Symantec Claims They Knew About Slammer In Advance
truthsearch writes "Wired is reporting 'Symantec claims to have identified the Slammer worm that ravaged the Internet during the last weekend of January hours before anyone else did. Symantec then shared the information only with select customers, leaving the rest of the global community to get slapped around by Slammer.' I'm not bothered I didn't know Slammer was coming, but Symantec has a moral responsibility to inform the public if it thinks millions will be affected." It isn't clear to me how Symantec could know, hours in advance, about a worm which took ten minutes to spread throughout the entire Internet, unless they had something to do with its release. Update: 02/14 16:54 GMT by M : Wired has their math wrong; Symantec apparently had at most 20-30 minutes of early warning. Symantec claims in this press release that they discovered the worm "hours before it began rapidly propagating".
Do you honestly believe that all the viruses come from joe sixpack sitting in his basement with nothing better to do?
That's what makes the extra special account worth it. If they told everyone, then what's the point in paying for the extra notice?
(not that I agree with not telling everyone, that just seems to be the why)
So I can see from a "greedy" standpoint why they would only tell select customers, but the "moral" side of me is aghast that -if they knew- they didn't tell.... Horrible!
Since when does Symantec have a moral obligation to do anything? They're a corporation. Their service is to detect and prevent network attacks. If you are willing to PAY for the service, then you get the benefits of it. If not, then it sucks to be you. Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?
Sorry, but that is not a similar situation. Not even close.
From the article:
"According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."
Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."
Accounting for timezone differences between EST and PST, would this not make the two times much closer to each other?
Heck, Microsoft released a patch to fix this problem in June of 2002. Windows sysadmins had 6 months notice that it was a problem.
I don't mean to sound like a troll or the least bit insensitive, but if the Windows sysadmins aren't keeping their servers patched then that's the sysadmin's fault. The finger of blame should be pointed right at the mirror. Keeping their servers updated and safe is their JOB, unless they have a security specialist, in which case it's their job.
They start caring when they lose money..
The greatest right given is the right to be wrong...
This sounds like Wired trying to stir up a controversy from scratch. Besides, what would have been the impact of them posting a warning a few hours earlier? If an admin saw the notice before the widespread nature of Slammer was known, would they instantly apply patches that they hadn't already installed for one reason or another? I doubt it...
I have wondered why a lot of these Microsoft-worms never seem to have a destructive payload. If you imagine a script-kiddie working hard in his mom's basement, you'd think he'd add a payload of some sort.
(hell, if I had the inclination and the time to create a virus, I'd at least change the Windows startup
It's almost like these Microsoft-worms were designed to create panic and purchasing action, but no legally actionable damage.
Just a rambling thought.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
So explain to me again how they knew about it before anyone else? -kaos
I don't see why people expect companies to donate information that costs them to find. They could've used this info in two ways, the way I see it. First, is to share it to their corporate customers who pay to have this kind of early warning. Second, release it to the media, CERT, and other organizations and make sure they "advertise" that Symantec found it first.
So they chose the first. Big deal. Do you really think even a majority of these sysadmins would have firewalled their MS SQL server hours before it would be infected? Doubtful. If they didn't apply the patch from July of '02, then they're not going to immediately respond in a few hours to patch an impending threat.
Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24." Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th.
For those of you who don't know the difference, EST is 3 hours ahead of PST. Thus DeepSight identified Slammer at about the same time as the 'rest of the Internet'.
"According to Symantec spokesman Yunsun Wee, Symantec issued an alert about Slammer to DeepSight Threat Management System subscribers "at approximately 9 p.m. PST on Friday, Jan. 24."
Most of the rest of the Internet didn't spot Slammer until shortly after midnight EST on Saturday, Jan. 25th."
Uhh...that's about the same time isn't it Sparky?
Probably not. Those forewarned took it seriously because they pay for the service. If Symantec had said that a huge attack was imminent and to block the port and patch your SQL servers, how many people do you think would have listened? Of those who listened, how many of those have processes in place so that the requisite network or software changes would have required approval that would have come too late to do any good?
The people who paid for the warning are going to take it very seriously, but aside from that, I would wager that there would be enough doubt about the validity that measures wouldn't have been taken anyway. Patching the server has the obvious implication for many mission critical databases of a potential restart and potential for undesired change in functionality, so patching in many cases would require a testbed server and evaluation, which this warning provided insufficient time for. Blocking the port, or disabling that part of SQL server, for those with it enabled without needing it, means they need to understand what it does or does not do for them. If they already knew, they would have disabled it sooner, so you can't say they would immediately realize and shut it down.
XML is like violence. If it doesn't solve the problem, use more.
I see two possibilities:
1) It was done for hack value, not vandalism.
2) With how many Windows computers there are out there, a simple worm has the ability to cause more than enough trouble.
As for Slammer not having a payload, that's because it was designed to fit in a single 505-byte UDP packet. There wasn't room for a payload.
Ford's service is making cars. Are you saying that Ford has a moral obligation to give me one, even though I haven't paid for it?
No - get the analogies right. If I, as a car servicing firm, knew of a part in a Ford car that could fail and cause the car to go off the road at random and I only let my best customers know, I would be sued for screwing around with people's lives.
Not that I have any sympathy for either MS or Symantec - Symantec gets to make money off the loopholes in MS's operating system in a strange almost parasitic relationship. The only thing that isn't clear to me is which company is the host...
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
In order for Symantec to have a "moral obligation" you must first assume that Symantec has Morals to begin with. They do not. It's that simple.
-- DuckWing
So Borland Delphi and 6 other applications won't run without admin rights, and somehow that is Microsoft's fault? Why not blame Borland?
"The defense of freedom requires the advance of freedom" - George W Bush
It's a marketing gimmick to get less savvy IT managers to think that going with Symantec will get them ahead of the game. They're burning themselves twice: they'll alienate the infosec community that rightfully believes that knowledge of a potential devastating exploit gained in advance of its use should be shared, and they'll make very poor relationships with customers who fall for this kind of marketing and never have their expectations met down the road.
So long, michael. Don't let the door hit you...
root@yourcompany:$ ./karma_burner --reply=ON --moderators=ON
If Symantec had a moral/ethical obligation to warn the rest of the world about Slammer before it was released, don't they also have an obligation to warn the rest of the world that if you're using a POS, buggy, perpetually fraught with nastiness operating system that you're bending over and just asking for it anyway?
Fact is, even if they had said something, 50% of the world would have laughed because they're not running Windows, 5% of Windows sysadmins would have been at the consoles sweating it, and the rest of the world would have stayed in the recliner because they don't keep up with security updates anyway OR they have their heads so far up Gates' ass that they couldn't possibly believe it.
Personally, I sat back and laughed. How about you?
It's a fairly fundamental difference.
I would think that they would be more careful about raising people's suspicions about their prior knowledge of absurdly fast propagating worms.
Maybe they are believers that 'any publicity is good publicity' -- even in their business.
If all copies of MS products were magically replaced with *nix versions tomorrow, we'd see *nix oriented viruses the day after tomorrow. It isn't the label on the box, it's the popularity of the software.
Virus writers are like vandals -- nobody is going to make graffiti where it doesn't get lots of public exposure.
load "windows7"
As others have said, it is the app's problem. DLL Hell was primarily the app's problem too. Lazy programmers who don't know how security (in permissions) and/or path (for DLL Hell) work.
I could write an app on a Un*x/Linux box that would behave similarly if I wanted. In fact, I know lots of programs that won't execute unless you are root and they are intended to be that way - not just through file permissions but through userid checks. Windows doesn't have the corner on the market there.
Symantec.
The same Symantec whose Norton Anti-virus product is prominently featured in a rash of spams in my inbox?
The same Symantec who claims to follow up on reports of this to spamwatch@symantec.com? That never seems to lead to any sort of actions?
The same Symantec who just changed their auto-renewal to cost people more money IN THE MIDDLE OF THE RENEWAL CYCLE?
Huh, who'd'a thunk it?
Glad I use somebody else's anti-virus software.
www.eFax.com are spammers
It's shared, because it's the culture MS engendered around their software. Now that MS is being forced to become more security conscious, the software community they fostered, along with its sloppy habits, has become a hindrance.
For years, features and fast development were up-front priorities on Windows, and security hadn't hit the radar screen. This encouraged sloppy programming, to get flashy new stuff out the door quickly. Somewhere in there, compatibility rose in the priority scheme, as MS became a victim of its own success. Once upon a time, breaking old software was a way to encourage new software purchase. Now, breaking old software discourages new platform purchases, so compatibility has become necessary.
So old software, written in the days when security wasn't even an afterthought has to run on the new platform, or the new platform won't sell. At the same time, the new platform must be more secure.
Not an easy problem.
Someone mentioned sudo, but I guess that's got the commie pinko GPL on it.
The living have better things to do than to continue hating the dead.
So why are there so many more IIS worms and viruses than Apache ones?
No, it isn't just popularity, it's quality as well.
Pay no mind to the astroturf.
It's not ALL Microsoft's fault, but they're definitely NOT in the clear. They make shitty software. That is a fact.
Let's expound on that. Let's say that Yugos have shitty locks, and there's a well known "technique" that carjackers use to steal Yugos, and YOU own a Yugo. There's a fix that you could have applied to your car to avert tragedy.
Your car gets stolen. It is your fault because you could have done something to stop that from happening. Still doesn't put Yugo in the clear from making shitty cars.
Heh, perhaps the most interesting point we can draw from this is the fact you (the royal you) decided to buy (use) a Yugo (Microsoft Product)
From the Symantec Web Site:
For example, the DeepSight Threat Management System discovered the Slammer worm hours before it began rapidly propagating. Symantec's DeepSight Threat Management System then delivered timely alerts and procedures, enabling administrators to protect against the attack before their environment was compromised. This combination of comprehensive up-to-the-minute attack data combined with effective solutions, patches, and countermeasures enable corporations to protect information infrastructure while avoiding downtime and lost productivity.
It sounds to me like a Tech Security company trying to boost sales of their new Threat Management System and Alert Services by stretching the truth. And we all know the sales and marketing folks would not blink an eye at fudging facts to sell their products.
Does this mean Symantec had anything to do with the Slammer virus (as Michael alluded to)? I don't think so (and honestly to make an accusation like that is just plain ignorant).
Just my take. Now let the negative modding begin.
Last time I checked, Linux/Unix dwarfed Windows in the enterprise. Windows has a majority on the desktop, but it is only *one of many* players amongst servers and is not the most widely used.
:)
Time for a new theory
but Symantec has a moral responsibility to inform the public if it thinks millions will be affected.
Symantec does not have a moral responsibility to inform the public. Symantec isn't a publicly funded corporation, or a government agency.
You do not have a right to benefit for free from the hard work of others. Symantec's ONLY moral responsibility is to increase value to their shareholders. This isn't the late 1990's where you can create a technology company based on the idea of giving things away for free and expect that to fly.
Part of that responsibility is to treat their customers right. Given a limited timeline, and the need to provide the most value possible, they chose to send an alert to some of their (presumably) biggest and best customers. I believe that Symantec worked in a very appropriate manner in this case.
Note: I didn't read the article. I did read quite a few articles yesterday when the link was posted on hardocp.com however.
I am disrespectful to dirt! Can you see that I am serious?!
Unix/Linux dominate the market for servers and databases. Oracle is the most widely used database the last time I checked and SQL Server was third. Unix/Linux *is* ubiquitous for servers. Microsoft is the niche player and it is Microsoft that is producing software so buggy that it is hobbling the internet.
Network Operations had to manually disconnect MANY servers which were just saturating the network. After doing this we got calls days later from people saying "My students are complaining that they can't access my server, any idea why this is?" So if you're expecting that every server has some crack squad of administrators scouring the net to make sure it's updated to the fullest - well sorry, it takes some people days to notice that their server isn't even on the network anymore.
I mean you'd think people would turn on CNN and see SQL WORM RAVAGES INTERNET, and think, gee don't I have a machine running an SQL server, maybe I should check up on that? But no.
The reality is that there was a patch available for this months before and nobody bothered to install it, I don't think a few more hours would have made much of a difference at least where I work.
While attempts with viruses and worms may be more due to popularity, there are other factors that result in an insecure system.
Just saying that viruses and worms are more popular because of Microsoft's success is merely a cop-out. Their success should be a benefit to their security (more resources should be dedicated to it), not an excuse for it.
sin(6cos(r)+5A)
No system is immune, however UNIX has 25+ years of testing while Windows releases are so frequent there is little time for hardening.
<Homer Simpson>
I agree with you! In theory.
Communism works! In theory.
</Homer Simpson>
You are comparing the amount of time that UNIX (a common name for a wide number of totally different and constantly changing operating systems with different kernels, tools, applications, and philosophies) has been tested to the release schedule of Windows (which is a product sold by a single company, generally released once every 1-2 years and patched just as frequently as any UNIX system that actually has a wide variety of useful software installed) and making a judgement on security. You know what? My television gets more miles to the gallon than the amount of electricity my grapefruit uses.
I agree with your subject line, but your content makes no sense. Then again, any old install script on UNIX can make anything setuid root, world-writeable, and world-executable, if you run it as root. The only way UNIX is more secure is if you read every line of code and every line of every script you run as root, and do everything else in a chroot-jailed sandbox. To be quite honest, that kinda thing would greatly decrease my productivity in any operating system, so I just backup my stuff frequently.
Karma: Incomprehensible (Mostly affected by posting at +5, reading at -1, and metamoderating everything unfair.)
Who do you think is writing these sophisticated viruses and worms? Do you really believe that the hundreds of new viruses that get released every month is because of some bored hackers who have nothing better to do? There are many stories of "Men-in-Black" style approaches to out-of-work developers in countries with a large high tech community. Someone shows up at your door with a big bag of money and no identity and asks you to write a particular type of virus, you might be inclined to take the money and not ask too many questions. It's called "Creating the Market".
Please stop equating/comparing/relating every single fucking thing to 09/11. It's only a similar situation in that they knew but didn't tell anyone. What if I knew the exact time you would be born, but I didn't tell your mom? Similar situation, right? What if I knew how long the cookies were going to last before you bought them, but I didn't tell anyone? Similar situation, right?
Stupid liars.
Liars maybe, but stupid they are not.
"When it rains, it pours." --Morton's Salt