Re: FBI tells the public to call their ISP for help
* Fred Baker:

[Microsoft security updates]

> It is my understanding that they even support pirated software in
> this context;

Their message on this topic is rather mixed. The Office update used to display warnings that after a security update, pirated copies might cease to function. And the updates claimed that you need the original CD, which did not appear to be true, but still.

For Windows Update, Microsoft has been quite successful in creating the impression that during the update check, your system is examined for pirated software.

And finally, a major source of malware is sites which distribute cracks and product keys. 8-(
Re: FBI tells the public to call their ISP for help
On Jun 15, 2007, at 3:06 PM, Florian Weimer wrote:

> Most users don't buy their software from Microsoft, either. It's
> preinstalled on their PC, and Microsoft disclaims any support.

That is mostly true, except in the case of security issues - which is what I believe this thread is somehow still talking about.

Microsoft gives no-charge phone support to all Windows users, regardless of where you received your license, if it's a security related problem. Viruses, spyware, intrusions, etc. Call 1-866-PCSAFETY in the US/Canada, or you can click a link at http://support.microsoft.com/security to get information for other countries.

I've never tried it, but I've heard that they've been surprisingly helpful, even in cases where it was obviously not Microsoft's fault (directly, anyway). I'm not 100% positive that their policy explicitly allows OEM license holders to use that number, but from those I've talked to that have used it - they don't ask for any license information at all. After they've verified it fits their definition of a security problem, you're handed over to a tech to help you clean it up.

-- Kevin
Re: FBI tells the public to call their ISP for help
On Jun 15, 2007, at 1:23 PM, Kevin Day wrote:

> I've never tried it, but I've heard that they've been surprisingly
> helpful, even in cases where it was obviously not Microsoft's fault
> (directly, anyway). I'm not 100% positive that their policy explicitly
> allows OEM license holders to use that number, but from those I've
> talked to that have used it - they don't ask for any license
> information at all. After they've verified it fits their definition of
> a security problem, you're handed over to a tech to help you clean it
> up.

It is my understanding that they even support pirated software in this context; they figure it's better to fix the stuff and then figure out how to get the right stuff there than to whinge about its pedigree.
Re: FBI tells the public to call their ISP for help
On Jun 15, 2007, at 11:31 PM, Fergie wrote:

> - -- Florian Weimer <[EMAIL PROTECTED]> wrote:
>
>> In most parts of the world, the Microsoft EULA is not enforceable.
>> Most users don't buy their software from Microsoft, either. It's
>> preinstalled on their PC, and Microsoft disclaims any support.
>
> NOTE: This has nothing to do with ISPs.
>
> Also, there is somewhere in the neighborhood of > 65M MS hosts "out
> there" that are either illegally or improperly licensed, and which
> cannot use Microsoft Update (due to the Genuine Advantage verification
> knobs). While they can download each patch individually through a
> series of acrobatic exercises, this sorta contributes to the whole
> end-system compromise problem.
>
> Again, not that this has much real bearing on the discussion, but
> figured I toss that into the mix.

At the prior ISOS conference in Redmond, Microsoft made assurances even systems failing Genuine Advantage verification can enable automatic updates to obtain critical updates. One of the attendees remarked privately this automation works only for English versions of XP. : (

With vulnerabilities created by Microsoft, such as:

- cloaking files and processes
- cloaking shell script extensions (even when show enabled)
- requiring scripts for basic browser functionality
- preventing removal of their exploitable browser
- Word
- .Net
- inadequate provisions for temporary privilege escalation
- unfortunate network defaults
- reliance upon perimeter security
- etc.

It seems such negligence might make Micos0ft vulnerable to class actions, especially from ISPs bearing the brunt of related support. With the FBI recommendation, another very deep pocket might be added. The paper provided by Google should give anyone cause.

http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf

"A popular exploit we encountered takes advantage of a vulnerability in Microsoft’s Data Access Components that allows arbitrary code execution on a user’s computer [6]. The following example illustrates the steps taken by an adversary to leverage this vulnerability into remote code execution:

- The exploit is delivered to a user’s browser via an iframe on a compromised web page.
- The iframe contains Javascript to instantiate an ActiveX object that is not normally safe for scripting.
- The Javascript makes an XMLHTTP request to retrieve an executable.
- Adodb.stream is used to write the executable to disk.
- A Shell.Application is used to launch the newly written executable."

-Doug
Re: FBI tells the public to call their ISP for help
* Douglas Otis:

> At the prior ISOS conference in Redmond, Microsoft made assurances
> even systems failing Genuine Advantage verification can enable
> automatic updates to obtain critical updates. One of the attendees
> remarked privately this automation works only for English versions of
> XP. : (

Yeah, I couldn't install the latest security update today; I was forced to run WGA first. I have to admit that I didn't try very hard to bypass it since WGA was already installed on that machine.

Microsoft has been quite successful in associating security updates with piracy. Perhaps not at a technical level, but definitely in people's minds. 8-(
RE: FBI tells the public to call their ISP for help
Let me buy an appliance that handles that DNS/filtering/firewalling/updating/etc for owned machines, one that has MSFT's blessing, and that just requires policy-based routing and handing out special DNS server IPs.

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sean Donelan
Sent: Thursday, June 14, 2007 2:22 PM
To: Jeroen Massar
Cc: nanog@nanog.org
Subject: Re: FBI tells the public to call their ISP for help

On Thu, 14 Jun 2007, Jeroen Massar wrote:
> You want to have a look at:
> http://technet.microsoft.com/en-us/wsus/
>
> Which is used in large organizations to deploy patches with ease.
> Requires some AD mumbojumbo of course.
>
> Really the information is out there, google knows, so can you :)

Read the Microsoft license agreement for WSUS, the information is out there. It works for institutional license holders, but not for public ISPs. Small ISPs without legions of lawyers may not worry about stuff like this, but unfortunately large ISPs have to.

It's not a technical issue. If the Microsoft lawyers said ok, the engineers could come up with lots of ways to do this. I asked Microsoft's lawyers multiple times. But as always, you should consult with your own legal advisor.

I keep hoping one day Microsoft will announce something like WSUS for ISPs. But it's been several years.
Re: FBI tells the public to call their ISP for help
Frank Bulk wrote:
> Let me buy an appliance that handles that
> DNS/filtering/firewalling/updating/etc for owned machines, one that has
> MSFT's blessing, and that just requires policy-based routing and handing out
> special DNS server IPs.

Please see one of:

http://domino.research.ibm.com/comm/pr.nsf/pages/news.20060327_virus.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=14200013
http://www.ercim.org/publication/Ercim_News/enw56/riordan.html

and various others. Billy Goats can do exactly at least the jailing part and most likely there are other similar services that provide the same functionality.

The upgrade portion really depends on the installed software base of course. Without somebody actually doing the upgrade and most likely not even removing the virus/bot etc in place, not much can be done in that area, especially in non-ISP environments where you don't have root on the PC. This portion at least quarantines the box and then allows you to simply instruct the user in the common methods of battling the problem that the user has.

Greets,
Jeroen
RE: FBI tells the public to call their ISP for help
The Billy Goat product only seems to detect and notify nefarious activity, but it does nothing for the owned clients. I want something that restricts my owned subscribers to downloading updates and tools while preventing them from spewing forth more spam and the like. Mirage Networks is the closest to it, from my limited knowledge.

Frank

-----Original Message-----
From: Jeroen Massar [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 16, 2007 9:43 PM
To: [EMAIL PROTECTED]
Cc: 'Sean Donelan'; nanog@nanog.org
Subject: Re: FBI tells the public to call their ISP for help

Frank Bulk wrote:
> Let me buy an appliance that handles that
> DNS/filtering/firewalling/updating/etc for owned machines, one that has
> MSFT's blessing, and that just requires policy-based routing and handing out
> special DNS server IPs.

Please see one of:

http://domino.research.ibm.com/comm/pr.nsf/pages/news.20060327_virus.html
http://www.informationweek.com/story/showArticle.jhtml?articleID=14200013
http://www.ercim.org/publication/Ercim_News/enw56/riordan.html

and various others. Billy Goats can do exactly at least the jailing part and most likely there are other similar services that provide the same functionality.

The upgrade portion really depends on the installed software base of course. Without somebody actually doing the upgrade and most likely not even removing the virus/bot etc in place, not much can be done in that area, especially in non-ISP environments where you don't have root on the PC. This portion at least quarantines the box and then allows you to simply instruct the user in the common methods of battling the problem that the user has.

Greets,
Jeroen
RE: FBI tells the public to call their ISP for help
In the 2+ years I have been working for an ISP I'm not aware of one customer that has gone over to one of our competitors because we identified and cut them off for an abuse issue. Most of them have been very grateful that we identified a problem and are earnest in resolving it. And for those who don't care? In a slight variation on an oft-quoted statement in this listserv, "I want my competitors to have them."

Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kradorex Xeron
Sent: Thursday, June 14, 2007 3:35 PM
To: nanog@nanog.org
Subject: Re: FBI tells the public to call their ISP for help

On Thursday 14 June 2007 10:27, [EMAIL PROTECTED] wrote:
> > Since many Microsoft patches are only legally available via
> > the Internet, and an ISP can not predict which servers
> > Microsoft will use to distribute Microsoft patches, ISPs must
> > enable essentially full Internet access which includes access
> > for most worms.
>
> Has anybody tried a firewalling solution in which unpatched PCs are only
> able to access a special ISP-operated forwarding nameserver which is
> configured to only reply with A records for a list of known Microsoft
> update sites? And then have this specially patched nameserver also
> trigger the firewall to open up access to the addresses that it returns
> in A records?
>
> According to Microsoft, their list of "trusted sites" for MS Update is
> *.update.microsoft.com and download.windowsupdate.com. Even if they have
> some sort of CDN (Content Delivery Network) with varying IP addresses
> based on topology or load, this is still predictable enough for a
> software solution to provide a temporary walled garden.
>
> You don't need to make copies of their patch files. You don't need MS to
> provide an out-of-band list of safe IP addresses. As long as you are
> able to divert a subscriber's traffic through a special firewalled
> garden, an ISP can implement this with no special support from MS. Wrap
> this up with a GUI for your support-desk people to enable/disable the
> traffic diversion and you have a low-cost solution. You can even
> leverage the same technology to deal with botnet infestations although
> you would probably want a separate firewalled garden that allows access
> to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's
> own pages, etc.
>
> --Michael Dillon

There's a major problem with this - End-users won't take nicely to being restricted from going to specific websites, and will more than likely go to another ISP rather than to patch their computer as they see no benefit of patching themselves. We see the benefit of the patches, they don't necessarily.

Not to single anyone out but there will more than likely always be a careless (and/or clueless) ISP who doesn't care if over half their network is wormed, the customers from the ISPs who are cracking down on infected machines will simply go over to the ISP who doesn't care as there would be "less hassle". What needs to be done is ALL ISPs across the board need to clean up their networks, thus cornering the lazy end-users into cleaning up their machines.

To be honest: There's too few ISPs that would want to take up the responsibility of filtering worm'd customers, and as well, the instant an ISP starts filtering, they may even set themselves up for a lawsuit of the customer saying "I paid for the service, why aren't I getting it?!"

And regarding Microsoft and their patching licences: Those patches may be their precious "legal property" but it's their hoarding of legal rights that's damaging hundreds of thousands of computers. Microsoft is currently abusing their market share standings and giving insufficient patch distribution, (i.e. offline distribution) Therefore Microsoft should be held accountable for every computer that becomes infected with worms due to insufficient patching.

To me, it sounds like Microsoft wants the power, but doesn't want the responsibility that comes with the power of great market share. It is time Microsoft be forced to take that responsibility.
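The walled-garden nameserver Michael Dillon sketches in the quoted proposal, as an added example that is not code from the thread: the garden resolver answers A queries only for the two allowlisted update names he cites, and turns each returned address into a firewall opening that expires with the record's TTL. The `upstream` hook, `GRACE_SECONDS`, and the 192.0.2.x addresses and TTLs are assumptions and constructed data, not anything from the thread.

```python
import ipaddress
import time

# Allowlist as quoted in the thread: Microsoft's "trusted sites" for MS Update.
# A leading "*." entry matches any name below that suffix (not the apex itself).
ALLOWED_NAMES = ("*.update.microsoft.com", "download.windowsupdate.com")
GRACE_SECONDS = 60  # assumed slack so in-flight downloads outlive the DNS TTL


def name_allowed(qname, allowlist=ALLOWED_NAMES):
    """True if qname matches the allowlist on label boundaries.

    Matching on whole labels is the check that matters: a plain substring
    test would let 'update.microsoft.com.attacker.example' through."""
    q = qname.rstrip(".").lower()
    for entry in allowlist:
        e = entry.lower()
        if e.startswith("*."):
            if q.endswith(e[1:]):  # e[1:] keeps the leading dot
                return True
        elif q == e:
            return True
    return False


def handle_query(qname, upstream, now=None):
    """Answer one A query for a quarantined subscriber.

    upstream: callable name -> list of (ip, ttl) from a normal resolver
    (an assumed hook; the garden server only forwards allowlisted names).
    Returns (answers, allows): answers go back to the client, allows are
    (ip, expiry_epoch) pairs the firewall should open until expiry."""
    now = time.time() if now is None else now
    if not name_allowed(qname):
        return [], []  # empty answer: the name is outside the garden
    answers = upstream(qname)
    allows = []
    for ip, ttl in answers:
        ipaddress.ip_address(ip)  # raise on junk before it reaches the firewall
        allows.append((ip, now + ttl + GRACE_SECONDS))
    return answers, allows


def constructed_upstream(name):
    """Stand-in resolver with constructed data (192.0.2.0/24 is documentation
    address space, not real Microsoft addresses)."""
    table = {
        "download.windowsupdate.com": [("192.0.2.10", 300)],
        "v4.update.microsoft.com": [("192.0.2.20", 120), ("192.0.2.21", 120)],
    }
    return table.get(name.rstrip(".").lower(), [])
```

The UDP listener and the actual firewall call are left out; what the block shows is the label-boundary name check and the address-to-rule step with its expiry, which is where a sloppy implementation of the idea would leak.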