WindowsUpdate.com Secured, Permanently
Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight.
Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."
But Microsoft was seen on Linux today also: http://uptime.netcraft.com/up/graph/?host=www.microsoft.com.
Quoth Billy G: "Linux sucks, it's worthless, not usable for real . . . What? A worm? Aaaiiiieee! Tux Save Me!!!"
---
Jedimom.com, that not-so-fresh feeling.
StrategyTalk.com, PC Game Forums
Wasn't this the subject of a famous memo about a year and a half ago, when they were spending 10 months doing nothing but security? Good job guys. Interestingly enough, Scoble has some things to say about Windows and security. Some good comments as well (both for and against). Of course, as he's an MS cheerleader you can't expect completely unbiased reporting.
Not a huge deal, since the official URL is windowsupdate.microsoft.com . The start menu, Tools in IE, and Windows Help all have that address. The worm author was kinda stupid, he should have pointed it to microsoft.com or windowsupdate.microsoft.com.
Username taken, please choose another one.
They've given the windowsupdate.com site to Akamai to serve for them. Not a bad idea, actually, since Akamai has something like 15,000 webservers distributed around the world, to share the load.
Of course, it's extremely amusing that they're paying to have their content served by a flock of 15,000 penguins. I'm a bit concerned for our own site this weekend, as we use akamai for our static content. It'll be interesting to see how my pageloadtimes are affected (if they are).
Akamai is a great resource for dealing with huge spikes in webserver load - I guess you could say this qualifies as that.
To see how much microsoft sues the person who wrote that worm, or if it's someone from a third world country, they might just take a nod to the US government and post a 25 million dollar dead or alive bounty.
Whoever it is is in A LOT of trouble now.
GoatPigSheep, the 3 most important food groups
Just because netcraft is reporting www.microsoft.com running on Linux, it's unlikely that they ported IIS to it. What you're seeing is a Linux proxy; The webserver itself is still an IIS6 box running on Win32 behind Akamai's Ghost proxy/cache.
We all know that when Microsoft runs UNIX, they run FreeBSD.
-- Jared Earle | "There is no spork"
the Army, or any large organization with a large install base of MS boxes, does not use SUS?
I started using it here about 6 months ago, it is the only way to go. I cannot imagine using Windows Update as an enterprise solution. One or two PCs at home sure, but SUS is free dammit.
Do you think anyone will notice, or care for that matter?
... oh, wait, maybe they don't trust their own systems and sysadmins to be able to deal with it!
Well, isn't the last Microsoft virus supposed to "attack" windowsupdate.com tomorrow? That might be an explanation as to why they are changing this - they obviously don't trust their own users to keep their systems patched and/or behind firewalls.
Don't try to fix me. I'm not broken.
I predict (maybe this post will help a little :-( ) that the next iteration of the worm (or another one) will google up "windows update" and will attack the 3-5 best results.
;-)
Let's see what happens then... Microsoft is going to pressure Google to remove www.google.com from their DNS servers.
I don't like MS either, but this is blatantly unfair. MS did fix the gaping hole -- last month. The problem is that their customers didn't implement the fix, so they are taking reasonable precautions to avoid damage. Beat them up for the things for which they deserve, but not this.
You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
-- Colonel Adolphus Busch
No, technically, they are using Linux to serve the page faster than their Windows box is able to.
While not a fan of Microsoft, I don't think non-Microsoft products can claim 100% security either.
I think the problem comes from two directions:
1) A large majority of nodes on the Internet running the same software. And,
2) The (generally) lower understanding of security issues on the part of the Microsoft users.
I think "1" is a bigger issue. With 90% or so of all desktops running Microsoft, any security issue has the potential to exploit explosively. I would argue that things would be better if no single operating system had this kind of market penetration, regardless of the manufacturer. Then, if a security exploit is running around it has less of an impact on the Internet as a whole.
"2" is a contributing factor. Given that more Microsoft users are (in general) non-IT professionals or non-sysadmin-aware (not a crack against Microsoft as much as an acknowledgement that most Microsoft users are end-users and not developer/server types), they are less likely to set up their systems correctly or to quickly apply patches when holes are found.
So, I'd like to see larger penetration of alternative OS's just to dilute the strength of any Microsoft based security exploit.
Sleep is for the Weak
Of course, you're right. But it's so much more fun to take the fact that microsoft.com was reported running Linux by Netcraft at face value. Besides, technically they are making use of Linux within the chain of information delivery, and doing so of their own volition. I still kinda think that's worth giggling about.
StrategyTalk.com, PC Game Forums
The solution is easy, limit the fine to a maximum of the full amount paid for the software. ;-)
And really that is the case, many billions of dollars were paid to Microsoft for defective software. When auto makers have a recall, they are required to fix the problem for you. With software you have to do it yourself, and if you don't it's your fault. Then again, if you do install the patch yourself and your machine breaks, it's still your fault!
Basically, expect to see no real improvement in Microsoft's software until someone has the guts to sue them or the government gets involved (à la auto recalls). Otherwise there is absolutely zero incentive for them to work any harder than they have to to sell you software.
This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.
Active Directory also provides a way to block this type of worm that *ix doesn't. There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network. Once they're all patched, the policy can be removed really easily.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). you'd think they'd at least fix that if they were fuckin with the dns..
Yes but by doing so they're protecting their Windows box from attack by putting it behind a linux proxy. I doubt microsoft had a problem with bandwidth.
How hard would it be for a worm to do a google (or some other search engine) search for "microsoft windows update site:microsoft.com" and pick a target from the top results? I agree that MS is only forcing the worm writers to be smarter with their targets by shuffling things around. Eventually it will backfire. If they don't find a better solution, all of this "musical websites" shuffling could also make for some serious chaos as more people figure out how to write DOS worms and it becomes more of a common attack.
US Democracy:The best person for the job (among These pre-selected choices...)
I wonder if this "DOS" they claim to be suffering is really too many users actually trying to get updates for once. After all, the code in this virus is not set to DOS MS until the 16th, so they can not blame it on that. I doubt they would ever admit to not being able to handle the load. I use MS update at least a few times a day and have been for the last year on various client machines. Sometimes I need 10's of updates from a fresh install, sometimes just a few driver updates or the recently released. I don't have any specific stats but I have noticed a definite slowing of the update site when the Blaster worm was announced, and it is getting slower as the days go on; today it took over 5 minutes to get a sound card update that for the previous year only took 10 seconds. Another time today it took about 60 seconds. DOS causing this? Maybe, but I would guess they are having a hard time providing the update service for everyone and do not want to admit it. I bet hundreds of thousands of people are running the update service for the first time ever and they need a lot of updates. This move of names and connectivity is probably a hidden attempt to get the stuff hosted somewhere else or split up the load more than what they are currently doing, and make it appear it is for security reasons. Reading between the lines here, but the amount of work involved with a name change of this nature is massive compared to the relative ease with which a virus writer can simply point to the new site. Does MS honestly think a name change will stop a DOS? I doubt it, but it fits into their FUD campaign of increased security and that they are under attack.
Bad boys rape our young girls but Violet gives willingly.
More importantly, when will MS abide by their settlement and allow alternative browsers to be used with WindowsUpdate? (In my eyes that should be implied.)
Doesn't seem right that they are allowed to throw up a button for "Program Access and Defaults" while at the same time making sure you actually can't live without the products you're trying not to use.
btw, waiting and hoping that the automatics updates works is NOT an alternative. Except for those who never use non-critical updates(IE WMovMaker, WMP9 etc) or love being alpha testers for a company known to CONSTANTLY screw up their patches.
If you wanna get rich, you know that payback is a bitch
Two thoughts here. First, package management
Operating system version control has been a problem for Microsoft Windows for a long time. Especially with runtime software bundled with third-party applications (think DirectX), you need a clear way to identify what is installed on a machine, upgrade it while tracking dependencies, and easily remove it. InstallShield does this sort of thing -- why isn't it built into the operating system?
Furthermore, most package managers provide a facility to verify the files that are running on the machine. While it isn't as conclusive as something like Tripwire, a simple "rpm --verify --all" will give you some insight into whether a system file has been replaced.
Package management on AIX (and probably other UN*Xes, but I haven't used them) gives you the ability to roll back out of a patch that went wrong, too. While that is possible to some extent in Windows, a package management solution could make that very easy.
And while we're at it, why isn't there a framework built into Windows to centralize patching of ALL products, not just Microsoft ones? Certainly the "Microsoft Update" that they are proposing is a good step, but why not build something that can check other vendors' web sites for patches? Couldn't such a framework be built so that when an application is installed it registers with the OS, and tells the OS where to look for updates for that specific product? Then when you run this "update console" or whatever, your local machine goes out to Microsoft, Symantec, Adobe, whoever, and checks to see if there are updates for EVERYTHING that is installed?
The system could also be similar to Red Hat's update mirrors/satellite up2date server, where a corporate customer could set up a central update server, tell it where to get updates for all the products in use in their company, and then that server mirrors it. Then updating the client workstations (and servers) is something that happens in-house. Maybe it could even be smart enough to tell if a client machine hasn't been updated yet, and then when that machine is powered on it could update itself and reboot if necessary, all before the user is able to log in.
These two things together could really put a dent in management for Windows machines. Sorry if this is sort of a ramble, I've been thinking about it for a while and it all just spilled out.
If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, or maybe minor power failures happen frequently and were just prevented from spreading?
Na ... nothing like that.
...
When Microsoft knows something like this is going to happen they pull in their secret weapon, big-gun software to handle the load:
Microsoft's secret weapon
-- Knowing too much can get you killed, but knowing who knows too much can make you rich.
Uh, *cough*MSN*cough* maybe they ARE an ISP but they contract to a bunch of other companies for their bandwidth/infrastructure.
Apparently the US National power grid uses "OPC"
OPC stands for "OLE for Process Control"... (if you did some COM/DCOM Windows programming you will be familiar with this).
It's the same technology targeted by the W32.Blaster worm that is crawling around the web.
It won't surprise me if some of those computers responsible for failover/grid isolation actually hung themselves on the worm.
In case you don't know what the worm does: not much, but as a side effect (because of sloppy coding) it causes the machine to restart very frequently (it also attempts to attack microsoft.com in a DoS attack, I guess that's why Microsoft shut down windowsupdate).
what do you think?
they obviously don't trust their own users to keep their systems patched and/or behing firewalls
/.ers , hehehe.
I'm an XP user (among other os's) and I don't trust the average Windows user either. Not ragging, just a fact. My mom is one of them.
My brother and I were joking around because mom asked him what she should do about "that new virus" (blaster). She asked him if unplugging the computer was enough, or if she needed to do more. I told him he should have told her to put the box in the refrigerator because everyone knows that viruses and germs won't grow when they are kept that cold. Yea, I know, slightly cruel, but I'm telling ya, she just MIGHT have done it if we could have kept from laughing.
So it's not an insult to Windows users, it's just a fact: most are interested in doing stuff with their computers and expect them to be like a toaster, just plug it in and never think about it again.
Ironically, I bought my 67 year old mom the computer last christmas, she uses it every day, and she WAS smart enough to ask someone about it, more than I can say about a few
Tequila: It's not just for breakfast anymore!
I wonder why they didn't just point DNS for the website to 127.0.0.1.
Better still, why not put 30 or 40 round robin DNS entries in? Symantec says there's about 228,000 infected boxes; with 40 different IPs on windowsupdate.com's DNS record, each server would be hit by less than 6,000 attackers. Surely, with the time they've had to prepare, they should have been able to handle this.. I'm really surprised that they actually took windowsupdate offline. I think any competent sysadmin with the financial resources of MS behind them should have been able to weather this storm without any loss of service.
I've been kind of wondering if there might not be some other exploit that some researcher is waiting to release, after everyone's auto update is broken...
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
...hackers will just point at http://windowsupdate.microsoft.com instead. Right?
-- http://frobnosticate.com
It's not too convincing, to be honest. It's just saying that there is a possible connection, and that the company running the plant didn't answer their questions yet. (Which is of course very suspicious, what could these people have better to do right now than answering wild allegations from a German IT magazine?)
Programming can be fun again. Film at 11.
I don't think blaster caused the power outages or disabled the systems - have you read about the state of the US powergrid as a whole? It's horrendous!
I was watching the Discovery Channel (or History Channel, one of those) and they talked about that large blackout that occurred back in NYC in 1977.
The power grid protection system itself is what caused the blackout. One substation sees it's getting a huge surge of excess power, can't handle it, and shuts down. This passes this huge surge to the next station, which also shuts itself down to protect itself. It's a huge chain reaction: power surge seen by a substation, substation shuts down to protect itself, surge passes on to next station, etc etc.
The show was about terrorism in the US and how unprotected we are - and it really gets you thinking. If some jackass in Ottawa can plug in their hair blower and toast the power to several major metropolitan areas, imagine what a well thought out, organized terrorist could do.
Personally, I think we should build some new nuclear power plants. 66 reactors provide 769 billion kWh, or about 20% of the total power produced in the US (2001 figures). These plants are old, the newest ones going all the way back to the early 80s, with no new orders for nuclear units since '77.
The US is relying less on its hydroelectric, nuclear and coal plants and building more "peak use" and "daytime" generators, huge gas turbines that are only turned on when there's a peak demand or only on normal business hours, say 9-5.
Why? It's not any more efficient; in fact these giant gas turbines tend to use more fuel than coal systems to produce nowhere near the same power. It's all about aesthetics. No one wants a power plant near them, but everyone wants power. So they build these peak use and daytime plants - low output systems that take up almost no room and don't have the usual huge smoke stacks, etc. you're used to seeing with plants.
I personally wish the US would update its power infrastructure, and I'd be willing to pay for it. Retire old, inefficient nuclear plants and build new, more powerful, safer ones. Add in more redundancy into the network, more real-time failovers.
They are modernizing it, don't get me wrong, but they aren't going at near the pace I'd like to see.
(Probably kiss my karma goodbye now, oh well. The power grid is something no one cares about or wants to put money into unless something goes wrong - then we all conveniently forget about what happened when there's a bill up to repair and update it at the cost of a couple bucks a week in taxes.)
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
Get a clue.
Notably, Microsoft refused to give permission to ISPs to burn CD's or make floppies with the Blaster patch on them. I heard of one outfit that had their lawyer contact MSFT to make sure that they were kosher before giving them to customers. Microsoft refused. As it turns out, stating that the users could easily download the patches directly, even if they had the shutdown bug and were dialing in to download a 1.2 MB patch.
I have no sympathy for MSFT getting DOS-ed. The fuckers deserve it, and they were hoist by their own petard. Sure, there is some nitwit out there that acted on an exploit that was known for at least a month, but WTF? What is the problem with letting ISPs distribute the patch to fix this thing?
The ISPs are burning time and support lines over it, bandwidth is getting hosed by the packets on the affected ports, filtering ports helps (but doesn't eliminate the problem). Essentially, third-party companies (ISPs) asked for permission to help put out this fire, and Microsoft gave them a big "fuck you" and I am somewhat gratified by the whole thing.
Fuck you, Microsoft. Here's hoping you get more of the same.
I might post the emails discussing the attempt to get authority to help spread the patches somewhere, but I'm not anxious to cause a slashdotting of my own weenie ISP's servers.
Last time I checked, most everybody, on average, beats Microsoft in terms of speed of security fixes. So I suppose unmatched, because Microsoft has been completely surpassed.
Here in CA you have to fund the switch which allows you to feed from your supply to the lines, even if you don't EVER want to feed back. PG&E got some help in the legislation; this runs around 10K minimal. The CA government in its infinite wisdom also instituted a Farking tax on power feedback, in order to offset the cost of people leaving the system while it is so deep in financial trouble, so now even if you DON'T USE the power grid, you are required to pay a tax on the approx. amount you would use.... Our rural neighborhood association just went through the governmental hoops to get this working... what a friggin nightmare.... Unless you have several hundred potential users, there is no way this is financially feasible thanks to our friends in government, always out to protect corporate interests at the expense of taxpayers' freedom and choice.....
errr....umm...*whooosh* *whoosh* Is this thing on ?
It's definitely something we've considered. Based on where our house is, and living in the Pacific NW, wind seems like it may be our best option; fortunately windmills are getting more efficient all the time.
I think I'll just leave PSE's wires in the ground and disconnect them at the box though. If they came to dig them up they'd sever my cable, phone and water lines for sure. :)
That line of reasoning is hogwash, and part of the self-apologizing crap us Software Developers keep throwing out.
It used to be that we could blame the users for running executables they receive via emails. We demanded common sense, and said that it was user error, not Software Developer error. This time, the mere act of being plugged into a network or the Internet is enough to get the computer infected. So what do we do? We say, "Damn those lusers, because they didn't install their latest security patches!"
That's a big, smelly load of shit. Systems administrators should be required to read bugtraq and keep their systems patched. Users should only show common sense. We can't ask them to do these things. There are people working with computers that actually use them as tools to do work, rather than as objects of worship, as we geeks do. They don't want to know about driver install woes or our petty flavour of the month.
We should be bounds-checking our mallocs rather than demanding users take the time to fix the faulty products we put out.
Overcaffeinated. Angry geeks.
What you can do is to look in detail at the actual files that the update was supposed to contain. If the correctly named files with the correct MD5 hashes are in the right places, you know that the update has been installed correctly. Fortunately, RPM is actually able to check things like MD5 hashes to confirm that the files that were supposedly installed actually have been installed, and that makes the kind of corruption that would hide the truth much more difficult to carry out.
I'll admit that in this case Microsoft is doing a good thing by releasing a more detailed scanner that will actually check to ensure that the appropriate patches have really been installed, rather than just taking the registry's word for it. But doing so is not a built-in part of the system the way it is for RPM.
It's also important to note that this is an advantage of Linux distributions not being a mono-culture. Corrupting the RPM database won't help you if the system that you've invaded is a non-RPM using system like Debian, Slackware, or Gentoo, each of which uses a different packaging system. It's not even clear how much it would help if you were invading a SuSE or Mandrake system instead of a Red Hat one, since the expected names of the packages would be different, too.
There's no point in questioning authority if you aren't going to listen to the answers.
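The two posts above (the one recommending "rpm --verify --all" and the one explaining that RPM checks the recorded file hashes to confirm a patch is really installed) describe the same technique: keep a manifest of what each file should hash to, then compare the disk against it rather than trusting a registry entry. The following is an added example, not code from the original thread or from RPM itself; it builds a constructed three-file "patch" in a temporary directory, records a manifest, tampers with one file and deletes another, and reports per-file status the way a package verifier would. The file names, the manifest format and the SHA-256 default are assumptions (the post talks about MD5; `hashlib.new("md5")` works the same way).

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, relpaths, algo="sha256"):
    """Record the expected digest of every file a package installs.

    This is the analogue of the per-file digests an RPM database stores
    (constructed manifest format: {relative path: hex digest})."""
    return {rel: hash_file(os.path.join(root, rel), algo) for rel in relpaths}


def verify(root, manifest, algo="sha256"):
    """Compare the files on disk with the manifest, like `rpm --verify`.

    Returns {relative path: 'ok' | 'modified' | 'missing'}. Files that are
    not in the manifest are never examined, which is also true of RPM."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            results[rel] = "missing"
        elif hash_file(path, algo) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def demo():
    """Install a constructed 'patch', tamper with it, and verify it.

    The file names and contents are made up for this example."""
    root = tempfile.mkdtemp()
    files = {
        "bin/service.dll": b"patched service, version 2\n",
        "etc/patch.inf": b"[patch]\nname=example-hotfix\n",
        "doc/readme.txt": b"read me\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    manifest = build_manifest(root, files)  # taken at install time

    # Simulate what a verifier is meant to catch: a replaced binary
    # (the registry would still say the patch is installed) and a
    # file that went missing.
    with open(os.path.join(root, "bin/service.dll"), "wb") as f:
        f.write(b"something else entirely\n")
    os.remove(os.path.join(root, "doc/readme.txt"))

    return verify(root, manifest)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9s} {rel}")
```

Two caveats follow directly from the thread. The check is only as trustworthy as the manifest: if the attacker can rewrite the database that holds the expected hashes (the "corrupting the RPM database" scenario in the second post), verification will happily report "ok", so a serious deployment compares against a copy kept on read-only media or a signed copy from the vendor. And the loop above only looks at files the manifest names, so a file dropped alongside the package is invisible to it; that is the gap a whole-filesystem baseline tool like Tripwire covers.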
The Linux hit appears to come from an Akamai server, which is a distributed cache, under contract by Microsoft. You can bet the actual Windows Update servers are in fact running Windows.
No, I don't want to explore the Recycle Bin.