I wonder how many will install worms and viruses from a CD that they got not from Microsoft but from phishing schemes that will inevitably pop up around it.....

Michel.

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Lesher
Sent: Saturday, February 21, 2004 1:45 PM
To: nanog list
Subject: M$ CD patches

http://www.internetnews.com/dev-news/article.php/3314501

In a bid to target a security hurdle rampant with dial-up Internet users, Microsoft has rolled out a security update CD giveaway for users of Windows XP, Windows Me, Windows 2000, Windows 98, and Windows 98 Second Edition (SE). The Windows Security Update CD will ship with all of its "critical" patches released by the software giant through October 2003 and free anti-virus and firewall trial software.

....

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
On Sat, 21 Feb 2004, Michel Py wrote:
I wonder how many will install worms and viruses from a CD that they got not from Microsoft but from phishing schemes that will inevitably pop up around it.....
As far as I know, Microsoft is currently mailing the CDs only to consumers that request the patches. In the future you may be able to obtain patches through other distribution channels, e.g. your ISP, consumer electronics chain, or original equipment manufacturer. Regardless of the distribution method, genuine Microsoft patches are always cryptographically signed by Microsoft. Whether consumers can figure out how to check the signature is a different question.

Perhaps more significant is that Mail Fraud is a well-tested law, which has trained, sworn law enforcement active in the United States Postal Inspection Service. Unlike ISP abuse departments, the USPIS has badges, carries guns, and has the legal authority to arrest people. If you receive a counterfeit CD in the mail, I expect both Microsoft and the US Postal Inspection Service would be very interested.
Speaking on Deep Background, the Press Secretary whispered:
In the future you may be able to obtain patches through other distribution channels, e.g. your ISP, consumer electronics chain, or original equipment manufacturer. Regardless of the distribution method, genuine Microsoft patches are always cryptographically signed by Microsoft. Whether consumers can figure out how to check the signature is a different question.
Except, as a friend has twice found out... M$ tends to let their certs expire. Ooops!
On Sat, 21 Feb 2004, David Lesher wrote:
In the future you may be able to obtain patches through other distribution channels, e.g. your ISP, consumer electronics chain, or original equipment manufacturer. Regardless of the distribution method, genuine Microsoft patches are always cryptographically signed by Microsoft. Whether consumers can figure out how to check the signature is a different question.
Except, as a friend has twice found out... M$ tends to let their certs expire. Ooops!
An expired cert is only a risk if you install the software anyway. The other risk is a "trusted" certificate authority issuing a certificate to an unauthorized user, or the signing certificate being compromised.

How do you know ANY copy of Windows XP that came on your computer, or that you bought in a box from Best Buy, is genuine and unaltered? Hint: if you read the documentation, Microsoft tells you how. How many people even bother to check? Double hint: did you read the documentation? Triple hint: this problem exists with all computer operating systems and applications. Sun has the same issue with Solaris; check with Sun how to verify that your Solaris CD is genuine. Even mainframe software from IBM has this issue; check with IBM how to verify that your IBM mainframe OS is genuine. For the paranoid, did you check that the chip in your shiny, new HP LaserJet network printer connected to your network is genuine?
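The thread makes two practical points: Sean's, that genuine patches are signed and the question is whether anyone checks the signature, and David's, that a signing certificate can be expired by the time the media reaches you, which Sean says only matters if you install anyway. The script below is an added example, not code from the thread or from Microsoft, showing how an administrator would check both before running anything from such a disc. It assumes the CD is mounted at D:\ and that the expected signer subject contains "Microsoft Corporation"; both are parameters. It relies on the stock Get-AuthenticodeSignature and Get-FileHash cmdlets.

```powershell
# Added example (not from the thread): inventory the Authenticode signatures on a
# mounted update CD before executing anything from it.
# Assumptions: the disc is mounted at D:\ and the legitimate signer's certificate
# subject contains "Microsoft Corporation". Adjust both parameters as needed.

function Get-CdSignatureReport {
    param(
        [string]$Root = 'D:\',
        [string]$ExpectedSigner = 'Microsoft Corporation'
    )

    # Only file types that carry an embedded Authenticode signature are checked.
    $targets = Get-ChildItem -Path $Root -Recurse -File `
        -Include *.exe, *.msi, *.msu, *.cab, *.dll -ErrorAction SilentlyContinue

    foreach ($f in $targets) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $cert = $sig.SignerCertificate
        $tsa  = $sig.TimeStamperCertificate   # present only if the signature was countersigned with a timestamp

        [pscustomobject]@{
            File           = $f.FullName
            # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status         = $sig.Status
            StatusMessage  = $sig.StatusMessage
            Signer         = if ($cert) { $cert.Subject } else { '(unsigned)' }
            SignerNotAfter = if ($cert) { $cert.NotAfter } else { $null }
            # An expired signer cert is not by itself a failure: with a timestamp the chain is
            # evaluated as of signing time and Status stays Valid. Without a timestamp it will not.
            SignerExpired  = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
            Timestamped    = [bool]$tsa
            SignerMatches  = if ($cert) { $cert.Subject -like "*$ExpectedSigner*" } else { $false }
            # SHA-256 for comparison against a reference hash, if the vendor publishes one.
            Sha256         = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}

function Test-CdTrustworthy {
    param([Parameter(Mandatory)][object[]]$Report)

    # Reject the whole disc if any candidate file is unsigned, tampered (HashMismatch),
    # chains to an untrusted or expired-and-untimestamped certificate, or is signed by
    # someone other than the expected vendor. A valid signature from the wrong signer
    # is exactly the "certificate issued to an unauthorized user" case from the thread.
    $bad = $Report | Where-Object { $_.Status -ne 'Valid' -or -not $_.SignerMatches }

    if ($bad) {
        $bad | Select-Object File, Status, Signer, SignerExpired, Timestamped, StatusMessage |
            Format-Table -AutoSize | Out-String | Write-Warning
        return $false
    }
    return $true
}

# Usage: produce the report, then decide. Nothing on the disc has been executed at this point.
$report = Get-CdSignatureReport -Root 'D:\' -ExpectedSigner 'Microsoft Corporation'
$report | Select-Object File, Status, Signer, SignerExpired, Timestamped | Format-Table -AutoSize
if (Test-CdTrustworthy -Report $report) {
    Write-Host 'All candidate files carry a valid signature from the expected signer.'
} else {
    Write-Host 'Do not run anything from this disc until the flagged files are explained.'
}
```

The report separates "the certificate has expired" (SignerExpired) from "the signature does not verify" (Status), which is the distinction David and Sean are arguing about: a timestamped signature from a since-expired certificate still verifies, while an unsigned or modified file, or one signed by a certificate the system does not trust, never does. The SignerMatches column covers the remaining case Sean raises, a technically valid signature from a party that should not be signing these files.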
participants (3)

- David Lesher
- Michel Py
- Sean Donelan