In the aftermath of swen (some of us are still dealing with it) I was
stunned to read this on the Microsoft homepage: "Stay Secure - Get email
about new security updates". This is targeted at home users (the same home
users who, in their thousands, clicked on that wonderful attachment courtesy
of swen).

Now, does this sound like Trustworthy Computing? There is, admittedly, a
separate page explaining how to tell whether an email came from Microsoft or
not, but this is beside the point. People are confused enough already.
Providing a quick fix is no solution - this just opens the door for more
swen variants, claiming to be sent because YOU subscribed for it, and with
no attachment (Microsoft will NEVER send you an attachment. Click on
<fakeurl> instead).

Does anyone care to attempt to reconcile this irresponsible action with
Microsoft's public stance on security?

David

Re: Get email about new security updates! by Del

Del
Fri Oct 17 21:53:15 CDT 2003

David;

Microsoft NEVER sends attachments with their security emails.

Read some of the messages here and see the difference between the real
ones and the SwenSpams.

ALL of the Swen messages have viral attachments. The Security messages
that Microsoft has been sending for years have NEVER contained an
attachment, but instead have URLs to locations where users can
download fixes safely.

Yes, there is a difference.



On Sat, 18 Oct 2003 02:12:42 +0100, "David Barnard"
<msdn.newsgroups@didactylos.net> wrote:

>In the aftermath of swen (some of us are still dealing with it) I was
>stunned to read this on the Microsoft homepage: "Stay Secure - Get email
>about new security updates". This is targeted at home users (the same home
>users who, in their thousands, clicked on that wonderful attachment courtesy
>of swen).
>
>Now, does this sound like Trustworthy Computing? There is, admittedly, a
>separate page explaining how to tell whether an email came from Microsoft or
>not, but this is beside the point. People are confused enough already.
>Providing a quick fix is no solution - this just opens the door for more
>swen variants, claiming to be sent because YOU subscribed for it, and with
>no attachment (Microsoft will NEVER send you an attachment. Click on
><fakeurl> instead).
>
>Does anyone care to attempt to reconcile this irresponsible action with
>Microsoft's public stance on security?
>
>David
>


Re: Get email about new security updates! by David

David
Fri Oct 17 23:44:58 CDT 2003

Comments inline:
"Del Capslock" <del @ caps.lock.net> wrote in message
news:mia1pvoougflg30ciupak06hq0ndu9pqh5@4ax.com...
> David;
>
> Microsoft NEVER sends attachments with their security emails.

I know this - as do (hopefully) all IT professionals. Your average user,
however, doesn't. The evidence for this is overwhelming.

> Read some of the messages here and see the difference between the real
> ones and the SwenSpams.

The real whats? The official Microsoft email bulletins are a) digitally
signed, b) contain no attachments and c) the bulletin is listed on
microsoft.com. Have you ever considered how easy it is to duplicate this to
the satisfaction of J. Random Idiot? Good grief - Verisign have provided
genuine Microsoft certificates to entities other than Microsoft before now.
Getting something that merely looks convincing is infinitely easier. Many
attacks also use spoof sites instead of attachments. The modifications to
swen would be non-trivial, but there are already other virii that use this
method. Finally, who checks microsoft.com? Well, using the supplied link, J.
Random Idiot will find all the information he is looking for. For once,
Microsoft have grossly overestimated the intelligence of their average user.

> ALL of the Swen messages have viral attachments. The Security messages
> that Microsoft has been sending for years have NEVER contained an
> attachment, but instead have URLs to locations where users can
> download fixes safely.

You're confusing the services: Microsoft have supplied the TechNet security
notifications for years. The recent push to send emails to "home users" is
new - and quite unbelievably misguided. When Microsoft didn't offer this
service, the situation was simple. Any email purporting to be from Microsoft
almost certainly wasn't. Now, the waters are muddied.

> Yes, there is a difference.

Undoubtedly there is a difference. Unfortunately, to people already confused
by swen, the difference is incomprehensible. Offering a service like this is
merely an invitation to Trojan writers. Surely Microsoft don't want yet
another high profile security fiasco?

David
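A mechanical version of the three properties David lists for a genuine bulletin (digitally signed, no attachments, links that point at microsoft.com), written as an added example that is not part of the thread: it parses a raw message with Python's standard `email` library and reports which of the three tests fail. The two sample messages and the lookalike domain `microsoft.com.fakeurl.example` are constructed for this example, and only the presence of an S/MIME signature part is checked, not its validity, which is exactly the gap David's Verisign remark points at.

```python
# Added example (not code from the thread): applies David's three tests for a
# genuine Microsoft bulletin to a raw message. Only the presence of an S/MIME
# signature part is checked, and the forgeable From header is ignored.
import email
import re
from email import policy
from urllib.parse import urlparse

ALLOWED_DOMAIN = "microsoft.com"
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def is_allowed_host(url):
    """microsoft.com or a subdomain only; a substring test would accept lookalikes."""
    host = (urlparse(url).hostname or "").lower()
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)

def check_bulletin(raw):
    """Return the failed tests; [] means signed, no attachments, links on microsoft.com."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.walk())
    problems = []
    if not any(p.get_content_type() in SIGNATURE_TYPES for p in parts):
        problems.append("no digital signature")
    for p in parts:
        # The detached smime.p7s signature is itself an attachment; skip it.
        if (p.get_content_disposition() == "attachment"
                and p.get_content_type() not in SIGNATURE_TYPES):
            problems.append("attachment: %s" % p.get_filename())
    urls = [u for p in parts if p.get_content_type() in ("text/plain", "text/html")
            for u in URL_RE.findall(p.get_content())]
    off_site = [u for u in urls if not is_allowed_host(u)]
    if off_site:
        problems.append("links off microsoft.com: " + ", ".join(off_site))
    return problems

# Constructed worm-style sample: attachment, no signature, lookalike link.
SWEN_STYLE = """Subject: Latest Net Security Update
Content-Type: multipart/mixed; boundary="b1"

--b1

Install the attached patch, see http://microsoft.com.fakeurl.example/patch
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

AAAA
--b1--
"""

# Constructed sample shaped like a genuine bulletin: signed, link-only body.
GENUINE_STYLE = """Subject: Microsoft Security Bulletin Summary
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="b2"

--b2

The bulletin is listed at http://www.microsoft.com/technet/security/
--b2
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"

MIIB
--b2--
"""
```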



Re: Get email about new security updates! by Ken

Ken
Sat Oct 18 05:32:49 CDT 2003

David,

I'm sorry that you do not feel that this initiative will be helpful. Frankly
I feel that there will be some people who will never be able to tell whether
an email originated from Microsoft or not. It doesn't matter whether they
sign up for Microsoft's service or not - think about how many people are
currently fooled by spam that says "you are receiving this email because you
signed up for xxx at one of our sites" - that text is there because some
people actually believe it.

I think Microsoft's making efforts to get their security message out. You're
entitled to your opinion, but I don't think you can knock the Trustworthy
Computing initiative because you think the idea of email bulletins hasn't
been thought out enough.

Cheers
Ken

"David Barnard" <msdn.newsgroups@didactylos.net> wrote in message
news:%23GUuGKTlDHA.372@TK2MSFTNGP11.phx.gbl...
: Comments inline:
: "Del Capslock" <del @ caps.lock.net> wrote in message
: news:mia1pvoougflg30ciupak06hq0ndu9pqh5@4ax.com...
: > David;
: >
: > Microsoft NEVER sends attachments with their security emails.
:
: I know this - as do (hopefully) all IT professionals. Your average user,
: however, doesn't. The evidence for this is overwhelming.
:
: > Read some of the messages here and see the difference between the real
: > ones and the SwenSpams.
:
: The real whats? The official Microsoft email bulletins are a) digitally
: signed, b) contain no attachments and c) the bulletin is listed on
: microsoft.com. Have you ever considered how easy it is to duplicate this to
: the satisfaction of J. Random Idiot? Good grief - Verisign have provided
: genuine Microsoft certificates to entities other than Microsoft before now.
: Getting something that merely looks convincing is infinitely easier. Many
: attacks also use spoof sites instead of attachments. The modifications to
: swen would be non-trivial, but there are already other virii that use this
: method. Finally, who checks microsoft.com? Well, using the supplied link, J.
: Random Idiot will find all the information he is looking for. For once,
: Microsoft have grossly overestimated the intelligence of their average user.
:
: > ALL of the Swen messages have viral attachments. The Security messages
: > that Microsoft has been sending for years have NEVER contained an
: > attachment, but instead have URLs to locations where users can
: > download fixes safely.
:
: You're confusing the services: Microsoft have supplied the TechNet security
: notifications for years. The recent push to send emails to "home users" is
: new - and quite unbelievably misguided. When Microsoft didn't offer this
: service, the situation was simple. Any email purporting to be from Microsoft
: almost certainly wasn't. Now, the waters are muddied.
:
: > Yes, there is a difference.
:
: Undoubtedly there is a difference. Unfortunately, to people already confused
: by swen, the difference is incomprehensible. Offering a service like this is
: merely an invitation to Trojan writers. Surely Microsoft don't want yet
: another high profile security fiasco?
:
: David
:
:



Re: Get email about new security updates! by David

David
Sat Oct 18 09:57:21 CDT 2003

Don't misunderstand me: to date, nearly everything in the Trustworthy
Computing initiative has been positive. The security of 2003 Server is
testament to that. In fact, apart from the email notifications, the only
other thing that seriously concerns me is the new monthly update cycle. I
understand why they did it, but I wish they had listened to the security
experts, and not the voice of their customers for once :-S

David

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:eMX3sMWlDHA.2216@TK2MSFTNGP12.phx.gbl...
> David,
>
> I'm sorry that you do not feel that this initiative will be helpful. Frankly
> I feel that there will be some people who will never be able to tell whether
> an email originated from Microsoft or not. It doesn't matter whether they
> sign up for Microsoft's service or not - think about how many people are
> currently fooled by spam that says "you are receiving this email because you
> signed up for xxx at one of our sites" - that text is there because some
> people actually believe it.
>
> I think Microsoft's making efforts to get their security message out. You're
> entitled to your opinion, but I don't think you can knock the Trustworthy
> Computing initiative because you think the idea of email bulletins hasn't
> been thought out enough.
>
> Cheers
> Ken
>
> "David Barnard" <msdn.newsgroups@didactylos.net> wrote in message
> news:%23GUuGKTlDHA.372@TK2MSFTNGP11.phx.gbl...
> : Comments inline:
> : "Del Capslock" <del @ caps.lock.net> wrote in message
> : news:mia1pvoougflg30ciupak06hq0ndu9pqh5@4ax.com...
> : > David;
> : >
> : > Microsoft NEVER sends attachments with their security emails.
> :
> : I know this - as do (hopefully) all IT professionals. Your average user,
> : however, doesn't. The evidence for this is overwhelming.
> :
> : > Read some of the messages here and see the difference between the real
> : > ones and the SwenSpams.
> :
> : The real whats? The official Microsoft email bulletins are a) digitally
> : signed, b) contain no attachments and c) the bulletin is listed on
> : microsoft.com. Have you ever considered how easy it is to duplicate this to
> : the satisfaction of J. Random Idiot? Good grief - Verisign have provided
> : genuine Microsoft certificates to entities other than Microsoft before now.
> : Getting something that merely looks convincing is infinitely easier. Many
> : attacks also use spoof sites instead of attachments. The modifications to
> : swen would be non-trivial, but there are already other virii that use this
> : method. Finally, who checks microsoft.com? Well, using the supplied link, J.
> : Random Idiot will find all the information he is looking for. For once,
> : Microsoft have grossly overestimated the intelligence of their average user.
> :
> : > ALL of the Swen messages have viral attachments. The Security messages
> : > that Microsoft has been sending for years have NEVER contained an
> : > attachment, but instead have URLs to locations where users can
> : > download fixes safely.
> :
> : You're confusing the services: Microsoft have supplied the TechNet security
> : notifications for years. The recent push to send emails to "home users" is
> : new - and quite unbelievably misguided. When Microsoft didn't offer this
> : service, the situation was simple. Any email purporting to be from Microsoft
> : almost certainly wasn't. Now, the waters are muddied.
> :
> : > Yes, there is a difference.
> :
> : Undoubtedly there is a difference. Unfortunately, to people already confused
> : by swen, the difference is incomprehensible. Offering a service like this is
> : merely an invitation to Trojan writers. Surely Microsoft don't want yet
> : another high profile security fiasco?
> :
> : David
> :
> :
>
>



Re: Get email about new security updates! by N

N
Sat Oct 18 20:48:28 CDT 2003

In article <#yabfTRlDHA.2772@TK2MSFTNGP10.phx.gbl>,
msdn.newsgroups@didactylos.net says...
> Does anyone care to attempt to reconcile this irresponsible action with
> Microsoft's public stance on security?

Would you blame the Federal Reserve, or the U.S. Treasury, for all of the
phoney $20 and $100 bills in circulation? Or would you advise people about
how to detect a forgery?

Does MS not advise people how to detect a forgery? Are people so stupid that
they can't remember whether they actually subscribed to receive Microsoft
Security Bulletins? I am not sure what you expect Microsoft to do. Why don't
you offer suggestions to improve matters, and not just rant at them about
"not doing anything".

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Re: Get email about new security updates! by N

N
Sat Oct 18 20:49:59 CDT 2003

In article <#GUuGKTlDHA.372@TK2MSFTNGP11.phx.gbl>,
msdn.newsgroups@didactylos.net says...
> The modifications to
> swen would be non-trivial, but there are already other virii that use this
> method.

Is a 'virii' something akin to an 'octopi'?

--
Norman

Re: Get email about new security updates! by N

N
Sat Oct 18 20:51:39 CDT 2003

In article <#GUuGKTlDHA.372@TK2MSFTNGP11.phx.gbl>,
msdn.newsgroups@didactylos.net says...
> Have you ever considered how easy it is to duplicate this to
> the satisfaction of J. Random Idiot?

Like counterfeiting currency, eh?

--
Norman

Re: Get email about new security updates! by David

David
Sat Oct 18 21:18:47 CDT 2003

And here was me thinking I had written a measured argument. A quick scan
down some of the other posts in this group will demonstrate exactly how
security conscious the "average" user is.

I am not ranting about Microsoft "not doing anything". (Your quotes, not
mine. And by the way, I'm not impressed by your attempt to sound like you
are quoting me. Frankly, it's rude.) No, I am concerned about this single
service, and its impact on users. It directly contradicts the message
sensible sysadmins are communicating to their users.

I'm afraid I entirely fail to see the connection between your analogy and
what Microsoft are doing. A better analogy would be if forgers put large
quantities of $70 bills into circulation, and soon after, the Federal
Reserve issued a legal tender $70 bill, with instructions on how to tell one
from the other. Crazy, is it not?

David

"N. Miller" <anonymous@discussions.microsoft.com> wrote in message
news:MPG.19fb8d4665e10e91989845@msnews.microsoft.com...
> In article <#yabfTRlDHA.2772@TK2MSFTNGP10.phx.gbl>,
> msdn.newsgroups@didactylos.net says...
> > Does anyone care to attempt to reconcile this irresponsible action with
> > Microsoft's public stance on security?
>
> Would you blame the Federal Reserve, or the U.S. Treasury, for all of the
> phoney $20 and $100 bills in circulation? Or would you advise people about
> how to detect a forgery?
>
> Does MS not advise people how to detect a forgery? Are people so stupid that
> they can't remember whether they actually subscribed to receive Microsoft
> Security Bulletins? I am not sure what you expect Microsoft to do. Why don't
> you offer suggestions to improve matters, and not just rant at them about
> "not doing anything".
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint



Re: Get email about new security updates! by Robert

Robert
Sun Oct 19 05:38:33 CDT 2003

David Barnard wrote:
> Don't misunderstand me: to date, nearly everything in the Trustworthy
> Computing initiative has been positive. The security of 2003 Server is
> testament to that. In fact, apart from the email notifications,

I think we'll just have to say that "You can't please everyone". I don't
feel there's much wrong with that.

> the
> only other thing that seriously concerns me is the new monthly update
> cycle. I understand why they did it, but I wish they had listened to
> the security experts, and not the voice of their customers for once
> :-S

If you understand it perhaps you could explain it to me? I'm thinking it's
about the dumbest thing I've seen in a while right now.


--
Rob Moir
Microsoft MVP for servers & security
http://www.robertmoir.co.uk



Re: Get email about new security updates! by David

David
Sun Oct 19 11:35:55 CDT 2003

<snip>
> > only other thing that seriously concerns me is the new monthly update
> > cycle. I understand why they did it, but I wish they had listened to
> > the security experts, and not the voice of their customers for once
> > :-S
>
> If you understand it perhaps you could explain it to me? I'm thinking it's
> about the dumbest thing I've seen in a while right now.

If you had a million customers screaming that there are too many updates,
what would you do? I know what I would do, but it seems Microsoft have
thrown in the towel. I would dearly love to hear them (officially) try to
justify it from a security standpoint.

David



Re: Get email about new security updates! by Robert

Robert
Sun Oct 19 12:21:39 CDT 2003

David Barnard wrote:
> <snip>
>>> only other thing that seriously concerns me is the new monthly
>>> update cycle. I understand why they did it, but I wish they had
>>> listened to the security experts, and not the voice of their
>>> customers for once :-S
>>
>> If you understand it perhaps you could explain it to me? I'm
>> thinking it's about the dumbest thing I've seen in a while right now.
>
> If you had a million customers screaming that there are too many
> updates, what would you do?

Improve the quality of the code by stopping marketing from setting the
release date. Insist of auditing of all code going into the product
including, if not especially, code that is being "grandfathered" in from
previous versions of the products.

> I know what I would do, but it seems
> Microsoft have thrown in the towel. I would dearly love to hear them
> (officially) try to justify it from a security standpoint.

Me too.



Re: Get email about new security updates! by Christopher

Christopher
Sun Oct 19 16:16:05 CDT 2003

> No, I am concerned about this single
> service, and its impact on users. It directly contradicts the message
> sensible sysadmins are communicating to their users.

What really doesn't make much sense is that there are now so many delivery
methods. Rather than plaster an ad about a new service on the front page of
the site, why not use the space to advise users about the Automatic Update
service?

Right, some people have complained about it being irritating, so it's
apparently better to send mass mailings. Fixing the existing product would
require effort and research, and wouldn't produce yet another mailing list
that "will only be used for security purposes" or however Microsoft phrases
it. I really don't see how this will reach a new audience.


> I'm afraid I entirely fail to see the connection between your analogy and
> what Microsoft are doing. A better analogy would be if forgers put large
> quantities of $70 bills into circulation, and soon after, the Federal
> Reserve issued a legal tender $70 bill, with instructions on how to tell one
> from the other. Crazy, is it not?

A slight stretch, but not horrible. I know of several sysadmins who were
able to say "no, those emails that say they're from Microsoft are not real,"
and thus keep users from being infected. I really hate to use AOL as a
positive example, but their policy of never asking for billing information
by email or IM actually works in most cases.

Now we have to rely on the discretion of all the people who don't want to be
bothered with it, don't see why there are so many problems in the first
place, and in some cases prefer to live with relatively nondestructive
spyware and worms rather than all the trouble of keeping them off.

Granted, it's not Microsoft's fault that its users aren't diligent and fully
informed, but the company really needs to recognize that these users
represent a large market segment. So either leave available the option to
make blanket statements like AOL's by not sending such email, or find some
way to inform the users that coincides with their frustration levels and
less than perfect understanding of the system.

If you read a User Interface design essay or book, it'll tell you that
you can't expect the average user to read so much as a paragraph, especially
when he or she is trained to "just click OK" all the time. So I would expect
it to be easier to state "don't open Windows patches in email" than to
explain how to tell the difference, and much more likely to stick with the
user.


We probably need to give Microsoft a little time to see if the company will
properly educate its users, or release something to simultaneously fix and
apply a prevention patch for the most common scam updates. If a user's going
to "click everything" anyway, as is likely to follow from the current
strategy, I suppose having the real ones mixed in will eventually cut down
on infections. It just doesn't seem like a very good method to me, but I'll
grant that we can't always have optimal solutions.

--
Christopher Hance
MCDBA, frustrated support provider