Pros point to flaws in Windows security update

I have to agree with TigerShark:

Quote:

---

Er.... Isn't the "flaw" the user himself????? I mean c'mon.... If you don't know what the cmd prompt is what could possibly be so important as to coax a user of this level into following the instructions without suspicion.

---

I mean, is it a problem that the EXE attachment will run from a command prompt without consideration for its alleged security level? Sure. However, the users dumb enough to do that don't even know what a command prompt is or how to find it. If a piece of malware actually walked a user through moving the file to execute from a command prompt and how to do it and they follow those instructions and get infected they should just be fired. There is nothing a security administrator, technology or policy can do against stupidity of that degree.

I also liked the quote from Pooh Sun Tzu:

Quote:

---

The Tao teaches us to not act until others require us to act, and to not learn unless others require us to know.

---

I have a new book by Richard Bejtlich called The Tao of Network Security Monitoring: Beyond Intrusion Detection that I haven't had a chance to look at yet. I like the philosophies behind Buddhism and the Tao although I understand they are separate and unique philosophies.

Quote:

---

The Tao teaches us to not act until others require us to act, and to not learn unless others require us to know.

---

Sounds like the definition of procrastination to me. I always thought that prevention was the best defense. MS developed a new security measure to prevent mass mailers. Now it turns out that it can be bypassed.

Is a user really that dumb when receive an email from their bosswith a picture file attached, and follow it's directions? They are if they didn't learn a lesson from a previous mass mailer, but I remember a time when I didn't think viruses could happen to me (pre-broadband). Some people still live in that era.

One more thing about that quote: I would rather see prevention techniques go wrong, and learn from that, than leave a bug wide open and learn the hard and irresponsible way. I've never seen anyone win a war by letting soldiers into their base just to see what kind of weapons they have.

Sometimes there simply are _no_ technological solutions to administrative problems!!!!!!

Quote:

---

Is a user really that dumb when receive an email from their bosswith a picture file attached......

---

And is the virus that intelligent to be able to pick out the target's boss from the list of email addresses it is presented with? There's fetched, far fetched and beyond far fetched... I think we can all see where this one lives..... ;)

BTW, I totally agree that stupid people are the biggest problem in any network (or anywhere else for that matter), and obviously can't be patched. My point is that Windows is trying to acheive the dummyproof OS, and this is a flaw on the way to that goal. Dummyproofing is good, I think. :confused:

The "email from your boss" example was taken from my work. The boss opened an attachment, and his address book was all the employees (I got to clean up the remains).

Now I'm going to chipotle for a burrito. ::bandit::

:hello:


edit:

Response to TB waaay down there-

Agreed.

Quote:

---

Originally posted here by Soda_Popinsky

Now I'm going to chipotle for a burrito.

---

Nothing like their pillows of mexican goodness to to ease the pain.
Love that place..:)

It's this simple:

They'll never be able to patch stupidity.

Quote:

---

They'll never be able to patch stupidity.

---

Which brings us back to the issue at hand. Yes, these are vulnerabilities in the strict sense of the word, but if the extenuating circumstances necessary to exploit a vulnerability are such that you have better chances of hitting the lottery on consecutive weeks than getting hit with it- its not that big a deal.

I whole-heartedly agree that remotely exploitable vulnerabilities and vulnerabilities that escalate privileges with a minimum of effort, etc., etc., blah, blah, blah should be addressed and patched ASAP.

But, the security researchers and security firms often blow their discoveries out of proportion and the media makes things into much bigger deals than they ought to be.

It seems there are two basic thoughts running through this thread: 1) Should someone try to break everything that's published and 2) where to draw the line in addressing known bugs/vulnerabilities. While I am more in the phyiscal security game than cyber security at this point of life, it seems to me that these are fundimental questions in almost any area of security. In the first place, any system that is used by human will always be somewhat vulnerable to "stupid human tricks." While security professionals (and software designers) have an obligation to armor the system as much as possible against such things, I would never claim that I had thought of all the things someone might do or the sequence they might do them in. As a result, none of my designs are foolproof, I just haven't yet found the right fool for some of them.

As to whether bugs/vulnerabilities should be identified when they are present, I think I would say yes, as a general rule. If the difficulity is fully understood along with how it might be exploited or inadvertantly activated, purchasers of the system can decide if the effort of correcting it is worth the cost within their own scheme of costs and impacts. Personally, I can't get really concerned with the vulnerabilty announced here within my user context, although others might have a different take on it and I freely admit I don't know what the impact of the fix might be on the usability of XP.

Quote:

---

I would rather see prevention techniques go wrong, and learn from that, than leave a bug wide open and learn the hard and irresponsible way. I've never seen anyone win a war by letting soldiers into their base just to see what kind of weapons they have.

---

It's a different way of living life, so I would prefer that you didn't call my lifestyle and way of learning "irresponcible". My entire career and research in security has been based upon that principle. Now I run XP security tests on AO without them getting cracked. Now I can write security tutorials on rock solid OS configurations. I learned because I let it happen, and because I let it happen I learned the cause/effect of the situation. And because I was able to see first hand the methods used in exploitation I am able to prevent it in the future by not only prevention through paranoia, but definative experience.

This is the same reason I won't run a virus scanner on my windows home machine, and havn't for seven or eight years. I don't get them, period. If/when I ever get one then I will know how it got past me as a computer user rather than just a program which blindly preforms it's job. And once I know how it got past me, my own methods will be improved to prevent it.

Two different ways to solve the same problem, so let's not critisize either of them. You do what works for you, because we all know it does indeed work for you, and I will do what works for me because I know it does indeed work for me. You like security through prevention and that's fine. It's like buying insurance in a car in case of a future accident. To me, security is like not getting the insurance and learning from the mistakes I make(and the errors in car control) so that I can improve my driving as well as make improvements to the car's handling. Some may see it as irresponcible, I see it as self-improvement through life. Does this mean in a work situation with 400 computers I play dumb? No. Self experience is not about forgetting what the past has taught you, but about applying and improving upon it. I would still place a central virus scanner, firewall, and monitoring tools. Not because it's paranoid or prevention, but because I've learned first hand what can happen without it, and now can do so much more in responce to a future attack than just run a bunch of tools.

And no, a general will not allow troops to enter a base to see what weapons they carry, but they will allow them to get in close enough to define their tactics and take a slight loss, so they better know how to fight back. Swordfighting, martial arts, chess, is the same way. You learn how your opponent works rather than trying to guess and make costly moves, even if this means giving up a pawn for the good of all. That entire concept, a sacrafice for the larger good, is eastern thinking anyways and thus the difference in how you and I view things.

None the less, let's not take it down to calling my way of life "irresponsible".

edit: Someone pmed me and said I should add this to clarify:

My methods of learning and security focus more on improving the user side of things, in which the user becomes smarter and more self-secure with or without programs to prevent stupid mistakes. In time you learn how to do and prevent all the things programs helped in the first place.

I can agree with that. From what I know about you, it seems like you do more consultant work that administration and maintenance, and in that case you would need an in depth look at how an exploit works, in order to relay it to who you consult to.

My users, on the other hand, could care less how the latest mass mailers harvest their address book, and what port gets opened when a ftp server gets planted. For me not to take preventive measures and workarounds, would be irresponsible. It doesn't matter if my users are smart or not, I'm not their mommy and I'm not going to punish them for being stupid. My job is to make "it" work, and that's why I am there. The second it looks like I am teaching lessons to the users the hard way, I'm out of a job.

I do know what you mean pst... I wouldn't be running Aim if I didn't. ;)

I didn't mean the context to be interpreted as it was, so don't take offense.