Media Gone Mad
Tim Mullen,

Why last week's big Windows security hole is nothing more than technology press hot air.

"Windows XP Kills Dog, Steals Toaster"

That's the next headline I'm expecting to read after wallowing through a week of technology press misreporting about the latest security issue in Windows XP -- an "issue" that's really nothing of the sort.

At the center of this shameful tempest in a teapot is the Windows Recovery Console (RC), which by design allows you to boot up a damaged system and access supported file systems like FAT and NTFS.

The perceived issue, which started its life on Brian Livingston's Web log and spun out of control from there, comes from the fact that if you boot the Win2k Recovery Console on a machine loaded with XP, it dumps you out to a command prompt without asking you for the XP administrator password.

News flash: this is expected, and desirable, behavior. The Win2k RC can't read the XP registry, so it thinks it is a corrupted Win2k installation. When it can't verify the SAM, it bails out to the console. Administrators want this behavior. If you have an installation on which some third-party driver has hosed the registry, the Recovery Console will allow you to attempt to fix it. That's what "Recovery Console" means.

Despite what the media is saying, booting to the Win2k RC does not allow one to "administer" the XP installation as the local administrator. In fact, you don't get to administer it at all. You can't list services, because it can't read the registry. You can't enable or disable services, because it can't read the registry. You can't really do anything, except copy files around -- that is, as long as they are not encrypted with EFS or something else. This is the exact behavior one who administers a Windows installation would expect, and the same functionality one would get if upon booting other alternate operating system.

This has nothing to do with Win2k or XP. It has to do with not allowing un-trusted users physical access to your assets. This is a basic security postulate, like death and taxes.

Yet the media went out of its way to make this another Microsoft "exploit." Wired reported that security experts call this a "genuine threat." I'll tell you this -- if a "security expert" tells you that this is a Microsoft vulnerability, they're not a security expert. I mean, if I wanted to hork data off of a system I had full physical access to, I'd just grab the drive, stick it in my pocket, and walk out whistling "Jimmy Crack Corn and I Don't Care."

Give Bill a Break
I certainly wouldn't sit there looking stupid while the Win2k Recovery Console took its five minutes to boot to a console so I could copy files, one by one, to a floppy disk (assuming I knew the "SET" command that allowed me to do so in the first place). Or even better, I'd just whip out my Linux boot floppy, change the administrator password and go nuts.

What I find amazing is the fact that with every article that covers this non-issue, the story gets better and better.

WinInformant headlined with "Windows XP Wide Open." Hyperbole. They further reported that you could administer the XP installation without a password, and perform other actions with full administrator privilege. Poppycock. Geek.com went so far as to say that the anonymous user (whatever that means in this case) is logged in with the XP administrator account. What bovine feces! What ever happened to journalistic integrity? What ever happened to research? It's like these people are making it up as they go along just to reel in the hits.

This kind of thing damages overall security. It clouds the issue, and rains on the wrong parade. The media should give its readers all the information-- not slant it in an effort to make Microsoft look like the bad guy every time.

Instead of wasting space on functions that are not even vulnerabilities, they should be covering issues like Oracle's "unbreakable" applications having yet another series of remote buffer overflows that took six months to fix. They should be covering the fact that in order to get the patches for Oracle, you have to pay for them under a service contract. If Microsoft tried something like that, angry mobs of protesters would pull Bill Gates from his own home like a group of crazed Colombian soccer fans and bind him to a whipping post.

It is unfortunate that the people in a position to educate the masses to computer security do not even bother to educate themselves. When banner ad revenue for a media outlet becomes more important than accuracy, it's time to find a new profession.