Slashdot Mirror


Symantec Claims They Knew About Slammer In Advance

truthsearch writes "Wired is reporting 'Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.' I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected." It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. Update: 02/14 16:54 GMT by M : Wired has their math wrong; Symantec apparently had at most 20-30 minutes of early warning. Symantec claims in this press release that they discovered the worm "hours before it began rapidly propagating".

548 comments

  1. Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

    At 5am, and didn't tell anyone except a few rich and powerful business people who worked at the Trade Center. Yes, no one (probably) was killed by the Slammer, but it's a similar situation.

    1. Re:Imagine if CNN knew about 9/11 by RT+Alec · · Score: 3, Insightful

      Sorry, but that is not a similar situation. Not even close.

    2. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

      Knowledge of something illegal before it happened which affected many people and disrupted at least one country's economy for a day?

    3. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0
    4. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

      If you left MS SQL Server accessible to the internet, you deserve what you got.

    5. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

      So, I guess since we let terrorists on our plains, we deserved what we got?

    6. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

      Our plains? Terrorists are in the midwest? What about our precious beef reserves?

    7. Re:Imagine if CNN knew about 9/11 by lvdrproject · · Score: 3, Insightful

      Please stop equating/comparing/relating every single fucking thing to 09/11. It's only a similar situation in that they knew but didn't tell anyone. What if i knew the exact time you would be born, but i didn't tell your mom? Similar situation, right? What if i knew how long the cookies were going to last before you bought them, but i didn't tell anyone? Similar situation, right?

    8. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

      Yes, they trained there, remember?

    9. Re:Imagine if CNN knew about 9/11 by Anonymous Coward · · Score: 0

      The first comparison is regarding illegal activities (terrorism, spreading worms), yours do not, therefore, no, not similar. But, if you knew someone was going to rob a bank and didn't tell anyone, that would be.

  2. Big Surprise by Anonymous Coward · · Score: 3, Insightful

    Do you honestly believe that all the viruses come from joe sixpack sitting in his basement with nothing better to do?

    1. Re:Big Surprise by Anonymous Coward · · Score: 0

      exactly. why does it seem that symantec seems to come to the rescue every single time a virus is running rampant? I am quite convinced they have some disgruntled ex-employees, or even current employees who are quite capable of making anything possible. As well, they have a reputation of being first for waving the flag of solution to the problems. Coincidence?

    2. Re:Big Surprise by Anonymous Coward · · Score: 0

      s/symantec/the police/

    3. Re:Big Surprise by Anonymous Coward · · Score: 0

      Or they just do their job well. Any asshole with a warez copy of visual basic can accomplish what the people who release these viruses can. Put your tin foil hat away.

    4. Re:Big Surprise by m0rph3us0 · · Score: 0, Troll

      I knew about it 6 months ago, back then I decided to apply the hotfix. This is a sys admin problem anyone who had this worm should learn to patch their systems.

    5. Re:Big Surprise by Anonymous Coward · · Score: 0

      Slammer type exploit on ms sql known a year or more ago.

      How many port 1433 probes do you need before you start ms sql server on a different port.

  3. If 'Slammer' was a bomb... by Anonymous Coward · · Score: 0

    Wouldn't they be detained and in front of a war tribunal by now?

  4. makes it worth it by Anonymous Coward · · Score: 3, Insightful

    that's what makes the extra special account worth it. if they told everyone, then what's the point in paying for the extra notice?

    (not that I agree with not telling everyone, that just seems to be the why)

    1. Re:makes it worth it by frodo+from+middle+ea · · Score: 1

      exactly, so were u not affected by the worm. may be your m/c wasn't affected, but the entire NET was on its knees. so it did affect your net browsing time.
      Now can u sue them , bcoz you paid all this extra money and still couldn't logon to yahoo :-)

      --
      for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    2. Re:makes it worth it by error0x100 · · Score: 1

      Wouldn't there be some sort of criminal negligence issue here though? Allegedly, they (a) knew in advance that this was coming and (b) knew it would do damage to many people and (c) had the capability of warning many of those people and (d) chose not to. Isn't there something in the law about this? If I know the car you're about to step into is rigged with explosives, and I choose not to tell you (for whatever reason) even though I could have warned you, surely I am still in the wrong somehow?

    3. Re:makes it worth it by jallen02 · · Score: 1

      Interesting. This reminds me of a case I read about. A guy gets called by his friend, asks him to come get him from the police station. The friend comes and gets him and takes him to his car. The person picked up from jail proceeds to later that evening kill someone in his vehicle. The friend is then prosecuted for some very serious felony (negligent manslaughter or something, I don't remember exactly).

      The catch? The guy the cops picked up was drunk. After his friend came and got him he went and drank some more and killed himself and someone else in a DUI accident. Is the friend responsible if he knew the person had been drinking? What about if the friend didn't know? The cops never told him why he was arrested. The prosecutors are basically saying it would take a moron to not notice, and that is why the friend is responsible.

      Something to think on. I was at a party and I noticed people coming and going, some of them possibly drunk. They then proceed to go kill someone. Now I can get charged with the murder! (That is, if this case goes through). I think it was a hung jury twice, and the prosecution probably won't go for a third time.

      Jeremy

    4. Re:makes it worth it by error0x100 · · Score: 2, Insightful

      Hmm.. it could of course be that Symantec, although they may have known about the worm, may not have known that it was going to be as big as it was. They probably find new worms all the time, and perhaps they saw it as "just another worm". Since the thing apparently ripped through the internet in about 10 minutes, or something ludicrous like that, it may anyway already have been too late once they realised that it was going to be a big one.

    5. Re:makes it worth it by m_cuffa · · Score: 1

      That's why in democratic societies we don't convict anyone unless we can prove guilt "beyond a reasonable doubt."

    6. Re:makes it worth it by lordsid · · Score: 1

      there's been an underground idea that symantec and a few other virus protection companies have been propagating the fear of virii in the community for years. of course they would never do this to up profits and make their expensive product seem useful.

      --
      IMAGE VERIFICATION IS EVIL!
  5. They're in it for profit... by Lukano · · Score: 2, Insightful

    So I can see from a "greedy" standpoint why they would only tell select customers, but the "moral" side of me is aghast that -if they knew- they didn't tell.... Horrible!

  6. Symantec... I knew about you going out of business by digitalgimpus · · Score: 3, Funny

    Just wait til next week!

    HA HA HA HA HA [silence]
    HA HA HA HA HA [silence]
    HA HA HA HA HA [silence]

  7. Doubtful. by BoomerSooner · · Score: 2, Interesting

    Unless they helped the Korean program the thing. I unfortunately have to use MS products (my company pay's me to) and it's a constant waste of time applying the daily hotfix, backing up, testing, implementing, ...

    Why doesn't MS just give up with their POS OS and go to a Unix core like OS X. MS Linux with a .Net front end would be secure, fast, OSS Core, and finally kill 99% of the reason the internet sucks.

    Oh well, guess I'm dreamin.

    1. Re:Doubtful. by Anonymous Coward · · Score: 0

      They'll just come up with viruses that work on *NIX, and THAT would be disastrous.

    2. Re:Doubtful. by msim · · Score: 1

      Honestly, i know a dutiful admin *should* apply those hotfixes, read those cert advisories. But honestly, how many of them can be fucked doing so? The likelihood of the next one being "the big one" to these people is negligable(sp?), so they don't give a damned about these bugs..

      But a 6month old vulnerability? i mean, c'mon!

      --

      Life is like a box of chocolates, you never know when you're gonna get food poisoning.
    3. Re:Doubtful. by AnotherShep · · Score: 2, Interesting

      Wouldn't help at all. Shitty code is shitty code, no matter what's underneath it. It isn't the core of the OS that's broken (Well, at least not completely), it's the 'services' that run on top of it (SQL server, IIS, etc).

    4. Re:Doubtful. by ichimunki · · Score: 1

      Because there have never been any security issues with Linux/Unix? The first internet worm didn't exploit a Unix service? And most importantly, having the right name on the operating system will magically make up for any programming errors like buffer overflows and protect users from harm? I'd avoid MS Linux just as much as the rest of MS' software because they have a terrible record of responding to concerns and poor up-front design decisions, not because Unix is inherently better.

      --
      I do not have a signature
    5. Re:Doubtful. by Anonymous Coward · · Score: 0

      When the user is not running as root? How?

    6. Re:Doubtful. by stratjakt · · Score: 4, Flamebait

      I can bring mysql, oracle or postgresql down as easily as SQL server. You can get root in a poorly secured linux box, or hardlink out of a poorly configured chroot jail, just as easily as you can get a process to run with administrative rights on a poorly secured NT domain.

      There are as many 'hotfixes' and 'service packs' for linux based software, they just call them patches and releases.

      Linux just isn't ubiquitous enough to be a worthwhile target. Yet.

      All the bragging and dipshittery that uninformed OS fanboys are doing will bite them in the ass in a big way if linux is adopted into the mainstream.

      --
      I don't need no instructions to know how to rock!!!!
    7. Re:Doubtful. by spring · · Score: 5, Informative

      Through acquisition, Symantec has access to several firms that have deployed "sensors" in many locations around the 'net. These sensors relay activity information back to a central location.

      Symantec correlates this information, and determines threats. They then relay this information to customers of the subscription service.

      This may be what they are referring to.

    8. Re:Doubtful. by Mwongozi · · Score: 0
      You want MS Linux!

      Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment.

    9. Re:Doubtful. by Anonymous Coward · · Score: 0

      no, your company doesn't "pay is" you to do shit. It PAYS you to do many things, one of which is to leave the fucking apostrophe out of words that don't need one.

    10. Re:Doubtful. by Anonymous Coward · · Score: 0

      ROFL, troll.

      if you are applying daily hotfixes, you are doing something desperately wrong.

      it's kinda funny. i always hear about how it takes X times more windows admins than unix admins to admin a network of Y boxes. maybe my boss and i are doing something very wrong, but it's the 2 of us for ~225 machines (40% windows, 30% (sol[8|9])|([f|o]bsd), 2 vaxen, the rest macs).

      how is that? it's called planning, i'd suggest you learn what that is. ghost and sus for the windows boxes; assimilator for the macs; jumpstart for the sol boxes. and a few *very* strict dd firewall.

    11. Re:Doubtful. by ipxodi · · Score: 5, Insightful

      If all copies of MS products were magically replaced with *nix versions tomorrow, we'd see *nix oriented viruses the day after tomorrow. It isn't the label on the box, it's the popularity of the software.
      Virus writers are like vandals -- nobody is going to make graffiti where it doesn't get lots of public exposure.

      --
      load "windows7" ,8,1
    12. Re:Doubtful. by kasperd · · Score: 2, Interesting

      Unless they helped the Korean program the thing.

      Indeed, that was also my first thought. The graphs I have seen over the activity for the first minutes looked like exponential growth with a doubling time of less than one minute. That would give at most half an hour between the very first infection and worldwide spread. If Symantec notified their customers hours before, that would be before the worm was released. Of course it is theoretically possible, that the author notified Symantec prior to release.

      --

      Do you care about the security of your wireless mouse?
    13. Re:Doubtful. by AnotherShep · · Score: 1

      My point exactly. Bad code brings things down, no matter *what* they're running on. It was just in reply to the guy who thought slapping a unix core under Windows everything else would be a magic fix-all solution. And OS fanboys are annoying as hell.

    14. Re:Doubtful. by Anonymous Coward · · Score: 1, Insightful

      So why are there so many more IIS worms and viruses than Apache ones?

      No, it isn't just popularity, it's quality as well.

      Pay no mind to the astroturf.

    15. Re:Doubtful. by Anonymous Coward · · Score: 0

      Yet it doesn't PAY you to capitalize the first word of a sentence? Strange company, I'd say.

    16. Re:Doubtful. by EddieBurkett · · Score: 2, Informative

      Symantec didn't notify their customers hours before. According to the article, Symantec sent out a notice at 9 pm PST on 1/24. The article says the virus started propagating at 5:30 am UTC 1/25, which is 9:30 pm PST on 1/24. They also say that the rest of the internet started noticing the virus at about midnight EST 1/25, which is also 9 PM PST 1/24. I'm not sure who is changing all the times to make it sound like there is a large window of time, and I don't understand how the virus could propagate so quickly, yet people saw it before it started propagating -- and not just Symantec according to the article's time frame -- but Symantec did not beat the virus by hours.

      --
      The only thing I hate more than hypocrites are people who hate hypocrites.
    17. Re:Doubtful. by Anonymous Coward · · Score: 0

      nope, that's what the weekend staff's job is.

    18. Re:Doubtful. by JWW · · Score: 2, Interesting

      It's always wonderful when the fix breaks an interface with another system as well.

      AND when the people who wrote that interface call and tell you to remove the patch so that their interface will work again.

      You were saying something about keeping up with all the hotfixes, or should I worry about the business being able to have systems that talk to each other?

      This really is a serious issue and I think it happens more often than people expect. In this case the client program should have been fixed, but corporate politics were used to force me to make the change to the database instead of them changing their client program.

      But the main point is that only better software right out of the gate, without the need for a gazillion patches is the answer. Once you've been burned by a patch breaking your previously working systems, you get very wary of future patches.

      God I hate SQL Server.

    19. Re:Doubtful. by Anonymous Coward · · Score: 0

      Waaah. Waaah. The moderators don't like me. I'm going to go pout in my parents' basement and bring down their MySQL server. Waaah.

    20. Re:Doubtful. by John+Sullivan · · Score: 1

      Because it's about brand awareness, not number of units out there. Apache may have more installed units, but it has very little publicity outside the geek community - whereas Microsoft lives or dies by its marketing image, so in a sense sets itself up for attack.

      --
      This is my World Wide Web of Whatever
    21. Re:Doubtful. by manyoso · · Score: 3, Insightful

      Last time I checked, Linux/Unix dwarfed Windows in the enterprise. Windows has a majority on the desktop, but it is only *one of many* players amongst servers and is not the most widely used.

      Time for a new theory :)

    22. Re:Doubtful. by manyoso · · Score: 1

      Whaa?? You think SQLServer is widely known outside the geek/tech community? I do not grant that SQLServer has more brand awareness than Oracle outside of the geek community, but even if it did please explain how this affects the bugs. Are you asserting that slammer was written by someone unaffiliated with computers and would fall outside of the 'geek' community? What kind of logic is this?

    23. Re:Doubtful. by dskoll · · Score: 1
      stratjakt writes: I can bring mysql, oracle or postgresql down as easily as SQL server.

      Go on, then, have a crack at the PostgreSQL server on my box (see my URL.)

    24. Re:Doubtful. by Anonymous Coward · · Score: 0

      you're just all talk. why not save all of us the bother and not post next time. please?

    25. Re:Doubtful. by manyoso · · Score: 5, Insightful

      Unix/Linux dominate the market for servers and databases. Oracle is the most widely used database the last time I checked and SQL Server was third. Unix/Linux *is* ubiquitous for servers. Microsoft is the niche player and it is Microsoft that is producing software so buggy that it is hobbling the internet.

    26. Re:Doubtful. by John+Sullivan · · Score: 1

      No, but Microsoft is. The name, the brand, "Microsoft". It doesn't matter if it's Windows XP or "Services for UNIX" - if you can attach the Microsoft name to it and exploit it you've got a surefire route to infamy. Which is why so many more people are trying to than for other vendors.

      Look, I'm not saying MS products are equal in robustness to those on competing platforms, I don't think they are. But if those other platforms had as much mindshare in the general population as Microsoft does, then the number of active and publicised exploits would be a lot closer to parity.

      --
      This is my World Wide Web of Whatever
    27. Re:Doubtful. by pi+radians · · Score: 3, Insightful

      While attempts with viruses and worms may be more due to popularity, there are other factors that result in an insecure system.

      Just saying that viruses and worms are more popular because of Microsoft's success is merely a cop-out. Their success should be a benefit to their security (more resources should be dedicated to it), not an excuse for it.

      --

      sin(6cos(r)+5A)
    28. Re:Doubtful. by OrangeHairMan · · Score: 2, Informative

      it's the popularity of the software.

      You so sure? According to the latest Netcraft survey Apache has 62% of the server market while all versions of Windows have only 27%. And you still see more Windows server viruses appearing (Slammer exploited bugs in the SQL server). If you want to talk about end users and desktops though, you'll have to find a email client that runs programs automatically with root-like priv's, then I might believe you.

      Orange

    29. Re:Doubtful. by eht · · Score: 2, Informative

      True, but how many servers do you need per desktop machine?

      For http it's a couple of thousand or even hundred thousand and most people running unpatched and without firewalls are going to be the home users.

    30. Re:Doubtful. by chef_raekwon · · Score: 1

      dude, get a grip.

      the argument is : Apache has much more installs than IIS, on many, many different platforms. The amount of bugs are substantially lower, because of much higher quality of code.

      people exploit programs mainly for the "vandal" aspect, but if you can't vandalize a paint proof building, you move onto the next building. Remember, one would get much more credit exploiting a large corporation's webserver, than some small time clown, who serves a couple of pages. (the small time clowns are running IIS, not usually Apache.) so, in light of this

      what is your argument again?

      if more non-techies knew about apache, it would be more exploitable?? how so?

      --
      We're like rats, in some experiment! -- George Costanza
    31. Re:Doubtful. by Anonymous Coward · · Score: 0

      Frankly an MySQL worm could be a lot worse than this one. MySQL seems to be on every WebHosting service on the face of the earth. Lots of Servers with nice fat pipes. Maybe MySQL and Linux are more secure than MsSQL and Windows?

    32. Re:Doubtful. by Anonymous Coward · · Score: 0

      Completely off-topic. The parent poster's email address is spam armored as "bit[ ]dle.com ['pud' in gap]". I don't know if this slang spans oceans, but here in the USA "pud" is slang for a certain piece of male anatomy, and putting it in a gap is quite suggestive. </mind-in-gutter>

    33. Re:Doubtful. by Rasta+Prefect · · Score: 1
      For http it's a couple of thousand or even hundred thousand and most people running unpatched and without firewalls are going to be the home users.

      Yeah, but most of these worms hit Microsoft Servers lately - Slammer, Code Red, Nimda. Very few desktops are running IIS and MsSQL.

      --
      Why?
    34. Re:Doubtful. by Anonymous Coward · · Score: 0

      There are as many 'hotfixes' and 'service packs' for linux based software, they just call them patches and releases.


      True, but there is a huge difference: time. The time frame for a security fix on a Linux or *BSD box is hours or days. On the other hand, hotfixes and SPs have a timeframe of weeks or months. Under Windoze, the admin is at the mercy of M$ to provide the patch. In an open source OS, that same admin may be able to correct the issue him/herself and provide a fix with the bug report. Corporate interests are about money, not the end user. That is the major difference you have overlooked.

      However, I will concede that in this case it is indeed lazy admins at fault, which is NOT platform dependant. ;P Good call.

      "There is no patch for stupidity."
    35. Re:Doubtful. by callipygian-showsyst · · Score: 1
      Good point!

      I always laugh when Mac folks (especially before OS X) used to claim that Macs were somehow immune to viruses.

      In fact, the only reason you hear less about Macintosh viruses is that virus writers want their work to spread quickly and reliably, and that means targeting the most popular platform: Windows

      I can't imagine why you would need your SQL port open and accessible on the Internet. The real fault is those sysadmins who have the port open (followed by a failure to apply all security patches to machines that are accessible on the Internet.)

    36. Re:Doubtful. by Anonymous Coward · · Score: 0

      Does that mean that stratjakt cannot bring down any of them?

    37. Re:Doubtful. by juan2074 · · Score: 1
      Actually, there is more to it than just a straight comparison of who has more bug-fixes.

      Even if we knew exactly how many bugs were fixed by every patch or hot-fix or service pack, we cannot compare how severe those bugs were in the first place.

      Also, think about which services are enabled or installed by default, and how easily the system administrator can disable or not install those. If you do not have something installed, it will not be a vulnerability on your system.

      If there was a major worm or virus for UNIX, its propagation would likely depend on root access (or at least some good permissions of a user like lp). How much damage can be done as a normal user on a UNIX box? How much damage can be done as a normal user on a Windows box? How easily can a virus or worm get elevated privileges?

      There is really no easy way to compare vulnerability between UNIX and Windows servers. There are too many differences in how they are put together and how they function.

    38. Re:Doubtful. by Anonymous Coward · · Score: 0
      Actually the argument is that IIS has the single largest homogenous install base of all webservers. You see there's versions of apache running on multiple OSes, multiple hardware platforms, and each combination will effectively require a unique rehashing of your exploit. Ie, you'll need unique shell code for the sparc chip, for the powerpc chip, hp-pa risc, x86. You'll need a different shell code for solaris 8, solaris 9, linux (possibly different shell code variances for redhat, mandrake, suse, slackware, debian, etc), openbsd, freebsd, netbsd, macos x, hpux, aix. You'll need a different exploit for apache 1.3.2, 1.3.10, 1.3.12, 2.0. apache+ssl, etc. Hell, you even have to worry about which version of GCC was used to compile and which options were stack alignment options, which optimization options, etc. For IIS, you have one architecture (x86), one syscall API (Win32/NT/2000), and perhaps two or three versions IIS 4.x, 5.x, .net. Gosh which one would you select????

      At least we need to not be stupid. You're giving a new definition to the term "slashdotted": when you are being argued with by a moron who doesn't look at the facts, but rather argues from a point of ignorance, stupidity and zealousness. a common tactic is to simplify the situation to the point of irrelevance and eliminate anything that might possibly shadow of a doubt on the validity of their stupid position.

      And this argument applies to all the stupid mother fuckers who are the parents of this thread too.

    39. Re:Doubtful. by Alan · · Score: 1

      There is a big difference between space for uploading warez on anon ftps and having your program exploitable enough to bring down 911 systems, atms, etc.

      Now I'm not saying that OSS isn't vulnerable, just that your example isn't quite up to the level of what people were talking about.

    40. Re:Doubtful. by Anonymous Coward · · Score: 0

      1) No it isn't about "brand awareness", it's about vulnerability. Machines are hacked because they are vulnerable.

      2) Even if it =were= about brand awareness, Unix/Linux has just as much brand awareness as MS among people likely to hack.

      3) Finally, even assuming it =is= about brand awareness =and= that MS' is greater, it's STILL not the relevant factor. The general public doesn't care about which server some site is running, they care about which site is =hacked.= So, if brand awareness has any relevance, it is the popularity of the site that gets attacked that matters.

    41. Re:Doubtful. by Anonymous+DWord · · Score: 1

      Apache may have more installed units, but it has very little publicity outside the geek community - whereas Microsoft lives or dies by its marketing image, so in a sense sets itself up for attack.

      Huh? Attack by whom? You think that the people who are r00ting boxes have never heard of Apache? Joe User may have never heard of it, but he's not the one writing worms anyway.

      --
      "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
    42. Re:Doubtful. by John+Sullivan · · Score: 1

      *Not* more exploitable, more exploit*ed*. Exploitable bugs are present in both, whether one has more or less is not necessarily the most important factor.

      --
      This is my World Wide Web of Whatever
    43. Re:Doubtful. by Anonymous Coward · · Score: 0

      LOL, you spaz "it is Microsoft that is producing software so buggy that it is hobbling the internet. " What was the names of all those worms produced for apache again? oh wait, I forgot .. it's not cool to hate apache ...... That just simply isn't "geek". SHIT! I just broke the secret *GEEK* code! Oh No! best moderate me down...

    44. Re:Doubtful. by manyoso · · Score: 3, Interesting

      "What was the names of all those worms produced for apache again?"

      Let me assist you in finding your clue: You can't remember the names of those worms because they had no discernible impact compared to Code Red or Slammer.

      Everyone knows about Code Red and Slammer because they were frightening worms that caused a massive amount of damage. Hell, Gartner is telling people to not use IIS and migrate away because it is so damn buggy!

      People do not hate IIS because it isn't *cool* they hate it because it is shit software that has caused millions and millions in damages.

    45. Re:Doubtful. by Anonymous Coward · · Score: 0

      yet MS is still considered a monopoly?
      from what you say their dominance is an inch wide and a mile deep when it comes to the marketplace, yet in court you hold them to the opposite effect saying that this one thing allows them to control everything else. Essentially you are saying that MS produces buggy software and operating systems that are in the minority and no-one uses, but on the other hand they have leveraged this power to be the dominant players in the software/os industries. Well which is it fanboy?

    46. Re:Doubtful. by Falconpro10k · · Score: 1

      THANK YOU!, you're right, IIS is poorly developed software, Httpds and such need to be open source, else you CAN'T fix security bugs, etc... that's why i would never put IIS on my network... I say that for a good reason too, if it was more secure, maybe, but hell, my apache is virtually bulletproof.

    47. Re:Doubtful. by Anonymous Coward · · Score: 0

      If all copies of MS products were magically replaced with *nix versions tomorrow, we'd see *nix oriented viruses the day after tomorrow.

      Translation: "Baaaaaa."

    48. Re:Doubtful. by Anonymous Coward · · Score: 0

      It's a piece of cake to update many linux distros. You use whatever update utility it has, it gives you a list of what updates are available for every package you installed, and away you go. There may be situations you want to have more control over specific services, so you can install from latest source if you wish. You have options

      No, Linux folks will not have any problems when Linux becomes mainstream (in fact, it is mainstream in many ways already).

      Really, though, the OS debate is a red herring in this instance. The fact of the matter is that good security policies and quality sysadmins are the main factor that will determine the security of data on a network.

    49. Re:Doubtful. by Vulture_ · · Score: 1
      Linux just isn't ubiquitous enough to be a worthwhile target. Yet.
      Oh dear. All the people that have been writing exploits for Linux for untold years will be quite shocked to hear this.
      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

    50. Re:Doubtful. by Vulture_ · · Score: 1
      Virus writers are like vandals -- nobody is going to make graffiti where it doesn't get lots of public exposure.
      And yet, mysteriously, I find the most graffiti in obscure corners that few ever venture into...
      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

    51. Re:Doubtful. by You're+All+Wrong · · Score: 1

      """ ... want their work to spread quickly and reliably, and that means targeting the most popular platform: Windows
      """

      So not only is Windows the most popular, but it's the quickest and the most reliable!?!?!

      Yeah, yeah, just pulling your leg.

      YAW.

      --
      Your head of state is a corrupt weasel, I hope you're happy.
  8. Moral responsibility ? by Anonymous Coward · · Score: 0


    They only have a corporate responsibility which is to make money, nothing else

    Isn't capitalism great!

    When corporates have "morals" is the day hell freezes over, you Americans will understand
    (Tyco/Enron/AOL/Andersen etc etc etc)

  9. Of course they did... by supergwiz · · Score: 0

    *puts on conspiracy hat*

    They write the virus that directly benefits themselves as a result.

  10. Foot in mouth disease by phil+reed · · Score: 1
    From the article:

    Wee did not respond to requests for further clarification of Symantec's policy regarding the public release of threat information.

    Probably because he's suddenly realized just how far he has jammed his foot into his mouth.

    Symantec, do you really expect me to buy any more of your products?

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  11. I had them beat... by jpsst34 · · Score: 4, Funny

    I knew about Slammer in 1988. (Take a look at Jim Brown's character.)

    --
    How are you going to keep them down on the farm once they've seen Karl Hungus?
    1. Re:I had them beat... by Anonymous Coward · · Score: 0

      I got three UDP 1434 hits (scan of one of my IP ranges) on 2003-01-16 08:59 PST -- 8 days before the big event. The packets were only 33 bytes long, compared to the 404 byte packets sent by the worm. Significant?

  12. Moral obligation? by nakhla · · Score: 5, Insightful

    Since when does Symantec have a moral obligation to do anything? They're a corporation. Their service is to detect and prevent network attacks. If you are willing to PAY for the service, then you get the benefits of it. If not, then it sucks to be you. Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

    1. Re:Moral obligation? by phil+reed · · Score: 5, Insightful

      The Internet is a cooperative enterprise. It behooves all the users to play nice with each other. Symantec evidently decided that their customer base was a higher priority than playing nice with everybody else. That's fine, and they are welcome to make that choice. They then get to live with the consequences, including the one where everybody else decides not to play with Symantec because of their attitude.

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    2. Re:Moral obligation? by MrFredBloggs · · Score: 1

      Perhaps they meant 'all companies around the world have a moral obligation to conform to my personal belief system'. I wonder what truthsearch's views are on the pending war against Iraq, abortion, animal rights etc. I think we should be told - I'd like to know what to think.

    3. Re:Moral obligation? by catch23 · · Score: 1

      Dude!! It's obviously the same moral obligation Microsoft has for making bug-free products we've all come to expect!!

    4. Re:Moral obligation? by Anonymous Coward · · Score: 0

      If it's true, then Symantec knew ahead of time of an illegal act that was going to disrupt vital communication paths on a global scale.

      If a gas mask company knew ahead of time that someone was going to drop some poison gas onto a major metropolitan city, would it not be their moral responsibility to notify the city? Even though they would directly benefit from said gas actually being let loose?

    5. Re:Moral obligation? by Frequanaut · · Score: 0, Troll

      gah. You are ridiculous, ignorant and shallow.

      The minimum set of morals any citizen or corporation must subscribe to are those outlined by the state and federal law.

    6. Re:Moral obligation? by ShieldWolf · · Score: 1, Insightful

      If Ford discovered a flaw in the axles of all GM cars that could lead to accidents, you are damn skippy they have a moral obligation to let everyone know.

      --
      just = (My)Opinion.toCents();
    7. Re:Moral obligation? by Anonymous Coward · · Score: 0

      Since when does anyone have any moral obligations to anyone! We live only to make money and be self serving.

    8. Re:Moral obligation? by Quixote · · Score: 4, Insightful
      OK, then why do companies like Microsoft bitch and moan about individuals releasing exploits before they have had time to "study" the bug (read: sit around and do nothing) ?

      "Moral responsibility" is a two-way street: if you (the company) expect me to have some, then show some towards me too.

    9. Re:Moral obligation? by CelloJake · · Score: 3, Insightful

      I think there is a moral obligation. Knowing about a virus is, essentially, knowing about a crime that is about to be or is being committed. They at least had an obligation to report anything they know to legal authorities, short of proprietary solutions.

    10. Re:Moral obligation? by Gildogg · · Score: 1

      You are right, Ford would have that obligation, because the failure of the axles would be directly responsible for accidents that could cost lives. Does your life depend on the Internet or a Microsoft SQL server? If so, end it now, because you are in for a lifetime of disappointments.

    11. Re:Moral obligation? by Anonymous Coward · · Score: 0
      Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

      If Ford finds that someone is going to exploit a vulnerability in most roads which will cause your Chevy to crash and burn, then Ford has a moral obligation to inform you about it. Ford would probably have a legal obligation to do so as well.

      This is besides the point that a vulnerability like Slammer and Code Red affects everyone, not just MS users who don't patch or subscribe to Symantec, due to their network usage.

    12. Re:Moral obligation? by Fredge · · Score: 1

      That's a noble idea but is it practical? I certainly haven't tried every virus scanner/detector on the market, but of the various ones I've tried I've found Symantec/Norton's to be the best. Simply put, it has found and protected me from infections that other systems let through (yes, I've run multiple detectors at the same time in the past).

      Do we have to compromise our systems to keep from compromising our values? If there's better protection than Symantec offers for Windows (don't say "Use Linux" - I would if I could) I'm all ears.

    13. Re:Moral obligation? by madcarrots · · Score: 3, Funny

      When there is talk in Congress about making cyber-crimes punishable by life-imprisonment, Symantec has a responsibility to warn the masses about Internet threats. They have a reputation as "the anti-virus company" and as such they have to live up to that reputation. To say that they will sit on information that they know will disrupt millions of people, businesses, and educational institutions and only provide warnings to the people that pay them is admittance or extortion.

      "GIVE US THE LOOT, OR YOUR PC WILL NOT BOOT!"

      Prosecute them.

      --
      "Knock the stones together, guys!"
    14. Re:Moral obligation? by Anonymous Coward · · Score: 0

      You see, this kind of attitude is part of the problem. I know the US is more lax about engineering than Canada (where I live) but give me a break. I know Software Engineering is not regulated to the same extent as say Civil Engineering but the CCPE (Canadian Council of Professional Engineers) is working hard to get both on the same level. The idea is that Software engineers should be liable to the same extent Civil engineers are (ie same negligence standard applies).

      To bring an analogy to this case, say Civil engineering company A employed a P.Eng (Professional Engineer, required in Canada) to design a bridge. A few months later someone in company B finds out that the bridge will collapse within hours and informs his boss (a P.Eng). The P.Eng has to inform the authorities under the rules of CCPE (or the provincial organization in charge, PEO in Ontario). Engineers swear an oath to this extent at the Iron Ring ceremony upon graduation and they have to follow it (similar to the oath doctors swear to).

      Anyways, this is what I learnt from the Professional Practice and Engineering Law classes in university. I know the rules are different in the US and morality is not expected from any corporation but you'd expect them from individual professionals (or at least one ought to expect it).

    15. Re:Moral obligation? by Tord · · Score: 1

      Everybody has moral obligations to act in certain ways given certain situations, this includes both companies and people. If Symantec had a moral obligation to release this information or not is another question, but I'm sick and tired of the argument that companies don't have moral obligations since they're only into business to make money. Hey, I'm only into getting as much fun out of my life as possible, does that mean that I'm without moral obligations?

    16. Re:Moral obligation? by Anonymous Coward · · Score: 0

      "If it's true, then Symantec knew ahead of time of an illegal act that was going to disrupt vital communication paths on a global scale."

      I wonder if Symantec's lawyers are watching this story, with its baseless, and possibly libellous assertion.

      What does killing people with gas have to do with writing computer programs? Clue: analogies are useless. If what you are discussing is different, then the outcomes probably are too.

      http://www.philosophypages.com/lg/e13.htm

    17. Re:Moral obligation? by jwilloug · · Score: 1

      My mother is a pediatric nurse, and she said Slammer shut down their hospital network for more than a day. Forcing them to revert to paper and generally slowing things down.

      This is a failure of the hospital's admin more than anything, but it points out that you can't just down every computer network connected to the Internet and expect there will be no "real" consequences. Somewhere, someone died because of Slammer.

    18. Re:Moral obligation? by Anonymous Coward · · Score: 0

      Slammer disrupted life for an entire day in South Korea, and even brought down many ATM machines in the United States. What if the next one affects an even more critical infrastructure? Telephones (no 911), or hospital networks?

    19. Re:Moral obligation? by Anonymous Coward · · Score: 1, Insightful

      >Somewhere, someone died because of Slammer.

      Pure speculation, your honour.

      Assuming someone DID die, then it's professional negligence, or corporate manslaughter, if people are using incorrectly configured (ie patched) software. Note: Microsoft explicitly waives any responsibility for mission-critical systems.

    20. Re:Moral obligation? by Anonymous Coward · · Score: 0
      Posting this as AC so I can mod you -1, stupid. Suppose I have a service that warns of criminal gangs ready to pillage towns and assault the residents. If you're a subscriber to my service, I can let you know when this is about to happen. If not, well, you know, we live in dangerous times.

      Get it now?

    21. Re:Moral obligation? by dpilot · · Score: 4, Insightful

      Do we really hold corporations to such low standards?

      Do you hold your friends or family to such low standards?
      Do you hold other members of your community to such low standards?
      Do you hold your elected officials and their appointees to such low standards?

      This came up during the hearings for Edwin Meese for Attorney General. The Attorney General is the highest Officer of the Law in the land. For him to merely say, "I have been convicted of no crimes." is not ANY sort of endorsement for the office. It's barely a qualification.

      When we rant against the poor and welfare, we argue that putting a safety net under these people will encourage them to fall into it, and not try to better themselves.

      Isn't the law really an ethical and moral safety net? So is it any wonder that *some* sink to the net, just like some poor do with welfare? But the real problem comes when we EXPECT people and corporations to sink to the net, take for granted that they will, and don't see a problem with that situation.

      Businesses are a member of the community, too. I'd expect them to behave as ethically and civilly as any person. With a business, I only have my words and money as tools to 'encourage better behavior.'

      --
      The living have better things to do than to continue hating the dead.
    22. Re:Moral obligation? by juju2112 · · Score: 1

      It is immoral to not have morals. Hiding behind the mantra "My goal is profit" doesn't make morals magically go away.

    23. Re:Moral obligation? by Brigadier · · Score: 1



      If Ford knew about a bump in the road, that could cause thousands of dollars of damage and didn't tell anyone it would be reasonable that they be held liable.

    24. Re:Moral obligation? by TheCrackRat · · Score: 1

      Not having morals is amoral, not immoral.

      --
      Ignorance is not linguistic drift.
    25. Re:Moral obligation? by Anonymous Coward · · Score: 0

      Well, lessee, if Ford sells a device that impacts public safety, like say air-bags, and they find out that there is something out there that would keep them from functioning correctly, thereby diminishing or eliminating the usefulness of the air-bags, then YES, they have a Moral, Ethical, and Technical duty to let people know that the device they created and implemented may not work!

    26. Re:Moral obligation? by Anonymous Coward · · Score: 0

      Libellous? Slashdot? Never!

    27. Re:Moral obligation? by dr.badass · · Score: 1

      Since when does Symantec have a moral obligation to do anything? They're a corporation.

      Are you implying that corporations have no moral obligations? That these entities that, by disgusting perversion of the law, have much the same rights as actual people. Entities that are themselves composed of individuals acting in concert. Are you implying that they should be bound only by law and market?

      For what it's worth, I don't really have a problem with Symantec in this case, but I am greatly concerned by the increasingly common belief that corporations should have the same rights, but not responsibilities, as people.

      --
      Don't become a regular here -- you will become retarded.
    28. Re:Moral obligation? by Daniel+Dvorkin · · Score: 1

      Ford has no moral obligation to give you a car. However, Ford does have a moral (and legal) obligation to warn you if it knows that there's something wrong with your car.

      I'm so fucking sick of people trying to blow off corporate misbehavior by claiming that there are no moral obligations for corporations. Corporations are made up of people. Those people make decisions, and most, if not all, of those decisions have a moral dimension. You don't stop being human, with the same moral obligations as any other human being, when you go to work.

      --
      The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
    29. Re:Moral obligation? by NightmareDNS · · Score: 0

      "Their service is to detect and prevent network attacks."

      Ha, that's a good one. Are you saying that they care about their customers?

      To go along with your little analogy, they're probably saying Ford has an obligation to tell you that yours will blow up next time you start it. Not that they should give you one even though you haven't paid for it.

      Besides, if you're not under the impression that it's important to look for updates (the sql update that came out months ago), then maybe your company should hire someone else to look after their interests.

      --
      NightmareDNS =)
    30. Re:Moral obligation? by Anonymous Coward · · Score: 0

      Spoken like a true minion of the almighty Dollar $$$ ...
      Even in today's dollar driven society sooner or later a corporation has to hold the interests of society above their interests in making money.

      In this example, imagine what "Good will" Symantec would have gained if they warned all of their paying customers of the impending threat and then immediately warned the general public.

      Corporate "Good will" is often overlooked on the balance sheets of many companies. Except for the most successful....

    31. Re:Moral obligation? by lildogie · · Score: 2, Insightful

      Two words:

      Protection racket.

    32. Re:Moral obligation? by enkidu55 · · Score: 1

      No but Ford would be obligated to issue a recall if it was found that a flaw in their vehicle was going to take out not only Ford rigs but every other car on the freeway at the same time. If Symantec knew ahead of time that a storm was coming whether it be 20 minutes or 4 hours, they should have done all they had in their power to prevent it. Why do you think their sensor outposts are there anyway. Early warning and detection. Nobody makes any money if the entire internet is devalued as a medium because people consider it unreliable and scary.

    33. Re:Moral obligation? by Anonymous Coward · · Score: 0

      I work for Symantec (as a first-tier corp. tech) so my view might be a little skewed. Of course, views my own, etc.

      We are a network security company. We sell firewalls that use heuristics to detect attacks, much like other people's do. To create new heuristic definitions, we have sensor honeypots all over the Internet, waiting for new attacks so that we can analyze them and better protect our customers.

      Regardless of how it gets spun by PR, here's what happened: A few minutes before Slammer hit the big time, we saw it hit a few honeypots. We noticed what it was doing, and created a heuristic to detect it. We had no idea how big it was going to be, but because our customers pay us to be alerted every time we see something new, they were informed and provided protection via heuristics definitions.

      The same routine is gone through every time we see ANY new attack. This one just happened to get big, and fast. And it looks good to talk about how we caught it ahead of time. You expect us to tell the entire internet every time we see any new script kiddie port-scan a honeypot in a way we haven't seen before? Perhaps we should have an automailer set up to send to EVERYONE@TEH-INTARWEB.COM, and attach the heuristics we paid technicians top dollar to develop? I don't think so. We pay people 24/7 to keep an eye out and develop detections for new attacks, large or small. It's not a service we provide for free. It's a COMMERCIAL SERVICE, and it's what we do.

      Get used to it.

    34. Re:Moral obligation? by Anonymous+Custard · · Score: 1

      Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

      No, that's not the issue. It's not a crime for you not to have a car. But keeping quiet about an outbreak could be constituted as Criminal Neglect.

      If a company makes vaccines/medicines for a certain virus, and for some reason they notice a possible minor outbreak in a small town, they must inform authorities of the outbreak. They are not allowed to allow the outbreak to spread, even though that would be more profitable since the demand for their product would rise, or even Racketeering.

    35. Re:Moral obligation? by Anonymous Coward · · Score: 0

      Since when does Symantec have a moral obligation to do anything? They're a corporation.

      Why do people think that being a corporation eliminates moral obligations?

      Human beings are also competing for money and power, trying to get as much as they can of each for themselves. Ever heard of Darwinism or "survival of the fittest"? There's no more reason for a human to have a moral obligation than for a corporation to have a moral obligation. And yet, the concept of morality does exist, and humans are presumed to have moral obligations. So why exactly are corporations different?

      To state the question more accurately: Why are the humans who had information about Slapper presumed to have no moral obligations just because they work for a corporation? Let's not forget that "corporations" don't have information about Internet worms. They're just legal constructs for organizational and tax purposes. _People_ have information.

    36. Re:Moral obligation? by juju2112 · · Score: 1
      Right. But I'm saying that being amoral is immoral. Perhaps not everyone feels that way, but I do.

      For example, what if I, like, killed your mom, and then said, "It's okay, I'm amoral! Besides, I got paid for it"

      :)

    37. Re:Moral obligation? by juju2112 · · Score: 1
      Businesses are a member of the community, too. I'd expect them to behave as ethically and civilly as any person. With a business, I only have my words and money as tools to 'encourage better behavior.'

      What's funny is that they have the legal rights of people, but not the moral responsibility of people!


      But hey, it's okay. It's "just business".

  13. Let the onslaught begin! by FyRE666 · · Score: 2, Informative

    I can see them spending a lot of time in court issuing statements like that. Since the worm cost [insert random() x billion] dollars in lost business according to the press, litigation seems inevitable.

    It's more likely that their customers, since they must have some interest in security, had already installed firewalls and not left SQL server open to the entire internet though...

  14. Hmm.. by A.+Lynch · · Score: 1

    I'd have to agree with Michael.

    Even if a private security guard were working for someone, and he witnessed (or had a chance to prevent) a crime in progress, he would still be responsible.

    I think. But that's just my moral compass talking.

    1. Re:Hmm.. by Bastian · · Score: 4, Insightful

      I see two possibilities:

      1) It was done for hack value, not vandalism.

      2) With how many Windows computers there are out there, a simple worm has the ability to cause more than enough trouble.

      As for Slammer not having a payload, that's because it was designed to fit in a single 505-byte UDP packet. There wasn't room for a payload.

    2. Re:Hmm.. by Pxtl · · Score: 4, Interesting

      I've always noticed that too. The fact that there's never any large-scale loss really does encourage the idea that it's not your garden-variety blackhat. When I was a kid, your computer contracting a virus meant that you could kiss all your files goodbye. These days, it means your connection will be lagged and maybe some e-mail sent. All ILOVEYOU even did was delete some jpgs and mp3s. I'm surprised that none of these worms don't wait for an hour or two (for the computer to finish spreading) then wipe the machine or something - or maybe begin spewing the contents of the SQL database onto the 'net (heaven forbid credit card #'s be in there).

      I always say when something like this happens - at least the attacker wasn't going for raw damage.

    3. Re:Hmm.. by teridon · · Score: 1
      It's almost like these Microsoft-worms were designed to create panic and purchasing action, but no legalally actionable damage.

      Hey! These viruses are good for the economy!

      More seriously, perhaps they are meant to make MS look bad without seriously damaging anything (lost sales?), while drawing attention to the hacker skills of the author.

      --
      I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
    4. Re:Hmm.. by Anonymous Coward · · Score: 0

      It seems to me that the destructive part of the worms isn't any sort of payload, it's the fact that they begin a sort of DDOS attack on anything vulnerable to it. It doesn't damage systems as such, just makes them perform way below par.

    5. Re:Hmm.. by mthed · · Score: 1

      The "payload" of the slammer virus was a DOS attack on the local network of the afflicted machine. While very little destruction occurred at my office due to the virus, there was definitely a major outage caused until all instances of the virus could be contained. You don't think the money lost due to downtime and the extra man hours needed to remove the virus is "legalally [sic] actionable damage"?

      --
      "There's a madness to my method." -mthed
    6. Re:Hmm.. by ryanvm · · Score: 1

      I have wondered why a lot of these Microsoft-worms never seem to have a destructive payload.

      I've thought about this before. I think the reason is that, just like a real virus, it generally doesn't pay to debilitate your host. Dead hosts aren't going to spread the infection.

      Of course, it could work like AIDS. Where it could lie dormant until it's had time to infect many other machines, then kill the host. But then, the OS or antivirus vendor would surely discover it during its larval phase and write a tool to eradicate it before any damage is done.

      I would think the best payload would be one that's immediately destructive to the OS, but leaves the facilities necessary for transmission intact.

      Of course, this kind of speculation probably looks suspicious, so I'll shut up now. ; )

    7. Re:Hmm.. by ItWasThem · · Score: 1

      Or 3.)...
      MS is always complaining that sysadmins and corporations don't immediately go and lap up WindowsXP++ whatever, and the corporations push back, tell MS they've standardized on NT4, and won't budge for years. Well if there's no actionable damage (or traceability) caused by the virus, what have they got to lose?

      I'm not saying MS releases every virus on earth, but would you really be surprised if they slip one or two in the mix every couple years? Sure make it look like they don't have anything to gain, since the "upgrade" that fixes the issue the virus targets is free, except for in the case where it's a rolled up Service Pack with features X and Y along with bugfix.

      It'd be a great way to make sure your proprietary extensions work their ways into the cores of every business. Then when that business's developers are all sitting around looking for a solution, they remember "hey, all our systems run XP++SP3 and now they support X. Sure, it's an MS proprietary extension, but it's on -all- our servers and it'll work for us." And that's how the noose tightens...

      You just have to wonder sometimes...

    8. Re:Hmm.. by WNight · · Score: 1

      Slammer could have included a payload. Send the intrusion section ahead in a small UDP packet, have it contact its parent system and ask for the full executable after infection.

      Then, after your small payload virus has claimed millions of hosts, it switches to probing for more complex holes once it downloads the main executable. Scanning for more vulnerabilities, or with larger packets, slows you down so you don't want to do it as your first wave, but once you have a large base of operations you could scan the whole net in minutes. It could also try to penetrate firewalled segments. Perhaps by taking over web servers and using IE exploits, or getting people to download it. Or switch to being an email virus. Then once it detects being on a private segment it switches back to worm mode and hunts for more systems to infect.

    9. Re:Hmm.. by WNight · · Score: 1

      Not just data loss.. Almost every component in your computer has a flashable BIOS. Even HDs (at least IBM's) can be field upgraded. Once the virus finished infecting, and distributing your files, it could wipe the drive, install itself in the boot sector, and reboot. Once it's out of protected mode it can start flashing BIOSes, most equipment only uses the flash-ROM at boot so it'd keep running even after you'd sabotaged it. Then, start a low-level wipe of the drive and when that's done, up the CPU and RAM voltage as high as the board will go and overclock everything that can be software overclocked. (Video cards, CPUs, etc)

      It's all too easy. Nobody uses digital signing for bios upgrades (and if they do, it's the flashing program that checks, not the device itself, before accepting the upgrade).

      The question then is, if you want to spread confidential files as far as possible, what do you do with them to ensure they spread? Email them to random people? Post them on a newsgroup? Combine this with those kiddy-porn scanners. If you find illegal pictures, make sure you email them (from that person's account) to the authorities. Maybe email any large spread-sheets to the SEC just in case.

      We should think about these things. Ignoring them isn't going to keep them from happening, so we need to have an idea of what to do about it.

    10. Re:Hmm.. by Anonymous Coward · · Score: 0

      I really don't understand what the big deal is with Symantec. I mean, the FBI knew about this at 5AM PST. I know, because my company found an infected host, had a conversation with some of the deployers via an IRC server on that host, and then shut it down.

      No one had any idea that it would have been this big.

    11. Re:Hmm.. by roca · · Score: 1

      I always wonder why viruses and worms don't flash the BIOS with garbage.

    12. Re:Hmm.. by Bastian · · Score: 1

      Has anyone ever told you that you are one paranoid sunnuvabiscut?

    13. Re:Hmm.. by Anonymous Coward · · Score: 0
      ..... unless they had something to do with its release.

      The pattern is getting suspicious. Viruses today seem to be optimized for selling anti-virus software. They don't do much damage, they're easy to block, but they're annoying. This is consistent with some of the anti-virus software makers quietly encouraging a few tame hackers.

      Now that we know Enron manipulated the California energy market, this shouldn't surprise anybody. Anti-virus software is a huge industry, and it ought to be a tiny one. Hype, and viruses optimized to sell anti-virus software, have made it a multi-billion dollar business.

      There's a powerful synergy between the virus writers and the anti-virus software vendors. The connection is more than incidental.

    14. Re:Hmm.. by Quixadhal · · Score: 1

      Who told you that? Who did they work for??? :)

      Yeah, it's pretty paranoid to think that an unchecked monopoly, unable to innovate new products and desperate to maintain their market share in the face of slowly growing competition, would ever try to make continued upgrades look appealing by damaging customers of older products who seem reluctant to provide them with further revenue...

    15. Re:Hmm.. by Anonymous Coward · · Score: 0

      MAYBE because viruses cannot spread any further from a dead computer.

    16. Re:Hmm.. by thogard · · Score: 1

      In 1987 the virus companies used to pay $50 for each new virus you turned in. One of the guys that I shared an office with at the university computer lab used to turn in a few new ones every week and sometimes 5 or six in a day if he was low on cash.

  15. What?? by Anonymous Coward · · Score: 0

    I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected.

    Says who? You? They can do whatever they damn well please. If you have problems with anyone, take it up with Microsoft to fix their software. These bugs were known about for months.

    1. Re:What?? by Anonymous Coward · · Score: 0

      The patches have been available since July *nix-boy.

  16. How does this announcement gain Symantec? by Max+Romantschuk · · Score: 4, Interesting

    OK, I don't get it... How does Symantec going "We knew all about it but we didn't tell you" make Symantec look good in any way? I know I get annoyed when people behave like that... So anyone have a thought on exactly how this benefits Symantec?

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
    1. Re:How does this announcement gain Symantec? by Anonymous Coward · · Score: 0

      Easy... pay me $extra/month and I'll share these revelations with you.

      It is the extended virus protection plan. Call it a commercial, even though it seems to be in very poor taste.

    2. Re:How does this announcement gain Symantec? by Anonymous Coward · · Score: 0

      it makes them look like asses, they probably consider that a good thing

    3. Re:How does this announcement gain Symantec? by Azureflare · · Score: 1

      Now, people will realize "Oh, Symantec knows about major virus outbreaks in advance. There's nothing I can do about it, but with their assistance, I can avoid problems" So the corporation plops down money to be a "preferred" customer, and whenever Symantec knows the virus is going out, they tell them beforehand so they don't get caught by it. Basically, Symantec is saying "We know everything. Buy our products, to escape damnation." Sound familiar? One of the oldest strategies in the book.

    4. Re:How does this announcement gain Symantec? by stratjakt · · Score: 1

      CHUBB should be monitoring my house for free if they know that burglaries are on the rise in the area. Instead they sell their alarm systems and protection plans.

      Call it commercial, but it's very poor taste.

      --
      I don't need no instructions to know how to rock!!!!
    5. Re:How does this announcement gain Symantec? by IOnly.ForTheArticles · · Score: 1

      By not telling anyone, how many people rushed right out and bought antivirus software after their machines all crashed? It's all about the cashflow.

  17. Symantec should have told the public... by JWizard · · Score: 1

    ...but then would it have changed much considering that days later some servers were still unprotected against slammer ?

    1. Re:Symantec should have told the public... by Anonymous Coward · · Score: 0

      Yes. A twenty minute warning would have been used to fill out 1/2 of the 3 forms required for a help desk request. This way when the boss comes yelling, you can say I'm submitting the work request.

  18. PR stunt? by Anonymous Coward · · Score: 0

    Hmm...this sounds like a soon-to-fail PR stunt!

    Symantec: Oh we knew about this beforehand, but we let our select customers know. So if you don't want to get "slapped" (wink from oily salesman) next time, sign up for our services!
    Everyone else: @#$% you! Here's a bill for our downtime!

    Of course it's true that the SQL vulnerability has been around for a while (that's probably what they mean), but man, talk about a dumbass thing to say!

  19. Timezones? by remmy1978 · · Score: 5, Insightful

    From the article:

    "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."

    Accounting for timezone differences between EST and PST, would this not make the two times much closer to each other?

    1. Re:Timezones? by waldoj · · Score: 1

      Accounting for timezone differences between EST and PST, would this not make the two times much closer to each other?

      Uh...yeah, you're right. That's a one hour difference.

      Whoop-dee-freakin'-doo.

      -Waldo Jaquith

    2. Re:Timezones? by Gildogg · · Score: 1

      Exactly what I was going to post...9:00 p.m. PST is the same as 12:00 Midnight EST!

    3. Re:Timezones? by Anonymous Coward · · Score: 0

      eastern is -5 gmt and pacific is -8 gmt ..
      so this should read ..

      Most of the rest of the Internet didn't spot Slammer until shortly after Symantec.

      case closed, move on.

    4. Re:Timezones? by fname · · Score: 4, Insightful

      Yup. So, Symantec forgets about time zones and starts congratulating themselves for their good work. Wired forgets about time zones and reports on Symantec's irresponsible acts. A Slashdot reader breezes through the article and submits it, whilst forgetting about time zones. Slashdot editor, rushing to post the article, forgets about time zones and posts the news item.

      Shame on Symantec. Shame on Wired. Good thing we have the good folks at Slashdot to keep the news in perspective.

    5. Re:Timezones? by Geekboy(Wizard) · · Score: 1

      *whack* 3 hour difference. 9PM PST == midnight EST.

    6. Re:Timezones? by Speed+Racer · · Score: 2, Interesting

      Especially since the virus didn't even debut until 12:30 AM EST on 25 Jan, according to the article. Either everybody noticed it before it was actually released or the times listed in the article are FUBAR. Either way, the Symantec spokesman is full of doublespeak.

      --
      Free Mac Mini. Yes, I'm
    7. Re:Timezones? by Christianfreak · · Score: 1

      Hahaha, good observation. 12 a.m. in the east = 9 p.m. in the west, they found it the same time as everyone else.

      Makes you wonder if the spokesman is clueless or if they're counting on clueless PHBs to buy into this ridiculous claim.

    8. Re:Timezones? by waterford0069 · · Score: 1
      Uh... isn't that a 0 hour difference?

      PST -8 hours
      EST -5 hours

      Therefore 12am EST = 9pm PST

    9. Re:Timezones? by Xaleth+Nuada · · Score: 2, Insightful

      According to the article Slammer debuted "at 5:30 a.m. (UTC) Jan. 25 (9:30 p.m. PST, Jan. 24)"

      Symantec issued its warning at 9:00 pm PST, Jan. 24. So that means that not only did they know about Slammer a whole half hour before it was sent out, they put together a warning for their DeepSight Threat Management System subscribers.

      --

      I read Slashdot for the .sigs
    10. Re:Timezones? by sapgau · · Score: 1

      Both parent posters are right... there was nothing detected by Symantec in advance.

      Ooops! Case closed...End of discussion...Next Slashdot topic.

    11. Re:Timezones? by Xandar01 · · Score: 1

      Considering there was very little lead-time between Deep Sight's alert and the total saturation of infected machines, there are a lot of corporate weenies and beancounters out there trying to justify this expense.

      Norton is probably trying to release this press release not only to "get new business", but probably to also justify the expense of the program. Some corporate shmuck was standing in front of "the man" and he came up with these hours of notice to save his job.

      --
      Life moves pretty fast; if you don't stop and look around once in a while, you could miss it. -FB
    12. Re:Timezones? by GreyPoopon · · Score: 1
      Accounting for timezone differences between EST and PST, would this not make the two times much closer to each other?

      I'd say so. It also makes the folks at Symantec look like idiots. It sounds like their big customers only received a few extra minutes notice for their money. It also conjures up images of a little girl with Symantec across her shirt sticking out her tongue and saying. Nah nah nah nah nah nah. I found it 30 seconds before you did....

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    13. Re:Timezones? by Gildogg · · Score: 1

      What do you mean check my math...it is currently 12:20 p.m. in Ohio, I chat with my mother-in-law in California and it is currently 9:20 a.m. No math problem here!

    14. Re:Timezones? by Anonymous Coward · · Score: 0

      Do you need me to hold your hand? I'm not going to waste my time explaining it to a retard from Ohio.

    15. Re:Timezones? by Gildogg · · Score: 1

      Retard from Ohio? You tell me to check my math, when it is correct, and I'm a retard from Ohio? I'll have you know that this retard from Ohio happens to have an IQ of 185, SAT Score of 1536, and ACT Score of 29. This retard from Ohio probably has more intelligence than everyone in your family. So before you tell someone to check their math, and call them a Retard make sure you know your facts and know the person you are talking to.

    16. Re:Timezones? by Davorama · · Score: 2, Informative
      Which article were you reading? Here's what it's saying now.
      "Within 10 minutes of debuting at 5:30 a.m. (UTC) Jan. 25 (9:30 p.m. PST, Jan. 24), the worm was observed to have infected more than 75,000 vulnerable hosts," the researchers' report read in part. "Thousands of other hosts may also have been infected worldwide. The infected hosts spewed billions of copies of the worm into cyberspace, significantly slowing Internet traffic, and interfering with many business services that rely on the Internet."

      According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

      The first posts about Slammer appeared on major security discussion lists about an hour later, at roughly 1 a.m. PST, according to security consultant Ken Pfeil."

      --

      Davo -- Free speech, free software, AND free beer.

    17. Re:Timezones? by Anonymous Coward · · Score: 0

      I'll have you know that this retard from Ohio happens to have an IQ of 185, SAT Score of 1536, and ACT Score of 29.

      Ah- that explains why you are still a virgin. So that now makes you a retarded, lying virgin from Ohio.

    18. Re:Timezones? by Anonymous Coward · · Score: 0

      Hey, retard from Ohio, do you make it a habit of spouting off your fake test scores to anybody you meet? I've met people from Ohio and the most impressive thing they had was a smelly ass, a peach fuzz mustache, and an uncanny love of Christian Slater.

    19. Re:Timezones? by Anonymous Coward · · Score: 0

      Don't feed the trolls. Ignore them and they have no power.

  20. So? by fobbman · · Score: 5, Insightful

    Heck, Microsoft released a patch to fix this problem in June of 2002. Windows sysadmins had 6 months notice that it was a problem.

    I don't mean to sound like a troll or the least bit insensitive, but if the Windows sysadmins aren't keeping their servers patched then that's the sysadmin's fault. The finger of blame should be pointed right at the mirror. Keeping their servers updated and safe is their JOB, unless they have a security specialist, in which case it's their job.

    1. Re:So? by phil+reed · · Score: 4, Informative
      Have you even looked at those patches? Microsoft patches, especially in a system like SQLServer, have a tendency to break running code. So, you can't just fling it onto a production server. Further, the bug exists in a database component that gets installed with a whole lot of other Microsoft software (like Visio, a CAD-like program). And reading the "how to install this patch" instructions would scare off almost everybody -- it's not automated like Windows Update.


      Sorry, but installing patches is a non-trivial exercise.

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    2. Re:So? by stratjakt · · Score: 3, Insightful

      Yep.

      And plenty of unix admins still running insecure versions of apache, ftpd, and openssl.

      MSFT has no monopoly on laziness, perceived or real.

      A big part of it is the propellerheads releasing the MS-hotfixes or OS-patches don't realize that in an enterprise environment you don't always have the time to bounce a server, apply the patch, test, validate all code that was running prior to the patch.

      --
      I don't need no instructions to know how to rock!!!!
    3. Re:So? by Anonymous Coward · · Score: 1, Insightful

      windows sys admins are in an unfortunate position when it comes to patching, service packs, etc. it is not reasonable to blindly patch, since many times the patches wreak havoc on the systems. and with all the patches and such that microsoft releases, it's a really big time sink to even keep up.

      not to take away from the fact that admins SHOULD be paying attention, it is just really hard when it is difficult to trust MS that your patch is going to work, and not fsck up the system you are patching.

      just my $0.02

    4. Re:So? by haplo21112 · · Score: 1

      That's a load of crap, any decent company has a test integration lab (I know we do, I'm in the group that runs it). Patches do take time to test, a week or two, not 6 months...and once you have it tested there is a little thing called SMS from MS, it makes deployments like this a snap.

      --
      Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
    5. Re:So? by Matty_ · · Score: 3, Interesting

      I think we can pretty much assume that most informed administrators would patch the security hole on their systems.

      My guess is that the vast majority of Windows administrators do not subscribe to Microsoft's security advisories list and were not aware that they needed to fix a problem. This is probably due to sheer ignorance and/or lack of responsibility.

      Furthermore, tons of Windows servers are sitting out there which don't have anyone administrating them and keeping them up-to-date.

      A lot of small companies simply don't want to pay someone a service contract to maintain such things, but GOD FORBID they don't get to have their expensive Exchange/File/Print server.

    6. Re:So? by fobbman · · Score: 1

      A couple of responses to your post, if you don't mind:

      The sysadmin had six months to test the patch. SIX MONTHS. They had plenty of time to see whether it would screw up other code in the system. Heck, six months is plenty of time to let other front-runners test the patch and report any problems that they run into on newsgroups.

      Also, if they are not capable of reading the "how to install this patch" documentation then maybe they shouldn't be the admin on important servers like this. It is their job to know how to do this stuff.

    7. Re:So? by Anonymous Coward · · Score: 0
      This was the company position I saw circulating:

      [company] has a number of external sources that provide advance notice of potential system risks, where known, as well as alerts when attacks are discovered. These services monitor networks and work with application providers such as Microsoft and network vendors like Cisco, in an effort to identify and categorize these types of problems in advance if possible, and as problems are discovered. [company] subscribes to services from Symantec and iDefense, two of the leading network security vendors. We receive daily updates from these vendors as well as notices from other network providers like Cisco.

      It is not uncommon for us to install patches or make changes to the network based on information from these sources. However, there are many reported issues, notifications, and patches reported and it is common practice for us and other companies to not install the majority of these patches. Installation is not an automatic process due to the number of patches, related systems, and potential impact on the operation of the systems by installing the changes. It is our practice to install those patches that are deemed to have potential impact based on knowledge of our systems and applications, and recommendations from the external sources. Our desktop and data network steering committees and staff members evaluate the individual notices and make the recommendations for whether to make changes or not.


      Patches don't typically get applied by individual administrators when they come out, in our case. There is a layer of bureaucracy that monitors and controls the operating environment and they are slow and cautious about installing service packs and hotfixes until they have been evaluated and deemed critical or necessary.
    8. Re:So? by phil+reed · · Score: 1
      If it's so easy, why did Microsoft's internal network get hammered?

      In an ideal world, you're right.

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    9. Re:So? by phil+reed · · Score: 1
      The sysadmin had six months to test the patch. SIX MONTHS. They had plenty of time to see whether it would screw up other code in the system.

      True enough. Of course, if the patch did break running code, you'd then have to convince management to get out of the "if it's not broke, don't fix it" thinking rut. On a large site, 6 months might not be enough time at all. "You're going to pull programmers off the new project for this???"

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    10. Re:So? by Anonymous Coward · · Score: 0

      Actually all of Bush's business ventures were failures, anyone with a rich pappy can go to Harvard, and well we all know the election problem.

      Nice try fascist.

    11. Re:So? by ichimunki · · Score: 2, Insightful

      Yeah so? That's why these people are getting paid to administer these machines, right? If the patch was issued in June 2002, I'd say six months is adequate time to test it and move it into production. Or, if six months isn't enough time, maybe these folks should investigate alternative solutions that don't have such severe problems when it comes to security updates. The fact that they chose a lousy product from an incompetent vendor sounds like a pretty lame excuse for continuing to operate an insecure server to me.

      --
      I do not have a signature
    12. Re:So? by Anonymous Coward · · Score: 0

      Actually all of Bush's business ventures were failures

      You mean like raising the money to buy a professional baseball team, and managing the team successfully for 5 years until he was elected Governor? That couldn't be that big of a failure- the Texas Rangers ARE still around and very much profitable.

      anyone with a rich pappy can go to harvard

      I think Harvard would disagree.

      and well we all know the election problem.

      And what would the 'election problem' be? The only problem I see is you crying because the person that you wanted to win lost.

      Nice try fascist.

      Where did fascism come into this?

    13. Re:So? by spells · · Score: 1

      Even scarier (to me) than not applying the patch for six months is explaining why the tcp port was open to the internet in the first place. If the machine was properly configured, the patch wouldn't have even been necessary (to prevent this exploit).

    14. Re:So? by workindev · · Score: 0, Offtopic

      Can you please explain how turning a $600k investment in the Texas Rangers into $15 Million is a failure?

    15. Re:So? by Anonymous Coward · · Score: 0

      Hmmm. That doesn't add up. Bush himself admitted that he was a C student. If he was so lucky to have a rich daddy to buy his grades, don't you think that George Senior would have at least sprung for an A, or at the very least a B?

      $XXXXXX from daddy
      Actually, Bush did get $20k from his daddy in the 1970's, but that money was gone when his oil drilling company failed. Daddy didn't give him any more after that.

    16. Re:So? by Anonymous Coward · · Score: 0

      Of course it doesnt add up- this Gildogg has shown a history of mental incapacity.

      http://slashdot.org/comments.pl?sid=53847&cid=5302776

    17. Re:So? by Masem · · Score: 1
      I'd argue that there's a subtle difference between Windows and *nix admins. You definitely cannot deny that laziness exists in both camps, however:

      With Windows, important updates are typically announced broadly, and/or make use of the MSN Messenger service. Thus, to know that an update to Windows or other MS product exists, you just sit and watch the news (aka PASSIVE or REACTIVE).

      With *nix, a lot of updates aren't necessarily broadcast fully save for the ones with the most dire consequences. Instead, it's easier to follow Bugtraq discussions or your distro's security mailing list to see what's insecure and what's patched. Which means that you have to actually sign up and deal with the mail that comes through these mailing lists, thus requiring action on the end of the *nix admin (aka ACTIVE).

      Now, this is not to say that mailing lists don't exist for Windows, nor that there aren't those admins that wait until it's news at Slashdot then patch, but I'd figure there's more of the REACTIVE type admins for Windows, and more ACTIVE types for Unix simply due to the nature of how those OSes operate and the general attitude towards them. And of course, the REACTIVE type of admin person will generally be the one to let security holes remain until the situation worsens, as appears to be what happened with Slapper.

      Thus, while fingers of blame are continually pointed around, they should fall squarely on the shoulders of those REACTIVE system admin types instead of on Symantec or on Microsoft or anyone else. A patch was out by Microsoft 6 months ago, and it fixed the problem. It should not have been an issue whether to patch or not; yes, it wouldn't have been an instant patch (as suggested, you'd patch a mirror of the enterprise server and make sure code works without question before patching the production ones), but it's reasonable to expect that you could verify the patch works and make changes within 6 months.

      --
      "Pinky, you've left the lens cap of your mind on again." - P&TB
      "I can see my house from here!" - ST:
    18. Re:So? by Anonymous Coward · · Score: 0

      He also forgets to mention what it is, exactly, that his "test group" would do if they found a patch did indeed break compatibility on their production server. Patch it anyway? More secure, also more problematic. Leave it unpatched? That's what started this whole conversation in the first place.

      It doesn't make a whole hell of a lot of difference if your company has a magical test group or not..if they try the patch and it doesn't work, or causes a lot of problems, there will still be a fairly lengthy delay while a solution for -those- problems is found. And during that time, yes, you can still be infected by viruses.

    19. Re:So? by KenSeymour · · Score: 1

      Another possibility is that the Windows System Admin set up the server, and applied all the patches.
      He or she was simply laid off 6 months ago.

      I once set up a stock RedHat 5.2 server running Apache on the Internet.
      When I quit, I don't think I was replaced (the server kept running).
      A few years later, I heard that the web site was defaced.

      --
      "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
    20. Re:So? by WNight · · Score: 2, Interesting

      If Microsoft was better at releasing bug fixes in small packages, so that you could keep your server doing exactly what it does now, but without a buffer overflow, people would update more often.

      Most admins are pretty trusting with Apache patches. Give them ten minutes of testing, mainly ensure you didn't overwrite something during the install, and you're ready to go live. MS patches are larger and unwieldy. MS software also tends to have more unpredictable interactions than unix software. As a consequence, Unix admins who patch at all, tend to trust updates and patch more quickly. Of course not everyone will patch, many people have toy webservers they don't really admin, but that's beyond the scope of this.

      Unix software also tends to be smaller and call other programs instead of doing everything in one executable. As long as the interface between the two works, you can keep your bug testing isolated to the segment you're patching. (Upgrade PHP, run PHP tests, not full webserver-and-CGI tests.)

      Don't forget that MS themselves weren't in full compliance with this patch. There's the ability to auto-install updates, but they didn't for some reason. You'd think their admins would be the best, that they'd know all the tricks.

    21. Re:So? by barc0001 · · Score: 1

      Must be nice to have a company that has the available money around to have both machines for simulating your live environment, the staff to run it every time Microsoft releases a security update, and simulate the real-world traffic your site gets. You guys all have Aeron chairs and beer on tap too?

      Oh, and don't even bring up SMS. That thing is the biggest steaming pile of crap I've ever seen.

    22. Re:So? by WNight · · Score: 1

      In a science course, or something requiring actual skill? Oh, no. A *business* degree. They give those out in a box of wheaties.

      And did he get rich from scratch by building a company or something? Oh, no again. His daddy essentially bankrolled his acquisitions and even with that his track record isn't good.

      Here's a tip. "Getting Wealthy" doesn't count when you start wealthy. It's pretty easy to invest and make money, making enough money to be able to invest (beyond retirement savings) is where the difficulty is. Bill Gates's success isn't as impressive as Jobs', Jobs having started out in a garage with Woz. Gates went to Harvard for free, and was bankrolled by his parents with a interest free loan.

      I'm not saying he's a moron, but it doesn't take much for a rich kid to get a degree from a university and "succeed" in business.

    23. Re:So? by Anonymous Coward · · Score: 0

      A *business* degree. They give those out in a box of wheaties.

      Yeah- its so easy to get an MBA from Harvard. So how many graduate degrees do you have from an Ivy League school?

      His daddy essentially bankrolled his acquisitions

      If you read his biography, you will see that he was not "bankrolled" by his dad. George Sr loaned him like $20k back in the 70's, and thats it. His most successful business endeavor (the Texas Rangers) had nothing to do with his father.

    24. Re:So? by haplo21112 · · Score: 1

      Actually, if we discover such a problem, and we frequently do, it's also our job to solve the problem...is it an internal app? Work with the internal developers of it to resolve the incompatibility. Or perhaps escalate back to MS, they do listen.

      --
      Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
    25. Re:So? by DASHSL0T · · Score: 1
      The problem is not that so many people didn't patch SQL server proper, but that SQL desktop edition (MSDE) was included and running on so many other products. I am a pretty good admin (I think) and I would have had my SQL servers patched (and firewalled properly), but I can almost guarantee that in an organization of any decent size, MSDE would have been running unpatched somewhere, on someone's desktop and I wouldn't have known it.

      Did you know all the products that use MSDE? Do you now?

      --
      Freedom Is Universal
      Linux-Universe
    26. Re:So? by estes_grover · · Score: 1

      Agreed. There is always the risk of applying a patch, hot-fix, SP and breaking one or more applications. Whenever something like Slammer gets hot, we see many posts stating that the Admins/DBAs are lazy and uninformed. If Admins/DBAs could work in a pure tech environment and the Slammers of the world *still* happened, there would be more validity to this claim. One problem in a larger shop is this (certainly not true in all cases): we don't work in a pure tech environment. We work in an env that is a *cost center*. We're often funded by operations and back office business lines that are also cost centers. We're two steps (at least) removed from the business lines that are profit centers. The real visible stuff (e.g., development) is what business sponsors get excited and upbeat about. They like to fund development (and other visible efforts). The invisible stuff like nitty-gritty systems admin is not well understood by funders and can be viewed as actually detracting from all that nice visible development work. Try selling your business sponsors on this idea: "We want a team of full time Admins/DBAs dedicated to nothing but security, patching, hot-fixes, service packs. Oh, and we'll also need a lab environment that has all the components of the production environment for applying said patches, hot-fixes and service packs. And we'll also need a full time team of Business Analysts, UAT and regression testers to ensure apps still work as expected after applying patches, hot-fixes and service packs. Give us all of this and we'll guarantee that all systems are current and secure." It's a tough sell ;-)

    27. Re:So? by Anonymous Coward · · Score: 0

      I eat wheaties. If I wore a black sweater and was gay, I could be successful like Jobs.

    28. Re:So? by Anonymous Coward · · Score: 0

      Why the hell are they allowing port 1433 through the firewall in the first place? I bet most that got hit had an sa password that was blank.

    29. Re:So? by HBI · · Score: 1

      Agreed 100% - this patch was a mess. I wrote a little installer for the thing but even then it wasn't something I was wanting to go to every desktop with data access components and apply.

      MS got out SP3 for SQL 2000 just before this - that was much better and that's when the global patching happened. At least it had an adequate installer.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    30. Re:So? by DJ+FirBee · · Score: 1

      //...and once you have it tested there is a little thing called SMS from MS it makes deployments like this snap.//

      This must be a troll, right? I have never seen a well working implementation of SMS and I have been a consultant to a few dozen Fortune 500 companies.

      Any company smart enough to have a well working, well staffed integration lab will have done enough TCO testing to generally go with Oracle on a *nix platform. Further, a larger company like that is almost always migrating from big blue iron to midrange stuff anyways.

      SMS .... *giggle* ....BUHAHAHAHAHA!! What trade garbage have you been reading?

    31. Re:So? by aaarrrgggh · · Score: 1

      Layoffs...

      I'm just curious what impact cost cutting and layoffs had on some of the companies, BofA in particular. Apparently the patch was ready to go, just never got installed. Did someone get laid off before they finished patching machines?

  21. Re:eh by Budgreen · · Score: 2, Insightful

    they start caring when they lose money..

    --
    The greatest right given is the right to be wrong...
  22. Gotta agree with the poster... by TopShelf · · Score: 4, Insightful

    This sounds like Wired trying to stir up a controversy from scratch. Besides, what would have been the impact of them posting a warning a few hours earlier? If an admin saw the notice before the widespread nature of Slammer was known, would they instantly apply patches that they hadn't already installed for one reason or another? I doubt it...

    --
    Stop by my site where I write about ERP systems & more
    1. Re:Gotta agree with the poster... by tundog · · Score: 1


      Anyone else remember back to when every other article on Slashdot WASN'T a Wired kick-back and the discussion was actually worth reading?

      --
      All your base are belong to us!
  23. Hmm.. by zulux · · Score: 5, Insightful

    ..... unless they had something to do with its release.

    I have wondered why a lot of these Microsoft-worms never seem to have a destructive payload. If you imagine a script-kiddie working hard in his mom's basement, you'd think he'd add a payload of some sort.

    (hell, if I had the inclination and the time to create a virus, I'd at least change the Windows startup .JPG to the 'gentleman who is affiliated with goats.')

    It's almost like these Microsoft-worms were designed to create panic and purchasing action, but no legally actionable damage.

    Just a rambling thought.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  24. Urban legend... by gmuslera · · Score: 1

    ... antivirus makers == virus makers. They create their own market.

    Seriously, could anyone have thought that a worm that spread between the very few non-firewalled SQL servers around the globe could cause such a problem? Even if they knew about the worm or some previous testing, I don't think they could have predicted what happened. It is easier to explain what happened than what could happen.

  25. very intriguing by greechneb · · Score: 2, Interesting

    Nothing better to increase your business like having something that scares potential customers.

    How many Windows users do you know who have virus protection software that came with their PC and has never been updated? They won't upgrade their virus software until they learn that it is necessary.

    When do they find out it is necessary? When someone hits the web with a massive worm/virus. If nothing massive happens for a while, I'm sure antivirus companies are losing money. What better way to spike sales than by creating panic?

    1. Re:very intriguing by Pxtl · · Score: 1

      Well, plus AV software runs out of time. My Norton AV had to be uninstalled because the resubscribe message was too annoying (and I'm careful enough to keep worms off of my PC - the only messages I ever got from Norton were about dangerous attachments I never opened anyways).

  26. This is just going to increase it. by Spazntwich · · Score: 1

    Many people are already suspicious the AV community is responsible for at least some of the more major virus outbreaks in the past. The shroud of secrecy they keep around their operations doesn't help matters any.

    A situation like this REALLY makes it look like they're responsible for it. Why would they go around parading the fact that they knew about a worm they only did a half-assed job of protecting people from?

    Seems kind of fishy.

  27. Awesome by rw2 · · Score: 1

    I love guilt by implication!

    "It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release."

    Kudos to you, michael, a masterpiece!

  28. Conspiracy Theory by SoVi3t · · Score: 1

    This may end up being another conspiracy theory, invented by the overworked imagination of sceptical geeks that don't trust virus protection software. Or it could be true, and Symantec just wanted to boost virus protection sales, and profits, by releasing a virus that would scare the entire internet community.

    --
    Defender of Microsoft and Communism!!!
    1. Re:Conspiracy Theory by presearch · · Score: 4, Funny
      Thinking that Symantec would release a virus for increased profits is absurd.

      That would be like having the US selling WMD technology to other countries and then invading them later for having it. What responsibly sane organization would do that?

    2. Re:Conspiracy Theory by curtisk · · Score: 1
      That would be like having the US selling WMD technology to other countries and then invading them later for having it. What responsibly sane organization would do that?

      LOL you should have had a SARCASM tag on that line. LMAO

      --

      Sehr geehrter Toilettenbenutzer!

    3. Re:Conspiracy Theory by Anonymous Coward · · Score: 0

      Clinton swore it was only for energy producing nuclear plants (and intercontinental ballistic fireworks shows)

  29. It's not that easy. by BoomerSooner · · Score: 3, Interesting

    I fix a lot of systems (Windows based) and the difference is you can actually run software without being root in UNIX. I would bet over 1/2 the software out there won't run on Windows unless you have admin rights. A girl's computer I had to repair (for the 3rd fscking time) has this POS Cattery software (Delphi, give me a break) and it cannot connect to its JDataStore since her user doesn't have admin rights. So I'm screwed, I have to give her rights for that and about 6 other programs that won't run. I cannot believe the piss poor planning (any planning MS?) that went into Windows.

    MS Linux like OS X would be good. Windows isn't that bad of a UI it's just a piss poor backend that causes problems.

    1. Re:It's not that easy. by Anonymous Coward · · Score: 0
      So I'm screwed, I have to give her rights for that and about 6 other programs that won't run. I cannot believe the piss poor planning (any planning MS?) that went into Windows.

      Aren't there sudo-like privs in MS? Like, "run command as different user"?

    2. Re:It's not that easy. by Anonymous Coward · · Score: 0

      sorry, that's piss poor application programming.

      mmc and the group policy snap-in. learn about it.

    3. Re:It's not that easy. by haplo21112 · · Score: 3, Informative

      actually thats the programmers fault not MS the programmers of windows programs being lazy assaholes are the reason that so many programs require admin rights to run properly.
      I've written tons of windows software at work and not a bit of it requires anything beyond user rights.

      --
      Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
    4. Re:It's not that easy. by Jaysyn · · Score: 1

      Can you just give her account write access to the Registry Keys Delphi (and the other programs) use? Or is it something else jamming the works?

      That's what we do with AutoCad here.

      Jaysyn

      --
      There is a war going on for your mind.
    5. Re:It's not that easy. by cheezedawg · · Score: 5, Insightful

      So Borland Delphi and 6 other applications won't run without admin rights, and somehow that is Microsoft's fault? Why not blame Borland?

      --
      "The defense of freedom requires the advance of freedom" - George W Bush
    6. Re:It's not that easy. by fitten · · Score: 2, Insightful

      As others have said, it is the app's problem. DLL Hell was primarily the app's problem too. Lazy programmers who don't know how security (in permissions) and/or path (for DLL Hell) work.

      I could write an app on a Un*x/Linux box that would behave similarly if I wanted. In fact, I know lots of programs that won't execute unless you are root and they are intended to be that way - not just through file permissions but through userid checks. Windows doesn't have the corner on the market there.

    7. Re:It's not that easy. by stratjakt · · Score: 0

      >> MS the programmers of windows programs being lazy assaholes

      Why does tripe like this get +5 informative?

      Oh yeah, it's insulting MS employees.

      Lets burn some karma.

      I'll see your "Lazy assaholes", and raise you 2 "stupid fat smelly communist OS programmers"

      --
      I don't need no instructions to know how to rock!!!!
    8. Re:It's not that easy. by SparkyUK · · Score: 0

      >>(Delphi, give me a break)

      Troll.

    9. Re:It's not that easy. by Gildogg · · Score: 1

      No, it's not Borland's fault, it's MS's fault because they aren't giving programmers enough access to the OS code to properly develop secure and stable programs. If there were more access to the source code then there would be less need for Administrator access in the programs.

    10. Re:It's not that easy. by ElGuapoGolf · · Score: 1

      Seriously...

      Give me Delphi over VB any day.

    11. Re:It's not that easy. by EvilBudMan · · Score: 1

      --MS Linux like OS X would be good.--

      They (M$) are already using BSD code. Just how much is not clear.

    12. Re:It's not that easy. by diryn · · Score: 0

      It can be MS's fault. They need to stop doing factory-line programming. They need better inter-org communications, instead of having some programmers write the same line of code over, and pass it on to the next programmer.

      --
      Reductio Ad Adsurdium David
    13. Re:It's not that easy. by Quazion · · Score: 1

      It is the fault of the MS programmers in the end; since Win95 didn't have a security model, it didn't matter where you wrote a file or changed a registry entry.

      But since NT things are different. Now you can't just tweak the settings and write files in the Windows system folder, which loads of programs do. We have created a sort of MSI package here at my work for about 100 programs; nearly half want to change/create admin-only keys in HKEY_LOCAL_MACHINE or want to create a temp file in c:\winnt\. This attitude was created, I think, because of MS, since they did the same some years ago. They had to change; now the world has to follow as they have followed before.

      But users just run as admin and don't ask software companies to change the software; IT departments find repackaging with rights on certain files and registry entries easier than forcing software developers to fix the problem.

      Symantec for example sells WinFax Pro as Win2k compliant. Yeah, if you're admin, of course.... It took us about a week to get it working with a user account, without too many security breaches to the file system and registry. Every time we thought we got it all, another key needs to change, and if not, crash ;-)

      So yeah, it's the programmers' fault for not following the guidelines, but it's MS's fault for giving a bad example.

    14. Re:It's not that easy. by Anonymous Coward · · Score: 0

      If you need the OS source code in order to develop a 'secure and stable program', then perhaps it's time you went back to your programming classes at the community college.

    15. Re:It's not that easy. by Lumpy · · Score: 1

      A girl's computer I had to repair (for the 3rd fscking time) has this POS Cattery software (Delphi, give me a break) and it cannot connect to its JDataStore since her user doesn't have admin rights. So I'm screwed, I have to give her rights for that and about 6 other programs that won't run. I cannot believe the piss poor planning (any planning MS?) that went into Windows.


      No it's the piss poor programmers that wrote the apps you are fighting with.

      Be sure to let management know that these apps are HUGE security holes.... Cover your Arse.

      I blocked one app coming in my office when the company's installers/trainers came to help me install their product. They said the users must be added to the admin group. I said no way. It's not going to happen.

      After pointing out the corporate IT policies and telling my boss that I'll gladly do it if he signs a letter stating that he is ordering me to violate company policies.... We now use a different company's program that is NOT insecure.

      If a program NEEDS admin rights to run and it is a general users' program... it is written by complete morons and needs to be blackballed and not let in a company's doors.

      --
      Do not look at laser with remaining good eye.
    16. Re:It's not that easy. by dr_db · · Score: 2, Informative

      Amazingly enough, Delphi 6 runs just fine on my machine without admin rights.

    17. Re:It's not that easy. by Cutriss · · Score: 2, Interesting

      Microsoft's own programmers don't follow the schema properly, though. Flight Simulator 2000 won't run properly unless you're using an Administrator-class user. Power Users need not apply. I used to do add-on development for FS2K, so I know this for a fact.

      --
      "Mod, mod, mod...and another troll bites the dust."
    18. Re:It's not that easy. by FuzzyBad-Mofo · · Score: 1

      Can you write CDs now on XP without being Administrator? Because when I used to run win2k, I tried to do things the "right" way, but eventually had to give my user Admin rights in order to burn CDs (among other things).

    19. Re:It's not that easy. by Spunk · · Score: 1

      Christ, dude. Learn to spell. While you're at it, learn punctuation. It's painful to read posts like this. Think of English as a programming language and take care with your syntax.

    20. Re:It's not that easy. by Fulcrum+of+Evil · · Score: 1

      There are very few reasons why you'd need root to anything on a Windows box other than poor design - things like writing temp files to improper locations

      This shouldn't even be an issue - on win2k, the TEMP and TMP environment variables point to my private temp directory. Hardcoding C:\winnt\temp is just lazy.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    21. Re:It's not that easy. by Karrots · · Score: 1

      I know if you are using Nero and W2K you can use Nero's BurnRights utility. This utility creates a group which you can put those whom you wish to have burn rights or for that matter you can give everyone burn rights. I don't have personal experience with XP but Ahead's site said that XP has the problem also.

      karrots

    22. Re:It's not that easy. by Anonymous Coward · · Score: 0
      Don't blame Microsoft for this.

      Blame the H1-B visa program.

      Companies hire cheapo programmers (or should I say "ploglammels") to write software, and these folks take the lazy way out and don't test on anything other than their own developement accounts where they run as "Administrator".

    23. Re:It's not that easy. by Anonymous Coward · · Score: 2, Informative

      Delphi 5+ all run fine without Admin rights, although they must be installed by someone with those rights.

      One does have to do some jiggering to get the debugger to work without Admin rights, but go figure -- you don't want just any user to have the ability to hook a random process, peek into its every detail, and have the ability to modify its contents.

      Now, software like Nero needing special rights for users in order to work is just bad design.

    24. Re:It's not that easy. by slaker · · Score: 1

      Yes, there are. Hold down shift and right-click to "Run As". Unfortunately that doesn't work for everything, so for example I can't change the system time on my 2000 machine at work unless I log out of my "User" account and log in with my admin account (yes, I know I can fix that one easily, but I live with all the same restrictions as my users).
      There are lots of similar examples out there. The NT-ish system just doesn't work as well as sudo.

      --
      -- I wanna decide who lives and who dies - Crow T. Robot, MST3K
    25. Re:It's not that easy. by Lumpy · · Score: 1

      yes you can. you have to use a good burning program..

      Nero upon install lets you choose what users can use the service that does the burning.

      --
      Do not look at laser with remaining good eye.
    26. Re:It's not that easy. by FuzzyBad-Mofo · · Score: 1

      Thanks, that's good to know. This was with Nero, by the way. I think I looked at their BurnRights thing but maybe it didn't support win2k at the time?

      Ah, well. Now I use X-CD-Roast for my cdr needs anyway. :)

    27. Re:It's not that easy. by etcpasswd · · Score: 1

      Are you telling me that one should READ the whole freaking code of OS to write some simple application? Sloppy applications are a result of sloppy programmers, who would do no better, open source or no.

    28. Re:It's not that easy. by russellh · · Score: 1
      I could write an app on a Un*x/Linux box that would behave similarly if I wanted. In fact, I know lots of programs that won't execute unless you are root and they are intended to be that way - not just through file permissions but through userid checks.

      You do, huh? Well, news to you: Unix has been an actual multiuser system since (time_t)0

      --
      must... stay... awake...
  30. Time of discovery by vwp · · Score: 2, Informative

    From the article: Symantec issued an alert ... at approximately 9 p.m. PST on Friday, Jan. 24. and Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.

    Aren't these the same time once timezones are factored in?

  31. Ummm.... by Ummagumma · · Score: 1

    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release.

    Taking off the tin-foil hat for a bit, it's totally plausible that they were notified in advance, from numerous sources - a guilty programmer, etc. I would find it hard to believe that they would have anything to do with the release of such a worm.

    As for the question about whether or not they had some 'moral obligation' to the rest of the world to let us know what was coming - they don't. They exist to make money. If they did know in advance, as a customer I'm going to be pissed, but if you don't purchase their products, you have nothing to say.

    I'd like to think that if they know what havoc this could spread, they would tell the world in advance, but that's not the reality of today's marketplace.

    --
    "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
  32. So? by seanmcelroy · · Score: 1

    Honestly, even if they had, what good could the advance notification have done? Surely in a few hours not even 5% of all vulnerable systems would be patched, so the point is fairly moot, I believe.

    --
    Be very, very careful what you put into that head, because you will never, ever get it out. -Thomas Cardinal Wolsey
  33. 9PM PST == 12AM EST by kaosmunkee · · Score: 5, Insightful
    From the article...
    According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.
    So explain to me again how they knew about it before anyone else? -kaos
    1. Re:9PM PST == 12AM EST by XO · · Score: 1

      I'd just like to point out that it was more along the lines of 5AM EST that Slammer was really hammering the world. Not 12AM EST.

      If it had been 12AM EST, would anyone in the U.S. have even noticed it? Probably not, since it was mostly taken care of by the time I woke up at 11AM EST.

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
    2. Re:9PM PST == 12AM EST by ryanr · · Score: 1

      According to Caida at:
      http://www.caida.org/analysis/security/sapphire/

      "The worm (also called Slammer, SQLSlammer, W32.Slammer) began at almost exactly 5:30 AM (UTC) on Saturday January 25th and spread by infecting copies of Microsoft SQL Server and MSDE 2000 (Microsoft SQL Server Desktop Engine) that were exposed to the Internet."

      Which (I think) would be 12:30 AM Eastern. 9:30 Pacific, the night before.

      They show 74K infected hosts within 30 minutes of that time.

    3. Re:9PM PST == 12AM EST by t_aug · · Score: 1

      Wrong. My school probably had a few vulnerable SQL servers because our connection was hit bad. Past 12:25am EST I couldn't even load a webpage.

    4. Re:9PM PST == 12AM EST by Anonymous Coward · · Score: 0

      At least my local ISP was up and noticed the spike in traffic around 3AM. They promptly blocked off the packets that were creating such a mess. Quite smashingly good service.

    5. Re:9PM PST == 12AM EST by XO · · Score: 1

      hmm. fair enough. I guess I never noticed that all the reports said 5am UTC, and just assumed they were EST. oopsie!

      Still, when I woke up, most of the world was back to normal except for some internal networks that were crashed to halts. Though I think most of the problems that I had with issues were when dealing with corporations who had taken themselves completely offline to avoid being hit harder (at least, that's what one of the companies i work with did.. i think the other one probably uses MS SQL internally and got their internal network fairly well destroyed, since they don't have competent people at ANY level that i've ever met, so i doubt sysadmins are any better)

      --
      "Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
  34. Re:eh by Anonymous Coward · · Score: 0


    loose = your mom

    lose = to deprive, less of

    if USA spelling is an indicator, wont be long now

  35. Would it have mattered? by mgs1000 · · Score: 1, Interesting

    If Symantec had released a warning, would it have made much difference? How many months did the nimda and code red viruses stay with us because people didn't bother updating their software? I even doubt Microsoft would have had a bug fix out in time.

    1. Re:Would it have mattered? by WoodSmoke · · Score: 3, Informative
      I even doubt Microsoft would have had a bug fix out in time.

      The fix was in place 6 months before the Worm came out.

      WoodSmoke

    2. Re:Would it have mattered? by mgs1000 · · Score: 1

      Hehe, maybe I should have read more about the worm before posting. But it kinda reinforces my first argument, that system admins don't bother installing bug fixes.

    3. Re:Would it have mattered? by keiferb · · Score: 1

      > How many months did the nimda and code red viruses stay with us because people didn't bother updating their software.

      Not sure... I'll tell you when they've actually gone away.

  36. Agreed by Adam9 · · Score: 5, Insightful

    I don't see why people expect companies to donate information that costs them to find. They could've used this info in two ways, the way I see it. First, is to share it to their corporate customers who pay to have this kind of early warning. Second, release it to the media, CERT, and other organizations and make sure they "advertise" that Symantec found it first.

    So they chose the first. Big deal. Do you really think even a majority of these sysadmins would have firewalled their MS SQL server hours before it would be infected? Doubtful. If they didn't apply the patch from July of '02, then they're not going to immediately respond in a few hours to patch an impending threat.

    1. Re:Agreed by Anonymous Coward · · Score: 0

      Heh. Are you aware that they get their info from volunteers on the Internet?

    2. Re:Agreed by enjo13 · · Score: 3, Insightful

      Let me use an extreme example..

      Let's say you run a business cleaning up crime scenes (Such businesses really do exist). You find out, hours before, that someone is going to walk into a mall and just open fire. Do you A) Tell your friends not to go to the mall, and make sure that you just happen to be around before the massacre occurs? or B) do you call the police?

      Go with option A and you are an accessory to the crime and you go to jail. Even IF it was good for business.

      The same thing occurred here. If in fact Symantec KNEW about the transmission of a crime before it occurred, then they most likely broke the law by not contacting the proper authorities. Would it have prevented Slammer? Nah.. but it doesn't change the fact that YES they are completely required to share this information. The issue of morality is irrelevant, this is an issue of law.

      --
      Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
    3. Re:Agreed by Cutriss · · Score: 1

      So they chose the first. Big deal. Do you really think even a majority of these sysadmins would have firewalled their MS SQL server hours before it would be infected? Doubtful. If they didn't apply the patch from July of '02, then they're not going to immediately respond in a few hours to patch an impending threat.

      First off, as has already been stated, installing the patch from July '02 is irrelevant, since MS later released a patch in October which re-opened the hole.

      Second off, considering that the companies in the Deep Sight program are paying many thousands of dollars to Symantec for first-watch notice, I think it's reasonable to say that they're *remotely* interested in keeping their systems secure.

      Third, this worm affected people that weren't running MSSQL - Thousands of systems got packets hitting on the system query port. If you were a second- or top-tier ISP, don't you think it'd pay for you to know as soon as possible that you might want to consider a temporary blocking on that port on all your routers in specific subnets (like your home customers, for instance)?

      --
      "Mod, mod, mod...and another troll bites the dust."
    4. Re:Agreed by error0x100 · · Score: 1

      I don't see why people expect companies to donate information that costs them to find

      OK, right. So if I find a major security exploit in Symantec's antivirus products, I now don't see why I should be expected to provide that information to them. It was my manhours that were used to find the exploit. Heck, according to your reasoning, I even have a right to sell this information to, say, Symantec's competitors. That's "my right", see, to "make money".

      Apparently these days the "right" to make money trumps just about everything else in American society.

    5. Re:Agreed by LiNT_ · · Score: 1
      I think you're totally misunderstanding the situation.

      Working for an MSSP, a major competitor of Symantec, let me share some insight. Let's say we're monitoring the standard deviation of hits to certain ports and all of a sudden we see 10x more traffic than usual. Less than 5 minutes later we're seeing 100 or 1000x the usual traffic. Step one, protect our customers. End of story. You don't have time to fire off an email to incidents@securityfocus.com, you do everything you can to figure out what is attacking you and who of your customers is vulnerable.

      Can you imagine how much business an MSSP would lose if they fired off an incident report to major mailing lists at 11:15 and one of their customers got hacked at 11:20? From the customer's perspective that's total negligence. We knew about the attack and we even released an advisory but we couldn't protect you, sorry.

      It's great to fire off a notice to incidents@, it shows the company is proactive and noticed the attack quickly. Something important to customers looking to get managed security services. One of the prime selling points of an MSSP is that we, by monitoring many customers, can notice trends and attacks quicker than you could by yourself.
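The per-port baseline monitoring described in the comment above, as an added example that is not part of the original post or any vendor's code: a rolling mean and standard deviation per destination port, with an alert when a minute's hit count sits far above that baseline. The sample counts, thresholds and function name are constructed for illustration.

```python
"""Rolling-baseline spike detection on per-port hit counts (added example)."""
from collections import defaultdict, deque
from statistics import fmean, pstdev

# Constructed sample data: hits per minute seen by a hypothetical sensor.
# UDP/1434 (SQL Server Resolution Service) is the port Slammer probed;
# port 80 is included as a busy but normal port that must not alert.
HITS_1434 = [9, 11, 10, 12, 8, 10, 11, 9, 10, 10, 100, 1000, 10000]
HITS_80 = [500, 520, 480, 510, 495, 505, 515, 490, 500, 510, 530, 505, 498]
SAMPLE = []
for minute, (h1434, h80) in enumerate(zip(HITS_1434, HITS_80)):
    SAMPLE.append((minute, 1434, h1434))
    SAMPLE.append((minute, 80, h80))


def detect_spikes(samples, window=10, min_history=5,
                  z_threshold=4.0, sigma_floor=1.0):
    """Return alerts for (minute, port, hits) samples that break the baseline.

    window       -- number of recent normal minutes kept per port
    min_history  -- minutes required before a port is scored at all
    z_threshold  -- standard deviations above the mean that trigger an alert
    sigma_floor  -- lower bound on sigma so a perfectly flat baseline
                    does not turn every +1 into an alert
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for minute, port, hits in samples:
        baseline = history[port]
        if len(baseline) >= min_history:
            mu = fmean(baseline)
            sigma = max(pstdev(baseline), sigma_floor)
            z = (hits - mu) / sigma
            if z >= z_threshold:
                alerts.append({
                    "minute": minute,
                    "port": port,
                    "hits": hits,
                    "baseline": round(mu, 1),
                    "z": round(z, 1),
                    # Multiple of normal traffic, the "10x / 100x" figure.
                    "ratio": round(hits / mu, 1) if mu else float("inf"),
                })
                # Do not learn from alerting minutes: otherwise the worm's
                # own traffic becomes the new "normal" within one window.
                continue
        baseline.append(hits)
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE):
        print("minute {minute:>2} port {port}: {hits} hits, "
              "{ratio}x baseline (z={z})".format(**alert))
```

Keeping alerting minutes out of the baseline is the design choice that matters for a worm doubling every few seconds: a detector that averages the spike in stops alerting while the outbreak is still growing.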

    6. Re:Agreed by Anonymous Coward · · Score: 0

      Your analogy is meaningless. Comparing someone going into a crowded mall to open fire is nothing compared to a virus/worm spreading itself on the Internet. As others have suggested, it costs them MONEY to research these things and they provide a service to reveal what they research. And also as even others have suggested, this worm spread itself due to a bug in software that was fixed months ago. And finally, the chance that maybe the worm ended up not spreading itself throughout the Internet like it did. I'm sure Symantec wouldn't want to affect their credibility if the worm suddenly stopped somewhere along the way through the Internet. But it all goes back to them providing a service that relates to their research. They might not have said "SLAMMER IS GOING EVERYWHERE" in their alerts to customers, but rather mentioned the possibility. I would like to see an article with them saying "Slammer might possibly spread", and if it ended up 1) not doing anything, or 2) ravaging the Internet like it did.. you would probably still have /.'ers flaming them either way.

    7. Re:Agreed by kasperd · · Score: 1

      Less than 5 minutes later we're seeing 100 or 1000x the usual traffic.

      But that is not the way it happened, they say, they knew about it before.

      --

      Do you care about the security of your wireless mouse?
  37. Moral responsability is bollocks by Akardam · · Score: 4, Informative

    At least from a "We're a company, we exist to make money" standpoint. Symantec maintains that privileged list precisely so they can make money - they offer a "tell you before I tell anyone else" service, and people are obviously willing to pay for that.

    Besides, I highly doubt Symantec is the cause of slammer, and because of that, they don't have any moral obligation to let anybody know about it. On top of that, we're talking about a matter of hours, not days or weeks. They probably told their clients "Uh, we think something's coming, so watch out". I highly doubt they would have had specifics.

    Not trying to flame here or anything, but let's be a little realistic. If anyone's to blame, it should be Microsoft, for releasing the buggy program in the first place, or the sysadmins for not applying the patches, yadda yadda yadda.

    1. Re:Moral responsability is bollocks by Thing+1 · · Score: 1
      They probably told their clients "Uh, we think something's coming, so watch out". I highly doubt they would have had specifics.

      Any subscribers to that service here? Care to post the notice that they sent out? That way we'd know for sure what the specifics were, if any...

      --
      I feel fantastic, and I'm still alive.
    2. Re:Moral responsability is bollocks by localman · · Score: 1

      As has been pointed out time and time again in this thread: releasing the virus was a felony. Witnesses to a felony are obligated by law to report said acts. Symantec broke the law. Morality has nothing to do with it.

      Not that they'll ever get punished - our society is so proud of its moral relativism that we've come to appreciate corporations treating us like garbage even if the same actions would get an individual thrown in jail.

      Cheers

  38. I'm with you. by Anonymous Coward · · Score: 0

    Here's my letter notifying Symantec of my boycott:

    Dear Sirs:

    Because of your foreknowledge of the Slammer worm and your lack of notifying the public, I will no longer use Symantec products.

    No longer will I visit warez sites in order to get the latest Symantec product.

    Sincerely,

    AC

  39. SO name the next worm the "symantec worm" by Unknown+Poltroon · · Score: 1

    Since they seem to be encouraging the spread of this one, they deserve the recognition.

    --
    All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
  40. Fools by YrWrstNtmr · · Score: 1

    A) How did they know about it "hours before" anyone else did? Even before it went active.
    Things that make you go hmmm...

    B) They missed out on a prime opportunity. "HEY! There's a nasty thing happening in a few hours. Get your fix HERE before you lose all the company data!" (And you can't say we didn't warn you)
    Even if you blew it off and didn't apply the fix from them, you might look on them as being far more reliable. They predicted (knew) AND provided the fix beforehand. Next time, you just might go with them. "Hey...those guys were right!"

    Now, it just makes them look like assholes. "Yes, we know there's a major attack coming, but we're not going to tell anyone except our more solvent customers. Everyone else can go screw themselves"

  41. Unix is inherently better. by BoomerSooner · · Score: 1

    If they start from scratch I would bet they could create a viable product. No system is immune, however UNIX has 25+ years of testing while Windows releases are so frequent there is little time for hardening.

    That being said it would (I agree with you) require a significant shift in the marketing driven approach of MS. Betting on either is a waste of time however since it will never happen. On the off chance it does MS would have to change their approach so I think it would work.

    1. Re:Unix is inherently better. by entrylevel · · Score: 2, Insightful

      No system is immune, however UNIX has 25+ years of testing while Windows releases are so frequent there is little time for hardening.

      <Homer Simpson>
      I agree with you! In theory.
      Communism works! In theory.
      </Homer Simpson>

      You are comparing the amount of time that UNIX (a common name for a wide number of totally different and constantly changing operating systems with different kernels, tools, applications, and philosophies) has been tested to the release schedule of Windows (which is a product sold by a single company, generally released once every 1-2 years and patched just as frequently as any UNIX system that actually has a wide variety of useful software installed) and making a judgement on security. You know what? My television gets more miles to the gallon than the amount of electricity my grapefruit uses.

      I agree with your subject line, but your content makes no sense. Then again, any old install script on UNIX can make anything setuid root, world-writeable, and world-executable, if you run it as root. The only way UNIX is more secure is if you read every line of code and every line of every script you run as root, and do everything else in a chroot-jailed sandbox. To be quite honest, that kinda thing would greatly decrease my productivity in any operating system, so I just back up my stuff frequently.

      --
      Karma: Incomprehensible (Mostly affected by posting at +5, reading at -1, and metamoderating everything unfair.)
    2. Re:Unix is inherently better. by Cyno · · Score: 1

      The only way UNIX is more secure is if you read every line of code and every line of every script you run as root, and do everything else in a chroot-jailed sandbox.

      But at least with Linux you have this option. With windows you are at the mercy of Microsoft. And lately it appears as if they haven't been doing their job.

  42. Occam's Razor by Hershmire · · Score: 1

    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release.

    Or they're lying to get business.

    --
    if(!toilet_paper) roll.replace(new roll); //Stupid roommates.
  43. Some authors of viruses by Anonymous Coward · · Score: 0

    Tell the AV community in advance as bragging rights. Duh! What is so hard about this concept.

  44. PST vs. EST by shawn.fox · · Score: 3, Insightful
    From the article:

    Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24." Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.

    For those of you who don't know the difference, EST is 3 hours ahead of PST. Thus DeepSight identified Slammer at about the same time as the 'rest of the Internet'
    1. Re:PST vs. EST by usrerco · · Score: 1
      For those of you who don't know the difference, EST is 3 hours ahead of PST. Thus DeepSight identified Slammer at about the same time as the 'rest of the Internet'

      Yeah, I read it the same way; 9pm PST == 12am EST the next day.

      I can only guess "midnight Saturday" means literally night time Saturday, or "12am Sunday", which would put the events 24 hours apart. I'm not sure which they mean; and neither is 'hours apart', which implies only a few hours.

      The term "midnight" is bad enough, but to mix in different timezones just makes it worse.

      Convert all the times to one timezone so it's clear; UTC or PST, I don't care which. They made the effort to translate one direct quote from (UTC) to PST, but failed to do that consistently as shown by your article quote.

      Since the whole article seems to hinge on this comparison, it comes off pretty weak.

  45. Troll? by fobbman · · Score: 4, Insightful

    "According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."


    Uhh...that's about the same time isn't it Sparky?

  46. Re:eh by Budgreen · · Score: 1

    and the sad thing is I knew I spelled it wrong and still hit submit.

    --
    The greatest right given is the right to be wrong...
  47. Good Business by koan · · Score: 1

    I wonder if they can be held liable for damages now.
    I'm sure we have all discussed the type of business providing a cure for a problem you cause.
    As paranoid as it sounds "cold and flu" season has always been suspicious to me =)
    My current philosophy for things of this nature is "who stands to profit" and I think you can apply this across the board (Including the Bush administration) sorry I slipped into Rant mode.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Good Business by Vulture_ · · Score: 1
      As paranoid as it sounds "cold and flu" season has always been suspicious to me =)
      If what you're thinking were true, cold and flu season would be year-round.
      My current philosophy for things of this nature is "who stands to profit" and I think you can apply this across the board (Including the Bush administration)
      Go get a job at the Department of Justice. Or maybe the Federal Trade Commission. They could probably use you over there.
      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

  48. Could Spam be the same? by plankers · · Score: 1

    People have started becoming more paranoid about antivirus companies' involvement in virus creation. That's good -- if these companies are defrauding the public by creating the viruses they catch then all of them should end up in jail.

    Could this be the same with spam? Could anti-spam vendors be sponsoring the spam itself, just to take corporate money in exchange for protection? Sounds like the mafia to me.

    1. Re:Could Spam be the same? by Vulture_ · · Score: 1
      Could this be the same with spam? Could anti-spam vendors be sponsoring the spam itself, just to take corporate money in exchange for protection? Sounds like the mafia to me.
      I believe the word you are looking for is "extortion".
      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

  49. I'm a Idiot by waldoj · · Score: 1

    Uh...yeah, you're right. That's a one hour difference.

    Er...no. I'm an idiot. 9pm PST and 12am EST are the exact same time.

    -Waldo Jaquith

    1. Re:I'm a Idiot by Didion+Sprague · · Score: 2, Informative
      Wait, if anyone's an idiot it's me.

      Now, I've not always considered myself an idiot, but lately I've come to believe that's the case. For example, I find myself monitoring the North Korean News Agency and actually expecting to find news. I did, however, find this:

      Symatic Antivirus Policy Flailed

      Pyongyang, February 14 (KCNA) -- The DPRK calls upon the Symantic "corporation" to behave itself. Unchecked viral aggression under the guise of helpful support is obvious to all but the US warmongers. The peace of all nations is it at stake, and it should be noted that the so-called "Slammer" worm was an effort by imperialists to stifle the peace-loving livelihoods of the DPRK.

      Now that the guise is unmasked, no one but war mongers see the clear provocations. The DPRK reminds the US that such clear efforts to undermine stability on the peninsula by allowing servers to go "unplugged" and "unfixed" merely underscore the fragile nature of the current nuclear-war situation.

    2. Re:I'm a Idiot by mithras+the+prophet · · Score: 1

      It's getting old, Didion.

      --
      four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
    3. Re:I'm a Idiot by StoryMan · · Score: 1

      Actually, no, it's not getting old. It's pretty damn funny.

      And who cares? At least Didion's posting some funny, interesting shit. He's no Jon Katz (thank goodness) but he makes me chuckle.

      He's actually one of the funnier Slashdot posters I've seen in some time. His rant of a couple weeks back is classic.

      So, no, it's not getting old. I want more. It beats the hell outta reading the same old Linux versus Windows crap.

      Is this off-topic? Probably.

    4. Re:I'm a Idiot by KelsoLundeen · · Score: 1
      Iron Will of Determined Slashdot Poster

      Pyongyang, February 14 (KCNA) -- Despite sensible efforts by the DPRK "moderators" to halt repetitive Slashdot postings, one poster continues. This poster should behave himself. Thanks to Slashdot.org's deep love for the people, the poster will be allowed to continue but DPRK recommends that poster should "cease" and be sensible. It is clear to all but the warmongers that such postings are a mere ploy to build upon humorless foundations.

      Greetings to Mithras the Prophet

      Pyongyang, February 13 (KCNA) -- President General Secretary sends greetings to Mithras the Prophet. We hope Mithras continues to reap common sense. Thanks to Mithras's deft critical abilities, such posters as Didion Sprague remain in check. We commend Mithras and are happy he is behaving himself.

  50. Responsibility by jaavaaguru · · Score: 1

    People's responsibility to respect other internet users and not run arbitrary code on their machine which could slow down other people's networks or cause other havoc is much greater than a commercial organisation's responsibility to make public announcements.

    Perhaps computer vendors should be more responsible, and not sell insecure systems to the public when a large portion of the public don't want to have to care about security.

    Your local Volvo dealer doesn't sell cars that are remarkably easy to break into or hijack. Your local PC World shouldn't sell computers like that either.

    Note: This post is aimed at people who sell complete systems, not at any particular software manufacturer. A lot of the default insecurities can be disabled if vendors bother their ass.

  51. Would it have changed anything? by Junta · · Score: 4, Insightful

    Probably not. Those forewarned took it seriously because they pay for the service. If Symantec had said that a huge attack was imminent and to block the port and patch your SQL servers, how many people do you think would have listened? Of those who listened, how many of those have processes in place so that the requisite network or software changes would have required approval that would have come too late to do any good?

    The people who paid for the warning are going to take it very seriously, but aside from that, I would wager that there would be enough doubt about the validity that measures wouldn't have been taken anyway. Patching the server has the obvious implication for many mission critical databases of a potential restart and potential for undesired change in functionality, so patching in many cases would require a testbed server and evaluation, which this warning provided insufficient time for. Blocking the port, or disabling that part of SQL server, for those with it enabled without needing it, means they need to understand what it does or does not do for them. If they already knew, they would have disabled it sooner, so you can't say they would immediately realize and shut it down.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  52. I've always assumed by Anonymous Coward · · Score: 0

    it's the anti-virus companies that spread virii. If they didn't, they wouldn't make any money.

  53. Absolutely by kfg · · Score: 1

    Although the same logic could be applied to the Teletubbies and McDonald's "Milk"shakes.

    The essential fact of the matter is that Slammer *wasn't* a bomb. A fact that may have escaped your attention.

    KFG

  54. Yunsun Wee is right. Symantec is an accessory. by Anonymous Coward · · Score: 0

    If they had prior warning of the attack and did nothing they were in fact accessories to the attack. They should at the very least be investigated and chastised for their (in)actions, at worst sued and financially punished for their (in)actions.

  55. Re:Moral obligation? I'd say so. by tjwhaynes · · Score: 4, Insightful

    Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?

    No - get the analogies right. If I, as a car servicing firm, knew of a part in a Ford car that could fail and cause the car to go off the road at random and I only let my best customers know, I would be sued for screwing around with peoples lives.

    Not that I have any sympathy for either MS or Symantec - Symantec gets to make money off the loopholes in MS's operating system in a strange almost parasitic relationship. The only thing that isn't clear to me is which company is the host...

    Cheers,

    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  56. no morals by DuckWing · · Score: 3, Insightful

    In order for Symantec to have a "moral obligation" you must first assume that Symantec has Morals to begin with. They do not. It's that simple.

    --
    -- DuckWing
    1. Re:no morals by Anonymous Coward · · Score: 0

      I used to have lunch/dinner round at the home of someone who was quite high up in Symantec. (He no longer works there, or lives near where I do.) One evening we got into a long discussion of the ethics of Symantec selling web site blocking software to the Chinese government. Apparently it had been discussed at a high level within Symantec, but money won out over ethics.

  57. Re:Business aside there are moral Obligations by Anonymous Coward · · Score: 0

    if they really knew and didn't bother to alert the world to this threat, they're right up there with Saddam and company in my book.

    You equate not notifying people about a worm that has no payload to the wholesale slaughter of thousands of people?

    You are a real sicko.

  58. Re:Bullshit by Anonymous Coward · · Score: 0

    So, the death of x people is "exactly the same thing" as a computer virus being spread? Give me a fu-duck-ing break. The morality issue is still there, just not NEAR the wrong cause by inaction.

    Check http://www.webster.com for the meaning of "exactly".

  59. It's like I've always said... by Anonymous Coward · · Score: 0

    firefighters start fires. They always seem to be the first ones on the scene.

  60. Magic Eight Ball Says... by kbindera · · Score: 5, Funny

    My Magic Eight Ball predicts of a future exploit of a buffering problem in Microsoft software.

    How can you know this stuff Magic Eight Ball!!

    1. Re:Magic Eight Ball Says... by Dirtside · · Score: 1

      Heck, my Magic Eight Ball has known about Microsoft for years. Whenever I ask it a computing question, it responds, "Outlook not so good."

      (originally seen in someone's sig)

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
    2. Re:Magic Eight Ball Says... by Thing+1 · · Score: 1

      My favorite (from someone's sig): Outlook not so good. That Magic 8-Ball knows everything! Next I'll ask it about Exchange Server.

      --
      I feel fantastic, and I'm still alive.
    3. Re:Magic Eight Ball Says... by Foehg · · Score: 1

      Wow, I congratulate you for having the moral fortitude to tell the entire internet community, not just your best customers... or something. :-)

  61. Article got the time zones wrong by DaBunny · · Score: 3, Informative

    According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."

    Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.


    Ummm..."shortly after midnight EST" is pretty damn close to "approximately 9 p.m. PST"! It doesn't sound like Symantec had much advance knowledge at all.
  62. They knew nothing by doc_traig · · Score: 4, Insightful

    It's a marketing gimmick to get less savvy IT managers to think that going with Symantec will get them ahead of the game. They're burning themselves twice: they'll alienate the infosec community that rightfully believes that knowledge of a potential devastating exploit gained in advance of its use should be shared, and they'll make very poor relationships with customers who fall for this kind of marketing and never have their expectations met down the road.

    --
    So long, michael. Don't let the door hit you...
  63. Obligations by tarsi210 · · Score: 2, Insightful

    root@yourcompany:$ ./karma_burner --reply=ON --moderators=ON

    If Symantec had a moral/ethical obligation to warn the rest of the world about Slammer before it was released, don't they also have an obligation to warn the rest of the world that if you're using a POS, buggy, perpetually fraught with nastiness operating system that you're bending over and just asking for it anyway?

    Fact is, even if they had said something, 50% of the world would have laughed because they're not running Windows, 5% of Windows sysadmins would have been at the consoles sweating it, and the rest of the world would have stayed in the recliner because they don't keep up with security updates anyway OR they have their heads so far up Gates' ass that they couldn't possibly believe it.

    Personally, I sat back and laughed. How about you?

    1. Re:Obligations by Anonymous Coward · · Score: 0

      50% of the world? What world do you live in?

    2. Re:Obligations by tarsi210 · · Score: 1

      Uh....it was pointed out by some gutless cowards that my stats are off. Well, they weren't MEANT to be accurate, and if you feel content to pick on that and miss my point, knock yourself out.

  64. Some dare call it conspiracy? by Badgerman · · Score: 1

    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release.

    Want to bet we're going to hear plenty of conspiracy theories about this idea?

    --
    "The Sage treasures Unity and measures all things by it" - Lao Tzu
  65. No, Ford does not "owe" me a car by kfg · · Score: 1

    But. . .if they had foreknowledge of a major problem upcoming with the automotive *infrastructure* that would affect all car owners, even non Ford car owners, it might have been a nice gesture to say something about it. Publicly.

    KFG

  66. Bottom Line is this by jsb2 · · Score: 1


    This wasn't some new elite exploit.
    Patch was out.
    Get off your lazy ass and fix your servers. If you got tagged it was your own fault not microsoft's not symantec's.

    If they choose to release info to their subscribers that's their choice since they PAY for it... I would take a different stance if this was a new exploit but it wasn't so who really needs the heads up? Plus at most it was a 30-minute window. Thousands of distributed IDSs will give you that type of info....

    Anyway any OS regardless of the vendor requires patching at some point.... If you don't do that it is your OWN FAULT!

    1. Re:Bottom Line is this by perlchild · · Score: 1

      Of special Irony is that Microsoft produced a patch for the vulnerability months before the worm, and still they got caught by it...

      Makes you wonder if even microsoft is on its own security mailing list for patches...

    2. Re:Bottom Line is this by Biff98 · · Score: 2, Insightful

      It's not ALL Microsoft's fault, but they're definitely NOT in the clear. They make shitty software. That is a fact.

      Let's expound on that. Let's say that Yugos have shitty locks, and there's a well known "technique" that carjackers use to steal Yugos, and YOU own a Yugo. There's a fix that you could have applied to your car to avert tragedy.

      Your car gets stolen. It is your fault because you could have done something to stop that from happening. Still doesn't put Yugo in the clear from making shitty cars.

      Heh, perhaps the most interesting point we can draw from this is the fact you (the royal you) decided to buy (use) a Yugo (Microsoft Product)

    3. Re:Bottom Line is this by Anonymous Coward · · Score: 0

      You're forgetting that Yugos have a built-in anti-theft system. Just look at the car. Who'd want to steal that POS?

    4. Re:Bottom Line is this by Anonymous Coward · · Score: 0

      Wrong.
      Patch was REGRESSED, if you were up to date, you were exposed.
      Fact MS fiddles with patches so they have the same number.
      It will be bad when a worm is released to take advantage of regressed patches in combo with something new. Admins waste precious time, demystifying reused patch numbers, and if reads if you have patch A and B applied, you are up to date, and can go back to sleep- he will. Bring back honesty in patch numbers

    5. Re:Bottom Line is this by Vulture_ · · Score: 1
      Anyway any OS regardless of the vendor requires patching at some point.... If you don't do that it is your OWN FAULT!
      Aside from the undesired changes in functionality mentioned elsewhere, have you ever bothered to read the license terms on the patches for a great many Microsoft patches? If ever there was a clear-cut example of extortion in the software industry, this is it.
      --

      The only way the typical /.er can pick up a chick is with a forklift. -- AC

  67. Bullshit by machine+of+god · · Score: 1
    Symantec has a moral responsibility to inform the public if it thinks millions will be affected.

    Like hell they do. They have a responsibility to do for their customers what their customers pay them to do. That is all. It's not their job to hold your hand.

  68. The real question is by Anonymous Coward · · Score: 0

    if the notice they sent to their customers is

    There is a worm starting spreading, that will cause huge damage in the following hours.

    or

    There is a worm we have found, that uses some old MS bug, but not known to spread quickly.

    i mean if the warning was more like a call for immediate action, or just general information, that later turned out to be just hours before the catastrophe.

    first case: they could help their customers MORE, by helping the world stop the worm. most of the users did not suffer from the worm on their own systems, but the effect on the internet traffic.

    second case: they are just trying to make profit of some good luck

    vajk

  69. It's a conspiracy by mrmaster · · Score: 1

    Isn't it obvious? Symantec is trying to take over the world!

  70. Information brokers by davids-world.com · · Score: 1

    We need to acknowledge the fact that information - in particular, timely information, is a valuable resource that comes with a price tag.

    A security advisor essentially sells information to customers who make/save money with that information. It's the same as stock quotes being circulated freely only with a delay, because real-time information is being charged for. Do some Wall Street companies have a moral obligation to issue a warning if stocks drop?

    As a response to some "imagine if CNN had known about 9/11 beforehand" comment earlier on: There is a (moral) difference between a community getting hurt financially by a worm, after neglecting available patches, and thousands of people getting killed. In the latter, there would have been a moral obligation.

  71. They didn't quite say that by jpmorgan · · Score: 5, Insightful
    They said 'We knew all about it, but only told our paying customers. You should become one of our paying customers.'

    It's a fairly fundamental difference.

    1. Re:They didn't quite say that by Max+Romantschuk · · Score: 1

      They said 'We knew all about it, but only told our paying customers. You should become one of our paying customers.'

      You're probably right, that would be their "hidden" agenda. Then again... many people are bound to get angry about it... and probably some feel even more annoyed by Symantec trying to use this as a marketing tool.

      I do see the point in making profit though.

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    2. Re:They didn't quite say that by LePrince · · Score: 1
      It's a fairly fundamental difference.

      Yep, it's quite FUNDamental.

  72. Re:Symantec... should be more careful! by Sun+Tzu · · Score: 4, Insightful
    Anti-virus companies have a huge conflict of interest in that they sell 'protection' against anonymously produced virus threats. These, and firewall producers, are precisely the same companies that benefit the most from malware and network-borne threats of all kinds.

    I would think that they would be more careful about raising people's suspicions about their prior knowledge of absurdly fast propagating worms.

    Maybe they are believers that 'any publicity is good publicity' -- even in their business.

    Send us your Linux Sysadmin articles!

  73. Wrong, moron by dh003i · · Score: 2, Troll

    WRONG. They had a LEGAL obligation to report this. Releasing a virus onto the internet to infect other computers is a FELONY -- a CRIME. If you witness a crime and don't call 911, you're an accessory to the crime. Symantec had a LEGAL obligation to report this obvious CRIME to the authorities. Because they didn't, they are an accessory to the crime.

    1. Re:Wrong, moron by Dirtside · · Score: 1

      You're talking about Good Samaritan laws, that require you to report a crime if you witness it. There are a number of states that have laws of this kind, but generally they're with respect to medical emergencies -- namely, if you in good faith provide emergency medical assistance to someone in need, you can't be held liable for any damage you cause. However, laws that require you to report a crime you witness generally don't exist. Not in California, at least, as far as I know.

      Besides, you're not talking about someone witnessing a crime -- you're talking about someone witnessing the results of a crime. If I come across a corpse, I'm not an accessory to murder if I don't report it. That would be absurd.

      --
      "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  74. Symantec.... by wowbagger · · Score: 4, Insightful

    Symantec.

    The same Symantec whose Norton Anti-virus product is prominently featured in a rash of spams in my inbox?

    The same Symantec who claims to follow up on reports of this to spamwatch@symantec.com? That never seems to lead to any sort of actions?

    The same Symantec who just changed their auto-renewal to cost people more money IN THE MIDDLE OF THE RENEWAL CYCLE?

    Huh, who'd'a thunk it?

    Glad I use somebody else's anti-virus software.

    1. Re:Symantec.... by oyenstikker · · Score: 1

      You use somebody else's anti-virus software? What do you use? The links you provided offer no clue to your software, only to your operating system.

      --
      The masses are the crack whores of religion.
    2. Re:Symantec.... by Thing+1 · · Score: 1

      I've recently found AVG, a free anti-virus product. Seems to be working OK, and does an auto-update so it's always fresh.

      --
      I feel fantastic, and I'm still alive.
  75. Sooo... by jgerman · · Score: 1
    ... some jackass at Wired can't do timezone math. Has anyone used their feedback page to whack them with the cluestick? Of course the /. title is just as bad, "advance warning" implies that they knew about it before its release.


    As far as moral obligations, I've seen a lot of comments about how they're a company and aren't under any obligation to notify anyone. That's a crock of shit, in the same way that if I witness a crime I'm under obligation to speak up about it, as soon as possible.

    --
    I'm the big fish in the big pond bitch.
  76. Spread rate by tomdarch · · Score: 1
    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet...

    Wouldn't the spread rate of this be an exponential curve, with a flat beginning leading to a steep spike? It seems reasonable that the flat start would be a few hours before the steep spike that would be seen as 'spreading across the internet in ten minutes.'

  77. Nonsense by dachshund · · Score: 1
    I don't see why people expect companies to donate information that costs them to find.

    Your obligation is to protect your customers. Allowing a worm to spread free on the Internet potentially endangers your customers, even if you do give them the relevant info. Even if a company protects its own servers, it's still vulnerable to DDoS and bandwidth floods from other infected machines, and it might be infected due to some administrator's failure to heed the warning.

    I see no reason why restricting this information to corporate clients and letting everyone else go to hell does any party a service. It seems like a really backwards way to do business-- let an infection run wild just to make your own research team look a little more valuable. I sure wouldn't want to do business with such a company.

    PS It's possible that Symantec might not have been able to prevent the spread of the worm, but why not at least try?

  78. Anyone get the alert? by acvh · · Score: 1

    So is anyone here working for a subscriber that can verify that this alert even went out and was received by someone?

  79. Timing... by Anonymous Coward · · Score: 0

    Anyone else think the time zone use was odd in the article? If you convert everything to PST you'll see what I mean

  80. ...programmers' fault not MS... by dpilot · · Score: 2, Insightful

    It's shared, because it's the culture MS engendered around their software. Now that MS is being forced to become more security conscious, the software community they fostered, along with its sloppy habits, have become a hindrance.

    For years, features and fast development were up-front priorities on Windows, and security hadn't hit the radar screen. This encouraged sloppy programming, to get flashy new stuff out the door quickly. Somewhere in there, compatibility rose in the priority scheme, as MS became a victim of its own success. Once upon a time, breaking old software was a way to encourage new software purchase. Now, breaking old software discourages new platform purchases, so compatibility has become necessary.

    So old software, written in the days when security wasn't even an afterthought has to run on the new platform, or the new platform won't sell. At the same time, the new platform must be more secure.

    Not an easy problem.
    Someone mentioned sudo, but I guess that's got the commie pinko GPL on it.

    --
    The living have better things to do than to continue hating the dead.
    1. Re:...programmers' fault not MS... by steve_l · · Score: 1

      I agree with almost everything you say. The point I differ is that MS have only now cared about compatibility. The success of win3.x, win9x and later NT is that they jump through hoops to keep old code running.

      Which is why apps can do portIO on Win9x, and why the windows security model is wide open by default.

      Where the MS culture has created risk is the obsessiveness with adding programmability to everything - the hacker urge combined with marketing's vision of 'enterprise solutions'. Example: Windows scripting host; why do I need .js and .vbs support? I don't, but I get it with every IE upgrade.

      Example 2: why do word docs have the right to be able to open any library and run any app. It used to be spreadsheet macros were little functions you wrote to simplify the spreadsheet. Now anyone receiving a spreadsheet with a macro in it assumes you've an email virus and panic.

      I don't think OSS is any different here in terms of adding programmer-centric flexibility (emacs, for example), we just started with a more secure foundation (unix) and tried not to make it worse.

      The other diff is deadline driven coding: commercial apps have a ship date, and MS would neglect non-critical bugs to meet that date. They need to recognise that all security holes are showstoppers.

  81. Quote... by WPIDalamar · · Score: 1

    My favorite quote ...

    "If I witness a felony but refuse to call 911 because the victim hasn't paid me money to do so, I'm technically an accessory to that crime, not to mention a really rotten citizen."

    they have a point there.

    So ... first there was security through obscurity ... now security through monetary gain.

  82. Michael's Added Statement by DaytonCIM · · Score: 2, Informative

    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release.

    Libel - A false publication, as in writing, print, signs, or pictures, that damages a person's reputation. The act of presenting such material to the public.

    Michael,
    I know you're pretty opinionated and think highly of yourself, but you may want to reconsider posting such statements as it could adversely affect you and your employer.

    1. Re:Michael's Added Statement by Anonymous Coward · · Score: 0

      Symantec isn't a person.

    2. Re:Michael's Added Statement by Anonymous Coward · · Score: 0

      You can libel a corporation.

      They're much more likely to sue, to boot.

    3. Re:Michael's Added Statement by Anonymous Coward · · Score: 0

      And this happens in your precious "free" country with "free speech" and all? Ha ha.

    4. Re:Michael's Added Statement by Microsift · · Score: 1

      I think the standard for winning a Libel lawsuit is pretty high. IANAL, but my recollection is that you have to show that the author knew that the alleged libelous content was untrue.

      --
      My other sig is extremely clever...
  83. Not enough time anyway.. by harborpirate · · Score: 3, Interesting

    Another important point is this:

    The worm spread around the entire globe in minutes. And Symantec didn't know about the worm in advance, they are simply saying that they knew about it before anyone else. (Which other posters have pointed out is BS - apparently journalists and corporate managers don't understand time zones)

    Which leaves us with this simple fact: even if a sysadmin had gotten and read Symantec's message immediately, it is unlikely they would have had time to block the port and/or patch their server in time anyway! They may have already been hit in the time it took them to read the virus alert.

    The fact that Symantec noticed it was happening is hardly surprising, they make money by detecting and stopping viruses. Of course they would notice when a ton of traffic on a certain port started inundating the internet.

    This whole story is a load of crap. Hopefully Wired will do a little more research in the future into the stories they display, but somehow I doubt it.

    --
    // harborpirate
    // Slashbots off the starboard bow!
  84. Symantec's claim makes NO sense by nweaver · · Score: 2, Informative

    Slammer hit so hard and fast (doubling every 8 seconds, peak scanning rate in 3 minutes, analysis.

    An "hour" before is a preposterous claim. They might have gotten in 10 seconds before, or even a minute if the first couple of copies were on bad links, but an hour is total, complete, and UTTERLY ridiculous claims to make.

    The only way they could make the claim is if they found an extra-buggy, prerelease version. IF so, we need to know about it as it aids in understanding the author.

    My bet is they saw some unrelated script-kiddie scanning (we saw some of this in our OWN data sets) and someone in marketing is trying to say that they saw the worm 2 hours ahead of time.

    --
    Test your net with Netalyzr
    1. Re:Symantec's claim makes NO sense by ryanr · · Score: 1

      Deepsight gets their information from various IDS systems around the world. They get alert logs, not actual packet samples or code samples. (At least not from that mechanism, they also manually collect the other stuff.)

      Probably what happened is that they picked up enough of an increase in UDP Port 1434 activity ahead of time that they felt it warranted an alert and issued it. For the reasons you've noted, they probably wouldn't have been able to indicate that a worm was coming, or even that it was going to be a particularly serious problem in the near future. They would have been able to point to the vulnerability associated with that port. They probably would have recommended firewalling and patching.

      That is the sort of report they issue every day. At the time, they probably wouldn't have had any reason to issue it publicly. By the time anyone knew what was really up, it was over, and everyone was already informed.

      And of course, after the fact the PR people play up the initial report, with interesting results.

      I might be wrong. Symantec should make a copy of the report publicly available so we can all see.
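
Added example (not part of the thread, and not Symantec's or DeepSight's code): the comment above describes an alert raised from aggregated IDS alert logs when UDP port 1434 activity rises, with no packet or code sample available. The code below flags a port only when several sensors exceed their own recent baseline in the same time window; the sensor names, counts and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import median


def build_sample():
    """Constructed per-sensor summaries: (window, sensor, proto, dst_port, alerts).

    Counts only, no payloads: the kind of alert-log aggregate the comment
    describes. None of these values come from real sensors.
    """
    rows = []
    for w in range(8):  # windows 0..7: quiet background
        rows.append((w, "s1", "udp", 1434, 2))
        rows.append((w, "s2", "udp", 1434, 1))
        rows.append((w, "s1", "tcp", 445, 40))
        rows.append((w, "s3", "tcp", 445, 35))
    # window 8: a single noisy sensor on tcp/445, everything else normal
    rows.append((8, "s1", "tcp", 445, 900))
    rows.append((8, "s3", "tcp", 445, 38))
    rows.append((8, "s1", "udp", 1434, 3))
    # window 9: udp/1434 rises on four sensors at once
    for sensor, n in (("s1", 60), ("s2", 45), ("s3", 70), ("s4", 55)):
        rows.append((9, sensor, "udp", 1434, n))
    rows.append((9, "s1", "tcp", 445, 41))
    rows.append((9, "s3", "tcp", 445, 36))
    return rows


def detect(rows, history=5, factor=5, min_count=10, min_sensors=3):
    """Return one finding per (window, proto, port) with a multi-sensor rise.

    A sensor is "elevated" when its count in the window is at least
    max(min_count, factor * median of its previous `history` windows).
    A port is flagged when at least `min_sensors` sensors are elevated,
    so one misbehaving sensor cannot raise a global alert by itself.
    """
    # counts[(proto, port)][sensor][window] = number of alerts
    counts = defaultdict(lambda: defaultdict(dict))
    last = 0
    for w, sensor, proto, port, n in rows:
        series = counts[(proto, port)][sensor]
        series[w] = series.get(w, 0) + n
        last = max(last, w)

    findings = []
    # Skip the first `history` windows: there is no baseline yet.
    for w in range(history, last + 1):
        for key in sorted(counts):
            elevated = 0
            total = 0
            for series in counts[key].values():
                now = series.get(w, 0)
                past = [series.get(p, 0) for p in range(w - history, w)]
                total += now
                if now >= max(min_count, factor * median(past)):
                    elevated += 1
            if elevated >= min_sensors:
                findings.append({
                    "window": w,
                    "proto": key[0],
                    "port": key[1],
                    "sensors": elevated,
                    "total": total,
                })
    return findings


if __name__ == "__main__":
    for f in detect(build_sample()):
        print("port activity alert:", f)
```

The finding names a protocol and port and nothing else, which matches the comment's point: a report built this way can point at the service behind the port, but cannot say that a worm is coming.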

  85. Poor computer use by rhino_badlands · · Score: 2, Interesting

    It's crap that they hold information back, but here's what I think about anyone who got whacked with it.

    Some people and companies practice poor computer use ... If your car has a recall you sure as hell don't sit around and say ah I'll get it fixed tomorrow, cause your ass could end up on the side of the road in itty bitty pieces. People should think the same way about computers, maintain, update, and keep it clean you will never have a problem, and get security patches !

    I haven't had a problem with any of my computers with viri, worms, and other things, just because I keep them updated !

    It also helps to not be an idiot with your e-mail !

    --
    - MOSKIE
  86. Here's Your Warning... by jot445 · · Score: 1

    I know about something in advance. Sometime in the near future there will be a DOS attack on the Internet root name servers. The entire internet will be down, your hard drive will be crashed, your hair dryer will stop working, and the water in your home will turn to blood. This will happen! Prepare. You have been warned. This information was released to the public, in advance of the attack, under the protection of the GPL. BTW - The Man knows about this too!

    --
    The preceding comment has been reviewed and declared to be compliant with HIPPA Phase II regulations.
  87. That's not the issue fool by Anonymous Coward · · Score: 0

    You failed to respond to actual issue.

    The issue of Israeli firms receiving instant messages warning of a bomb attack that morning have not been disproved, why not? because it happened.

    As I said this is NOT the "all the jews stayed home" rumor.

    So your sneaky propaganda tactics seem slick, but I think anyone with half a brain will not fall for your pathetic straw man tactics.

    1. Re:That's not the issue fool by Anonymous Coward · · Score: 0

      No, it was the French. French nationals were receiving instant messages warning of a bomb attack that morning. Disprove that...

      See how fucking silly that is? You could lay down the same load of bullshit for any religion, nationality, gender, etc.

      What a moron...

  88. Symantec sucks anyway by Anonymous Coward · · Score: 0

    Would this guy agree?

    http://slashdotebayitem.0catch.com/

    Original URL (has been removed):

    http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=2911684233&category=16709

    Was one of the auctions of the day for 2/14 at

    http://bluesnews.com/

  89. Re:Bullshit by Anonymous Coward · · Score: 0

    i think the parent is drawing an *analogy* between the two situations. idiot.

  90. I don't get it ... by Thanatiel · · Score: 1


    Since basically everyone suffered from the worm, that means that :

    _ The people who buy Symantec's soft
    _ The informed select customers ... suffered too.

    Someone can explain what's the 'smart move' now ?

    --
    Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
  91. This sounds like lies. by bscanl · · Score: 1

    The worm propagated extremely quickly, and started generating UDP traffic to random hosts immediately.

    Any large pooling of firewall logs would have logged the first handful slammer infected hosts spewing their packets out onto the net to random hosts. I simply do not believe Symantec when they say they somehow knew about this before the rest of the net did.

    The folks at Dshield (http://www.dshield.org) caught this within moments of it getting out onto the net, no?

    Useful Slammer analysis links:
    One: http://www.caida.org/analysis/security/sapphire/index.xml

    Two: http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

  92. Allegory. by Anonymous Coward · · Score: 0
    Smith & Wesson: "There's a problem with our guns - someone can shoot you with them."
    Person: "Duh, Okay."

    Police: "There's a dude in that bar with a Smith & Wesson. Don't go in there."
    Person: "Duh, Okay."

    *Person walks in the bar, gets shot*
    Person: "Damn Smith & Wesson! Their guns suck!"

  93. Virus companies are liaison to a lot we don't know by adzoox · · Score: 1
    Call it conspiracy: I believe that Virus companies are partner, liaison, originator, friends with, creators of a MAJORITY of the viruses that hit the internet. Think about it. If profits or revenues are down - what's the best way to sell software? A need for the software you sell, right? It is an ethical, moral question, but I honestly don't leave it beyond a company in today's economy/world. The interesting thing is a lot of former Symantec employees are paid EXTREMELY big retirement bonuses - my guess as hush money, not necessarily for KNOWING, but for research and development of viruses and security holes in products. I also think former and current disgruntled Microsoft, Cisco employees "join up" with and provide resources for Virus companies and hackers to exploit problems.

    --
    Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
  94. Re:Bullshit by Anonymous Coward · · Score: 0

    The parent WAS drawing an analogy...the problem is it was an extremely fucked-up analogy

  95. Re:Euro-wussies read this! by Anonymous Coward · · Score: 0

    Well, the rest of the world has to tolerate and live with that dictator known as Bush.
    S'funny how Americans wrap themselves up in the flag and cry over themselves while saying how proud they are of their 'free' (watched the news lately?) and 'democratic' country, but as soon as Bushie says let's destroy 'X' because we can't destroy 'Y', it doesn't matter what people say anymore?
    Hey, America, die already.
    PS: To the NSA CIA FBI assfucks who will probably intercept this, you know where I live, come and get some good hard Canadian ass loving, mkay?

  96. Bzzt, false analogy by Anonymous Coward · · Score: 0

    Large difference, no one died from Slammer.

  97. An accessory for not reporting a felony? by jeaster · · Score: 2, Interesting

    Someone help me out here. The article states: "If I witness a felony but refuse to call 911 because the victim hasn't paid me money to do so, I'm technically an accessory to that crime, not to mention a really rotten citizen." I don't believe this to be true. I have been advised, by police officers and law professors, that if I happen upon someone drowning in a pond and screaming for help, that I am well within my rights to pull up a chair, take out a bag of popcorn and a coke and watch. Our laws do not provide for forced intervention in crime by the citizens. Sure, it would make me a rotten person, but it does not make me an accessory. Can anyone cite law differently?

    1. Re:An accessory for not reporting a felony? by josh+crawley · · Score: 1

      ---I have been advised, by police officers and law professors, that if I happen upon someone drowning in a pond and screaming for help, that I am well within my rights to pull up a chair, take out a bag of popcorn and a coke and watch.

      In the US, that's correct. What's worse is if you (attempt to) save somebody who is about to die, they or their family can sue you. What I remember this from is a lawsuit somewhere in Indiana where a lady was choking, and the guy tried everything. He finally gave her a trake (hole in neck to bypass mouth, usually with pencil or scissors). She lived, but in response, she sued the guy. He took away her beauty. However, the judge dismissed the case.

      However, if Symantec has offices in the UK, I believe they DO have a morality clause. If you don't 'support' public welfare, they can arrest/fine you.

  98. Check out system policy editor by mrhandstand · · Score: 1
    For problems like this it's often a matter of tweaking user rights in the System policy editor. I would think it's possible to give the user rights for a DB connect without giving full admin/root rights.

    Just my $.02.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  99. Re:Symantec... I knew about you going out of busin by Anonymous Coward · · Score: 0

    another new conspiracy theory blossoms...

  100. Symantec sucks! by megagurka · · Score: 1

    Damn losers! Try to make money out of others' misery. Shame on you Symantec! I will never buy your products again!

  101. Blame to spam by gmuslera · · Score: 1

    Maybe they issue an alarm, but as almost everyone should be stopping anything that says something about Norton Antivirus, Internet Security and so on that comes in so much spam, the announcement doesn't reach all the intended targets.

  102. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  103. Email clarification from the author by brian1442 · · Score: 1
    Here's the email response that I got from the author of the Wired article:

    Yes, you're right. We're adding a clarification to the story. 9:00 was when Symantec released their alert, but the company does claim to have known about the worm for "hours" prior to its spreading. The first warnings (in English) on the major security sites were posted (and not by Symantec) at around 1:00 AM EST/10PM PT. People did start seeing the worm around midnight ET, as stated in my story, but if Symantec already knew exactly what was happening (and presumably they did if they released an alert to their customers that allowed them to block the worm) it would have helped had they shared that info ASAP. Sorry for the confusion -- I didn't report that as clearly as I should have. Michelle

  104. I don' think so, mon by mschuyler · · Score: 1

    My guess is Symantec did no such thing. They said the same thing about Nimda. I was one of the first sites hit by Nimda. Why we were at the 'cutting edge' I don't know. (God, memories of that day are flooding back!) We knew what it was within minutes of getting hit. It was a full 24 hours before Symantec had a patch, but they claimed later they were on top of it right away and claimed they had a patch out the day before they really did. I was monitoring the site every few minutes for a clean up tool and I know darn well they weren't ready when they said they were. The first day of Nimda our eradication efforts were totally manual. We lost three servers completely and it took us more than a week to fully recover. Thank goodness we just happened to be paying attention that morning. It could have been a lot worse. I hate to think what would have happened if we'd got hit at night.

    --
    How about a moderation of -1 pedantic.
  105. Re:Symantec... should be more careful! by Incongruity · · Score: 2, Interesting
    Anti-virus companies have a huge conflict of interest in that they sell 'protection' against anonymously produced virus threats. These, and firewall producers, are precisely the same companies that benefit the most from malware and network-borne threats of all kinds.

    That same claim can (and has) been leveled against the defense and intelligence industry for some time now. If we don't believe there to be a threat, then we (any given 'we') will not pay for a defense against that (non) threat. The point you make, however valid, isn't really all that new.

    I'm not in any way trying to flame you, however...I'm just pointing it out because it seems interesting to see how once again it's the same old story (life, that is) with a new wrapper on it.

  106. PRE-warning by Vantage · · Score: 1

    With only 20 or 30 minutes of advanced warning they couldn't really do anything anyway. The most really is get it up on their web site, announce to a few important customers and maybe email a few other companies that would put advisories up on their site.

    Besides, with the speed this spread, I am inclined to believe that if they knew in advance it was more like 5 or 10 minutes and not 20 or 30.

  107. This is kind of a chicken and egg issue... by orichter · · Score: 1

    It can be reasonably argued that the application programmers could be blamed for poor multi-user support, but it could also (and I think rightly) be argued that the original windows paradigm was single user, and thus it was accepted to write single user applications. Because Unix is fundamentally designed to not be run in Admin mode by everyone, application programmers are forced (or at least strongly encouraged) to write multi-user applications. Your argument is somewhat akin to saying, "It's not the mayor's fault that crime is rampant in this city, it's the criminals' fault." While that statement is true, it is the mayor's fault for allowing an environment where such behavior can thrive. Similarly, it's Microsoft's fault for creating an environment where single-user applications can thrive. By the way, in my view, the situation is getting much better, and much as I hate to say it, Windows XP is making many improvements in this regard. It's still not as good as Linux by a long shot however.

  108. Perhaps a new time system needs to be set? by josh+crawley · · Score: 0, Offtopic

    Well, we all see the Wired articles about "KNOWING hours in advance". And of course that nice 3 hour discrepancy, oh wait! That's a timezone change.

    I could go on to flame Wired, or even Symantec but I won't. Instead I use a system called .beats whenever I talk to friends over the net (in other countries). The .beat system is based on Greenwich time (+0). The day is then subdivided into 1000 sections. According to the math, 1 beat is 86.4 seconds. In this setup, it doesn't matter where you're at. The .beat is exactly the same for any timezone.

    In this case, all times are equal (well, the fact the .beat was created as Internet Time helps). Here's some links to the @beat system:

    CNN story
    Some crazy guy who does lots with time

  109. Yes, but their customers still suffered by hughk · · Score: 1
    If for, example, you were a Symantec subscriber doing business with South Korea, it was a little sad if you had your patch installed as per Symantec's warning, because South Korea still dropped off the map.

    The problem with Slammer, is that it didn't just screw up the infected machines, it ate so much bandwidth that until the routers and firewalls were locked down, the protected systems were as badly affected by the outage as the systems that were not protected by Symantec.

    If they had contacted a backbone provider with information about the port, the outage could have been stopped as quickly as it occurred.

    --
    See my journal, I write things there
  110. No by waldoj · · Score: 1

    No - get the analogies right. If I, as a car servicing firm, knew of a part in a Ford car that could fail and cause the car to go off the road at random and I only let my best customers know, I would be sued for screwing around with people's lives.

    Close, but no cigar. If you, as a car servicing firm, knew of a part in a Ford car that could fail and keep the car from starting sometimes under some circumstances, and you only let your best customers know, you would be...um...nothing.

    -Waldo Jaquith

  111. From the Symantec Web Site by DaytonCIM · · Score: 2, Insightful

    From the Symantec Web Site:

    For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised. This combination of comprehensive up-to-the-minute attack data combined with effective solutions, patches, and countermeasures enable corporations to protect information infrastructure while avoiding downtime and lost productivity.

    It sounds to me like a Tech Security company trying to boost sales of their new Threat Management System and Alert Services by stretching the truth. And we all know the sales and marketing folks would not blink an eye at fudging facts to sell their products.

    Does this mean Symantec had anything to do with the Slammer virus (as Michael alluded to), I don't think so (and honestly to make an accusation like that is just plain ignorant).

    Just my take. Now let the negative modding begin.

  112. 10 minutes? No way! by rcr484 · · Score: 1

    My network was getting a data stream from our parent data center on the Thursday before the Slammer hit. The target server of the data stream was our SQL box. After some talk with my colleagues at our other companies, they were hit with the same issue on the same day. We think the worm was preparing to attack and was propagating to trust SQL servers for a wider data stream. When the moment came on that Saturday morning, my SQL box went nuts, nailing every IP it could reach with packets.

    I think Symantec was getting reports of some weird data streams on clients' SQL servers and issued some prior warnings about a potential threat.

    No way did this thing propagate in ten minutes. It's just not possible.

  113. why tell customers only? by Anonymous Coward · · Score: 0

    Do you think Symantec maintains a mailing list of everyone who needs to be contacted, not just a mailing list of actual (bill-paying) customers?

    I would guess that Symantec contacted the bill-payers first , you know those customer thingys, and then the non-customers.

  114. Internet a coop enterprise? The Earth(tm) too... by kevinvee · · Score: 1

    The world is a cooperative enterprise, too. It behooves all the people there to play nice with each other, too.

    Will this ever happen? Probably not anytime soon. The same amount of freedom, if not more, exists on the internet, with even more anonymity. Why lead yourself with the false expectations that all the other users are as generous to their brothers as you are?

  115. Not Unless They Wrote It by hibachi · · Score: 2, Interesting

    Dozens of network administrators from around the world on the NANOG mailing list, and EFnet #nanog all saw the first packets of Slammer at 05:29:29 and 05:29:45 GMT. That's dozens of very well placed people all seeing the first incident within a 16 second window, and not one administrator saw one earlier. How am I supposed to believe that Symantec knew about this earlier when none of us did?

    I would like to see a copy of this so-called alert they sent out before the worm hit, if it exists, and then an explanation of how they knew in advance this worm would hit. Dubious does not even begin to describe it.

  116. You're missing the obvious..... by greymond · · Score: 1

    Symantec is a software corporation that runs OODLES (that means a lot) of "Computer PROTECTION" . Now whether or not you believe they are the best OR worst is your opinion, but from a marketing standpoint it wouldn't be a good idea if they said they had their hands up their asses when the worm came out, now would it?

    Bad Example of Conversation:
    "Hey, what's your opinion on X new virus/trojan/worm/etc..." - News People

    "Yeah we got hit really bad, we were totally useless for about 2 to 3 hours" - Symantec

    Good Conversation:
    "Hey, what's your opinion on X new virus/trojan/worm/etc..." - News People

    "Yeah we saw this coming, but unfortunately could only reach a few of our customers in time." - Symantec

  117. Re:Euro-wussies read this! by Anonymous Coward · · Score: 0

    Yes, if necessary. Your friend is a coward to hide behind innocent children. But if it comes down to the choice between Iraqi children and my grandchildren, guess what, Bozo - they lose.

  118. Moral Responsibility??? by merlin_jim · · Score: 2, Insightful

    but Symantec has a moral responsibility to inform the public if it thinks millions will be affected.

    Symantec does not have a moral responsibility to inform the public. Symantec isn't a publicly funded corporation, or a government agency.

    You do not have a right to benefit for free from the hard work of others. Symantec's ONLY moral responsibility is to increase value to their shareholders. This isn't the late 1990's where you can create a technology company based on the idea of giving things away for free and expect that to fly.

    Part of that responsibility is to treat their customers right. Given a limited timeline, and the need to provide the most value possible, they chose to send an alert to some of their (presumably) biggest and best customers. I believe that Symantec worked in a very appropriate manner in this case.

    Note: I didn't read the article. I did read quite a few articles yesterday when the link was posted on hardocp.com however.

    --
    I am disrespectful to dirt! Can you see that I am serious?!
    1. Re:Moral Responsibility??? by Anonymous Coward · · Score: 3, Insightful

      Symantec does not have a moral responsibility to inform the public. Symantec isn't a publicly funded corporation, or a government agency.

      I think you're confusing moral responsibility and legal responsibility.

    2. Re:Moral Responsibility??? by SuiteSisterMary · · Score: 0

      Morality is always contextual. And contextually, it can be argued, Symantec had the *moral* obligation *not* to release information to any but their own customers.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    3. Re:Moral Responsibility??? by bonewah · · Score: 2, Funny
      Symantec's ONLY moral responsibility is to increase value to their shareholders.
      Wow, that's Symantec's ONLY moral responsibility? If that's the case, then they should sell crack to kids to boost their profit margin. After all, according to you the only thing that matters is if they make money. Sorry, I don't buy it. Companies have an obligation to make money, but it's neither their only one, nor their highest one.
    4. Re:Moral Responsibility??? by (void*) · · Score: 1

      And what sense of "morality" is that.

    5. Re:Moral Responsibility??? by merlin_jim · · Score: 1

      Wow, that's Symantec's ONLY moral responsibility? If that's the case, then they should sell crack to kids to boost their profit margin. After all, according to you the only thing that matters is if they make money. Sorry, I don't buy it. Companies have an obligation to make money, but it's neither their only one, nor their highest one.

      Not selling deadly narcotics to children IS a moral responsibility; doing so would doubtless result in a loss in shareholder value.

      You assert that a company has some obligation other than to increase shareholder value. I'm working on the assumption that there aren't any magical obligations that everyone just automatically has to do for no good reason (and I apparently wasn't informed of) when I ask:

      Why does a company have any obligation other than to make money? What are these obligations, and in what way has the company incurred them? I'll start off by defining an obligation as a responsibility one owes due to receiving something of value from another entity.

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    6. Re:Moral Responsibility??? by merlin_jim · · Score: 1

      Define a moral action to be one which is ultimately preserving of an entity's own existence.

      In this sense, the moral obligation of Symantec is to increase shareholder value.

      This action was moral on their part, as they were providing a service to customers that were paying for that service. If you wanted the service you should have paid for it.

      This was not necessarily an ETHICAL decision however; ethics is the act of applying morals to a larger body, such as a town, a state, a country, or the entire species.

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    7. Re:Moral Responsibility??? by schon · · Score: 1

      the moral obligation of Symantec is to increase shareholder value.

      So you're telling us that it would be moral for Symantec to start writing and releasing viruses, or to start hacking into other people's machines?

      After all, that would increase stockholder value, too.

    8. Re:Moral Responsibility??? by Cyno · · Score: 1

      ahh, the logic of capitalism. Anything is moral as long as it makes money. ;)

    9. Re:Moral Responsibility??? by (void*) · · Score: 1

      Define a moral action to be one which is ultimately preserving of an entity's own existence.


      Sorry, that's not what most people mean by morality. What they mean may be vague, but it always includes an element of consideration for other people. The way you've defined it seems totally contradictory to this essential meaning.

  119. Let's see the warning. by spells · · Score: 1

    If anyone reading this subscribes to the Symantec Deep blah blah blah, can they post the warning (with the time it was received). I would be interested in reading it.

  120. Re:Wrong, moron-wrong yerself by way2trivial · · Score: 0

    Average joe-sixpack, you do not have a legal obligation to report it to 911. Walking down the beach, if I see someone drowning, I have no legal obligation to call anyone.. this changes if I'm employed as a lifeguard.. to be an accessory requires ACTION, inaction is not punishable.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  121. Very true by Nazmun · · Score: 1

    As a server admin I've had to patch almost every crucial piece of software on my webserver. Apache had a vulnerability with SSL, sendmail had problems, and even OpenSSH (secure telnet shell) had to be patched recently.

    --
    Hmmm... Pie...
  122. Re:Moral obligation? I'd say so. by liquidsin · · Score: 3, Interesting

    Maybe you should get *your* analogies straight. Everyone is acting like Symantec did something horribly wrong. Let's not forget that there has been a patch available for this since July of last year. So if we must make analogies, how about this one:
    I, as a mechanic, know that cars made by Ford had a recall (say for something like tires...). Now, of course it's in my best interest to inform *my* customers, but am I "morally obligated" to stop every passer-by on the street who's driving a Ford and tell them?

    The point is, Microsoft admitted there was an issue and fixed it six months ago. Why is it Symantec's obligation to remind us all to secure our servers?

    --
    do not read this line twice.
  123. Ya! Right! People has a moral responsibility ... by Anonymous Coward · · Score: 0

    People have a moral responsibility not to use windoze server. If you use crap don't bitch when you get burned.

  124. Re:TRUE by Anonymous Coward · · Score: 0

    Ohhh...

    its published...

    thereby making it fact...

    Oh wait, the New Testament is also published. I guess all the Jews and Muslims are going to Hell anyway so it really doesn't matter...

  125. I'd take it a step further by arcadum · · Score: 0
    If I had a security guard that did nothing to prevent a crime against me I would fire that person and get a new guard; if I were a paying Symantec customer I would drop them and pick up one of their competition.

    I would also tell my new provider why I switched.

  126. less Richard, more Ron by emilng · · Score: 1

    If you witness a crime being committed and don't alert the authorities, then you're an accessory to the crime. If you witness the results of the crime, that doesn't necessarily make you an accessory to the crime. By your logic you could get arrested for seeing graffiti on the wall because graffiti is a crime.

    oh - one more thing... emphasis in ALL CAPS does NOT make you smarter ;)

  127. What an idiot by Anonymous Coward · · Score: 0, Flamebait
    Yes, I do believe the viruses come from miscreants sitting in Mommy's and Daddy's basement, and not from the software houses.

    If you have some proof that Symantec et al. are responsible, then let's see it. I'm sure the whole world would be very interested in the details. But if you don't have any proof, then running around saying such things is no better than saying, "I can't prove it, but I'm convinced all Italians are in the mob, all blacks are lazy, all the Irish are drunks, all women can't drive, all Linux users are arrogant slobs", etc.

    In other words, put up or STFU.

  128. Re:eh by Anonymous Coward · · Score: 0

    Here I just assumed it was a subspecies of the troll ecosystem that insisted on teh classic mispellings to pull in anal retentive geeks!

  129. Warnings Are Useless by RedSynapse · · Score: 3, Insightful
    At the University where I work our entire network was down for about 6 hours due to Slammer/Sapphire. This is an institution with 30,000 students and Oh happy coincidence, it was the last day to drop courses without academic penalty - which could only be done online. The problem is that each department, faculty, club, etc. runs their own servers so what ends up happening is Professor so-and-so's graduate student's cousin who once started studying for the A+ exam becomes the system administrator. Security Bulletin? Patch? Hotfix? What's that?

    Network Operations had to manually disconnect MANY servers which were just saturating the network. After doing this we got calls days later from people saying "My students are complaining that they can't access my server, any idea why this is?" So if you're expecting that every server has some crack squad of administrators scouring the net to make sure it's updated to the fullest - well sorry, it takes some people days to notice that their server isn't even on the network anymore.

    I mean you'd think people would turn on CNN and see SQL WORM RAVAGES INTERNET, and think, gee don't I have a machine running an SQL server, maybe I should check up on that? But no.

    The reality is that there was a patch available for this months before and nobody bothered to install it, I don't think a few more hours would have made much of a difference at least where I work.

    1. Re:Warnings Are Useless by PigleT · · Score: 1

      "well sorry, it takes some people days to notice that their server isn't even on the network anymore."

      In some ways, I think it's quite reassuring that there are people out there with NON-immediate demands. I'm used to processing stuff quite often in an interrupt-driven manner, as it's the only way that seems to work. Being able to tell a car-electrician garage that they could take their time over diagnosing and fixing things rates amongst the finer things in life, to me.

      However, I'm firmly of the opinion that it doesn't apply to any box put on the 'Net. If you can't have someone respond to abuse, postmaster or hostmaster as the case may be, in a more timely fashion - maybe about 12hrs or so - then you shouldn't be putting it online. If you're (generic) going to ignore security updates - most people seem to be putting them around in a responsible fashion, these days - then kindly don't inflict your laziness on the other inhabitants of the 'Net, because that *is* your responsibility, however much one might want to dodge it.

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  130. Symantec lies by helix400 · · Score: 4, Interesting
    Symantec has a bad history of not telling current customers about their viruses. When they discover a virus, they first take a few days to figure out a fix, and when they find a fix...THEN they announce it as "Discovered". Sure makes them look good when they claim to discover and fix most viruses the same day

    I saw this first hand. When Opaserv variants were coming out almost weekly last fall, Symantec was very slow to acknowledge their existence. A few people I know sent them executables of a new variant on October 19. Finally, on October 23, they announced they "Discovered" it...4 DAYS AFTER WE SENT IT TO THEM! Those Symantec liars didn't even tell us that they discovered it, but they're working on a fix. No, they sat on the virus for 4 days! (Want proof? Check out Symantec's Oct 23 discover day for brasil.pif, here, and compare that with the Oct 19 date that many of us first noticed that virus on this discussion site here.) And of course, following true to Symantec policy, they claimed to have released a fix either the day of discovery or the next day...to show they're working hard for their customers.

    Stupid liars.

    1. Re:Symantec lies by Anonymous Coward · · Score: 0

      You dumbfucks, why should Symantec make a press release that a virus is found just because Joe Nobody emails them an .exe file. You don't think they get thousands of .exe files emailed to them, probably with most NOT being viruses. Then once they do verify it is a virus, what is the point of making a press release saying that it is a virus without having a fix. As soon as they did that, idiots like you would be chastising them for being an anti-virus company and not having a fix. Their business customers would be upset because they are paying good money for protection but don't have it for that virus, which they might not even be susceptible to, but want the fix just because that is how idiots (like you) think. I would have done the same thing as Symantec. Do you think that if I email a digital pic of what I think is a UFO (ET) to NASA, the day they get the mail they are going to have a press release to show it to the world. No, they are going to try to analyse the photo first, which is what Symantec did. Once they know the virus and how it works, it only takes literally seconds to make. The time is spent checking out that it is indeed a virus and how it works.

      Now go fuck yourself, you typical /. whiny bitch.

    2. Re:Symantec lies by Anonymous Coward · · Score: 0

      Yeah, I don't like Symantec. Not many people here in the US use it, but pandasoftware.com has a great program and great software. Updates every 24hrs if needed.

    3. Re:Symantec lies by Anonymous Coward · · Score: 0

      ALL antivirus vendors wait until they have a fix for the virus before telling or posting anything.
      What Symantec did was just plain wrong.... I also don't believe that they actually knew about it first either.

      I WANT A TIMELINE OF THEIR "DISCOVERY"!!!!

    4. Re:Symantec lies by Lawbeefaroni · · Score: 2, Insightful

      Stupid liars.

      Liars maybe, but stupid they are not.

      --
      "When it rains, it pours." --Morton's Salt
    5. Re:Symantec lies by The+Kiloman · · Score: 1

      Mod this up. This is how it works.

      --
      You may disagree, but to be blunt, you're wrong. -tgd
    6. Re:Symantec lies by CrazyDuke · · Score: 4, Interesting

      I experienced this on what should have been routine for them by now, yet another sub7 variant. I didn't know it was sub7 at the time other than it did basically what the sub7's before it did. I tried it on a dummy box, and it waltzed past Norton Antivirus. I verified the infection when my firewall started complaining about illegal requests from the trojan phoning home. I submitted the executable as packaged, described its infection strategy, removal guide, and packaged it all in a nice little email explaining that I had the latest and greatest patches and list for their current corporate version antivirus. This took me about 3 hours total, from research, infection, tracing, removal, verifying removal, formatting a report, and submitting it.

      About a month and a half later, I get a terse email from Symantic, stating that they already knew about sub7 and that they had had the definitions for a month now. They recommended that I should keep my antivirus updated more often. This was conveyed in a nice little way that sounded like I was some AOL newbie that couldn't tell the left from the right mouse button. Needless to say, I am no fan of Symantic now.

      --
      Any sufficiently advanced influence is indistinguishable from control.
    7. Re:Symantec lies by Anonymous Coward · · Score: 0

      "Symantic" eh? No wonder they thought you were a lame newbie when you can't even spell the company name correctly...

    8. Re:Symantec lies by Anonymous Coward · · Score: 0

      Well, I guess it is at least somewhat comforting they didn't think I was some basement hobgoblin that forgot to take his Paxil.

  131. they're just full of crap by Alcimedes · · Score: 1

    and this just in, Marketing drones mistakenly promote their products' abilities beyond the realm of reality.

    i'm not buying that they had hours of notice until i see something on the subject a little more trustworthy than a marketing release designed to sell a product.

    you're all reacting like that's actually the truth.

  132. OFCOURSE THEY KNEW! by MoneyT · · Score: 1

    Their systems were the first ones to be infected.

    --
    T Money
    World Domination with a plastic spoon since 1984
  133. Re:Euro-wussies read this! by Anonymous Coward · · Score: 0

    Yo, Ass Clown, Bush is not a dictator.
    The reason you have to deal with us is because right now we're the biggest, baddest mofos on the block.
    Capici?
    If you don't think Saddam would use nukes the moment he got the chance, you're showing how protected and naive you are.
    You don't pick a fight with North Korea because of the millions of South Koreans within easy artillery range.
    In spite of the fact that they're ungrateful for our protection.
    Kind of like how Canadians are lucky to be between us and the tundra, otherwise they'd be bowing to some rock in Mecca 5 times a day like those Islamofascists.
    Get a grip.
    Your country == weak.
    Our country == strong.
    If you don't like it, build an Army.
    BWWAAAHHHAAAAHHHHAAAAAAAA

  134. Re:Moral obligation? I'd say so. by g(zerofunk.org) · · Score: 1

    But if you had sent out a notice (Patch) saying that the part was bad and the way for the user to fix it was to bring it in (Apply patch) then what could you be held accountable for? If that is the case every computer that I have ever worked on I could be held accountable when someone gets a virus, software doesn't work due to outdated versions and the lack of updates. It doesn't work that way.
    You were pretty close with that example but missed the part that you had OFFERED a fix for it, but the people who were using the product chose not to use it.
    Yeah it is kind of shitty that Symantec sat on this, if they did, but they are only REQUIRED to give their service to their customers. We can talk about how great the Internet is as a group thing, etc. But I do not recall the last time my competitor called me up to tell me of the issues I *might* have if I do not patch/fix/whatever a certain part of my network. They are a business not a free site for updates and patches.
    g

  135. Let's just talk about accountability by Anonymous Coward · · Score: 0

    I'd like to know if Symantec could be held accountable as a facilitator to the crime. Considering they knew about the attack 5 hours ahead of time and chose not to warn the general public might constitute facilitation or at least be held as an accessory to the crime. For example, if a neighbor knows that there is going to be a robbery in his/her building. He/she knows that it's going to take place that very night yet decides not to call the police or warn the neighbor. He waits till after the burglary has taken place and then goes in for what's left behind and then calls the police. This is synonymous with what Symantec has done. They knew there was going to be an attack based on a known exploit they could repair. They knew the time it was going to start and how it was going to happen. But they chose to wait until everyone (except a few) was victimized and then offer their solution...for a monetary value. That's like spreading a disease just so you can sell the vaccine at a higher price. I think most Anti-Virus companies are just as much part of the problem as the solutions.

  136. admins at fault no-one else by DrSkwid · · Score: 1

    Why oh why would ANYONE with a clue connect important work-a-day machines in a hospital to the internet?

    If anyone died because AN INTERNET WORM did anything to a hospital then the hospital administrators should be prosecuted for lack of due diligence.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  137. what i dont understand.... by dmnic · · Score: 1

    is that Slapper supposedly hit the net on a Sat, yet my server logs show it was probing me on the Thursday night preceding.
    the only effect it had on me was less bandwidth over my ADSL for a few days...

  138. I'm beginning to dislike michael's comments. by dr.badass · · Score: 1

    It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. (Emphasis mine.)

    -1, Troll

    Thank you for reminding my threshold-set-to-4 ass how bad the signal-to-noise ratio around here can be. (Note : I'm not one of those big anti-michael psychos, but I wish there was some way to filter certain editors' comments.)

    --
    Don't become a regular here -- you will become retarded.
    1. Re:I'm beginning to dislike michael's comments. by ellem · · Score: 1

      dr.badass... you ignorant slut!

      There is a way.

      http://slashdot.org/users.pl?op=edithome

      --
      This .sig is fake but accurate.
    2. Re:I'm beginning to dislike michael's comments. by dr.badass · · Score: 1

      Wow. I've been called a lot of things, including whorebiscuit, assclown and fucknozzle. You may be surprised to hear this, but I've never been called an ignorant slut before! Thanks!

      To clarify, I was referring to the editors' little blurbs in the stories, not the stories themselves. Filtering everything Michael posts would make the YRO section, which I read when I'm not feeling ignorant, rather empty.

      --
      Don't become a regular here -- you will become retarded.
    3. Re:I'm beginning to dislike michael's comments. by ellem · · Score: 1

      I'm all about the love you hickory ass platypus!

      --
      This .sig is fake but accurate.
  139. It's doubtful sysadmins could have reacted... by callipygian-showsyst · · Score: 1
    Johnstone pointed out that had Symantec released information, systems administrators could have stopped the worm in its tracks simply by blocking port 1434.

    True, but then everything would be down because nobody would have connectivity to their databases. They needed to apply the patches.

    BTW: I was shocked at how many companies had their SQL database out on the Internet completely exposed! I'm working for a Big Evil Media Company right now, and you can't get to any SQL server unless you're on a secure (inside) network with a private (192.168) IP address.

  140. Sure I trust symantic's math by Anonymous Coward · · Score: 0

    anyway, what I really wanted to say was that I miss Slammer. That weekend, my spam load was down close to 75%. It's no shock that Asia was hit the hardest, since a sizeable chunk of spam (only around 30%) is relayed through there.

  141. Slammer affected Servers by Andorion · · Score: 1

    I'm not saying I don't agree with the guy (that we'd see many more worms for *nix if it were more popular on the desktop) but keep in mind that Slammer affected SQL Server 2000, which isn't usually running on a desktop machine.

    ~Berj

    1. Re:Slammer affected Servers by NickDngr · · Score: 1

      [...]but keep in mind that Slammer affected SQL Server 2000, which isn't usually running on a desktop machine.

      From the Symantec Website: "W32.SQLExp.Worm is a worm that targets the systems running Microsoft SQL Server 2000, as well as Microsoft Desktop Engine (MSDE) 2000." So, yes, it often runs on the desktop.

      --
      Yoda of Borg am I! Assimilated shall you be! Futile resistance is, hmm?
  142. Wa wa wa wa wa by Anonymous Coward · · Score: 0

    Funny idea, Symantec is a company. A company that employs people to make money... a company that isn't funded by the public. So what they choose to do or not choose to do with their own information is their own business. If you think there should be some virus monitoring company that tells everyone what's coming down the pipe then contact your state representative. Or you could pay Symantec to get the kind of coverage they provide, because believe it or not people don't spend their lives analyzing viruses for free. If you want to be protected then use their service. Don't complain about not getting protected because you were too cheap to pay them. You're responsible for your own machines not someone else.

  143. Re:Business aside there are moral Obligations by haplo21112 · · Score: 1

    No I could care less if it didn't have a payload, cause if it had and the situation repeated, perhaps it takes out a hospital while you're laying there dying....

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  144. Not quite right by Anonymous Coward · · Score: 0

    The slammer worm attacked mainly those servers AND workstations that had MSSQL installed along and under another product ... those were the SQL installs that nobody cared to patch, 'cause nobody even knew they were there!

  145. Well, DUH! by Anonymous Coward · · Score: 0

    Let's see here.. we have a virus company that "knew" of a virus or worm before it hit the streets. I wonder why? A bit of self-inflicted "job security" for a company?

  146. Re:Moral obligation? Fuck yes! by Tony · · Score: 1

    Symantec does not have the moral obligation; the people within Symantec have the moral obligation.

    Corporations are designed to be soulless money-making machines. The people within corporations (who fucking are the corporation) are under the same moral obligations as the rest of us: to behave as if we are in this life together.

    Too many people (like you) are willing to allow corporations to do whatever the hell they want in the pursuit of making money. Fine. Let corporations do whatever they want. But hold the people within the corporation responsible. There are people within Enron who broke the law in pursuit of profit and control; make 'em pay! There are people within Microsoft who made the decisions that led to a corporate conviction of monopoly abuse: make 'em pay!

    Corporations are not at fault. People are at fault. If a corporation does something that is wrong, it is because people within the corporation did something wrong. Make the people within the corporation pay.

    --
    Microsoft is to software what Budweiser is to beer.
  147. how did symantec know ?? by Anonymous Coward · · Score: 0

    All the research I have seen says there was no advance warning of the worm. The worm propagated around the world in about 5 minutes. There is no way slimetec could have had an advance warning of several hours given the propagation rate. They certainly have not provided any technical proof that they had advance warning. Nor has any slimetec customer come forward to say "YES SLIMETEC SAVED ME FROM THE WORM." To me this is a baseless lie used to lure customers to another pricey service. Your best bet in protecting yourself from this worm was to be reading nsp-sec or bugtraq etc right when the worm hit. Here are some good initial studies of the worm. http://www.nanog.org/mtg-0302/weaver.html

    1. Re:how did symantec know ?? by dmnic · · Score: 1

      as myself and a few others have stated, our server logs showed activity a _DAY_ before it *hit*, so yes, Symantec could have known early on.

    2. Re:how did symantec know ?? by nekomatic · · Score: 1

      This whole case once again feeds ammo into *some* people's long standing suspicions that it is the "AntiVirus" companies themselves that sponsor virus creation. Make your own market dot com. When sales are down, sponsor a real nasty and sell new software... Symantec get no sympathy on this one from me.

  148. This is all backwards. by blair1q · · Score: 1

    The reporting, whining, and handwringing over Slammer has cost me more than the virus did. I saw zero downtime from the virus, but wading through this wailing has taken up valuable time.

    THE INTERNET IS NOT SECURE

    Go back to your pr0n. There's nothing to see here.

    1. Re:This is all backwards. by PigleT · · Score: 1

      Yes, well, that's all very well in your own world. Unfortunately, there are those of us out here who measured 873Kb/s of 1434/UDP going past the back end of eth0 from 3 separate IP#s in the same rack and watched the local router have problems coping - either with that, and/or external scans, or with traffic from other /24 networks, or with filtering all the above, causing major loss of connectivity at several times for the next 12hrs or more.
      My rsync server pushed 1.0Gb compared to the usual 1.7Gb at that time, that day.
      So don't forgive us for thinking it worthy of further discussion.

      Now, you were saying? ;)

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
    2. Re:This is all backwards. by DJ+FirBee · · Score: 1

      So, you can run tcpdump. Do you want a medal ? So your rsync server ran slow. Wahh. You come across like it is only happening to you. The whole friggin 'net was having problems.

      Relax. Do what you can, and then relax.

      Why isn't your server on a switched port anyways ? Duh!! Maybe work on fixing that instead of crying in your beer. If you are not using switched ports for your servers then the rest of your network probably sucks as well.

      There, now you have something to do besides check your rsync all day, (besides post to slashdot).

      Maybe next time you could properly find out how it's hammering your router and prepare a solution. That is if they even let you near routers in that place.

      One gig is a _drop_ buddy.

    3. Re:This is all backwards. by PigleT · · Score: 1

      "You come across like it is only happening to you".

      Not, well you come across like a gratuitously offensive idiot, but at least I don't feel the need to resort to the lowest of forms of humour to press the point.

      "Maybe work on fixing that instead of crying in your beer."

      Perhaps if you bothered reading my article you'd like to justify where it appeared to be such.

      "One gig is a _drop_ buddy."

      Tell you what. Go patronise someone else with your idea of "big" numbers. And don't come back until you have something useful to say, either. Pathetic little flaming troll.

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  149. Re:Symantec... should be more careful! by Anonymous Coward · · Score: 0

    actually, in America there are checks and balances against the military and intelligence. The president is held liable to the people every 4 years, and has a variety of cabinet officers (not just defense) and there is a legislature that can pass laws, allocate funds, and remove the president. And a court system that can overrule executive decisions.

  150. We detected it several hours early... by thealpha · · Score: 0

    Our ISS IDS detected it but we didn't have it set up to page us. So looking back at the logs, the initial detection was between 7-8 pm and we were hit full bore between 10pm-1am.
    If we had been paged we could have blocked it before it really hit.
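
Added example, not part of any comment in this thread and not any poster's actual setup: several comments above report UDP/1434 traffic in their logs well before the main surge, and the comment just above notes that the IDS saw it but nobody was paged. The sketch below separates "first probe seen" from "page someone now" over a constructed firewall log; the log format, the thresholds and the function names are all assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical, one packet per line):
#   <ISO timestamp> <ALLOW|DENY> <UDP|TCP> <src_ip>:<sport> -> <dst_ip>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample data using documentation address ranges; not real traffic.
SAMPLE_LOG = """\
2003-01-24T19:12:05 ALLOW UDP 198.51.100.7:1033 -> 192.0.2.10:1434
2003-01-24T19:12:09 ALLOW TCP 198.51.100.9:4021 -> 192.0.2.20:80
2003-01-24T19:47:31 ALLOW UDP 203.0.113.44:2811 -> 192.0.2.10:1434
garbage line that does not parse
2003-01-24T22:01:00 ALLOW UDP 198.51.100.7:1033 -> 192.0.2.10:1434
2003-01-24T22:01:02 ALLOW UDP 203.0.113.44:2811 -> 192.0.2.11:1434
2003-01-24T22:01:03 ALLOW UDP 203.0.113.80:3999 -> 192.0.2.10:1434
2003-01-24T22:01:03 ALLOW UDP 198.51.100.23:1200 -> 192.0.2.12:1434
2003-01-24T22:01:04 ALLOW UDP 203.0.113.80:3999 -> 192.0.2.13:1434
2003-01-24T22:01:05 ALLOW UDP 198.51.100.7:1033 -> 192.0.2.14:1434
"""


def parse(lines):
    """Yield (timestamp, src_ip) for each UDP packet to port 1434.

    Lines that do not match the assumed format, and all other traffic,
    are skipped rather than raising, so one bad line cannot hide a surge.
    """
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or m["dport"] != "1434":
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"]


def triage(lines, window=timedelta(seconds=60), min_packets=5, min_sources=3):
    """Return (first_seen, page_at) for time-ordered log lines.

    first_seen: time of the first UDP/1434 packet (worth a ticket).
    page_at:    first time at least `min_packets` packets from at least
                `min_sources` distinct sources fall inside one sliding
                `window` (worth waking someone up), or None.
    """
    recent = deque()  # (timestamp, src) pairs still inside the window
    first_seen = page_at = None
    for ts, src in parse(lines):
        if first_seen is None:
            first_seen = ts
        recent.append((ts, src))
        # Drop packets that have aged out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if (page_at is None
                and len(recent) >= min_packets
                and len({s for _, s in recent}) >= min_sources):
            page_at = ts
    return first_seen, page_at


if __name__ == "__main__":
    first_seen, page_at = triage(SAMPLE_LOG.splitlines())
    print("first probe logged:", first_seen)
    print("page threshold hit:", page_at)
    if first_seen and page_at:
        print("lead time if the first probe had been acted on:", page_at - first_seen)
```

The two isolated probes in the sample never trip the paging threshold on their own, which is the gap between "the sensor logged it" and "someone was told".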

  151. Wake up people! by FrankieBoy · · Score: 3, Insightful

    Who do you think is writing these sophisticated viruses and worms? Do you really believe that the hundreds of new viruses that get released every month are because of some bored hackers who have nothing better to do? There are many stories of "Men-in-Black" style approaches to out-of-work developers in countries with a large high tech community. Someone shows up at your door with a big bag of money and no identity and asks you to write a particular type of virus, you might be inclined to take the money and not ask too many questions. It's called "Creating the Market".

    1. Re:Wake up people! by unconfused1 · · Score: 1

      I have read a number of articles about bullying done by anti-virus producers, like McAfee. Apparently they send in their little spies to find a "problem" or at least something they can yell negative press about.

      It is not a far cry to believe that since companies like Symantec do get insider information as to how to filter for these viruses and worms that they might have people writing some of them.

      I'm not suggesting that it is definitely true...but it is probable.

    2. Re:Wake up people! by koan · · Score: 1

      Like I said my rule of thumb is "who stands to profit?" apply it to your current administration or "cold and flu season" really anything where people profit by selling "fixes" or "cures"
      Greed.

      --
      "If any question why we died, Tell them because our fathers lied."
    3. Re:Wake up people! by Logopop · · Score: 2, Insightful

      It's improbable. I'm a developer in the industry. Marketing of the products is one thing, but the industry ethics when it comes to handling viruses is something completely different. Start out by reading through some back-issues of the professional magazine 'Virus Bulletin' to get a feel for how things work. I can assure you, an AV company that manufactures/releases a computer virus would be without customers immediately. Not to mention that the company would lose its professional connections with the research and intelligence depts. of its competitors. The thought that AV companies somehow are behind some computer viruses would be such a scandal that this myth just refuses to die.

    4. Re:Wake up people! by FrankieBoy · · Score: 1

      I agree with your statement "an AV company that manufactures/releases a computer virus would be without customers immediately". What I was suggesting is that these AV companies are covertly designing these viruses and worms. They hire someone who does not represent them but makes inquiries anonymously. In this way they can keep their reputation intact.

  152. Re:Bag of Hammers (was "Big Surprise") by Feral+Bueller · · Score: 5, Interesting
    I had the opportunity to interview with Symantec about 5 years ago, for the Norton Anti-Virus unit.

    It's safe to say by your post that you haven't.

    To post the assertion that these guys have anything to do with the propagation and dissemination of virii is retarded - not only do they have to contend with regular build issues, feature requests, etc. - but they also have to keep up with the dozens of virii released into the wild on a weekly basis. The heuristics involved in developing the software necessary to *fix* an already infected (sometimes by multiple virii) is pretty impressive. There's no *good* reason why any of these engineers would intentionally create more work for themselves -- they don't need any.

    Additionally, they aren't the only game in town as far as anti-virus software. They would be out of the game in a New York minute if they were ever found to be involved in disseminating virii, intentionally or not.

    Please turn off your computer and go back to your "X-Files" reruns.

    P.S. - The coolest thing about the interview was when one of the Senior Engineers showed me the Quarantine Room, where they research different virii and repairing the damage.

    --
    - learn to swim.
  153. playing the game by neoThoth · · Score: 1

    Symantec like most other 'security' companies (I quote here because they are a morph and not a real security company) are trying to cash in on the worm activity. Most security companies make windfalls of cash during high profile worm attacks (see code red).

    Symantec just bought a truckload of security properties and wishes to make it known that they are on top of things. Truth be known, eEye knew about the worm because of tips from product users and other contacts who became infected. Our researchers were called back from the bars to dissect the worm (which takes hours) and then provide a signature and scanner.

    Looking back though, what would a few hours notice do for anyone? Haven't you seen Armageddon? ::asteroid chunk falling towards asia on radar::

    "Shouldn't we call someone"

    "What and tell them to evacuate the entire pacific rim?"

    This worm had no payload because it was about speed! I've seen these global maps with 'spread vectors' and it goes from 0 to 100 in about 10 seconds. The last thing I need as my servers are choking on residual SQL traffic is a phone call from my AV vendor stating "you're screwed, servers are gonna go down".

  154. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    Yes of course... They would obviously tell you if they were making viruses.

  155. So much for security through obscurity by Rares+Marian · · Score: 1

    I'm sure releasing that information would have caused much more harm. Why I believe if we stop telling our children not to take candy from strangers we would put an end to the candy baiting algorithm once and for all.

    --
    The message on the other side of this sig is false.
  156. check the timezone...luke by ii-v-i-head · · Score: 1

    maybe in their timezone they discovered the worm "hours ahead" of everyone else?

  157. Finally, something insightful by Adam9 · · Score: 1

    LiNT makes a great point. This is Symantec's business. If you "forced" Symantec to disclose all of their privileged information to the public, then there would probably be no Symantec. A company like MSSP or Symantec have their own responsibilities. If they didn't, what would be the point of them existing?

    Also, we don't know of Symantec's certainty of their info about the worm, or even the severity of it (before it happened). Here's your mall scenario of what I'm talking about.

    Suppose you're on some local city's bulletin board (online) and some kid as sUperc00l posts something like "man that security officer is a total idiot, I'd love to cap some ass in that mall some day."

    Do you A.) immediately call the police and report the "tip" you received, or B.) tell your friends to stay away from the mall for a few days.

    I'm under the impression that most people didn't expect the worm to spread so quickly (90% of targeted machines infected within the first 5 minutes). Symantec probably heard about something vague and decided that it'd be in their best interests to alert their top customers. They're the ones paying for super-paranoid alerts, the other guys aren't.

  158. Ahhh... The missing link! by davcorp · · Score: 1

    Ahhhaaa! Actually you could hypothesize, "It isn't the label on the box, it's the fact that Symantec products are Windows based, why write a virus for an OS that you don't write software for :)" Hmmm.. food for thought

    --
    Gravity!... It's not just a good idea... It's the Law!
  159. King County E-911 service affected by juan2074 · · Score: 1
    I live in King County. (What a coincidence! That's the home of Microsoft.)

    The county's emergency 911 call centre was affected by Slammer. Why? Why should their computers running SQL Server need to be connected to the internet? They could have a LAN to share information without connecting to the world at large, eh?

    This is just more fuel for the fire. I have consistently voted against all the levies to fund the E-911 service in this county. Already, more than half of the county budget is spent on police, courts, and jail. (They call it 'criminal justice'.) Why don't they fund the E-911 services out of that big chunk of money we already give them?

    After seeing crap like this (E-911 losing service because of Slammer), it makes me wonder why we bother to spend any money for this. Those idiots just squander tax dollars.

  160. Re:Euro-wussies read this! by Anonymous Coward · · Score: 0

    > Yes, if necessary.

    Well, it isn't necessary.

    > Your friend is a coward

    There's no need to suggest Saddam is my friend.
    I agree that he's a bad guy.

    > to hide behind innocent
    > children. But if it comes down to the choice
    > between Iraqi children and my grandchildren, guess
    > what, Bozo - they lose.

    Iraq is no imminent threat to the USA.
    There is no need for an invasion which will
    generate more anti-American hate in the world
    (which is bad for your grandkids).

  161. Re:Bag of Hammers (was "Big Surprise") by lvdrproject · · Score: 5, Informative
    Ok, i haven't reached the bottom of this page yet, but i'm willing to bet a couple dozen posters made this same mistake.

    The plural of "virus" is "viruses". Aside from that, Latin plurals end in "i", not "ii". For example, "magus" becomes "magi", not "magii". The notion of Latin plurals ending in "ii" probably comes from such words as "radii" (plural of "radius"). The reason "radii" has two "i"s is because "radi-us-" becomes "radi-i-".

    "In antiquity the word virus had not yet acquired, of course, its current scientific meaning; rather it denoted something like toxicity, venom, a poisonous, deleterious, or unpleasant agent or principle, or poison in the abstract or general sense. [...] Nouns denoting entities that are countable pluralize (book, books); nouns denoting noncountable entities do not (except under special circumstances) pluralize (air, mood, valor). The term virus in antiquity appears to have belonged to the latter category, hence the nonexistence of plural forms." (taken from here) Also, "viri" is Latin for "men", so that's not it either. The word is "viruses".

    I know i'm coming off like a jerk here, and normally i don't post just to criticise someone's spelling, but "virii" is a plague. It's because of mistakes like this that we have two words for "disc", and the bizarre spelling of "Thames" (i.e. people trying to make English correspond to its Latin/Greek roots). Anyway, i just thought i'd point that out. That word really bothers me (which i guess is somewhat sad).

    Sources:
    - http://dictionary.reference.com/help/faq/language/v/virus.html
    - http://www.perl.com/language/misc/virus.html

    PS: Otherwise an interesting post, heh.

  162. In related news... by Mysticalfruit · · Score: 1

    Minutes after the slapper worm begins "slapping" around machines all over the internet, the PR department at Symantec was hard at work thinking up a way to make themselves not look like they were standing there with their pants down...

    --
    Yes Francis, the world has gone crazy.
  163. Check out Symantec's website on Linux bugs.... by Jerry · · Score: 1

    and of the 40+ listed there all but a couple have such a low incidence of exposure, some being found on only a couple of machines, it makes one wonder if those 'two machines' are development boxes at Symantec and perhaps they are "salting the mines"?

    --

    Running with Linux for over 20 years!

  164. That is a shady business model!!! by quick9vb · · Score: 1

    They create a virus and release it on the Internet, then they sell you an anti-virus product to protect you against the virus they just released. That would be like Microsoft selling you an OS, then charging you for an upgrade to fix the security holes. Damn it, they already do that, I'm getting robbed!!!

  165. Symantec should have told by thenumberone · · Score: 1

    Customers do pay Symantec to protect their networks in every way possible. If they told a few customers first, that's great for them, they are a business and the higher paying customers probably appreciate that. I am wondering though, if they had spread the word earlier (assuming they knew earlier), could non-clients have patched their systems and reduced the effect that the worm caused on its paying customers' systems? -dave

  166. Have you looked at MS version numbers? by gottabeme · · Score: 1
    There are as many 'hotfixes' and 'service packs' for linux based software, they just call them patches and releases.

    Have you looked at MS version numbers? Help>About in IE:

    v6.0.2800.1106
    Update Versions: "; SP1; Q324929; Q810847" There are more Q's but there's only room for those in the Help>About box.

    If I want to know if I'm secure against a bug that has been fixed in mySQL, I look at the version number, something like 3.23.17, maybe with a pl# on the end. I don't have to read a 10 digit version number and then look up a database of 15 knowledge base "Q numbers" to see if I'm vulnerable to Cross-Site Frames Scripting Media Player Buffer Overrun X.

    --
    "Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
  167. How do I feel? by JSmooth · · Score: 1

    It is hard to know how I feel about this issue. Yea, we can yell at Symantec for not announcing the discovery. We can applaud them for a shrewd business decision (without that no one makes any money and eventually we all lose). I can hate MS for releasing the POS that is MS SQL. I can be appalled by the administrators for not applying a patch that has been available for months. I can feel superior to the CIO that allowed SQL access to the public net. I can feel justified hatred to the bozos that wrote and distributed slammer. I can feel technical awe for those same bozos.

    I guess I'll just stick with feeling confused and let /. tell me what to think. That usually works

    Wow, so many idiots so little time!

  168. What do you want from them!?! by SageLikeFool · · Score: 1

    Come on, stop picking on Microsoft. They dedicated a whole month to security before going back to business as usual!

  169. Symantec motto by dubiousmike · · Score: 1

    We told you so.

    Or at least we would have had it not been in our business' best interests to do so.

  170. Illegal Windows copies by Kyrt · · Score: 1

    I have a strange feeling that many people who own illegal copies of Windows and Microsoft apps are afraid to download and apply patches, because it may cause the software to report this fact to Redmond...

  171. Re:Bag of Hammers (was "Big Surprise") by dohcvtec · · Score: 1

    Heh, well said. Maybe you'd care to comment on the misuse of "-holic" as well. This is a real pet peeve of mine, where when someone wants to describe someone who is addicted to $something they use/invent the word $something:oholic. It really should be $something:ic, I presume. The "ohol" is simply part of the word "alcohol" that is incorrectly used.

    --
    -- Never hit a man with glasses. Hit him with a baseball bat.
  172. Both sides are wrong by Florian+Weimer · · Score: 1

    I think I've seen a DeepSight bulletin that was sent around 9:00 UTC on that very Saturday (at least "DeepSight" is referenced in it). In this bulletin, Symantec recommended that customers protect MS SQL servers using filters, as an emergency measure. They failed to notice that this worm was melting the networks of their customers and as a result, didn't provide them with adequate information.

    I'm furious how a single company tries to profit from the Slammer incident. The network engineers who cooperated in a truly open manner and successfully mitigated the issue on a large scale deserve all the praise. I've never seen such a cooperation before, and I believe it was for the first time that so many people at different network service providers worked together to address a global threat in such a timely manner.

    Most people view the Slammer incident as a fearful omen of worse things to come. But as long as the big carriers continue to allow those great engineers to run their networks, these engineers will be able to deal with distinctly more fatal threats, I believe. Let's hope that corporate craze doesn't scare them off.

  173. Re:Euro-wussies read this! by Anonymous Coward · · Score: 0

    Even the USA Today thinks there's no need to rush to war.

  174. get it all for free at DShield ! by Anonymous Coward · · Score: 1, Interesting

    well, if you don't want to pay $50k for some 'virtual' advanced warning, sign up with DShield and get it all for free. Just send them your logs and they will do the same thing Symantec does for you.

  175. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    Man a lot of peni read slashdot

  176. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    It's "penes", numbnuts.

  177. Re:Symantec... should be more careful! by arivanov · · Score: 1
    That same claim can (and has) been leveled against the defense and intelligence industry for some time now.

    Which has been known to fabricate threats in order to achieve financing or advance towards their political or financial goals. Want examples? Search and you shall find some.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  178. Enough about the differences in time zones by enkidu55 · · Score: 1

    We get it already, there was probably a little foreknowledge but not much. How do these guys that post the same shit about time zones every other post get modded up so high? So what if the difference was only 5 minutes, they could have sent an email to somebody, anybody for that matter. But they didn't, therein lies the fault.

  179. Re:Bag of Hammers (was "Big Surprise") by ohsoribbed · · Score: 1

    There's no *good* reason why any of these engineers would intentionally create more work for themselves -- they don't need any.

    Wouldn't fixing viruses that you created make you seem more valuable? Job Security?

    --
    The only thing constant is change
  180. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    the bizarre spelling of "Thames" (i.e. people trying to make English correspond to its Latin/Greek roots)

    "Thames" has been reputed to be pronounced 'Tems' as a result of a royal speech impediment. As the story goes, if you are to speak the King's English, then what might be an impediment/lisp in an ordinary person becomes the norm when it's the king.

    Purportedly, this is why the Americans still pronounce their "Thames" river 'Thay-mes'.

  181. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    You mean you interviewed with Symantec and they didn't tell you that they intentionally create viruses? Give me a break.

    Hmmm ... what could be the advantage of creating a virus that your competitors don't know about and then releasing a fix long before they do?

    --X-Files Watcher

  182. Re:Moral obligation? why yes, it is by zogger · · Score: 1

    --following your corporation's line of reasoning, I am driving by your house, I notice some badguy breaking into it (call it obvious, smashing the lock or something pretty suspicious). I own a cell phone, I can A-call the cops, or B-ignore it as you didn't pay me in advance to waste my time and protect your house. Note: I have a job too (several, one of them actually is security related), my time is as valuable as yours, and you getting burgled doesn't cost me a penny directly.

    Is it moral for me to just ignore a possible crime-in-progress of a common sense observatory level of "severe"?

    It costs your company a pittance in money and time (as it would me to make a cell phone call in my hypothetical scenario) to post updated possible threat scenarios on your web site and CC them to appropriate other security related sites, in real time. I am sure it could be automated as well.

    To me, it is petty, short sighted, and not even in your best interest financially in the long run to not do that, but that's your corporation's choice, and is fully in lock step agreement with similar corporate "secret stuff" that is going on that eventually is proven to be detrimental, and in fact, causes so much business loss as we are seeing now. "Greed", in other words, and contrary to popular corporate opinion, is not good.

    The history of state granted corporate charters (in the US at least, not familiar with other nations that much) had a provision that said corporation did in fact and by law have a duty to be of a public interest and benefit, along with whatever widgets it made or serviced or traded in, it was NOT totally about your rights to profit as the only criteria for granting the corporate charter.

    IMO, this needs to be readdressed and severe limits placed on corporations, time limits for granting these charters, and to make it easier to remove said charter given a proven pattern of not serving the public interest as a full part of the charter.

    With that said, and following my own line of reasoning and law and history noting, I think Microsoft should have lost their corporate charter a long, long time ago, and maybe this particular worm would never have happened. Don't know, call that a maybe, but for sure their products and related apps wouldn't be in such a profuse use now.

    I think "corporate america" needs to really step back and take a long hard look at how you are perceived by just the "common man" speaking in broad general terms now. There's a phrase - "people are starting to talk", that fits here.

    "Corporations" are not all bad, nor all good, and neither is making money, everyone wants to make money, what is bad though is when any human or any corporation places the "making money" part over all other considerations. It certainly and must be a very important part, the making money part, else no need for the corporation, but to neglect the other parts is de-humanising and harmful.

    There are extenuating circumstances and a human factor called ethics that comes into play. Some folks have little use for ethics, and no use to be "neighborly", if it interferes with "the bottom line". Me, personally, I have worked at some places like that, when it became evident to me that was the mindset that was pushed, I quit, moved on..

    That is my opinion, anyone else's may vary.

  183. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    I also am irked by the use of Unices when describing the plural of Unix, as in matrix and matrices. People just think that they can use latin syntax as if it were a find and replace mechanism for anything!!!!!!

  184. Re:Bag of Hammers (was "Big Surprise") by fishbowl · · Score: 3, Informative

    People say "virii", not because they think they are speaking latin, but because they think it sounds good. They think it expresses what they want to mean.

    Look at the whole damned French language for an example of what happens when people spend a few centuries speaking what they think is latin. :-)

    So the problem is not that you are right or wrong, but rather, that the people you would like to persuade do not care for your argument.

    It's like the people who wish media would stop using "hacker", or that slashdotters would use "GNU/Linux" when they say "Linux"... The argument is sound, and compelling, but is completely lost on those it seeks to influence! Not only do they not care, they actually prefer to stick with their chosen usage! You'd do just as well to argue that "virus" should be a mass noun or a possessive state of being: It has virus. (Like "milk" -- en français, il vaut mieux qu'on dit du virus).

    I wouldn't hold my breath waiting for "virii" to go away -- these people don't even CARE that some English words have latin roots!

    Hey, that makes me wonder if there is any other language whose plurals are formed with a final -i or -ii?

    Now, if someone DOES buy the argument that latin usage should influence English, I wonder if it is important to note that "virus" in latin refers to "poison"... I'm standing by my argument that it should be a mass plural, not a count plural!

    It is easy to make the case against "virii" from the latin "virus" -- it is not "virius" therefore not "virii" in the plural.

    My advice is to write and speak with proper usage, correct others when they ask you to proofread their copy, and not expect anyone else to upgrade their literacy in

    What's next on your agendum? ;-)

    --
    -fb Everything not expressly forbidden is now mandatory.
  185. Two other ways by nweaver · · Score: 1

    a) They caught a bad (well, even worse) pRNG copy.

    b) Their PR people got confused on previous worms.

    --
    Test your net with Netalyzr
  186. POS by Anonymous Coward · · Score: 0

    right, and since they have no customers, no one exists to prove it so.

    guess what happens when someone other than your killer knows about your death before it happens?

  187. Re:Bag of Hammers (was "Big Surprise") by dusty123 · · Score: 1

    Two more points to your posting:

    1) They could never have been sure that the worm would hit the Internet so intensively. Hence, if they had screamed "fire", they also could have been very wrong, which would not give them a better reputation.

    2) If a virus/worm actually does damage, more people will buy their software.

  188. Re:Bag of Hammers (was "Big Surprise") by rleibman · · Score: 1

    Hey, that makes me wonder if there is any other language whose plurals are formed with a final -i or -ii?
    Esperanto makes plurals by adding 'j' as a suffix (and it is roughly pronounced as a soft 'y' of the English 'yes').

    Cxu ne?

  189. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    It's pretty safe to say by your post that you take them at face value cause you got to see the "magic" room. "Ohh yay, I'm special cause I saw the special room so these guys MUST be telling the truth" Please, in your great wisdom, show me any company out there telling the truth all the time. ANY!!!! They don't exist, the world is a spin game and you got spun apparently. What's worse, you liked it!

    Your entire post is insane as a basis for argument against mine. You call me retarded but you seem to be too dumb to understand that:

    #1) This is their job, most likely they'd get another if they hated it so much. They created their software so yes, they're gonna have the normal stuff like feature reqs. etc..DUH

    #2) I don't think it is a major feat, assuming they create it in the first place, to create the heuristics....DUH...if they were the ones to program it then of course they can find a way to stop/fix it.

  190. Conspiracy Theory? by Anonymous Coward · · Score: 0

    Symantec had something to do with the release of Slammer??

    It's just like saying Osama was a CIA operative trained to pose as a terrorist mastermind to warrant a reason for the US to invade middle-east countries and take over their oil production.

    Does that make sense?

  191. I don't like this by INeedWeed · · Score: 1

    >>Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.

    I want to see them judged for doing like that! Punish this kind of commerce!

  192. The DeepSight Threat Management System... by Anonymous Coward · · Score: 0

    "The DeepSight Threat Management System tracks security threats as they occur on a global basis by gathering data from firewalls and intrusion detection systems (IDS) of more than 19,000 partners in over 180 countries - the most extensive data network in the world."

    How come when my tired eyes glazed over this, I read, "The DeepThroat site management system..."

  193. Here's how you can get "advance notification" by leeet · · Score: 1

    It's no secret that most security vendors have large IP ranges all around the world (in order to get different ranges), and thousands of emails that are monitored for viruses.

    It's simply a matter of who (among the vendors) will get hit first.

    As far as notifying the community, well hmm they probably "forgot"...(!)

    --
    -- Leeeter than leet
  194. salty by djupedal · · Score: 1

    If you own a glass shop, the best way to drum up business in the neighborhood is to run around after dark and smash a few windows.

  195. Do I Smell.... by NeoMoose · · Score: 1

    A Lawsuit? Withholding vital information certainly sounds like grounds for suing the living crap out of 'em.

  196. It's a flat out Lie by ChadDa3mon · · Score: 1

    Ok. I work for a rather large competitor of Symantec, and I know this is a lie. First, the number of infected hosts that Symantec reported was about 1/5 of what we had seen so far. Second, we had some very large customers thank us for calling them, stating that they had yet to hear anything from Symantec. And judging by who this customer was, I'm sure they would have been on Symantec's VIP list as well. I just lost all of the respect I had for them.

  197. Ok, let's say it's like that... by raehl · · Score: 1

    It may not be nice, but CNN would have been under no obligation to tell anyone.

    Fortunately, CNN's business interest would have been to let the cat out of the bag.

    Symantec isn't under any more of an obligation to tell you stuff than you're under an obligation to pay them for it.

  198. Re:Bag of Hammers (was "Big Surprise") by Feral+Bueller · · Score: 1
    Your entire post is insane as a basis for argument against mine. You call me retarded but you seem to be too dumb to understand that:

    AC: While I called your post retarded, I don't recall resorting to an ad hominem attack.

    #1) This is their job, most likely they'd get another if they hated it so much. They created their software so yes, they're gonna have the normal stuff like feature reqs. etc..DUH

    I never made the assumption that they hated their jobs, and that was after spending several hours meeting with a majority of the engineering team in interviews and so on, so I don't see how you could make that leap of logic.

    #2) I don't think it is a major feat, assuming they create it in the first place, to create the heuristics....DUH...if they were the ones to program it then of course they can find a way to stop/fix it.

    From this point, I can only assume that you've never worked in software engineering (your sophomore Pascal project doesn't count), or if you do/have, that you're probably not very good at it. I'm too busy with regularly scheduled deliveries, status reports, and analysis meetings to go off and create work for myself - it cuts into my /. and Counter-Strike time.

    --
    - learn to swim.
  199. Re:Bag of Hammers (was "Big Surprise") by Vulture_ · · Score: 1
    I had the opportunity to interview with Symantec about 5 years ago, for the Norton Anti-Virus unit.


    If there were any covert activities going on, I sincerely doubt you were ever exposed to them. How would you know if they've got some top-secret, burn-before-reading, underground lab or two doing virus development? How would you know if they've started one since you've interviewed with them?

    The heuristics involved in developing the software necessary to *fix* an already infected (sometimes by multiple virii) is pretty impressive.


    Not when you designed the virus yourself! Think about it. You coded up the virus. You know it inside and out. You designed it to be easy to detect (e.g., by making it oligomorphic and knowing each of the possible permutations in advance), and equally easy to remove (e.g., by making it respond to some obscure signal to remove itself, a la '--bliss-uninfect-files-please', but probably some indirect signal, like flipping a bit in the middle of the boot sector in FAT filesystems).

    There's no *good* reason why any of these engineers would intentionally create more work for themselves -- they don't need any.


    How about making more money?

    They would be out of the game in a New York minute if they were ever found to be involved in disseminating virii, intentionally or not.


    When you are engaging in covert and/or criminal activities, that is a risk you are taking.
    --

    The only way the typical /.er can pick up a chick is with a forklift. -- AC

  200. Re:Bag of Hammers (was "Big Surprise") by Feral+Bueller · · Score: 1
    Wouldn't fixing viruses that you created make you seem more valuable? Job Security?

    While some engineers operate under the assumption that code maintenance = job security, I've been fortunate enough not to work with any.

    That aside, there are more than enough people creating viruses to keep all of the anti-virus shops busy.

    But let's run with this for a second, since a lot of people are apparently entertaining this as a possibility.

    From a product liability standpoint, ask yourself this:

    1. What is the benefit from a market share standpoint to doing this?
    2. How long will that market share benefit be realized?
    3. What is the likelihood of getting caught?
    4. What will the negative impact be if they get caught?

    For #1 - "minimal". For example, hysterical media reports aside, we didn't see sales of anti-virus software skyrocket after the Melissa virus, either in end-user or corporate sales. People are either smart enough to have the software installed or not. Big companies tend to keep anti-virus software as a pretty high priority from a licensing standpoint, at least every place I've worked. If they get caught unprotected, the people responsible (IT management) tend to get fired: it's called Gross Negligence.

    While there's a lot of activity as far as keeping virus definitions updated, this is trivial both at the end-user and corporate level due to automation, and is not a significant source of revenue, if it generates any revenue at all.

    #2 - also "minimal". The major players all tend to release virus definitions within hours if not days of each other, so any market share benefit would be very short-lived from an income standpoint.

    #3 - "somewhat likely". While I realize this is anecdotal, the only people I've found worse at keeping a secret than a 5 year old is a software engineer. If they did do something like that, we'd hear about it - probably not right away, but we'd hear about it eventually, if only via the rumor circuit - the same people who have it from a reliable source that Apple's running OS X on Dells.

    #4. - "potentially catastrophic". If it did come to light that Symantec pulled something like this, I'm sure that the corporate sales teams for Sophos, McAfee, and Trend Micro would immediately add this information to their Power Point presentations, and your average corporate IT executive might consider this fact when negotiating a software license renewal contract.

    In summary, it looks like (1) the benefit would be small, (2) it would be short-lived, (3) it would eventually get out that they had done it, and (4) they would be faced with a significant reaction from their corporate customers.

    Symantec isn't Microsoft: they have real competition, especially in the enterprise market. Factor in a relatively flat job market for software engineers and the fact that Symantec has (at least when I interviewed with them) a pretty attractive option plan, and I can't see why anyone in the organization would think this was a good idea.

    But I could be wrong.

    --
    - learn to swim.
  201. Re:Bag of Hammers (was "Big Surprise") by Feral+Bueller · · Score: 1
    I just posted a hella long response to a similar response to my original response elsewhere.

    In case you don't feel like reading it (it's pretty long) I'll give you an executive summary:

    There's not enough upside to the potential downside if they got caught, and it's not worth watching your options go down the toilet for a market advantage that won't last more than a couple of days, especially since enterprise software license purchases are usually on an annual cycle.

    Please don't think I'm defending Symantec: the arrogance of their corporate culture is running a strong 3rd behind front-runners Apple and tied for 2nd place contenders Oracle and Microsoft.

    There's just no intelligent reason that I can see for taking that big a risk.

    --
    - learn to swim.
  202. Re:Bag of Hammers (was "Big Surprise") by Feral+Bueller · · Score: 1
    I know i'm coming off like a jerk here, and normally i don't post just to criticise someone's spelling, but "virii" is a plague

    No you're not. I actually learned several things from your post.

    Thank you.

    I am tempted to use "virii is a plague" as my .sig, though. Interesting concept.

    --
    - learn to swim.
  203. Re:Bag of Hammers (was "Big Surprise") by Vulture_ · · Score: 1

    What about selling heroin? Is there an intelligent reason that you can see for taking that big a risk? If not, why do people do so anyway?

    --

    The only way the typical /.er can pick up a chick is with a forklift. -- AC

  204. Re:try reading the news instead of israeli propoga by Anonymous Coward · · Score: 0
    Actually, there is a non-existing news article referencing it! It must be true!

    Oh wait, it is referenced to by lots of conspiracy theorist and hate sites! That must make it even more true!

  205. Re:Bag of Hammers (was "Big Surprise") by posternutbaguk · · Score: 1

    I can't argue with the logical thinking for using 'viruses' rather than 'virii' but surely you should use the word as many other people recognise it?

    I spent 3 years at university studying biotechnology and one of the first things we learnt is that the plural of 'virus' was NOT 'viruses'.

    I know Latin is a historically important language but do we really need to check out 2000+ year old rules in the generation of modern phrases?

  206. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    You have convinced at least one person that there are no virii, only viruses. I have been involved with antivirus software testing and maintenance for many years, and it is somewhat embarrassing to realize that I have used the non-word "virii" on many occasions in informal memos and formal documentation. Mea maxima culpa! I shall sin no more.

    Arthur Eaton (alias Anonymous Coward)

  207. Wasn't it called the Sapphire worm? by Louisa+Benson · · Score: 1

    To:
    Sent: Tuesday, January 28, 2003 9:37 PM
    Subject: Sapphire Slammer

    Uh, is there any possibility that this little old computer inadvertently launched the attack last Friday? For some reason, when I cleaned out my cache, there was 27 MB of stuff that seemed to appear from out of nowhere. The pinging insanity started shortly thereafter. Will I be charged for this service? Oh, and the Boss clearly needs some sleep. Will I be charged for this service?

  208. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    - But neither of you were offered a job there. That's pretty safe to say too.

    Sounds like you're easily impressed. No, I don't think these companies would have put something like the slammer into the wild, but they -are- getting desperate, as more and more of their major clients are abandoning them, and several companies - I believe Mr J McAfee is in this egregious group - have been known to play tricks with the media and/or subtly introduce something so they can come to the rescue.

    You paint these A/V guys like gods. They're not - and they're not the decision-makers either. All it takes is one devious programmer mind and one very cynical marketing jerk.

  209. Delio by Anonymous Coward · · Score: 0

    Delio always inflates or exaggerates.

  210. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    It took four posts to get off-topic here. If anything summarises Slashdot, this is it. Your post is marked 5 Informative, but in my book it's off-topic and should be marked sub-zero. If you want to discuss the etymology of words, write to Slashdot with a news story about it, and see if they publish it. And no, I don't give a hoot how much "virii" irritates you - this is not the place for you to express that, and you should be less pretentious with your sensitive feelings. There are a lot of things that irritate us all - e.g. your idiotic interruption here - but we keep quiet about it, and we keep on topic.

    In case anyone got confused here, this was not a thread about the plural form of 'virus' in the American language; this is about complicity on the part of Symantec with regard to the slammer.

    The floor is yours.

  211. Re:Bag of Hammers (was "Big Surprise") by Anonymous Coward · · Score: 0

    I wonder what the plural of "DOUSCHBAG" is?

  212. Last Post! by alpg · · Score: 0

    > I've hacked the Xaw3d library to give you a Win95 like interface and it
    > is named Xaw95. You can replace your Xaw3d library.
    Oh God, this is so disgusting!
    -- seen on c.o.l.development.apps, about the "Win95 look-alike"

    - this post brought to you by the Automated Last Post Generator...