On Thu, 20 Sep 2001, Doug wrote:

> Or how a patch for stupidity and laziness can be created. Since Nimda
> wouldn't be an issue if people would just patch their damn software.

I blame Microsoft for not properly informing people that they need to
patch.  I subscribe to the Security Bulletins list (for the humor..  some
of them are damn funny) and there has been NO MENTION of how to secure
your server.  Go to Microsoft.com, off on the right side in small print is
the link to the IE and IIS patch pages.  These are new patches and there
hasn't been ANY notification from Microsoft that they exist and they need
to be applied, other than a small link on their home page.  Most people
I've talked to the last few days have had trouble finding it, so I
know it's not just me.

These worms work because most hackers realize that unpatched machines
exist.  Some are laziness and ignorance from an admin standpoint, yes,
but IMHO Microsoft is not making the proper effort to inform their
customers of new security flaws and the need to patch.  I learned more
about the need to patch from the linux community these last couple days
than from Microsoft.  I call that negligence.

What I learned from the MS Security Bulletins:

If anyone feels like being mean to a Win2K laptop, set up your linux
laptop and point the IR ports at each other.  Do an irdaping from the
linux laptop.  The Win2K machine will BSOD.  They've released a fix but I
believe it's only in SP2, which most people have uninstalled because it
makes things worse.  I have yet to confirm that this works though.

-Brian