FY;) [Jamie McCarthy: [IRR] The nightmare] (fwd)

From: Eugene Leitl (Eugene.Leitl@lrz.uni-muenchen.de)
Date: Thu Apr 05 2001 - 05:00:42 MDT


TEOTWAWKI, nth apocalyptic rider, etc., in other words Business As Usual
in Redmond.

---------- Forwarded message ----------
Date: Wed, 04 Apr 2001 13:09:51 -0400
From: david mankins <dm@k12-nis-2.bbn.com>
To: silent-tristero@world.std.com
Subject: [Jamie McCarthy: [IRR] The nightmare]

This is a delightful rant.

The back-story:

        - Some version of Microsoft Internet Explorer has a security
          hole that basically permits an email message to run an
          arbitrary bit of code when the message is read.

        - Having been told of the problem, Microsoft released a patch
          to fix it. Six weeks later.

        - Many, many people have gotten the patch, but it fails to do
          anything in a lot of cases.

        - In some of those cases, it tells you that everything is now
          hunky-dory....

------- Forwarded Message

Date: Tue, 3 Apr 2001 22:30:21 -0400
From: Jamie McCarthy <jamie@mccarthy.vg>
Subject: [IRR] The nightmare

cp@panix.com (Charles Platt) writes:

> Have not upgraded from what to what?

Well, that's the problem. It's almost like Microsoft wants its users
to be vulnerable. According to Wired, MS took six weeks to release
the patch after being advised of the security hole. (Six weeks!)

Instead of releasing a single patch that would work on all versions of
MSIE, they released two, thus immediately doubling the complexity of
the upgrade process.

Not only will the wrong patch not work, but even the right patch will
fail if you have already upgraded your MSIE _too_far_. Microsoft's
instructions are essentially to _uninstall_ your copy of MSIE,
_downgrade_ (but how do you download the older version if you removed
MSIE? oops), and then apply the proper _upgrade_ patch. Wow.

The icing on the cake, the just _unbelievable_ thing, is that if you
try the right patch and your system has been upgraded to the wrong
thing, you will be told that you're safe when you're not. Boggle. Of
all the security things you want never, ever to do. And this is after
_six_weeks_ of preparation by the Microsoft team.

I don't think the importance of this security hole can be overstated.
This should be front-page news on every newspaper and the lead story
on your 11 o'clock TV news. This allows an attacker to take over your
computer by sending you an email. No attachments, no double-clicking,
no visiting websites. You read the email and suddenly your computer
does not belong to you any more, it belongs to someone else. If you're
lucky it belongs to some shadowy cabal from Turkmenistan or Taiwan.
If you're unlucky, your IP number has been publicly posted and your
machine belongs to ANYONE WHO WANTS IT.

The nightmare, the just utter nightmare, is that some punk kid will
write the next Melissa or ILOVEYOU worm -- we're overdue now, people
have already forgotten Anna Kournikova's legacy -- and it spreads
around the world just as quickly as any of its predecessors. Except,
instead of just being annoying and clogging mail servers, this worm
has a payload: it opens a telnet backdoor in your system, maybe
replaces a few binaries with workalike trojans, and then posts your
IP number to alt.u.r.hacked.

And then it proceeds to find the last 100 people who have emailed you,
and it emails them, "Re:" that last mail, with itself as an
attachment. Those 100 people will just think you forgot to type in an
email message, but now they're infected too. Oh, and it finds 100
random recent .doc files on your hard drive and uploads their content
to FreeNet (maybe looking for key words like "secret" or "love"). But
you won't even know anything's wrong until you hear it from CNN.

Suddenly the entire world -- the entire freaking stupid Petri-dish
Microsoft-suckling silly ignorant world -- belongs to the crackers.
What will the internet be like when, say, 30% of the machines on
the net are 0wned by anyone who wants to telnet into them?

It will be complete and utter chaos. It will be unimaginable.

We are literally standing on the brink of worldwide catastrophe, the
meltdown of the entire world's computing infrastructure. We are right
now in a situation where a 15-year-old with a little free time between
classes can destroy the machines on which the world's economy depends,
and destroy it so thoroughly that it will take six months to clean up.

This is a national crisis. This should be on the front page of the
New York Times. The President of the United States should be urging
people to upgrade their browsers. But you cannot even find news about
this on the homepage of the Microsoft website!

Let me repeat that: YOU CANNOT FIND INFORMATION ABOUT HOW TO UPGRADE
YOUR BROWSER ON THE MICROSOFT HOMEPAGE.

In fact, even if you know to go to microsoft.com/security, you still
have to go TWO MORE CLICKS before you get to the place where you can
BEGIN TO DOWNLOAD THE PATCH.

And the worst part? If (when!) this 15-year-old kid just takes the
final logical step and writes the worm that pulverizes the internet,
the newspapers and TV and radio and magazines will all just quote
Microsoft about how unfortunate this is, and how Microsoft had a patch
out in time, and how writing such a worm needs to be punishable by
serious, serious punishment, the kind of serious, serious punishment
which will be really serious to 15-year-olds.

The worst part -- the very thought of blaming Microsoft will never be
uttered, not breathed nor even considered, by a single pundit or
talking head or newspaper editor, because -- the underlying thought,
which everybody accepts without ever consciously considering -- what
other choice do we have?
-- 
        Jamie McCarthy
        jamie@mccarthy.vg
 http://jamie.mccarthy.vg/

------- End of Forwarded Message



This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 08:06:50 MST