
September 05, 2003

Rant time again

Hey, it is back to my favourite activity. Microsoft issued five more security warnings, all at once, at a time when system administrators are still reeling from the effects of MSBlaster. Then I hopped over with 5 mod points to the discussion forum for the article on Slashdot. There I found this, which accurately describes what I really feel about the issue. Funny, someone made an AC post, and it already had a mod-up. I splurged on it too, though I strictly don't encourage AC posts.

I mean, I seriously don't understand how Microsoft has the nerve to compare its security / performance with something as rag tag as Linux. I don't see why Microsoft should not commit suicide in a drop of water. Look at the stark difference between the setups of the biggest computer company in the world and the biggest collaborative setups in the world. One has all the resources in the world to make sure that the software is the best in the world. It has a pool of beta testers which is probably bigger than the installed base of the other. It has the power to seek 'advice' of the best of the best in all fields - usability to security. And then it has the nerve to stand up and say its security is 'just as good'?

lord is watching, he will punish,

~!nrk

September 01, 2003

And more does

I know I cannot make those long posts anymore.

That is because I sit in this corporate outfit, and I have to be all corporat-ish. So God help me.

Well, I had to write this. So I remembered this. I am in corporate, but I still /. and google.news a lot. In the technology section, I found this article.

I don't know if you have been reading the news recently, but the Blaster worm has been doing the rounds. And then they "caught" this blaster worm writer. A script kiddie. An 18 year old who is just spending some spare time, grepping old scripts to change strings and replace them with his own names. And do you know what they called him?

Mr McKay would not elaborate beyond the allegations against Mr Parson, but said, "Is he dangerous? Yes, he's dangerous. ... There is serious harm to individuals, businesses, Microsoft Corp. being only one of them."

Oh my gawd. Gimme a break. I mean, they say the same thing against everyone. He is a dangerous deranged criminal. He is the reason I am going to miss my profit targets. Big valuations of possible problems, and then big flashes of photographers in the press conference.

I don't know if you know about another guy called Kevin Mitnick. I think I wrote about him earlier. The same with him too. I can understand the desperation of the media for these poor script kiddies. I so feel sorry for them. Most of the bigger fish are probably doing all they want to do, and making sure neither the media nor the courts find anything against them. And then there are these kids, who know a little, have an attitude and in the end are those who have to take the fall.

And to top it all, people act as if they were the persons to cause the trouble to begin with. The article acts as if an 18 year old script |<1dd133 is the bad person and Microsoft is the victim!! How pathetic can journalism get?


I don't know if journalists will ever look beyond the obvious and reach out for the truth. And I hope that one day, people will understand the difference between hackers, crackers, virus authors and script kiddies. And one day, I hope, Microsoft is secure enough that script kiddies are mere kids and unable to cause 7.7 million dollars' worth of trouble.

No, let me change that. And one day, I hope, there won't be enough of M$ left for script kiddies to do 7.7 million dollars' worth of trouble.

Amen to that.

warm regards,

~!nrk

August 25, 2002

Security?

"Typically with these types of issues it will be six to nine months until we see a massive attempt to start exploiting it," Cooper said, adding that a preemptive patch was critical.

This is from an article that discusses yet another *sigh* security disclosure by Microsoft. It is incredible, what these guys cannot do. I mean they teach you this at school. "How-to-code-sensibly-101". And these guys come up with pathetic code, time after time. They are simply amazing. I never knew they had so much code which could give rise to so many critical bugs.

But that is more irrelevant. What I felt more about was the above statement by Russ Cooper, head of security at TruSecure Corp. What a hell load of crap. How long does it take for a CR4c|<3r to take a vulnerability and mount an attack, you said? 6-9 months. WOW. Get real. I'd say something like 6-9 hours is more like it. Does the guy know anything about the current state of security? Mebbe he ought to read of a project called the honeynet. Ask them. The script kiddies take that long to get easy to use GUI tools to launch attacks. Not crackers. At least not the talented ones.

The only thing we can bank on is that no one does serious work on Office anyway, so it does not matter what crackers do. Yah I was just joking. There is no solace. Those people at Redmond keep churning bad code. These guys at security agencies keep tracking them. Those people keep playing down the seriousness. And cracking continues to be done by kids with ready to use tools. It is sad. Wonder what happened to M$'s trust initiative. Remember sometime back, Bill Gates asked all his programmers to stop coding and sit around fixing bugs. Wow, I mean look at the nerve of the guy. He produces sloppy code, then he is under pressure and asks his own programmers to do what they were supposed to do better, and gets mileage out of it, and establishes M$ as a security focused company because of his initiatives. Simply, pathetic.

Have my end terms starting from next week. Sad. I have eight subjects and five days. Let's see how it goes.

50 10n6 & 7|-|4nk5 f0R h4x0R-5p34|<
~!nrk

August 23, 2001

Why I don't trust Microsoft: 'smart tags'

A rant on Microsoft, about their smart tags.

Edit: As it turns out, the annoyances of these smart tags have not entirely gone away, only morphed into a cross-browser technology. The difference is that now they are under the webmaster's control and generating income for them.

What follows is not my article. The real author's name is given below. I got this in a mail from our local LUG. Just put it up so that I could refer others to this. If anyone knows the true source of the article please write to me. I will be more than glad to put up a credit.

Now Microsoft has come along with a "brilliant" idea. They want to piggyback their own selected content on top of your work. The idea is to have their products (such as Internet Explorer and the Office suite) scan web pages and documents for keywords and phrases known to Microsoft. Any of these that are found would be underlined with a special purple "squiggle" to show that they are "smart tags".

Anyone viewing the page could then click on the smart tag and be transported to a Microsoft web site for more information. For example, you could write a web page about the Grand Canyon, and the phrase "Grand Canyon" could be underlined, allowing your visitors to check out the Expedia.Com page about how to book travel to the area.

Why does Microsoft want to do this? It's really very simple - to make an incredible amount of money. Look at it this way, Microsoft suddenly would have at their disposal every single document viewed with a new Microsoft product as a potential advertisement. Wow. That's power. No, this is an understatement of incredible magnitude. This is more than power - this is the harnessing of everyone's creative energy into a huge global advertising tool. It totally staggers the imagination.

You could be looking at a newspaper site, reading an article about train travel, and click on numerous links to Microsoft sites (and presumably third party sites which paid Microsoft for the privilege) selling train related products and services. If you read a classified ad on that same newspaper site selling an automobile, the word "Cadillac" could be underlined with a smart tag linking to a Cadillac dealer.

Content (the tags) is added dynamically to web pages by the browser without the permission of the person who created the pages (the webmaster or author). While strictly speaking this might not violate copyright laws (but it might be considered vandalism), it sure is rude. In fact, most people would consider it highly unethical.

As an example, suppose you bought a book through a book club. Before it was shipped to you, someone opened the book and examined every single page, adding comments here and there about how you could purchase this or get more information about that. You would be very annoyed if you were the author, you'd probably be livid if you were the publisher of the book, and you'd almost certainly return it if you were the customer.

Carefully crafted web pages whose look and feel has been lovingly built for countless hours by dedicated designers, authors, artists and webmasters would be randomly covered with trash by a company intent on siphoning away visitors to their own sites and pages.

And what about the problem of inappropriate content? Suppose you had a site which was against animal cruelty, yet Smart Tags went ahead and added to your pages links to other sites which sold muzzles for horses? You wouldn't like that very much, would you?

Another problem is that Smart Tags are "opt-out". This means the tags are inserted unless you (the webmaster or the user) indicate that you do not want them. Opt-Out is the preferred method of removal for many advertisers because they understand that most people will not bother to remove themselves from the list. Opt-in is the preferred method of most consumers because then they receive only what they have requested.

Webmasters can keep smart tags from working on their site by including a special "opt-out" metatag in the header of each and every page. I highly recommend that all webmasters include this tag to prevent smart tags from operating.

<meta name="MSSmartTagsPreventParsing" content="TRUE">

As soon as Smart Tags appeared in a beta release of Windows XP, the furor began. It was awesome to see. Microsoft was hit from all sides by just about everyone, because their intentions were so transparent and so blatantly monopolistic that even the most conservative could see what they were up to. The dangers caused a flood of protests to be received by the giant company, so many that Microsoft was forced to remove the feature from their products.

"As a result of smart tags in beta versions of Windows XP and IE, we received lots of feedback, and have realized that there is a need to better balance the user experience with the legitimate concerns of content providers and web sites," Microsoft said in a statement on June 28th, 2001.

Keep an eye on Microsoft, however, because they also added, "Microsoft remains committed to this type of technology, and will work closely with content providers and partners in the industry in the coming months to further refine how it can be used."

by Richard Lowe Jr.

Document Changes:
August 23, 2001: First version published