Slashdot Mirror

Symantec has an article on Code Blue. This might not be it.. but it's a lot like it from what I can tell.

The 'Fuck PoisonBox' you're getting is due to the Sadmind virus.

More at:
http://www.symantec.com/avcenter/venc/data/backdoo r.sadmind.html

The attacks look a lot like the DoS.Storm worm that appeared on the scene June 2001. Either it's a new outbreak of DoS.Storm, or a modified version

Symantic has info on DoS.Storm here
SANS incidents.org has more details here

What exactly would be the point of Microsoft's eliminating CD-burning competition? The current strategy of simply licensing technology from someone with expertise such as Roxio makes much more sense.

When I hear complaints about Microsoft's bundling with Win9x and beyond, how come I never hear anyone complaining about the biggest victim of bundling: Trumpet Software's Trumpet Winsock. So had Trumpet been located in the US instead of Australia, would it have had a legitimate antitrust complaint versus Microsoft? Before Windows 95, Trumpet was quite often bundled with ISPs' installation software packages, and it was not considered a big deal that the customer would have to eventually purchase the product. How come no one complains on how "bundling" cost Trumpet Software untold billions in revenues?

As for cracking, it'll most probably happen, although with CCS they got lucky and found the keys unencrypted in Xing's Player, I wonder how easy it will be this time..

One of the memorable quotes from alt.sysadmin.recovery:

For their next act, they'll no doubt be buying a firewall running under NT, which makes about as much sense as building a prison out of meringue.

-- Tanuki

How many people are going to listen to the advice "get a firewall" when they're out shopping? They have a budget of, say, $1000 for a computer. Are they going to buy a $300 firewall, and only spend $700 on their desktop computer? No, at best they're going to spend $925 on their computer, and buy a "Personal Firewall" product for $50.

Saying Melissa is a computer viruses is FUD; it's a Word 97 Macro virus. It just happens to use Outlook (and its address book) to distribute itself, but the code itself is a Word 97 macro. Perhaps that's why it was named W97M.Melissa.AA
...

W32.Sircam.Worm@mm isn't an Outlook virus either (just a Win32 program), but 2 people have already pointed that out.

Saying Melissa is a computer viruses is FUD; it's a Word 97 Macro virus. It just happens to use Outlook (and its address book) to distribute itself, but the code itself is a Word 97 macro. Perhaps that's why it was named W97M.Melissa.AA
...

W32.Sircam.Worm@mm isn't an Outlook virus either (just a Win32 program), but 2 people have already pointed that out.

I have screencaps of each step of the process, along with some relevant links at http://www.sylvan-glade.com/intrusion/ And, of course, it's easy to download, install and try this out yourself. I use Netscape/Mozilla for my serious work anyway, so I don't mind leaving it in to see just how bad it gets.

I've tried to get hold of someone at Symantec to let them know they're advertising for their competitor, but I was referred to the feedback for for web site problems. I don't think the people I spoke to understood what I was saying. Does anyone know how to get hold of someone there who might get the point and set fire to this issue?

It may seem a bit Machievellian of me, but I suspect that if Symantec were to see for themselves how this little gem is making their web site work against them, they might raise enough stink that their weight might make a difference.

As far as I'm concerned, this is nothing but a glorified Trojan. At the very least it is trespass into my system [1], corrupting the intellectual property of web publishers everywhere, most likely trampling on the spirit if not the letter of copyright protection, and responsible for erectile dysfunction in ex-politicians.

Hey; maybe if Symantec gets upset enough they'll define TopText as a Trojan and have Norton AV remove it. j/k of course, but it's a pleasant fantasy...

Ray Simard
ray.sdot@sylvan-glade.com

[1] Well, not mine, since I installed it to research its effects. But you know what I mean. :-)

PS: eZula, maker of TopText/ContextPro, says you can get their keyword list by contacting them. Has anyone done so? It would be interesting to see just what it's looking for and who's being vectored to by them.

From Symantec's website:

Damage
The damage component measures the amount of harm that a given threat might inflict. This measurement includes triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, errors in the virus code, compromising security settings, and ease by which the damage might be fixed.

In terms of what it does locally (ie doesn't erase your entire harddrive), medium damage isn't that far out of line.

Maybe they should add a Mainstream Media Hype rating...

Support? You priced it with support? What is support? Seriously, though, as a customer of an ISP, I expect them to spend the money I give them on quality services. The fact that you came up with a much cheaper solution makes it even more shameful that they don't provide that extra level of protection.

The Webshield you priced covers both sparc hardware and the software, and support is on both. Trend Viruswall is just a software product ($1k for 50 users) that you still have to purchase a dedicated machine for in order to do the job properly. Luckily it is available for Linux, so the hardware portion can be cheaper in both initial cost and support.

We purchased our Webshield a year or two back when there were no solutions like this readily available. Now, Norton has Antivirus for Gateways, and more are coming out. As a small 200 person company, it's not a big deal to get support on our Webshield, but given a choice today, we would probably go for a Linux solution involving the Trend product. Heck, just thinking about the couple of bugs that we've seen in the Webshield, maybe we should consider the Trend product anyway.

This is a reply I typed up and started sending everytime I received one of these (annoying 200 Kb bandwidth-wasting) Sircam documents:

Hello. Just to let you know, it seems that your Windows-based PC appears to be infected with the "SirCam" virus (details at http://www.zdnet.com/filters/printerfriendly/0,606 1,2801171-2,00.html, possible anti-virus fix details at http://www.symantec.com/avcenter/venc/data/w32.sir cam.worm@mm.removal.tool.html). It is likely that you, or somebody else who has used your PC, double-clicked an attachment received from another infected user, which caused your own PC to be infected. (Double clicking on attachments you have received by e-mail, whether from a "trusted" source or not is almost NEVER a good idea.)

What you choose to do about this is your business, but I thought I'd let you know that your private documents are being sent to random Internet users around the world -- and not every one of them deletes them unread like I do.

By the way, you might wish to consider switching to Linux. I have been a happy Linux user since 1995, and I have not had to put up with these kinds of viral infections since giving up Microsoft software so long ago.

I beleive ISPs should provide some level of support for handling viruses. A lot of ISPs already do filter for viruses. Symantec offers products that retrofit themselves onto mail servers to automatically reject viruses from being sent and reject viruses from entering. Or at least generate an automatic email to the sender/receiver/mail admin that a virus was spotted in the mail stream and temporarily hold it until advised on what to do. Unfortnately, the same product can also be used by your boss as spy-ware.

If anything, I'm surprised the media isn't paying more attention to SirCam - they could sound all serious and say "It's a violation of your privacy because it sends all your personal crap all over the Internet", then follow that story with an ad for MSN Internet Service.

It's actually a pretty cool idea. Distributed.net took him out of the contest of course, but still...

You would think that Norton AntiVirus 2001 7.0 would filter it as well. After all, that's what it's designed to do.

Yet, if you have a look at Symantec's Discussion Forums you will see many NAV2001 users complain that their e-mail scanner does not pick up SirCam attachments. Detaching those same attachments and running a manual scan of them then does find SirCam. Thois has been an issue since day 1 of SirCam (six days now) and Symantec still has yet to acknowledge it.

So you're a corporate user. You have a locked-down image with hidden extensions. Your NAV templates are up-to-date. E-mail scanning is active. You receive an e-mail from your boss with the title and attachment as a .DOC Word file that you know he's been working on, and he's usually too busy to check his spelling and grammar for every quick note. Your NAV scanner clearly checks it (there is an animated system tray icon that shows it working.) So you open it...

Sometimes it's not always the user's fault.

Adobe's a member of the BSA.

The BSA has an interesting statement on the DMCA here. This is a response to a Library of Congress rule available here.

Members of the BSA include Adobe, Apple Computer, Autodesk, Bentley Systems, CNC Software/Mastercam, Compaq, Corel Corporation, IBM, Intel, Intuit, Lotus Development, Macromedia, Microsoft, Network Associates, Novell, Sybase, Symantec, and Walker Digital; i.e. most of /.'s favourite hate companies, plus some extras.

These are the guys to line up against. They've been around since the '80s. I suspect that Adobe's lawyers are all BSA stooges. Certainly Adobe's PR department doesn't seem to be toeing the BSA line.

http://www.symantec.com/avcenter/venc/data/w32.hyd @mm.html

I also remember one team being disqualified for writing a virus to spread another of the distributing computing clients (didn't spread through outlook though), but I couldn't find it on Symantec.

Haha! :) Ain't that the truth. Remember that Good Times email virus that was all the rage?

You'd laugh at whoever "warned" you about it, because it was unthinkable that an email would transmit a virus to your terminal.

But now, thanks to Microsoft Innovation(TM) it really is possible for your email to wipe out your machine. :)

Other people have pointed this out, I'm sure, but the sircam worm has NOTHING to do with Outlook. Any windows user who opens an infected file becomes infected, and then starts sending out the worm. It prowls cached web files to discover emails, not Outlook-related crap.

Contrary to the story, even web-based email isn't safe. I use Yahoo, and it'll scan it for you--and correctly identify--but it still has the option to download the infected file. http://www.symantec.com/avcenter/venc/data/w32.sir cam.worm@mm.html is a good writup by Norton.

It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad

But has anybody (specially Timothy) actually paid any attention to the damn stories?

Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.

Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!

In fact, the Wired news clearly says that the virus serves as it's own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.

The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.

All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:

http://www.symantec.com/avcenter/venc/data/w32.sir cam.worm@mm.html

http://vil.mcafee.com/dispVirus.asp?virus_k=99141&

http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A

http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A

http://www.sophos.com/virusinfo/analyses/w32sircam a.html

http://www.europe.f-secure.com/v-descs/sircam.shtm l

http://service.pandasoftware.es/servlet/panda.pand aInternet.EntradaDatosInternet?operacion=FichaViru s&idVirusFicha=1911&pestanaFicha=1

http://support.centralcommand.com/cgi-bin/command. cfg/php/enduser/std_adp.php?p_refno=010718-000010

It seems just about every damn virus nowadays spreads via Outlook or Outlook Express which is too bad

But has anybody (specially Timothy) actually paid any attention to the damn stories?

Nowhere in these stories is it claimed that Sircam uses Outlook to spread! Maybe Timothy got the idea from reading this CNN article.

Geez, people, do you believe everything that CNN says? It's not like I really expect CNN to get this right, but /. readers are supposed to be better than that!

In fact, the Wired news clearly says that the virus serves as it's own SMTP client. A lot about this virus in fact resembles how the Judge Disemboweler virus operates.

The only thing that can be interpreted as using Outlook to spread itself is the fact that it takes its e-mail addresses from Windows Address Book files; however it will also try to get addresses from some files in the 'Temporary Internet Files' folder. This means it should be able to spread without any need for Outlook (just some e-mail client and a user naive enough to run the attachment) and without Windows Address Files.

All the usual sources of virus information seem to agree about this virus serving as its own SMTP client. Please check for yourselves:

http://www.symantec.com/avcenter/venc/data/w32.sir cam.worm@mm.html

http://vil.mcafee.com/dispVirus.asp?virus_k=99141&

http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A

http://www.antivirus.com/vinfo/virusencyclo/defaul t5.asp?VName=TROJ_SIRCAM.A

http://www.sophos.com/virusinfo/analyses/w32sircam a.html

http://www.europe.f-secure.com/v-descs/sircam.shtm l

http://service.pandasoftware.es/servlet/panda.pand aInternet.EntradaDatosInternet?operacion=FichaViru s&idVirusFicha=1911&pestanaFicha=1

http://support.centralcommand.com/cgi-bin/command. cfg/php/enduser/std_adp.php?p_refno=010718-000010

Actually the school I attend does this on windows 9x machines fairly well. They use norton ghost, which can make a disk image from one computer, and then the program can "ghost" all (or selected) computers on the network, which basically just loads the disk image onto them. It's a pretty effective solution.

Win95.Babylonia (discovered December of '99) does exactly that.

The definition of wiping drives properly, like other security related matters, depends on what adversary you are trying to protect the data from. If your adversary is a coworker, shred ( gnu fileutils (older) or gnu fileutils (newer) ), wipe , or norton utilities wipeinfo (see Norton System Works , you might have to get the professional edition to get wipeinfo) might work. For adversaries that have more funding and/or time, purchasing sanitizer is advisable as its "D" version meets DOD requirements for electronically disposing of classified and sensitive data on a hard drive. It can apparently defeat electron microscopes with spin control, when properly utilized. Note that if you're going to this extent you probably want to TEMPEST shield (and here and there ) your life, and start using crypto sytems that keep the key material in FIPS 140 compliant crypto devices like these.

On some Symantec products, they state that the arms-crossed pose of the Holy Pink-shirted One is a trademark of Peter Norton (not Symantec though, Peter Norton is a third party).

Ah, here it is, from:
http://www.symantec.com/legal/legal_note.html

Third Party Trademarks

Peter Norton, Peter Norton's stylized signature, and Peter Norton's crossed-arm pose are U.S. registered trademarks of Peter Norton.

Y'know, this kind of crap doesn't help the Geek Community At Large overcome the image of being a bunch of fanatical morons

Hemos took a lot of liberty with my submission including changing the title as well as cutting of some technical analysis at the end of my submission.

Basically the gist of my submission was that Microsoft is taking a heavyhanded and incorrect approach to attempting to solve the problems with Outlook viruses and the like. Specifically, instead of coming up with some Draconian all-or-nothing security policy why not introduce more granular access levels to Whistler?

For example, I currently run ZoneAlarm and it prompts whenever a program I haven't given permission tries to access the Internet (in fact I found a Trojan this way). ZoneAlarm has three permission settings Always Deny, Always Allow, and Always Ask. I wouldn't mind seeing such functionality moved to the OS and made even more granular so that programs have very explicit permissions as to what they can do (similar to java.policy files). Outlook should not be able to tweak the registry nor delete files (via the ILOVEYOU virus) regardless of whether it is signed by Microsoft or not.

Basically I am proposing something similar to Access Control Lists for executables on the OS, after all, there already is a central repository of information (the registry) so adding that data shouldn't be too hard.

Second Law of Blissful Ignorance

The complaints about exchange mail here are constant and frequent.
I strongly suggest finding out who is pushing the change over, find out what their goals are, and find a way to deal with it in the *nix enviroment.

Malk-a-mite

I'm really getting sick of all the whining about internet filtering software, in particular this comment. This is going to be a crow bar to push schools around? Far from it. First, let me tell you why not. Second, let me tell you my experience.

Already, a huge part of schools across America are implementing filtering programs on their networks. This isn't just limited to the schools - libraries are putting them in place as well. Why? Because there's universal pressure from the politicians in power to put them there. Look back at that chart of candidates. Did you notice that out of the six listed, four support filtering, and two didn't respond? Why's this? Because the vast majority of the public feels like it keeps their children safe. It's a nice warm, fuzzy security blanket.

Now to my experience. I'm a college student now, but I'm originally from Fairfax County, Virginia. I went to Thomas Jefferson High School for Science and Technology, one of the greatest high schools in the nation. Our entire school system is consistently ranked very highly. I have personally dealt with filtering software. As of right now, nearly every high school in the Fairfax County Public School (FCPS) system is filtered by I-Gear, a product developed by URLabs (now owned by Symanted). Take a look at the FCPS overview and background info. On the background info page, scroll on down to the "Pilot results" section. You'll notice that 0.2% of the 1.1 million sites accessed over a six week test period were blocked. 0.2%! That's 1 out of 500. Additionally, notice that web access improved from 9 seconds per page load to 3 seconds (on average), thanks to the cache that I-Gear provides.

So you're telling me that this internet filtering system makes the internet a non-useful resource? A waste of time, and leads to poor education? I think that's a ridiculous assertion to make. Look at the FCPS system. Through the filtering, the million students in Fairfax County manage to obtain some of the best education anywhere in the United States. Yes, I agree that filtering sucks, and I wouldn't want it on my connection. However, if I live in a low-income area, where my school has no internet access, I definitely want to have a filtered system, rather than nothing at all. When implemented properly, filtering can work. This is going to a crow bar? No. This is going to be a positive addition to millions of childrens' lives.

The weekend did not manage to quell the massive amounts of coverage the Microsoft infiltration continues to garner. Virtually every news organization has its own version of the Microsoft debacle, of which we've provided a sampling below. Meanwhile, we are left wondering why the crown jewels of Microsoft were left at the mercy of passwords. There are all sorts of other authentication technologies that we have no doubt Microsoft will be investigating. Perhaps utilizing the smart card support in Windows 2000 wouldn't be a bad idea. It's a shame it takes negative incidents like this to get people to consider security as a strategic business issue. Shame on you, Microsoft.

• The Wall Street Journal via MSNBC
• CNET
• MSNBC via ZDNet
• Reuters via Yahoo
• The Register

ou've heard it before and you'll hear it again. Threats are evolving. We've seen viruses retrieve and forward passwords before on a large scale, now they are becoming targeted and fast. Threat evolution is something that cannot be dealt with reactively; it must be part of infrastructure planning and design. Today, all attention is focused on Microsoft. The world's favorite target has fallen victim to a password-stealing virus that got a hold of passwords that can access the source code to upcoming versions of Windows and Office. It is unclear whether or not the perpetrators were able to use the passwords to actually access and manipulate the source code, however if the source code was accessed two questions remain. 1. Was the code manipulated in some way that could open the door for later attacks or other problems? Microsoft claims no, the code has maintained it's integrity. Other than to trust Microsoft's word we may never know the answer. 2. Does the ability for a criminal group to view the source code destroy the security by obscurity that is key to so many commercial software products? In the open source community, numerous hackers examine products and contribute solutions to flaws in the products. In the commercial world, many companies rely on their development team to produce secure code and then keep the source code secret to not only protect their intellectual property, but also to minimize potential attacks that could be launched against the product. In this case, the loss of security by obscurity could result in a criminal having intimate knowledge of the product development cycle to be able to develop targeted attacks on future Microsoft products. Regardless of the quality of Microsoft products, the mere fact that the company was able to recognize that this incident occurred is unfortunately unique. Many corporations might never know this had happened to them. In fact the ability to isolate the incident to specific networks or machine is quite difficult in many environments. The other interesting thing going on here is the Trojan horse attack. These attacks have been discussed for several years now and the current solution has been to use content filtering software to detect the attack. If you are one of the world's favorite targets, the Trojan horse writer will write the attack specifically at you. By the time the anti-virus companies know about the Trojan horse and are able to detect and stop it, it's too late. Unfortunately, it has taken a high profile incident like this for awareness to spread. One solution is to seperate general purpose computing such as internet surfing and email from sensitive computing such as accessing source code or controlling IT infrastructure. This is what the military does. They run 2 networks that are physically isolated from each other. A less expensive solution is to keep all executable content from reaching workstations such as executable programs, active HTML content, or documents that contain macros. This is difficult to acheive in reality so physical seperation is the the only way to be sure you are secure. The Wall Street Journal broke this story and pretty much everybody is currently running it. Look for more information and speculation to filter out through the rest of the day.

• Wall Street Journal via MSNBC
• Reuters
• CNNfn
• CNET
• Newsbytes
• AP via ABC News
• Reuters via Excite re: Microsoft Stock Price
• http://www.symantec.com/avcenter/venc/data/w32.hll w.qaz.a.html
• F-Secure's Qaz description via datafellows.com

[...] W32.HLLW.Qaz.A was first discovered in China in July of 2000. W32.HLLW.Qaz.A is a companion virus that can spread over the network and also has a backdoor that lets a remote hacker connect to and control the computer via port 7597. Since the virus does not have the ability to spread to computers outside the network, the virus might have originally been spammed out by email.

----

What the enterprise customer does is set up an initial install with the OS and application and then clone it to new PCs with Norton Ghost. (I recently used the personal edition for $99 to back up a freshly installed dual-boot windows system and I think it's just dandy; now comprehends linux ext2 filesystems).

The problem is that if the enterprise customer bought the PC from a tradition Microsoft OEM, it will come preinstalled with Windows, and they'll be required to pay twice for it, as discussed at Paying Twice for Windows and Microsoft licensing deals confuse customers, study says.

Eventually Microsoft yielded somewhat, but only for the largest customers, as discussed in Commentary: Microsoft hasn't totally reversed its policy on fees.

This is a problem because traditional Microsoft OEMs are contractually obligated by Microsoft to install some operating system on every machine they sell. Microsoft claims that this is to cut down on piracy, but it has the added effect of discouraging people from trying out other operating systems.

The solution? Encourage the enterprise customers to purchase hardware with no operating system at all installed on it from OEMs that have no relationship with Microsoft. Then the customer can do their Ghost cloning without any worry about double license fees. This will work well both for the large enterprise customers that may have been helped by the minor adjustment in Microsoft's policy, as well as the smaller enterprise that were no helped out.

If you work for one of the traditional linux hardware vendors, I'd like to suggest to you that you view Microsoft Windows enterprise customers as a new market opportunity, not just to sell Linux to, but just to sell naked hardware to. If the hardware has no OS installed at all, there's no OS support issues to be concerned with, as there might be if you put some Linux distro on it.

Consider also that although trying to sell a machine bundled with Linux might meet resistance from a company that really does need its Windows applications to do business, selling naked hardware and emphasizing savings on Windows license fees is an easy foot in the door. Once you establish a rapport with the customer you'll have a better chance to upsell them to Linux.

Also consider that if Microsoft OEMs start losing significant hardware sells to folks like VA Linux Systems, Penguin Computing, Tuxtops and the screwdriver shops, they'll be a little more aggressive about getting Microsoft to back down on requiring an OS to be installed.

Of course, an alternative to the traditional OEM vendors is to just preinstall Debian and include a clause in the contract stating that the preinstall OS software is not supported by anyone. That just pretty much screws Microsoft up the Yin-Yang.

Symantec & Lotus: They already sold out, or have been crushed by Microsoft. Much more worrisome.

The following Symantec products serve to correct or work around design flaws of Windows/DOS or MacOS:

• Norton AntiVirus -- While viruses running under Linux have been created as experiments, the Linux platform does not suffer from the promiscuous vulnerability to machine-code viruses of unprotected platforms. Nor do Linux's popular applications suffer from unprotected scripting systems vulnerable to viruses.
• Norton CleanSweep -- Almost all Linux-based OSes use package-management systems such as dpkg and rpm, which permit the clean uninstallation of programs.
• Norton Speed Disk -- ext2fs, the current standard filesystem for Linux, does not suffer from the severe fragmentation problems of FAT, nor from the somewhat lesser but noticeable ones of FAT's successors and MacOS's HFS.

The following Symantec products serve purposes already filled by existing free software:

• Mail Gear -- The foremost mail daemons for Linux (such as sendmail, postfix, and qmail) already support the filtration of mail. Users can use procmail recipes or other tools to accomplish the task at their level.
• Norton Ghost -- Virtually every Linux-based OS ships with backup/recovery and disk-imaging tools such as dump, tar, and dd. There are even X-based versions such as guiTAR available.
• Norton Internet Security (firewall portion) -- Firewall capability is built into the Linux kernel. Several popular free packages exist to do rule-based intrusion detection, such as snort.
• Norton Utilities -- Though ext2fs is more robust than FAT or HFS, it can suffer from disk hosement in certain situations (such as loss of power); in these cases, Linux already has fsck. (Norton Utilities also contains tools that belong in the previous category, such as software to prevent program crashes from bringing down the whole OS.)
• pcAnywhere -- Linux has ssh and X for secure remote login and display.
• Procomm Plus -- The last thing Linux needs is another terminal emulator.
• Retriever -- Port-scanning software is hardly anything new to Unix; for network security mapping try SATAN or one of its derivatives such as SAINT.
• WinFax PRO -- The Hylafax system supports the sending and receiving of faxes under Linux (and other Unices) as well as network-based faxing.

The following Symantec products serve political purposes not in tune with many or most Linux users; specifically, they are parental or office censorware:

• I-Gear
• Norton Internet Security (censorware portion)

The following Symantec products are potentially useful under a Linux-based OS:

• Expert -- From the blurb, this sounds like an attempt at implementing Bruce Schneier's model of analyzing security as a business risk. (I am not convinced that Schneier is right, nor do I claim that Symantec Expert is a good implementation of his ideas ... but that's another story.)
• Mobile Essentials -- While one could well keep several versions of /etc in tarballs and untar the right one for each location, I imagine laptop users would like a clean way to switch from one set of settings to another.
• TalkWorks PRO -- The last time I looked into the matter, there didn't seem to be any reasonably advanced voice-mail or answering-machine packages for Linux.

(Mobile WinFax is not counted as it runs on the PalmOS, not a conventional OS. Norton SystemWorks is not counted because it is a bundle of several packages listed above.)

In short, it is not to be taken as a surprise that Symantec, and other "utility software" companies, see themselves as not having anything to offer the Linux community -- they don't.

Symantec & Lotus: They already sold out, or have been crushed by Microsoft. Much more worrisome.

The following Symantec products serve to correct or work around design flaws of Windows/DOS or MacOS:

• Norton AntiVirus -- While viruses running under Linux have been created as experiments, the Linux platform does not suffer from the promiscuous vulnerability to machine-code viruses of unprotected platforms. Nor do Linux's popular applications suffer from unprotected scripting systems vulnerable to viruses.
• Norton CleanSweep -- Almost all Linux-based OSes use package-management systems such as dpkg and rpm, which permit the clean uninstallation of programs.
• Norton Speed Disk -- ext2fs, the current standard filesystem for Linux, does not suffer from the severe fragmentation problems of FAT, nor from the somewhat lesser but noticeable ones of FAT's successors and MacOS's HFS.

The following Symantec products serve purposes already filled by existing free software:

• Mail Gear -- The foremost mail daemons for Linux (such as sendmail, postfix, and qmail) already support the filtration of mail. Users can use procmail recipes or other tools to accomplish the task at their level.
• Norton Ghost -- Virtually every Linux-based OS ships with backup/recovery and disk-imaging tools such as dump, tar, and dd. There are even X-based versions such as guiTAR available.
• Norton Internet Security (firewall portion) -- Firewall capability is built into the Linux kernel. Several popular free packages exist to do rule-based intrusion detection, such as snort.
• Norton Utilities -- Though ext2fs is more robust than FAT or HFS, it can suffer from disk hosement in certain situations (such as loss of power); in these cases, Linux already has fsck. (Norton Utilities also contains tools that belong in the previous category, such as software to prevent program crashes from bringing down the whole OS.)
• pcAnywhere -- Linux has ssh and X for secure remote login and display.
• Procomm Plus -- The last thing Linux needs is another terminal emulator.
• Retriever -- Port-scanning software is hardly anything new to Unix; for network security mapping try SATAN or one of its derivatives such as SAINT.
• WinFax PRO -- The Hylafax system supports the sending and receiving of faxes under Linux (and other Unices) as well as network-based faxing.

The following Symantec products serve political purposes not in tune with many or most Linux users; specifically, they are parental or office censorware:

• I-Gear
• Norton Internet Security (censorware portion)

The following Symantec products are potentially useful under a Linux-based OS:

• Expert -- From the blurb, this sounds like an attempt at implementing Bruce Schneier's model of analyzing security as a business risk. (I am not convinced that Schneier is right, nor do I claim that Symantec Expert is a good implementation of his ideas ... but that's another story.)
• Mobile Essentials -- While one could well keep several versions of /etc in tarballs and untar the right one for each location, I imagine laptop users would like a clean way to switch from one set of settings to another.
• TalkWorks PRO -- The last time I looked into the matter, there didn't seem to be any reasonably advanced voice-mail or answering-machine packages for Linux.

(Mobile WinFax is not counted as it runs on the PalmOS, not a conventional OS. Norton SystemWorks is not counted because it is a bundle of several packages listed above.)

In short, it is not to be taken as a surprise that Symantec, and other "utility software" companies, see themselves as not having anything to offer the Linux community -- they don't.

For the best bang for your buck on Windows, Norton Internet Security wins hands down. It blocks banner ads, allows you to add your own custom html strings to block, lets you block Javascript, Applets, ActiveX controls, animated gifs, referrers, cookies, user agent, and popup windows on sites.

Not only that, but if you want to block cookies from yahoo.com but not mail.yahoo.com, you can do that (and all of the above listed).

http://www.symantec.com/sabu/nis is where to find it

Also, look at "Portal" sites. They all grew out of Web search engines -- but their business success has nothing to do with the quality of their search technology. The biggest winner of all is Yahoo, which is hardly an example of cutting-edge technology.

Hey!

Wouldn't web-banner blocking programs (i.e. Norton Internet Security) block these 'web bugs' out? Furthermore, wouldn't it be easy to get a porn-site-listing-and-blocking firewall and change the names of porn sites for those of companies like doubleclick? If everyone did this, doubleclick wouldn't get the views.

SUB MANICLAUGH {
write("They would be crushed BWHAHAHAHAH!")
}

This would be a good thing for privacy. If we could get a big ISP like AOL into the blocking, it would be interesting to see the results.

Michael Tandy

1.) Reality Master 101's comment was in no way "flamebait."

2.) One way to commit *nix advocacy is to send a reply email to the person who sent you the two megabyte Word file as follows:

"Please resend your letter of the 23rd in text format. Our mail system detected a macro virus attached to the email you sent and the antivirus program automaticallly deleted the attachment, so I got your email but the document was gone. FYI, our network manager told me that it was the particularly destructive W97M.Stand.c virus which silently installs itself in Microsoft Office and exactly two weeks later wipes out all data on infected systems all across the user's office network."

OK, so (someone will complain) that's dishonest. But it's funny too, and that's important. Anyway, in the long view, if you can help him break his habit, your little white lie could be doing a poor cruelly longsuffering MSOffice addict a big future favor. Because after all things like W97M.Stand do exist.

Yours WDK - WKiernan@concentric.net

...but then, I'm using Java (at home: OpenGL)...or I might use CodeWarrior on my iMac.

Some people may not be this lucky.

CNN also has a later version of the story which reports Network Associates and Symantec assessing this as "low risk". CNN still don't name the files, but Symantec have some details under the name Serbian.Trojan, but not really clear on how to remove it. They say it is also known as "downloader" and Network Associates (McAfee) have more details.

Quite simple these guys want your money and they created a media hype to get it. No reason to flip. And now I am off.

People seem to think that we need some radical new paradigm in the way we're doing things in order to indicate progress; Microsoft is all too eager to jump in with a spiffy new standard and a handful of TLAs to placate this crowd and keep us all on the frequent-upgrade track. This is not good innovation (and while I'm talking about Microsoft, this isn't either). Sometimes different and more complex doesn't beat tried-and-true. Can't innovation be combining yesterday's solutions with today's needs to make a new product? Why are people so willing to attach the label of innovation on things that are new but not better?

I work in a Microsoft NT / IBM AS/400 / Linux environment. The AS/400 feels archaic, but does what we need it to. Linux feels archaic, but does what we need it to. Microsoft NT looks good.

---

The Freelinks virus as it's called is an old virus. I saw it first about six months before the loveletter came out.

This macro virus - one of the earlier Outlook ones - was from last July. Check out the Symantec page for more info.

If you're running Outlook and not scanning attachments, you deserve what you get.

-dg-

Yes, its true. Though it is far from a new thing - it's been around for about a year now.

...but rather a precursor. It's almost a year old. Details here.

Virus Experts are predicting that the spread of this variant will be slower than the original Lovebug virus, because of the 'mutation' that it tries to perform on itself. Every time it mutates, it adds up to 10 lines of crap to itself, in order to try to avoid detection. It ends up being huge after a moderate number of iterations.

Have a look at Symantec's information.

~P

Suspicious, I consulted my friendly install of StarOffice on my Linux machine. He didn't answer back, which is what I woudl have expected from M$ Office, and StarOffice continued to happily to my word processing without bother or error.

Moving back over to my Windows machine with M$ Office... that little MechWarrior like droid was not at all happy! He threatened to allow the 'I love you' worm to work its way through my machine via its evil powers of VB scripting.

Flustered... I then remembered who should be in control of the computer in the first place... ME! I promtly played my own ace-in-the-hole against that evil little M$ droid, named "F1", and hit the power button on the computer.

With F1 no longer being a concern, and no virus or VB script security problems on my Linux machine... I moved back over to the screen with the Gnome footprint eagerly waiting to do what I request without problem or crash.

I donned my red hat and rode off in into the lovely sunset with my StarOffice at my side.

http://www.symantec.com /avcenter/venc/data/vbs.bubbleboy.html

Imagine what a variant of this worm could have done.. the author posted the virus directly to anti-virus vendors, so M$ found out about the security hole the easy way.