On Mon, 22 Sep 2003 16:36:51 GMT, Richard Clark
wrote:

snip
Should have been the point where you stopped writing.

The security holes are not inadvertent mistakes that anyone could have
suffered in the face of such a monumental work as Windows. These
holes (and I am not talking about the current round of affairs, as
neither was J. McLaughlin) are deliberate design "features" that
Chairman Bill and MS claim to be what the user population clamor for.

Richard, you reminded me of things I had long forgotten.
I've been around this stuff since before there was a Microsoft.
I purchased my own PC in 1979-1980. We called them PC even before IBM
was given the copyright...much like MS and DOS. sigh

In other words, insecure software is being deliberately constructed
and sold for the express purpose of satisfying Market issues. MS is
quite blunt in this admission, and aggressively so! Many years ago,
the computer community bewailed MS's determination to allow raw
sockets to be made available at the user level. As you are "not a
programmer" you probably never heard this debate, and yet it is part
and parcel to the features of insecure design. MS snubbed the
security experts (Not Invented Here syndrome) and went their own way -

Although I'm not an MS booster, I've had to use it to stay compatible
over the years. I do take exception to their ethics and lack there
of. OTOH, as much as I hate to admit it, I truly believe that had MS
not gone for the "Market" we wouldn't have the abilities we have
today. And...yes that can be taken two ways and both are correct.
sigh

the body count over those same years testify to it in the millions.
Unfortunately the income measures in the billions and security is
buried in the digits with the corpses of dead machines.

The feature called DCOM is so insecure, that it leads the way in
current hacker fields of delight. DCOM is a patchwork quilt of an
older Marketing concept called COM (which has been largely ignored by
software professionals such that MS tried to "sex" it up by adding a
"D" to make it "Distributed," yet another Market slide) which in turn
was spun off from OLE. All of these have technical basis in
implementation, but were designed in whole ignorance of security
requirements. You have absolutely no need for DCOM, and yet as a
service to you MS has deliberately left access to it on your machine
open to anyone on the internet.

None of these issues are trivial. None of them require poking and
prodding to discover or crack. None of them came without advanced
warning (and one site has had fixes months in advance of MS). None of
them were designed by accident, or through the misfortune of Windows
being too complex to debug 100% faithfully. What is worse, MS even
submitted a security patch in the last two weeks that did not work!
Making allowances for them is generous in the extreme.

I guess I'd have to be generous and say I doubt they released the
patch that didn't work on purpose...It's bad for their image.


I note that you post from a revolving IP, such that if you had not, I
could have connected to your machine to give you a demonstration of
how open you are to attack. It involves a command built into NT that
is designed EXPRESSLY to allow me to do this! I don't need hacker
tools, just a DOS session and the command line interpreter will do the

A few years back, I was receiving an inordinate number of viruses
which more correctly were mostly worms. I'd take the IP and head for
what looked like the culprit in the above manner. I verified that was
the source and then sent them an e-mail, or looked up the phone number
and called. True, I didn't track all that many down, but I still
found a bunch and those e-mails had given me the machines address.
Back them dynamic IPs were the norm, not the static IPs on the
broadband of today. BTW, many of those systems would have been very
easy to log in as I was basically in the same position as any user
when they are at the boot up screen. OTOH, I had no desire to root
around in someone else's system and particularly if it most likely
had a virus.

I can't imagine going on the net with an MS system without a firewall,
virus checker, "cookie cruncher" and "SpyBot". I don't use MSs
firewall either and I avoid "Passport" like the plague.

IF MS would just set the defaults to off, it would be a big
improvement, but their market base wants all that stuff that opens
them to the whole wide world.

It's not just individuals who want that fancy stuff either.
My wife has used one of our computers for several years to keep a
large database for a pretty big organization. That database comes
with a complete set of macros and VB programming to make it user
friendly. I have the security features now set to prevent that stuff
from running automatically. If they want her volunteer time they are
going to have to create a stand alone program to use the database as
our system now strips that stuff off on receipt. Maybe it's overkill,
but I don't like the idea of a program having the ability to run
macros and VB when it is opened. Either is quite capable of doing any
operation on my computer that I can and probably no few that I don't
even know about and my degree is in CS.

rest. If you ever consider moving up to townsqr's hi-speed
connectivity, you better get these on-ramps to your system controlled!

It's interesting to sit here was watch port probes repeatedly move
through the list trying to find a way in. If I did not have a fire
wall they'd be in on the first try.

One day I saw a familiar address as the source of the probes. I
called my ISP and asked them to check out an IP that was probing my
machine. There was a long pause and then the exclamation..."That's
one of OUR IPs"! "Yah, I know...I think you guys have picked up a
termite." To top it off I use multiple layers of isolation and they
were still probing the one machine. Just the one, none of the others.

So, from the marketing standpoint the MS approach has been extremely
successful, but a disaster from the security standpoint.

OTOH, had some other system such as LINUX, or UNIX been adapted to a
user friendly GUI (I mean man-on-the-street friendly)

No system is completely invulnerable, but I wonder what the state of
the art for users and security would be had a more secure route been
followed? Would the industry have progressed as fast? would
redirected energy from crackers eventually have created as much of a
problem? Would we have near as many people capable of interacting
world wide?

All hypothetical questions as there is really no way of answering
"what ifs".

What we do know beyond the history is that the "ordinary" users are
not truly computer literate and no amount of education and training is
going to make them give up those fancy features that open their
computers to the whole wide world and I don't mean internet.

Roger Halstead (K8RI EN73 & ARRL Life Member)
www.rogerhalstead.com
N833R World's oldest Debonair? (S# CD-2)


73's
Richard Clark, KB7QHC