[ale] [OT and sorry] - M$ patches and security advice?

Nathan J. Underwood lists at cybertechcafe.net
Fri Sep 12 09:18:58 EDT 2003


THAT was a good read!  Very well said Mr. Rickman!

Quoting Jonathan Rickman <jonathan at xcorps.net>:

> On Thursday 11 September 2003 21:20, Frank Zamenski wrote:
> 
> > If the ver is Win2K SP3 (or maybe it is SP4?), it has a slightly
> > different gimmick (it was added with one of those later SPs): like Win
> > eXtra Poo does now, it encourages you with this damn annoying info
> > balloon you see on your lower-right desktop shortly after logging in
> > (which you can NOT disable) to set up auto-update. It is said that by
> > enabling that, the OS will then do all this update nonsense for you in
> > the background, doing gawd only knows what to the PC. Can't say I
> > recommend it.
> 
> Frank this is not directed at you in particular.
> 
> I need to clear up some apparent misconceptions about how the Windows 
> Update process works. If it sounds like I am defending MS, then so be it. 
> Secure computing is my number one priority, Linux evangelism takes a 
> backseat and with it, MS bashing. Do not be afraid of Windows Update, 
> just be cautious when using it just as you should be when patching any 
> system. You really have no choice in the matter if you want a secure 
> system. MS is the sole provider of Windows and is therefore the sole 
> provider of updates. Different from the Linux world? Yes. Hard to 
> understand? No. The auto update feature can be disabled on 2k and XP (not 
> sure about 9x), contrary to what has been stated. If enabled, it will 
> contact MS periodically to check for the presence of an updated file (XML 
> IIRC) and compare that file against its registry. This can be verified 
> using standard network and system diagnostic tools. There are 3 settings 
> to the current version of Windows Update on Win2k and WinXP. You can set 
> it to notify you when updates are available, download updates without 
> installing and notify you when they are ready, and for the truly 
> brave...automatically download and install patches at a scheduled time. I 
> do not recommend the third option, for obvious reasons. Windows is not 
> quite like a *nix system, where you can effectively ignore many security 
> advisories that involve local exploits on a single user system. The 
> internals of a Windows system are so tangled that practically any 
> vulnerability can be leveraged remotely with a little creativity on the 
> part of the attacker. Often the presence of more than one vulnerability 
> that alone is not critical, can lead to a total compromise of a Windows 
> system. IMNSHO, failing to take advantage of this service on a Windows 
> system is...ahem...not smart. Ironically, many of those who turn the 
> feature off for whatever reason, are the same folks who won't hesitate to 
> apt-get/emerge themselves into oblivion without so much as a moment of 
> hesitation. They will often brag about it as well. Security is a process, 
> not a product. I would daresay that I can lock a Windows box down tighter 
> than 90% of Linux admins can lock down their Linux boxes...and I 
> personally despise Windows. Does that make Windows more secure? No. It 
> means that my methods are more secure. If you run Windows, use Windows 
> Update. Don't leave yourself open to compromise. If you distrust MS to 
> the point that you will not patch Windows, then IMO you should not use 
> Windows at all. Furthermore, if you're that paranoid you should not trust 
> Linux distributors either and should build from audited source. I'm all 
> for a good old fashioned MS bashing session, but let's not hand out bad 
> advice in the process. 
> 
> -- 
> Jonathan Rickman
> Key ID: 0DF501FF
> 


-- 
Nathan J. Underwood
nathan at cybertechcafe.net
http://www.cybertechcafe.net


