27th August 2005: Microsoft Virus Control
eweek articleFirst, MS patch the bug, and post the patch, with a (presumably updated or incorrect) bulletin message, so the signature was invalid. Trivial mistake, so that's easy to fix. Then the exploits are discussed by the community, and (this is not explicitly stated) the patch clearly does not fix the actual problem, only one particular aspect of the problem. So a new advisory is published (no code, just an advisory). The politicians must then have got involved, for this priceless quote:
"Customers using Windows 2003 Server SP1 [Service Pack 1] weren't impacted by the vulnerability because of changes we made. This is best example of learning how to make product more resilient to attack and have it be secure by default.""No surprise here, since the actual flaw was clearly not fixed by the patch:
On Saturday, the MSRC staff checked the lists again and found that the proof-of-concept code was being modified. "People were looking at it, changing it, making it more dangerous"A customer kindly provides Microsoft with a sample of an actual attack. Management are contacted, and a web page is created.
CNN got hit. With fabulous spin-control,
We invited them to the Situation Room, and we let them help us get the word out. This attack against CNN was not a new attack. It was the same thing we were seeing since Sunday, but it became a major story because some big media companies got infected.This does blow away the previous claim that "W2k is ancient, so nobody is really using it any more" - CNN use it, and got hit by sloppy code. This forced MS to update their removal tool earlier than expected.
The article implies that the job is now "done".
Countless W2k machines remain unpatched for this vulnerability... the only way to save yourself from this attack
is to configure (and trust) automatic updates, and have the necessary bandwidth for this to be practical.
At school, I was constantly reminded that with rights, comes responsibility. Surely with monopoly, comes responsibility.
Responsibility to write secure code in the first place, and responsibility to secure users once a flaw becomes known.
In the motor industry, this (like most remote security attacks against computers) would be considered a "recall" issue,
whereby all owners would be notified of the flaw, and it would be fixed by the vendor. MS have published a fix, but
the difference is that random strangers aren't trying to abuse any design/implementation flaws in my car, and that
Microsoft only noticed the problem after it had been noted by the outside community.
Trustworthy Computing? They need to understand the word before they can make it work.
11th August 2005: ZDNet strike back at Google
ZDnet have an excellent comment in response to Google's decision to refuse any quotes to their parent company, C|Net, after C|Net reported on how Google can be used to identify personal information, using for an example, Google CEO Eric Schmidt.
Apparently Google took offence to the article; to be fair, the personal information is publically available about Schmidt
because public information has been written about him, being the CEO of a large company, so C|Net's inferrence that
Google has the power to provide such information about lesser mortals is disingenuous. The second point, that Google
store gmail users' emails is pretty well obvious, and applies to any email provider. It is true that Google also
hold various other bits of information about users; they have the potential to tie my website's adverts (and content)
to myself, as well as my emails, web search terms, buying preferences (when I occasionally use Froogle), and other
information.
Any savvy user will spot that visiting www.google.com will install a cookie on their PC, like this:
Set-Cookie: PREF=ID=060bd629b77abc2a:LD=en:TM=1123801586:LM=1123801586:S=Kpn03Cbx8NsFeTiL; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.co.uk
Note the expiry date: some time in 2038. So they can tie my previous searches to me, even though I've rebooted and got a new IP address since then; it's the same PC, same cookie, so they can still tie that search down to me. If I log in to Gmail, or check how my website's Google adverts are performing, then they know that that cookie refers to me, and the registration information I have supplied to them for the email account and advertising account (which includes my bank details so they can pay me for any adverts clicked on).
It's pretty scary stuff; it's also been public knowledge for a long time (at least for anyone who cares to think for a few minutes about how data can be linked to other data). C|Net have simply drawn attention to it. Use Google at your own risk,
as with any service. Clear your cookies every time you visit Google to mitigate the risk.
It's not a huge issue, so my take is that C|Net have hyped it, and that Google have over-reacted to C|Net's hype.
That's why it's nice to see that ZDnet have taken a pretty relaxed stance on the issue.
The Register's Andrew "love him or hate him" Orlowski has an article on the subject.
Update: A Slashdot comment provides
some interesting info: http://ericschmidt.com/ provides a yahoo.com email address!
another Slashdot comment points out that 7 of the 9 links provided were to press releases and news articles; the other two to were Schmidt's personal home
page, and a blog entry.