Slashdot Mirror


HomeSec Warns Again About Microsoft's Insecurity

cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."

497 comments

  1. How big a threat is this? by mjmalone · · Score: 4, Interesting

    The security people at my office were talking about this vulnerability yesterday in our monthly meeting, they were saying it is likely going to be worse than slammer/code red/etc (which the article seems to back up)... Do you guys think this is that serious of a threat? A lot of what they were saying sounded like worst case scenario kind of stuff, hopefully it will not be that large of an issue. One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

    1. Re:How big a threat is this? by rde · · Score: 4, Funny

      windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

      So upgrade to Windows XP, or the 73rr0r1575 \/\/1ll win.

    2. Re:How big a threat is this? by tlovie · · Score: 5, Interesting

      I'm not sure if Windows98/se is vulnerable since microsoft's knowledge base specifically states that Windows ME is not vulnerable. The vulnerability is based on a buffer overflow of the RPC service. Does windows 95/98 even offer the RPC service?

    3. Re:How big a threat is this? by mjmalone · · Score: 0, Funny

      ah, I can see it now.

      You are either with US, or you are with the TERRORISTS. We want YOU to upgrade to Windows XP!

    4. Re:How big a threat is this? by Anonymous Coward · · Score: 2, Informative

      they just suck. Windows 98/98SE doesn't enter non support phase until Jan 16 next year.

    5. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      "A lot of what they were saying sounded like worst case scenario kind of stuff..."

      A competent hacker should always be able to find the "worst case scenario"!!!

    6. Re:How big a threat is this? by diersing · · Score: 4, Informative

      It could be bad if the Windows admins out there aren't paying attention. But, most sysadmins in MS shops realize the frequency of these kinds of patches and are good about applying them timely. This was released over 10 days ago (I got notified on the 19th), and have already applied it to the 350+ MS servers on our network. If the lazy admin has configured auto-update they are protected as well.

      The primary vehicle for spreading this type of exploit, are all the MS clients of broadband users, many untechy PC owners will be to blame if this thing hits hard. And yes, I think it could be worse than slammer/code red because it's RPC. Pretty much all the MS clients out there are going to have it running (versus an IIS exploit).

    7. Re:How big a threat is this? by TedCheshireAcad · · Score: 1, Flamebait

      exploit here

      why not, i got karma to burn...

    8. Re:How big a threat is this? by iabervon · · Score: 2, Interesting

      It's reasonable to expect this to be worse than some of the other worms, because it is part of a more central and common service. It seems unlikely that future worms will be less effective than past ones, for that matter, since the past ones have generally been disassembled and discussed, and someone writing a worm is unlikely to start from scratch.

      Of course, the vulnerability requires that it be possible to reach the machine with an inbound connection, so firewalled networks will be protected until someone combines this with a document-based vulnerability to attack these networks from inside.

    9. Re:How big a threat is this? by dreamchaser · · Score: 2, Insightful

      The primary vehicle for spreading this type of exploit, are all the MS clients of broadband users, many untechy PC owners will be to blame if this thing hits hard. And yes, I think it could be worse than slammer/code red because it's RPC. Pretty much all the MS clients out there are going to have it running (versus an IIS exploit).

      Perhaps ISPs should just block RPC at their routers that feed broadband users. I can't think of any good reason most people would want it to be exposed anyways, on a residential broadband account at least.
    10. Re:How big a threat is this? by gregmac · · Score: 3, Interesting
      One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

      If this is true, Microsoft doesn't even acknowledge that it affects Windows98. It's one thing to not release a patch for an affected OS, it's quite another to not mention that it's affected.

      --
      Speak before you think
    11. Re:How big a threat is this? by Xformer · · Score: 2, Insightful

      That, or ditch Windows entirely (novel idea, I know :-)

      --
      All I want is a kind word, a warm bed and unlimited power.
    12. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      I love my RPC spam :(

    13. Re:How big a threat is this? by foolish · · Score: 1

      What is really interesting is that some of the newer exploits still affect systems even with patch-26 applied. Not to mention that NT4 workstations and servers appear to be on SP6a and that might still not patch things.

      Production networks are complex, sometimes you can't kick in a reboot or even change services, especially when you're talking about the core method Microsoft uses to make things 'easier'.

      That and now the various viral writers are producing payloads that hit the DCOM ports (mumu.a variants). Looks like the joyousness of more code red loss of productivity (shoulda patched, been warned but, 'naw we'll be ok').

      Mmmm, Trusted Computing.

    14. Re:How big a threat is this? by tuba_dude · · Score: 1

      Hah! XP upgrading me? It'll probably just strap a refrigerator to my back and hand me a set of knee/wrist/elbow guards MADE OUT OF GLASS.

      --
      "The government of the United States is not, in any sense, founded on the Christian religion."
    15. Re:How big a threat is this? by mark_lybarger · · Score: 4, Informative

      maybe you were going for +1 phunny, but i'll swing anyway.

      Windows XP isn't really an upgrade for Win98 machines. Win 98 was delivered on PII 266mhz, 32/64MB RAM, 2-4MB PCI Video systems. I would hate to try anything on a system like that with XP. Sure the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.

    16. Re:How big a threat is this? by I8TheWorm · · Score: 1

      Our security team went nuts when this "released" last week. However, it's old news, and has had whitepapers out for quite some time on it. It's nothing more than NetBIOS, which is only needed when Win2k/XP needs to fileshare with
      In other news, it's recently been discovered that you can lose all of the data on your 5 1/4" floppy by storing it on that large magnetic board on your wall...

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
    17. Re:How big a threat is this? by GrenDel+Fuego · · Score: 2, Insightful

      These days you can buy a computer for not much more than the price of Windows XP home (retail version).

      They're not great machines, but they're better than a PII 266mhz.

      Or as other people said, ditch windows entirely.

    18. Re:How big a threat is this? by I8TheWorm · · Score: 1

      >>which is only needed when Win2k/XP needs to fileshare with

      Oops, somehow the end of this sentence was lopped off. should have read...

      which is only needed when Win2k/XP needs to fileshare with NT4.0/9x

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
    19. Re:How big a threat is this? by saskwach · · Score: 5, Informative

      Someone did their reporting wrong. The huge gaping flaw that was announced recently pertained only to computers with the NT kernel (WinNT, Win2000, WinServ2003, WinXP). This vulnerability does NOT affect 98/98SE/ME/95/3.1/whathaveyou.

    20. Re:How big a threat is this? by los+furtive · · Score: 4, Insightful

      I agree with you. But if you have 128megs of ram (or even 64), I would strongly recommend upgrading to Windows 2000, for the stability alone. A P2 266/300/350 with Win2K is a fine machine.

      --

      I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

    21. Re:How big a threat is this? by melonman · · Score: 1, Offtopic

      Have you tried running Open Office and KDE on that kind of spec machine? I reckon the hardware requirements to give sensible performance with a modern Linux release and OO are about the same as for XP.

      --
      Virtually serving coffee
    22. Re:How big a threat is this? by Lumpy · · Score: 3, Interesting

      and the fun part is that since corporate IT is so damn slow, current IT policy is "NOTHING HIGHER THAN SP3 on W2K machines."

      so that makes all "OFFICIAL" machines in corporate will be hosed as usual when these things come through... Just like the stupid policy of no virus updates from anywhere but the corporate server which is always at least 4-5 behind the software companies site. (Another policy I ignore.. I keep everything at the latest DAT)

      --
      Do not look at laser with remaining good eye.
    23. Re:How big a threat is this? by kikta · · Score: 3, Informative

      Pretty sure they don't. I believe this is something only on the NT side of the house.

    24. Re:How big a threat is this? by timelorde · · Score: 2, Informative

      windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

      No, 98 isn't in the list for this vulnerability (MS03-026). But it is in the list for a different one: MS03-030 (the one about MIDI files and DirectX and QUARTZ.DLL)...

    25. Re:How big a threat is this? by drinkypoo · · Score: 1
      If you have 128MB of ram, I strongly recommend upgrading to 256MB before you even think about running any version of Windows NT. You might be able to load Win2k in 64MB (never tried, myself) but back in the bad old win2k days (You might think it's great, but I think it's unreliable trash) I had 256MB, upgraded to 512MB, and it was like night and day. Sadly enough, I experienced the same situation going from 512MB to 1GB on Windows XP; my boot time was cut in half, as was my log in time, and most programs work faster in general.

      Memory is super cheap these days, and so are whole computers. For the price of 128MB ram a couple years ago, you can buy a new mb, cpu, and 256MB ram today.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    26. Re:How big a threat is this? by prandal · · Score: 1

      Now all we need is an exploit for the quartz.dll (MS03-030) vulnerability which uses that as a launchpad for the DCOM/RPC (MS03-026) attacks. That way you use your unpatched Win9x boxes to attack the others, all from an innocuous email or web page link.

    27. Re:How big a threat is this? by ipour · · Score: 1

      This doesn't seem like a big threat. If they are referring to exploits using ports 135-139 and 445, those are already blocked by the high security internet setting on most commercial firewall programs and routers. If they know of some additional vulnerability, Homeland Security should provide more information than the alert says. Their recommendation is that you update with the latest security patches and block the above mentioned ports. If your IT people AREN'T doing this already, I don't think this alert will help.

    28. Re:How big a threat is this? by norite · · Score: 2, Informative

      What a complete load of tosh!!! I have a pentium 166Mhz machine with 64Mb RAM and it runs windows 2000 just fine. (Admittedly, the pentium is overclocked to 200Mhz though....)

      Windows 2000 requires a minimum of 32Mb to run. It won't install on a machine with less than 32Mb RAM.

      --
      -- Fuck Beta
    29. Re:How big a threat is this? by esarjeant · · Score: 1

      Works like a champ. Companies need to be just as concerned from internal exploits, which means this update must be applied everywhere ASAP.

      Kudos to Microsoft for working with groups like NIPC to get the word out. There's no excuse for not getting your Windows boxes patched on this one.

      --

      Eric Sarjeant
      eric[@]sarjeant.com

    30. Re:How big a threat is this? by jav1231 · · Score: 1

      Well, anyone with open RPC on the net is an idiot. We've known this for years. The only new thing here is the DCOM issue and being able to possibly use DCOM from a call to port 80. Seriously, if this becomes another slammer/code red at your office, someone needs to seriously re-think their security strategy...and IT staff. JAV

    31. Re:How big a threat is this? by walt-sjc · · Score: 1

      That's true, but you don't NEED OO / and the full KDE environment. fvwm2 with abiword/gnumeric works just fine. You just need gnome base libraries - you don't need to be running the entire thing. Ditto for koffice.

      It's quite easy to set up a modern linux box for email, letter writing, browsing the web for fairly low-end machines. Win98 running NOTHING uses about 40M (includes VM usage.) Win2K uses about 60M, with a lot more resident in RAM. (Don't have XP, but XP is based on 2K so my guess is that the numbers are close, if not MORE than 2K.) Debian Linux, unstable, with fvwm2 and a smattering of applets uses about 30M - better than win98, and half that of 2K.

      It's going to be a LOT harder to get a decent performing setup with XP than Linux on low-end systems just due to the memory footprint of the base OS and windowing environment alone.

      OO is a memory pig. Won't argue that.

    32. Re:How big a threat is this? by ImpTech · · Score: 1

      phew... and here I was terrified that I wouldn't be able to patch my Windows whathaveyou install in time

    33. Re:How big a threat is this? by melonman · · Score: 1

      Well, for that matter, I guess you could do it all from the command line. We're playing with an embedded Linux system that fits onto a 32Mb CF at the moment(see here). Very neat.

      But I also run a cybercafe, which is a pretty good place to see what end users make of Linux, and your proposed setup wouldn't do it for most of them. There's no point connecting to the net nowadays unless you can run flash and java, and even OO doesn't keep up with all the fonts and layout quirks of Office well enough to be able to print, say, a 100-page dissertation blind without finding that half the page breaks are in the wrong place.

      As it happens, our terminals are P200s, mostly with 32Mb of RAM, but the server they run off is a 2x2GHz monster with 1Gb of RAM, and 4 copies of Yahoo Billiards still slow it down. Our previous server, a mere 1GHz, regularly ground almost to a halt with 3 or 4 customers and a few badly behaved java applets.

      The people with the old hardware tend to either be techies - in which case they can look after themselves - or very conservative end users, in which case the sort of solution you are describing often isn't appropriate.

      I think that, increasingly, my tip would be "throw the old hardware in a skip and get a new PC".

      --
      Virtually serving coffee
    34. Re:How big a threat is this? by los+furtive · · Score: 1

      Bah. I won't make any claims about what you know about running a desktop, but Win2K runs well with 64megs, and very well with 128megs. Yes RAM is cheap these days, but I was just trying to show how he could upgrade his computer without even needing to spend more money (yes, I realize what I just said).

      --

      I'm a writer, a poet, a genius, I know it. I don't buy software, I grow it.

    35. Re:How big a threat is this? by toddestan · · Score: 2, Insightful

      And they also said Windows 95 would run on a 386 with 4MB of ram. Anyone ever try that? They also said Windows 98 will run on a 486-66 with 8MB of ram. I've seen that and it's not pretty.

      It is possible, and it is useable, it certainly is not too responsive.

    36. Re:How big a threat is this? by netsharc · · Score: 1

      Hmm, doesn't the MIDI exploit involve corrupted data (that overflows the buffer and injects the exploit) in MIDI files? If so, it would be easy to just make a webpage with the tag Microsoft invented: . User visits the page, IE tries to play annoying background music and boom you're in. Gotta love Microsoft, that's too simple it's not worth doing.

      Of course I'm assuming IE uses DirectMusic to play the MIDI file, this may not necessarily be true.

      --
      What time is it/will be over there? Check with my iPhone app!
    37. Re:How big a threat is this? by DerekLyons · · Score: 1

      One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.

      Not true. I downloaded and installed a new security patch for Win98 just last night.
    38. Re:How big a threat is this? by rutledjw · · Score: 1
      TROLL?!? Stupid fscking moderators...

      If he's right, he's right. Go soak your head you stupid mod. Sheesh. Giving out mod points to Windows trolls, what's /. coming to?

      On the other hand, you're right. The cost right there has deterred me from trying it. Although to be honest, the only reason I'd use Windows at home is for games. I really should have something better to do...

      --

      Computer Science is Applied Philosophy
    39. Re:How big a threat is this? by net-junk · · Score: 2, Interesting

      I really can't say this bothers me much after several people have called me to find out why their systems are down. After going thru the usual questions, one person explained to me that they ran updates on their systems, only to find that each and every one of them got disabled. Now this person has purchased a license for each system, yet this "update" has rendered his systems unusable. Last I heard he was playing phone tag with MS in getting them unlocked, but this brings a question to mind: Is this another ploy of M$ to get everyone to run the update so it can effectively weed out pirated copies? I mean, it wouldn't really surprise me much if this wasn't another one of their tactics. That is just my thought on this - Thank God for Linux..

    40. Re:How big a threat is this? by vadim_t · · Score: 1

      Well, it depends on what you run on it. Maybe try Enlightenment. In its day it looked horribly bloated and slow, but on that machine it's very fast. One problem with remote desktops is animations. Maybe disable animations, or set them to play only once. Perhaps also lower the priority of Java applets.

    41. Re:How big a threat is this? by walt-sjc · · Score: 1

      Um, Linux can run most flash sites, and supports java just fine. Some of the interactive flash doesn't work (disney kids) but it's rare to hit a site that needs that.

      Second, if you are using OO, you probably are not using it to JUST print 100 page word documents. You are probably creating your OWN documents, which will print as you expect. Hell, MS WORD doesn't even print correctly half the time - you expect it to be perfect in a totally different application? If you want something to print exactly as it shows on the screen you should be using PDF anyway.

      Not everyone buys into the upgrade-every-2-years game that MS pushes. Even though PC prices have come down, people just don't have a NEED to upgrade. You are also forgetting a HUGE market segment - schools. They are still using original IBM PC's from 1983 and some apple ]['s for christ sakes. Telling them to go buy 100 labs worth of new computers every 2 or 3 years is not gonna fly. They are Certainly not going to be dumping P233's any time soon. We can't even afford to pay the damn teachers.

    42. Re:How big a threat is this? by vadim_t · · Score: 1

      Oh yeah, I've seen Win95 on a 386 DX 40 with 4MB RAM. I suppose it kind of works. You boot it (slowly), open Explorer and it takes a while to appear due to the swapping.

      I've also used Win2K on a P133 with 64MB, and even played Mechwarrior 3 on it. It was very slow, and MW3 took quite a while to load. On my current machine (Dual Athlon MP 2000+ with 1GB RAM) it's pretty much instant. After seeing how this new computer runs, using a GUI on anything slower than a P3 is just painful.

    43. Re:How big a threat is this? by ejunek · · Score: 1

      In any major organization, servers will never be the source of damage. The problem occurs when the attack hits the "regular user's" machine. In a large company I'm familiar with, the only reason any servers went down when the SQL bug hit was because a lot of users had MS developer tools installed (which apparently has some SQL server elements in it) all got infected and the DoS attacked the system and the servers had no bandwidth to work with. Assuming you have an even half-competent system administration staff, your employees' machines are a much larger vulnerability than your servers.

    44. Re:How big a threat is this? by nmos · · Score: 1

      Getting all their applications and data moved over to the new machine is far beyond what most users are capable of.

    45. Re:How big a threat is this? by walt-sjc · · Score: 1

      Sure, memory is cheap but many of these older machines can't handle that much. We are also not talking PC100 ram here. Most stores don't even carry the older stuff like EDO anymore - it's special order and Much more expensive. I've had lots of problems trying to upgrade the ram in older boxes. Not as easy as it should be. They get flakey.

    46. Re:How big a threat is this? by nmos · · Score: 1

      This was released over 10 days ago (I got notified on the 19th), and have already applied it to the 350+ MS servers on our network. If the lazy admin has configured auto-update they are protected as well.

      And how about all of the workstation/desktop machines? One of the lessons from the last few rounds of worms is that security isn't just for servers and machines directly connected to the internet anymore.

    47. Re:How big a threat is this? by walt-sjc · · Score: 1

      From Very recent personal experience (father-in-law's machine) Windows98se SUCKS with less than 64M. His machine had 32M, with a totally clean install from the Windows CD. Takes F o r e v e r to boot, and apps are very slow to load. Swapping like mad. Now he's at 96M (after I found some dusty old chips) and Much happier. Win2K really needs a minimum of 128M to be usable, and with 256M it's alright. I've got piles of 256M PC133 dimms, but these older machines can't use them.

    48. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      I don't know about RPC, but Win98SE does have a DCOM running, just open regedit and search for enabledcom

    49. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      Windows XP is quite fast on my computer with 128MB RAM.

    50. Re:How big a threat is this? by NanoGator · · Score: 1

      "That, or ditch Windows entirely (novel idea, I know :-) "

      You'll also remove the problem of games generating instability in your machine.

      --
      "Derp de derp."
    51. Re:How big a threat is this? by A_Non_Moose · · Score: 1

      Gah, I need to learn how to read.

      Instead of That, or ditch Windows entirely (novel idea, I know :-)

      I thought you said That, or ditch Windows entirely (Novell idea, I know :-)

      (or, I just corrected your spelling) ;)

      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    52. Re:How big a threat is this? by Le+Marteau · · Score: 1

      No, 98 isn't in the list for this vulnerability (MS03-026).

      From: MS03-026

      Affected Software:

      Microsoft Windows NT(R) 4.0
      Microsoft Windows NT 4.0 Terminal Services Edition
      Microsoft Windows 2000
      Microsoft Windows XP
      Microsoft Windows Server(TM) 2003

      Not Affected Software:

      Microsoft Windows Millennium Edition


      So 98's not on either list. Looks like non-supported software to me.

      --
      Mod down people who tell people how to mod in their sigs
    53. Re:How big a threat is this? by Fulcrum+of+Evil · · Score: 1

      Most stores don't even carry the older stuff like EDO anymore - it's special order and Much more expensive.

      At this point, maybe you should upgrade? $500 gets you an ATX motherboard with 1G of ram and a 2.4Ghz P4. $300 can probably get you something less studly, but still quite nice. How much does 256M of EDO ram cost?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    54. Re:How big a threat is this? by diersing · · Score: 1
      Great point, but since most corporate clients are behind a firewall that will block such RPC requests I'm betting the larger problem is with broadband users plugged into their modems with no protection and fast spreading capabilities.

      One of the other replies mentioned ISPs taking action and blocking the port.... I hope they do. My ISP after several days of slooooooow traffic finally started disabling connections of those users who were not patching their machines for Code Red many moons ago.

    55. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      And the 5 people who actually use Win ME sigh with relief for a brief moment before going back to the sheer pain of using ME.

    56. Re:How big a threat is this? by FrankNputer · · Score: 1

      I'd recommend a 2k upgrade for anyone these days - but if they had 64 megs of RAM I'd recommend getting more RAM first. 2k's minimum stated req's are 128, which really means you'd better have more if you actually want the computer to DO something.

      Besides - a 2k upgrade from Ebay will run you about $125 (just did this for my sister), so be a big spender & drop another $50 on RAM, fer chrissakes!

    57. Re:How big a threat is this? by mummers · · Score: 1

      There's a small company called Red Hat offering free upgrades for Windows 98 users. I can't see it catching on though.

      --
      --This isn't a man who is leaving with his head between his legs.
    58. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      The day they stop pirating of windows is the day that Linux wins the war. At least that is what M$ thinks.

    59. Re:How big a threat is this? by spectral · · Score: 1

      mine can! send me some? ;)

    60. Re:How big a threat is this? by Zork+the+Almighty · · Score: 1

      Actually, Windows XP tries to upgrade you here in America. I can only assume that in Soviet Russia, you upgrade Windows XP.

      --

      In Soviet America the banks rob you!
    61. Re:How big a threat is this? by comandante+frito · · Score: 1

      Apparently Win 98 has a remote administration service that uses RPC, but sounds like one must enable it, else the server portion won't be running. See: http://www.networkcomputing.com/netdesign/1011part 1a.html Note that Win 98 has almost no security anyhow, so it is extremely easy to hack into.

    62. Re:How big a threat is this? by comandante+frito · · Score: 1

      An erroneous blank got inserted into the URL submitted above. The correct link is: Windows 98 Registry Handbook Sorry.

    63. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      actually yes I have. A 386 Grid laptop 4 meg memory.(could have been 8) and a compressed harddrive.
      Also ran ie4 and office(4 i think)

    64. Re:How big a threat is this? by Anonymous Coward · · Score: 0

      hmmm is this pile for sale. or at least 4 pieces of it

    65. Re:How big a threat is this? by Dave2+Wickham · · Score: 1

      Yeah, but that does seem to imply that only NT-based are affected.

    66. Re:How big a threat is this? by melonman · · Score: 1

      I think we've just jumped several threads sideways:

      • I know quite a lot about running flash and Java with linux. I've been doing it for 2 years in my cybercafe, and I think I've done it just about every way possible, including crossover plugins, and went through all the 'flash 5 over remote X' problems step by step. But that wasn't the original question. The question was about the relative merits of XP and Linux on PII233s with 32Mb of RAM. Anyone tried running Flash and Java with Mozilla under X on such a system? If so, has it loaded yet?
      • Yes, I do occasionally produce my own documents in OO, but, as I said several times, I was talking about the experiences of my customers in a cybercafe. Now I know the /. solution would be to mail drop 10 million OO CDs, but, in the real world, 99% of the people who walk in with a disc in their hand have put .doc or .xls files on it, and expect it to work blind. Sorry, it's just the truth. And, in any case, the original point was actually that OO is so much better than the less bloaty OSS alternatives at doing this, but that it still isn't good enough. (BTW, I can show you plenty of documents that open in xpdf but not acroread or vice versa.)
      • I know every thread on /. has to turn into a piece of MS paranoia, but it does get boring. I've just bought a new server after 2 years because of the needs of Linux. I also have Windows 2000, which runs very nicely thank-you on the old hardware. Having set up a lot of old machines to run Linux, I reckon you need at least 192M of RAM to run a modern distro at anything like a useable speed. And I am willing to state as a matter of fact that using OO on any machine with less than 64Mb is all but impossible, and that even 128Mb is going to be extremely painful (ie 10-30 second delays on occasions). Sorry, but I don't think MS has anything to do with any of the above.
      • We weren't talking about schools, but, if we had been, I would have suggested our cybercafe solution, which is to use the old machines as diskless terminals running LTSP, connected to one fast server. I suspect that most schools can stretch to, say, one pretty standard spec machine per 80 keyboards. But telling schools that they can teach anything useful on standalone linux machines with 32Mb of RAM is just insane: if the kid clicks on the OO icon at 9am, he might get a window by lunchtime, assuming the old and flakey hard disc hasn't vaporised by then.

      This "MS=bloaty, Linux = compact" myth has to go. To run XP plus Office sensibly, you need more or less the same spec machine as you need to run Redhat 9 plus some office apps sensibly, at least in processor and RAM terms. XP probably needs more disc space, but then disc space for new machines costs nothing at all, and a lot of machines that were delivered running W98 don't have a hard disc big enough for XP or RH9.

      All of which is to say that there are lots of good reasons to run Linux, but I don't think you are describing any of them.

      --
      Virtually serving coffee
    67. Re:How big a threat is this? by FrankNputer · · Score: 1

      That's fine for anyone willing to leave Windows. I wish more people would - I only use it when I have to, and spend most of my time using Linux, OS X, and BeOS. However, if they're not willing to stop using Windows, then they should ditch 98 and go 2000 (fuck XP!).

    68. Re:How big a threat is this? by drinkypoo · · Score: 1
      If you have a machine that takes EDO you probably don't even have AGP. If you do it's AGP 1x and you have some old piece of crap in it anyway. You could spend about $200 and get a mini itx board with firewire and usb, and a case, and crawl (due to the slow CPU) into the future. The problem is, most machines that old are AT or AT/ATX combo, and they're usually in AT cases because they were cheaper than ATX. So a case is a good fifty bucks, with a decent power supply.

      On the other hand, you could get a Pentium III (or another equally distasteful brand) for $200 from geeks.com and just replace the whole damn show.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Microsoft really did it this time.. by Tirel · · Score: 5, Interesting

    This is turning out to be a huge problem, we got the exploit a bit *cough*early*cough* and by simply joining a channel on IRC you get a handful of IPs, of which at least a few are exploitable. And then they wonder why there are thousands of ddos zombie machines running windows!

    But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.

    1. Re:Microsoft really did it this time.. by BWJones · · Score: 4, Interesting

      But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.

      Shoot, this was a problem years ago leading me to never enable automatic updates after more than one Windows machine was completely FUBAR'ed after an update. We fought with security issues on Windows for a while, then dealt with the expense and hassle of IRIX (although IRIX is impressively stable), went back to Windows due to the cost and then simply migrated our servers to Apache on OS X. Safe, simple, stable, affordable and secure.

      --
      Visit Jonesblog and say hello.
    2. Re:Microsoft really did it this time.. by kasperd · · Score: 1

      Windows, IRIX, OS X.... How often do you replace your hardware?

      --

      Do you care about the security of your wireless mouse?
    3. Re:Microsoft really did it this time.. by Andy+Smith · · Score: 2, Interesting
      a lot of people are starting to distrust microsoft and are turning off the automatic update
      That's exactly what I've done.

      One of their "updates" to Movie Maker (which I use solely to grab DV from an encoder) made the output files incompatible with other video programmes, in particular VirtualDub. Thankfully I was able to get the previous version back by doing a system restore but that's the last time I'll upgrade an MS app when the one I've got is working fine.
    4. Re:Microsoft really did it this time.. by Anonymous Coward · · Score: 0

      Apache on OSX as a server...... Why don't you just use FreeBSD and get the same exact box with less smiley faces and no $$$$ cost to the OS?

    5. Re:Microsoft really did it this time.. by Tirel · · Score: 1
      Date: Fri, 1 Aug 2003 09:03:40 -0500
      From: "Schmehl, Paul L"
      Subject: RE: [Full-Disclosure] Oh no - the feds are on to us :-)
      To: full-disclosure@lists.netsys.com
      Envelope-to: xxx
      X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
      X-MS-Has-Attach:
      X-MS-TNEF-Correlator:
      Thread-Topic: [Full-Disclosure] Oh no - the feds are on to us :-)
      Thread-Index: AcNYERdtC6ehtjvNRBGGZ9vx79rvtQAJG6hg
      X-MIME-Autoconverted: from quoted-printable to 8bit by netsys.com id h71E3e816766
      Errors-To: full-disclosure-admin@lists.netsys.com
      X-BeenThere: full-disclosure@lists.netsys.com
      X-Mailman-Version: 2.0.12
      Precedence: bulk

      The feds aren't the only ones. On another list I monitor a Microsoft rep admitted that Microsoft believes there will be a major event, and they are urging admins to "batten the hatches". Pretty rare for MS to admit to that.

      Paul Schmehl (pauls@utdallas.edu)
      Adjunct Information Security Officer
      The University of Texas at Dallas
      AVIEN Founding Member
      http://www.utdallas.edu/~pauls/

      -----Original Message-----
      From: Larry Roberts [mailto:larryr@netbeam.net]
      Sent: Friday, August 01, 2003 2:33 AM
      To: full-disclosure@lists.netsys.com
      Subject: [Full-Disclosure] Oh no - the feds are on to us :-)

      Group,
      Not sure if everyone saw this yet.
      http://www.msnbc.com/news/946460.asp?cp1=1


      That's pretty fucking scary if you think about it, the company I work for runs its site on a winnt4 machine (hey, it's a small company), I called them up and told them about it and they said they're going to switch to freebsd during the weekend.
    6. Re:Microsoft really did it this time.. by Anonymous Coward · · Score: 0

      Gee, so good of you to include the useful headers of this message, such as "X-MS-TNEF-Correlator:". Now I KNOW you couldn't have forged it, and it adds SO much to the conversation....

    7. Re:Microsoft really did it this time.. by fishbowl · · Score: 1

      >switching to another operating system.

      If there was another operating system to switch to, more people might consider it.

      Linux and BSD are wonderful in the areas where they work, but, as alternatives for the typical applications of media and end-user apps, they don't even bear consideration for the average user.

      Even to the extent that software is available, hardware support is a train wreck. (If you want to argue with me on this point, attach linux and freebsd drivers for Broadcom 802.11b cards with your argument.)

      --
      -fb Everything not expressly forbidden is now mandatory.
    8. Re:Microsoft really did it this time.. by jo42 · · Score: 1

      Microsoft says here:

      Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
      Microsoft urges users of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 to install this critical security patch immediately.

      Or else...!

    9. Re:Microsoft really did it this time.. by Rinikusu · · Score: 1

      It's kinda amusing in a way. I've found the perfect way to keep myself from being infected with virii and becoming r00ted. It's called: turning off the computer and killing your ISP. See, I've found that 95% of my spare time on the computer is, well, posting on /., reading comments on /., reading the articles on /., and thinking about /.. By being on the net, I've found I waste a whole lot of time that I could be doing something else. Like, finding exploits in girls. Chocolate + handwritten love letters + good hygiene seems to be a good route for r00ting them. And I also save about $30/month in ISP fees, not to mention the health benefits (I now go outside and ride my bike much more). Now, I only browse and post on /., on the clock, just like god intended. Let the admins worry about security fixes.

      --
      If you were me, you'd be good lookin'. - six string samurai
    10. Re:Microsoft really did it this time.. by metasyntactic · · Score: 1

      Automatic updates only update security holes and other critical bugs. Movie Maker updates are never delivered by automatic updates. You have to connect to WindowsUpdate in order to get them.

    11. Re:Microsoft really did it this time.. by Andy+Smith · · Score: 1

      Yes you're right.

      What I should have said is that I've stopped using Windows Update entirely. I figure that if a major bundled app like Movie Maker (which I chose to update manually) can be tampered with like that then I really don't want Microsoft having carte blanche freedom to change other components of my OS.

      I was even more suspicious when they incorporated rights management into Media Player and then suddenly there were security holes "discovered" in previous versions that required people to urgently upgrade to the new version. Seems to me like MS software updates can be less about upgrading your system and more about changing it to Microsoft's new view of how it should be.

      I wonder if Microsoft already knows of security flaws in any other Windows components, but they're keeping quiet about them until such a time as the "critical security patch" can be used to deploy other features, changes, restrictions, etc...

      (I'm not at all anti-Microsoft btw, I'm just wary of their upgrades following my Movie Maker experience!)

  3. How long? by Voltas · · Score: 5, Funny

    2 years / millions of dollars and the Home Land Security people tell me that people like to attack Microsoft Products.

    I'm glad I pay all those taxs!

    --
    -- Disclaimer: I can't really back up anything I post on /. --
    1. Re:How long? by rusty0101 · · Score: 4, Interesting

      And what's the OS Vendor of choice for the Department of Homeland Security? I seem to recall a story or something about it.

      Anyone want to talk to their representative or senators about that decision?

      --
      You never know...
    2. Re:How long? by Jonsey · · Score: 5, Funny

      I'm glad I pay all those taxs!

      And I'm glad our "edjacashun" budget keeps rising to make the US more smarterer.

      --
      I assert that my comment is only my opinion, not that of any employer, past, present or future.
    3. Re:How long? by sniggly · · Score: 4, Interesting

      The sad part is that the NSA itself already was far ahead developing a secure OS that would do just fine for the dept of HS. Instead tax monies go to bill gates and his dancing monkeys.

      --
      Of those to whom much is given, much is required.
    4. Re:How long? by Anonymous Coward · · Score: 0

      Oh by the way..bcis past life ins.gov chocks with Microsoft OLE DB issue.

    5. Re:How long? by Anonymous Coward · · Score: 0

      maybe he's from Texs

      But then, typo jokes are so lame

    6. Re:How long? by Anonymous Coward · · Score: 0

      Don't forget, they also told you that Windoze is buggy and full of security holes. How's THAT for value for your taxpayer money?

    7. Re:How long? by Anonymous Coward · · Score: 0

      SELinux is not a separate OS. It is a set of kernel modules that sit atop Linux, and utilize the LSM (Linux Security Module). In fact, the group working on SELinux presented the model for the LSM to the kernel group, and after a few modifications by Linus and team, it went into the 2.5 kernel. The 2.6 version will apparently have some minor further modifications, but most of it will be the same.
      SELinux provides mandatory access controls to the Linux OS (RBAC, MAC, TE--RoleBased Access Controls, Mandatory Access Controls, and Type Enforcement(TM) ).

    8. Re:How long? by sniggly · · Score: 1
      Technically you are completely correct, but politically saying the NSA has its own linux makes things more interesting! Also they are distributing a modified kernel and since linux basically is a kernel only, arguably they are a linux distributor..

      It has to be said though, why does one of the most crucial security related departments in the US govt choose notoriously insecure software from a convicted monopolist when its own National Security Agency has done such great work??

      --
      Of those to whom much is given, much is required.
    9. Re:How long? by ImpTech · · Score: 1

      Well, I'm not about sending Bill money, but dancing monkeys? C'mon now, who doesn't want their tax dollars going to such a noble cause!

    10. Re:How long? by jo42 · · Score: 1

      > NSA has its own linux

      Don't tell SCO!!!

    11. Re:How long? by sniggly · · Score: 1

      Oops you think darrel will sue the NSA? :)

      --
      Of those to whom much is given, much is required.
  4. Now if we can get them to arrest by MECC · · Score: 2, Funny

    If we can get them to arrest the board of MS directors, including Bill Gates, and treat them as POWs, that would help things considerably.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Now if we can get them to arrest by Zemran · · Score: 4, Funny

      The whole Microsoft staff end up in Guantanamo Bay without trial or legal representation :) Seems fair to me...

      --
      I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
    2. Re:Now if we can get them to arrest by Anonymous Coward · · Score: 0

      No way man. Lots of good people who work at Microsoft who you would be unfairly punishing. If you punish anybody, punish the upper management who allow the bad stuff to happen and make the critical (re: illegal/immoral) decisions.

    3. Re:Now if we can get them to arrest by Anonymous Coward · · Score: 0

      Christer Matsson (chrismat@microsoft.com)
      Henrik Schaub (henriks@microsoft.com)

      If you want NAZI's working for a NAZI corp, these are the guys.

      For example. Have fun with theyre emails :D

    4. Re:Now if we can get them to arrest by Anonymous Coward · · Score: 0

      and...

      Niklas Sjostrom (niks@microsoft.com)

    5. Re:Now if we can get them to arrest by sinserve · · Score: 1

      Oh look, an Oak tree!

      Pls go bang head against trunk, while(!exists(CLUE));

    6. Re:Now if we can get them to arrest by ajs318 · · Score: 1

      On what charge? How about computer misuse in the second degree? Since MS not only wrote the lousy software, but refused to show the users the source code so they could subject it to independent scrutiny {How is it even legal for them to hide the source code from users? What don't they want us to see?} I think you would have a pretty strong case against them.

      --
      Je fume. Tu fumes. Nous fûmes!
    7. Re:Now if we can get them to arrest by Anonymous Coward · · Score: 0

      dictionary.com if you do not understand english

  5. Pretty Bad by the.jedi · · Score: 5, Insightful

    My friend works at MIT's network security.
    From Wednesday to Thursday their compromise rate
    went from 3 computers an hour to 30.
    Right now they're just blocking the RPC port
    but the routers are starting to take some heavy
    traffic. Looks like this one is going to be pretty
    bad.

    --
    ThunderBird. Nuff said.
    1. Re:Pretty Bad by mjmalone · · Score: 1

      Which port is it that you need to block?

    2. Re:Pretty Bad by Type_O_Negative · · Score: 1, Informative

      Port 135.

    3. Re:Pretty Bad by Anonymous Coward · · Score: 0

      some folks trashed my univ's firewalls
      for about 24 hours a week ago. they
      never managed to get a trace on em.
      big earthquake a comin I can feels it,
      in me bones.

    4. Re:Pretty Bad by Anonymous Coward · · Score: 0

      TCP, UDP, or both?

    5. Re:Pretty Bad by tarquin_fim_bim · · Score: 5, Funny

      "Which port is it that you need to block?"

      To make windows secure?

      All of them.

    6. Re:Pretty Bad by Type_O_Negative · · Score: 1

      TCP should do the trick.

    7. Re:Pretty Bad by Malc · · Score: 1

      Read the article damnit. Don't give me that "this is slashdot" crap either ;)

      It's basically all the NetBIOS and Microsoft-ds ports.

    8. Re:Pretty Bad by pascalb3 · · Score: 5, Informative

      Check out CERT, a good site for this stuff. Here's their warning (more info than DHS). A list of what they have to block:
      135/TCP
      135/UDP
      139/TCP
      139/UDP
      445/TCP
      445/UDP

      Also, it appears 4444 is being used,

      Security Focus's incident mailing list is also enlightening. And for good measure, a posting on the ineffectiveness of one of MS's patches (as of 29 Jul).

    9. Re:Pretty Bad by Troed · · Score: 4, Informative
      Mod parent down. Bugtraq posting listing several other attack vectors:

      • ncacn_ip_tcp : TCP port 135
      • ncadg_ip_udp : UDP port 135
      • ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
      • ncacn_http : if active, listening on TCP port 593.

      • ... and finally, even port 80 might be used if ncacn_http is active, and COM Internet Services is
        installed and enabled.
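
The port and transport lists in the comments above can be turned into a quick host-side check. This is an added example, not part of any comment in the thread: it parses English-locale Windows `netstat -an` output and reports which of the listed endpoints the machine is actually listening on. The sample output and its addresses are constructed.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Ports and RPC transports named in the thread above (CERT and Bugtraq lists).
WATCHED = {
    ("TCP", 135): "ncacn_ip_tcp",
    ("UDP", 135): "ncadg_ip_udp",
    ("TCP", 139): "ncacn_np over SMB (NetBIOS session)",
    ("TCP", 445): "ncacn_np over SMB (direct)",
    ("TCP", 593): "ncacn_http",
    ("UDP", 139): "on the CERT block list",
    ("UDP", 445): "on the CERT block list",
}

# Constructed sample of English-locale Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      192.168.1.20:445       ESTABLISHED
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""


class Finding(NamedTuple):
    proto: str
    address: str
    port: int
    transport: str
    exposed: bool  # False when the socket is bound to loopback only


# Proto, local address:port, foreign address, optional state (UDP has none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; unparseable addresses count as exposed."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False


def audit(netstat_text: str) -> List[Finding]:
    """Return one Finding per watched endpoint the host is listening on."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, state = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        # An ESTABLISHED row is a connection, not a listener; the watched
        # port may appear there as the *remote* side of an outbound session.
        if proto == "TCP" and state != "LISTENING":
            continue
        transport = WATCHED.get((proto, port))
        if transport:
            findings.append(Finding(proto, addr, port, transport, not is_loopback(addr)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        scope = "reachable from the network" if f.exposed else "loopback only"
        print(f"{f.proto} {f.address}:{f.port}  {f.transport}  ({scope})")
```
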
    10. Re:Pretty Bad by Anonymous Coward · · Score: 0

      You joke, but shouldn't most people block all ports except the ones they need anyways?

    11. Re:Pretty Bad by mark_lybarger · · Score: 1

      my hosts.deny is

      ALL : ALL

      seems to keep others away.

    12. Re:Pretty Bad by technix4beos · · Score: 3, Insightful

      Speaking of routers...

      Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?

      With more families getting online and having multiple computers in a network, wouldn't it make sense to install a router that protects against the silly port attacks?

      I believe a router these days costs about $50 USD, so it's far cheaper to purchase one than to buy a software based "firewall" solution, that might be turned off by little johnny anyhow.

      --
      user@host$ diff /dev/urandom /dev/uspto
    13. Re:Pretty Bad by I8TheWorm · · Score: 3, Informative

      Actually, 135, 139, and 445.

      NetBEUI = Port 135. NetBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a file sharing protocol used in Windows. The attempt hits 445, and if it's successful, it sends an RST to 139 (if NetBIOS is installed, otherwise 139 is never used). If there's no response from 445, it continues the SMB session over 139.

      --
      Saying Android is a family of phones is akin to saying Linux is a family of PCs.
    14. Re:Pretty Bad by Tackhead · · Score: 2, Informative
      > ncacn_ip_tcp : TCP port 135
      >ncadg_ip_udp : UDP port 135
      >ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445

      Etc. Etc. Etc.

      The ironic part is that a Win9x box doesn't run these services. Or any other services - to use a technical term, in comparison to XP and 2K, an out-of-the-box 9x install doesn't listen to jack shit. If you do the 30-second tweak to disable/unbind the NetBIOS crap, you can safely (!) run 9x without a firewall because such a box doesn't listen to 80, 135, 137, 139, 445 etc. Unpatched. (Well, as long as you don't use Outleak Excess or Internet Exploiter, but that's just plain sanity :)

      XP? 2K? Nuh-uh. You can disable UPnP hole (SSDP/1900) from the Services panel, but I have yet to find a way (well, short of a firewall :) of stopping an XP box from listening to 135 and 445. After all, Joe Sixpack who owns just one computer obviously, always wants to be able to network it with NT 4.0 boxen over a LAN. But there's just no way of saying "Look, XP, I don't do that kind of kink. Ever. So stop listening to those ports".

      Thanks, Bill. No, really. Thanks a bunch. Other than a noble desire to take one for the team by jumping on the proverbial grenade, why the hell did HomeSec choose these twits as their vendor of choice?

    15. Re:Pretty Bad by Tony+Hoyle · · Score: 1

      Assuming you're connecting to the internet (which is a safe assumption) Win9x base install:

      1. Binds netbios to all interfaces
      2. Installs 'Personal webservices'

      Unless you have a fast connection it's also not an option to keep it up to date. I had to install Win98se only a couple of days ago and it needed 45MB of updates from Windows Update - since 95% of users are on dialup they're probably running completely unpatched versions at this very moment, and webservers they didn't even know they had.

    16. Re:Pretty Bad by TheViffer · · Score: 2, Informative

      Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?

      Actually that is not correct. A "router" in a nutshell is just used to "route" traffic from point A to point B.

      What people need is a hardware based NAT switch with firewall firmware. It places that nice "buffer" zone between your machines and the web.

      If the NAT switch/firewall is compromised somehow, it will not get the hacker very far without the presence of an OS. Your boxes behind should still be safe (but left without networking).

      --
      -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
    17. Re:Pretty Bad by jeeptj · · Score: 1

      We are also seeing an increase in activity on port 135 but let's not cry around saying the sky is falling yet...There is a lot of publicity for this vulnerability and I'm pretty sure much of the activity is scanning done by people trying to figure out if they're opened/vulnerable. Lots of traffic on port 135 != worm knocking on doors...

    18. Re:Pretty Bad by Tackhead · · Score: 1
      > Assuming you're connecting to the internet (which is a safe assumption) Win9x base install: 1. Binds netbios to all interfaces
      > 2. Installs 'Personal webservices'

      Oops. I knew about #1, because there's no way to turn it off at install time. It's the first thing I do after setting up networking.

      I also knew about #2, but whenever I installed 9x for myself or others, I always did a full custom install and said "WTF does $USER need a web server on this box for?" and unclicked it. So no IIS hole built-in.

      So I'll stand partially corrected on this one. But I think the original point -- which is that without a firewall, a consumer 9x box can still be hardened (albeit "hardened" in the sense of having gone from liquid to Jello) in ways that an XP box can't -- stands.

    19. Re:Pretty Bad by AvitarX · · Score: 1

      I've always had to click the I want to share shit button to get it to bind NetBios

      I'm pretty sure Webservices is not part of the standard install.

      This is a boxed non OEM version of WIN98 SE I am (attempting) remembering.

      If I'm wrong correct me, but I think you are wrong.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    20. Re:Pretty Bad by Anonymous Coward · · Score: 0

      Ahem, having used the patch, and still having my RPC service crashed [albeit not exploited as far as I can tell] on 2 machines 2 days ago, I highly suspect that the comment on bugtraq is correct. The patch only fixes the DCOM permission escalation, not the RPC overrun. It's only a matter of time [indeed, not much time at all I'd guess] before someone uses that overrun independently.

      In the meantime, my machines are off the net; just to make sure.

    21. Re:Pretty Bad by drinkypoo · · Score: 2, Informative
      A so-called home router (some of which are honestly routers, some are bridges, and some are firewalls and little else) will indeed solve this problem. More to the point, simply using NAT will solve this problem, as long as you don't forward the RPC port to something inside your organization. You might consider mangling the packet so that its destination is the originating host and resending, that might be kind of fun.

      Personally, I use a linux system with two NICs as my router/gateway. netfilter/iptables provides possibly the most powerful and configurable IP filtering suite available, and even though I use only a small portion of its features, I know that if I want to make it do all kinds of weird things, I just have to pore through volumes of crappy documentation.

      Of course with linux you must be careful to stay updated. This is true of any OS but less true with, say, openbsd which is what I used to use. I ended up using linux because it has advantages in terms of using it for other things than just a firewall box, and it's an athlon 700 so I can still get some decent use out of it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
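
The caveat in the comment above ("as long as you don't forward the RPC port to something inside") can be checked mechanically on a Linux gateway. This is an added example, not part of any comment in the thread: it reads the nat table of an `iptables-save` dump and lists every DNAT rule that could forward one of the ports the thread names. The dump, the interface name `eth0` and the internal addresses are constructed.

```python
import shlex
from typing import List, NamedTuple, Optional, Tuple

# Ports the thread lists for the RPC interface (CERT and Bugtraq lists).
WATCHED = [("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 139),
           ("tcp", 445), ("udp", 445), ("tcp", 593)]

# Constructed `iptables-save` dump; eth0 is assumed to be the Internet side.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
-A PREROUTING -i eth0 -p tcp -m multiport --dports 135,3389 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p udp -m udp --dport 400:500 -j DNAT --to-destination 192.168.1.11
-A PREROUTING -i eth1 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.1.12
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
COMMIT
"""


class Forward(NamedTuple):
    proto: str
    port: int
    destination: str
    rule: str


def option(tokens: List[str], *names: str) -> Tuple[Optional[str], bool]:
    """Return (value, negated) for the first of `names` found in the rule.

    Negation is recognised in the `! --opt value` form that current
    iptables-save emits."""
    for i, tok in enumerate(tokens):
        if tok in names and i + 1 < len(tokens):
            return tokens[i + 1], i > 0 and tokens[i - 1] == "!"
    return None, False


def port_in_spec(port: int, spec: str) -> bool:
    """Match a port against '135', '400:500', ':1024', '1024:' or '135,139'."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo) if lo else 0
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False


def rule_can_match(tokens: List[str], proto: str, port: int, ext_if: str) -> bool:
    """True if the rule's interface, protocol and port matches allow the packet.

    Source/destination address matches are ignored on purpose, so the result
    means 'forwarded for at least some senders'."""
    iface, neg = option(tokens, "-i", "--in-interface")
    if iface is not None:
        hit = ext_if.startswith(iface[:-1]) if iface.endswith("+") else iface == ext_if
        if hit == neg:
            return False
    p, neg = option(tokens, "-p", "--protocol")
    if p is not None and p != "all" and (p == proto) == neg:
        return False
    spec, neg = option(tokens, "--dport", "--dports",
                       "--destination-port", "--destination-ports")
    if spec is not None and port_in_spec(port, spec) == neg:
        return False
    return True


def forwarded_rpc_ports(dump: str, ext_if: str = "eth0") -> List[Forward]:
    """List DNAT rules in nat/PREROUTING that can forward a watched port.

    Only the nat table is read: user-defined chains are not followed and the
    filter table's FORWARD chain is not evaluated, so check that next."""
    findings, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A PREROUTING"):
            continue
        tokens = shlex.split(line)
        if option(tokens, "-j", "--jump")[0] != "DNAT":
            continue
        dest = option(tokens, "--to-destination")[0] or "?"
        for proto, port in WATCHED:
            if rule_can_match(tokens, proto, port, ext_if):
                findings.append(Forward(proto, port, dest, line))
    return findings


if __name__ == "__main__":
    for f in forwarded_rpc_ports(SAMPLE_DUMP):
        print(f"{f.proto}/{f.port} -> {f.destination}   [{f.rule}]")
```
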
    22. Re:Pretty Bad by drinkypoo · · Score: 1
      Windows XP comes with built-in "firewalling". Actually NT comes with port blocking, also. You can use either facility. XP Firewalling allows you to create specified mappings and block them; NT port blocking allows you to block all but specified ports, or block specified ports.

      You might not be able to stop it from listening for requests, but you can stop that part of the software from receiving the requests.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    23. Re:Pretty Bad by whitmer · · Score: 1

      Another fine tactic is to remove the RJ-45 cable from NIC, works pretty well too. ;)

    24. Re:Pretty Bad by Anonymous Coward · · Score: 0

      w1nd0z3 98 5ux0rs.

  6. Ugh. by JohnGrahamCumming · · Score: 5, Funny

    Could we not go around referring to The Department of Homeland Security as HomeSec? The last thing we need is /. popularizing a cool sounding name for this behemoth.

    If we need to refer to it then use the initial letters of its name... DoHs.

    Somehow appropriate when they put out warnings like the last one.

    John.

    1. Re:Ugh. by glwtta · · Score: 4, Funny

      I just tend to call it MiniPax - is that better?

      --
      sic transit gloria mundi
    2. Re:Ugh. by GoofyBoy · · Score: 1

      HomeSec sounds like some sort of home-office networking product.

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    3. Re:Ugh. by Anonymous Coward · · Score: 0
      As I wrote here (before it instantly got -1 overrated), and also pointed out here, 'HomeSec' seems to be a completely made-up term created solely by Michael for the sole purpose of belittling them.

      We should call out Michael for his newspeak.

    4. Re:Ugh. by TedCheshireAcad · · Score: 1

      If we need to refer to it then use the initial letters of its name... DoHs

      Sounds too much like DOS.

      oh, wait....

    5. Re:Ugh. by WildFire42 · · Score: 1

      Would that make the entire executive branch the Ministry of Smart?

      Hmmmm...

      MiniSmt

      After the Ken Starr report, that does seem to fit.

    6. Re:Ugh. by Anonymous Coward · · Score: 0

      Yeah, you're right. It's the Pentagon who's MiniPax. The Department Of Homeland Security is MiniLuv.

    7. Re:Ugh. by chrisgeisel · · Score: 2, Funny

      I prefer "Ministry of Love". We are at war with drugs err, al queda err, iraq err, gay marriage. We have always been at war with gay marriage.

    8. Re:Ugh. by Anonymous Coward · · Score: 0

      DoH fits well...

      Dept of Homeland Security: we just bought 100 million dollars worth of MicroSoft products

      everyone else: but their OS leaks like a sieve!

      Dept of Homeland Security: Doh!

    9. Re:Ugh. by Dracos · · Score: 1

      I suggest not using the exact acronym, but something that pays tribute to the president who created the department: DuH. _Department _uv _Homeland--ooh! Security should be in a different color, like the background.

    10. Re:Ugh. by glwtta · · Score: 1
      Ha ha you're so funny. No wait, you're still an idiot. Yay you read 1984. What do you want, a cookie?

      My humblest apologies, I didn't fully appreciate just what level of sophistication I am dealing with here. The next time that I happen to think it unnerving that 50 year old satire (heavy-handed, over the top satire at that) is being recreated in real life with an uncalled for faithfulness, I will not try to exploit it for a mediocre bon mot and will instead just keep it to myself.

      If you want to be taken seriously though by intelligent people and not Slash-idiots then you might want to try dropping the name calling so you appear older than 12.

      I am not sure I follow your logic here; presumably my efforts to impress these "intelligent people" would, by definition, go to waste in this forum? Incidentally, why do you assume that I am older than 12 in the first place?

      --
      sic transit gloria mundi
  7. The Department of Homeland Security? by Wacky_Wookie · · Score: 5, Insightful

    Sounds more like The Department of Homeland in-security :)

    Joking aside I find the US media's "fear hyping" to be outrageous.

    "It could happen to you" Is a major catch phrase for the US media, and they are not talking about winning the lottery.

    1. Re:The Department of Homeland Security? by admbws · · Score: 1

      Why do they beat around the bush with a purely hypothetical statement such as "It could happen to you". If you are running an unpatched Windows (as most people are) and somebody releases a worm that exploits it, it WILL happen to you!!

    2. Re:The Department of Homeland Security? by Anonymous Coward · · Score: 0

      "fear hyping" is outrageous? After Sept 11th, the idea of "It could happen to you" has never been more true. I think Department of Homeland Security is doing the best job anyone could considering what the broad range of responsibilities they are taking on!

    3. Re:The Department of Homeland Security? by Anonymous Coward · · Score: 0

      Now throw in a few "Orange" alerts here and there and you've got yourself a perfect republican re-election platform. You see, fear breeds consent for those in power, good or not. And which party is using "safety" from "terrorist" threats as their selling point? They aren't stupid, and it's how "they've" done it since the Reagan years. In fact, if you look at the list of members in the cabinet, you will see many of the same people. Grenada? Nicaragua? Libya? Sheesh... Keep us in fear, and we will ALWAYS rally behind the leaders. It's worked for the repubs for decades...

    4. Re:The Department of Homeland Security? by Anonymous Coward · · Score: 0
      "fear hyping" is outrageous? After Sept 11th , the idea of "It could happen to you" has never been more true.

      Thank you for proving the Terrorists won.
      They have all you panty-waist Americans in a fear-frenzy, with no way out.

    5. Re:The Department of Homeland Security? by glsunder · · Score: 1

      Media fear hyping? You mean the current administration. They started fear hyping before they won the election.

  8. hmm Bill Gate's advice by linuxislandsucks · · Score: 0

    Bill Gate's advice was that there was no knowledge or lack of knowledge in writing secure applications and OSes..

    I beg to differ in that Unix has been progressing and practicing secure code writing for nearly 20 years..

    Maybe Bill Gates should send his programmers back to school and unix programming classes?

    --
    Don't Tread on OpenSource
  9. They should know! by jocknerd · · Score: 3, Funny

    After all, they're giving Microsoft $90 million to run their computers.

    1. Re:They should know! by Shivaji+Maharaj · · Score: 1

      And have probably seen the Windows source code.!!

      --
      We do not have a history of profitable operations. Our future SCOsource licensing revenue is uncertain.
    2. Re:They should know! by pmz · · Score: 1

      After all, they're giving Microsoft $90 million to run their computers.

      My mind choked when I read the headline for this article. A very large US government agency whose role is security buys a shitload of MS software for their own computers and, then, turns around and tells the world, "We run the least secure software known to man."

      Their flagrant stupidity (or, more likely, corruption) is baffling. It must be a case of their head not knowing what their ass is doing, or something like that. How else can they not notice Microsoft's enormous shaft ramming them to hell and back? The U.S. government needs to call a spade a spade and get Microsoft out of any office remotely relevant to national security. Even a secretary's computer can have tidbits that melded with other tidbits can provide valuable information to crackers and spies. Complacency and laziness is simply not an excuse, anymore.

    3. Re:They should know! by mdielmann · · Score: 1

      Of course. They're running a test bed. They probably know more ways to get a BSOD using solitaire than any other organization in history.

      --
      Sure I'm paranoid, but am I paranoid enough?
  10. Re:Linux is a joke, a mess, a waste of time. by Anonymous Coward · · Score: 0

    Here's someone with his head on straight...
    Hey, how does it smell with your head so far up your ass that you can see your colon? When was the last time you used Linux...5 years ago?

    FYI, it sounds like you have some personal issues...but there's hope for you! I hear that they have a pill you can take to increase the size of your penis, maybe if you had a dick you would act so much as one!

  11. Affect Win98? by Anonymous Coward · · Score: 0

    Just a question. Does this affect Win95, Win98 systems as well? All the advisories I've seen have only mentioned Win2K and up, but I think MS is no longer supporting the Win95, Win98 series. Basically, does anyone know if Win98 has this RPC call thing that is at the root of the trouble?

    1. Re:Affect Win98? by mjmalone · · Score: 1

      According to the security people at my work Win98 is affected, and since Microsoft no longer supports it they didn't bother to write a patch.

    2. Re:Affect Win98? by GoofyBoy · · Score: 1

      But if you have a software based firewall should that protect you?

      How about hardware based firewall?

      --
      The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    3. Re:Affect Win98? by kasperd · · Score: 1

      According to the security people at my work Win98 is affected, and since Microsoft no longer supports it they didn't bother to write a patch.

      So no more Win98 machines on the Internet.... Oops looks like I'm daydreaming, make that no more secure Win98 machines on the Internet.... Yeah right, as if there ever were any.... How long before somebody writes a worm to upgrade those machines? ;-)

      --

      Do you care about the security of your wireless mouse?
  12. Which ports are they? by bobbotron · · Score: 0, Redundant

    Which ports do you need to block to keep the RPC requests out?

    1. Re:Which ports are they? by Anonymous Coward · · Score: 0

      80 and 8080

    2. Re:Which ports are they? by Anonymous Coward · · Score: 0

      Thank you much sir, I just blocked these on my router. Is this RPC service responsible for connecting people to the interweb though because it seems that when I blocked it people say they can no longer connect to my internet site.

    3. Re:Which ports are they? by Anonymous Coward · · Score: 0

      Have you considered you lack enough humor to be allowed out in public?

  13. I feel bad for the Poor slob(s).... by curtisk · · Score: 4, Insightful
    ....that works at Dept. of Homeland Security whose entire job will consist of keeping up to date with MS security advisories....

    wonder how they (DoHS) are feeling about their OS investment already? :)

    --

    Dear toilet user!

  14. Godwin's Law! Godwin's Law! by Anonymous Coward · · Score: 1, Funny

    Worst Thread Ever. (TM)

  15. windows at the office?? by chef_raekwon · · Score: 5, Interesting

    i could have sworn that 2 weeks ago, here on this very same slashdot....there was a story about HomeLand Security securing a very large purchase from Microsoft....aka 100 million, or some outrageous number like that..

    isn't this a bit irresponsible of them, now that they are declaring Windows a vulnerability?

    --
    We're like rats, in some experiment! -- George Costanza
    1. Re:windows at the office?? by akiaki007 · · Score: 1

      Indeed they did, and 2 days (maybe 1?) later this security hole was announced. It received national coverage on all the major news players and the implications of security.

      I, personally, am rather angry that my fucking tax money is being spent by the DoHS and all they have come up with is a dependency on an insecure OS and a stupid colour coded system that NO ONE understands!

      --
      "Time is long and life is short, so begin to live while you still can." -EV
    2. Re:windows at the office?? by Jagasian · · Score: 0

      You better shut your pro-terrorist mouth you unpatriotic liberal! HOW MANY FINGERS AM I HOLDING UP?!? WRONG! FIVE! NOT FOUR!

    3. Re:windows at the office?? by cliffiecee · · Score: 1

      Think of it as "Homeland Security eats its own dog food..." In other words, they are using the same operating system that the vast majority of people use, so they will experience the same vulnerabilities. They'll be able to advise people about computer security from first-hand experience, not just from a few pristine 'test lab' machines.

    4. Re:windows at the office?? by Anonymous Coward · · Score: 0

      I think it is probably one of the best ways to get MS to improve their security. What better incentive for them than to constantly be in such a high visibility scenario?

    5. Re:windows at the office?? by AllUsernamesAreGone · · Score: 1

      Yeah, I can just see it: "We'd like to tell you about this new, fast-spreading malicious windows exploit does but our computers are experiencing a slight technical problem at the moment..."

    6. Re:windows at the office?? by TheDredd · · Score: 1

      Of course! They needed a copy of windows, to check if it was secure or not

    7. Re:windows at the office?? by Anonymous Coward · · Score: 0

      and now you learn that those with the real knowledge do not make the purchasing decisions within an organization...

      welcome to the real world... the idiots lead the scientists....

    8. Re:windows at the office?? by MillionthMonkey · · Score: 1

      Everyone understands the color system. It's a pointless token measure that is useful for political leverage. It makes them look like they're doing something about terrorism and threats. "Look here, pretty colors!"

      When things start looking bad, they can just notch it up a color and call it a day.

    9. Re:windows at the office?? by Sanga · · Score: 1

      They are very responsible --

      they bought, they tested and they declared!!

      Sounds fair to me.

  16. Hilarious! by Wilersh · · Score: 5, Funny

    Microsoft is now officially a threat to Homeland Security. Maybe George should drop some bombs on Redmond! We know where they are and they keep putting out a product that threatens our security. Oh wait, the government saw fit to give them a slap on the wrist and turn around and contracted even more unsafe software from them. They'll undoubtedly be mentioned in future hindsight publications from congress but on blanked out pages for national security reasons. That's what we do for "friends".

    Ugh.

    Wilersh

    1. Re:Hilarious! by kinnell · · Score: 2, Funny
      Maybe George should drop some bombs on Redmond

      ...or maybe he should summon the giant penguin of the apocalypse.

      --
      If I seem short sighted, it is because I stand on the shoulders of midgets
  17. From the "WTF" files by Mikey-San · · Score: 1, Redundant

    The Department of Homeland Security has issued a warning regarding the security of Microsoft's products.

    Does this seem fairly stupid to anyone else? I mean, didn't "HomeSec" (please, no catchy names for this terrible organization) just partner with these idiots?

    --
    Mikey-San
    Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
    1. Re:From the "WTF" files by Anonymous Coward · · Score: 0

      Yes, please don't use that term. Except that you just used it. Thanks.

  18. Remember, they bought MS software! by gatesh8r · · Score: 0, Redundant

    Your tax dollars at work demonstrating a good example... :-)

    --
    Karma whorin' since 1999
  19. Color scale? by Elendil · · Score: 5, Funny

    On the DHS alert color code, blue means "guarded", just one notch lower than the alert level the USA have been living in for the last few months (with occasional orange flares). Should this color be reconsidered in sight of the well known Blue Screen of Death?

    1. Re:Color scale? by Jagasian · · Score: 0, Offtopic

      All you liberals slam the war in Iraq, but considering that our alert color is blue now after the war... when it was yellow or orange before the war... seems like proof to me that the war decreased the amount of terror in our world.

    2. Re:Color scale? by akiaki007 · · Score: 1

      NYC (New York City) has been in Orange since the inception of this colour coded system.

      what is orange again? why can't they just say level 4 of 5 or something?

      --
      "Time is long and life is short, so begin to live while you still can." -EV
    3. Re:Color scale? by tanguyr · · Score: 1

      ... whilst increasing the amount of terror in somebody else's.

      --
      #!/usr/bin/english
    4. Re:Color scale? by Elendil · · Score: 1

      Bzzt... wrong, but thanks for playing. The present threat advisory is yellow. Business as usual.

    5. Re:Color scale? by sinserve · · Score: 1

      > seems like proof to me that the war decreased the amount of terror in our world.

      Well of course, DoHS' color coding system exists in nature and there is a direct
      provable relation between it and "terrorist in our world." and it is not a subjective
      matter under the whim of some entity or anything.

      You conservatives (trolls?) never fail to amuse me.

    6. Re:Color scale? by Troed · · Score: 0, Troll

      Due to the war in Iraq the risk has _increased_ since the US doesn't seem to understand that pissing 2/3 of the world off doesn't go unnoticed ..

      Oh, and you _have_ seen the news about all the links between Iraq and terrorism were void, and that basically everything you were told before the war was lies?

    7. Re:Color scale? by orkysoft · · Score: 1

      They should probably go to Brown Alert by now... ;-)

      --

      I suffer from attention surplus disorder.
    8. Re:Color scale? by Anonymous Coward · · Score: 0
      Should this color be reconsidered in sight of the well known Blue Screen of Death?

      The calm color blue represents the only time a Windows system is safe (aside from being powered-down). Once the serenity of blue overtakes a CPU, it is beyond the reach of evil hackers.

    9. Re:Color scale? by lovebyte · · Score: 1

      seems like proof to me that the war decreased the amount of terror in our world.
      LOL. In fact the only thing it did was to increase the amount of hue in the colours!

      --

      I'll do it for cheesy poofs.

    10. Re:Color scale? by micromoog · · Score: 1
      Wait, is 5 the best or is 5 the worst? Can't they just say "Be slightly nervous today", "Maintain a constant irrational fear of death today", or "Shit your pants every time you hear a car backfire today"?

      Or how about the best one: "Treat today just like every other day because any terrorist attacks in the works are COMPLETELY outside of your control"?

    11. Re:Color scale? by paganizer · · Score: 1

      Hmm. Agent Provocateur, or just incredibly stupid?

      if it's the latter: If we kill everyone else but US, we don't have to worry about THEM. Until the group we are a part of becomes the new THEM, of course.

      FREENET=FREESPEECH

      --
      Why, yes, I AM a Pagan Libertarian.
    12. Re:Color scale? by Jagasian · · Score: 1

      I'm obviously joking with that above post. I figured I was the only one that noticed that the "terror colors" are tweaked to coincide with political moves by the Bush regime.

  20. Why are they even working on this? by slusich · · Score: 1, Funny

    Shouldn't the Department of Fatherland Security be working to eliminate terrorists and Democrats instead of pointing out the obvious?

    1. Re:Why are they even working on this? by admbws · · Score: 2, Funny

      Can't you see??? If they don't tell anyone about these vulnerabilities, "terrorists" will take advantage of them and kill hundreds of thousands of people! What if "terrorists" hacked into the Win98 computer controlling one of the many Nuclear Reactors based in the United States? Can you imagine the havoc that could cause?!?!

  21. Switch campaign kick-off by SgtChaireBourne · · Score: 5, Insightful
    One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.
    A second interesting thing is why just this particular bug is getting the publicity. There's been no shortage of remote exploits for that product line, old or new, this year. Is it part of the new marketing campaign that's just kicking in?

    Along those lines, since most of the design flaws are downplayed for weeks/months/years after exploits are found. Apple, RedHat and SuSe have a good lead time to prepare switch campaigns.

    I'm sure a dollar value can be put on the peace of mind and increase productivity that goes with moving to a better workstation platform.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Switch campaign kick-off by rmadmin · · Score: 0, Redundant

      Its skynet! Its taking over! Pretty soon it'll become self aware and launch all the nukes!! AHHHHHH! Ok.. Its time for me to stop watching so many scifi flicks. :-/

      1: Infect all computer systems on earth
      2: ???
      3: Profit!^H^H^H^H^H^H^HBuild sexy ass terminatrix!

    2. Re:Switch campaign kick-off by Cromac · · Score: 2, Insightful
      A second interesting thing is why just this particular bug is getting the publicity. There's been no shortage of remote exploits for that product line, old or new, this year. Is it part of the new marketing campaign that's just kicking in?

      It's possible that the reason this bug is getting publicity by the Dept of Homeland Security and others didn't is simply because they know about this one. Yes, other security problems are out there and "known" but maybe not by the people at HS. Remember even though it's a large government agency the bottom line is it's still run by people who may not have all the facts.

    3. Re:Switch campaign kick-off by Angry+Pixie · · Score: 0

      Maybe I'm ignoring the severity of this new Microsoft flaw, but why is the Dept. of Homeland Security issuing ANY statement about security flaws in any operating system? The Department was created to combat terrorism, and its resources (and hopefully skills) are vested in doing just that, but providing a service I can get for free from the computing community...

      The next thing you know, the government will be raising the threat level in response to a Slashdot poll.

    4. Re:Switch campaign kick-off by platypus · · Score: 2, Interesting

      Maybe I'm ignoring the severity of this new Microsoft flaw, but why the Dept. of Homeland Security issuing ANY statement about security flaws in any operating system?

      Maybe because their PR department was scheduled to produce some proof for their right to exist, but they didn't have any terrorists handy ATM.

      Seriously, this shouldn't be their job, in the end they will be just echoing CERT or bugtraq, while wasting a lot of money into "network security research".

    5. Re:Switch campaign kick-off by Geek+of+Tech · · Score: 1
      Well, a lot of people trust the government a great deal more than their neighborhood geek who's been using linux since 1995.

      Those of us who are around tech a lot have a way of telling everyone about this new security flaw and that new security flaw. For a great deal, we've just been crying wolf (or so the non-techies think).

      Now the US Government says "Microsoft OS's have a serious vulnerability in them". In the eyes of a number of Non-tech and Tech users alike, that is more reputable than hearing one, or even the majority of us say "There's a new hole in Microsoft OS's..."

      --
      Stop the Slashdot effect! Don't read the articles!
  22. Again.. by NetJunkie · · Score: 4, Insightful

    Patch your stuff and for goodness sake put up a firewall! RPC port open to the word? Why?!

    1. Re:Again.. by blibbleblobble · · Score: 1

      "Patch your stuff and for goodness sake put up a firewall!"

      Yeah, patch it with a friggin' OpenBSD installation.

      And no, "BSD" doesn't stand for the microsoft icon.

    2. Re:Again.. by White+Roses · · Score: 5, Funny
      RPC port open to the word? Why?!

      So it can be saved and get into heaven. Oh, you mean world.

      --
      Do not touch -Willie
    3. Re:Again.. by TheHulk · · Score: 1

      Unfortunately the issue isn't restricted to clients open to the Internet. If someone were to deliver the worm via email, and it were set loose inside a firewall, the results would be disastrous!!! The other possibility is client VPNs. If a client is infected and VPNs to their corporate network, they could still infect all hosts behind the firewall. I agree, firewalls are a good place to start, but it's not the solution to the real problem.

    4. Re:Again.. by Telastyn · · Score: 1

      Because hiding the problem doesn't fix the problem. It just means that it takes 2 steps to own the machine rather than 1. Shut down services or make them secure, don't firewall them and expect them to suddenly become secure. They won't...

  23. how long has the patch been available? by *weasel · · Score: 1, Interesting

    *boggle*

    would every geek please walk over to their nearest 4 non-geek's MS boxes and flick 'autoupdate' on? maybe we can spare a few routers in the future?

    i mean, if they insist on having those boxes, the least we can do is make sure they're patched up.

    say what you will about MS - but these big exploits don't usually hit until weeks after the patch has been available.

    and if you're relaxed enough with control over your box to run MS in the first place, autoupdate ain't any worse.

    --
    // "Can't clowns and pirates just -try- to get along?"
    1. Re:how long has the patch been available? by MagPulse · · Score: 0, Flamebait

      Yes, please instruct Linux weenies everywhere to go over and change the configuration of "non-geek"'s computers. Please, oh Linux gods, save us impoverished Windows users from the horrors you speak of by messing with our personal boxes. Or wait, I have a better idea:

      KEEP THE F*CK AWAY FROM MY MACHINE.

    2. Re:how long has the patch been available? by Anonymous Coward · · Score: 0

      would every geek please walk over to their nearest 4 non-geek's MS boxes and flick 'autoupdate' on? maybe we can spare a few routers in the future?

      Oh, yeah, it'll spare the routers alright! Because one of M$'s auto-updated patches is sure to bring the machine down! Auto-update is a bad idea until M$ gets their act together and does more thorough testing before releasing patches. One of the reasons there are so many unpatched machines out there is because they have released so many patches that have killed machines and/or applications.

    3. Re:how long has the patch been available? by Rogerborg · · Score: 4, Funny

      Jeez, you Microserf zealots are getting irrational and touchy. Back off man, that's our shtick. ;-P

      --
      If you were blocking sigs, you wouldn't have to read this.
    4. Re:how long has the patch been available? by blibbleblobble · · Score: 1

      "would every geek please walk over to their nearest 4 non-geek's MS boxes and flick 'autoupdate' on?"

      "Do you accept the updated EULA for...?"

    5. Re:how long has the patch been available? by forgetmenot · · Score: 1

      The *problem* with this is that a lot of people don't trust auto-update and not without good reason. The last time I allowed autoupdate to patch my system it "broke" several applications. One of those broken apps was the install manager used by Sun's Java distributions. surprise surprise.

      Unfortunately, another problem - and this is one I have where I work - we have NO direct connection to the internet meaning we can't apply these patches. Our internet services are provided via Citrix sessions to our ISP. Too complicated to try to explain here. But anyway, you might think this means we're not vulnerable. HA. Think again! Some joker with a laptop can still get his machine infected elsewhere and then come in to work the next day, plug into our LAN, and presto! Big problems and no easy way to patch. And to boot, we laid off our only sysadmin because the department manager figured we didn't need him anymore because Ta-da! Our servers were all taken care of by our ISP now.. You have to ask yourself now, "Who takes care of all those workstation".
      NOBODY! That's who.

      We're doomed.

  24. so what? by shaklee · · Score: 1

    They post other vulnerabilities like BIND, not just windows advisories. Was this just a bad attempt to make a cheap shot at microsoft?

  25. Futures market for network insecurity by The+Fun+Guy · · Score: 1, Interesting

    I wonder what kind of odds John Poindexter would offer on "MS-based systems will be the subject of a successful cyberattack resulting in significant economic impact in lost data, functionality, uptime and manhours." Any bets? Anyone? C'mon, nobody wants to take this bet?

    Seriously, if they wanted to take bets on which national leader would get hit, couldn't they do the same for which OS will fail first/most? Or bet on how much the next big exploit will cost, to the nearest $10M?

    --
    The man who does not read good books has no advantage over the man who cannot read them. - Mark Twain
    1. Re:Futures market for network insecurity by MoThugz · · Score: 1

      Almost nil... he was (forced?) to resign.

  26. Contract? by WPIDalamar · · Score: 0, Funny

    Didn't the department of homeland injustices sign a big fat contract with MS to provide a bunch of software a little while ago? Wouldn't announcing this be against the EULA of microsoft products or something =)

  27. Govt should use its own OS. by sniggly · · Score: 5, Insightful

    It's time the government started to realize its own linux version has been developed to preclude vulnerabilities such as these that are caused mostly by sloppy programming.

    --
    Of those to whom much is given, much is required.
  28. Well engineered worms by Catskul · · Score: 5, Insightful
    I think it is going to be worse if someone actually has an objective (ie terrorists) because all of the worms I have heard of have been fairly poorly engineered.

    A well engineered worm would:

    Work on many different systems.

    Use more than one security flaw. (spread by email, + kazaa, + IE hole, + sendmail hole)

    Patch that flaw once compromised, and open a separate hole

    Have at least different attack modes (slow and quiet and local sub nets, fast and hard and whole internet)

    Build up to critical mass before initiating fast attack mode.

    Attempt to hide itself from scans. (maybe randomly stop functioning for a while to offer false sense of security)

    Adjust its fingerprint so that it isn't simple to find computers which have the worm (use different ports, different protocols, send some different data when filling buffers etc)

    Offer a payload that makes patching difficult, goes after security websites that often offer patches, targets financial institutions, etc.

    Patch other programs on the system, back to previous insecure versions.

    And that's just off the top of my head. If someone really is sitting down and thinking about this, I'm sure they could come up with much more dangerous specifications.

    I think someone should be writing a competing worm that patches all vulnerable systems, just in case this breaks out into a crisis.

    --

    Im not here now... Im out KILLING pepperoni
    1. Re:Well engineered worms by Anonymous Coward · · Score: 0

      The trouble with your worm is that it's going to be HUGE. That means it'll be slow to spread and easy to guard against. It'll probably never break out of the first few servers it finds. Really successful stuff is small - look at SQL Slammer.

    2. Re:Well engineered worms by wirelessbuzzers · · Score: 1

      Mutation engines and polymorphic encryption can be pretty evil for this sort of thing. Basically you encrypt most of the worm (doesn't have to be good encryption, it's just there to confuse scanners), and then have the decryption engine mutate (change order of instructions, values of literals for a different key). This sort of thing confuses the hell out of scanners for quite awhile.

      --
      I hereby place the above post in the public domain.
    3. Re:Well engineered worms by digitalunity · · Score: 4, Insightful

      In case you hadn't noticed, few virus writers are developing malicious code. It would appear that most of the internet worms of late are fairly innocuous, and their only design feature is the ability to replicate itself. However, there are others that send random files by e-mail to random people. That was kind of funny. No, if someone wanted to write some really mean code, they'd set up a worm that would find and infect at least a few hosts, and then destroy its host OS. It wouldn't spread as fast as non-destructive worms, but it'd cause a lot of trouble for a lot of people.

      Personally, this RPC bug doesn't really get me thinking much. Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming. Now, on the other hand, if a live exploit for BGP4 was ever discovered and published, we'd be in a world of hurt for quite a while.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    4. Re:Well engineered worms by Catskul · · Score: 1

      Several of those features wouldn't necessarily really increase the size of the worm. Also there could be some that are going around without the extra features and some with, and once it took hold the ones without could dl from the ones with to gain extra functionality.

      --

      Im not here now... Im out KILLING pepperoni
    5. Re:Well engineered worms by Finni · · Score: 4, Insightful
      Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming.

      True, but that doesn't cover any/all cases at all. Businesses with Windows servers can't turn off RPC (and sometimes can't turn off DCOM) on their users' laptops, right? So a laptop user goes home and uses dialup, or he has broadband and no router and gets infected. Now he comes back into work the next day. The MS-supplied patch doesn't work in all cases, so even if they have a good patching system and a great firewall, they've still got a compromised, infectious system on their LAN. Mobile-user VPN has the same risks.

    6. Re:Well engineered worms by Anonymous Coward · · Score: 0

      Many people have problems with the white hat route....although I'm sure they'd shut their faces as soon as they can't get to Slashdot for their info fix..

      Seriously though, I don't see terrorists doing this. As you've very clearly laid out, it's a complex task. I do, however, see a real possibility from people in Russia or China pulling it off.....for a variety of reasons.. I'm sure there are many people who would love to disrupt US businesses remotely.

    7. Re:Well engineered worms by hey · · Score: 3, Interesting
      Thanks for the tips ;-)

      Yeah, I like the idea of changing DLLs on a system back to insecure versions and (of course) keeping the Add/Remove Programs list saying the patches have been applied. Needless to say this would be other worms/viruses would get in further making diagnosing more difficult.

      If we want to see what nasty viruses do we need only look at nature. For example, AIDS (or the HIV virus if you want to be exact) attacks the immune system -- the part of the body that fights viruses. People with AIDS then die with opportunistic viruses, like pneumonia, take advantage of the situation. If you wrote a computer virus that only attacked the immune system of the net it would be quite a sight to see.

      • Launch DDOS attacks against Windows Update, Symantec, Norton, CERT websites
      • Make the Windows update agent think all is well but to the user appear to be functioning properly
      • Likewise neuter virus checking programs by say altering their .EXE's to check for a different .DAT file. If the user can manage to get a current .DAT file he replaces one that the program isn't looking at :-)
    8. Re:Well engineered worms by jandrese · · Score: 1

      In some ways, a destructive worm like the one you mentioned above might actually do some good by waking people up to the need to keep their boxes patched or protected so they don't become a host for yet another worm. I can imagine something like the old Michelangelo scare from a few years ago (although that one didn't amount to much).

      --

      I read the internet for the articles.
    9. Re:Well engineered worms by WhiteWolf666 · · Score: 5, Insightful

      Or, maybe, create a set of worms

      IANAWC (I am not a worm creator), but, you could have all kinds of worms running around. One that attacked on a large scale, seeking to infect as many systems as possible. Then it would download extra components as needed, but otherwise sit dormant, awaiting the final component. One that sought out unpatched, vulnerable, Windows 2000/XP boxes, to use as a permanent base of operations (This one could be BIG). One that sought out infected systems, and modified the worm continuously, to confuse scanners. And maybe, you could even have the dang things self-destruct? I don't know much about this, but you can set up applications on a Windows 2000/XP box that won't run until the next realmode boot, right? If it installs itself as a system file, scanners won't be able to remove it unless they run before the system is fully booted up. But if your worm runs the next time pre-bootup system maintenance is scheduled, and runs before any other task, you could have it eat the harddrive.

      If one were to prepare this sort of thing ahead of time, and released the worms one by one, most of the security community wouldn't anticipate the attack. Especially if they were all encrypted, and you released them in a quick enough period such that it would not be obvious that they were working together until after the fact.

      The other thing I wonder is why worms haven't targeted the infrastructure of weak networks. Like that worm that was discovered on the comcast dns servers. If someone were to create something that attacked the Windows 2000/XP (or any other operating system, but Windows seems like it would be the most vulnerable) TCP/IP stack, and only attacked systems behind vulnerable routers, and then utilized the hacked TCP/IP stack and hacked routers to hide all of the traffic, it would be extremely hard for anyone to tell what had happened, right?

      Of course, all of the things I have just said won't work, as I've described them. My knowledge of this topic is just too limited to really make much sense, but my point is I don't think we have seen a coordinated effort to run multiple, smaller worms in concert. This way you can spread a rapid, smaller infection, and use it to pave the way for a much more deadly, and harder to remove infection.

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    10. Re:Well engineered worms by jkrise · · Score: 0

      that doesn't cover any/all cases at all. Businesses with Windows servers can't turn off RPC (and sometimes can't turn off DCOM)

      In other words, what the parent is trying to say is this "This doesn't appear to be a terrorist kind of attack at all. It appears to be a move to get people patching and/or upgrading their Windows systems. It's fairly obvious which firm benefits from both of the above."

      Kind of sick actually, but that's how MS made most of its $45 bn.

      -

      --
      If you keep throwing chairs, one day you'll break windows....
    11. Re:Well engineered worms by Anonymous Coward · · Score: 2, Funny

      ...Or, maybe, create a set of worms...

      if a set of geese is a gaggle,
      a set of whales is a pod,
      a set of cows is a hurd,
      is a set of worms a can ?

      ...Or, maybe, open a can of worms...

      HA! I Crack my self UP!

    12. Re:Well engineered worms by geekmetal · · Score: 1

      That would also be a mighty good progress in the field of Artificial intelligence.

      --
      There are two kinds of egotists: 1) Those who admit it 2) The rest of us
    13. Re:Well engineered worms by Finni · · Score: 3, Interesting
      No. This has nothing to do with forced upgrades, because

      1. They made patches for this covering all the way back to NT 4.0

      2. They don't charge for these patches.

      3. The bloody patch doesn't work.

    14. Re:Well engineered worms by chef_raekwon · · Score: 1, Funny

      ...the mother of all conspiracy theories....

      i wonder if you watched a helluva lot of star trek when you were a kid....(or maybe Bill Nye the Science Guy, you really seem to like worms.)

      (this is meant as a joke for all you moderators...im not trolling, at least not here)

      --
      We're like rats, in some experiment! -- George Costanza
    15. Re:Well engineered worms by Tony+Hoyle · · Score: 1

      If the laptop is owned by the company, the company installs a firewall (at least zonealarm, probably something better). And antivirus. And locks it down.

      If the laptop is owned by the user, the company mandates that he installs his own firewall - if his machine then infects the network, he gets his ass fired.

      Simple.

    16. Re:Well engineered worms by Anonymous Coward · · Score: 0

      That's a lot of code to try and fit into a small file that is meant to be distributed rapidly. I suppose this could be possible with a worm that spreads first, then downloads plugins to add all the functionality (which has been done before).

    17. Re:Well engineered worms by nat5an · · Score: 3, Insightful

      Well, admins can turn off RPC on their users' laptops. The average user probably has no need for this service to be running. Of course, you never know what Microsoft is using it for. You turn off the RPC service, and suddenly 10 unrelated things stop working. Such is the fun of being a Windows Admin (and I would know).

      --
      Head down, go to sleep to the rhythm of the war drums...
    18. Re:Well engineered worms by tsa · · Score: 2, Insightful

      And since most users are completely incompetent in configuring and securing their PC, if I had a business I would forbid them to use their own computers for work.

      --

      -- Cheers!

    19. Re:Well engineered worms by johnnyb · · Score: 3, Interesting

      Actually, destroying the whole OS isn't as bad as you can get. Imagine if there were a worm packed with a payload like CPUburn! Or if it had drivers which hosed hardware. Especially if it was set to go off in the middle of the night, you could actually have a virus which inflicted hardware damage.

    20. Re:Well engineered worms by Vainglorious+Coward · · Score: 2, Insightful
      In case you hadn't noticed, few virus writers are developing malicious code.

      While it's generally true that historically, most viruses have had feeble or non-existent payloads, the evidence is strong that some of the waves of infection this year have been created by spam gangs, using viral infections to install proxy software.

      --
      My next sig will be ready soon, but subscribers can beat the rush
    21. Re:Well engineered worms by peccary · · Score: 0, Troll

      The fact that there are so few truly malicious worms has given me renewed faith in the basic goodness of human nature.

      The only other explanation is that malice and laziness are inextricably intertwined.

    22. Re:Well engineered worms by johnnyb · · Score: 1

      A well-engineered worm could also cause hardware damage using a payload such as CPUburn.

    23. Re:Well engineered worms by mopslik · · Score: 1

      Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming. Isn't this akin to saying "anyone who doesn't personally inspect architectural component X deserves to have their house collapse on them"? I don't know about you, but I think it's more appropriate to point the finger at the manufacturer than to laugh at the end users.

    24. Re:Well engineered worms by geekoid · · Score: 1

      or, once on the machine, change its name, change its file size, try to contact other machines for a day, then hide. About a month later, just start deleting files.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    25. Re:Well engineered worms by Anonymous Coward · · Score: 0
      Launch DDOS attached against Windows Update, Symantec, Norton, CERT websites

      Or tamper with the DNS client so that instead of downloading updates from these sites, they are in fact obtaining an infected patch from an infected peer (not from a hax0r site - that would be too easy to block. make it a P2P mechanism)

    26. Re:Well engineered worms by Anonymous Coward · · Score: 0

      Most ISPs and backbone providers at least ACL their BGP peers, so it might be a little harder to conduct a widespread assault on BGP than simply just having an exploit for it.

    27. Re:Well engineered worms by richard_willey · · Score: 1


      I've started to wonder whether there might not be an inverse relationship between the rate at which a worm spreads and the type of payload that it carries.

      If I have a worm that propagates relatively slowly, this may limit my ability to deploy a nasty payload. I need infected hosts up and running in order to infect other systems.

      Contrast this with a "flash worm" which propagates at an enormously high rate of speed. After 15 minutes, almost all vulnerable hosts will be infected. No reason not to frag the system.

    28. Re:Well engineered worms by bmajik · · Score: 1

      to fool add/remove programs:
      you'd need to edit the MSI database on the machine. otherwise at some point MSI will recognize that the packages are invalid and will ask you to put in a disk to repair them

      good luck trying to ddos Windows Update :)

      here is a place where defense in depth helps.

      MBSA is basically a windows version of tripwire, and WU / MBSA exchanges are cryptographically signed, etc.

      --
      My opinions are my own, and do not necessarily represent those of my employer.
    29. Re:Well engineered worms by WhiteWolf666 · · Score: 1

      HAHAHAHAHA

      ROFL

      I'm crying.

      That was funny

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    30. Re:Well engineered worms by mdielmann · · Score: 1

      Or, you could create a script generator, select the options of the day, and create any worm/virus you want. That sounds new...

      --
      Sure I'm paranoid, but am I paranoid enough?
    31. Re:Well engineered worms by JBv · · Score: 1

      Well... considering that most people only notice the mssql server running when they see the icon on the systray...

      Most of them don't even know (or care) where this thing came from. Talk to them about this RPC stuff. Don't forget to tell them it's their fault.

    32. Re:Well engineered worms by Anonymous Coward · · Score: 0

      LOL, AHHHHHHHHH administration, it's a lovely thing when the company trust the IT department ; )

    33. Re:Well engineered worms by gordyf · · Score: 1

      CPUburn would do nothing to a server. All it does is peg cpu usage at 100%. Running SETI@Home would be equally dangerous.

    34. Re:Well engineered worms by johnnyb · · Score: 1

      This is incorrect. There are certain instructions that cause much more heat than others. Some an order of magnitude hotter. Running these instructions in sequence can cause CPUs to overheat easily.

    35. Re:Well engineered worms by StillNeedMoreCoffee · · Score: 1

      "Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming."

      And I suppose that someone who drives down the street and suffers from a stray bullet from a bank robbery is stupid, or someone sitting on their porch and is a victim of a drive by shooting. Let's not get confused with who is at fault and how malicious these things can be. There is no excuse for worm or virus creation. There is no justification for worm or virus creation.

      The idea that people who purchase computers and hook to the internet are "stupid" if they haven't researched the latest esoteric system problems and downloaded and patched their home computer is elitist and wrong headed. Or that unethical unprincipled people have worked hours and hours finding bugs in systems and designed code that will invade, possibly damage or destroy someone else's property, makes the victim "stupid" or the coder "clever". Let's keep some perspective about who is who and what is what.

    36. Re:Well engineered worms by gordyf · · Score: 1
      No, actually, you're wrong. Read CPUburn's own documentation:

      If sub-spec, your system may lock up after 2-10 minutes. It shouldn't. burn* are just an unpriviliged user processes. But it probably means your CPU is undercooled, most likely no thermal grease or other interface material between CPU & heatsink. Or some other deficiency.
      So, in essence, if cpuburn crashes your system, your system is defective to begin with.
    37. Re:Well engineered worms by johnnyb · · Score: 1

      "So, in essence, if cpuburn crashes your system, your system is defective to begin with."

      This is true, but it doesn't mean that it is as innocuous as Seti@Home.

      Do you think that most sysadmins watch their heat that closely? Do you think they'd notice if they threw a fan? Especially with older equipment, this could cause major problems.

      And think if you had a worm which attained privileged access. You might be able to do real damage (think of how hot you can get those NVIDIA cards).

    38. Re:Well engineered worms by gordyf · · Score: 1

      I think they would notice if they "threw a fan", as all decent hardware has fan and temp monitoring built in. Hell, anything newer than a Pentium II board will have fan monitoring.

      I still believe that a cpu load testing tool such as cpuburn is just as damaging, or not, as a distributed client such as seti@home or any of the distributed.net projects.

    39. Re:Well engineered worms by johnnyb · · Score: 1

      One thing - many modern CPUs will switch to half-clockspeed mode or apply other heatsaving measures when they hit a certain heat.

    40. Re:Well engineered worms by johnnyb · · Score: 1

      I disagree, but I could still think of other fun things someone could do to render your machine useless:

      * Overwrite the BIOS with something fun - wouldn't it make your day to boot to a Hangman game rather than your BIOS? Flash BIOSes are everywhere, this could possibly work.

      * Based on how cheaply hardware is being made these days, my guess is that most hardware can be tricked into doing out-of-spec things. Even if not, many of them have programmable parts. Imagine if your plug-and-play network card suddenly decided that it owned the IRQ of another device?

      * If you managed to bypass the buffer-cache, you might be able to cause a hard-disk to fail by reading and writing a single sector multiple times in ultra-rapid succession. That would be really fun on the partition table.

      * Another fun BIOS thing - you might be able to change the boot order of your machine so that it tries to netboot. It would be really fun if you had your virus alternating between _setting_ a machine to netboot, and being a netboot server serving out fun images (by fun I mean, well, use your imagination :)

    41. Re:Well engineered worms by gordyf · · Score: 1

      Right, they slow down when they get dangerously hot. This only makes a defective system less prone to crashes.

      Really, if someone's going to try to damage a system, cpuburn is the last thing they're going to install.

      For one, a server that runs important services will be monitored closely, and will probably have a fairly high load as it is. Running cpuburn on it will either do nothing at all, or alert the sysadmins that something's not quite right. It will have no damaging effect on hardware.

      Even in the worst case scenario, where a server has no ventilation and a heatsink caked with dust and somehow hasn't already crashed itself, cpuburn would merely lock it up. Once the cpu locks up, it will cease executing instructions and begin to cool off. No damage will occur.

      If a worm wants to be malicious, cpuburn is not going to do the trick.

    42. Re:Well engineered worms by Geek+of+Tech · · Score: 1
      Okay, go ahead and mod me "Offtopic", but I have a question I've been wondering about.

      Suppose someone created a virus that had a list of vulnerabilities for Win9x / WinXP / Win2K / RedHatx.x / Mandrake x.x / etc.
      Now, would it be possible to compile two copies of the virus? One that ran on windows and one that ran on linux? Now, couldn't one of the viruses be packaged inside the other?

      Windows Virus[Linux Virus]

      Now, couldn't the virus have a network scanner, to tell what OS other hosts use, and if they had any applicable flaws? Basically a normal network scanner, souped up a notch.

      Now if this scanner found a vulnerable linux host couldn't it put the Linux Virus on the host and put a copy of the Windows Virus packaged inside that?

      Linux Virus[Windows Virus]

      Couldn't it be done with some assembly?

      Windows Virus[Linux Virus]

      Create New Buffer
      Copy Linux Virus to Buffer

      Linux Virus

      Copy the Windows Virus into storage

      Linux Virus[Windows Virus]

      Wouldn't that be possible?
      Something like that might be needed for both the Windows and Linux community, the realization that neither of us are perfect.

      Nice cross-platform virus?

      --
      Stop the Slashdot effect! Don't read the articles!
    43. Re:Well engineered worms by taernim · · Score: 1

      Uh... if the worm has only been seen in isolated instances, how exactly do you know it doesn't work?

      --
      "PC Load Letter? What the $@#% does that mean?!"
    44. Re:Well engineered worms by kir · · Score: 1

      Mobile-user VPN has the same risks.

      So true Finni. I feed and care for the perimeter security for a somewhat visible DoD organization. We've no VPNs. We don't do VPNs. All the many threats like this are exactly why.

      Users want them... why? So they can access their home directory and the organizational shares. In order to do this with any sort of real security, you've got to use a VPN. So, you give them a VPN, personal firewall, and then firewall their ingress point. Sounds good, but you've still got to give them access to the protocols on the servers that are the most critical. SMB/NetBIOS to the DCs and the fileserver(s). Why even firewall if you've got to open these deadly protocols up.

      Others tell me VPNs are secure. As far as I'm concerned, they're just encrypted tunnels through my perimeter. I've got a pretty well locked down perimeter. Why in the world would I want to push my perimeter out to some remote laptop with only personal firewall software protecting it? I'm lucky I've been able to stem the tide this long, but I'm not sure how much longer I can.

      I'm trying to push something like a share-point server to solve this "requirement". I could implement it in Linux with Apache and Samba, but Linux is sort of a worrisome word around the office thanks, in part, to SCO.

      --
      3cx.org - A truly bad website.
    45. Re:Well engineered worms by Anonymous Coward · · Score: 0

      Funny, that post doesn't look like a troll to me. I think it's either Interesting or Insightful.

    46. Re:Well engineered worms by Anonymous Coward · · Score: 0

      Actually, much worse than burning the CPU or erasing files would be for a virus to subtly and purposefully corrupt data. Imagine if a virus searched out spreadsheets and changed only a few digits. Not enough to notice changes, but enough to affect results. Just think of millions of people frustrated with doing their taxes because they can no longer make QuickBooks come out the same as their check book. Or if TurboTax resulted in people paying less taxes than they were supposed to.

    47. Re:Well engineered worms by jmorris42 · · Score: 1

      The one I have always wondered why there were not more examples of is flash bios infectors. Heard one tale from a source that MIGHT be telling the truth of encountering a machine where it just displayed a penis and hung in place of the BIOS banner, but that was early 90's. Lots of potential on a modern machine, BIOS, many hard drives, most CD-RW drives, some video boards. And if you don't need to display a penis you can ignore the problem of getting valid code in em and just blank the whole thing.

      Talk about getting into the news. It would really boost Dell's stock (all that hardware to be replaced) except it would probably also cause a depression such that nobody would be buying much of anything for a few years.

      But thankfully all we have had to date is ill-behaved malware written by idiots. Sure it might be nice to watch Microsoft grilled before Congress and hounded out of business in the aftermath of a real destructive worm, but I wouldn't want to live through the sort of economic catastrophe it would take to get that sort of action. And if it is anything less than a total poochscrew, the victims will just eat the cost and keep buying more Dells preloaded with Windows.

      --
      Democrat delenda est
    48. Re:Well engineered worms by digitalunity · · Score: 1

      No, what makes people stupid is their lack of interest in security and their incessant ranting about the lack of Microsoft's security stance. My point is it is ignorant to leave open 75 TCP/IP ports for services that aren't being used. What's worse is that 10 minutes of research could prevent 90% of most virus' spreading.

      It's not akin to a random driveby shooting. It's closer to living in a gang neighborhood and leaving the front door open with the porch light on.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    49. Re:Well engineered worms by digitalunity · · Score: 1

      Isn't this akin to saying "anyone who doesn't personally inspect architectural component X deserves to have their house collapse on them"?
      No. Would you move into a house knowing it was completely dryrotted and could collapse at any moment, with even the slightest breeze? That's like using Windows without spending 10 minutes tidying up all the open ends Microsoft ships their OS's with.

      Microsoft isn't secure like Unix/Linux/BSD is. But it can become far more secure than it is out of the box.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    50. Re:Well engineered worms by Joey+Vegetables · · Score: 1

      I think that DCOM, and therefore ADO, and therefore most data-backed applications, depend on the RPC service. So this wouldn't be an option for most corporate desktops.

    51. Re:Well engineered worms by StillNeedMoreCoffee · · Score: 1

      Sorry, the internet is not just for the initiated anymore. Not for years. The 10 minutes you speak of research only applies to someone who knows what a tcp port is and how to ask the question. Some people will never know what questions to ask or of whom and how to solve the problem. Most environments don't come with easy ways to do this. You often have to find (buy/download) software, install it (software firewalls and the like) then limit the ports. Knowing my own father who wants a PC hooked to the internet, these concepts are very foreign. He hasn't a chance of knowing what to do or what risk he is in. But he is not stupid.

      The problem, to use your analogy, which I like, is like living in a gang controlled neighborhood. The problem and fault is with the gangs, not the home owners sitting on the porch. I was talking about where the responsibility lies. Actually I would say it's more like a good neighborhood that a bad malicious element has moved into. There is no excuse for their behaviour. It is not the type of neighborhood any of us want.

      To compound the problem, no manufacturer or computer store is going to tell the consumer of the risks, well maybe to sell more stuff, but certainly not Microsoft or Best Buy, or Comcast. It is not in their best interests to tell people they are walking into potentially risky environments and that they need to be constantly vigilant and continually upgrade and patch to stay safe.

      Part of that is software quality and part is malicious behavior. Both of these need to be fixed.

      Try going to someone in your family who has a computer but not in the business and not stupid and just see if they can find out what they need to do and how to shut down which tcp ports in 10 minutes. It might be an eye opener to the magnitude of that problem.

  29. HomeSec. Ingsoc. MiniPax. Double-plus good. by thelandp · · Score: 5, Funny
    The name "HomeSec" reminds me of a few similar terms from George Orwell's important (and never more appropriate) book, 1984.

    Most government departments actually are designed to achieve the opposite of their names. For example, the "Department of Homeland Security" is in fact designed to control the level of insecurity that people feel. Likewise, the ministry of defence is really about offence, and in 1984 the Ministry of Information is about disinformation and so on.

    In the book, the language was controlled to the point of creating new terms like IngSoc, MiniPax (ministry of peace, really designed to perpetuate war), and Double-plus good.

    The whole point here is to justify the actions of the government. Because it becomes a lot easier to justify removing civil rights when there is the perceived threat of some common enemy.

    --

    -- the only thing we have to fear is really scary things
    1. Re:HomeSec. Ingsoc. MiniPax. Double-plus good. by jvollmer · · Score: 1

      He's read Goldstein's book... GET 'IM!

    2. Re:HomeSec. Ingsoc. MiniPax. Double-plus good. by replicant108 · · Score: 1
    3. Re:HomeSec. Ingsoc. MiniPax. Double-plus good. by Anonymous Coward · · Score: 0

      Yes, congratulations, you found out where michael made up the term. Yay, you both read the same book and are suspicious of the government. That doesn't mean either of you should go around using it in place of Homeland Security's proper name.

    4. Re:HomeSec. Ingsoc. MiniPax. Double-plus good. by mdielmann · · Score: 1

      The theory was, if you didn't have words for something, you couldn't conceptualize it. This seems intuitive, but raises questions with the whole invention idea. Some things really are new. And you could always define a new word - and if one isn't enough, you can build whole dictionaries with new ones.

      Also, if there is an 'approved' word, if you have negation terms in your language, you can now describe the opposite of the approved word. But how can you have a language without the concept of negation? It was the biggest flaw in the language of the book - "MiniPax is double-plus-ungood". All that effort to modify language, and you can still disparage them....

      --
      Sure I'm paranoid, but am I paranoid enough?
    5. Re:HomeSec. Ingsoc. MiniPax. Double-plus good. by Anonymous Coward · · Score: 0

      "It would have been possible, for example, to say Big Brother is ungood. But this statement, which to an orthodox ear merely conveyed a self-evident absurdity, could not have been sustained by reasoned argument, because the necessary words were not available."
      The Principles of Newspeak, C Vokabulary

  30. Too many rights! by littleghoti · · Score: 1

    Imprison them as "illegal combatants" at camp x-ray and that way you don't even have to follow the Geneva convention! You can break any human rights they have!

  31. Free patches! by idiotnot · · Score: 1

    So much for "journalism" from CNN. That story is sucking up to MS. I guess the AOL/MS lovefest continues.

    Yeah, they're offering the patches free of charge. But it wouldn't be that big of a deal if their junk wasn't broken so much to begin with! If MS actually *charged* for security patches, okay, it needn't be MS necessarily -- any proprietary software vendor, they'd take a hit in sales.

    Notice that Server 2k3 is affected, too. Keeping count, the rate of vulnerabilities is slowing down a bit, but they're still very much there.

  32. How shocking. by Srass · · Score: 0

    And in other news, the Department of Homeland Security also warned that the sun may rise in the east tomorrow. . .

    1. Re:How shocking. by schatten · · Score: 1

      I have to agree with this. HomeSec is doing what for the people of the US? oh, they are telling us of Microsoft patches. Ugh. What a joke. Sounds like they hired some real winners there.

  33. DoHS is anti-Internet anyway by Dynamoo · · Score: 1

    The Department of Homeland Security is dead against the internet anyway, as stated in this press release. ;)

    --
    Never email donotemail@WeAreSpammers.com
  34. The World is Ending!!! by RDosage · · Score: 1

    Does anyone else in the security industry worry about the amount of publicized security vulnerabilities not having an effect on the general population? When CNN.com is running stories like this one, and then nothing happens, will people just start ignoring the problem? If people start ignoring these advisories, we will be in much greater trouble when something bad really does happen.

    1. Re:The World is Ending!!! by rice+krispy · · Score: 1

      ...and the little boy cried wolf till one day nobody heeded his cries. unfortunately it is we who are the sheep.

  35. the patch is really a trojan (funny) by number6x · · Score: 2, Funny

    The patch from MS is really a trojan!

    Go to this link to learn more!

    1. Re:the patch is really a trojan (funny) by normal_guy · · Score: 1

      Did the immensely useful Gator program show you that trick?

      --

      Linux: Free if your time is worthless.
  36. Download Bush's Executables? by Jagasian · · Score: 1

    So wait, the government is recommending that I download an executable and run it. Is that supposed to make me feel more safe? After being repeatedly lied to by this government, I am supposed to bend over and run their executables? I already run Linux at work. Seems the home computer needs a little conversion too.

  37. Hired Pathetc Web Developer? by Jerk+City+Troll · · Score: 0, Offtopic

    Is it just me, or do the web pages of our GroBartige Abteilung der Vaterland-Sicherheit look like it was made by a 14 year old?

    1. Re:Hired Pathetc Web Developer? by Anonymous Coward · · Score: 0

      I've just discovered from this post that /. cannot handle the #0225 character (ß). Too US-centric, guys, if you can't even handle ISO8859-1

    2. Re:Hired Pathetc Web Developer? by Anonymous Coward · · Score: 0

      I made an honest effort to use that, but /. kept stripping it out. How stupid... I try to not be so "American" (as opposed to nlingual where "n" is greater than 1).

  38. Just because i'm paranoid... by rice+krispy · · Score: 1

    is it just me (and my imaginary friends) who thinks this just a game of cat-and-mouse that the fear mongers at the DOHS like to play with the media, knowing full well that even the smallest rumor will be inevitably amplified in stentorian tones on the national stage? is it just me who thinks that this is merely a glorious and dramatic means of self-justification on the part of DHS? is it just me who thinks that the DHS is doing a wonderful job... at spreading terror?

  39. security through obscurity by BigBir3d · · Score: 2, Funny

    I guess that is why our IT Department doesn't want to update the desktops beyond Windows 98. "Hackers target the newest OS" is what he said. Apparently system stability is not a high concern :(

    1. Re:security through obscurity by Chibi+Merrow · · Score: 1

      Except that Win98 is also vulnerable to this, it's just no longer supported for updates.

      Thankyoudrivethrough.

      --
      Maxim: People cannot follow directions.
      Increases in truth directly with the length of time spent explaining them
    2. Re:security through obscurity by BigBir3d · · Score: 1
      RTFLA.....

      SYSTEMS AFFECTED: Computers using the following operating systems:

      Microsoft Windows NT 4.0
      Microsoft Windows NT 4.0 Terminal Services Edition
      Microsoft Windows 2000
      Microsoft Windows XP
      Microsoft Windows Server 2003

      And Windows 98 is still actively being supported.

      Attention
      In accordance with the Microsoft Product Support Lifecycle, no-charge support for Windows 98 will end on July 1, 2003. Paid-only support will continue to be available from Microsoft at $35 per incident. Support will also be available from some third party providers.

      Microsoft will also continue to offer a variety of self-help resources on the Product Support Services Web site until at least January 16, 2006, two years after phone support for Windows 98 ends on January 16, 2004. These resources include the Microsoft Knowledge Base and Newsgroups.


  40. Time to be happy... by bangalla · · Score: 1

    ....if you're a Linux or Mac user.

    This isn't a surprise is it? What's worse is that so many MS patches are uninstalled from peoples' systems because they break something important.

    I'm so over these types of problems, put all of these crappy windows boxes behind great big firewalls, switch whatever you can to other platforms and let the other suckers bear the consequences of the disaster. Hopefully if a large proportion of the world's IT infrastructure grinds to a halt often enough peoples' eyes will be opened.

    --
    I want to use these Mod points but I can't find anything Interesting, Informative or Insightful on Slashdot.
    1. Re:Time to be happy... by perly-king-69 · · Score: 1

      ...if you're a Linux or Mac user.

      Don't worry, there are plenty of unpatched sendmails out there

      --

      --
      This sig is inoffensive.

    2. Re:Time to be happy... by Anonymous Coward · · Score: 0

      whew, my C64 wasn't on the list.

  41. Are you kidding me? by Jagasian · · Score: 1

    That "poor slob" has some of the best job security I have ever seen in an IT job these days. Is it really that hard of work to read USENET and hang out on IRC?

    1. Re:Are you kidding me? by curtisk · · Score: 1
      Dishwashers and garbage collectors have pretty good job security as well, doesn't mean that I'd like to do it. :)

      But as far as IT goes, MS advisories are one of the few things you can count on.

      --

      Sehr geehrter Toilettenbenutzer!

  42. Re:Linux is a joke, a mess, a waste of time. by Anonymous Coward · · Score: 0

    He said "mp3 programs like cooledit". Have you ever used CoolEdit? A program "like cooledit" is not a program that does a few of the thousands of things cooledit does with a crappy GUI and no support. A program like cooledit is just as good or better than the original. Please show me your competitor.

  43. Not really that big of a deal by SailorFrag · · Score: 1

    As an IRCOP on GamesNET, I spend some of my spare time tracking down packet kiddies that attack channels and/or servers. /Most/ of the botnets these days still spread by simply scanning for open c$ shares using the Administrator account and no password. The DCOM exploit that's floating around really messes up the computer until it's rebooted (Windows NT doesn't like having RPC crash, which is what it does as soon as you close the shell it creates), so it's not even all that useful for spreading stuff.

    All that the DCOM exploit did was reopen the people who don't keep their systems up to date to infection. As most botnets disable the c$ hole they use to spread as they infect machines these days, it will simply replenish the supply to levels from around the beginning of the year.

    There's always a few attacks against some host or another at any given point in time on the internet. It's been this way for years. I don't see how this will be a big deal.

  44. Re:HomeSec???? by Anonymous Coward · · Score: 0

    Maybe he meant HomoSec. He should stop posting his shit stories to this otherwise decent news site and go and get a job with them. Sounds like he'd really fit in.

  45. No patch for Win98/SE? by shunnicutt · · Score: 5, Funny

    This suggests a new marketing slogan:

    "If you don't upgrade to Windows XP, then the terrorists have already won!"

    1. Re:No patch for Win98/SE? by akiaki007 · · Score: 2, Informative

      I believe this only affects the NT based computers, since it is an RPC hack and 98 and below aren't NT based computers, thus don't run an RPC server!

      --
      "Time is long and life is short, so begin to live while you still can." -EV
    2. Re:No patch for Win98/SE? by ThunderRiver · · Score: 1

      No you are wrong. The vulnerability ONLY affects NT based systems, not 95/98/Me. So if you are using one of the following OSes: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 Server, you are affected by the vulnerability. Microsoft is in no way forcing people to upgrade to XP. Please get your facts straight.

  46. MS patch does NOT fix the latest RPC vulnerability! by Anonymous Coward · · Score: 1, Informative

    The newest RPC vulnerability does NOT have a patch from MS and is still exploitable with all windows patches applied if RPC ports are open. The patch that is available from MS is for a previous RPC vulnerability (yes, two RPC vulnerabilities in one month).

    Don't believe me? Then try the dcom.c exploit that was spread in the past few days on bugtraq after updating your system. Guess what... it's still vulnerable!

  47. How about "Big Mother?" by dpbsmith · · Score: 1

    Just a thought...

  48. RPC Attack by Anonymous Coward · · Score: 0

    Heh, I just cleared my firewall logs this morning before checking /. and I noticed about 50 rpc port hits. This explains it.
    When I looked just now, there is another:

    Time: Aug 1 10:32:22 Source: dialup-64.156.39.12.Dial1.Denver1.Level3.net Destination: 24.222.xxx.xxx In IF: eth0 Out IF: Port: 135 Length: 435 ToS: 0x00 Protocol: udp Service: ms-rpc

    Looks like the "kiddies" are hard at it.
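A tally of port 135 hits from firewall log lines in the format quoted in the comment above, as an added example that is not part of the original thread. The sample lines, host names, addresses, the assumed year and the burst threshold are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Field labels in the order the firewall prints them (taken from the log line
# quoted in the comment). Labels can contain spaces ("In IF") and values can be
# empty ("Out IF:"), so a plain split() on whitespace is not enough.
FIELDS = ["Time", "Source", "Destination", "In IF", "Out IF", "Port",
          "Length", "ToS", "Protocol", "Service"]

LINE_RE = re.compile(
    r"\s*".join(
        rf"{re.escape(name)}:\s*(?P<{name.replace(' ', '_')}>.*?)"
        for name in FIELDS
    ) + r"\s*$"
)

ASSUMED_YEAR = 2003  # assumption: the log format itself carries no year


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["Port"] = int(rec["Port"])
        rec["Length"] = int(rec["Length"])
        stamp = " ".join(rec["Time"].split())  # collapse padding such as "Aug  1"
        rec["Time"] = datetime.strptime(f"{ASSUMED_YEAR} {stamp}",
                                        "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return rec


def summarize_rpc_hits(lines, ports=frozenset({135}),
                       window=timedelta(minutes=10), threshold=3):
    """Count hits on the watched ports per source and flag bursty sources.

    A source is "bursty" when it produces at least `threshold` hits inside any
    sliding `window`. Unparseable lines are counted, not silently dropped.
    """
    hits = {}      # source -> list of hit times
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["Port"] in ports:
            hits.setdefault(rec["Source"], []).append(rec["Time"])

    counts = Counter({src: len(times) for src, times in hits.items()})
    bursty = []
    for src, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursty.append(src)
                break
    return {"counts": counts, "bursty": sorted(bursty), "skipped": skipped}


# Constructed sample input in the quoted format (documentation addresses only).
SAMPLE_LOG = [
    "Time: Aug 1 10:32:22 Source: host-a.example.net Destination: 192.0.2.10 In IF: eth0 Out IF: Port: 135 Length: 435 ToS: 0x00 Protocol: udp Service: ms-rpc",
    "Time: Aug 1 10:33:05 Source: host-a.example.net Destination: 192.0.2.10 In IF: eth0 Out IF: Port: 135 Length: 48 ToS: 0x00 Protocol: tcp Service: ms-rpc",
    "Time: Aug 1 10:36:40 Source: host-a.example.net Destination: 192.0.2.10 In IF: eth0 Out IF: Port: 135 Length: 48 ToS: 0x00 Protocol: tcp Service: ms-rpc",
    "Time: Aug 1 10:40:00 Source: host-b.example.net Destination: 192.0.2.10 In IF: eth0 Out IF: Port: 135 Length: 435 ToS: 0x00 Protocol: udp Service: ms-rpc",
    "Time: Aug 1 10:41:10 Source: host-c.example.net Destination: 192.0.2.10 In IF: eth0 Out IF: Port: 80 Length: 60 ToS: 0x00 Protocol: tcp Service: http",
    "Time: Aug 1 12:15:00 Source: host-b.example.net Destination: 192.0.2.10 In IF: eth0 Out IF: Port: 135 Length: 435 ToS: 0x00 Protocol: udp Service: ms-rpc",
    "-- MARK --",
]

if __name__ == "__main__":
    report = summarize_rpc_hits(SAMPLE_LOG)
    for source, n in report["counts"].most_common():
        flag = " (burst)" if source in report["bursty"] else ""
        print(f"{n:3d}  {source}{flag}")
    print(f"unparsed lines: {report['skipped']}")
```
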

  49. That's not true by TheConfusedOne · · Score: 4, Funny

    "Which port is it that you need to block?"

    To make windows secure?

    All of them.


    You only have to block the port where the power cord goes into the computer. :-D

    --
    --- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
    1. Re:That's not true by Anonymous Coward · · Score: 0

      Hey! I was going to post that!

  50. Dummy worm, or google searches and hits? by totierne · · Score: 1

    Is the worm the rumour, and can we track it through google zeitgeist and/or a dummy worm exe/code/honeynet that script kiddies (sort of like myself allegedly) might not realise is not the real thing?

  51. Can I suggest some newspeak by Rogerborg · · Score: 2, Funny

    Instead of saying open source versus closed source, how about we just start saying open source versus untrustable? That might help to chivvy things along.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Can I suggest some newspeak by zeugma-amp · · Score: 1

      I like the sound of that. I would probably use "untrusted" rather than "untrustable" though.

      --
      This is an ex-parrot!
    2. Re:Can I suggest some newspeak by Rogerborg · · Score: 1

      Hmm. Untrusted is punchier, but it implies that it could be trusted under certain circumstances. Untrustable makes it clearer that it can't be. Heck, how about we just appropriate Microsoft's terms and call it "untrustworthy"?

      --
      If you were blocking sigs, you wouldn't have to read this.
    3. Re:Can I suggest some newspeak by Anonymous Coward · · Score: 0

      At least I can trust my closed-source apps to actually work.

    4. Re:Can I suggest some newspeak by Rogerborg · · Score: 1

      Sure, because the absolute disclaimer of warranty and liability and no-money-back-not-never clause really keeps the vendors honest.

      --
      If you were blocking sigs, you wouldn't have to read this.
  52. Linux Users? by Chibi+Merrow · · Score: 5, Informative

    I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
    1. Re:Linux Users? by prandal · · Score: 1

      Yes, like RRAS on Windows NT 4 Servers:

      Microsoft is aware of a problem with the recently released security patch MS03-029 (http://www.microsoft.com/technet/security/bulletin/MS03-029.asp). This patch corrects a Moderate rated Denial of Service security vulnerability in Microsoft Windows NT 4.0 Server.

      Specifically there is a problem with the patch when installed on systems that are also running RRAS (Routing and Remote Access Service) that causes the RRAS Service to fail when the system is rebooted after applying the patch. It is important to note that the security fix itself is unaffected and the patch is still effective in correcting the DOS flaw.

      Microsoft is investigating this problem and will shortly issue a fix to correct it once that fix has been thoroughly tested. The security bulletin has been updated to reflect this. In the meantime customers affected by the problem may take one of the following actions.

      1. Contact Microsoft Product Support Services for a hot fix that corrects the problem. This fix has not yet been extensively tested and should therefore only be applied by customers who are directly affected by the RRAS problem.
      2. Install the patch if you do not need the RRAS service. The RRAS Service will fail to start however this will not impact normal operations other than those that use the RRAS Service.
      3. Review the security bulletin and assess whether your environment requires the security patch.
      4. Wait until a fix for the RRAS problem has been fully tested and released. The security bulletin will be updated when this happens.

      Regards,

      Microsoft Security Response Center

    2. Re:Linux Users? by korgull · · Score: 1

      Right, but what to do when you have to choose between having vulnerabilities or some broken services?
      There really isn't a good choice in that case besides dumping your software solution because it's not fit for use, or is it?

  53. That's too cruel - for the terrorists by Anonymous Coward · · Score: 0

    I mean, Islam being against mixing with swine and all that...

  54. The only way to make any computer secure... by I8TheWorm · · Score: 1

    Unplug it from the network/phone jack
    Turn it off
    Take the power supply out
    Take the hard drive out and place it in a water tight zip lock bag
    Take said bag/hard drive and drop it into the Marianas trench.

    --
    Saying Android is a family of phones is akin to saying Linux is a family of PCs.
  55. d'oh by saskwach · · Score: 1, Funny

    And the Code Red/Nimda spam was just starting to not fill the majority of my apache logs...grumble

  56. google is fun by sniggly · · Score: 3, Interesting

    Coincidence or not? google news' primary link to this story points to the register's article about this vulnerability. In their best sour Brit register tradition they're none too congratulatory about "free patches". Does bandwidth cost money?

    --
    Of those to whom much is given, much is required.
  57. WoMD? by vgaphil · · Score: 3, Funny

    Windows of Mass Destruction?

    --
    A clever person solves a problem. A wise person avoids it. -- Einstein
    1. Re:WoMD? by Biomechanoid · · Score: 1

      also known as: Windows of Mass Deception

  58. Homeland INSecurity Spinning a Bad Decision by FreeUser · · Score: 2, Insightful

    Think of it as "Homeland Security eats its own dog food..." In other words, they are using the same operating system that the vast majority of people use, so they will experience the same vulnerabilities. They'll be able to advise people about computer security from first-hand experience, not just from a few pristine 'test lab' machines.

    That's a good spin on an incredibly incompetent IT decision, but at the end of the day, spin is all it is.

    You want a testbed for vulnerability? Fine. Set up a windows lab with its own dedicated internet connection and absolutely no way to talk to the rest of your internal network. Catalog, experience, and enjoy the chaos that ensues.

    Do not, I repeat, do not deploy it as your platform for collecting, collating, analyzing, and addressing security threats. What good is Homeland INSecurity going to be when they need to address a real, meatspace threat and a Microsoft worm has taken down most of their IT infrastructure?

    Some perhaps, but they certainly will be operating at a severely degraded efficiency level.

    --
    The Future of Human Evolution: Autonomy
  59. Not quite far enough! by Baron_Yam · · Score: 1

    That does not necessarily work; you must also check to ensure there isn't enough air in the sealed bag to create neutral buoyancy at any reasonable depth - say 500 meters - or the sealed unit could be recovered and accessed.

  60. And this is... by Penguin2212 · · Score: 1

    And this is how many weeks after they just signed a deal with Microsoft?

  61. Work on many different systems? How? by Viol8 · · Score: 1

    Most worms spread because they use VB script or a subset thereof and because most ignorant home users use windows. If you want it to work on most systems in the internet it will have to run on multiple OSs and multiple architectures. No such cross platform toehold exists because even if you exploit a buffer overflow in a cross platform VM such as Java your overflow exploit will be CPU and probably OS specific unless you code in every possible exploit. In which case your worm will have to know about X86, SPARC, MIPS, PowerPC, RS6000 and god knows how many other machine codes. As for the high level scripting route only javascript is portable across all platforms and that has so little power you couldn't write anything harmful in it.

    1. Re:Work on many different systems? How? by red+floyd · · Score: 1

      Tell that to Robert Morris. IIRC, the Morris Worm --

      1. Used multiple vectors for spreading
      2. Was cross platform (VAX/BSD and SunOS)

      --
      The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
    2. Re:Work on many different systems? How? by Viol8 · · Score: 1

      OSs were a little bit simpler back in 1988. That's a bit like saying now that something that runs on Windows 98 and 2000 is cross platform.

    3. Re:Work on many different systems? How? by Catskul · · Score: 1

      That's really what I meant by different systems. To get the majority of systems you have to get several win variants.

      --

      Im not here now... Im out KILLING pepperoni
    4. Re:Work on many different systems? How? by red+floyd · · Score: 1

      Not really, because a stack overflow attack (binary only) wouldn't work on both architectures. VAX/BSD was VAX, and SunOS was (at that time) MC680x0.

      --
      The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
    5. Re:Work on many different systems? How? by Anonymous Coward · · Score: 0

      Well, that's easy. You just make it a modal attack. If it scans a Windows machine and finds a particular vulnerability, then it sends the Windows variant of itself. Once the machine is infected, it copies over all of the other variants so that that machine can now infect numerous platforms. It would take quite a bit of bandwidth, but if all of the viruses were designed like Slammer, then that wouldn't be a problem.

      Make the scanning portions of the program entirely separate from the infecting parts. Send a small program to infect the host and then send the routines to make it spread. That way, it can infect hosts quickly. If the virus had no discernible symptoms other than an increased network usage, then it would go undetected for quite some time. You could put a time delayed payload in there such that all infected machines would destroy their own hard drives at noon on Christmas. Every infected computer would go down at exactly the same time, leaving almost no time for anyone to respond unless they found a way to decode the virus before it happened.

      Easy.

    6. Re:Work on many different systems? How? by Dylan+Zimmerman · · Score: 1

      Same AC as the last one.

      Come to think of it, you could have all of the infected computers put the scanning routines on KaZaA or some similar program such that they wouldn't even have to transmit that directly. The only way to trace the virus back to the infecting computer would be to see it as it's infecting the host. In a Warhol Worm, that time is negligible, so the virus would effectively become untraceable. KaZaA traffic would increase which might send up a red flag in the RIAA, but I'm betting that they have no idea what a virus would look like, let alone what to do with the information. That would also eliminate the need for the infection routines for all of the platforms to be transmitted to each version of the virus. They would just download the appropriate executables from the P2P network which would take far less bandwidth.

    7. Re:Work on many different systems? How? by Anonymous Coward · · Score: 0

      Same AC as the last one.

      Just not quite as A this time, eh? ;)
      Oops
      Don't worry, the Homeland Security department will be sending a few people there to pick you up shortly and sentence you without a trial... you evil terrorist hacker!

  62. More BBC data on Iraqi WMD by Anonymous Coward · · Score: 0
  63. Windows Update is your friend. by MtViewGuy · · Score: 1

    Sheesh.

    I think people are WAY too ignorant of the Windows Update page (http://windowsupdate.microsoft.com).

    Given the fact that Microsoft products are the most targeted by hackers and crackers, users should regularly monitor this web page at least three times per week to download the latest security patches, code updates, and so on. I've updated my Windows 2000 Professional setup on my home machine with all the latest patches from Windows Update, and that combined with running McAfee VirusScan 7.0 (which has a software firewall) ensures I won't get hacked into anytime soon. =)

  64. Re:Let the bashing begin by Anonymous Coward · · Score: 0

    What a sucky joke...

  65. You only need to block one port! by siskbc · · Score: 1
    To make windows secure?

    Nah, you only need to block the ethernet port. See? Just one. Well, I guess the modem port too. And I guess the serial port. And while we're at it, maybe the parallel port just in case.

    So at most, four ports. Sheesh, you guys are just complainers!

    --

    -Looking for a job as a materials chemist or multivariat

  66. Anybody who places... by Anonymous Coward · · Score: 0

    ... a Windows box directly on an Internet-routable network segment... or even behind a lame-ass nat router without further protection is a FARGIN MORON.

    Always, always ALWAYS ALL-FREAKIN-WAYS keep your Windows boxen on private RFC1918 networks that have zero routability to the public internet. It is not possible to secure a Windows machine any other way. The O/S itself is a giant security hole.

  67. Unfair to public servants by laetus · · Score: 2, Interesting

    You know guys, not everybody in the government is fawking off and trying to screw you out of your legitimate right to freely download copyrighted music.

    There are thousands of hardworking men and women serving in Coast Guard ships off our coasts, monitoring land border crossings, inspecting imported cargo containers, and serving as airport security inspectors and skymarshals, all to keep your bloody arses safe behind your monitors as you make fun of them.

    Sorry for the rant, but reality check, there ARE bad people in the world that are intent upon harming the United States and a good number of Americans working at the Department of Homeland Security are intent upon preventing that from happening.

    Instead of easily making fun of these institutions, how about sitting down and thinking about better ways to reduce risks cost effectively. Propose it, then make your criticisms.

    --

    "We're sorry, but the website you're trying to reach has been disconnected."
    1. Re:Unfair to public servants by redragon · · Score: 1
      I would agree, there are a lot of good people out there working as public servants. However...

      A certain number of people out there ARE fawking off and trying to screw me. I could care less about "downloading music." The issues that I think a lot of us are worried about are things like:

      * The Patriot Act and its Big Brother.
      * Our public servants being sent off to WAR by a bunch of leaders that don't really have any idea about the people they're sending off to war. Remember, it's typically not your rich/white/sons going into the military.

      I could go on, but I think I would be going overboard. The issue really comes down to that some of us have had run-ins with the type of people that give our public servants a bad name. Others of us just really understand that power corrupts, and we'd at least like to pretend that there are some checks and balances in place.

      --
      - Sighuh?
    2. Re:Unfair to public servants by ortholattice · · Score: 1
      (OK, this is getting offtopic but...)

      There are thousands of hardworking men and women serving in Coast Guard ships off our coasts, monitoring land border crossings, inspecting imported cargo containers, and serving as airport security inspectors and skymarshals, all to keep your bloody arses safe behind your monitors as you make fun of them.

      Well, it seems they spend an awful lot of time seizing boats and putting fishermen out of business because a crew member had a joint in his pocket. How exactly does this help Homeland Security?

    3. Re:Unfair to public servants by 0111+1110 · · Score: 1

      Still it makes me uncomfortable to see our tax dollars going towards analyzing Microsoft products for security holes. I wonder how many HS employees are devoted to network security and Microsoft vulnerabilities.

      Of course, we all know that "hackers" are the number one threat to our security, not terrorist WMD plots. Now that like 70% of FBI resources are devoted to "computer crime", it's only natural for other segments of our very sensible government to follow suit. God knows our entire society would just collapse if we couldn't use the internet for a day because of some "terrorist created" virus/worm. Needless to say the term "terrorist" now really means "computer hacker".

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    4. Re:Unfair to public servants by arkane1234 · · Score: 1

      You're right, those hardworking coast guard people, the army/navy/airforce/marine soldiers, all of them are great and all.

      It's the command officers and executive personnel that do the bad stuff :)

      It just so happens that if the lower personnel don't do their bidding, they're punished. Sometimes severely.

      --
      -- This space for lease, low setup fee, inquire within!
  68. Color scale for Dummies by Cro+Magnon · · Score: 1

    Green - the lowest alert. That's when everyone's sleeping.

    Blue - I'm not clear on this one, but it has something to do with KMart.

    Yellow - Our standard color.

    Orange - We get bumped there when there's a perceived threat. Or maybe Tom Ridge has gas, I'm not sure which.

    Red - Hasn't ever happened yet. Presumably, we'll go to red when the Terrorists (tm) are coming right at us yelling "Jihad!" at the top of their lungs.

    --
    Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    1. Re:Color scale for Dummies by Alien+Being · · Score: 1

      The alert color is determined by Dubya's mood ring. They tried to couple it to his brainwaves, but they couldn't find any equipment sensitive enough to measure them reliably. Interestingly though, whenever he hears the word "oil" the instruments light up like a pinball machine.

    2. Re:Color scale for Dummies by Rich0 · · Score: 1

      They'll bump it up to red 5 minutes after the next skyscraper comes crashing down... That way the American public can rest assured that the Feds are indeed watching CNN and know what is going on.

      One would think that Red would mean that the govt knows beyond a shadow of a doubt that something is about to happen. If that were the case, they'd probably be able to stop it, and there is little reason to be alarmed. It might make sense if NORAD detects an ICBM headed for New York City, but in that case a simple announcement on CNN that everyone in New York who is not 50 feet underground is about to die might get more response than a red icon in the corner of the CNN screen.

      The only way to prevent terrorism is to maintain a high state of alert all the time. Even this isn't completely foolproof - look at Israel - where EVERYBODY is CONSTANTLY on their guard since bombs go off just about every day, and yet the bombs still go off every day (well, not very recently due to the Hamas truce, but we'll see how long that lasts).

      People need to know the facts to make good decisions. The little icon in the corner of CNN doesn't really add much.

    3. Re:Color scale for Dummies by Cro+Magnon · · Score: 1
      One would think that Red would mean that the govt knows beyond a shadow of a doubt that something is about to happen. If that were the case, they'd probably be able to stop it, and there is little reason to be alarmed.


      Probably true, but it's ironic that we'd probably be safer on red alert than on yellow!

      The only way to prevent terrorism is to maintain a high state of alert all the time. Even this isn't completely foolproof - look at Israel - where EVERYBODY is CONSTANTLY on their guard since bombs go off just about every day, and yet the bombs still go off every day (well, not very recently due to the Hamas truce, but we'll see how long that lasts).


      I don't think it's POSSIBLE to maintain a high state of alert in peacetime. People eventually relax and get sloppy. That would happen in Israel too, if they had a long enough period of peace.
      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    4. Re:Color scale for Dummies by normal_guy · · Score: 1

      Speaking of color levels and little icons, I was thinking about the Emergency Broadcast System. That's certainly not a weather-only system, and they didn't use it on 9/11. What are the criteria?

      --

      Linux: Free if your time is worthless.
    5. Re:Color scale for Dummies by Rich0 · · Score: 1

      I think its purpose is to alert the public that they should take some specific action - usually along the lines of hiding in the basement or sealing the windows or something like that. What were people supposed to do on Sept 11th?

  69. To be really exact... by Shenkerian · · Score: 1, Funny

    or the HIV virus if you want to be exact

    Actually, to be really exact, it's just HIV. The 'V' is for virus.

    I bet you enter your PIN number at ATM machines, too.

    --
    You tell me how "whilst" differs from "while," and I'll stop calling you a pretentious jackass.
    1. Re:To be really exact... by Some+Dumbass... · · Score: 1

      Hey, who modded this down? It's actually pretty funny.

    2. Re:To be really exact... by ceswiedler · · Score: 1

      You're absolutely right, but I believe there's probably something psychological / linguistic about the trend of PIN, HIV, ATM, UPC (code), etc. It looks to me like people have a hard time using an acronym as a common noun. They would much prefer to use the acronym as an adjective which modifies a normal common noun.

  70. Security by atcurtis · · Score: 5, Funny

    To make your computer truly secure, follow these simple steps:

    1. Get a decent firewall
    2. Configure it to deny everything except the ports you really need.
    3. Unplug any computer with really sensitive data from the network
    4. In fact, unplug it from the wall power socket
    5. Heck with it, it's still vulnerable from someone at the console - encase it in concrete
    6. Cover the concrete block with copper sheeting to prevent against Echelon
    7. Cover it with lead plate just to be safe from X-Rays.
    8. Put it on a back of a trailer and tow it into a deep mine shaft. Salt mines go pretty deep.
    9. More concrete please!
    10. Use a tactical device to ensure that access to the bottom of the mine is difficult.

    Should be truly secure... But for the overtly paranoid, consider dropping the planet into your local black hole. Please note that there may be information leakage as any entropy is represented on the black hole's event horizon.

    Not practical... But fun.

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
    1. Re:Security by Captain+Large+Face · · Score: 1

      Hold on, this is Slashdot. You missed:

      11. Profit!!

    2. Re:Security by jo42 · · Score: 1

      You missed:

      0. Format C:"

  71. Relax - reactors controlled by MS unlikely by alispguru · · Score: 1

    There hasn't been a new nuclear reactor built in the US in at least a decade. I believe Seabrook (NH) was the last one, and it went live in 1990.

    Also, nukes are like airplanes or the Shuttle - their designs must be approved and certified out the wazoo, so they tend to never be upgraded unless there's absolutely no choice. Many US reactors are still controlled by PDP-8s - 1 MHz machines with a 4K address space of 12 bit words.

    --

    To a Lisp hacker, XML is S-expressions in drag.
    1. Re:Relax - reactors controlled by MS unlikely by FlyGirl · · Score: 1

      Many US reactors are still controlled by PDP-8s - 1 MHz machines with a 4K address space of 12 bit words.

      Which tend to be pretty secure and reliable... Thank God!

    2. Re:Relax - reactors controlled by MS unlikely by admbws · · Score: 1

      It's not that they are particularly secure, it's more likely that a s'kiddie would have no idea what to do with it ;)

  72. It's all right by Rogerborg · · Score: 4, Funny

    "Based on this notification, no change to the Homeland Security Advisory System (HSAS) is anticipated; the current HSAS level is YELLOW."

    Hasn't it been yellow for like ever? I think they just can't figure out how to change the bulb.

    Slightly more seriously, are we all comfortable with the idea that the Vaterland Security Advisory System is now here to stay, and that it's now featured in contexts where the words "external" or "terrorists" don't appear? That Homeland Security bulletins, much like the "troops killed in Iraq" daily scorecard, are now routine occurrences?

    I've just had a kid. When he starts asking what the HSAS is, what do I tell him? "We're at War, junior. We've always been at War. Terrorists, drug barons, organized criminals, religious extremists, crackers, hackers, commies, arabs, they're all out to get us, and it's important to know just how scared the government wants us to be that we're going to die today."

    Nice world he's going to grow up in.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:It's all right by unDiWahn · · Score: 1

      Rimmer: All right, this is serious. Go to Red Alert.

      Kryten: Are you sure sir? It does mean changing the bulb.

    2. Re:It's all right by pmz · · Score: 2, Interesting

      I've just had a kid. When he starts asking what the HSAS is, what do I tell him? "We're at War, junior. We've always been at War. Terrorists, drug barons, organized criminals, religious extremists, crackers, hackers, commies, arabs, they're all out to get us, and it's important to know just how scared the government wants us to be that we're going to die today."

      Nice world he's going to grow up in.


      I don't know why this is modded "Funny". Yeah, the world turning into shit is so funny I'm in pain from laughing.

    3. Re:It's all right by Rogerborg · · Score: 1

      It's funny if your formative experiences were after the Berlin Wall coming down, and pre WTC. The 1990s were a pretty neat time, when all's said and done. I'm sure we'll swing back there sooner or later, but government, business and media are closer than they've been since McCarthy, perhaps closer, so it might take a while before they stop trying to stimulate the economy by reminding us that we might all die tomorrow.

      With a young son, sure, I want him to be safe tomorrow, but I also want him not to have to deal with the crap that we're storing up today. We're building a society based on runaway consumerism, building a garbage mountain, wrecking the ozone (hey, the rate that it's disappearing has slowed! Whoop dee doop!), there's no sign of us switching away from fossil fuels before we absolutely have to, and our foreign policy is to make the rest of the world fear us more than they hate us.

      Good luck, kid, you're going to need it.

      --
      If you were blocking sigs, you wouldn't have to read this.
    4. Re:It's all right by Anonymous Coward · · Score: 0

      I think it's the part before what you quoted that's funny, but I never know for sure, being an anti-social nerd and all.

    5. Re:It's all right by Anonymous Coward · · Score: 0

      "DepHoSec exists to protect us against foreign InWarOp, hacking, insurgents, and fear, just as it always has. They use the tools of Big Gates to protect you against childporcrime and to support the Ministry of Recordings so that we all have access to multimedia that has not been corrupted or copied. If it was not for them, every time you went online, you would be exposed to unauthorized spam and unlicensed thought, and you would need rehabilitation. Remember, who controls the desktop controls the future: who controls the net controls the past. Licensing is Freedom, Linux is Slavery, Windows is Strength."

    6. Re:It's all right by sharkey · · Score: 0, Troll
      Hasn't it been yellow for like ever?

      France?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    7. Re:It's all right by glenstar · · Score: 1
      With a young son, sure, I want him to be safe tomorrow, but I also want him not to have to deal with the crap that we're storing up today.

      My son just turned 2 and it seems really sad to me that he recognizes, with very little encouragement from me, brand names like The Gap, Disney, McDonald's, etc, etc. He doesn't watch TV (except for a couple of shows on Nick), but somehow he knows these things.

      As for the other thing, this McCarthyism that is sweeping the US, that's another matter. No matter how upset I get about our current situation, I try to not let him know that I am upset. I can only hope that by the time he is old enough to be aware of how things are, they won't be so fucked up.

      <Pitch> On a related note, I encourage all slashdotters to try and get Wesley Clark to run for President. He has a good amount of geek appeal, having a triple masters in Philosophy, Economics, and Politics from Oxford, where he was a Rhodes Scholar. Oh, and he is also a licensed Investment Banker and was the NATO Supreme Commander in Europe. He also doesn't fit nicely into either the Democratic or Republican parties, although chances are he would run as a Democrat. Another great benefit is that he can actually pronounce words like "American", "Nuclear", etc, etc, etc...(Note to Bushophiles: several candidates seem to have speaking problems, I am not explicitly picking on him, but Bush is certainly on the top of the bad verbiage list). I am working on putting together a grassroots movement called "Geeks for Clark" (although that name is certainly not finalized). Interested parties should Contact Me. </Pitch>

  73. How is it fair to ANYONE ... by burgburgburg · · Score: 1

    for the current administration, on the same day that they announce that they have direct Al Qaeda intelligence that there is planning for renewed suicide airline takeovers, to simultaneously have the transportation department severely cut the number of air marshals because the department has a $900 million budget shortfall?

    1. Re:How is it fair to ANYONE ... by blinder · · Score: 1
  74. Overinflated sense of purpose? by DeusExLibris · · Score: 1

    What makes the DoHS think that anyone that has already ignored warnings from Microsoft, CERT, etc. is suddenly going to decide to patch their systems because DoHS has said they should?

    "Oh, it's a threat to national security? Well that DOES give me a good reason to apply that patch!"

  75. Re:Superiority Complex by Anonymous Coward · · Score: 0

    uh???

    emerge sync

    emerge -u system
    emerge -u world

    put this stuff in a bash script and run it in cron on your Gentoo box...

    easy.

  76. Port blocking by Gothmolly · · Score: 5, Insightful

    Is it me (insert tinfoil hat joke), or is anyone else disturbed by the increasing tendency of ISPs and vendors to say 'just block port xxx' on your network connection, as a response to problems? Is this one more step on the road of converting the Internet to simply an MSN-ified WWW? Where does the small, independent content creator turn as more and more barriers to market entry are enacted, either by FUDding ISPs, lobbying Congress, and blatant stupidity?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Port blocking by Telastyn · · Score: 1

      Absolutely.

      Worse yet, I am disturbed because it does not provide any more security. It just means that the vulnerability will be exploited via email or web rather than directly.

    2. Re:Port blocking by drinkypoo · · Score: 1
      On one hand, we would like to see Microsoft fix all the bugs -- especially security bugs -- that it introduces into its products. On the other hand, if you are an admin and you do not block certain ports coming into your corporate network, you are incompetent. This includes NetBIOS and RPC, and in light of other vulnerabilities, should also include ports used for mail, ftp, and the web.

      It would be far wiser in fact to take a "least rights" approach to the problem, and simply block all traffic, opening up holes only as needed, because that's what they are: holes.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Port blocking by arkane1234 · · Score: 1

      He did say ISP's, he didn't say your local network administrator.

      If you're running an ISP, you're serving a network connection to people who have their own thing to do. If you alter their abilities, you're not providing. You may as well just put up a squid proxy and tell them to point their browser at that.

      Now if you're a netadmin at an end-user location, sure.. block those ports.

      --
      -- This space for lease, low setup fee, inquire within!
    4. Re:Port blocking by drinkypoo · · Score: 1
      I agree that ISPs should freely allow inbound traffic, though it would be nice if they could detect floods and cut that traffic off.

      ISPs should DEFINITELY be providing proxies, which allow some small amount of abstraction which could protect their users.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Port blocking by arkane1234 · · Score: 1

      though it would be nice if they could detect floods and cut that traffic off.

      I've been wondering for years why some sort of feature in the Cisco IOS hasn't been implemented to enable this type of protection. Then again, I guess it would be hard to detect if it was a flood, or just a simple high-bandwidth transfer...
      would be nice though.

      ISPs should DEFINITELY be providing proxies, which allow some small amount of abstraction which could protect their users.

      I definitely agree with that. As long as it's an optional proxy, and not a transparent proxy.

      --
      -- This space for lease, low setup fee, inquire within!
  77. THIS IS TOOOOOO RETARDED by Bob+Abooey · · Score: 1, Funny
    I JUST CAN'T TAKE IT ANY FRIGGIN MORE!!!

    If you need to be secure then UNPLUG YOUR FUCKING NETWORK CARD AND TAKE YOUR DATA OFFLINE!!! And yes I know, even if it's offline someone can still get to your data by social engineering or physically breaking into your box and all that, but taking it offline (ie., off any public network) will make it much more secure. LET ME REPEAT THIS: IF YOUR BOX IS CONNECTED TO A PUBLIC NETWORK LIKE THE INTERNET THEN IT'S NOT SECURE. PERIOD.

    And isn't it ironic that the department of homeland stupidity just announced they're spending a metric buttload on Microsoft software a few weeks ago, and now they come out to tell us about how insecure it all is?????

    I give up, it's all just too retarded for me to deal with anymore...

    --

    All the best,
    --Bob

    1. Re:THIS IS TOOOOOO RETARDED by sremick · · Score: 1

      Not practical.

      Consider your house. Using the same argument, one could say, "If you want your house to be secure, don't build it on a public street." Hmm but how would you get to it? Ok, a private street... oh but that has to connect somewhere... ok, an island... but there's water-access... ok, on your own planet...

      No. We secure our houses by creating barriers between the unavoidable link between them and the outside world. There are different levels of security. Around our front lawn (the DMZ) we might just have a fence, or nothing at all. The door to our house will have a lock, though. Some people will have a deadbolt, electronic entry, and an alarm system to call the authorities if there's a break-in. All depends on how much security one needs. Security is not an item or a single action. It's a process, a process along the lines of insurance. You use as much as is appropriate. There's always a way in, nothing is 100%. You just need to take steps to match the threat to YOUR data.

      My computer is connected to the public internet, out of necessity. If it wasn't, it wouldn't be of much value to me. Between my computer and the internet I have a hardware router/firewall. That device has one port open, which I use for SSH. Everything else (X, VNC, etc) is tunneled over that encrypted SSH session.

      As an added step, I choose to run a more reliable and secure OS (FreeBSD) instead of Windows.

    2. Re:THIS IS TOOOOOO RETARDED by Bob+Abooey · · Score: 1
      No No.. it is practical.

      If you have something that needs to be secure and your house is on a public street then you should take whatever it is that needs to be secure and put it in a safe deposit box, or hire a guard to watch it, or pay security experts to store it, or something along those lines. If you have data that needs to be secure then you keep it offline, much like the FBI does. (I've worked with them on some things in the past, the guy I worked with had two computers, one secure that isn't on the Internet and one insecure that is on the net.)

      My home PC is on the net too, but there isn't any data on it (like my SS number or banking info or stuff like that) because I prefer to have that kind of stuff secure.

      I'm not saying you can't have a PC on the Internet, I'm saying if your PC is on the net out of necessity then don't have data on it that needs to be secure because, regardless of what OS you use, it can be hacked and your data can be stolen.

      --

      All the best,
      --Bob

  78. Questions from the article you noted by burgburgburg · · Score: 1
    According to the article you referenced:

    But Roehrkasse said operations were continuing as before and marshals would still be deployed on "critical" flights.

    This seems to imply (along with the emails to air marshals about changes to their schedules) that they are NOT deploying air marshals on what they define as "non-critical" flights. Unless they're only talking about Cessna's, this makes me nervous. Any major jet, filled with fuel and passengers, becomes "critical" if slammed into a major piece of architecture (buildings, dams, nuclear facilities).

  79. Hmmm... by Anonymous Coward · · Score: 0

    When G.W.'s good ol' boys at DoHs decide to warn the masses about a potentially devastating computer security threat, and point us to the patch, you've just gotta ask yourself if they're showing all their cards....

    Shine on, Magic Lantern.

  80. Fixes by DanV · · Score: 3, Informative

    If I understand right, 4444 is the port the exploit for the DCOM bug connects to.
    I updated all my systems, and firewalled 135/139/445 (UDP and TCP) and 4444 (TCP).
    I know I am gonna get modded down for this, but if you don't have already, I suggest you fix this ASAP.
    You can get the fix from here for windows 2000, and here for windows xp.

    The exploit has it in the code:

    target_ip.sin_port = htons(4444);

    Also, notice the comment about the shell code:
    /* port 4444 bindshell */

    Dan
    Security consultant
    ClickNews

  81. Just a shake up by Anonymous Coward · · Score: 0

    This is simply Ashcroft/Bush asking for more money. Apparently the buy-out from the trial was not enough.

  82. Bandwidth costs question by RichMan · · Score: 1

    Anyone have any idea what it costs Microsoft to manage and supply all these updates. How many update distribution centers are there, how much disk space and bandwidth is required.
    How much of the global bandwidth requirements is all this patching eating up?

    1. Re:Bandwidth costs question by jo42 · · Score: 1

      ...and imagine if all of the IT people started to invoice, say at $300 US an hour, Microsoft for the time they piss away installing updates, hotfixes and other such Microsoft caused nonsense?

  83. Mmmmm.... CERTS! by simetra · · Score: 1

    Mmmm, Certs! I especially like those that spark when you bite them in the dark. Or is that LifeSavers?

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  84. Already hearing it as an excuse... by Satan's+Librarian · · Score: 3, Insightful
    For boxen being broken at ISP's. Interland trashed a rather important co-located server for us over the weekend, and blamed it on a "Worm" referencing this bug. AFAIK, no worm has yet been released, and certainly none was out then - anyone else been fed this kind of b.s.? Anyone heard of any truth to it at all?

    As far as DoHs getting in on the action - I think they'll cry wolf at anything to keep interest. The more afraid the public is on a daily basis, the more they are legitimized. I was appalled the other day to see this article on the front page a few days ago - no shit guys, thanks for the press release. Ya know what else? .COM stocks might not be the best investment if the company hasn't produced a product.

    Obviously this hole is a major one, but we've kinda known that unfirewalled Windows boxen on the net are a Bad Thing (tm). This hasn't changed, and it's not much more likely now for a worm to run rampant through everything than it was in the past - it'll happen, it'll suck, and everyone will do the same fire drill as every other time it happened. And a few, bright IT departments will switch to FreeBSD or similar for their external machines or put up a bloody firewall.

  85. Who or what can you trust? by dollar70 · · Score: 2, Interesting
    Look, this is not meant as a flame or troll, but new updates/patches are coming out every 10 minutes, and conspiracy theories keep flying around like it's a tin-foil hat party. The only patch I've ever decided I had to install was the one for Win95 back in '98 because I kept getting "nuked" whenever I went into an IRC chat room. Win98 was that patch. Then one day I discovered GRC.com and realized I was leaking crap all over the web. So I put ZoneAlarm on my PC and felt relatively secure. Yes, I was one of the poor suckers that actually got the free rubber collectors' watch with my purchase of Windows ME. After much hesitation I finally decided to plunge into broadband, and felt the need for a NAT router, but still kept ZoneAlarm turned on for good measure. With the introduction of XP and the EULA I couldn't abide, I started seriously looking into the option of Linux. By this time, MS was crankin' out the updates every time a new weblog started.

    Now why should I trust MicroSoft? They led me down the primrose path to endless updates that either show no noticeable effect, or cause my computer to act flakey.

    Why should I trust HomeSec? I'm never going to feel secure so long as they keep throwing terror alerts in my face as an excuse to keep whittling away what's left of my civil rights.

    And why should I trust the Linux community whose mainstay advice is "RTFM". I'm stuck using Lycoris until I can figure out how to get Wine to work under a better distro. (I'm sorry but some programs designed to run under MS Windows are just too cool to ignore.)

    As far as I can tell, these so called updates could be trojans to give backdoor access to HomeSec so they can determine the efficacy of their scare tactics, and Linux is a twisted plot to make borderline-geeks like myself waste their time reading endless man pages trying to figure out how the damn thing works.

    OK, so maybe I'm sounding a little frustrated, but all I really want is a nice little computer that does only what I tell it to do. Is that too much to ask?

    --

    Next stop: Insanity

    1. Re:Who or what can you trust? by tb3 · · Score: 1

      So get a Mac with OS X. None of this RTFM crap, solid as any other *NIX, and runs almost any application you care to name.

      --

      www.lucernesys.com Horizon: Calendar-based personal finance

    2. Re:Who or what can you trust? by dollar70 · · Score: 1
      Believe me, I've seriously given it some thought. I do like the Mac, and OS X has the slickest looking UI IMHO... but I also like to build my own computers. Except for my obsolete laptop, all of my computers are home built... It's been a point of pride for me to look at the machine and know I personally had a hand in its creation.

      --

      I'm not a complete idiot; some parts are missing.

  86. The READ terrorists... by Anonymous Coward · · Score: 0

    ...are the studs in Redmond who have launched this horrible virus called Windows, who have persisted in distributing the greatest security risk known to LifeKind! WHEN WILL THEY PAY!! I WANT BILL GATES AT GET-MO AND ALL RESPONSIBLE!!!

  87. MOD PARENT UP PLEASE by Anonymous Coward · · Score: 0

    I burned off all my points this morning cancelling the mods of the slashbot groupthinkers. This man deserves a few "Insightful" bones thrown his way.

  88. M$ Insecurities by applefan · · Score: 1

    Microsoft and insecure pretty much goes hand and hand.

  89. Your post was excellent and correct EXCEPT... by doc_traig · · Score: 1

    ... you used the word "boxen" which immediately disqualifies it. Mods, come on in and bring this balloon back down to earth. We've found a fatal flaw.

    I'm sorry, but I believe we have some parting gifts for you.

    --
    So long, michael. Don't let the door hit you...
    1. Re:Your post was excellent and correct EXCEPT... by Anonymous Coward · · Score: 0

      You hate "boxen". I hate it when someone runs a sentence from the subject into the post. Whatever.

  90. Re:Arabs really aren't that bright! by bluethundr · · Score: 1

    The above comment is not by me. I disavow all knowledge of this, do not harbor these beliefs. Left myself logged in and a co-worker thought this was funny. I did not.

    --
    Quod scripsi, scripsi.
  91. Port/Process utility for Windows? by simetra · · Score: 2, Informative

    Is there a utility/app/shareware thing that will tell you what process on WinNT/2K/XP is associated with whatever ports are active? Thanks. Really, I mean that.

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
    1. Re:Port/Process utility for Windows? by gregarican · · Score: 4, Informative
      Search for a utility called FPort. It will map out all of the active PID's with the TCP/UDP port and associated process. Some processes can hide themselves through rundll32.exe (Win9x) or svchost.exe (WinNT/2K/XP), however.

      But you can get an idea about what ports are sitting out there either listening or actively transferring.
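
The port-to-process mapping asked about in comment 91, applied to the ports named in comment 80 (135/139/445 on UDP and TCP, plus TCP 4444), as an added example that is not part of the thread and is not FPort's code. It assumes the output of `netstat -ano` and `tasklist /FO CSV /NH` has been saved as text on a Windows version that provides both; the sample data, PIDs and function names are constructed for illustration.

```python
import csv
import io
from typing import NamedTuple

# Ports the thread says to firewall (UDP and TCP).
SERVICE_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}
# TCP port the quoted exploit line (htons(4444)) uses for its bind shell.
SHELL_PORT = 4444


class Sock(NamedTuple):
    proto: str
    addr: str
    port: int
    state: str
    pid: int


def parse_netstat(text):
    """Parse `netstat -ano` rows; TCP rows carry a state column, UDP rows do not."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if f[0] == "TCP" and len(f) == 5:
            state, pid = f[3], f[4]
        elif f[0] == "UDP" and len(f) == 4:
            state, pid = "", f[3]
        else:
            continue  # truncated or unexpected row
        addr, _, port = f[1].rpartition(":")  # also handles [::]:135
        if port.isdigit() and pid.isdigit():
            socks.append(Sock(f[0], addr, int(port), state, int(pid)))
    return socks


def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    names = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def audit(netstat_text, tasklist_text):
    """Return (proto, port, pid, image, reason) for each socket worth a look."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        exposed = not is_loopback(s.addr) and (
            s.proto == "UDP" or s.state == "LISTENING")
        if s.proto == "TCP" and s.port == SHELL_PORT:
            reason = "TCP 4444 in use (bind-shell port named in the thread)"
        elif s.port in SERVICE_PORTS and exposed:
            reason = f"{SERVICE_PORTS[s.port]} reachable on {s.addr}"
        else:
            continue
        # As the reply notes, svchost.exe hosts several services, so the
        # image name alone does not say which service owns the port.
        findings.append((s.proto, s.port, s.pid, names.get(s.pid, "unknown"), reason))
    return findings


# Constructed sample data, not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1420
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1680
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3012      203.0.113.7:80         ESTABLISHED     2100
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.20:137       *:*                                    4
"""

SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","212 K"
"svchost.exe","884","Console","0","3,456 K"
"cmd.exe","1420","Console","0","1,024 K"
'''

if __name__ == "__main__":
    for proto, port, pid, image, reason in audit(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{proto:3} {port:5} pid={pid:<5} {image:12} {reason}")
```

A listener that still shows up here after the host firewall is configured is bound locally; whether it is reachable from outside has to be confirmed from another machine.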

  92. WHEEEE by mrgreenfur · · Score: 0, Flamebait

    wheee! internet worms are fun!

    quick! someone re-release SQL Slammer! and code red! and all our buddies locked away in cyber-jail!

    wheeeeeeeee.....
    (runs to public library)

  93. Micro$loth moving right along. by gregarican · · Score: 1
    The folks at the Last Stage of Delirium announced the RPC hole back at the end of 2002! Here's a link to the white paper --> http://www.lsd-pl.net/documents/winasm-1.0.1.pdf.

    My questions:

    1) Why does it take Micro$loth this long to respond to and to address a major flaw?

    2) Why do most of their security flaws involve unchecked buffers? This function should be a fundamental part of a programmer's toolbelt. It's not like they don't like adding more lines to already-bloated code

    3) If it's true (as posted in another thread) about the RPC bugfix not fixing the problem what is the ETA of a re-release of the bugfix?

  94. even port 80 by Anonymous Coward · · Score: 0

    Port 80? Darn, I kind of liked that port.

  95. doesn't help us pirates @_@ by Anonymous Coward · · Score: 0

    I would patch XP, except using auto update will disable my computer as I used a keygen for my key. microsoft supposedly keeps track of all keys they have sold and mine ain't one of them.

  96. Microsoft's Insecurity? by Captain+Large+Face · · Score: 2, Funny

    Perhaps all it needs is a big hug? I know we all call Microsoft a massive anti-competitive tool of the Devil, but these comments do HURT.

  97. Thank god today's payday by clckwrkMalChick · · Score: 1

    So I can help fund shit like this...
    Step 1. Microsoft wins homeland security contract worth $100 million
    Step 2. Homeland security warns of flaws in microsoft software
    So, this government has spent $100 million dollars to Q&A Microsoft products. Meanwhile, at the NSA, free security enhanced linux.
    Your tax dollars hard at work. I'm going to buy a box of tea and throw it in Boston harbor.

    --

    -=-=-=-=-=--=-=-=-=-=-=-
    What would Yossarian do?
    1. Re:Thank god today's payday by serbanp · · Score: 1
      I'm going to buy a box of tea and throw it in Boston harbor.

      Nah, the real thing is to dump tea you didn't buy.

  98. it's official by geekoid · · Score: 1

    Microsoft has more insecurities than Woody Allen. ...rimshot...

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  99. national news organizations..... by blandboy · · Score: 1

    i wonder if msnbc is running this story.

  100. The big one is coming. by AugstWest · · Score: 1

    We've seen many worms now that pretty much were just proof of concept things. Nothing detrimental was happening, other than the worm spreading itself.

    This won't go on forever, especially as these things become easier to use. Eventually someone with reason to want to do harm (say, oh, a terrorist) will pick up on this readily available tool and beat the crap out of the internet with it.

    How many cable modems/DSL connections are there out there attached to 95/98/98SE machines?

    1. Re:The big one is coming. by DrRiffic · · Score: 1

      9x does not run RPC. 9x is not affected by this exploit.

  101. Use IPSec filters... by jeeptj · · Score: 1

    One very good way to lock down a machine is to use a combination of IPSec filters (available on Windows 2000, Windows XP and Windows Server 2003)

    Here is a brief explanation on how to do this under:
    Windows 2000
    Windows 2003 (Look at the deploying IPSec chapter for details)
    Windows XP See above, same cmd util as Windows Server 2003 (i.e.: netsh)

  102. Uh... by jotaeleemeese · · Score: 1

    Try telneting to a W98 machine.

    Or ftp.

    Same thing, moron. If there is no server running the machine can't be affected.

    --
    IANAL but write like a drunk one.
    1. Re:Uh... by gregmac · · Score: 1
      what in the hell are you talking about? Did you just hit reply without reading anything, or what?

      If windows98 has DCOM (I dunno, does it?), then it's probably affected as well (considering that NT4 is affected). My point was that microsoft didn't even acknowledge Win98 as being affected (as opposed to saying it was affected, but not creating a patch because they don't support it anymore).

      If it's not affected, then the whole parent thread is pointless in the first place.

      --
      Speak before you think
    2. Re:Uh... by Anonymous Coward · · Score: 0

      If it's not affected, then the whole parent thread is pointless in the first place.

      Now you're understanding.

  103. Don't know. by jotaeleemeese · · Score: 0, Offtopic

    You should upgrade to Linux, there you can see all this.

    --
    IANAL but write like a drunk one.
    1. Re:Don't know. by simetra · · Score: 1, Flamebait

      Nice. You obviously don't work for a living.

      --

      "Would it kill you to put down the toilet seat?" -- Maya Angelou
    2. Re:Don't know. by colenski · · Score: 2, Informative

      http://www.eeye.com/html/Research/Tools/Download.asp?file=RetinaRPCDCOM

  104. Re: Dept. of Homeland Insecurity by Anonymous Coward · · Score: 0

    Soon there will be thousands of billboards warning the public of the imminent security threat to their Windows OS. Billboards? Oh yes, the department standardized on Windows and all data transmissions have ceased. FUD is fun! Hey, if the astroturfers can do it . . .

  105. Typical USian. by jotaeleemeese · · Score: 1

    When you go to France or Russia you are surely one of those that expects to be all the times greeted in US English I am sure.

    Well, if you are not like that, then learn Linux and believe it or not, the machine will do what you want.

    And what you say about RTFM is bullshit. There are tons of material in the net, how tos, faqs, personal pages, discussion board, USENET, etc.

    If you don't find help it is because you don't want to.

    I have been using Linux for 8 years now and I have never been treated in the way you imply by anybody providing help.

    --
    IANAL but write like a drunk one.
    1. Re:Typical USian. by normal_guy · · Score: 1

      LOL. Telling a person looking for a friendly computing experience to not only RTFM, but RTFH, RTFF, RTFPP, RTFDB, and RTFU. Intuitive software is intuitive software. Plain and simple. I don't know what the Ugly American has to do with any of this. Windows is not to Linux what English is to French.

      --

      Linux: Free if your time is worthless.
  106. Oh yeah. by jotaeleemeese · · Score: 1

    The unsung heroes of freedom.

    And for that protection, you are willing to sacrifice your liberties.

    Disgusting frankly.

    --
    IANAL but write like a drunk one.
  107. Once again harping on Windows Vuln while... by Anonymous Coward · · Score: 0

    Completely ignoring Linux server vulns that are being currently exploited on unpatched Linux based web servers today...

    Way to go!

  108. How much more secure would we be with Linux? by Eric+Damron · · Score: 2, Insightful

    I'm very much pro-Linux. I switched from Microsoft to Linux years ago. It was kind of hard because so many "fun" programs could only be had in Windows. So I ran a dual boot for quite some time.

    I finally removed Windows altogether. After a few months of running only Linux it struck me. My system had NEVER crashed after doing so. Programs would sometimes hang but the system stayed up, not requiring a reboot. It was like an epiphany. I just started laughing!

    I was also relieved that I no longer had to worry so much about viruses. Or do I?

    My question is: If Linux becomes the dominant desktop and virus writers switch their main focus onto my OS of choice, would we be in as bad a shape as Microsoft's XP, 2000, etc?

    --
    The race isn't always to the swift... but that's the way to bet!
    1. Re:How much more secure would we be with Linux? by korgull · · Score: 1

      Linux comes in a lot of varieties.
      It's hard to find vulnerabilities that attack all distributions and versions of the software that being used I think.
      In some cases it may be possible but I think the OS community is much faster in finding and solving these problems than M$ can ever do. They can't even deal with the crashes they produce themself, why would you trust them with a more difficult job?

  109. Slightly off-topic by Anonymous Coward · · Score: 0

    I just tried to run windows update on my mother's Windows 98 box. It said "Administrators Only". Is this some stupid joke? Is Microsoft really unable to figure out what operating system of theirs I am using? Has anyone else figured out how to fix this? All suggestions I see are for XP. I am sick of jumping through hoops to get this pathetic software to work how it is supposed to.

  110. KDE runs just fine by EdlinUser · · Score: 1

    ...on my 450PII booting Knoppix off the hard drive. Using it right now.
    OO while quite useable can be a little frustrating with users expecting all actions to occur immediately.

    1. Re:KDE runs just fine by melonman · · Score: 1

      The start of this bit of the thread said

      Win 98 was delivered on PII 266mhz, 32/64MB RAM

      If your system has 64Mb of RAM, I simply don't believe that you can use OO on it. The binary alone takes most of that. I once installed SO 5.2 on a machine with 48Mb of RAM, and it thrashed the hard disc for 2 hours before I got an empty document.

      I use OO on my laptop, a P233, and, as you say, it is slow but useable. But I do have 192Mb of RAM. And even Mozilla was pretty well unusable with less than 128Mb

      --
      Virtually serving coffee
  111. DHS warns about windows. by Mr_Icon · · Score: 2, Funny

    DHS warns about Windows.
    I see.
    Did their solution involve duck tape and plastic sheeting?

    (Though I must admit, after about 20 minutes the computers protected this way will be VERY secure. :))

    --
    If you open yourself to the foo, You and foo become one.
  112. That's fitting... by kwiqsilver · · Score: 1

    Since they just spent millions to outfit their entire department with thousands of windows boxes.
    Way to keep the fatherland...er...homeland...safe.

  113. Fight on. by TwistedSpring · · Score: 0, Troll

    As usual out come the Linux crowd to say "M$ si teh ghey use lunix!". My answer to this is that you use the OS that:

    Your staff are familiar with, to avoid re-training
    Is easily patched against such flaws as this (the OS does it for you without you even knowing if you want, couldn't be more straightforward than that)
    Runs the legacy applications you have developed to run your organisation
    Runs commercial applications such as Sage and Office that have been developed to be the best and not shallow copies of such products that have been developed because the OS needs to compete

    The bottom line here is that jumping on the "hah! crappy RPC!" bandwagon is probably a mistake. RPC is extremely handy, despite the fact that it may have a few security flaws, and it is not something that was really meant to be open across the Internet, it's more of a LAN thing. The fact that it can, if desired, be conveniently accessible over your external interface is really something sysadmins should decide about whether this should be allowed or not.

    Admittedly, most home users aren't system administrators, and I think Microsoft is probably failing (through obscurity and simplicity-of-install) to inform people using, for example, Windows XP, that they probably don't NEED to allow RPC over their dial-up adapter. I'm not sure if there's an option to disable it, but I think simply disabling "Client for Microsoft Networks" on your external/dial-up interface would do the trick. Since I use a gateway to access the net, I'm not even sure if CfMN is enabled on new dialup connections by default, but I seem to remember it isn't.

    With the amount of people running windows update (which is a gift from God now that it doesn't download updates for crap you don't even have) I'm not sure how much of a threat this will really be. It'll slam people who were arrogant enough to say "hah! windows update is a pile of filth and is insecure and if i use it MS will come knocking on my door asking about my pirated copy of their softwarez!!" but then they probably deserve to be slammed anyway.

    Use Windows for your office desktops, and Linux or some other UNIX variant for your servers. May I also point out that some Linux distros are so insecure on the default install that it beats all hell out of anything that Microsoft have done, for example some don't even set a root pass until the user does it manually.

  114. hmm by Anonymous Coward · · Score: 0

    All this talk about creating worms with powerful functions is sorta silly. You're forgetting the bigger the worm the harder it is to infect. It's true with everyone now running a broadband connection they can increase in size without a problem. But the smaller they are, the more efficient. Unfortunately someone will turn this exploit into a worm and all those unpatched boxes out there will be infected. I've noticed most of the people I know who don't even know what a patch is are running 98 anyway, and apparently that OS isn't vulnerable. I don't think this upcoming worm will be worse than code red / slammer etc. But if and when we do see a worm it's going to be noticed. Hopefully it won't carry any DDOS tools on board. Get the word out to your friends, patch your boxes and all will be fine :]

    --Chris
    http://elusive.filetap.com

  115. Re:All of this crap is pure HYSTERIA by Anonymous Coward · · Score: 0

    So true, this is all just a bunch of self-serving bullshit. And how the parent is a TROLL, can only be because the mods (as normal of late) HAVE THEIR HEADS UP THEIR ASSES

  116. Security alerts and bad economy by just+fiddling+around · · Score: 2, Insightful
    Slightly offtopic, but here goes:

    As there is a permanent terrorist alert going on, could it be possible that everybody is scared of going about and conducting their business? Can this explain USA's shitty economy while Canada's is better than ever and the CA$ is constantly going up?

    [tasteless joke]
    Go MiniHomeSec! Let us commie canadians get on top!
    [/tasteless joke]

    --
    You're not old until regret takes the place of your dreams.
  117. A little gotcha by Anonymous Coward · · Score: 1, Insightful

    I see that to apply the Windows patch on the Win 2k machines you gotta have Service Pack 3 or higher. Question: Isn't that the Service Pack at which the wonderful new licensing scheme kicks in? How convenient.

  118. Re:HomeSec???? by Anonymous Coward · · Score: 0

    I was with you until "otherwise decent news site".

  119. The only reason by bigberk · · Score: 1

    that this may be an issue for national security is because the nation has a homogenous composition of operating systems: almost purely Microsoft Windows.

    In this age of terrorism and electronic dependence it seems stupid to form our nation's business infrastructure upon one operating system. Now if we had a proper diversity of systems, this would not be a big problem.

    Diversity == hard target for disaster

  120. Doing a good job. by twitter · · Score: 1
    I like the advisories. It's the first time the media has had some straight talk and they are getting it right now. All the major news stories are clear about this being a Microsoft problem instead of a "computer" problem. That's a great change from the smoke media writers kept getting blown up their asses by "Computer Experts" in Microsoft's pay.

    The advisory's impact statement is especially good. They say your M$ box can be owned and then used to screw other people. Clear?

    If all Homeland Security was like this, it would be a much better agency. This branch is providing information so that people can take care of themselves rather than spying on everyone. I like that.

    --

    Friends don't help friends install M$ junk.

  121. The Net is safe from my computer by frovingslosh · · Score: 2, Funny
    I have right here a computer that is much more powerful than the million dollar plus CDC computer that provided services to my entire University when I went to school. It's more powerful than the 90 user time sharing system I was in charge of for another university. But the Internet is safe from having all of this potential computing power unleashed against it. Why? Because I hobble that dangerous computing power with Microsoft(R) brand software! Yes friends, that's right. No matter how powerful your computer is, you can rest assured that it can do little harm on the 'Net when it's running Microsoft(R) brand software, the software that not only opens security vulnerabilities but makes your system so slow that it just can't do much harm to the rest of the 'Net. And, as an added bonus, my Microsoft(R) software crashes frequently, so I reboot it often and just maybe that might eliminate or at least confuse some exploits. And when a world full of computers are crashing several times a day, it's just that much harder for exploits to find ones that are up long enough to exploit. And any exploit is likely to be minimally more inconvenient than running the Microsoft(R) software in the first place.

    Don't unleash your powerful computer on the Internet. Tame it with Microsoft(R) brand software today.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  122. haha good marketing by guest12 · · Score: 1

    they just want users of win 98 and other unsupported OS to upgrade.

  123. not funny. by twitter · · Score: 0, Troll
    Microsoft is now officially a threat to Homeland Security. ... We know where they are and they keep putting out a product that threatens our security.

    Oh yeah, don't forget about them selling Communist China their source code after swearing that releasing their source code would constitute a threat to national security. They not only compromise US security, they do it willfully. That's called treason. Perjury or treason, take your pick, they are not the kind of people you should trust. Bombing is a bit heavy, but hanging might be too good for them.

    --

    Friends don't help friends install M$ junk.

  124. Multiple systems? by intermodal · · Score: 1

    Why would they want to make a worm that runs on multiple systems? If they did that, they might get hit when they run a different operating system, or perhaps they feel like not being a dick to people who run what they consider in their elitism to be superior to Windows (not saying I agree or disagree that Linux, BSD, Unix, OSX, and so on are better, just that it may be a purely political or philosophical reason).

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  125. How to distribute patch to hundreds of machines? by Anonymous Coward · · Score: 0

    Any ideas on how to distribute the RPC patch to hundreds of machines on the LAN, with a mix of W2K, XP, NT? Any tools out there to allow this?

  126. its obvious! by michajoe · · Score: 1

    Before you know it, running Windows 95/98 will be a dead giveaway that you're a terrorist and need some chill out time in Guantanamo. Maybe you need your lights turned out for good. Your friendly hotel staff in Cuba will determine further details.

    (check what your browser sends out as HTTP_User_Agent, if it contains Win 95 or 98 and you hit the DHS site with it, you'll see what I mean RSN ;-)

  127. MS Insecure - News @ 11... by mdielmann · · Score: 1

    ...weekly for the last 10 years, and into the foreseeable future...

    --
    Sure I'm paranoid, but am I paranoid enough?
  128. better ways to reduce risks cost effectively? by Anonymous Coward · · Score: 0

    glad you asked. It's SO simple...

    IMMEDIATELY STOP FUCKING WITH OTHER PEOPLE'S COUNTRIES, TELLING THEM WHAT TO DO AND STOP SUPPORTING ISRAEL. 99.99% of all U.S. of A problems will magically instantly disappear. Problem solved. The problem is LOTTO people then will have to be laid off for there won't be ANY reason for them to be at the gov tit, drawing BIG salaries.

  129. Routers, hubs, bridges by fm6 · · Score: 1
    OK, if we're going to pick semantic nits, let's settle on some terminology. In my mind, there are routers (which connect two or more networks), , and . I'm guessing when you talk about a system that's "just a firewall" you mean some kind of smart hub with firewall software.

    Anyway, the last internet sharing gadget I bought was (a) the same $50 price previously mentioned and (b) a true router. There was no mistaking this: by default, all the systems you plugged into it got assigned 10.*.*.* addresses.

    And I really think this is a better approach than the one you use. At least it is for most people. Is there a better way to prevent a system from being attacked than making it inaccessible from outside your local network? Of course, this means you can't "dial in" to your network -- but most people don't need to do that, and especially don't need the extra headache such a capability implies.

    Incidentally, hubs seem to be disappearing. When you can buy a router or bridge for $50, a hub no longer makes economic sense.

    1. Re:Routers, hubs, bridges by drinkypoo · · Score: 1
      Yes, hubs are going away. This is because you can buy an 8 port 10/100 switch for about $25 shipped.

      Hopefully in a few more years, dumb switches will go away, and you'll only be able to buy managed switches due to no one wanting to buy non-managed switches any more.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Routers, hubs, bridges by fm6 · · Score: 1

      In case it got lost in my screwed up HTML, let me reiterate my basic point: most people are better off with just a simple cheap router. The ones I've used isolate your home network from the internet (using network 10), which is far more effective than any kind of packet filtering. Not for everybody, of course, but for the typical home user who just wants to isolate their systems from malicious intrusion, it's ideal. It doesn't matter how simple-minded the router is -- in fact, the simpler the better, since that minimizes the possibility of security holes.

    3. Re:Routers, hubs, bridges by drinkypoo · · Score: 1
      The problem with idiot cheap devices like the linksys BEFSR41 is that there's a large number of things they can't do. For instance, you can't use IRC's DCC SEND function, though you can DCC get, as long as the SENDer isn't firewalled. There's no reason it couldn't do this, they could be using linux 2.4 with netfilter/iptables and the IRC module, which would handle this problem. But they don't. Simple little things which you would expect to work through an "appliance"-type gateway simply don't, and more to the point, there is typically no way to make them work. Sure you can make yourself the DMZ host, that makes DCC work, but then you're bare-ass open to the world which defeats the whole damned purpose of having a firewall/gateway.

      If someone actually did one of those systems right then yes, the average person would be better off with one. But I think the best solution would be to have a CD-booting linux distribution with a config store on a floppy, zip disk, or other removable media, and use a PC rather than one of those little devices. It's simple enough to autodetect the basic necessity type hardware (like network devices) and configure them. Cheap old PCs are, well, cheap -- and plentiful. You only need 8 or 16MB of ram to not even need a swap partition on a system like that.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Routers, hubs, bridges by fm6 · · Score: 1
      I'd never claim that cheap routers are the right fit for everybody. But not everybody needs peer-to-peer file transfer.

      With a Linksys router, you completely isolate your system from outside access without interfering with any client-server web apps. And you do so with a minimum of administration hassle. It seems to me that this fits the needs of 90% of all home users far better than any alternative.

  130. Re:How to distribute patch to hundreds of machines by gregarican · · Score: 2, Informative
    Personally I still use logon scripting. There's a third-party addon called KixTart that allows more sophisticated scripting. Most of the time I take this route with desktop clients.

    If your desktop clients aren't Win2k and higher (therefore not vulnerable to the RPC hit) and don't have publicly exposed IP addresses (i.e. - inside an Internet firewall or proxy) then you are just talking about servers.

    In that case don't you have any remote control software (e.g. - VNC, SMS, PC Anywhere, etc.)? If so just put the patches on a common network share and remote into the boxes to install. If you aren't talking about more than 10-20 boxes it shouldn't take too long. If you are talking about more than that perhaps script out AT jobs to the boxes to execute KixTart scripts or something.

  131. Give me a break. by twitter · · Score: 1
    Patch your stuff and for goodness sake put up a firewall!

    That's not going to help much. It can get in through port 80, try blocking that. Patches, M$ style just don't work. Everyone running M$ has to periodically "rebuild". They do that from ... the CD they have, sometimes a cracked copy with its own backdoors. Think that those patches are going to all get back on? Fat chance! M$ uses its "security patches" to force things that are completely unrelated and are sometimes larger than 500MB in size. The average shop is no more likely to have that patch burnt to CD than they are willing to download the latest and greatest again or indeed apply the damn thing that broke their favorite Windoze based program. Even larger institutions with lots of M$ help get burnt because Microsoft continues to ignore best practices for marketing and user control reasons.

    I get sick of hearing Astroturfers repeat this mindless "patch" mantra. It implies that there is something that the user of an M$ system can do and that somehow the user is to blame for Microsoft's poor security. It's never the user's fault because Microsoft puts out closed source binary crap that users can't fix if they wanted to. The users are not to blame and the only real solution to Microsoft insecurity is to dump Microsoft software.

    --

    Friends don't help friends install M$ junk.

  132. Scanning != virus by intermodal · · Score: 2, Insightful

    Did anyone else notice that they equated scanning to cracking? While I know that's certainly one of the possible preludes to attacks, it's certainly not a definite. I've used scanners quite legitimately more than once (checking what was visible from outside a firewall for my father in law, and testing to see if a non-responding server that I myself was responsible for even had its services running, despite it not being at my present locality). The internet was built to be open initially, and while it's understandable that it now needs security, people need to realize there's more to the internet than ports 80 and 6667, (plus those ones that most users don't ever see, like their port 25 services or port , ). There is far more to networking than HTTP, and the internet is a network.

    It's getting to where knowledge is a crime, and while I feel it would be prudent to learn more and more about computer security, I fear that merely knowing it might make me liable to be wrongly prosecuted. There's just come to be so many legal barriers or poltergeists that it just carries too great of risks for the curious to enter the field.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  133. "Mr Gates, if you don't mind..." by Tactical+Skyrider · · Score: 0, Troll

    Here's another thought... the U.S. Dept of Homeland Security is backing this wholeheartedly -- what if this is really a ploy to get users of microsoft software to install a remote tracking patch designed by microsoft to send usage information to the DoHS? What if this patch to handle remote control security actually sends information to the government? or better yet, ALLOWS certain types of remote control BY the government?

    Surely I'm not the only one out there who's considering this possibility...

    "Hello, Bill Gates?"

    "Uh, how did you get this number?"

    "This is the Dept of Defense. $500,000,000 is being wired to your account in exchange for launch of Operation MS Probe as previously agreed. We will expect patches online within the hour."

    "Swell! You can count on it!"

    --
    In Soviet Redmond, software programs you!
  134. Service packs required for patch by nurb432 · · Score: 1

    Rather interesting that you MUST update to the latest service pack, with all its privacy/license issues, to utilize the patch.

    Nice backdoor way to get to the people that 'just said no' for various reasons.

    --
    ---- Booth was a patriot ----
  135. Conputer??? by Evil-G · · Score: 2, Funny

    Unplug any conputer with really sensitive data from the network

    is a conputer one which is running windows?

  136. your account by nakedbonzai · · Score: 1
    Hello there, I would like to inform you about important
    information regarding your operating system. It
    is a piece of shit. Please delete it and
    install Linux
    Please read attachment for details.

    ---
    Best regards, Administrator
    omfozerz

  137. You're right. by EdlinUser · · Score: 1

    *hangs head in shame*
    I'm running 384 Mb of RAM.

  138. Not losing everything... by Xformer · · Score: 1

    Instability, yes...
    Games? No...

    --
    All I want is a kind word, a warm bed and unlimited power.
  139. WWW.MICROSOFT.COM IS DOWN....RELATED??? by Anonymous Coward · · Score: 0

    www.microsoft.com is down down down right now...do ya think it's related????

    panthertek

  140. Re:Arabs really aren't that bright! by FlyGirl · · Score: 1

    Left myself logged in and a co-worker thought this was funny

    Speaking of security problems... :-)

  141. Question: do I need to patch? by caspy7 · · Score: 1

    I'm running Win98 SE, but am also running ZoneAlarm with security on High. So I believe any attempt to access my box (with DSL) is moot.

  142. Maybe MS wouldn't be so insecure... by halepark · · Score: 1

    ...if the gov't banned all that penis enlarger spam it keeps getting to make it feel inadequate.

  143. i'm not a conspiracy theorist by Anonymous Coward · · Score: 0

    but I get the distinct feeling microsoft is using this to help sell their millennium edition.

  144. HomeSec should stay out of this by gad_zuki! · · Score: 2, Insightful

    Wow, a malicious worm. I'm completely bewildered by the fact that melissa, code red, etc didn't have a seriously nasty payload. It seems like the virus authors just wanted propagation for bragging rights. It wouldn't be so tough to write a function that will corrupt the registry or start formatting important parts of the disk after x amount of hours.

    Windows has yet to see a serious threat by a popular worm and when it does there will be a lot of heat on Microsoft, whether they deserve it or not. "Wintel everywhere" is a classic eggs in one basket gambit and heads are going to roll if 1/3rd of all computers on the internet suddenly refuse to boot up again. Something like 40% (?) of all computers on the net are not behind a firewall and who knows how many are patched.

    What I'm afraid of is that if something this bad and on this scale happens then DRM will go from controversial content protection to a Tom Ridge mandated upgrade. Your computer WILL download the newest patch and you will not rip MP3s from the newest Shania Twain CD or face the consequences (ISP banning you, fines, etc).

    1. Re:HomeSec should stay out of this by ratfynk · · Score: 1

      The more security holes that can be found the better things are for Microsoft and Symantec, well at least for now. The whole trusted computing initiative is being shoved down our throat by Sen Fritz and his cohorts. What better way to do that than to close up the internet to so called untrusted traffic from anything other than Win/Intel Fritz encoded bits. That is what the gist of the trusted computing initiative is all about, being able to disable computers remotely. The whole MS virus routine has been a smoke screen, they could have stopped virus and worm bullshit years ago but had too much trouble on their hands with a lawsuit that they settled out of court. Since then MS has been very reluctant to really do squat about the virus problem, security and some system utils that would be really nice to have included in your OS. I use 32 bit XXcopy not ghost to give you a hint. They can come after me and sue me I do not care. But the bullshit has got to stop, before they really set back the tech revolution with the so-called trusted computing initiative. Just maybe something good may come out of this maybe there will be a real free internet and the other one for castrated MS/Intel computers users, but we had better act fast to keep xml from being totally co-opted by .NET

      --
      OH THE SHAME I fell off the wagon and use sigs again!
  145. Background checks at Microsoft? by Big+Sean+O · · Score: 1

    The US Department of Transportation recently required shippers of Hazardous Materials to improve the security of the shipping process.

    One of the results is more background checks are being done on the people who are hired to haul Hazardous Materials.

    One would think that the Department of Commerce, responsible for regulating interstate commerce, would want to make sure that the 'predominate business information infrastructure' (i.e. Microsoft Windows) has strong security. After all, a large percentage of business is conducted on the Microsoft Windows platform.

    But is Microsoft doing background checks on sensitive personnel? Durned if I know.

    MS Windows is a failure point we have little control over. I define "risk" as the severity of consequence and likelihood of consequence. Perhaps people are finally realizing that the risk is higher than they're comfortable with.

    --
    My father is a blogger.
  146. Inquiring minds want to know... by Rohan427 · · Score: 1

    ...why the government, specifically the military, continues to use M$ software in mission critical (and this term takes on a whole new meaning within this context) applications, when there are ever more warnings and announcements about vulnerabilities.

    PGA

  147. I think it's funny... by Anonymous Coward · · Score: 0

    that the CNN can be posted without modifications on a weekly basis.

  148. What does not kill you makes you stronger... by vuud · · Score: 1

    I've got a 4 year old. If a kid never gets sick, the first germ that comes along is gonna give a super big whomping to em.

    These worms that come and go, viruses and such, all really serve to harden the internet overall.

    Just think if we had no worms, no viruses or anything. Then someone unleashed something that took advantage of all the holes and vulnerabilities over the past five years... If it went off in one big boom, we may have an interruption of service...

    Just my .02

  149. worm request, please... by LifesABeach · · Score: 0

    given the past track record of m$ to NOT effectively clean up their product droppings; i have the following worm creation request:

    1. that the worm infect o.s. distros of ALL flavors, quietly.

    2. the worm, in stages, upgrades the operating system to an open source solution. WHERE-BY any viruses, worms, and any other trespassers in the wild are openly discussed, and countered in the usual successful manner.

    3. the worm, quietly, goes on to upgrade performance of the o.s., and any other related software products; based on use for that machine.

    4. the worm, daily, quietly goes to known security sites to inquire about any new updates on new security holes, and automatically fixes such holes, AND reports any observed existing security abuses on that machine.

    5. the worm looks at repetitive patterns of executed binary code for the purpose of optimizing such code for the still existing hardware of that computer.

    HEY! wait a minute, this has all been done by using existing linux distros. please ignore this request.

    "where do you want to go to next? ha-ha-ha-ha-ha-ha" --the fat man, 1938

  150. Coast Guard and Border Patrol by billstewart · · Score: 1
    People may join the military or the Coast Guard with the intent of serving their countries, and the government abuses them by creating lots of publicity about how that's what their job is, and then uses them for entirely different jobs that advance the government's political agendas (such as stomping out Communism and supporting politically convenient dictators around the world) and in general endangers the American public by creating hostility against us (such as the recent Middle Eastern terrorism problems.)


    Occasionally the Coast Guard is a military organization, keeping Nazi submarines from invading the US, and they have done a lot of really excellent work rescuing people from ship and boat accidents. Unfortunately, they've been largely turned into tax collectors and pirates, because they've been given the job of enforcing Prohibition (essentially all of the cargo container inspection is looking for drugs and import tax evaders, not to keep our bloody arses safe), and are authorized to attack ships that might be smuggling.

    But unlike the Coast Guard, who have some good jobs as well as bad jobs, the people who "monitor land border crossings" are entirely bad - at best they're tax collectors (a few years ago the Customs department had the gall to be wearing uniform patches saying "US Customs Service - Defenders of Liberty") and at worst they're the thugs who want to keep immigrants with the wrong skin color from entering our country.

    The airport security officials are primarily there to make the American public think that the Bush Administration is doing something to make us safer, and they've been interfering with civil liberties for years. Yes, they've probably kept a few wannabe hijackers from doing hijacking, but after the TWA Flight 800 explosion was shown to have been from mechanical causes, they didn't stop the unAmerican practice of demanding travel documents, and they've had a consistent policy of lying about policies, having secret policies, and encouraging the airlines to lie about policies.

    Cost-effective ways to actually increase our security? Stop the US military and US foreign aid from supporting abusive regimes around the world - Saddam Hussein and Osama bin Laden aren't the first bad guys that we've provided military assistance to and then later gone to war against. Get rid of America's weapons of mass destruction. Do free trade with everybody.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks