RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

-- Jeff said --

Patches either need to be of a size that a dialup user doesn't have to
be dialed in for 24 hours to download and install them. Or .iso's
should be available for ISP's to download, turn into CD's and
distribute as appropriate. Wouldn't that be nice for a dialup user -
getting Windows Update on a CD-ROM from their ISP?

To which I reply:

  It is somewhat unreasonable to think that ISPs should be responsible
for the security of their users' systems on a systematic basis. Another reason
the idea of a 'CD with updates' most likely wouldn't be effective is because
by the time the ISP produced the CD, the user got the CD, and installed it,
the patches would most likely not be the most recent available. Also, do you
realize how much the 'average technical school graduate type' makes just
from acquaintances who complain that their computers are slow, by simply
removing whatever "flavor of the month backdoor spam proxy virus"? I bet a
good number of 'tech service calls' that companies such as PC On Call and
people who service residences get could've been avoided by patching in a
reasonable time period.
  However, a while ago we tried an idea of sending out E-Mail alerts to
our customers whenever a critical update of "Remote execution" or worse was
released. We found that most of our users were annoyed by this. A different
time we used a network sniffing tool to find a few dozen handfuls of your
average home Dial-Up users who were infected with various malicious agents
(i.e. Nimda, et cetera) and we actually contacted those users, to let them
know, and again we were met with more hostility.
  From this interesting pattern I would surmise that users want their
ISPs to be hands-off unless the problem that they're causing is affecting
them directly. End users on the Internet see their connectivity as a right,
and not a privilege. I remember when I was 13 (that was only 11 years ago)
and I signed up for my Freenet account at the Columbus Public Library (I
believe it was, ? still is? Through OSU), they really made me feel like it
was a privilege to be using the Internet, and I honored that.
It's just difficult to explain from a professional level what the effects
these people's behavior (or lack thereof) is having on the rest of the
community. Think of it like people who drive monster SUV's, they can afford
the gas, and the insurance so they don't believe that the harm that these
beasts do to our environment matters, because again it's their god given right
to drive them.

-Drew

** Reply to message from Drew Weaver <drew.weaver@thenap.com> on Mon,
19 Apr 2004 13:42:53 -0400

> -- Jeff said --
>
> Patches either need to be of a size that a dialup user doesn't have to
> be dialed in for 24 hours to download and install them. Or .iso's
> should be available for ISP's to download, turn into CD's and
> distribute as appropriate. Wouldn't that be nice for a dialup user -
> getting Windows Update on a CD-ROM from their ISP?
>
> To which I reply:
>
> It is somewhat unreasonable to think that ISPs should be responsible
> for the security of its users' systems on a systematic basis.

Responsible? No.
Able to assist in maintaining that security (and thus that of the ISP's
network)? Yes.

> Another reason
> the idea of a 'CD with updates' most likely wouldn't be effective is because
> by the time the ISP produced the CD, the user got the CD, and installed it,
> the patches would most likely not be the most recent available.

I can burn a CD from ISO in about 5 minutes - how about you?
I'm talking about XP users who haven't even updated as far as SP1.
Win98 users who have never run an update in their life...
Win2k users are usually the most patched up that I've seen - because
that went into mostly business environments.
This would at least get them up to the level of the playing field,
where the routine updates are not as much of a hassle. Sure, you'll
get the little old ladies and gentlemen who will drop by every month
for their service pack fix, but that's just customer service.

> Also, do you
> realize how much the 'average technical school graduate type' makes just
> from acquaintances who complain that their computers are slow, by simply
> removing whatever "flavor of the month backdoor spam proxy virus"

Ah, now you are talking about why I happily promote Ad-Aware and
Spybot.

> I bet a
> good number of 'tech service calls' that companies such as PC On Call and
> people who service residences get could've been avoided by patching in a
> reasonable time period.

And your problem with the local ISP having this stuff available for
their users is?

> However, awhile ago we tried an idea of sending out E-Mail alerts to
> our customers whenever a critical update of "Remote execution" or worse was
> released. We found that most of our users were annoyed by this, a different
> time we used a network sniffing tool to find a few dozen handfuls of your
> average home Dial-Up users who were infected with various malicious agents
> (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> know and again we were met with more hostility.

You definitely don't have our customers then. Ours usually appreciate
being told that their systems are screwed up.

> From this interesting pattern I would surmise that users want their
> ISPs to be hands-off unless the problem that they're causing is effecting
> them directly. End users on the Internet see their connectivity as a right,
> and not a privilege. I remember when I was 13 (that was only 11 years ago)

Some of ours are like that. Most seem to realize their limitations and
are happy to know that at some level we are looking out for them. BTW,
for me 13 was many more years ago than that... RTM wasn't even in
college yet, I imagine.

> and I signed up for my Freenet account at the Columbus Public Library (I
> believe it was, ? still is? Through OSU), they really made me feel like it
> was a privilege to be using the Internet, and I honored that.

Dial-up, or using their systems at the library? And you weren't paying
for the privilege, at least not directly.

> Its just difficult to explain from a professional level what the effects
> these peoples' behavior (or lack there of) is having on the rest of the
> community. Think of it like people who drive monster SUV's, they can afford
> the gas, and the insurance so they don't believe that the harm that these
> beasts do to our environment matter, because again its their god given right
> to drive them.

That's a whole 'nuther horse to kill there.

He's right.

Most customers get defensive/hostile when you tell them there's something
wrong with their system.

However I've encountered the same attitude with many NOCs when informing
them they have open relays / smurf amps / owned servers. First they deny
it - "you must be mistaken", then get defensive "what business is it of
yours anyway?" or hostile "you can't possibly know that without having
broken into our network, I'm calling the police" (yeah right, I need to
break into your network in order to be smurfed by your broken routers.)

So this isn't unique to end users. It seems most people would rather
discover problems themselves, and go into a sort of panic mode when
informed by a third party. Many (including NOCs) aren't emotionally
prepared to handle anything beyond "hit ctrl-alt-del".

I'm still looking for a good way to gently inform end users/nocs of
problems without having them fly off the handle.

-Dan

> ** Reply to message from Drew Weaver <drew.weaver@thenap.com> on Mon, 19 Apr 2004 13:42:53 -0400

    [...notification of the...]

> > average home Dial-Up users who were infected with various malicious agents
> > (I.e. Nimda, et cetera) and we actually contacted those users, to let them
> > know and again we were met with more hostility.
> You definitely don't have our customers then. Our usually appreciate
> being told that their systems are screwed up.

> He's right.
>
> Most customers get defensive/hostile when you tell them there's something
> wrong with their system.

For what it's worth, our (dial-up and DSL) customers have generally
acted thankful when we contact them about the problems their machines
are causing.

I guess nothing changes -- the world is full of people. :-)

Date: Mon, 19 Apr 2004 10:39:10 -0700
From: Jeff Shultz

> Also, do you realize how much the 'average technical school
> graduate type' makes just from acquaintances who complain
> that their computers are slow, by simply removing whatever
> "flavor of the month backdoor spam proxy virus"

Ah, now you are talking about why I happily promote Ad-Aware
and Spybot.

They're a start. However, I've encountered many systems with
suspicious/malicious ActiveX controls or BHOs that neither
AdAware nor Spybot caught. I can't think of many other people
who are willing to rip out chunks of the Registry manually.

How savvy should users be expected to be? Education is good, but
there comes a point where the OS/software need to make abuse a
bit more difficult. I'm curious to see how Win2003 Server and
its executable restrictions fare. Not a silver bullet, of
course, but a good start.

I've given several presentations where I ask an audience member
to stand up and blindly do whatever I instruct. Nobody has been
willing yet. Most people will only perform certain "whitelisted"
actions in a public crowd.

Perhaps software should observe similar defaults. Java applets
are scored for "safety" based on what calls they execute; why not
extend the approach to all applications? Why not run with safe
defaults?

Eddy

I agree.

90% users CAN NOT UPDATE. How?

- (1) updates are too big to be downloaded by modem, which fail every 20 -
40 minutes (which is common in many countries);
- (2) if you connect to Internet for update, you are infected by virus much
faster than you install update.

I saw it. Home user install Win2K, then connect to internet to get update...
and catch virus.


Order the Windows Security Update CD
Updated Date: April 16, 2004

The Windows Security Update CD will be shipped to you free of charge. This
CD includes Microsoft critical updates released through October 2003 and
information to help you protect your PC. In addition, you will also
receive a free antivirus and firewall trial software CD.

This CD is only available for Windows XP, Windows Me, Windows 2000,
Windows 98, and Windows 98 Second Edition (SE).

Please allow 2-4 weeks for delivery.

http://www.microsoft.com/security/protect/cd/order.asp

I do not know if Microsoft plans to refresh the CD, or make it available
through other channels.

.. I almost wonder if AOL would consider shipping windows updates
on their mail-out CDs just as a "friendly" thing to do, unencumbered
by AOLness.

Adrian

Hmm, if you:
- are in Russia or other East Europe country
- got Windows with a computer (so it is 90% pirated one)
- have not credit card

how can you order this CD (of course, pirates will help -:))?

This explains the number of infected systems (in addition to other reasons).
My friends in Moscow have 3 - 4 Windows Me and Windows 98 (those, who are
far from computer business) - no one updated. It is impossible by Internet,
and you never know, is it Microsoft (CD) or is it Hacker (CD) when you
purchase a CD (and you have not any reason to spend a time and money,
purchasing CD).

Updates are not so easy, as it seems, having 1 Mbit DSL at home, good $20K
firewall and 10 Mbit at work (or been ISP itself).

geez, they are giving the CD away for free !

james

> Hmnm, if you:
> -- are in Russia or other East Europe country
> - got Windows with a computer (so it is 90% pirated one)
> - have not credit card
> how can you order this CD (of course, pirates will help -:))?

The US/English Windows Security Update CD is free. There is also a
Russian version. I don't speak/read Russian, so I don't know if Microsoft
asks for a credit card number before shipping the CD on the Russian web
page. For the other languages/countries web pages I can understand, the
CD is free.

That goal was having an off-line version of the same patches you get from
WindowsUpdate.Microsoft.com

> This explains the number of infected systems (in addition to other reasons).
> My friends in Moscow have 3 - 4 Windows Me and Windows 98 (those, who are
> far from computer business) - no one updated. It is impossible by Internet,
> and you never know, is it Microsoft (CD) or is it Hacker (CD) when you
> purchase a CD (and you have not any reason to spend a time and money,
> purchasing CD).

In the US, the Security Update CD is shipped directly from the Microsoft
contractor to the end-user. Of course, if the postal service, delivery
service or contractor is corrupt; what you receive could be intercepted
and replaced enroute.

> Updates are not so easy, as it seems, having 1 Mbit DSL at home, good $20K
> firewall and 10 Mbit at work (or been ISP itself).

Fixing insecure computers in black market economies is a difficult
problem. The more common reason I hear is people know (or suspect) they
are using pirate copies of Windows, and are afraid the Microsoft patches
will also disable illegal copies. People concerned about that won't use
any updates, regardless of how easy or quick.

Although Microsoft has several web pages how to check the so-called
Certificate of Authenticity, I haven't found a Microsoft supported way to
verify the actual software installed on a computer. Other operating
system vendors such as Sun have Solaris MD5 fingerprints for their
operating systems.

Bittorrent? :-)

Does anyone have a BT iso of these CDs btw? I can't imagine microsoft
objecting to its distribution...

-Dan

It depends... if you use FreeBSD with port system, for example - it is safe
enough (esp. if make a pause between 'make' and 'make install' in a few days
or a week, and read mail lists about possible problems).

> In the US, the Security Update CD is shipped directly from the Microsoft
> contractor to the end-user. Of course, if the postal service, delivery
> service or contractor is corrupt; what you receive could be intercepted
> and replaced enroute.

You do not need to kill a postman -:). Just write a disk, label it, and push
into the mailbox... few days before _real_ disk arrive.
(and make it auto-runnable).