Security Incidents mailing list archives

Re: Microsoft's Early Xmas Present.


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 3 Jan 2002 10:44:52 -0700 (MST)

On Thu, 3 Jan 2002, David Kennedy CISSP wrote:

> At 10:04 PM 12/29/01 -0700, Ryan Russell wrote:
> After watching all the NIMDA hits we're still seeing, this idea has some
> appeal, but I also seem to recall a great hue and cry from the digerati when
> DMCA and UCITA were interpreted to include a "remote kill" function a
> software publisher could trigger that sounds a lot like this.  Think back
> to July and September: would we *really* want anyone to have the ability
> to turn off IIS all over the world in response to Code Red or NIMDA?

What I propose is a little bit different from a remote kill.  A simple
expiration, with warnings ahead of time.  Think MS's evaluation versions
of Win2K for example, which are good for 120 days, and start complaining
about 2 weeks before they cut off.

I failed to explain part of my thinking in my first note.  Naturally, MS
would seemingly not be willing to do such a thing, users would complain,
etc...  And I would never even have considered something like this to be
viable.  However, MS has already shown a willingness to put Office XP into
cripple mode if your system appears to have changed too much, unless you
check in.  So, I figure if they can do it for copy protection reasons, why
not for security?

No, I don't expect this to actually happen.  This is just one suggestion
as to how the problem might be improved.  Perhaps having an extreme option
might help drive a realistic one.

As a side note, one person pointed out that some of these patches are
huge, and what about modem users?  I can see a couple of solutions; One,
some sort of baby patch that perhaps disables a service rather than
patching it, until the real patch can be obtained.  Two, allow people to
buy a subscription.  Make MS allow other vendors to have the update images
to cut their own CDs, so it's not another profit center, ala Red Hat
repackagers.

I think the CD image idea has merit.  I was at a friend's house last night
trying to download DirectX 8.1 over a modem at their place.  After it died
with 1 minute to go, I am now prepping a CD of all the patches they need
via my home DSL line.  It would be great if I could download an ISO image
from MS.

                                        Ryan


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

