car is to go to work and shop for groceries, isn't the KIA Rio
enough, assuming the weather doesn't suck too badly, and a drunk with a
Hummer H2 doesn't decide it'd be fun to crash into you?

Same deal with computers. You, the enlightened, may argue that the $2000 Mac
is better in many ways that the $500 eMachines. Your arguments may be
utterly true... But when your mom (if she was like mine) comes back with the
"but the $500 computer does everything I want" argument and starts saying
that she doesn't need a "luxury" computer, you'll end up in a tight spot.
The $2000 Mac may do everything BETTER than the $500 eMachines, just like
any [new] car will go to work and shop for groceries BETTER than a Kia Rio,
but that "betterness" is unappreciated by the masses. And if you want to
ruin your relationship with your mom over her choice of an OS, well, go
right ahead

Vivien

Actually, since I got my first Mac last year, I've been barking up and down about how amazing it is. I told everyone I sold every PC I ever owned because I could do it all on my powerbook. They are all jealous. I had XP for my email, visio and word, *nix for my geek router & perl stuff, another PC for my audio production stuff. All gone. All I have now is a 17" Powerbook. It's all I'll ever need. Well, no -- it's not. When I need something for music, I'll get a G5. Plain and simple, I will never own a PC again.

Of course the Powerbook will do all music stuff as well (unless you need the PCI based add in cards for protools!).

True, it will do all the audio stuff, to a point. It will do well for basic, intermediate and advanced production techniques, however when you start doing pro stuff with lots of filtering and effects, that's when it'll turn ugly and the 1Ghz bus on the G5 with the SATA drives will come in real handy!

Got a colleague who swapped hi twin 1GHZ PC for a 17" powerbook to do his video editing side business. Guess wot - the powerbook works much much better than his w2k based system!!

Funny that, eh?

Your analogies suck for two reasons:

1: take a look at the huge problems apple is having with quality
control and returns on the ibooks. They've finally started admitting
there's a problem (after months and months of consumer outrage)

http://www.apple.com/support/ibook/faq/

2: VW build quality control and reliability sucks as well. Theres a
long list of problems every Jetta owner will eventually see. Most are
not covered by a recall or other warranty replacement. I can only
imagine the problems the Toureg owners will be seeing in a brand new
platform.

Not to mention that most VW dealers are raging crooks, and VWOA does
nothing to stop or discourage their theft and fraud.

http://matt.ethereal.net/ggvw/

As an iBook owner, and a VW owner, I can say with authority that I'd
think twice before making another Apple or VW purchase.

The moral of the story is that theres always a downside, and you
should take any evangelist's schpiel with a giant salt lick.

matto

"Vivien M." wrote:

And when she asks why it can't be as simple as buying a microwave or a
washing machine, what do I do?

What does she do when she is buying a microve or a washing machine?

Your analogies suck for two reasons:

1: take a look at the huge problems apple is having with quality
control and returns on the ibooks. They've finally started admitting
there's a problem (after months and months of consumer outrage)

http://www.apple.com/support/ibook/faq/

Try again. They are having quality control issues, grated. The thing is, the issue isn't huge. I read an article about this yesterday. Out of the 837,000 ibooks sold in 2003, 0.2% of all ibooks were affected.

2: VW build quality control and reliability sucks as well. Theres a
long list of problems every Jetta owner will eventually see. Most are
not covered by a recall or other warranty replacement. I can only
imagine the problems the Toureg owners will be seeing in a brand new
platform.

Sure, no company goes without having a glitch in their production or something at some point -- that's life.

Apple acknowledges their problems with their hardware, fixes it and makes sure it doesn't happen again. VW fixes their problems and makes sure they don't happen again. Microsoft acknowledges their problems and says "F**k you, we're Microsoft. Deal with it".

Not to mention that most VW dealers are raging crooks, and VWOA does
nothing to stop or discourage their theft and fraud.

*shrug* sorry about your luck. I've had nothing but good luck with my Rabbit that went 15 years on it's original clutch (and I drove like Andretti in those days). Aside from some body work on my GTI now, there aren't any crippling mechanical issues. You must just have really bad luck.

http://matt.ethereal.net/ggvw/

As an iBook owner, and a VW owner, I can say with authority that I'd
think twice before making another Apple or VW purchase.

Too bad.

The moral of the story is that theres always a downside, and you
should take any evangelist's schpiel with a giant salt lick.

As we have done here..

Now, then, I'm done. Back to on-topic stuff.

Look for the one that provides the desired functionality for the lowest
price? Without worrying about whether one brand's washing machine will
somehow spew anthrax into the neighbourhood's water network, or into her
clothes?

Vivien

> I've been wondering lately, after about 10 years of email worms spreading in
> exactly the same manner with every incarnation ... why do you think people
> haven't learned not to open unexpected attachments yet?

Blaming it on end users is one way to look at the problem, but not
a way that will result in a solution.

You should be wondering, after 10+ years of virus laden MS operating
systems, why they haven't fixed this stuff. Similar vulnerabilities
in Unix, Mac, and other OS were fixed long ago.

[snip]

this is actually what I was driving at, but I've had so MANY anti-MS rants
over the last few years, I thought I'd take a different tack.

> (Note: I really do not want this to degenerate into another rant against
> vendor M;

Sorry for not sharing your disinterest in the actual reasons we
continue to see these viruses and trojans infecting MS and, for all
intents and purposes, only MS operating systems.

oh, I share your position, believe me! It just seems that efforts to force
MS to change have had little effect, and I was hoping that maybe if we
attacked the issue from another angle, it might be productive.

Date: Thu, 29 Jan 2004 09:26:05 -0500 (EST)
From: doug@nan...

This is because your mom doesn't want to have to hire a
technical consultant to manage her IT infrastructure when all
she wants to do is get email pictures of her grandkids.

Problem:

1. Even so-called "easy" systems are often too complex for
   $non_technical_person

2. When insecure software is exploited, $non_technical_person
   must hire a technical consultant anyway to backup data,
   reinstall the OS, and restore the data.

Windows can boot to safe mode. Would an "admin mode" be that
much more difficult? Just don't allow switches to admin mode to
be automated by software...

Eddy

[snip]

> > This is because your mom doesn't want to have to hire a technical
> > consultant to manage her IT infrastructure when all she
> wants to do is
> > get email pictures of her grandkids.
>
> Then yer mom should get a Mac.

And if she's like my mom, she'll be in the aisle in the computer store
(well, the big box electronics store, more realistically) and be like "Why
should I pay $2000 for this one when I can get 'a computer' for $500?" [1]

Buy her an eMac. $700.