From: Scott Francis
Date: 17:39 on 13 Aug 2003
Subject: Worm of the Week (or, still waiting for everyone to realize the obvious)

I finally wrote down some of the thoughts floating around in my head wrt buggy software (Microsoft being the chief distributor of such). The below is taken from http://darkuncle.net/microsoft_rant.html - I've attached it in text format.

--
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui

(WARNING: long rant ahead)

<rant topic="Microsoft" style="frustrated">

So it looks like the latest Microsoft security hole <http://www.counterpane.com/alert-v20030801-001.html> (get the patch <http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp> if you're unfortunate enough to be responsible for a Windows box) is going to, once <http://www.cs.berkeley.edu/~nweaver/sapphire/> again <http://www.cert.org/advisories/CA-2001-19.html> (and <http://www.cert.org/advisories/CA-2001-26.html> again <http://www.aaxnet.com/editor/edit003.html>), wreak havoc on the entire Internet due to a nice combination of entirely clueless end-users and poorly-written, bug-ridden software in which security is a distant third to bells and whistles and time to market. This one affects every version of Windows since Win95 that hasn't been patched in the past two weeks. Oh, and for bonus points, the worm <http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html> that exploits this hole attempts a DDoS of windowsupdate.com, effectively preventing any of the systems that might otherwise automatically patch themselves from doing so.
It was about two weeks between the public announcement of this hole and the appearance of the worm to exploit it (which is about what I predicted; I also predicted, jokingly, that it would be especially evil if the worm DDoS'ed windowsupdate so that users couldn't patch. Maybe I should stop making predictions, or only make pleasant ones, or else start up my own prophecy business.) For my next bold prophecy, I predict that Microsoft will suffer no damage whatsoever from this incident. There will be no lawsuits filed, no measurable loss of business, no public outcry (aside from the usual pundits on tech websites and the slashdot crowd), no demands that MS live up to their "Trustworthy Computing" <http://www.salon.com/tech/feature/2002/04/09/trustworthy/> marketing slogan. This corporation, with its vast market share and nearly complete saturation of the world's computer networks, has been so negligent for so long that the majority of computer users, whether business or personal, have been conditioned to think that this kind of experience is not only normal, but to be expected. Expectations have been so lowered by this pattern of behavior that bloated software full of security holes, released by a company in which security takes a distant third to time-to-market and bells and whistles (read: additional new "features" in every release which, rather than fixing the bugs in the previous release, only serve to introduce NEW problems), has become the norm for computer users and administrators. People think that this is the way that computing is supposed to be, that having your servers raped and your network swamped with zombie traffic from the worm-of-the-week is just the way things are. 
They don't know to expect any better - and worse still, when someone tries to introduce something better (Linux, BSD, Apache), it is quickly squashed by those with a financial interest in maintaining the status quo, or else by so-called "system administrators" not worthy of the title that can't function without a mouse and a point-and-click interface and installation wizards. I realize that there is currently no alternative to Microsoft (except possibly Apple, which has its own problems (price being chief among them)) that's ready for prime-time (and by this, I mean ready to replace Windows and MS software on the desktops of millions of AOL users and corporate drones that think THE INTARWEB consists of Outlook, Internet Explorer, Powerpoint/Excel/Word documents, and whatever trojan-ridden filesharing software they've managed to sneak onto their computer to create havoc for the MIS help desk this week). That said, I would be happy if we could just eliminate Microsoft and their horrid software, which is a nightmare for administrators, from the server room. If we could relegate Windows and Windows software to the desktop, where it belongs (and occasionally, where it actually does a decent job), a very large portion of the problem would disappear. Anyone running any public-facing, unfiltered service on a Microsoft platform is just plain irresponsible. Especially if that service is httpd or smtpd. There just aren't any excuses for that anymore - MS Exchange and IIS (not to mention their client counterparts, Outlook and MSIE) have the worst track records of any software that performs their respective functions. Not only that, they cost a fortune, are terrible resource hogs, need to be rebooted at least weekly for stability, and are no longer the only options for ease-of-administration (why you'd want somebody administering your network who's so unskilled he/she can't manage without a mouse is a whole other rant, but anyway). 
There are now point-and-click GUIs for UNIX systems running server software like postfix, exim and apache that have PROVEN track records with regards to not just security, but _correctness_ and ability to easily handle large loads with relatively few resources. There is no longer any excuse for running Microsoft in the server arena (with the possible exception of Outlook's calendaring functionality, which will soon be available in a work-alike free software product for UNIX systems). The sooner businesses realize that running Microsoft software is _the_ main factor in rising IT costs (not to mention liability for business and customer data), the better off we will all be. Microsoft is hardly the only vendor out there putting profits ahead of security, but they're certainly the most egregious offender. And their market saturation means that a small mistake from them costs the rest of us dearly.

</rant>
From: Simon Cozens
Date: 22:55 on 13 Aug 2003
Subject: MIME

Scott Francis wrote:
> --JYK4vJDZwFMowpUq
> Content-Type: multipart/mixed; boundary="T4sUOijqQbZv57TR"
> Content-Disposition: inline
>
>
> --T4sUOijqQbZv57TR
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
>
> I finally wrote down some of the thoughts floating around in my head wrt
> buggy software (Microsoft being the chief distributor of such). The below is
> taken from http://darkuncle.net/microsoft_rant.html - I've attached it in
> text format.
> --=20

'Nuff said.

It was all just plain text too. Bastards.
From: Scott Francis
Date: 23:11 on 13 Aug 2003
Subject: Re: MIME

On Wed, Aug 13, 2003 at 10:55:17PM +0100, simon@xxxxxxxxxxxx.xxx said:
> Scott Francis wrote:
> > --JYK4vJDZwFMowpUq
> > Content-Type: multipart/mixed; boundary="T4sUOijqQbZv57TR"
> > Content-Disposition: inline
> >
> >
> > --T4sUOijqQbZv57TR
> > Content-Type: text/plain; charset=us-ascii
> > Content-Disposition: inline
> > Content-Transfer-Encoding: quoted-printable
> >
> > I finally wrote down some of the thoughts floating around in my head wrt
> > buggy software (Microsoft being the chief distributor of such). The below is
> > taken from http://darkuncle.net/microsoft_rant.html - I've attached it in
> > text format.
> > --=20
>
> 'Nuff said.

what, your MUA can't speak S/MIME? :)

> It was all just plain text too. Bastards.

--
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui
From: Richard Clamp
Date: 23:15 on 13 Aug 2003
Subject: Re: MIME

On Wed, Aug 13, 2003 at 03:11:24PM -0700, Scott Francis wrote:
> what, your MUA can't speak S/MIME? :)

My MUA can just fine. My web archiver, being made from different software, she has troubles. Look at the spectacular breakage on a website not so far from this one.

Of course there's also a rant about forcing gpg onto people, but that's for another time.
From: Scott Francis
Date: 23:16 on 13 Aug 2003
Subject: Re: MIME

On Wed, Aug 13, 2003 at 11:15:06PM +0100, richardc@xxxxxxxxx.xxx said:
> On Wed, Aug 13, 2003 at 03:11:24PM -0700, Scott Francis wrote:
> > what, your MUA can't speak S/MIME? :)
>
> My MUA can just fine. My web archiver, being made from different
> software, she has troubles. Look at the spectacular breakage on a
> website not so far from this one.
>
> Of course there's also a rant about forcing gpg onto people, but
> that's for another time.

hey, my usage forces nobody else to. Besides, S/MIME is an RFC and has been for a while - if MUAs *cough*outlook*cough* don't support it, they're not in compliance. (this is hardly surprising though ...)

--
Scott Francis || darkuncle (at) darkuncle (dot) net
illum oportet crescere me autem minui
From: =?ISO-8859-1?Q?Ask_Bj=F8rn_Hansen?=
Date: 02:56 on 14 Aug 2003
Subject: Re: MIME

On Wednesday, August 13, 2003, at 03:16 PM, Scott Francis wrote:
> hey, my usage forces nobody else to. Besides, S/MIME is an RFC and has been
> for a while - if MUAs *cough*outlook*cough* don't support it, they're not in
> compliance.

Does your IP stack support RFC 3514? Oh no, it's not in "compliance"!

 - ask
From: Simon Cozens
Date: 02:58 on 14 Aug 2003
Subject: Re: MIME

Ask Bjørn Hansen:
> Does your IP stack support RFC 3514? Oh no, it's not in "compliance"!

I'm sorry, but nobody announcing themselves as =?ISO-8859-1?Q?Ask_Bj=F8rn_Hansen?= has any right to bitch in a thread about MIME.

There is another thread brewing about the whole Unicode catastrophe, but I have to drink enough to express what I *really* feel about IMAP first.
Generated at 10:27 on 16 Apr 2008 by mariachi