OT: Windows Vista security 'rendered useless' by researchers

Bob Sneidar bobs at twft.com
Mon Aug 11 13:58:57 EDT 2008


I think the gist of this story is that their methods are not like  
previous low level methods which require a fairly sophisticated degree  
of competency, and that they used a completely new vector. I also took  
note that their methodology was not SPECIFICALLY Vista-based as it did  
not take advantage of any specific Vista vulnerability, so the  
possibility of using these methods on other platforms is at least  
theoretically viable.

While my gut instinct is to ban Vista OS on my network until Microsoft  
addresses this (if indeed they can) my ears are perked up for any  
information on vulnerabilities that are developed for the Apple OS and  
Linux as well.

The real bear here that I can see is the possibility of going to a  
perfectly valid web site to do my banking let's say, and then having  
content injected into my web browser unbeknownst to me that could  
compromise my credentials. THAT would be pretty bad. If that is what  
we are talking about, then this is far more profound than just another  
newly discovered vulnerability.

Bob Sneidar
IT Manager
Logos Management
Calvary Chapel CM

On Aug 11, 2008, at 3:55 AM, Richmond Mathewson wrote:

> I just love phrases like 'rendered useless'. Now I am not a great  
> fan of Microsoft products, but:
> I ran a Pentium 3 with Windows 2000 for a year; running about 16  
> hours a day, with not a single virus, trojan or relative of  
> pinocchio causing problems. How did I do it?
> 1. By realising that the makers of the OS probably didn't give a  
> d**n about the security of my computer, and in fact might favour my  
> rig being a leaky sieve.
> 2. By realising that the only person who was likely to care about my  
> rig was me.
> 3. By reading an awful lot of boring stuff about firewalls and then  
> implementing most of it.
> 4. Steering clear of 'funny' websites, and not downloading software  
> (ran Firefox and Open Office and nothing else).
> So, I successfully rendered Windows 2000 useful.
> Every time I install an operating system on a computer (doesn't  
> really matter who made the OS) I have to render it useful; this is  
> because I start with the idea that the system is probably fairly  
> leaky. This takes considerable time and effort. I spend quite some  
> time every year helping people who bought PCs with Windows  
> pre-installed, because, of course, the person who installs these OEM  
> versions doesn't care about the customers, he/she has to install the  
> max. number of OSs in the minimum of time - by the quickest method  
> (i.e. keep clicking the default button).
> I am quite sure that Windows Vista, for all its millions of jazzy  
> windoids that go on and on and on and on about security, is no  
> better than half the experienced people who find joy in breaking  
> into operating systems. It would, for the sake of argument, be  
> perfectly possible to write a "nasty little widget" in Runtime  
> Revolution that would delete an awful lot of the 'C' drive before  
> anybody noticed; why anybody would want to do that beats me.
> People who use phrases such as the header of this message to urge  
> people to change their OSs and/or computers also look a bit silly  
> as they beg the question: how long will it be before there is a  
> full-scale attack on the Mac OS? or a Linux distro?
> I'm digging out some Rhapsody DR2 disks that a friend gave me in  
> about 1999 (neither he nor I ever used them) and going to have some  
> "holiday fun" installing them on a partition on my G3 iMac - why?  
> well, lots of reasons really; but one of them is that by using a  
> fairly old and obscure OS I might be less vulnerable online. I  
> wonder if I can use the PC CD to breathe some life into a P2 I have  
> lurking under the bed.
> One should also pause and reflect on the fact that both Microsoft  
> and Apple produce their operating systems to make money, and if they  
> waited until they had a rock-solid OS that nobody could ever touch  
> they would never make any money at all and the computer industry  
> would collapse, and people like you and me would die of inanition.
> sincerely, Richmond Mathewson.
> ____________________________________________________________
> A Thorn in the flesh is better than a failed Systems Development  
> Life Cycle.
> ____________________________________________________________
