windows is beyond a joke (or, why we’ll all be using macs soon)

Mom has been limping along on a 7 year old computer that tries to run XP. Unfortunately, Dad loaded MS One LiveCare on it and didn’t realize that they could do the internetz w/o the MSN software from the ISP. This comp is a dog, so miserably slow I would literally throw it in the garbage if it was mine. We finally talked Bill into getting a new computer, but it has Vista on it, with a coupon to jump to Windows 7 when available. So I have her old slow comp with XP, her new fast comp with Vista, and the self-imposed task of installing software and moving files over.

I got my start on Linux, used Windows along the way for personal desktop / multimedia / etc. All along the way, for almost 20 years now, I’ve despised Windows for being poorly written, given minimal QA and generally being about the most un-intuitive operating system out there. Compared to my recent Mac Air purchase and experience, I can’t see how people tolerate Windows any more.

Today, these are the stupid problems I ran into that remind me yet again why our industry needs to move away from Windows (any version):

– Windows LiveCare. Microsoft’s (failed) move into security. Supposedly protects a PC by managing a firewall, having a subscription to some signatures etc. In reality, it is the most invasive and annoying software you can get. The number of times it pops up with vague warnings of not being protected is absurd. Not to mention the ‘Windows Live’ suite shows up over a dozen times in the installed software (less than the 23 pieces of software that show up after installing Canon’s tools for her camera), embeds itself into everything it can (yet another ‘toolbar’ for IE). I uninstall it to try to make the rest of my task easier, only to have it force IE to load, dump me on a Microsoft page to take a survey about my experience with it, and promptly tell me the survey is closed.

– XP computer shares out the entire D drive. Vista mounts that drive, and can copy some files but not others, citing ‘permission problems’. All of the files/directories on the XP machine were created at the same time, by the same method, by the same person. Why do some magically have permissions that restrict this operation?

– Vista, their idea of security through ‘UAC’ is so pitiful you can’t even laugh at it. Every single thing you do, click a warning dialog 2 – 4 times. Copy a file, install software, load some programs, anything. It makes you click these warnings so often, any user will become numb to them in 18 seconds and start blindly clicking them. What’s the point? Is that really how Microsoft envisions good security working, to nag the user like that? Rename a local folder on Vista, click twice to confirm/allow.

– Manage to share a drive out on Vista, mount via XP and try to copy files. Apparently, even with XP, Microsoft never figured out file-by-file copying. The 6 gigs I try to move bombs out after a few minutes and gives me “not enough server storage is available to process this command”. Err ok, so the copy is aborted, just try to open the shared drive and same error. Yes, I have to reboot just to access the share again. After reboot, can’t mount the share anyway with the ever descriptive “The specified server cannot perform the requested operation” message. After renaming the folder, resharing it AND rebooting Vista, XP can mount it. (over 10 gigs to move, XP comp only has USB1, that wasn’t an option)

– After three reboots (security patches, Windows patches, Norton), Vista runs fine. Fourth reboot it wants me to install driver software for my PCI Simple Communications Controller. WTF? The HP Advisor software I disabled is back. WTF? Trying to reinstall the modem software that I removed because it said it was taking 18.2 GIGS of space.

My MMA Wish-list…

I enjoy watching mixed martial arts (MMA). It is extremely demanding, compared to boxing for example. The multi-disciplinary style each fighter must learn or cope with keeps fights interesting. While I appreciate a good old brawl in the cage, I can also appreciate technical fighting and submissions. That said, there are some parts I’d love to see change, even once in a while.

  1. “I have to thank God..” as part of the winning speech. Ok fine, you got the power from God. Just once, one of these god-fearing religious types needs to blame god when they lose. “Well, I guess God had it in for me this time..” or maybe “Wow, ya know, God really failed me here.”
  2. A fighter needs to enter the ring, and not have a single tattoo. No visible ink at all. No over-done tribal, no cursive names, no elaborate fiery demons.
  3. A fighter needs to enter the venue to an unconventional song, these ‘bad ass’ songs and lame rap songs are boring. Joe Blow entering to Portishead’s “Sour Times” would be great.
  4. Just one fighter needs to use his name, and not a nickname. Joe Blow fighting this time. Not Joe “The Savage” Blow or Joe “Facemangler” Blow.
  5. If you talk shit for days before a match, don’t wuss out afterwards, even if you win. You spent hours calling the other guy a pussy, saying he can’t fight and that he chugs cock between matches. After you beat him, or he beats you, don’t wuss out with “yeah, just talking shit, he’s a great fighter blah blah wimp wimp”.

OSVDB Content Update

[This was originally published on the OSVDB blog.]

I always mean to post these more often, but I find myself bogged down in adding entries and putting off blog updates. Quite a few little blurbs and thoughts related to OSVDB content.

Changelogs

  • I love vendors who maintain good changelogs. A good changelog has many attributes: version release with date, links to bugs/forums when appropriate, clear but concise language, categorized entries such as ‘security’ or ‘feature’, etc. Further, the changelog should be easy to find and stay updated. Rhinosoft (they maintain many other products as well) is a company that serves as a great example of this.
  • On the flip side, I despise vendors with bad changelogs. One example is IBM, which keeps these ridiculously large changelogs, mostly in CAPS with overly vague wording for many issues. As an example, check out this 1.4 meg changelog and try to pick out all the security issues.
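As an added example (not OSVDB's code, nor any vendor's), here is a small Python parser for a changelog written in the style the first bullet praises: dated version headers, one tagged entry per line, and bug or URL references. It pulls out the entries tagged ‘security’ and, for the second bullet's case, flags untagged entries whose wording suggests a security fix so a VDB maintainer can review them by hand. The sample changelog text, the header format and the keyword list are all constructed assumptions.

```python
import re

# Constructed sample changelog in the style the post praises: dated version
# headers, one entry per line, a [category] tag and bug or URL references.
# The last release shows the bad style: untagged, all-caps, vague wording.
SAMPLE_CHANGELOG = """\
== 3.2.1 (2009-09-15) ==
[security] Fixed buffer overflow in FTP LIST argument handling (bug #1234)
[feature] Added IPv6 listener support
== 3.2.0 (2009-08-01) ==
[SECURITY] Directory traversal in web admin file viewer, see http://bugs.example.invalid/1200
[bugfix] Corrected log rotation on Windows
== 3.1.9 (2009-06-20) ==
FIXED A DENIAL OF SERVICE WHEN PARSING MALFORMED PASV REPLIES
Updated translations
"""

VERSION_RE = re.compile(r"^==\s*(?P<version>\S+)\s*\((?P<date>\d{4}-\d{2}-\d{2})\)\s*==$")
ENTRY_RE = re.compile(r"^(?:\[(?P<cat>[^\]]+)\]\s*)?(?P<text>.+)$")
REF_RE = re.compile(r"https?://\S+|#\d+")
# Words that usually mark an untagged entry as a security fix; this list is an
# assumption of this example, not an OSVDB classification rule.
SECURITY_WORDS = ("overflow", "traversal", "denial of service", "injection")

def parse_changelog(text):
    """Return one dict per entry: version, date, category, text, refs."""
    entries, version, date = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = VERSION_RE.match(line)
        if m:
            version, date = m.group("version"), m.group("date")
            continue
        if version is None:  # text before the first version header is ignored
            continue
        m = ENTRY_RE.match(line)
        cat = (m.group("cat") or "untagged").lower()
        entries.append({"version": version, "date": date, "category": cat,
                        "text": m.group("text"), "refs": REF_RE.findall(m.group("text"))})
    return entries

def security_entries(text):
    """Tagged security entries, plus untagged ones whose wording suggests a security fix."""
    out = []
    for e in parse_changelog(text):
        if e["category"] == "security":
            out.append(e)
        elif e["category"] == "untagged" and any(w in e["text"].lower() for w in SECURITY_WORDS):
            out.append(dict(e, category="security?"))  # flagged for manual review
    return out
```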

Searching OSVDB – Our search engine got an overhaul a while back. While better overall, there are still a few bugs in it. Our dev is going to be available part time come Oct 1, so hopefully they will be knocked out in short order. Until then:

  • If search results seem wrong, try using all lower case or exact case. Known bug that some searches seem to work with one, and not the other.
  • We use keywords when appropriate. This can be useful for example, if you want to see all vulnerabilities in Zoller’s recent multi-browser disclosure. Search All Text for “one bug to rule them all”.
  • Using references as a search field can be valuable. If you want to see all vulnerabilities in PHP (the core language), you can’t title search because of so many PHP applications littering the results. Instead, reference search “php.net” for a concise list.
  • If you search for two terms, it will show results with both words. Searching with three terms will show results with any two words. Known bug! Until fixed, you can work around this by using “+one +two +three” search syntax, with a plus leading each keyword.
  • OSVDB is also tracking vulnerabilities in electronic voting machines. While still in progress, we have scoured the excellent technical reports from the State of California on Premier Election Solutions (formerly Diebold) and have made good progress on Hart InterCivic. To see all of these vulnerabilities, search All Text for “Electronic Voting Machine”.

Historical Content

  • I recently finished combing through the old Zardoz mail list archives. All of the vulnerabilities from that list, operated by Neil Gorsuch between 1989 and 1991, are now in the database. For those interested in historical vulnerabilities, reference search “securitydigest.org/zardoz” to see them. 63 vulnerabilities, only 7 of which have CVE references. Unfortunately, the mail list archive is not complete. If anyone has digests 126, 128, 206, 214, 305, 306, 308, 309, 310 or 314, please send them in!
  • Similar to Zardoz, but already in OSVDB for over a year, you can reference search “securitydigest.org/unix” for the old Unix Security Mailing List disclosed vulnerabilities. There is some overlap with Zardoz here, but it should yield 57 results, 6 of which have a CVE reference.
  • For crypto geeks, you can title search “algorithm” to get a good list of cryptographic algorithms, and when they were demonstrated to be sufficiently weak or completely broken. These go back to 1977 and the New Data Seal (NDS) Algorithm.

Random Notes

  • I recently noticed another case of a vendor threatening mail list archives. Looking at the Neohapsis archive or the lists.grok.org.uk archive of a recent report on Inquira vulnerabilities, you can see each has redacted information. Mail list archives provide a valuable service and typically get little to no benefit for doing so. Despite that, it would be nice if they would post the actual legal threat letter when this occurs.
  • The OSVDB vendor dictionary has been around for a while, but needs additional work. It is the first step in not only providing vendor security contact information, but building a framework for “vendor confidence”. This will eventually allow researchers to determine how cooperative a vendor is and if it is worth their time to responsibly disclose a vulnerability. As it stands, the Vendor Dictionary is primitive and needs to evolve quickly. One example of a problem we ran into is that a researcher submitted a case where they had a ‘bad dealing’ with a given vendor and it is included in the notes. The vendor contacted us, quite surprised to see it, and asked if we agreed with it. I responded that no, that was far from our own dealing with the vendor and that they had been great to work with in disclosing vulnerabilities, providing additional details or answering general questions. Reading our entry on the vendor doesn’t reflect that, and it should. Hopefully in the coming months, with a part time developer, we can begin to address this.
  • When sanitizing takes its toll. BID 28219 has a link to an exploit that appears to have aggressively sanitized characters. Or did the researcher actually send that in? VDBs need to be mindful of this and add a note if they are displaying the submission as is.