Media Gone Mad
Tim Mullen, 2003-02-24

Why last week's big Windows security hole is nothing more than technology press hot air.

"Windows XP Kills Dog, Steals Toaster"

That's the next headline I'm expecting to read after wallowing through a week of technology press misreporting about the latest security issue in Windows XP -- an "issue" that's really nothing of the sort.

At the center of this shameful tempest in a teapot is the Windows Recovery Console (RC), which by design allows you to boot up a damaged system and access supported file systems like FAT and NTFS.

The perceived issue, which started its life on Brian Livingston's Web log and spun out of control from there, comes from the fact that if you boot the Win2k Recovery Console on a machine loaded with XP, it dumps you out to a command prompt without asking you for the XP administrator password.

News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.

Despite what the media is saying, booting to the Win2k RC does not allow one to "administer" the XP installation as the local administrator. In fact, you don't get to administer it at all. You can't list services, because it can't read the registry. You can't enable or disable services, because it can't read the registry. You can't really do anything, except copy files around -- that is, as long as they are not encrypted with EFS or something else. This is exactly the behavior anyone who administers a Windows installation would expect, and the same functionality one would get by booting any other alternate operating system.

This has nothing to do with Win2k or XP. It has to do with not allowing untrusted users physical access to your assets. This is a basic security postulate, like death and taxes.

Yet the media went out of its way to make this another Microsoft "exploit." Wired reported that security experts call this a "genuine threat." I'll tell you this -- if a "security expert" tells you that this is a Microsoft vulnerability, they're not a security expert. I mean, if I wanted to hork data off of a system I had full physical access to, I'd just grab the drive, stick it in my pocket, and walk out whistling "Jimmy Crack Corn and I Don't Care."

Give Bill a Break
I certainly wouldn't sit there looking stupid while the Win2k Recovery Console took its five minutes to boot to a console so I could copy files, one by one, to a floppy disk (assuming I knew the "SET" command that allowed me to do so in the first place). Or even better, I'd just whip out my Linux boot floppy, change the administrator password and go nuts.
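The two points above (the RC only honors the installed system's own password and SET-command settings, and the only files it can't walk off with are encrypted ones) can be turned into a quick defender-side audit. The script below is an added example, not part of the column; the registry key and value names are the ones behind the two "Recovery console:" security policies, and the folder list (including `C:\Payroll`) is a constructed placeholder to replace with your own sensitive paths.

```powershell
# Added audit example (not from the column): report the Recovery Console
# policy values and whether the given folders are EFS-protected.
# Run as an administrator on the machine being audited.
function Get-RecoveryConsoleExposure {
    param(
        # Folders whose contents could be copied off by anyone with a boot disk.
        [string[]]$SensitivePaths = @("$env:USERPROFILE\Documents")
    )
    $rcKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'
    $rc = Get-ItemProperty -Path $rcKey -ErrorAction SilentlyContinue

    # SecurityLevel 1 = "Allow automatic administrative logon" (no password prompt).
    # SetCommand   1 = "Allow floppy copy and access to all drives and all folders".
    # A missing value means the restrictive default (0) is in effect.
    $autoLogon  = ($rc.SecurityLevel -as [int]) -eq 1
    $setAllowed = ($rc.SetCommand   -as [int]) -eq 1

    $folders = foreach ($p in $SensitivePaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # placeholder paths may not exist
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        [pscustomobject]@{
            Path      = $p
            # The Encrypted attribute on a folder means new files in it get EFS-encrypted.
            EfsFolder = (($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
    }

    [pscustomobject]@{
        RcAutoAdminLogon    = $autoLogon
        RcSetCommandAllowed = $setAllowed
        # These two settings bind only this install's own Recovery Console;
        # a Win2k RC or any other boot medium never reads them, so the
        # real exposure is the list of folders that are not encrypted.
        RcPolicyScope       = "this install's own Recovery Console only"
        UnencryptedFolders  = @($folders | Where-Object { -not $_.EfsFolder } | ForEach-Object Path)
        Folders             = $folders
    }
}

# Example run with a constructed folder list; anything under UnencryptedFolders
# is readable by whoever can boot the box from other media, whatever the RC settings say.
Get-RecoveryConsoleExposure -SensitivePaths @("$env:USERPROFILE\Documents", 'C:\Payroll') |
    Format-List
```

Treat a non-empty `UnencryptedFolders` list as the finding; tightening `SecurityLevel` or `SetCommand` changes nothing for an attacker who boots something other than this system's own Recovery Console.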

What I find amazing is the fact that with every article that covers this non-issue, the story gets better and better.

WinInformant headlined with "Windows XP Wide Open." Hyperbole. They further reported that you could administer the XP installation without a password, and perform other actions with full administrator privilege. Poppycock. Geek.com went so far as to say that the anonymous user (whatever that means in this case) is logged in with the XP administrator account. What bovine feces! Whatever happened to journalistic integrity? Whatever happened to research? It's like these people are making it up as they go along just to reel in the hits.

This kind of thing damages overall security. It clouds the issue, and rains on the wrong parade. The media should give its readers all the information -- not slant it in an effort to make Microsoft look like the bad guy every time.

Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle's "unbreakable" applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post.

It is unfortunate that the people in a position to educate the masses to computer security do not even bother to educate themselves. When banner ad revenue for a media outlet becomes more important than accuracy, it's time to find a new profession.



SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
Copyright 2010, SecurityFocus