From: "Charles Preston" <cpreston@sinbad.net>
To: <iwar@yahoogroups.com>
Date: Mon, 25 Feb 2002 08:59:40 -0900
Subject: [iwar] Microsoft.changes.Windows.XP Product.Use.Rights
Message-ID: <OCEDLLJFJEMAFJGHDCLNGEAEDCAA.cpreston@gci.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com

> Microsoft.changes.Windows.XP.online.'Product.Use.Rights

The Microsoft EULA also has this provision for individual users of XP, since it is in the OEM version of Windows XP Pro. (See below for the original article.)

What are the security implications? Here are some possibilities.

1. Change control for application software on workstations and servers is useless unless you have change control on operating system code. This method of dynamic system patching would seem to invalidate any concept of "meets C2 requirements in this specified configuration". The whole idea of an exhaustively examined and tested configuration appears to be thrown out the Windows(TM).

2. Maybe you cannot use a firewall to prevent 24/7 access to any workstation or server with XP, or at least anything other than the XP built-in packet filter for incoming traffic.

3. Maybe you can't do egress filtering that prevents installed components from initiating sessions with unspecified addresses.

4. Your installed applications or communications may suddenly quit working in the middle of the night due to software conflicts.

5. Your server or workstation may remotely reboot, accidentally enabling malicious software, or failing to start anything you forgot to make automatic.

6. Without checksum integrity controls you may not even know your OS software has changed.

7. Since security fixes have been applied automagically, is there any pressure to release any information on them? With public documentation, system administrators of possibly affected systems that were compromised before the patch could do a quick search for evidence of that particular method of compromise, and take remedial action with their backups or data.

8. Isn't it possible that specific vulnerabilities that had been dealt with might be suddenly re-enabled due to new bugs in new patches? And that relentless probing from hostile systems might find these known exploitable holes before the system administrator?

9. You won't necessarily know when to test systems for functionality or vulnerabilities, which should normally be done after software changes.

10. Won't this justify an attacker in a large research expenditure to compromise the update process, since tens of millions of systems might be backdoor compromised at once? This is different from the automatic OS updates offered by other vendors, since higher security systems don't need to participate.

11. Any disagreement over access to all of your systems could result in a staggering financial loss to any particular company if it is forced by legal action to immediately quit using XP due to violating the license.

12. The EULA specifically allows use of previous software versions (Windows 2000) in lieu of the use of XP. This would cover a case where Microsoft refuses to sell an earlier version before customers are ready to upgrade. The use of that earlier software is now covered by the same XP access agreement, superseding the license agreement that comes with earlier software.

13. Another provision of the EULA is that if you use Internet update features, Microsoft will gather (language is "it is necessary to use") unspecified information on your software, hardware and system. This would seem to violate some security policies designed to limit intelligence gathering on internal system configuration, and perhaps make this information available at a central or less secure location.

14. An additional provision of the EULA is that if you choose to license any content protected by Digital Rights Management (one example is Microsoft Reader), Microsoft or their subsidiaries may download (without limit) security updates.
Possibly this would exclude servers, if they only distribute DRM content.

cmp

-------------------------Begin quote--------------------------

Message: 15
Date: Thu, 14 Feb 2002 22:25:54 -0800 (PST)
From: Fred Cohen <fc@all.net>
Subject: [fc:Microsoft.changes.Windows.XP.online.'Product.Use.Rights']

Microsoft changes Windows XP online 'Product Use Rights'
InfoWorld, 2/14/02
http://www.infoworld.com/articles/op/xml/02/02/11/020211opfoster.xml

BILL GATES SAYS security is Microsoft's top priority, but just whose security does he have in mind? Consider some of Microsoft's recent boilerplate legalese -- language you or your company might already have unknowingly accepted -- and then decide for yourself.

The language is contained in the Product Use Rights (PUR) document that can be found at www.microsoft.com/licensing/resources. As the PUR document is part of most customers' volume license agreements and is subject to periodic change, in theory Microsoft customers should check it regularly to see what rights Microsoft has decided to grant or take away. You can be forgiven if you feel like you have better things to do with your life than reading and rereading all this mind-numbing legal gobbledygook.

Fortunately, one Microsoft customer did review the PUR document recently and noticed a change. In the section on Windows XP Professional, he found the "Internet-Based Services Components" paragraph that said in part, "You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer."

The reader was stunned. "By changing that term in the PUR, Microsoft has found a creative way to obtain authorization from users to access their workstations at will," he said.
"How many customers are going to review this PDF file and realize they've given Microsoft this right? And all the risk for the security and privacy violations due to this are neatly put on the customer's shoulders, not Microsoft's."

-------------------------End quote--------------------------
This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:03 PST