Vulnerability Development mailing list archives

RE: Windows XP RC2


From: "Dom De Vitto" <Dom () DeVitto com>
Date: Tue, 21 Aug 2001 18:13:47 +0100

| -----Original Message-----
| From: Dennis McHenry [mailto:ronmch () comports com]
| Sent: 21 August 2001 04:12
| To: vuln-dev () securityfocus com
| Subject: Re: Windows XP RC2
|
| Geez, I'm not much for conspiracy theories, so here goes my rebuttal:
|
| > but what is disturbing is take a guess as to what the "default" Time
| > Server that gets used???
| > time.windows.com  !!!
| What would you rather that they do?  Better than MS saying to someone "Get
| ready for tens-of-millions of hits on your NTP Server...."
Hmmm,
10,000,000 machines requesting one a day * 100-byte request
/ 86400 seconds in a day = 11574 bytes/sec = 93kbits/second
I'm sure connexion could cope :)

| > Well for every install M$ can monitor/track who is running XP that has a
| > Net connection.
| Dial-ups kinda screw this theory up, don't you think?
Why? Every XP machine has a unique SID, why track by IP?
Using SIDs would allow tracking through firewalls etc.

[ rant on why your self-suggested IP tracking isn't workable deleted ]
| I don't see any value of tracking unique IPs using their NTP server.
I don't see any value in RealPlayer providing QoS info...oops they actually
could track you from something you played back to the credit card/billing
details you bought RealPlayer with.  'Til GRC exposed 'em.
| The reregistration process handles people pirating their software.
And CSS protects DVDs :)

HOW MANY cracks for the activation have there been?

| > If you're real paranoid one can think well if the NTP is using
| > time.windows.com what is stopping M$ from having some hidden app that can
| > be communicated to once they grab the IP that queries their time server?!
| The market will stop this.  No company in their right mind would put coding
| like this into their product.  It relies on one flawed premise, a flaw which
| is easily spotted:  "nobody will ever use a packet sniffer and our product."
| Besides, they could just have this "Sup3R S3krIt" application phone home.
(see RealPlayer above)

So you put a packet sniffer on your network, right.
Do you own Time Warner? No. So who's going to listen to you?
If MS DOES get embarrassed, I guess they'll recall 10,000,000 copies of XP?
Right? No. They'll issue a patch, and bury it in the bottomless pit they
call a web site.

| Microsoft is a multi-billion dollar corporation.  There's one thing that
| would stop them from doing this:  turning their company into a penny-stock
| by intentionally putting a backdoor into their software.
Nothing will turn MS into penny stock, it has too many people who will
lie, cheat and steal at its beck and call.

| It's a *feature* (for real!) intended to make their customers (the ones
| that made the company into a multi-billion dollar company in the first
| place) happy.
Maybe, but then why did it take 15 years to make it into the product?
Features get added only if they have 'value', VALUE TO MS.
(which may or may not be value to the end user)

| Of course I could be wrong, and they may be a front company for the NSA, and
| NTP could be a 5uP3R S3krIt project that actually means NSA Tracking
| Protocol.
The NSA doesn't have $500 billion (IIRC) in cash...
...of the two, I know who I'd trust.

Dom


