Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: Windows Loophole Spawns Zombies Which Attack the Web

__/ [r.e.ballard@xxxxxxx] on Saturday 29 October 2005 19:02 \__

> This has been a Microsoft strategy at LEAST since Ultraviolet.org
> released a list of reasons why people should not use IE 4.0 with
> ActiveX controls.

ActiveX, to me at least, has a major notoriety. I cannot believe how much
freedom an operating system is willing to give merely anyone. To be stupid
enough as to permit this is either suicidal or intentional, maybe shrewdly
so. Whether it forces people to upgrade or yelp at Microsoft's way, I do not

I have seen E-mails being sent 'behind my back' back in the days when I used
Windows at work. Needless to mention, that was worrying.

> Of course, IE 4.0 was released in 1997, and Microsoft pretty much
> ignored all of the warnings, but threatened to sue the nonprofit
> organization and the owner of the machine used to host these warnings.
> In the original Web Pages, the warnings demostrated how easily one
> could:
>   Create a file anywhere on the PC, including hidden directories.
>   Modify any file on the PC, including hidden files and protected NTFS
> files.
>   Hide any file on the PC - making it appear as if it had been deleted.
>   Actually DELETE any file on the PC - possibly disabling applications.
>   Replace one file with another.
>   Read someones' outlook e-mail.
>   Send someone e-mail using Outlook.
>   Register for a Verisign publisher using false credentials and invalid
> credit cards.
>   Get users to trust your CA without asking.
>   Low-level corrupt the drive to the point where only the drive
> manufacturer can reformat it.
> Some of these hacks are occaisionally republished by other sites, and
> they still work just as well as they always did.  Of course, nowdays,
> it's not uncommon for these sites to trace back to a bogus stolen
> credit card used to pay for both the site and the certificate.  While
> it may not be enough to prosecute the actually creator of the site, it
> is enough to have the site shut down.
> Ironically, the United States government has been using the Patriot act
> to try and track down these Cyber "Terrorists" and uses these sites as
> justification for broader search warrant and internet "wiretapping"
> methods.

This does not address or solve the problem though. As I said before, these
computers must be patched up permanently. You seem to drift away in a
direction which does not provide a true solution. Harsh penalties (or 'scare
factors') are not going to stop spammers from operating in 'exotic' places.

If you manufacture a car with faulty breaks, would you rather flatten all the
roads? Or would you be better off bringing the cars 'back to base' and
fixing them?

> Keep in mind that willfully damaging a computer system of any kind,
> ranging from a corporate server, government server, to a personal PC or
> even a PDA - is a federal crime - felony - and is punishable by 5 years
> in prison PER OFFENSE.  When a hacker does crack thousands of machines,
> and he is finally arrested, the usual practice of the defense lawyer is
> to arrange a plea bargain which includes full disclosure of exactly how
> the crack was done, probation, and 2000 or more hours of community
> service (often working on computer security for OSS projects).  And
> finally, a nondisclosure agreement in which the defendent agrees not to
> tell anyone how he did the hack, how he was caught, or even how the
> case was settled.
> Repeat offenders are often given less leniency.  They are given the
> choice of working for certain government agencies in a "lifetime
> commitment" which usually involves top-secret clearance and very close
> supervision in a tightly controlled environment, and living in an
> environment where they can be very carefully monitored.  In this
> environment, any further violations result in "termination".


Roy S. Schestowitz      |    "Far away from home, robots build people"
http://Schestowitz.com  |    SuSE Linux     |     PGP-Key: 0x74572E8E
  1:00am  up 65 days  8:35,  5 users,  load average: 0.23, 0.36, 0.75
      http://iuron.com - next generation of search paradigms

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index