Archive | June, 2004

InfoWorld: Experts agree on method, not scope of IIS attacks

Tomalak’s Realm links to InfoWorld: Experts agree on method, not scope of IIS attacks.
“We don’t have significant reports of Web sites compromised or of
people sending us examples of the new Trojans,” he said. “I’d rate this
a low risk if you’re patched and a medium risk if you’re not.” Still,
other security companies reported widespread infections.

Three exploits took place at once: the IIS 5.0 servers had an SSL flaw
(patched in MS04-011) that allowed them to be infected. The Windows PCs
had two flaws: an MHTML handling problem in Outlook Express and IE
(also patched, in MS04-013) and a cross-site scripting exploit
identified last week that remains unpatched.

If you must use IE (for example, I can’t get to the Microsoft KnowledgeBase without it), make sure to do the following:

  1. Set your IE security level to high (Tools, Options, Security:
    Select ‘High’ from the drop-down and then ‘Reset’ – you’ll want to note
    your previous settings and record them somewhere in case you’re having
    problems browsing), and
  2. Make sure your virus scanners are up to date. Even though I had
    upgraded to NAV 2004 on Friday and updated to the most recent files
    then, I downloaded two updates this morning (Sunday) with 1.2Mb+ of new
    stuff in them.

NYT: Drug makers bribe docs to write prescriptions

New York Times: NYT HomePage reports As Doctors Write Prescriptions, Drug Company Writes a Check.
“An investigation has shed light on the system of financial lures that
drug companies use to persuade doctors to favor their products.” 
By Gardiner Harris.

In many ways, the investigations are a response to the evolution of the
pharmaceutical business, which has grown in the last quarter-century
from a small group of companies peddling a few antibiotics and
antianxiety remedies to a $400 billion behemoth that is among the most
profitable industries on earth… Offering
treatments for almost any affliction and facing competition in which
each percentage point of market share can represent tens of millions of
dollars, most drug makers now spend twice as much marketing medicines
as they do researching them.

This sounds like a market out of control. The arrangements between
the manufacturers and distributors (doctors) leave patients worried
about whether they are getting an informed and impartial decision, while
they are left ignorant of the economics of the arrangement, both between
manufacturer and doctor, and in what their insurance ends up paying.
This is capitalism with a fatal flaw: deals go on in the back room that
the players aren’t aware of. When the system is made transparent,
products can compete far more fairly.

One fix for IE?

Microsoft Watch from Mary Jo Foley reports Another Good Reason to Download XP SP2 RC2.
“Microsoft says folks running the recently delivered release candidate
2 of Windows XP Service Pack 2 aren’t vulnerable to the new “Download
Ject” attack that’s romping across the Web.” 

So, instead of getting a patch for IE, you can download a *beta* version of a service pack Woody Leonhard calls a “seriously risky patch job” or you can choose to use another browser that’s not affected. Hmmm…

Attack stopped, but vulnerability continues…

News.Com: Web site virus attack blunted.
“The attack, which had turned some Web sites into points of digital
infection, was nipped in the bud on Friday, when Internet engineers
managed to shut down a Russian server that had been the source of
malicious code for the attack.” Link via Tomalak’s Realm

Surfing the web or providing web pages with Microsoft products? Stop.

InfoWorld: Top News reports: “Web attack aims to steal surfers’ financial details.
A new Internet attack discovered late Thursday was designed by an
infamous group of Russian virus writers to steal credit card and other
financial information from Web surfers and send it to Web sites where
it can be retrieved by hackers, security experts warned Friday.” The
key paragraphs:

“Security experts
have said that the attack only affects users of certain versions of
Microsoft Corp.’s Internet Explorer browser…
Additionally, Cluley said that it appears that the threat only affects
Web servers running Microsoft IIS 5 (Internet Information
Services) Web Server software and not Microsoft IIS 6, which comes with
Windows 2003 Server.”

Make sure you’ve patched IIS with the
Sasser patches. Raise the shields high on IE, or better yet, get a
secure browser. According to the article, some *major* sites have been
hacked, so watch those credit card bills!

Update: According to this article on Netcraft, the trojan can be installed silently on fully-patched versions of Internet Explorer. Until the extent of the exploit is known, you may want to hold off surfing with IE.

Um, yeah…

I want my share of the credit, too. I said this, um, last year, after the year of the LAN fizzled. Or was it the year of IM?
Zawodny: “RSS looks like one of the better bets this year.” [Scripting News]

Tim O’Reilly: Open Source Paradigm Shift

Open Source Paradigm Shift.
“This article is based on a talk that I first gave at Warburg-Pincus’
annual technology conference in May of 2003. Since then, I have
delivered versions of the talk more than twenty times, at locations
ranging from the O’Reilly Open Source Convention, the UK Unix User’s
Group, Microsoft Research in the UK, IBM Hursley, British Telecom, Red
Hat’s internal “all-hands” meeting, and BEA’s eWorld conference. I
finally wrote it down as an article for an upcoming book on open
source, “Perspectives on Free and Open Source Software,” edited by J.
Feller, B. Fitzgerald, S. Hissam, and K. R. Lakhani and to be published
by MIT Press in 2005.” [Tim O’Reilly, O’Reilly Network]

Interesting reading.

How much would you pay for a favorable opinion?

From Dan Gillmor’s eJournal: Opinion Laundering Thrives.

  • Tim Lambert: When Think Tanks Attack. Why
    are all these think tanks so down on Open Source? Well, the Small
    Business Survival Committee is concerned that using open source will
    expose small business to the risk of lawsuits. Citizens Against
    Government Waste is concerned that the Government might waste money on
    Open Source. Defenders of Property Rights is concerned that Open Source
    might be a threat to intellectual property rights. However, I was able
    to detect a common theme to all their criticism. They all seem to be
    funded by Microsoft.

“This piece isn’t absolute proof, but it’s another layer of circumstantial evidence that Microsoft is continuing its campaign of what I’ve called “opinion laundering” to make a case against Linux and other free software. (See previous looks at this subject here, here and here, for example.) Microsoft is hardly alone in this activity, of course. Lambert’s article looks into the tobacco archives and shows how major think tanks were paid by tobacco companies and took positions congruent with the tobacco interests’ own views. The bigger problem is that we often don’t know who is funding which think tank, and many won’t tell us. Even the ones that do say they’re getting some money from companies like Microsoft won’t say how much. If the “contribution” is .001 percent of annual funding, that’s trivial. If it’s 50 percent, that’s not trivial. But we are never told this relevant information. None of this is illegal, but it’s definitely sleazy. We need laws, not that this Congress or administration will ever touch the topic, to force think tanks to reveal the sources and amounts of their funding in amounts over, say, $500. That would let individuals continue to contribute in privacy, but would shine a needed light on the opinion laundering that is now so prevalent. In the meantime, when a think tank takes any position on just about anything, your first instinct should be to ask, “Did someone pay for that opinion?” — Dan Gillmor

Some people accuse me of being an “Open Source zealot” (thanks, btw), but at least my opinion is not for sale to the highest bidder.


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.