Confirmation of stealth Windows Update

[DasFox]

Originally posted by: mechBgon

Originally posted by: DasFox

Originally posted by: Nothinman
Wow, DasFox, you are really confused.

No I'm not, since Windows has been out I've only used service packs and nothing else.

90% of Windows updates for users are not needed. Let me stress this again, the key here is a user who does not have mission critical information on their system, and if they do, and it's that critical, those boxes shouldn't even be online in the first place.

Corporate, or business systems are another situation, but again they can limit the systems that are online, and what information is on these boxes that are online to limit any threats. Updates are not the real issue for security, it's how you manage your system that is the real issue to security.

You guys act like the real source of security is in the updates. Security starts with how you manage your systems, are they online, or only on an internal network? If they are then online what access is there to them, with what information, etc.?

Smart users, or Admins can pick and choose their updates to suit their needs if there are any. The biggest concerns for updates are when software won't work, and needs an update to fix a problem. If you are relying on updates for better system security, then you need to rethink about what security is in the first place, because it doesn't always begin with updates.

Another concern over updates is if you've been around Windows long enough then you'll also know MS has had a long history of updates breaking things and updates needing updates... Updating software doesn't always mean you are going to get the benefits you should. There are many times when updates create problems and also introduce another set of bugs that need dealing with. Updates in a business environment always have to consider this. Are the updates going to really help, or is there the possibility of introducing more problems, etc., when doing the updates?

Since MS first introduced Windows I've been using it without ever the need for any updates, other then something that was critically needed because software would not work without it, other then that there has never been a need for a user to update anything.

Like they say if it isn't broke you don't need to fix it, and that holds true for the software world unless software will no longer work, or it's going to pose a grave security risk, then there is no need to update, and even if it's going to pose a security risk, the FIRST line of defense in security is a firewall, not software updates.

If your system is going to become compromised because you didn't do some Windows updates, then there is something terribly wrong with your system security, and all the updates in the world aren't going to help if you don't even understand where security starts in the first place.

If you think keeping your software secure over a firewall is a safer approach to computing, then you need to rethink again.

Let me stress this in another way. The user only needs service pack updates, unless something won't work. And again, don't think that security updates to your software are going to make your box more secure if you don't even know how to use a proper firewall.

Proper security starts at the firewall first, it is the FIRST line of defense not the updates. If you don't think so, then tell that to the Admin of a company. Tell them to only update their software for security updates, and that they don't need a firewall anymore, they are now safe and secure.

Did you know you can have the crappiest bug ridden software with holes out the butt in it, and run the safest box in the world, if you know how to run a good/proper firewall, because it doesn't matter how insecure your software is, as long as your firewall is good. Then you can have a crappy firewall, with a terrible security policy/rules and great updated secure software, and guess what someone will get into that system, and eventually crack that software, why because there is no such thing as perfect software, anything is crackable.

Now does this mean this is how you should run a box with crappy bug ridden software full of holes? Of course not, but don't think that the service packs for users are that big of problems because they are not.

Again, the only people that need to concern themselves with updates is if there is anything mission critical on the system that needs the utmost protection, and GUESS WHAT? If it's that critical then those boxes shouldn't even be on the NET in the first place. They should be off line ONLY on an internal network with no access to the NET for greater security.

Let's wake up here, real critical systems shouldn't even be online if they are that important in the first place, and most of MS's updates are dealing with online security threats. Did you ever think about that?

Summary:

1. If it's not going to work, update it.

2. If security was that big of a problem, then maybe that box should not be online, but only on an internal network.

3. No computer should ever have anything on it so important that it needs Windows updates to protect it. That data should be on other forms of media, storage devices, etc... off the NET.

4. Real security is in proper management, how you run your systems, not updates!

Fascinating. By this logic, you would play World of Warcraft offline, since the bad guys (1) target WoW players to steal their logins and auction away their stuff, and (2) use Windows security vulnerabilities (which you don't want to patch) to install keystroke loggers specifically aimed at stealing your WoW login. I assume you don't want to lose your Level-whatever character and your other resources, and would consider them "mission-critical" due to the time and effort put into developing them.

Ditto for having malware delete all your MP3s and movies after exploiting a Windows vulnerabiltiy that you could've patched, or encrypting your homework files and demanding ransom... I could just keep on going. Steam logins, game CD keys, eBay or PayPal credentials, there's a lot of stuff people consider important, the bad guys want to get it, and no, we're not going to hide offline, and we're not all going to abandon Windows.

I just finished parceling out today's harvest of about 80 fresh malware samples from the wild. This little avalanche of disaster was touched off by exploits. Patch your Windows et al and patch or remove your other software too (Secunia online checkup). Use low-rights user accounts when possible. The bad guys mean business and your firewall is no guarantee of safety.


I might add that the average detection rate of these malware samples at VirusTotal, spanning 32 security software packages, is below 50%, and none of them nailed everything. Not even close. One sample :camera: could not even be detected on the infected system with antivirus products which actually have signatures for the sample in question (and also was missed by four rootkit detectors). Prevention is the name of the game, and this would've been prevented if the test computer had been patched properly (using a low-rights account would've stopped it too, in this instance). For want of a nail... yeah.

Hey nothing in the computing world is a guarantee, just remember that! Not even doing all those updates can save your ass. What will really save your ass is getting experienced, understanding how all these things work, and I know most of them. That is the difference here, knowing your enemy, and I know it, and I don't need updates to keep me safe.

I've done everything you've mentioned here, played games, use MP3's done file sharing, torrents, Newsgroups, Ebay, PayPal, online banking, I have important files on my computer, and I can share a list a mile long, and YET NOT one thing has ever effected me online ever.

And I use the HELL out of my computer with tons of software, doing tons of things online at least 60 hours a week, and in 20 years no problems, zip, nada, zilch...

Now don't take me the wrong way I'm not trying to sound like I'm bragging or better, that is not the POINT here, I'm just trying to make you realize this all comes down to user level experience, how skilled you are, and with little to no experience you better do everything by the book, but when you've been doing it over 20 years, and I mean really doing this, then there is a big world of difference.

Again does this mean this is what everyone does? NO, it means you do what you know, and if you don't know jack then you better being doing it all.

I know more then Jack, and I don't have to do Jack to my box other then install service packs, so please don't come in here calling names, because unless you've been down this road for 20 years then you don't have the experience to talk.

Don't say it can't be done, because it can!

PEACE
Das

 

[Nothinman]

See let me put it this way, have you ever done this before, or researched this for 20 years? I have, and I have 20 years of experience to tell you many people's computers will be just fine without any updates.

If you've been doing security for 20 years and these are the conclusions that you've come to then you've definitely been doing something wrong. Virtually every piece of evidence available and the experiences of every person I know doing security suggest the exact opposite.

Now did I just say every computer on the face of the planet will be ok, NO I said, "MANY", so let's not start blowing things out of proportion here, OK?

You're the one blowing things out of proportion. You're the one who suggested that if you start updating your software you won't need a firewall any more, inferences like that say one of two things. Either you don't really understand the subject or your whole argument is based on hyperbole and strawmen.

You ONLY need what is important to what you are doing, and even if it poses a problem, there are also ways around updates, by staying away from that software in the first place that has this exploit.

Even using AU you don't get updates for software that you don't have installed. Whether or not you're actively using all of the software that comes with Windows is another subject and is orthogonal to whether you should be installing updates in general.

And in a lot of cases you don't have a choice as to whether or not you use a piece of software. IE is a good example because even you browse with FF, MSHTML is still going to be used for displaying help, some things in explorer, etc.

IE has an exploit, use Firefox then, holes in a server, use another server, learn to use software that doesn't have as many issues as some, can this be done? Dam right it can, you think MS is the only one making software for the system, and there isn't good safe software to use?

Find me a single piece of software that doesn't have an exploit. If you switch programs every time an exploit is released you'll run out of options extremely fast. IE, FF, WebKit and Opera have all had problems in the past so what browser did you find that was 100% secure?

Let's get things clear here, we are ONLY talking about updates to the OS, nothing else.

No, we're not because that distinction is stupid. Software is software whether it's bundled with something else or not.

If you don't think XP with SP2 can't be run safely for anyone out there, then you don't understand the alternatives to making it safe over updates, and how this can be accomplished, and most users don't understand this, why, because they all just follow the crowd and run updates like everyone else, because they think this is the way, and the only way.

XP SP2 was released over 3 years ago, are you seriously deluded enough to think that all of the updates put out since then are pointless?

And yes, most users probably don't understand what's going on, you sure seem to be confused, but leaving AU on and letting it do it's thing is many magnitudes simpler than the alternatives so it makes sense that would be the option chosen by most people.

 

[DasFox]

Originally posted by: Nothinman

See let me put it this way, have you ever done this before, or researched this for 20 years? I have, and I have 20 years of experience to tell you many people's computers will be just fine without any updates.

If you've been doing security for 20 years and these are the conclusions that you've come to then you've definitely been doing something wrong. Virtually every piece of evidence available and the experiences of every person I know doing security suggest the exact opposite.

Your not paying attention, I didn't say I've been doing ONLY security, there is more to this then just security, it's also an understanding of how things work, etc... Yes granted the majority of this does revolve around security. Every person suggesting the opposite is fine, I'm not against anything, WHAT I'm trying to make you understand you are not grasping. Based on, "User Experience" and the "Purpose" you are using the system for will determine your needs, and if any updates will be valuable for you. EXPERIENCE is the biggest factor here.

Now did I just say every computer on the face of the planet will be ok, NO I said, "MANY", so let's not start blowing things out of proportion here, OK?

You're the one blowing things out of proportion. You're the one who suggested that if you start updating your software you won't need a firewall any more, inferences like that say one of two things. Either you don't really understand the subject or your whole argument is based on hyperbole and strawmen.

I was just making a point was all, not to be a smart ass, to show you that the real security is in the firewall, after all if you have the safest system in the world, and you then put it online with no firewall, completely open, then what kind of security is this, beyond all the updates? That's the point I was trying to make.

You ONLY need what is important to what you are doing, and even if it poses a problem, there are also ways around updates, by staying away from that software in the first place that has this exploit.

Even using AU you don't get updates for software that you don't have installed. Whether or not you're actively using all of the software that comes with Windows is another subject and is orthogonal to whether you should be installing updates in general.

And in a lot of cases you don't have a choice as to whether or not you use a piece of software. IE is a good example because even you browse with FF, MSHTML is still going to be used for displaying help, some things in explorer, etc.

Yes that is true what you are saying you are limited on certain options, BUT it also comes down to understanding those options, and how to use as many as possible to limit threats.

IE has an exploit, use Firefox then, holes in a server, use another server, learn to use software that doesn't have as many issues as some, can this be done? Dam right it can, you think MS is the only one making software for the system, and there isn't good safe software to use?

Find me a single piece of software that doesn't have an exploit. If you switch programs every time an exploit is released you'll run out of options extremely fast. IE, FF, WebKit and Opera have all had problems in the past so what browser did you find that was 100% secure?

I didn't say there wasn't software without issues, no software is perfect, some are just better to use then others, with less problems is all.

Let's get things clear here, we are ONLY talking about updates to the OS, nothing else.

No, we're not because that distinction is stupid. Software is software whether it's bundled with something else or not.

I don't get your point, I'm only talking about updates to the Windows OS, that was all I was ever talking about. If you're using a third party piece of software and it has a serious problem, then based on that problem, and your EXPERIENCE you need to determine if the update is warranted, AGAIN this all comes down to EXPERIENCE!

If you don't think XP with SP2 can't be run safely for anyone out there, then you don't understand the alternatives to making it safe over updates, and how this can be accomplished, and most users don't understand this, why, because they all just follow the crowd and run updates like everyone else, because they think this is the way, and the only way.

XP SP2 was released over 3 years ago, are you seriously deluded enough to think that all of the updates put out since then are pointless?

Your still not getting my point, I never said anything was pointless, I'm trying to ONLY merely point out, based on someones EXPERIENCE level the need, that is all! Are you saying then that all Windows users are noobs, no one has great computing skills with the best minds in computing, and because I'm on this forum it makes me a fool too, and therefore I don't know what I'm saying or doing? So if we want to start making accusations and assumptions then it certainly looks like we are making them towards me, with some pretense that it automatically makes me look clueless being on this forum? Correct?


And yes, most users probably don't understand what's going on, you sure seem to be confused, but leaving AU on and letting it do it's thing is many magnitudes simpler than the alternatives so it makes sense that would be the option chosen by most people.

I'm not confused about anything, BUT what I'm saying here, is not something for the average computer user either, but I thought people would of seen this from what I've been saying here. We are talking about an area for very skilled/experienced computer users who know what they are doing, ok we got it now?

I'm sorry if everyone seemed to think I was suggesting this is something just about for anyone to do, the average computer user, it is not, this is ONLY applicable for the HIGHLY EXPERIENCED! NOW does that make better sense?

 

[mechBgon]

Originally posted by: DasFox

Originally posted by: mechBgon

Originally posted by: DasFox

Originally posted by: Nothinman
Wow, DasFox, you are really confused.

No I'm not, since Windows has been out I've only used service packs and nothing else.

90% of Windows updates for users are not needed. Let me stress this again, the key here is a user who does not have mission critical information on their system, and if they do, and it's that critical, those boxes shouldn't even be online in the first place.

Corporate, or business systems are another situation, but again they can limit the systems that are online, and what information is on these boxes that are online to limit any threats. Updates are not the real issue for security, it's how you manage your system that is the real issue to security.

You guys act like the real source of security is in the updates. Security starts with how you manage your systems, are they online, or only on an internal network? If they are then online what access is there to them, with what information, etc.?

Smart users, or Admins can pick and choose their updates to suit their needs if there are any. The biggest concerns for updates are when software won't work, and needs an update to fix a problem. If you are relying on updates for better system security, then you need to rethink about what security is in the first place, because it doesn't always begin with updates.

Another concern over updates is if you've been around Windows long enough then you'll also know MS has had a long history of updates breaking things and updates needing updates... Updating software doesn't always mean you are going to get the benefits you should. There are many times when updates create problems and also introduce another set of bugs that need dealing with. Updates in a business environment always have to consider this. Are the updates going to really help, or is there the possibility of introducing more problems, etc., when doing the updates?

Since MS first introduced Windows I've been using it without ever the need for any updates, other then something that was critically needed because software would not work without it, other then that there has never been a need for a user to update anything.

Like they say if it isn't broke you don't need to fix it, and that holds true for the software world unless software will no longer work, or it's going to pose a grave security risk, then there is no need to update, and even if it's going to pose a security risk, the FIRST line of defense in security is a firewall, not software updates.

If your system is going to become compromised because you didn't do some Windows updates, then there is something terribly wrong with your system security, and all the updates in the world aren't going to help if you don't even understand where security starts in the first place.

If you think keeping your software secure over a firewall is a safer approach to computing, then you need to rethink again.

Let me stress this in another way. The user only needs service pack updates, unless something won't work. And again, don't think that security updates to your software are going to make your box more secure if you don't even know how to use a proper firewall.

Proper security starts at the firewall first, it is the FIRST line of defense not the updates. If you don't think so, then tell that to the Admin of a company. Tell them to only update their software for security updates, and that they don't need a firewall anymore, they are now safe and secure.

Did you know you can have the crappiest bug ridden software with holes out the butt in it, and run the safest box in the world, if you know how to run a good/proper firewall, because it doesn't matter how insecure your software is, as long as your firewall is good. Then you can have a crappy firewall, with a terrible security policy/rules and great updated secure software, and guess what someone will get into that system, and eventually crack that software, why because there is no such thing as perfect software, anything is crackable.

Now does this mean this is how you should run a box with crappy bug ridden software full of holes? Of course not, but don't think that the service packs for users are that big of problems because they are not.

Again, the only people that need to concern themselves with updates is if there is anything mission critical on the system that needs the utmost protection, and GUESS WHAT? If it's that critical then those boxes shouldn't even be on the NET in the first place. They should be off line ONLY on an internal network with no access to the NET for greater security.

Let's wake up here, real critical systems shouldn't even be online if they are that important in the first place, and most of MS's updates are dealing with online security threats. Did you ever think about that?

Summary:

1. If it's not going to work, update it.

2. If security was that big of a problem, then maybe that box should not be online, but only on an internal network.

3. No computer should ever have anything on it so important that it needs Windows updates to protect it. That data should be on other forms of media, storage devices, etc... off the NET.

4. Real security is in proper management, how you run your systems, not updates!

Fascinating. By this logic, you would play World of Warcraft offline, since the bad guys (1) target WoW players to steal their logins and auction away their stuff, and (2) use Windows security vulnerabilities (which you don't want to patch) to install keystroke loggers specifically aimed at stealing your WoW login. I assume you don't want to lose your Level-whatever character and your other resources, and would consider them "mission-critical" due to the time and effort put into developing them.

Ditto for having malware delete all your MP3s and movies after exploiting a Windows vulnerabiltiy that you could've patched, or encrypting your homework files and demanding ransom... I could just keep on going. Steam logins, game CD keys, eBay or PayPal credentials, there's a lot of stuff people consider important, the bad guys want to get it, and no, we're not going to hide offline, and we're not all going to abandon Windows.

I just finished parceling out today's harvest of about 80 fresh malware samples from the wild. This little avalanche of disaster was touched off by exploits. Patch your Windows et al and patch or remove your other software too (Secunia online checkup). Use low-rights user accounts when possible. The bad guys mean business and your firewall is no guarantee of safety.


I might add that the average detection rate of these malware samples at VirusTotal, spanning 32 security software packages, is below 50%, and none of them nailed everything. Not even close. One sample :camera: could not even be detected on the infected system with antivirus products which actually have signatures for the sample in question (and also was missed by four rootkit detectors). Prevention is the name of the game, and this would've been prevented if the test computer had been patched properly (using a low-rights account would've stopped it too, in this instance). For want of a nail... yeah.

Hey nothing in the computing world is a guarantee, just remember that! Not even doing all those updates can save your ass. What will really save your ass is getting experienced, understanding how all these things work, and I know most of them. That is the difference here, knowing your enemy, and I know it, and I don't need updates to keep me safe.

I've done everything you've mentioned here, played games, use MP3's done file sharing, torrents, Newsgroups, Ebay, PayPal, online banking, I have important files on my computer, and I can share a list a mile long, and YET NOT one thing has ever effected me online ever.

And I use the HELL out of my computer with tons of software, doing tons of things online at least 60 hours a week, and in 20 years no problems, zip, nada, zilch...

Now don't take me the wrong way I'm not trying to sound like I'm bragging or better, that is not the POINT here, I'm just trying to make you realize this all comes down to user level experience, how skilled you are, and with little to no experience you better do everything by the book, but when you've been doing it over 20 years, and I mean really doing this, then there is a big world of difference.

Again does this mean this is what everyone does? NO, it means you do what you know, and if you don't know jack then you better being doing it all.

I know more then Jack, and I don't have to do Jack to my box other then install service packs, so please don't come in here calling names, because unless you've been down this road for 20 years then you don't have the experience to talk.

Don't say it can't be done, because it can!

PEACE
Das

I agree with Nothinman. As for "experience," I think I have enough. Microsoft MVP, SiteAdvisor reviewer, approximately 400,000 machine-hours of sysadmin experience, ~5 hours per day hunting malware and studying security trends as a hobby. Nothing to brag about, really, but I can safely conclude that no matter who someone thinks he is, it would be smart for him to patch stuff. This ain't the '90s anymore.

On a practical note, if you wish to just run WinXP SP2 bare and survive most stuff, use a Limited user account and a disallowed-by-default Software Restriction Policy (XP Pro and x64 Pro only). I can also recommend disabling active scripting/JavaScript in your browsers, as well as Java, since the bad guys use them heavily nowdays.

Oh, and

to show you that the real security is in the firewall

I deal with malware daily which will probably blow right by your firewall.

 

[DasFox]

I agree mechBgon patching is the simplest and safest method, but I never said anything was simple, about what I was suggesting.

I only made reference to the fact that it all comes down to EXPERIENCE, that's all, nothing more, or less.

I'm not here to brag or puff myself up, that's not the point, I just want people to understand, THAT if you are willing to gain knowledge, you'll see a lot of what you are doing is overkill, and then the flipside of course is the user that doesn't know how to operate anything, and doesn't do anything at all, just as bad...

My point also is once you've gained a certain level of experience, why then would you install updates that have nothing to do with any piece of software you'll never use?

Perfect example Outlook Express over the years has many updates, by why update it, if you are using Thunderbird instead?

Not only was I talking about updates in general, but also this is about not just slapping in random updates for the sake of doing everything especially if you're never going to need them, why bother? Then others will argue, if you're not going to use it, then what does it bother, of course there is this side to the story too, and my answer is, the less you mess with, the better the chances are of not running into problems. Any time you do an update there is always the risk of running into problems, other bugs, system instability, etc., etc....

PEACE

 

[mechBgon]

My point also is once you've gained a certain level of experience, why then would you install updates that have nothing to do with any piece of software you'll never use?

Because whether you use it yourself or not, something else might invoke it. I see this every single day in Microsoft Network Monitor 3.1, bro, and there have been high-profile scenarios recently which underscore the importance of that.

Point in case: RealPlayer, QuickTime, WinAmp, WinZip, Sun Java, those'll do to start with. My honeypot systems have older versions of those installed. The bad guys simply love it! I hit a site and it launches a major wave of exploits to see if they can strike paydirt with a QuickTime exploit, a WinZip exploit, a Java exploit, some Microsoft vulns, and so on. Once something works, a malicious file is downloaded, possibly as a .JPG image which contains hidden attack code as a payload (Google for "frogexer"), executed, and voila, my test system is pwned. As I mentioned before, getting clean scans with antivirus software and even rootkit scanners doesn't mean it's actually clean, either.

The risk of this is highest with obviously-risky stuff like pr0n sites. However, the business model of the bad guys includes infecting normally-safe sites to launch their salvos of exploits (Google for MPACK). The national Bank Of India's site was a recent example, if you want to go read about that. And if/when your luck finally runs out, it sure would be nice if their exploits ALL fall flat, which will involve patching software you don't normally use (or removing it, better yet).

If you would like more detail, install Microsoft Network Monitor 3.1 (freebie download) and I'd be happy to supply you with capture files which make it real clear why I recommend removing what you don't use, and patching the rest, as well as containing it in the "safety cage" of a Limited account, plus SRP if possible.

As for the concerns about bugs and problems with the updates, I can understand that, but I don't agree that it should stop you from updating. Set a System Restore point first, perhaps.

 

[DasFox]

Originally posted by: mechBgon

My point also is once you've gained a certain level of experience, why then would you install updates that have nothing to do with any piece of software you'll never use?

Yes that's true I forgot, some parts of the update effect other things as well.

Because whether you use it yourself or not, something else might invoke it. I see this every single day in Microsoft Network Monitor 3.1, bro, and there have been high-profile scenarios recently which underscore the importance of that.

Point in case: RealPlayer, QuickTime, WinAmp, WinZip, Sun Java, those'll do to start with. My honeypot systems have older versions of those installed. The bad guys simply love it! I hit a site and it launches a major wave of exploits to see if they can strike paydirt with a QuickTime exploit, a WinZip exploit, a Java exploit, some Microsoft vulns, and so on. Once something works, a malicious file is downloaded, possibly as a .JPG image which contains hidden attack code as a payload (Google for "frogexer"), executed, and voila, my test system is pwned. As I mentioned before, getting clean scans with antivirus software and even rootkit scanners doesn't mean it's actually clean, either.

The risk of this is highest with obviously-risky stuff like pr0n sites. However, the business model of the bad guys includes infecting normally-safe sites to launch their salvos of exploits (Google for MPACK). The national Bank Of India's site was a recent example, if you want to go read about that. And if/when your luck finally runs out, it sure would be nice if their exploits ALL fall flat, which will involve patching software you don't normally use (or removing it, better yet).

If you would like more detail, install Microsoft Network Monitor 3.1 (freebie download) and I'd be happy to supply you with capture files which make it real clear why I recommend removing what you don't use, and patching the rest, as well as containing it in the "safety cage" of a Limited account, plus SRP if possible.

 

[DasFox]

How does Microsoft Network Monitor 3.1 compare to Ethereal?

 

[mechBgon]

BTW, here's the principal example that I had in mind when I said "high-profile scenarios":

http://blogs.zdnet.com/security/?p=362

Security researchers are in disagreement over whether this is a vulnerability in IE or Firefox. Larholm and Symantec?s DeepSight researchers insist it?s a bug in the way IE validates certain inputs but Secunia?s research team claims this is a Firefox issue.

Another from Ryan's blog:

Unpatched QuickTime-to-Firefox flaw dings IE too

It's like they're out to get us, or something

Originally posted by: DasFox
How does Microsoft Network Monitor 3.1 compare to Ethereal?

Oh, it's WAY better.

j/k, I don't use Ethereal, so form your own conclusions.


Incidentally, if you have the stamina to read it all: http://www.microsoft.com/sir <-- Microsoft's security intelligence report. They make some good points.

 

[DasFox]

Well people seem to say Ethereal is pretty good, when you get a chance check it out, let me know what you think.

http://www.ethereal.com/

THANKS

 

[Nothinman]

Your not paying attention, I didn't say I've been doing ONLY security, there is more to this then just security, it's also an understanding of how things work, etc... Yes granted the majority of this does revolve around security. Every person suggesting the opposite is fine, I'm not against anything, WHAT I'm trying to make you understand you are not grasping. Based on, "User Experience" and the "Purpose" you are using the system for will determine your needs, and if any updates will be valuable for you. EXPERIENCE is the biggest factor here.

No, you're the one not paying attention. MS doesn't push updates for software that you don't have installed so if an update is available for your system then the software is there whether you're actively using it or not. Actively ignoring updates for software that you have installed is just plain negligent.

I was just making a point was all, not to be a smart ass, to show you that the real security is in the firewall, after all if you have the safest system in the world, and you then put it online with no firewall, completely open, then what kind of security is this, beyond all the updates? That's the point I was trying to make.

But it's not. No firewall is smart enough to determine whether a packet is good or not, especially those on SOHO routers or the software ones for Windows. Even if one is released with semi-intelligent deep-packet inspection it'll still be wrong part of the time because you'll have to update it's signatures which people won't do because updating your software is bad...

I didn't say there wasn't software without issues, no software is perfect, some are just better to use then others, with less problems is all.

But your solution was to switch software instead of just updating what you already have, sure in some cases that's not a bad idea but it's usually a lot more work and not an option at all in anything mission critical. Try telling your web devs that you just switched web servers for the 3rd time this year and that they have to rewrite everything because you decided PHP wasn't secure anymore and see how that goes.

Your still not getting my point, I never said anything was pointless, I'm trying to ONLY merely point out, based on someones EXPERIENCE level the need, that is all! Are you saying then that all Windows users are noobs, no one has great computing skills with the best minds in computing, and because I'm on this forum it makes me a fool too, and therefore I don't know what I'm saying or doing? So if we want to start making accusations and assumptions then it certainly looks like we are making them towards me, with some pretense that it automatically makes me look clueless being on this forum? Correct?

If you think you're good enough to avoid every exploit out there on your own then yes, you are a fool. If you haven't had any problems yet then you're a lucky fool, but you're still a fool. Or maybe you have been exploited and you just don't know it, it's hard to tell. Just browsing a website with an old version of IE or FF can get you exploited without you even knowing it happened and no firewall will prevent that. The only way not updating a box could be considered a decent idea is if the box isn't connected to anything at all.

We are talking about an area for very skilled/experienced computer users who know what they are doing, ok we got it now?

Even if that were the case it doesn't matter. Sure it's possible to be experienced enough to make intelligent decisions about what patches will affect you and which are pointless, but you said "As long as XP has been out I've never done any updates other then installing service packs, and I've never had problems." which implies that you're not even looking at them and thus not making any form of decision about what will affect you and what won't. Which is just plain negligent and stupid.

I'm sorry if everyone seemed to think I was suggesting this is something just about for anyone to do, the average computer user, it is not, this is ONLY applicable for the HIGHLY EXPERIENCED! NOW does that make better sense?

No, it never makes sense to ignore security best practices in the name of security.

 

[Nothinman]

It's wireshark now: http://www.wireshark.org/faq.html#q1.2

 

[DasFox]

Originally posted by: Nothinman

Your not paying attention, I didn't say I've been doing ONLY security, there is more to this then just security, it's also an understanding of how things work, etc... Yes granted the majority of this does revolve around security. Every person suggesting the opposite is fine, I'm not against anything, WHAT I'm trying to make you understand you are not grasping. Based on, "User Experience" and the "Purpose" you are using the system for will determine your needs, and if any updates will be valuable for you. EXPERIENCE is the biggest factor here.

No, you're the one not paying attention. MS doesn't push updates for software that you don't have installed so if an update is available for your system then the software is there whether you're actively using it or not. Actively ignoring updates for software that you have installed is just plain negligent.

I was just making a point was all, not to be a smart ass, to show you that the real security is in the firewall, after all if you have the safest system in the world, and you then put it online with no firewall, completely open, then what kind of security is this, beyond all the updates? That's the point I was trying to make.

But it's not. No firewall is smart enough to determine whether a packet is good or not, especially those on SOHO routers or the software ones for Windows. Even if one is released with semi-intelligent deep-packet inspection it'll still be wrong part of the time because you'll have to update it's signatures which people won't do because updating your software is bad...

I didn't say there wasn't software without issues, no software is perfect, some are just better to use then others, with less problems is all.

But your solution was to switch software instead of just updating what you already have, sure in some cases that's not a bad idea but it's usually a lot more work and not an option at all in anything mission critical. Try telling your web devs that you just switched web servers for the 3rd time this year and that they have to rewrite everything because you decided PHP wasn't secure anymore and see how that goes.

Your still not getting my point, I never said anything was pointless, I'm trying to ONLY merely point out, based on someones EXPERIENCE level the need, that is all! Are you saying then that all Windows users are noobs, no one has great computing skills with the best minds in computing, and because I'm on this forum it makes me a fool too, and therefore I don't know what I'm saying or doing? So if we want to start making accusations and assumptions then it certainly looks like we are making them towards me, with some pretense that it automatically makes me look clueless being on this forum? Correct?

If you think you're good enough to avoid every exploit out there on your own then yes, you are a fool. If you haven't had any problems yet then you're a lucky fool, but you're still a fool. Or maybe you have been exploited and you just don't know it, it's hard to tell. Just browsing a website with an old version of IE or FF can get you exploited without you even knowing it happened and no firewall will prevent that. The only way not updating a box could be considered a decent idea is if the box isn't connected to anything at all.

We are talking about an area for very skilled/experienced computer users who know what they are doing, ok we got it now?

Even if that were the case it doesn't matter. Sure it's possible to be experienced enough to make intelligent decisions about what patches will affect you and which are pointless, but you said "As long as XP has been out I've never done any updates other then installing service packs, and I've never had problems." which implies that you're not even looking at them and thus not making any form of decision about what will affect you and what won't. Which is just plain negligent and stupid.

I'm sorry if everyone seemed to think I was suggesting this is something just about for anyone to do, the average computer user, it is not, this is ONLY applicable for the HIGHLY EXPERIENCED! NOW does that make better sense?

No, it never makes sense to ignore security best practices in the name of security.

Please don't call people names, I'm no fool, and I never said it's not wise to ignore good security practices, I just go about it in a different way is all.

Let's have respect for one another shall we?

THANKS

 

[stash]

Originally posted by: DasFox
Stash if you haven't got anything nice, or positive to say, just STAY the HELL away from my posts.

All you do every time I see you in just about every post is make crap comments about something, or someone.

I think you have me confused with someone else. I spend a fair amount of time here trying to help people. My comments to you are nothing personal, but your views are off-base, ignorant and frankly, dangerous. There are enough problems with computer security; we don't need a bunch of people deciding they don't need to install any updates on their machines besides service packs and thinking that a firewall is all they need to protect themselves.

There are some very smart people on this forum, people who know a lot about how to use a computer securely. These people have at least as much if not much more experience than you. There are countless other computer security experts out there--again, with much more combined experience than you--who would, without hesitation, disagree with pretty much everything you wrote.

Again, I have nothing personal against you. But I wouldn't let you near any computer I own, and I wouldn't let your personal machine(s) on my network. I also hope you are not in a position to influence others with your views on security.

 

[DasFox]

Originally posted by: stash

Originally posted by: DasFox
Stash if you haven't got anything nice, or positive to say, just STAY the HELL away from my posts.

All you do every time I see you in just about every post is make crap comments about something, or someone.

I think you have me confused with someone else. I spend a fair amount of time here trying to help people. My comments to you are nothing personal, but your views are off-base, ignorant and frankly, dangerous. There are enough problems with computer security; we don't need a bunch of people deciding they don't need to install any updates on their machines besides service packs and thinking that a firewall is all they need to protect themselves.

There are some very smart people on this forum, people who know a lot about how to use a computer securely. These people have at least as much if not much more experience than you. There are countless other computer security experts out there--again, with much more combined experience than you--who would, without hesitation, disagree with pretty much everything you wrote.

Again, I have nothing personal against you. But I wouldn't let you near any computer I own, and I wouldn't let your personal machine(s) on my network. I also hope you are not in a position to influence others with your views on security.

Just about every time I make a post I swear you're jumping in it with your two cents of negative comments towards me.

SORRY if you're not this time, but you're not paying attention to anything I'm saying.

I said it has to do with EXPERIENCE, and the purpose, and that doesn't mean that everyone, and every situation fits this criteria.

You're also making assumptions about my intentions as it relates to someone else's network, or computers, their needs are not my needs, and when it comes to others computers everything is typically done by the book, unless someone says so otherwise.

So don't say anything about your computers or anyone else's they have nothing to do with anything I'm saying, and I've worked on many computers and things are done in a typical fashion with auto updates on, and getting installed.

Please don't confuse me with someone else's experience either, and how I work on other people's computers, thinking that what I'm saying here means it's how I apply things to everyone's computers, that's not how it works.

PEACE

 

[MaxDepth]

Wow, a lot of emotion here...

I can speak to this thread from a biotech corporate view point. We cannot allow changes to our environments - computing/technology and medical - that we do not control. It is a pretty nasty word we use, we call it validation.

Any changes we make must go through the validation process to ensure consistancy and repeatability as a matter of function. If we do not understand what or how a thing works when it is implemented, we can verify the outcome of any test. For example, we have a computer controlled biological test bed, a kind that samples viruses, tests them, and records the reuslts in a database. If the system automatically updates the database program, the OS, or anything within the computer, can we say with 100% accuracy that the test results are valid? (!=true) The answer is that we will not know until we test the update/ptach/whatever in a controlled environment that is separate from our production environment. It is the biggest reason why we just rolled out our version of SP2 in WinXP. We needed to test everything and validate those results before introducing it into production.

Basically, if Microsoft surreptiously updates/patches machines without notifying us, there is a very large risk introduced into our production environment. The greatest impact is that we could be sued for erroneous data and skewed test results. Our company cannot live with unknowns introduced by a third party.

As it stands, Microsoft goofed here and lucky it wasn't something that caused us damage. It did cause us non-capital expense in going outside our hardware/software testing cycle.

 

[Nothinman]

Please don't call people names, I'm no fool, and I never said it's not wise to ignore good security practices, I just go about it in a different way is all.

You asked if I thought that you didn't know what you were doing and saying and based on the posts in this thread I have to say the answer is yes. No one in their right mind claims that not installing patches is a good security practice and the fact that anyone else who has thought about security for even a minute disagrees with you should tell you something.

Let's have respect for one another shall we?

I respect your right to do whatever you want to your own machine but I also have the right to tell you that I think your reasoning is fundamentally flawed and what you're doing is stupid and negligent.

 

[VirtualLarry]

I'm in the "don't patch unless you have to" category. I disagree with those that think everyone needs to install every patch. There is a risk to doing so that they seem to ignore.

I also don't run any antivirus program either. (I don't use IE or Outlook Express, both known virus/malware magnets.)

It's for the same reasons that doctors don't prescribe that everyone get every vaccination available out there. They only suggest that HIGH-RISK people get certain vaccines.

Likewise with antivirus software, and certain patches.

 

[mechBgon]

Originally posted by: VirtualLarry
I'm in the "don't patch unless you have to" category. I disagree with those that think everyone needs to install every patch. There is a risk to doing so that they seem to ignore.

I also don't run any antivirus program either. (I don't use IE or Outlook Express, both known virus/malware magnets.)

It's for the same reasons that doctors don't prescribe that everyone get every vaccination available out there. They only suggest that HIGH-RISK people get certain vaccines.

Likewise with antivirus software, and certain patches.

Out of curiosity, what's your plan of defense in the event that you visit a normally-safe website and it's compromised by, let's say MPack or another commercial exploit setup? Just curious...

 

[Nothinman]

I'm in the "don't patch unless you have to" category. I disagree with those that think everyone needs to install every patch. There is a risk to doing so that they seem to ignore.

Why am I not surprised?

It's for the same reasons that doctors don't prescribe that everyone get every vaccination available out there. They only suggest that HIGH-RISK people get certain vaccines.

The difference being that your body can adapt to fight whatever viruses you might run into so even if you do contract one and get sick you'll, almost always survive but once your computer has been infected with something it remains that way until you fix it manually and you might not even notice depending on the symptoms.

 

[juktar]

Originally posted by: MaxDepth
Wow, a lot of emotion here...

I can speak to this thread from a biotech corporate view point. We cannot allow changes to our environments - computing/technology and medical - that we do not control. It is a pretty nasty word we use, we call it validation.

Any changes we make must go through the validation process to ensure consistancy and repeatability as a matter of function. If we do not understand what or how a thing works when it is implemented, we can verify the outcome of any test. For example, we have a computer controlled biological test bed, a kind that samples viruses, tests them, and records the reuslts in a database. If the system automatically updates the database program, the OS, or anything within the computer, can we say with 100% accuracy that the test results are valid? (!=true) The answer is that we will not know until we test the update/ptach/whatever in a controlled environment that is separate from our production environment. It is the biggest reason why we just rolled out our version of SP2 in WinXP. We needed to test everything and validate those results before introducing it into production.

Basically, if Microsoft surreptiously updates/patches machines without notifying us, there is a very large risk introduced into our production environment. The greatest impact is that we could be sued for erroneous data and skewed test results. Our company cannot live with unknowns introduced by a third party.

As it stands, Microsoft goofed here and lucky it wasn't something that caused us damage. It did cause us non-capital expense in going outside our hardware/software testing cycle.

This is why you use a patching solution with automatic updates turned off on every machine until you are ready. Plain and simple. It has always been good policy for corporations to not rely on other companies for their patching requirements. This has been simple to do for a long time now with Group Policy, SMS, WSUS, SUS, and any of the 3rd party patching solutions out there.

Basically it goes like this:

All computer in the company have AU disabled. Not set to any of the settings, actually DISABLED.

Have a test ou with some test servers, workstations, etc. Approve the updates through your patch control software (SMS, WSUS, etc).

Turn on AU through group policy for the test ou.

Test.

If good, turn AU on for an OU at a time and start your roll out.

 

[Smilin]

Originally posted by: MaxDepth
Wow, a lot of emotion here...

I can speak to this thread from a biotech corporate view point. We cannot allow changes to our environments - computing/technology and medical - that we do not control. It is a pretty nasty word we use, we call it validation.

Any changes we make must go through the validation process to ensure consistancy and repeatability as a matter of function. If we do not understand what or how a thing works when it is implemented, we can verify the outcome of any test. For example, we have a computer controlled biological test bed, a kind that samples viruses, tests them, and records the reuslts in a database. If the system automatically updates the database program, the OS, or anything within the computer, can we say with 100% accuracy that the test results are valid? (!=true) The answer is that we will not know until we test the update/ptach/whatever in a controlled environment that is separate from our production environment. It is the biggest reason why we just rolled out our version of SP2 in WinXP. We needed to test everything and validate those results before introducing it into production.

Basically, if Microsoft surreptiously updates/patches machines without notifying us, there is a very large risk introduced into our production environment. The greatest impact is that we could be sued for erroneous data and skewed test results. Our company cannot live with unknowns introduced by a third party.

As it stands, Microsoft goofed here and lucky it wasn't something that caused us damage. It did cause us non-capital expense in going outside our hardware/software testing cycle.

What a crock. Learn to admin dude.

If you are getting automatic updates without your knowledge then you have not set your group policy right. If you can't even admin your machines correctly "then how can you say with 100% accuracy that the test results are valid?" Microsoft this, Microsoft that. bleh. Go look in the mirror.

 

[MaxDepth]

Jesus, people. Learn to read. I didn't say we have our clients with the updates turned off, on, or disabled. I just said that when they didn't reveal a patch (look up the word, "surreptitiously") and we heard of it, we had to ensure that even with the updates disabled we still had to test to see if Microsoft had a way around that.

Also. to block all traffic from Microsoft is just as retarded as we have some pre-approved and accepted IP traffic with them already. Also, not having any Internet access at all is really quite stupid when you think about it. We have several firewalls in place as well as network monitoring at the packet level. This is not your company you run from your parent's basement.

Basically, the lesson we took from this is what can we really accept from Microsoft as being absolute?

Learn to admin...gee, your momma raised a bright one didn't she?

Originally posted by: Smilin

Originally posted by: MaxDepth
Wow, a lot of emotion here...

I can speak to this thread from a biotech corporate view point. We cannot allow changes to our environments - computing/technology and medical - that we do not control. It is a pretty nasty word we use, we call it validation.

Any changes we make must go through the validation process to ensure consistancy and repeatability as a matter of function. If we do not understand what or how a thing works when it is implemented, we can verify the outcome of any test. For example, we have a computer controlled biological test bed, a kind that samples viruses, tests them, and records the reuslts in a database. If the system automatically updates the database program, the OS, or anything within the computer, can we say with 100% accuracy that the test results are valid? (!=true) The answer is that we will not know until we test the update/ptach/whatever in a controlled environment that is separate from our production environment. It is the biggest reason why we just rolled out our version of SP2 in WinXP. We needed to test everything and validate those results before introducing it into production.

Basically, if Microsoft surreptiously updates/patches machines without notifying us, there is a very large risk introduced into our production environment. The greatest impact is that we could be sued for erroneous data and skewed test results. Our company cannot live with unknowns introduced by a third party.

As it stands, Microsoft goofed here and lucky it wasn't something that caused us damage. It did cause us non-capital expense in going outside our hardware/software testing cycle.

What a crock. Learn to admin dude.

If you are getting automatic updates without your knowledge then you have not set your group policy right. If you can't even admin your machines correctly "then how can you say with 100% accuracy that the test results are valid?" Microsoft this, Microsoft that. bleh. Go look in the mirror.

 

[Robor]

Originally posted by: DasFox

Originally posted by: stash

Originally posted by: DasFox
Stash if you haven't got anything nice, or positive to say, just STAY the HELL away from my posts.

All you do every time I see you in just about every post is make crap comments about something, or someone.

I think you have me confused with someone else. I spend a fair amount of time here trying to help people. My comments to you are nothing personal, but your views are off-base, ignorant and frankly, dangerous. There are enough problems with computer security; we don't need a bunch of people deciding they don't need to install any updates on their machines besides service packs and thinking that a firewall is all they need to protect themselves.

There are some very smart people on this forum, people who know a lot about how to use a computer securely. These people have at least as much if not much more experience than you. There are countless other computer security experts out there--again, with much more combined experience than you--who would, without hesitation, disagree with pretty much everything you wrote.

Again, I have nothing personal against you. But I wouldn't let you near any computer I own, and I wouldn't let your personal machine(s) on my network. I also hope you are not in a position to influence others with your views on security.

Just about every time I make a post I swear you're jumping in it with your two cents of negative comments towards me.

SORRY if you're not this time, but you're not paying attention to anything I'm saying.

I said it has to do with EXPERIENCE, and the purpose, and that doesn't mean that everyone, and every situation fits this criteria.

You're also making assumptions about my intentions as it relates to someone else's network, or computers, their needs are not my needs, and when it comes to others computers everything is typically done by the book, unless someone says so otherwise.

So don't say anything about your computers or anyone else's they have nothing to do with anything I'm saying, and I've worked on many computers and things are done in a typical fashion with auto updates on, and getting installed.

Please don't confuse me with someone else's experience either, and how I work on other people's computers, thinking that what I'm saying here means it's how I apply things to everyone's computers, that's not how it works.

PEACE

You seem like a nice guy but at this point the hole you've dug is so deep that you're just throwing dirt on top of yourself. When some of the most respected members of this forum are telling you that you're wrong, you probably are.

 

[DasFox]

Originally posted by: Robor

Originally posted by: DasFox

Originally posted by: stash

Originally posted by: DasFox
Stash if you haven't got anything nice, or positive to say, just STAY the HELL away from my posts.

All you do every time I see you in just about every post is make crap comments about something, or someone.

I think you have me confused with someone else. I spend a fair amount of time here trying to help people. My comments to you are nothing personal, but your views are off-base, ignorant and frankly, dangerous. There are enough problems with computer security; we don't need a bunch of people deciding they don't need to install any updates on their machines besides service packs and thinking that a firewall is all they need to protect themselves.

There are some very smart people on this forum, people who know a lot about how to use a computer securely. These people have at least as much if not much more experience than you. There are countless other computer security experts out there--again, with much more combined experience than you--who would, without hesitation, disagree with pretty much everything you wrote.

Again, I have nothing personal against you. But I wouldn't let you near any computer I own, and I wouldn't let your personal machine(s) on my network. I also hope you are not in a position to influence others with your views on security.

Just about every time I make a post I swear you're jumping in it with your two cents of negative comments towards me.

SORRY if you're not this time, but you're not paying attention to anything I'm saying.

I said it has to do with EXPERIENCE, and the purpose, and that doesn't mean that everyone, and every situation fits this criteria.

You're also making assumptions about my intentions as it relates to someone else's network, or computers, their needs are not my needs, and when it comes to others computers everything is typically done by the book, unless someone says so otherwise.

So don't say anything about your computers or anyone else's they have nothing to do with anything I'm saying, and I've worked on many computers and things are done in a typical fashion with auto updates on, and getting installed.

Please don't confuse me with someone else's experience either, and how I work on other people's computers, thinking that what I'm saying here means it's how I apply things to everyone's computers, that's not how it works.

PEACE

You seem like a nice guy but at this point the hole you've dug is so deep that you're just throwing dirt on top of yourself. When some of the most respected members of this forum are telling you that you're wrong, you probably are.

This isn't about right or wrong, this is about understanding how to adapt to each and every situation. You think every patch is 100% perfect fool proof, that there is no way around them either, that once you've patched your system, it's not exploitable either? Patches aren't perfect, NO software is, let's be clear about that. Patches can only work so long for so good before you need to plug the hole again. So instead of sticking a band aid on a wound over and over again, trying to fix the problem, get at the root instead!

Now if you understood what I just said, then you know that for every different type of exploit you have to apply different approaches.

I haven't dug any hole, PLEASE don't make false accusations, there is no dirt anywhere.

Like I said before, it all comes down to ONE thing ----> EXPERIENCE!

And as I said before it ALSO depends on what you are doing, and the environment, this isn't necessarily a cure all for everyone and every situation, it all depends on who you are, and what you need to do.

So AGAIN let's be clear here what I'm saying OK? This isn't something for everyone, every situation, and every network environment. Every situation is unique, everyone has different requirements, and you do what works best with what you have, and what you know.

With what I know, what I do, I can do the things I do. NOW did I say that was for everyone? NO.

Now please don't tell me based on my needs, or experience level I need to place any MS patches on my box to be safe, because I don't.