* Dan Hollis sez:
: Microsoft is advertising "high security padlocks", but is instead selling
: locks that don't work at all.

After finding out they were flawed, Microsoft offered everyone a replacement/bugfix. While there's no proof that these padlocks are actually high-security, they are more secure than what came with the purchase initially. Microsoft has - and I believe Firestone would do the same - informed all registered customers as soon as the fix was available. In addition there was quite some buzz about the .ida vulnerability a while ago. While one might argue that it's Microsoft's responsibility to communicate those flaws better, they indeed offered better padlocks and a mechanic (setup.exe) to install them.

A customer who refuses to open his door to the guy walking around informing him of flawed tires, doesn't open his mail and - even if aware that the padlocks are screwed - neglects to put the new ones on (at no cost, mind you) should be slapped with the UNIX bible until unconscious for endangering others and himself in a particularly stupid manner.

Let's just repeat that:

- Microsoft is a known flawed OS
- IIS is a known flawed component of this flawed OS
- There are more than a few sites out there selling or offering security advice for free
- The fix has been out for months
- The fix has already been exploited by smaller, less media-active worms
- The owners of said websites in some/most cases offer services to a third party and are therefore by no means 'the poor schmock with the Firestone tires' but rather 'the owner of Ryder, Inc.'. These servers put customer data and confidential information in jeopardy long before the worm struck and in quite a few cases still do, even though most of the attack points are fixable.
- Few of the infected hosts have learned a damned thing from this attack; just look for iisadmpwd on those hosts a week after the attack.

... facts dutifully ignored by said 'Administrators' of said boxen.
In this case network and system administrators had a bad time with long hours trying to stop something from happening that did not need to happen and that would not have happened had 90% of the so-called Internet Experts out there understood even the basics of their work. I am not ready to push the blame towards M$, even though I'd love to see that monopoly drown in a big bucket full of the tears and sweat shed by innocent bystanders who got hit by crap like this one, but in this case the perp sits somewhere else and needs to - at least for once - be made aware of the mess he created and the costs that resulted from it.

--
<@rs> someone the other night suggested that defcon was actually about drinking, not hacking
<@rs> so i went to my wine rack and did some port scanning.
<@rs> i found warez
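The check the post ends on ("just look for iisadmpwd") and the .ida traffic it refers to can both be pulled straight out of an IIS log. What follows is an added example, not code from the original post or from anyone quoted in it: it parses IIS W3C extended log lines and flags requests against the .ida/.idq Index Server ISAPI extension that are shaped like the Code Red overflow request (a long run of N's against default.ida followed by %uXXXX escapes), plus any request under /iisadmpwd/. The log lines are constructed for the example, the file name under /iisadmpwd/ and the 200-byte query-length threshold are assumptions chosen for illustration, and the field order is read from the log's own #Fields: header rather than assumed.

```python
"""Added example (not from the original post): scan IIS W3C extended log lines
for .ida/.idq requests shaped like the Code Red overflow traffic and for any
request touching the /iisadmpwd/ sample directory the post says to look for."""
import re
from typing import Dict, List

# Constructed sample log in IIS W3C extended format (not a real capture).
# The second request is modelled on the worm's well-known
# "default.ida?NNNN...%u9090..." request; the .htr file name is an assumption.
# The last line is an ordinary Index Server query and must NOT be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-07-20 00:00:01 192.0.2.10 GET /default.htm - 200 Mozilla/4.0
2001-07-20 00:00:02 198.51.100.7 GET /default.ida {payload} 200 -
2001-07-20 00:00:03 203.0.113.5 GET /iisadmpwd/aexp2b.htr - 200 Mozilla/4.0
2001-07-20 00:00:04 192.0.2.11 GET /search.idq CiRestriction=foo 200 Mozilla/4.0
""".format(payload="N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a")

# Assumed thresholds for this example: a real Index Server query is short and
# never carries runs of %uXXXX escapes, while the overflow needs a long argument.
MIN_OVERFLOW_QUERY_LEN = 200
UNICODE_ESCAPE_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4}){3,}")
INDEX_SERVER_EXT = (".ida", ".idq")


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request. Field order is
    taken from the #Fields: header, so nothing about the layout is assumed."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        rows.append(dict(zip(fields, values)))
    return rows


def looks_like_ida_overflow(stem: str, query: str) -> bool:
    """Request to the Index Server ISAPI extension whose argument is far longer
    than any real query, or carries a run of %uXXXX escapes."""
    if not stem.lower().endswith(INDEX_SERVER_EXT):
        return False
    if query == "-":  # IIS logs "-" for an empty query string
        return False
    return len(query) >= MIN_OVERFLOW_QUERY_LEN or bool(UNICODE_ESCAPE_RUN.search(query))


def touches_iisadmpwd(stem: str) -> bool:
    """Any request into the IISADMPWD directory; a 200 here a week after the
    outbreak is exactly the sign of neglect the post points at."""
    s = stem.lower()
    return s == "/iisadmpwd" or s.startswith("/iisadmpwd/")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if looks_like_ida_overflow(stem, query):
            reason = "ida-overflow"
        elif touches_iisadmpwd(stem):
            reason = "iisadmpwd"
        else:
            continue
        findings.append({"reason": reason, "c-ip": row.get("c-ip", "?"),
                         "time": row.get("time", "?"), "stem": stem,
                         "status": row.get("sc-status", "?")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['c-ip']:<15} {f['reason']:<12} {f['stem']} -> {f['status']}")
```

Against the constructed log this reports the default.ida request from 198.51.100.7 and the /iisadmpwd/ request from 203.0.113.5, and leaves the ordinary .idq search alone. Two caveats when reading real logs: a 200 on an .ida request only shows the Index Server script mapping is still in place, not whether the MS01-033 patch for the overflow is installed (a host with the mapping removed answers 404 instead), and the length threshold is a tuning knob, so lower it if your Index Server queries are short and you want a tighter net.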