RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
-- Jeff said -- Patches either need to be of a size that a dialup user doesn't have to be dialed in for 24 hours to download and install them. Or .iso's should be available for ISP's to download, turn into CD's and distribute as appropriate. Wouldn't that be nice for a dialup user - getting Windows Update on a CD-ROM from their ISP? To which I reply: It is somewhat unreasonable to think that ISPs should be responsible for the security of its users' systems on a systematic basis. Another reason the idea of a 'CD with updates' most likely wouldn't be effective is because by the time the ISP produced the CD, the user got the CD, and installed it, the patches would most likely not be the most recent available. Also, do you realize how much the 'average technical school graduate type' makes just from acquaintances who complain that their computers are slow, by simply removing whatever "flavor of the month backdoor spam proxy virus" I bet a good number of 'tech service calls' that companies such as PC On Call and people who service residences get could've been avoided by patching in a reasonable time period. However, awhile ago we tried an idea of sending out E-Mail alerts to our customers whenever a critical update of "Remote execution" or worse was released. We found that most of our users were annoyed by this, a different time we used a network sniffing tool to find a few dozen handfuls of your average home Dial-Up users who were infected with various malicious agents (I.e. Nimda, et cetera) and we actually contacted those users, to let them know and again we were met with more hostility. From this interesting pattern I would surmise that users want their ISPs to be hands-off unless the problem that they're causing is effecting them directly. End users on the Internet see their connectivity as a right, and not a privilege. I remember when I was 13 (that was only 11 years ago) and I signed up for my Freenet account at the Columbus Public Library (I believe it was, ? still is? Through OSU), they really made me feel like it was a privilege to be using the Internet, and I honored that. Its just difficult to explain from a professional level what the effects these peoples' behavior (or lack there of) is having on the rest of the community. Think of it like people who drive monster SUV's, they can afford the gas, and the insurance so they don't believe that the harm that these beasts do to our environment matter, because again its their god given right to drive them. -Drew
** Reply to message from Drew Weaver <drew.weaver@thenap.com> on Mon, 19 Apr 2004 13:42:53 -0400
-- Jeff said --
Patches either need to be of a size that a dialup user doesn't have to be dialed in for 24 hours to download and install them. Or .iso's should be available for ISP's to download, turn into CD's and distribute as appropriate. Wouldn't that be nice for a dialup user - getting Windows Update on a CD-ROM from their ISP?
To which I reply:
It is somewhat unreasonable to think that ISPs should be responsible for the security of its users' systems on a systematic basis.
Responsible? No. Able to assist in maintaining that security (and thus that of the ISP's network)? Yes.
Another reason the idea of a 'CD with updates' most likely wouldn't be effective is because by the time the ISP produced the CD, the user got the CD, and installed it, the patches would most likely not be the most recent available.
I can burn a CD from ISO in about 5 minutes - how about you? I'm talking about XP users who haven't even updated as far as SP1. Win98 users who have never run an update in their life... Win2k users are usually the most patched up that I've seen - because that went into mostly business environments. This would at least get them up to the level of the playing field, where the routine updates are not as much of a hassle. Sure, you'll get the little old ladies and gentlemen who will drop by every month for their service pack fix, but that's just customer service.
Also, do you realize how much the 'average technical school graduate type' makes just from acquaintances who complain that their computers are slow, by simply removing whatever "flavor of the month backdoor spam proxy virus"
Ah, now you are talking about why I happily promote Ad-Aware and Spybot.
I bet a good number of 'tech service calls' that companies such as PC On Call and people who service residences get could've been avoided by patching in a reasonable time period.
And your problem with the local ISP having this stuff available for their users is?
However, awhile ago we tried an idea of sending out E-Mail alerts to our customers whenever a critical update of "Remote execution" or worse was released. We found that most of our users were annoyed by this, a different time we used a network sniffing tool to find a few dozen handfuls of your average home Dial-Up users who were infected with various malicious agents (I.e. Nimda, et cetera) and we actually contacted those users, to let them know and again we were met with more hostility.
You definitely don't have our customers then. Our usually appreciate being told that their systems are screwed up.
From this interesting pattern I would surmise that users want their ISPs to be hands-off unless the problem that they're causing is effecting them directly. End users on the Internet see their connectivity as a right, and not a privilege. I remember when I was 13 (that was only 11 years ago)
Some of ours are like that. Most seem to realize their limitations and are happy to know that at some level we are looking out for them. BTW, for me 13 was many more years ago than that... RTM wasn't even in college yet, I imagine.
and I signed up for my Freenet account at the Columbus Public Library (I believe it was, ? still is? Through OSU), they really made me feel like it was a privilege to be using the Internet, and I honored that.
Dial-up, or using their systems at the library? And you weren't paying for the privilege, at least not directly.
Its just difficult to explain from a professional level what the effects these peoples' behavior (or lack there of) is having on the rest of the community. Think of it like people who drive monster SUV's, they can afford the gas, and the insurance so they don't believe that the harm that these beasts do to our environment matter, because again its their god given right to drive them.
That's a whole 'nuther horse to kill there. -- Jeff Shultz Network Technician Willamette Valley Internet
On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
** Reply to message from Drew Weaver <drew.weaver@thenap.com> on Mon, 19 Apr 2004 13:42:53 -0400
However, awhile ago we tried an idea of sending out E-Mail alerts to our customers whenever a critical update of "Remote execution" or worse was released. We found that most of our users were annoyed by this, a different time we used a network sniffing tool to find a few dozen handfuls of your average home Dial-Up users who were infected with various malicious agents (I.e. Nimda, et cetera) and we actually contacted those users, to let them know and again we were met with more hostility. You definitely don't have our customers then. Our usually appreciate being told that their systems are screwed up.
He's right. Most customers get defensive/hostile when you tell them there's something wrong with their system. However I've encountered the same attitude with many NOCs when informing them they have open relays / smurf amps / owned servers. First they deny it - "you must be mistaken", then get defensive "what business is it of yours anyway?" or hostile "you can't possibly know that without having broken into our network, I'm calling the police" (yeah right, I need to break into your network in order to be smurfed by your broken routers.) So this isnt unique to end users. It seems most people would rather discover problems themselves, and go into a sort of panic mode when informed by a third party. Many (including NOCs) aren't emotionally prepared to handle anything beyond "hit ctrl-alt-del". I'm still looking for a good way to gently inform end users/nocs of problems without having them fly off the handle. -Dan
On Mon, Apr 19, 2004 at 12:03:32PM -0700, Dan Hollis wrote:
On Mon, 19 Apr 2004, Jeff Shultz, WIllamette Valley Internet wrote:
** Reply to message from Drew Weaver <drew.weaver@thenap.com> on Mon, 19 Apr 2004 13:42:53 -0400
[...notification of the...]
average home Dial-Up users who were infected with various malicious agents (I.e. Nimda, et cetera) and we actually contacted those users, to let them know and again we were met with more hostility. You definitely don't have our customers then. Our usually appreciate being told that their systems are screwed up.
He's right.
Most customers get defensive/hostile when you tell them there's something wrong with their system.
For what it's worth, our (dial-up and DSL) customers have generally act thankful when contact them about the problems their machines are causing. I guess nothing changes -- the world is full of people. :-)
JS> Date: Mon, 19 Apr 2004 10:39:10 -0700 JS> From: Jeff Shultz JS> > Also, do you realize how much the 'average technical school JS> > graduate type' makes just from acquaintances who complain JS> > that their computers are slow, by simply removing whatever JS> > "flavor of the month backdoor spam proxy virus" JS> JS> Ah, now you are talking about why I happily promote Ad-Aware JS> and Spybot. They're a start. However, I've encountered many systems with suspicious/malicious ActiveX controls or BHOs that neither AdAware nor Spybot caught. I can't think of many other people who are willing to rip out chunks of the Registry manually. How savvy should users be expected to be? Education is good, but there comes a point where the OS/software need to make abuse a bit more difficult. I'm curious to see how Win2003 Server and its executable restrictions fare. Not a silver bullet, of course, but a good start. I've given several presentations where I ask an audience member to stand up and blindly do whatever I instruct. Nobody has been willing yet. Most people will only perform certain "whitelisted" actions in a public crowd. Perhaps software should observe similar defaults. Java applets are scored for "safety" based on what calls the execute; why not extend the approach to all applications? Why not run with safe defaults? Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _________________________________________________________________ DO NOT send mail to the following addresses : blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net Sending mail to spambait addresses is a great way to get blocked.
I agree. 90% users CAN NOT UPDATE. How? - (1) updates are too big to be diownloaded by modem , which fail every 20 - 40 minutes (which is common in many countries); - (2) if you connect to Internet for update, you are infected by virus much faster than you install update. I saw it. Home user install Win2K, then connect to internet to get update... and catch virus.
** Reply to message from Drew Weaver <drew.weaver@thenap.com> on Mon, 19 Apr 2004 13:42:53 -0400
-- Jeff said --
Patches either need to be of a size that a dialup user doesn't have to be dialed in for 24 hours to download and install them. Or .iso's should be available for ISP's to download, turn into CD's and distribute as appropriate. Wouldn't that be nice for a dialup user - getting Windows Update on a CD-ROM from their ISP?
To which I reply:
It is somewhat unreasonable to think that ISPs should be responsible for the security of its users' systems on a systematic basis.
Responsible? No. Able to assist in maintaining that security (and thus that of the ISP's network)? Yes.
Another reason the idea of a 'CD with updates' most likely wouldn't be effective is
by the time the ISP produced the CD, the user got the CD, and installed it, the patches would most likely not be the most recent available.
I can burn a CD from ISO in about 5 minutes - how about you? I'm talking about XP users who haven't even updated as far as SP1. Win98 users who have never run an update in their life... Win2k users are usually the most patched up that I've seen - because that went into mostly business environments. This would at least get them up to the level of the playing field, where the routine updates are not as much of a hassle. Sure, you'll get the little old ladies and gentlemen who will drop by every month for their service pack fix, but that's just customer service.
Also, do you realize how much the 'average technical school graduate type' makes just from acquaintances who complain that their computers are slow, by simply removing whatever "flavor of the month backdoor spam proxy virus"
Ah, now you are talking about why I happily promote Ad-Aware and Spybot.
I bet a good number of 'tech service calls' that companies such as PC On Call and people who service residences get could've been avoided by patching in a reasonable time period.
And your problem with the local ISP having this stuff available for their users is?
However, awhile ago we tried an idea of sending out E-Mail alerts to our customers whenever a critical update of "Remote execution" or worse was released. We found that most of our users were annoyed by this, a different time we used a network sniffing tool to find a few dozen handfuls of your average home Dial-Up users who were infected with various malicious agents (I.e. Nimda, et cetera) and we actually contacted those users, to let
know and again we were met with more hostility.
You definitely don't have our customers then. Our usually appreciate being told that their systems are screwed up.
From this interesting pattern I would surmise that users want their ISPs to be hands-off unless the problem that they're causing is effecting them directly. End users on the Internet see their connectivity as a right, and not a privilege. I remember when I was 13 (that was only 11 years ago)
Some of ours are like that. Most seem to realize their limitations and are happy to know that at some level we are looking out for them. BTW, for me 13 was many more years ago than that... RTM wasn't even in college yet, I imagine.
and I signed up for my Freenet account at the Columbus Public Library (I believe it was, ? still is? Through OSU), they really made me feel like it was a privilege to be using the Internet, and I honored that.
Dial-up, or using their systems at the library? And you weren't paying for the privilege, at least not directly.
Its just difficult to explain from a professional level what the effects these peoples' behavior (or lack there of) is having on the rest of the community. Think of it like people who drive monster SUV's, they can afford the gas, and the insurance so they don't believe that the harm that
because them these
beasts do to our environment matter, because again its their god given right to drive them.
That's a whole 'nuther horse to kill there. -- Jeff Shultz Network Technician Willamette Valley Internet
On Mon, 19 Apr 2004, Alexei Roudnev wrote:
- (1) updates are too big to be diownloaded by modem , which fail every 20 - 40 minutes (which is common in many countries); - (2) if you connect to Internet for update, you are infected by virus much faster than you install update.
I saw it. Home user install Win2K, then connect to internet to get update... and catch virus.
Order the Windows Security Update CD Updated Date: April 16, 2004 The Windows Security Update CD will be shipped to you free of charge. This CD includes Microsoft critical updates released through October 2003 and information to help you protect your PC. In addition, you will also receive a free antivirus and firewall trial software CD. This CD is only available for Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE). Please allow 2-4 weeks for delivery. http://www.microsoft.com/security/protect/cd/order.asp I do not know if Microsoft plans to refresh the CD, or make it available through other channels.
On Mon, 19 Apr 2004, Alexei Roudnev wrote:
- (1) updates are too big to be diownloaded by modem , which fail every 20 - 40 minutes (which is common in many countries); - (2) if you connect to Internet for update, you are infected by virus much faster than you install update.
I saw it. Home user install Win2K, then connect to internet to get update... and catch virus.
.. I almost wonder if AOL would consider shipping windows updates on their mail-out CDs just as a "friendly" thing to do, unencumbered by AOLness. Adrian -- Adrian Chadd I'm only a fanboy if <adrian@creative.net.au> I emailed Wesley Crusher.
Hmnm, if you: -- are in Russia or other East Europe country - got Windows with a computer (so it is 90% pirated one) - have not credit card how can you order this CD (of course, pirates will help -:))? This explains the number of infected systems (in addition to other reasons). My friends in Moscow have 3 - 4 Windows Me and Windows 98 (those, who are far from computer business) - no one updated. It is impossible by Internet, and you never know, is it Microsoft (CD) or is it Hacker (CD) when you purchase a CD (and you have not any reason to spend a time and money, purchasing CD). Updates are not so easy, as it seems, having 1 Mbit DSL at home, good $20K firewall and 10 Mbit at work (or been ISP itself). ----- Original Message ----- From: "Sean Donelan" <sean@donelan.com> To: "Alexei Roudnev" <alex@relcom.net> Cc: <nanog@merit.edu> Sent: Monday, April 19, 2004 11:06 PM Subject: Ordering Windows Security Update CD (was Re: Microsoft XP SP2)
On Mon, 19 Apr 2004, Alexei Roudnev wrote:
- (1) updates are too big to be diownloaded by modem , which fail every 20 - 40 minutes (which is common in many countries); - (2) if you connect to Internet for update, you are infected by virus much faster than you install update.
I saw it. Home user install Win2K, then connect to internet to get update... and catch virus.
Order the Windows Security Update CD Updated Date: April 16, 2004
The Windows Security Update CD will be shipped to you free of charge. This CD includes Microsoft critical updates released through October 2003 and information to help you protect your PC. In addition, you will also receive a free antivirus and firewall trial software CD.
This CD is only available for Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE).
Please allow 2-4 weeks for delivery.
http://www.microsoft.com/security/protect/cd/order.asp
I do not know if Microsoft plans to refresh the CD, or make it available through other channels.
On Tue, 2004-04-20 at 00:21, Alexei Roudnev wrote:
Hmnm, if you: -- are in Russia or other East Europe country - got Windows with a computer (so it is 90% pirated one) - have not credit card
geez, they are giving the CD away for free ! james
On Mon, 19 Apr 2004, Alexei Roudnev wrote:
Hmnm, if you: -- are in Russia or other East Europe country - got Windows with a computer (so it is 90% pirated one) - have not credit card how can you order this CD (of course, pirates will help -:))?
The US/English Windows Security Update CD is free. There is also a Russian version. I don't speak/read Russian, so I don't know if Microsoft asks for a credit card number before shipping the CD on the Russian web page. For the other languages/countries web pages I can understand, the CD is free. That goal was having an off-line version of the same patches you get from WindowsUpdate.Microsoft.com
This explains the number of infected systems (in addition to other reasons). My friends in Moscow have 3 - 4 Windows Me and Windows 98 (those, who are far from computer business) - no one updated. It is impossible by Internet, and you never know, is it Microsoft (CD) or is it Hacker (CD) when you purchase a CD (and you have not any reason to spend a time and money, purchasing CD).
In the US, the Security Update CD is shipped directly from the Microsoft contractor to the end-user. Of course, if the postal service, delivery service or contractor is corrupt; what you receive could be intercepted and replaced enroute.
Updates are not so easy, as it seems, having 1 Mbit DSL at home, good $20K firewall and 10 Mbit at work (or been ISP itself).
Fixing insecure computers in black market economies is a difficult problem. The more common reason I hear is people know (or suspect) they are using pirate copies of Windows, and are afraid the Microsoft patches will also disable illegal copies. People concerned about that won't use any updates, regardless of how easy or quick. Although Microsoft has several web pages how to check the so-called Certificate of Authenticity, I haven't found a Microsoft supported way to verify the actual software installed on a computer. Other operating system vendors such as Sun have Solaris MD5 fingerprints for their operating systems.
In the US, the Security Update CD is shipped directly from the Microsoft contractor to the end-user. Of course, if the postal service, delivery service or contractor is corrupt; what you receive could be intercepted and replaced enroute.
You do not need to kill a postman -:). Just write a disk, label it, and push into the mailbox... few days before _real_ disk arrive. (and make it auto-runnable).
On Tue, 20 Apr 2004, Sean Donelan wrote:
I do not know if Microsoft plans to refresh the CD, or make it available through other channels.
Bittorrent? :-) Does anyone have a BT iso of these CDs btw? I cant imagine microsoft objecting to its distribution... -Dan
participants (9)
-
Adrian Chadd
-
Alexei Roudnev
-
Dan Hollis
-
Drew Weaver
-
E.B. Dreger
-
James Edwards
-
Jeff Shultz, WIllamette Valley Internet
-
John Osmon
-
Sean Donelan