Re: How to fix broken security in Windows 2000?


From: Shannon Jacobs (shanen_at_my-deja.com)
Date: 02/06/05


Date: Sun, 6 Feb 2005 09:42:08 +0900

Is this [the post included below] a veiled threat to delete more posts? Or
some sort of disguised back-handed sales pitch? Based on previous
experiences, I do believe I could escalate the issue, pay Microsoft some
"support" money, and someone at Microsoft would reveal the answer, perhaps
with a clause requiring me not to republish it in public places like the
newsgroups. After all, security almost entirely depends on obscurity, as all
good Microsoftians "know".

Anyway, in the event that some thin-skinned person was offended by my
attempt at lighten-the-tone humor, I have no problems with apologizing for
it. Apparently only Republicans are allowed to make such jokes, and I also
apologize for being too poorly read to know of a suitable parallel usage
with a male protagonist, which would have obviated the attempted joke.

Now let's return to the technical issues you (Pat Walters [MSFT]) ignored,
for whatever mysterious reasons. I think it best to begin by refreshing the
history a bit.

One of my machines developed an annoying but apparently minor problem at
boot time. As time allowed for such a low-priority item, I investigated.
After several months, I became focused on the hypothesis that the problem
involved missing security certificates. My current belief is that the
problem is more widespread than I initially thought and that many of your
customers would see it if they ran the "sfc /scannow" command, especially on
Windows 2000 computers. My sample is too small, but so far it seems to be
*all* W2K boxes. I'll probably check some more machines over the next few
days.

After reading *lots* of official Microsoft Web pages and searching in
various other places, I finally resorted to the newsgroups. My initial query
resulted in a request for more data, which I provided, but it went downhill
from there. Many years ago the newsgroups had a positive SNR, but nowadays
zero-signal-and-downhill is the safe prediction.

Just in case some technically competent person would be so kind as to
provide a useful answer, the technical question is:

How can missing security certificates be identified (and "safely" replaced)?

I am stressing "safely" because this is actually a new technical issue for
this thread. Perhaps I misunderstand the situation, but I think it would be
possible for someone to replace a system file with a bogus one and produce
the problems I am describing here. However, that same "someone" could
perhaps prepare a security certificate that could be used to assure people
(via SFC) that the bogus file is the truly bogus one (albeit with
non-Microsoft ownership).

[The non-technical question is "Why have the MVPs become so ineffective at
answering anything beyond the most trivial FAQs?", but we're not supposed to
consider that one, even in the absence of useful technical answers.]

Pat Walters [MSFT] <a-patwal@online.microsoft.com> wrote:
> "Shannon Jacobs",
>
> After reading the thread further, let me just reiterate what Karl
> Levinson said at the end of his last posting. We are here to help.
> I do not pretend to understand what good can come from ranting on a
> newsgroup about how much you dislike our company or the amazing and
> technically savvy group of volunteers that devote themselves to
> people with problems using Windows Update --but at name calling,
> here it ends.
>
> Please refrain from name-calling or ad-hominem attacks in this, and
> any other Microsoft newsgroup. We encourage all people with
> questions or comments about our products to visit our many
> newsgroups and find the community that can best help them. We are
> honored and humbled by the generous time and energy of the many
> volunteers who contribute to these newsgroups, and pleased to have
> the Microsoft Valuable Professional program ( http://www.mvps.org.)
> This is a *privately*-owned newsgroup for the assistance of
> Microsoft customers.
>
> To our MVPs and volunteers, thank you for your continued hard work
> and efforts. We continually make a better product, and we learn
> how to serve the customer better because of this forum and the
> interaction you have with our customers.
>
> Sincerely,
>
> Pat Walters [MSFT]
>
> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
> news:e9exlqCBFHA.2792@TK2MSFTNGP15.phx.gbl...
>> The lady doth protesteth too much. Or is it one of Arnold's
>> girly-men? Well, actually the "incident" most reminds me of a
>> certain very prominent judge who wrote a 20-page explanation of
>> why an apparent personal interest in a certain case was not really
>> an interest, so there was no reason to recuse himself. Sorry, but
>> the 20-page explanation goes way *beyond* the appearance of a
>> conflict. That explanation itself was the most concrete evidence
>> of why the judge should have recused himself, incredible hypocrisy
>> notwithstanding. Same with your verbose defenses of your technical
>> abilities in the absence of technical answers.
>>
>> Of course, I'm not surprised you can't put up (something of
>> technical value). I am surprised you aren't smart enough to use
>> the other half of the old saying. Years ago, way back when the MVP
>> program was useful, I would ask similar technical questions, and
>> if there was an answer from an MVP, it was almost certain to be
>> very helpful. Even their questions were helpful in finding the
>> real source of the problems. Other times my questions went
>> unanswered, but sufficient research revealed that they really were
>> that difficult to answer or even define, and the MVPs were correct
>> to wait for more knowledge.
>>
>> These days it seems like an MVP will usually respond quickly--but
>> for any non-trivial question, more often than not, the response is
>> just incorrect. That is why I asked about the current metrics
>> Microsoft is using to assess the MVP program. I really suspect you
>> get MVP brownie points for being the first MVP to answer, and
>> without regard to the utility, correctness, or even relevance of
>> the answer. I am quite sincerely interested in how Microsoft does
>> business, even in the ethically dubious tactics. As regards the
>> MVP program, I think it was probably easy for Microsoft to tip the
>> scales in this way, since most technically competent people are
>> too busy to donate lots of time to Microsoft's greater glory.
>> (Yes, I'm being slightly tongue in cheek, since I'm sure you do it
>> to help the suffering customers--but Microsoft is still willing to
>> make a bit more money by milking your efforts.)
>>
>> Regarding your (Levinson's) list of candidates for MVP
>> incompetence, I'm sorry, but I don't track people for their
>> inability to be helpful. I remember people for their competence,
>> especially technical competence. I used to know the names of a
>> number of MVPs--but I recognize none of the names you mentioned.
>> Just piling the evidence up, aren't you? Now excuse me while I
>> forget your name, too.
>>
>> As I am prone to do, I'll commit the folly of mentioning technical
>> matters in what is eminently not much of a technical thread. Now
>> that I can run SFC again, it issues the same unable-to-verify
>> complaints about a number of files. Still no hint about *which*
>> files are too new or *which* security certificates are still
>> missing. (However, I'm supposed to receive a new computer in a
>> month or two, so I think I'll just ignore it until then. Maybe
>> I'll convert this old one to Linux?)
>>
>> Karl Levinson, mvp wrote:
>>> "Shannon Jacobs" <shanen@my-deja.com> wrote in message
>>> news:OvKU5AbAFHA.4044@TK2MSFTNGP11.phx.gbl...
>>>
>>>> Several of my earliest attempts along the
>>>> missing-security-certificate path were to try to reinstall some
>>>> of the recent security certificate updates that WindowsUpdate had
>>>> provided. I was not able to do so from the Microsoft site, and
>>>> none of the MVPs even thought to suggest that approach.
>>>
>>> Well, if reinstalling the patches didn't fix the problem, isn't
>>> it a good thing we didn't suggest it?
>>>
>>> Windows Update absolutely lets you see and re-install whatever
>>> patches are on your system, but it has no possible way of knowing
>>> about patches that were pushed down by your IT staff using who
>>> knows what method, nor would we. You would have to contact your
>>> IT staff for that.
>>>
>>> Your only statement in your OP regarding patches was this:
>>>
>>> "Some possibility it may have been caused by a WindowsUpdate,
>>> possibly even one that was pushed onto my machine by the
>>> corporate IT people."
>>>
>>> With that vague level of detail, of course your IT people knew
>>> how to fix the problem and we didn't. Your IT people knew which
>>> patch they had pushed out to cause the problem, and we still
>>> don't.
>>>
>>> Even now, you still haven't provided enough information about
>>> which patch or file was the problem, but you expect us to
>>> magically know the answer in a minute to a problem you've been
>>> struggling with for months. I can only guess that the patch
>>> you're talking about might be the May 2004 root certificates
>>> update over 7 months ago, but I would be hesitant to waste your
>>> time offering suggestions like reinstalling this or that patch
>>> based on that guess [and since this didn't fix your problem, it's
>>> a good thing I didn't suggest it]. You still haven't shared
>>> enough detail about the fix to help anyone else learn from your
>>> experience.
>>>
>>>> Using the link I provided (which actually came from someone in my
>>>> company), I was able to find a file which fixed the damage.
>>>
>>> How do you know your IT people didn't get the answer to this
>>> problem from Microsoft, or from an MVP?
>>>
>>>> I am not certain if that
>>>> file is the same one that exists somewhere on the Microsoft
>>>> site, or if it was a special version. However, I am absolutely
>>>> certain the Microsoft search engines failed to find it, and the
>>>> MVP program participants also failed to find it--or even to
>>>> suggest looking for it.
>>>
>>> Most problems with Microsoft patches are due to pre-existing
>>> problems with the configuration of the PC. If no one else on the
>>> planet has ever had your problem, then why would you expect the
>>> solution to be in the Microsoft knowledge base? Note that your
>>> problems [getting answers from the MS search engine or from the
>>> newsgroups, your computer breaking in the first place] always
>>> seem to be because someone at Microsoft has failed you, never
>>> because of you, say, entering the wrong description or deleting
>>> root certificates.
>>>
>>>> The part that is apparently rubbing you the wrong way is my
>>>> general comments about what Microsoft has done to the MVP
>>>> program. If so, you should quit acting in a way that provides
>>>> additional evidence. So far you are only reinforcing my belief
>>>> that Microsoft has pretty much destroyed the MVP program by
>>>> getting rid of the most technically competent people.
>>>
>>> Which of the Microsoft MVPs do you think are not technically
>>> competent? Is it Ed Skoudis? Stuart McClure? Roberta Bragg?
>>> Tom and Debra Littlejohn Shinder? Mark Russinovich? Mark
>>> Minasi? I would like to know why you think the MVP program has
>>> fewer or less competent MVPs. How and why exactly would
>>> Microsoft want to spend money and time on the MVP program, but
>>> intentionally choose the worst candidates? How and why would
>>> they destroy the program by increasing their support for it?
>>>
>>> If Microsoft is solely in it for the money, as you claim, then why
>>> spend a single cent on the MVP program in the first place? You do
>>> realize that Microsoft has given you access to pretty much the
>>> same knowledge database that their paid support technicians use
>>> when you call them, correct? And that Microsoft lists the phone
>>> numbers of other companies that offer cheaper tech support on
>>> their support web site? There are certainly some valid
>>> criticisms that can be levied at Microsoft, but your criticisms
>>> of Microsoft make little sense and border on paranoia.
>>>
>>>> Or perhaps
>>>> they have simply changed the incentive system so the MVPs are
>>>> encouraged to post meaningless answers even when they have no
>>>> idea of what the answer is?
>>>
>>> The link I posted may not have fixed your problem, but it is the
>>> answer to what you asked: "what are the dependencies and
>>> troubleshooting steps for certificate problems related to SFC?"
>>>
>>> I also tried in my post to clear up some of your misconceptions
>>> about how PKI certificates work that were causing you to angrily
>>> think Microsoft was trying to re-write PKI specifications. You
>>> have yet to prove or suggest why the link I posted was
>>> meaningless. What exactly was it in the link that did not apply
>>> to the question you asked?
>>>
>>> The award MVPs get from Microsoft is relatively small and hardly
>>> compensates me for all the time I spend here. If you think I post
>>> thousands of posts here every year because of this award or
>>> because it gets me some kind of points, you are very mistaken.
>>>
>>>> Certainly I admit that some of my queries are liable to be
>>>> non-trivial. Whatever the reason, I also believe this negative
>>>> change to the MVP program is a deliberate policy on the part of
>>>> Microsoft to discourage customers from relying on
>>>> no-cash-involved support.
>>>
>>> I see. Microsoft has increased the number of MVPs over the past
>>> two or three years in order to discourage relying on free
>>> support. That makes lots of sense.
>>>
>>>> In truth, the main technical value I get from the newsgroups in
>>>> recent years, and the only reason I will sometimes resort to them
>>>> (and usually only after some weeks of struggle), is that the
>>>> process of describing the problem more precisely and completely
>>>> for a public post is sometimes helpful in understanding the
>>>> solution.
>>>
>>> I see. So, you don't really need anything from us. You solve the
>>> problem entirely on your own, just by typing it down here to us.
>>> Microsoft and the MVPs caused the problem, hide the solution to
>>> the problem from you, solely for monetary greed on the part of
>>> all of us, and you single-handedly solve the problem. Might I
>>> recommend posting your next question to microsoft.public.test?
>>> You'll get the same results.
>>>
>>> I'm not sure how exactly coming back here to insult us and express
>>> your disappointment in our not solving the answer fits in with
>>> this, given that you didn't really expect us to solve the
>>> problem, but then again, I'm just an MVP, so I have trouble tying
>>> my shoes in the morning.
>>>
>>>> Not so in this particular case, however. This
>>>> time it was just a lucky cross-reference that caught my eye. (I
>>>> cannot provide a link to that source since it is internal to the
>>>> corporate intranet, not public.)
>>>
>>> That's convenient. And that prevents you from posting details
>>> about the fix too?
>>>
>>>> Today I do have a new technical problem from another friend, but
>>>> I'm not yet stumped or desperate enough to describe it here.
>>>> Thanks, but no thanks.
>>>
>>> No problem. When you encounter problems too tough for you to
>>> solve, we'll be here to help.
>>>
>>> kind regards,
>>>
>>> Karl Levinson, CISSP


