WinSCPbeen in heavy use over the years...

I hadn't given it much thought, but I have been using ONE Windows-application quite extensively over the past years. WinSCP.

For a simple-faced filemanager, it has many uses. But it's main feature is to connect to SSH / SFTP / FTP servers, handle files locally / remotely, transfer files, etc. A networked client-server file-manager application.

Before the early years of 2000, there were no decent graphical file-managers for cross-platform transfers and handling. Especially not with proper support for the Secure SHell v2 protocol.

WinSCP had this from the beginning (mainly with the scp program at first, then the SFTPv2 protocol. more recently WinSCP opts for switching to SFTPv3 protocol if available, for added security).

I can't recommend this program enough for it's easy transfer, handling and other file-related operations. I have never had any serious problems with it. It just works, and it works pretty damn good too.

It's interface is a beautiful interpretation of earlier, rather similar :P command-line designer guidelines.

2000/XP sikkerhet? LuLz? *sukk*

Som nevnt tidligere i et engelsk-språklig innlegg (linken i enden av innlegget), fortalte jeg om et nyfunnet sikkerhetshull som i grunnen burde være klassifisert som høy-risiko, men som Microsoft har ned-prioritert både for Windows 2000 og XP fordi "systemene er såpass utdaterte at det ikke lar seg gjennomføre å oppdatere disse", og anbefaler heller brukere av Windows 2000 å benytte den innebygde Windows-brannmuren som erstatning for en sikkerhetsfiks... ehm, javel?

Bare for å nevne det, så er hullet fikset i både Windows Vista, 7 og Server 2008.

Et genialt fremsteg av Microsoft, å faktisk snakke rett fra levra og fortelle at de ikke har tenkt å fortsette oppdatering av det mest brukte systemet på nettet den dag i dag.

Nå håper jeg at folk begynner å tenke på hvilket system og programvare-leverandør de har tenkt å benytte fremover i tid basert på dette. Men sannsynligheten er nok den at folk bare fortsetter å hive de hardt tjente pengene sine rett i Microsofts lommer uten spørsmål eller kritikk som vanlig.

Snakket mye med folk på jobb om dette, og de sier det samme som Microsoft, når XP fases HELT ut av sikkerhetsteamet, er det rett og slett bare å bytte til Windows 7, men det er her de fleste kommer til å få seg et realt sjokk. Microsoft har bare lagd oppgraderings-avtaler med folk som har kjøpt nyere datamaskiner med Windows Vista pre-innstallert, vi som sitter med XP på systemet og vil oppgradere og sikre oss selv, må nok dessverre ut med hele grossist-prisen for Windows 7 virker det som.

P.S.:

Nå kan feilen diskuteres hvorvidt den er kritisk eller ei, men når slike hull blir publisert offentlig, er det bare et tidsspørsmål før black-hats lager exploits og benytter feilen for alt den er verdt...

Linker:

http://blog.pizslacker.org/

http://www.hardware.no/

http://www.itavisen.no/

Abandoning 2000/XP security updates?

Oh well, it was fun while it lasted...

Seems M$ is dropping security patching for Windows XP, according to this security bulletin regarding a rather serious flaw in the Windows TCP/IP-stack, which enables a black-hat (or any person with technical expertise and malicious intent, really) to easily take control of any Win 2000/XP-computer running a listening service (webserver, SMB file-sharing, FTP, etc.). Microsoft on the other hand, chuffs the flaw, saying the vulnerability only affects a minor percentage of their business-oriented Windows 2000 user-base.

The only thing that concerns me (and a lot of IT critics online) about that statement, is that Windows XP is based on Win 2000. I wouldn't say the Windows XP user-base is a minor percentage, especially when statistics show that around 70% of web-users are on that platform. If this is a ploy from Microsoft to force people to switch to Win 7, it's a bad tactical move. Not only because of the security implications involved, but also Microsoft's decline on the customer-relationship front, as well as business-relations.

Will "The Silicon Valley Giant" ever learn from it's mistakes? Apparently, NO...

Ok, so the flaw isn't high-risk, but it CAN be without proper configuration! My point being that revoking security updates from a product currently in sale is a bad move.

EXPLANATION:

Ultimately, if an attacker gets through with specially crafted TCP-packets (TCP injection/prediction techniques), he can generate a DoS-condition, which halts the affected machine. But as the system can regain control again as soon as the attack-wave dissipates, Microsoft does not regard it as particularly high-risk.

All-in-all there are too many variables in the case-studies to make any good judgement on how risky this hole actually is, but it allows for DoS attacks, and therefore also the possibility of takeover.

Update, thursday september 17th:

To be fair, this flaw only affects advanced users with mal-configured listening-services, but that's not to say, once one IS taken over by a malicious black-hat, it can't be used for destruction and malcontent. If the machine resides in a network with other 2000/XP-machines, it's suddenly (probably) in the trusted IP-range, and therefore poses a risk as a penetration-tool to spread malware internally. There's a lot of vectors to exploit in this scenario, unfortunately... Let's just hope this flaw gets resolved before major abuse occurs.

Link:

http://www.itworld.com/