Exploits

spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

I'll just drop this article in for anyone who feels like discussing the general issue.

Plug a corporate laptop, say, into a dodgy network in a cafe, and it's game over. According to Microsoft:

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This remote-code execution flaw affects all supported versions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.



Patch now: Design flaw in Windows security allows hackers to own corporate laptops, PCs • The Register Forums

Nullius in verba
Who has a spare two minutes to play in this month's FG Trivia game!
High Threshold
Posts: 2856
Joined: Wed Nov 23, 2005 2:20 am

Exploits

Post by High Threshold »

Is MS preparing us for their latest and greatest? The unbuggable? Toss out last year's model and rush to buy the new one!
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

High Threshold;1473879 wrote: Is MS preparing us for their latest and greatest? The unbuggable? Toss out last year's model and rush to buy the new one!


There's certainly a grinding of teeth among server folk about the refusal of Microsoft to patch this bug in Server 2003, which is consequently now unusable. A lot of people were still running that. Refusing to patch it will make Microsoft a stack of new cash.
High Threshold
Posts: 2856
Joined: Wed Nov 23, 2005 2:20 am

Exploits

Post by High Threshold »

spot;1473886 wrote: There's certainly a grinding of teeth among server folk about the refusal of Microsoft to patch this bug in Server 2003, which is consequently now unusable. A lot of people were still running that. Refusing to patch it will make Microsoft a stack of new cash.


Makes one feel like a new-born wildebeest, surrounded by hungry lions.
FourPart
Posts: 6447
Joined: Fri Jun 06, 2014 3:12 am

Exploits

Post by FourPart »

Unfortunately there's idealism & there's reality. The two are rarely compatible.

Because of the natural inclination of the market to want the newest & freshest products on the shelf it doesn't make good business sense to keep ploughing its resources into failing old stock. Also, because of this high demand for new items manufacturers aren't given the valuable time that they need in order to perfect their products. The term "More Haste, Less Speed" also seems to apply. When something is rushed, then faults occur over the long term, but if they take their time in order to get the job done properly, then by the time their perfected product is released it's out of date & a total dinosaur.

Furthermore, even without the market's demand for shiny new toys, if a manufacturer were to provide a perfect model, they would be out of business at a stroke as no-one would ever need replacements.

Take a look at the way Apple operate. They don't improve their products in any real way at all. They just appeal to Peer Pressure by adding sparkly new built in 'Apps' which, in all likelihood can be downloaded & installed into any bog standard model, but they still have the morons champing at the bit to hand over their cash (and at no small cost either) to get the new model so that they can be one step up from their friends.

For business use, especially, it's Horses for Courses. A friend of mine runs his own Lumber business & has always used XP. He sees no reason to change as it suits him perfectly for what he needs (i.e. Stock Control, Accounts, Sales, Wages, eMail & general access to the Internet etc.). In fact I've noticed quite a few local businesses are still running XP. The company I work for, which started this contract at the beginning of October, have been provided with PCs & laptops, all with the latest version of W8 preinstalled, but the first thing they did was to downgrade to W7, as it was known to be more reliable.

Also, as far as business are concerned, it's not always the best thing to use OEM software, as it's not always a case of one size fits all. Custom designed software (and hardware, for that matter) may be a costly investment, but it can work out a lot cheaper in the long run.

I don't think you can really blame Microsoft (or even Apple, though I am loath to admit it), as they are merely trying to fulfill a demand that is becoming increasingly difficult to keep up with. In the end it is the customer who is to blame - not the manufacturer.
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

FourPart;1473889 wrote: A friend of mine runs his own Lumber business & has always used XP. He sees no reason to change as it suits him perfectly for what he needs (i.e. Stock Control, Accounts, Sales, Wages, eMail & general access to the Internet etc.). In fact I've noticed quite a few local businesses are still running XP.


I'd quite happily run XP, but I'd not allow any XP machine under my control to be visible to the Internet. There are no security releases for XP any more. The consequence is that all the company's files on any XP machine visible to the Internet can be downloaded by anyone who has an XP exploit which will bypass XP's now-compromised security. Do these companies you refer to really want all their emails and correspondence in the hands of third parties?

The trouble is that, for any operating system, there will be a very small proportion of miscreants out there who have such an exploit available which is so far unpatched. Those same emails and correspondence are downloadable by that small proportion of miscreants using these "zero-day" exploits. It's a far smaller problem than the XP problem, because far fewer people own a zero-day exploit for more recent operating systems, but it's still a real issue and the sole fix is to keep your data on computers which never have Internet access. Is that really an extreme solution? I'm not sure why I should be.
FourPart
Posts: 6447
Joined: Fri Jun 06, 2014 3:12 am

Exploits

Post by FourPart »

The real problem is that no matter how secure a system is, there will always be someone out there who will find a way to crack it & once the genie's out of the bottle every miscreant has a copy of that key. Remember, the Enigma Code was originally thought to be unbreakable.
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

FourPart;1473894 wrote: The real problem is that no matter how secure a system is, there will always be someone out there who will find a way to crack it & once the genie's out of the bottle every miscreant has a copy of that key. Remember, the Enigma Code was originally thought to be unbreakable.


That's quite true. But there's no reason for any computer you own to both have private information on it and also be visible to the Internet. I feel that people in general connect their computers to the Internet by default and then keep their secrets on them anyway. The secure approach is to keep secrets and the Internet at arm's length.
FourPart
Posts: 6447
Joined: Fri Jun 06, 2014 3:12 am

Exploits

Post by FourPart »

spot;1473895 wrote: That's quite true. But there's no reason for any computer you own to both have private information on it and also be visible to the Internet. I feel that people in general connect their computers to the Internet by default and then keep their secrets on them anyway. The secure approach is to keep secrets and the Internet at arm's length.
I totally agree. The problems there arise, though, when it becomes necessary to network information between different locations, or even on site. Good encryption levels are invaluable, but nothing can be 100% secure & any claims to the contrary merely throw down the gauntlet to those who might want to take up the challenge.
LarsMac
Posts: 12434
Joined: Fri Nov 27, 2009 9:11 pm
Location: Far Out, Man

Exploits

Post by LarsMac »

spot;1473886 wrote: There's certainly a grinding of teeth among server folk about the refusal of Microsoft to patch this bug in Server 2003, which is consequently now unusable. A lot of people were still running that. Refusing to patch it will make Microsoft a stack of new cash.


Most of my customers have long ago abandoned Server 2003, unless it is for internal use only, for which they expect no support from the Redmond gnomes. The memory limitations, alone, make it less than useful these days. It is, after all, based on the old NT/Win2K engine.

Server 2008 is far more robust, and still supported by MS.

The newest server, 2012, is gaining a following, in spite of its cheesy looking UI.

http://www.computerworld.com/article/28 ... -risk.html
Control is an illusion. The Chaos is all part of the fun.
-Susan Hattie Steinsapir
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

FourPart;1473896 wrote: nothing can be 100% secure


Let's call a spade a spade - what you mean is that everything connected to the Internet has 0% security. The fact that a site can keep Joe Public from reading the secrets it contains is irrelevant if you can guarantee there's a set of miscreants in the world who, in fact, can read the secrets it contains. There is no online security, the only security that can exist for computerized information is to be both offline and behind a secure physical lock and key.

As far as I can see, a claim to "99% online security" can only be meaningless. If just one miscreant can get the secrets off a computer, the machine is down to 0% by definition.
FourPart
Posts: 6447
Joined: Fri Jun 06, 2014 3:12 am

Exploits

Post by FourPart »

spot;1473909 wrote: Let's call a spade a spade - what you mean is that everything connected to the Internet has 0% security. The fact that a site can keep Joe Public from reading the secrets it contains is irrelevant if you can guarantee there's a set of miscreants in the world who, in fact, can read the secrets it contains. There is no online security, the only security that can exist for computerized information is to be both offline and behind a secure physical lock and key.

As far as I can see, a claim to "99% online security" can only be meaningless. If just one miscreant can get the secrets off a computer, the machine is down to 0% by definition.
That's Binary for you. On or Off.
Snowfire
Posts: 4835
Joined: Wed Mar 11, 2009 9:34 am

Exploits

Post by Snowfire »

Is this of any use to anyone?

How to continue getting free security updates for Windows XP -- until 2019.
"He has all the virtues I dislike and none of the vices I admire."

Winston Churchill
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

Snowfire;1473978 wrote: Is this of any use to anyone?

How to continue getting free security updates for Windows XP -- until 2019.


That works, Microsoft might even allow it to continue to work, it's a lot better than nothing. Not having any XP machines I'd not heard of this as a solution.
Bryn Mawr
Posts: 15917
Joined: Mon Feb 27, 2006 4:54 pm

Exploits

Post by Bryn Mawr »

Snowfire;1473978 wrote: Is this of any use to anyone?

How to continue getting free security updates for Windows XP -- until 2019.


Yes, extremely - many thanks
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

Would you like to explain what you're doing, Raizo? We have time, we'll listen.
FourPart
Posts: 6447
Joined: Fri Jun 06, 2014 3:12 am

Exploits

Post by FourPart »

Isn't that against FG rules to quote without providing accreditation? I protest under Copyright rules.
spot
Posts: 39031
Joined: Tue Apr 19, 2005 5:19 pm
Location: Brigstowe

Exploits

Post by spot »

I think the "text from the same thread" clause applies.