Slashdot Mirror


WindowsUpdate.com Secured, Permanently

Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight. Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."


  1. Next Week.. by msblaster.exe · · Score: 5, Funny

    Don't worry next week there will be another memo with the URL for the new update

    1. Re:Next Week.. by Ledskof · · Score: 5, Funny

      Secured permanently? So they unplugged it from the network to finally get that C2 security level, eh?

      --
      This is my sig. The post is over.
    2. Re:Next Week.. by cravey · · Score: 5, Funny

      I wonder why they didn't just point DNS for the website to 127.0.0.1.

      Let the infected servers work it out amongst themselves. :)

    3. Re:Next Week.. by Anonymous Coward · · Score: 3, Funny

      I wonder why they didn't just point it to sun.com

    4. Re:Next Week.. by TheViffer · · Score: 2, Interesting

      Na ... nothing like that.

      When Microsoft knows something like this is going to happen they pull in their secret weapon, big-gun software to handle the load ...

      Microsoft's secret weapon

      --
      -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
    5. Re:Next Week.. by kilgore_47 · · Score: 4, Interesting

      I wonder why they didn't just point DNS for the website to 127.0.0.1.

      Better still, why not put 30 or 40 round robin DNS entries in? Symantec says there's about 228,000 infected boxes; with 40 different IPs on windowsupdate.com's DNS record, each server would be hit by less than 6,000 attackers. Surely, with the time they've had to prepare, they should have been able to handle this. I'm really surprised that they actually took windowsupdate offline. I think any competent sysadmin with the financial resources of MS behind them should have been able to weather this storm without any loss of service.

      I've been kind of wondering if there might not be some other exploit that some researcher is waiting to release, after everyone's auto update is broken...

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    6. Re:Next Week.. by yomamasbooty · · Score: 3, Insightful
      Actually pointing the DNS to 127.x.x.x really doesn't do much. While it does point it back at itself, the SYN flood isn't strong enough to take itself out. With this worm you really need multiple hosts to DoS another.

      The best way to deal with the worm is to return a null value in DNS. This ensures the SYN flood never gets started.
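
The "null value in DNS" recommended above, written out as a resolver sinkhole. This is an added example, not configuration from the page or from any of the posters: a BIND named.conf stanza that makes a site's own resolver authoritative for windowsupdate.com, plus a zone file that carries an SOA and an NS record and deliberately no A record. (The Full-Disclosure mail quoted later in the thread says an SOA alone is enough; BIND refuses to load a zone without an apex NS, so one is included.) The server names, serial and TTLs are placeholders.

```bind
// named.conf fragment: answer the worm's lookup ourselves instead of forwarding it.
// Everything below the "zone" stanza is the contents of the zone file it names.
zone "windowsupdate.com" IN {
    type master;
    file "sinkhole-windowsupdate.com.zone";
};

; sinkhole-windowsupdate.com.zone
; Apex carries SOA and NS only. No A record means gethostbyname() fails
; and the worm has no address to flood. Short TTLs so the zone can be
; withdrawn quickly once Microsoft's new update location is known.
$TTL 300
@       IN  SOA  ns1.example.edu. hostmaster.example.edu. (
                 2003081601 ; serial (placeholder)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-caching TTL
        IN  NS   ns1.example.edu.
```

After a reload, `dig @ns1.example.edu windowsupdate.com A` answers NOERROR with an empty ANSWER section (the name exists because of the SOA, so it is NODATA rather than NXDOMAIN); either way the lookup yields no address. Two caveats a site doing this should keep in mind: the zone hijacks windowsupdate.com for every client of that resolver, not only the infected ones, and it does nothing for windowsupdate.microsoft.com, which several posts below note is the name the Windows Update shortcuts actually use.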
    7. Re:Next Week.. by Professor+Bluebird · · Score: 2, Interesting
      When Microsoft knows something like this is going to happen they pull in their secret weapon, big-gun software to handle the load ...

      According to Netcraft, and the certificate from https://windowsupdate.microsoft.com, MS has moved Windows Update to Akamai. This pushes the DoS on someone else, and obviously protects MS's internal network.
    8. Re:Next Week.. by cdecroes · · Score: 2, Funny

      I'm surprised Microsoft didn't point it to 129.42.19.99 (www.ibm.com)

    9. Re:Next Week.. by gclef · · Score: 4, Informative

      Because the worm spoofs traffic from its local subnet to the windowsupdate address. What this means is that any infected machine would spoof traffic to itself from its local subnet, and then flood the local LAN with RSTs, presuming it wasn't actually running a webserver, in which case it would flood the local LAN with ACKs. Either way, bad.

      The worm doesn't sanity check the DNS result, though, so if the name doesn't exist, gethostbyname() returns -1, which translates to an IP of 255.255.255.255. The reports I'm reading say that the windows stack won't allow you to send traffic to that IP, so the machine will just drop it. (that could be wrong, though. We'll find out soon.)

    10. Re:Next Week.. by RevRa · · Score: 3, Funny

      Overheard:

      Co-worker1: "I wonder what would happen if I pinged 255.255.255.255?"

      Co-worker2: "Don't do THAT! You'll ping the whole Internet!"

      hahah. :-)

      --
      - Kate
      "DNA is life. The rest is just translation."
    11. Re:Next Week.. by gujo-odori · · Score: 4, Insightful

      Let us not say that.

      The MSBlast worm delivers about a 16 kbps stream, so whether the zombie is sitting on a 56k dial, a 256k upstream DSL or cable connection, or has a T-1 or larger uplink doesn't really matter. DDOS zombies don't usually consume all of the available bandwidth, since doing so would be rather counterproductive to the goal of making a DDOS attack.

      If an average user, being mostly computer-illiterate but knowing that a reboot fixes most Windows problems for a while, finds that his/her computer can't connect to the Internet (the symptom of having all of your upstream bandwidth utilized), the most likely response will be a reboot. This lowers the effectiveness of the DDOS attack compared to a large number of zombies making the attack without their owners' knowledge, which allows them to continue uninterrupted.

      Numbers of attackers are the key to a highly successful DDOS attack, not using up all the bandwidth at the zombie's disposal. MSBlast could take a lot more bandwidth and still be not noticed by broadband users, but the authors have clearly crafted it to work and not be noticed on machines with dial-up and other low-bandwidth connections. (I saw a 32-workstation LAN in a third world country; there was a 64k uplink for the whole office; things like that aren't unusual in many parts of the world. The likelihood of those machines being up to date on patches is very low, which makes them a good target for MSBlaster.)

      My purpose for being there was to install a hardware firewall in front of their network, so they are far less likely to get infected, but there are many vulnerable machines like that out there with no protection. A good DDOS client can use them; one that consumes all available bandwidth can't.

    12. Re:Next Week.. by malfunct · · Score: 2, Funny

      I thought with Microsoft's great resources they would have funded an effort to change time. They could just never let clocks get to the 16th and the worm would be totally neutralized.

      --

      "You can now flame me, I am full of love,"

    13. Re:Next Week.. by 13Echo · · Score: 4, Informative

      Most Windows users will know that something is wrong when "svchost" constantly crashes, prompting for a reboot. The hits on port 135 cause it to bork out. My mom, who is quite "computer illiterate", knew that something was wrong, and called me about it. We corrected the problem by upgrading her virus definitions (which were only a week out of date), and installed ZoneAlarm Free on her machine to stealth the ports from now on.

      GRISoft's AVG Antivirus, and ZoneAlarm, are two great and free tools that can fix and prevent these things.

      AVG Anti-Virus
      Zone Alarm

      A year or two ago, I wouldn't have thought that firewalls were so essential for dial-up users. Now, it's important for all users to have them, regardless of the OS.

    14. Re:Next Week.. by AngryRodent · · Score: 5, Informative

      Windows update is already massively load balanced across multiple server farms. They use both a DNS based load balancer (F5 3DNS) and local area load balancers (F5 BIGIP). The server farms are in a number of locations. Early, and not so early in the implementation of this, a number of people were concerned that Microsoft was attacking them because the 3-DNS's would create probes from each datacenter to the end-users system. I'm not sure if that is still being used. I have no knowledge of how they Akamized so quickly since I haven't been involved with this project in years. However, it should be pointed out that the BIG-IP's make Akamizing content a very simple matter. I'm not shilling for F5- I no longer own any of the stock, haven't been an employee for years, and I'm now just a reasonably-satisfied customer.

    15. Re:Next Week.. by nyseal · · Score: 2, Informative

      I'm not so sure. I have a dial-up and I got the worm IMMEDIATELY. It kept shutting down Windows to the point I couldn't even d/l the patch in time. I eventually found (through Symantec) where the worm was in the system and in the registry. Only then could I keep going long enough to install the patch and the anti-virus definition to fully remove it. It was really frustrating.

      --
      [SIG] Remember Mattel handheld games?
  2. Power outage related to Microsoft by Interesting+Username · · Score: 3, Funny

    It seems the power in one of the most populated areas of North America was out around the same time Microsoft was making these fixes? Coincidence? I think not. For those of you in the power outage area, expect it to happen again tomorrow as the DoS is about to begin.

    1. Re:Power outage related to Microsoft by mfivis · · Score: 2, Funny

      mmm, I believe it can be attributed to overload. Think about the sheer amount of Windows machines that were frozen and unable to turn off without hard Reset or power buttons, i.e. stupid new gen Dells and so forth.

    2. Re:Power outage related to Microsoft by RoLi · · Score: 3, Interesting
      Actually, there are rumors that safety systems that would have prevented such widespread failure were running on Windows and were down because of blaster.

      If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, - or maybe minor power failures happen frequently and were just prevented from spreading?

    3. Re:Power outage related to Microsoft by __past__ · · Score: 2, Interesting
      There is an article on heise.de (German) that basically claims that one of the power plants that went down belongs to a customer of a company specialized in DCOM/RPC-based technology, which could be an indication why some security systems failed (because they were busy rebooting).

      It's not too convincing, to be honest. It's just saying that there is a possible connection, and that the company running the plant didn't answer their questions yet. (Which is of course very suspicious, what could these people have better to do right now than answering wild allegations from a German IT magazine?)

    4. Re:Power outage related to Microsoft by Judg3 · · Score: 4, Interesting

      I don't think blaster caused the power outages or disabled the systems - have you read about the state of the US power grid as a whole? It's horrendous!
      I was watching the Discovery Channel (or History Channel, one of those) and they talked about that large blackout that occurred back in NYC in 1977.

      The power grid protection system itself is what caused the blackout. One substation sees it's getting a huge surge of excess power, can't handle it, and shuts down. This passes this huge surge to the next station, which also shuts itself down to protect itself. It's a huge chain reaction of power surge seen by a substation, substation shuts down to protect itself, surge passes on to next station, etc etc.

      The show was about terrorism in the US and how unprotected we are - and it really gets you thinking. If some jackass in Ottawa can plug in their hair blower and toast the power to several major metropolitan areas, imagine what a well thought out, organized terrorist could do.
      Personally, I think we should build some new nuclear power plants. 66 reactors provide 769 billion kWh, or about 20% of the total power produced in the US (2001 figures). These plants are old, the newest ones going all the way back to the early 80s, with no new orders for nuclear units since 77.
      The US is relying less on its hydroelectric, nuclear and coal plants and building more "peak use" and "daytime" generators, huge gas turbines that are only turned on when there's a peak demand or only on normal business hours, say 9-5.

      Why? It's not any more efficient, in fact these giant gas turbines tend to use more fuel than coal systems to produce nowhere near the same power. It's all about aesthetics. No one wants a power plant near them, but everyone wants power. So they build these peak use and daytime plants - low output systems that take up almost no room and don't have the usual huge smoke stacks, etc. you're used to seeing with plants.

      I personally wish the US would update its power infrastructure, and I'd be willing to pay for it. Retire old, inefficient nuclear plants and build new, more powerful, safer ones. Add in more redundancy into the network, more real-time failovers.
      They are modernizing it, don't get me wrong, but they aren't going at near the pace I'd like to see.

      (Probably kiss my karma goodbye now, oh well. The power grid is something no one cares about or wants to put money into unless something goes wrong - then we all conveniently forget about what happened when there's a bill up to repair and update it at the cost of a couple bucks a week in taxes)

      --
      Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
    5. Re:Power outage related to Microsoft by spectecjr · · Score: 4, Insightful

      If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, - or maybe minor power failures happen frequently and were just prevented from spreading?

      Take it from someone whose soon-to-be-parents-in-law are up to their necks in the power + safety industry ... no, they don't run Windows.

      Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment. Windows explicitly states that it's not for use in such an environment.

      Simon

      --
      Coming soon - pyrogyra
    6. Re:Power outage related to Microsoft by BigBir3d · · Score: 2, Informative

      Power grid in question is older than Microsoft is. I doubt it runs on Windows...

    7. Re:Power outage related to Microsoft by Cromac · · Score: 4, Funny
      I personally wish the US would update its power infrastructure, and I'd be willing to pay for it.

      Just send that personal check for several hundred billion dollars to:

      U.S. Department of Energy
      1000 Independence Ave., SW
      Washington, DC 20585

    8. Re:Power outage related to Microsoft by FreeUser · · Score: 4, Funny

      Take it from someone whose soon-to-be-parents-in-law are up to their necks in the power + safety industry ... no, they don't run Windows.

      Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment.

      Ah.

      SCO UNIX.

      No wonder.

      (*duck*)

      --
      The Future of Human Evolution: Autonomy
    9. Re:Power outage related to Microsoft by harley_frog · · Score: 4, Funny
      I personally wish the US would update its power infrastructure, and I'd be willing to pay for it. Retire old, inefficient nuclear plants and build new, more powerful, safer ones. Add in more redundancy into the network, more real-time failovers. They are modernizing it, don't get me wrong, but they aren't going at near the pace I'd like to see.

      Interestingly enough, Bush says that the nation's power grid needs to be updated, but doesn't know how or how much it will cost. Hmmm, I wonder if this means replacing the hamsters with ferrets?

      --
      It's all fun and games until someone loses the key to the handcuffs.
    10. Re:Power outage related to Microsoft by Cyclometh · · Score: 5, Insightful

      No need- end our little war in Iraq and we'll free up the funds needed. I read yesterday that the war in and occupation of Iraq will cost over $600 billion.

      Just close up the operation a little early and divert those funds.

      Nah, never happen. Preemptive wars and years-long occupations of nations that are of dubious (at best) threat to US interests are more important than making sure your lights stay on.

    11. Re:Power outage related to Microsoft by Wingnut64 · · Score: 5, Funny

      "Is there any way this 'DoS' can be stopped?"
      "Impossible, there are too many compromised machines. You'd need to turn off every computer on the East Coast..."

      --
      echo 'Header append X-HD-DVD "0x09f911029d74e35bd84156c5635688c0"' >> /etc/apache2/httpd.conf
  3. Loopback anyone? by Anonymous Coward · · Score: 2, Funny

    Microsoft should take a clue from User Friendly!
    We (a 30,000 student Midwest University) are currently thinking about making our DNS servers authoritative for windowsupdate.com and pointing the A record back to loopback.

  4. What did they do? by Tirel · · Score: 3, Funny

    Did they point windowsupdate.com to 127.0.0.1 ? I hope not, there was a mail on FD explaining that such an action would cause it to DOS the local network.. Also, wtf is up with the site running lunix?

    1. Re:What did they do? by lucifuge31337 · · Score: 4, Informative

      Did they point windowsupdate.com to 127.0.0.1 ? I hope not, there was a mail on FD explaining that such an action would cause it to DOS the local network.. Also, wtf is up with the site running lunix?

      No, they took the A record out completely. It's not Akamai-ized. That's the linux box you see.

      --
      Do not fold, spindle or mutilate.
    2. Re:What did they do? by Tirel · · Score: 5, Informative

      here it is:
      Date: Fri, 15 Aug 2003 08:33:57 +0200
      From: Carsten.Truckenbrodt@Bertelsmann.de
      Subject: Re: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
      To: full-disclosure@lists.netsys.com
      Cc: security@microsoft.com

      Hi,

      This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
      the following will happen: The worm uses spoofed IPs from the local /16
      subnet as source address. Pointing all the syn packets to 127.0.0.1 will
      generate a RST packet from the local host to the spoofed IPs and spread
      traffic over the complete internal network.
      Even blocking or routing the normally resolved IP to Null0 will be a lot
      work because this domain is loadbalanced through the world. That means you
      get a different resolution depending on your ISP or place in the world.

      If you manipulate your DNS, you should give no A-Record back to the worm.
      With this the worm will not start attacking anything. So setting up a
      nameserver zone with only a SOA record will do the job for Saturday 0:00.

      Best Regards,

      Carsten Truckenbrodt
      Arvato systems Taco Network SnotIing Security

      -----Original Message-----
      From: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
      Sent: Friday, 15 August 2003 00:15
      To: full-disclosure@lists.netsys.com
      Cc: security@microsoft.com
      Subject: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1

      Folks,

      How about MS standing up for the mess, and changing their own DNS to point
      all requests for windowsupdate.com and whatnot to 127.0.0.1 ?

      This will null the effect of the syn flood very effectively. Only proxies
      will be affected.

      As far as I see it, they will not be able to use these names productively
      for the foreseeable future anyways ...

      So they will have to issue an update for windows-updater through other
      channels (like their homepage for example) to point it to a different
      web-site .. that should not be all that much of a problem.

      If MS does NOT make this change to their DNS, I can see many routers who are
      trying to track connections toppling over in interesting ways.

      Because the local techs have no clue, it will
      take the affected companies ages to get back on the net.

      tobi
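
The mechanism Truckenbrodt describes above, as a small model: the worm forges source addresses inside the infected host's own /16, so whoever receives the SYN answers that forged address. If windowsupdate.com points at a real web server the SYN-ACKs come back from that server; if it points at 127.0.0.1 the infected host itself generates RSTs aimed at its own LAN; if the name returns no address at all the flood never starts. This is an added example, not code from the page, the mail, or the worm. The addresses are constructed documentation-range values, the uniform choice of a spoofed source within the /16 is my assumption (the mail only says "from the local /16"), and the reply behaviour follows the mail and gclef's post: SYN-ACK from a listening web server, RST from anything else. It tallies where the thread says the reply goes and does not reproduce the real Windows stack's handling of a loopback packet with a foreign source.

```python
"""Model of where reply traffic from Blaster's spoofed SYN flood lands,
depending on what windowsupdate.com resolves to.  Added illustration only."""
import ipaddress
import random
from collections import Counter

# Constructed example addresses (RFC 5737 documentation ranges), not from the page.
INFECTED_HOST = "192.0.2.77"   # a zombie; its /16 is 192.0.0.0/16
REAL_TARGET = "203.0.113.10"   # stand-in for the address windowsupdate.com really had
LOOPBACK = "127.0.0.1"         # the proposal from the original FD mail
NO_A_RECORD = None             # the fix from the reply: resolver returns no address


def spoofed_source(local_ip, rng):
    """Forge a source address somewhere inside the infected host's own /16.
    Assumption: any host address in that /16 is equally likely."""
    net = ipaddress.ip_network(f"{local_ip}/16", strict=False)
    return str(net.network_address + rng.randrange(1, net.num_addresses - 1))


def worm_syns(local_ip, resolved, count, seed=1):
    """(src, dst) pairs for the SYNs the worm emits toward port 80 of the
    resolved address.  With no address there is nothing to send."""
    if resolved is None:
        return []
    rng = random.Random(seed)
    return [(spoofed_source(local_ip, rng), resolved) for _ in range(count)]


def tcp_reply(syn, hosts_listening_on_80):
    """The host at dst answers the forged src: SYN-ACK if port 80 is open
    there, otherwise RST.  Returns (reply_from, reply_to, kind)."""
    src, dst = syn
    kind = "SYN-ACK" if dst in hosts_listening_on_80 else "RST"
    return dst, src, kind


def reply_tally(local_ip, resolved, count=500,
                hosts_listening_on_80=frozenset({REAL_TARGET})):
    """Count replies by (who generates them, whether they land in the zombie's
    own /16, kind).  'self' means the infected host itself is the sender,
    which is the loopback problem the FD reply warns about."""
    local_net = ipaddress.ip_network(f"{local_ip}/16", strict=False)
    tally = Counter()
    for syn in worm_syns(local_ip, resolved, count):
        reply_from, reply_to, kind = tcp_reply(syn, hosts_listening_on_80)
        origin = "self" if ipaddress.ip_address(reply_from).is_loopback else "remote"
        lands_in_own_16 = ipaddress.ip_address(reply_to) in local_net
        tally[(origin, lands_in_own_16, kind)] += 1
    return tally


if __name__ == "__main__":
    for label, answer in (("real address", REAL_TARGET),
                          ("127.0.0.1", LOOPBACK),
                          ("no A record", NO_A_RECORD)):
        print(f"{label:>12}: {dict(reply_tally(INFECTED_HOST, answer))}")
```

Run as a script it prints three tallies: with the real address every reply is a SYN-ACK from the remote target back into the zombie's /16; with 127.0.0.1 every reply is an RST the zombie generates itself toward its own neighbours; with no A record the tally is empty because the worm never gets a target. Only the last option stops the traffic at the source rather than relocating it, which is the point of the reply above.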

    3. Re:What did they do? by ceejayoz · · Score: 2, Funny

      Pity they don't know the virus writer's IP... heh...

    4. Re:What did they do? by golgotha007 · · Score: 5, Funny

      why would i want to help alleviate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!

    5. Re:What did they do? by xanadu-xtroot.com · · Score: 3, Funny

      Anyone thinking about putting a Win2K box on without MS03-026, and running a packet sniffer to grab IPs?

      Sure I was thinking about that. Let's use YOUR network for it...

      --
      I'm not a prophet or a stone-age man,
      I'm just a mortal with potential of a super man.
    6. Re:What did they do? by Fly+Ricky+-+The+Wine · · Score: 2, Funny

      I know, I use a mac and I'm about to turn on my copy of virtual PC just to join in on the fun! Rock and roll. Take that for buying Connectix you bastards.

      Fly Ricky, the wine taster

    7. Re:What did they do? by innate · · Score: 2, Interesting

      The Linux hit appears to come from an Akamai server, which is a distributed cache, under contract by Microsoft. You can bet the actual Windows Update servers are in fact running Windows.

      --
      No, I don't want to explore the Recycle Bin.
  5. I think the windows update button on the taskbar.. by Squeezer · · Score: 4, Insightful

    always took you to http://windowsupdate.microsoft.com so what's the big deal about cancelling windowsupdate.com? do you think anyone will notice, or care for that matter?

    --
    Does the name Pavlov ring a bell?
  6. Not just WU... by angst7 · · Score: 3, Interesting

    but Microsoft was seen on Linux today also http://uptime.netcraft.com/up/graph/?host=www.microsoft.com.

    Quoth Billy G: "Linux sucks, it's worthless, not usable for real . . . What? A worm? Aaaiiiieee! Tux Save Me!!!"

    ---
    Jedimom.com, that not-so-fresh feeling.

    --
    StrategyTalk.com, PC Game Forums
  7. A moving target is still a target by bigberk · · Score: 2, Insightful

    This is kind of interesting: Microsoft's insecure Windows platforms are the breeding ground of massively distributed worms, which are designed to attack Microsoft's own servers (karma?)

    While Microsoft thinks the "solution" is to move the target server, the real solution is to fix those gaping holes in their products.

    1. Re:A moving target is still a target by ebh · · Score: 5, Insightful
      Um, not to be a Microsoft apologist or anything, but at least in the case of MSBlast, they DID fix the problem.

      This is not like those stupid email trojans that are inexcusable because Microsoft intentionally opened the door (with scriptable email, etc.). This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

    2. Re:A moving target is still a target by crawling_chaos · · Score: 2, Interesting
      While Microsoft thinks the "solution" is to move the target server, the real solution is to fix those gaping holes in their products.

      I don't like MS either, but this is blatantly unfair. MS did fix the gaping hole -- last month. The problem is that their customers didn't implement the fix, so they are taking reasonable precautions to avoid damage. Beat them up for the things for which they deserve, but not this.

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
    3. Re:A moving target is still a target by RLW · · Score: 3, Funny

      M$FT doesn't have time to fix bugs. These problems are an annoyance and only after they have been taken to task time and time and time again - they have finally decided to do something about it. They have been rushing software out the door for so long that they don't know how to perform genuine quality control. M$FT is not a software company that makes money so much as it is a company that makes money by making software. Well, buying up others' software, slapping on some lipstick and then putting it out as their own.

      Bill Gates: "Leave us alone so we can innovate"
      User: "You keep using that word. I do not think it means what you think it means."

    4. Re:A moving target is still a target by blincoln · · Score: 4, Interesting

      This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

      Active Directory also provides a way to block this type of worm that *ix doesn't. There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network. Once they're all patched, the policy can be removed really easily.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    5. Re:A moving target is still a target by Nothinman · · Score: 3, Insightful

      Too bad the target audience of this worm doesn't have an AD to help them.

    6. Re:A moving target is still a target by RoLi · · Score: 2, Insightful
      Um, not to be a Microsoft apologist or anything, but at least in the case of MSBlast, they DID fix the problem.

      I think the original poster meant fixing it before shipping it.

      But as long as nobody complains about the wasted time downloading and patching the systems weekly, I guess Microsoft is fully correct when they use their customers as paying beta-testers.

    7. Re:A moving target is still a target by imnoteddy · · Score: 2, Insightful
      There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network.

      There was time to patch before the outbreak and there have been advisories for weeks that the worm was coming. This guy would have been smarter to apply the patches in the first place.

      --
      No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
    8. Re:A moving target is still a target by EnVisiCrypt · · Score: 2, Informative

      That is a bad idea. Not only does it not account for polymorphism in the name, but it is also not foolproof.

      For instance, block an image name, then set your Internet Explorer home page to that image. Bam. It executes with no problems. As long as a trusted program executes it, Windows will not complain. The group policy only prevents the user from running it directly.

      --


      *everything* is Orwellian to cats.
  8. Security by obscurity. by grub · · Score: 3, Insightful
    Change the update machines, new names, etc etc. MS is resorting to smoke and mirror tricks. It will only fool the current worms, not future ones that will have the new machine names in them.

    --
    Trolling is a art,
    1. Re: Security by obscurity. by BrynM · · Score: 2, Interesting

      How hard would it be for a worm to do a Google (or some other search engine) search for "microsoft windows update site:microsoft.com" and pick a target from the top results? I agree that MS is only forcing the worm writers to be smarter with their targets by shuffling things around. Eventually it will backfire. If they don't find a better solution, all of this "musical websites" shuffling could also make for some serious chaos as more people figure out how to write DoS worms and it becomes more of a common attack.

      --
      US Democracy:The best person for the job (among These pre-selected choices...)
  9. ...in related news... by Guano_Jim · · Score: 2, Funny

    ...all HTTP requests to WindowsUpdate.com will be directed to goatse.cx.

    Some speculate that this will considerably improve Microsoft's customer service.

  10. ran Linux? by Anonymous Coward · · Score: 2, Insightful

    netcraft goes by IP, so if the MS servers went down, someone else running Linux got the IP, then it could show up on Netcraft. it's happened to me, where my dns would point to some ip, but then I move apartments, and my net is down for a week, and during that week, netcraft says that my system was running Win2K... but I haven't had Windows in my home at all for about a year.

    but with MS, they probably were running Linux, and their IPs likely don't change like that. but you never know.

  11. NetCraft stats by xrayspx · · Score: 5, Informative

    Take NetCraft stats with a Big Grain of Salt (big grains of salt, heh). If a site is "Akamized", as this one was, or is otherwise distributed, you'll see the OS of the front end, not what the site actually runs. You'll note that NetCraft lists "linux" for the Akamai site.

    1. Re:NetCraft stats by terrymr · · Score: 3, Insightful

      Yes but isn't the point that Microsoft has chosen to protect its Windows server by putting it behind a load balancer running Linux?

    2. Re:NetCraft stats by scumdamn · · Score: 2, Interesting
      MS isn't an ISP, they're not in business to service websites.

      Uh, *cough*MSN*cough* maybe they ARE an ISP but they contract to a bunch of other companies for their bandwidth/infrastructure.

    3. Re:NetCraft stats by Compenguin · · Score: 2, Insightful

      but if linux couldn't be used for anything worthwhile, as they claim, why are they trusting their website to a serving system based off of it?

  12. Well, at least Microsoft by Rorgg · · Score: 2, Funny
    Has a license to use those Linux boxes!

    [rimshot]

    Thanks folks, I'll be here all week!

  13. In other news... by GillBates0 · · Score: 4, Funny
    Computing is more important than any other part of our work. If we don't do this, people simply won't be willing--or able--to take advantage of all the other great work we do.

    Breathing is more important to us than any other activity. If we don't breathe, we will die.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  14. Ahhh, the perfect security by Froze · · Score: 4, Funny

    1) Disconnect box from all external cords
    2) Encase box in several hundred cubic meters of concrete
    3) Surround concrete with meter thick lead lining
    4) Bury under radioactive waste in a geologically stable region
    5) Saturate the surface with nuclear land mines
    6) Curse Microsoft, because you still get hacked!

    --
    -- The morphemes of your disquisition are ascertainable, but they have eschewed an ambit of transpicuous exposition.
    1. Re:Ahhh, the perfect security by stwrtpj · · Score: 4, Funny
      1) Disconnect box from all external cords
      2) Encase box in several hundred cubic meters of concrete
      3) Surround concrete with meter thick lead lining
      4) Bury under radioactive waste in a geologically stable region
      5) Saturate the surface with nuclear land mines
      6) Curse Microsoft, because you still get hacked!

      7) Profit?

      --
      Karma: Frotzed (mostly due to the Frobozz Magic Karma Company)
  15. It sure is a hell of a lot faster by Hamster+Lover · · Score: 4, Informative

    Went to check for updates today, just for the hell of it and the speed was a huge improvement over the old URL.

  16. Re:I think the windows update botton on the taskba by h0tblack · · Score: 4, Insightful

    They're obviously worried that something is in the wild that is hard-coded to attack WindowsUpdate.com, else there would be no point in abandoning that domain and moving to another.

  17. Sensationalism? by blincoln · · Score: 2, Informative

    Where in any of those articles does it say that MS is taking down windowsupdate.com? It's always redirected me to windowsupdate.microsoft.com.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  18. windowsupdate.microsoft.com by anotherone · · Score: 5, Interesting

    Not a huge deal, since the official URL is windowsupdate.microsoft.com. The start menu, Tools in IE, and Windows Help all have that address. The worm author was kinda stupid, he should have pointed it to microsoft.com or windowsupdate.microsoft.com.

    --
    Username taken, please choose another one.
    1. Re:windowsupdate.microsoft.com by Polo · · Score: 3, Funny

      Not a huge deal, since the official URL is windowsupdate.microsoft.com. The start menu, Tools in IE, and Windows Help all have that address. The worm author was kinda stupid, he should have pointed it to microsoft.com or windowsupdate.microsoft.com.

      darn...

      cvs co msworm.asm
      click. tap. clack. click.
      cvs commit -m 'fix url'
      make;make install

      ok, done. Thanks!

  19. Man.... by frodo+from+middle+ea · · Score: 2, Funny

    That's gotta teach a lesson to those lousy worm writers. Changing domain name, who would have thunk, Microsoft would come up with such an ingenious solution.
    Take that you microsoft hackers, bet you are scratching your head now.

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
    1. Re:Man.... by Interesting+Username · · Score: 2, Funny

      They are getting smarter, this time the IP isn't hardcoded.

  20. Permanently Secured == Permanently Offline? by Matrix272 · · Score: 5, Insightful

    So "Permanently Secured" now basically means "Permanently Offline"? Why didn't they just let the worm eat the domain? What's the difference, really? Whether they pull the plug, or the worm does it for them, it still means windowsupdate.com won't work...

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
  21. Re:Security is #1.... again? by micromoog · · Score: 4, Funny
    Wasn't this the subject of a famous memo about a year and a half ago, when they were spending 10 months doing nothing but security?

    Oh, you mean this?

    Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority.

    It's the first line of the fucking story! For cryin' out loud, we know you're not going to read the fucking article, we don't really expect you to even read the whole story, but can't you at least fucking read the first line?!?!

  22. Here's the deal on Linux for windowsupdate.com by djh101010 · · Score: 5, Interesting

    They've given the windowsupdate.com site to Akamai to serve for them. Not a bad idea, actually, since Akamai has something like 15,000 webservers distributed around the world, to share the load.

    Of course, it's extremely amusing that they're paying to have their content served by a flock of 15,000 penguins. I'm a bit concerned for our own site this weekend, as we use Akamai for our static content. It'll be interesting to see how my page load times are affected (if they are).

    Akamai is a great resource for dealing with huge spikes in webserver load - I guess you could say this qualifies as that.

    1. Re:Here's the deal on Linux for windowsupdate.com by nobodyman · · Score: 2, Funny
      Of course, it's extremely amusing that they're paying to have their content served by a flock of 15,000 penguins.

      Man, that's gotta be embarrassing -- their ass is being saved by the OS they are trying to kill. Good thing they paid SCO for that Linux license.

  23. Saved? by PovRayMan · · Score: 4, Funny

    Last night I finally went to go upgrade from Windows Media Player 6.4 to 9.0 so I can test out those high definition WMP9 videos for once. I couldn't figure out why microsoft.com wasn't loading but now I find out it was because of a DOS attack.

    Now I'm thinking, was this intervention from a higher force to protect me from installing WMP9 or just odd luck?

  24. Re:I think the windows update botton on the taskba by druske · · Score: 4, Insightful
    "...whats the big deal about cancelling windowsupdate.com? do you think anyone will notice, or care for that matter?"
    The virus writers will care. I'd be surprised if a version with a New Improved attack address hadn't already been launched, probably ignoring the semaphore which normally kept the worm from reinstalling itself on an infected machine. If this happens, Microsoft's initial countermeasure won't be worth much for long. Still, it was a necessary and sensible first step.
  25. not quite by joe_bruin · · Score: 5, Informative

    OS: Linux
    Server: Microsoft-IIS/6.0
    Last changed: 15-Aug-2003
    IP address: 213.161.82.33
    Netblock Owner: Akamai

    they did not switch their servers to linux, they used akamai's caching services to handle their massive bandwidth requirements. notice the server is still iis. this is an akamai box (linux) serving a cached copy of microsoft.com (windows/iis)

    $ host www.microsoft.com
    www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
    www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
    a562.cd.akamai.net has address 63.236.1.163
    a562.cd.akamai.net has address 63.236.1.160
    a562.cd.akamai.net has address 63.236.1.153
    a562.cd.akamai.net has address 63.236.1.139
    a562.cd.akamai.net has address 63.236.1.168
    a562.cd.akamai.net has address 63.236.1.147
    a562.cd.akamai.net has address 63.236.1.138

    1. Re:not quite by javatips · · Score: 2, Interesting

      No, technically, they are using Linux to serve the page faster that their Windows box is able to.

    2. Re:not quite by angst7 · · Score: 2, Interesting

      Of course, you're right. But it's so much more fun to take the fact that microsoft.com was reported running Linux by Netcraft at face value. Besides, technically they are making use of Linux within the chain of information delivery, and doing so of their own volition. I still kinda think that's worth giggling about.

      --
      StrategyTalk.com, PC Game Forums
    3. Re:not quite by terrymr · · Score: 2, Interesting

      Yes but by doing so they're protecting their Windows box from attack by putting it behind a linux proxy. I doubt microsoft had a problem with bandwidth.

    4. Re:not quite by RoLi · · Score: 2, Funny
      What's your point?

      The sorry fact is that Microsoft's complete Internet infrastructure would immediately break down without Unix/Linux.

      Remember when microsoft was offline for half a week? They migrated their DNS-servers from Windows to Akamai(Linux)

      Now they migrated the whole load-balancing and caching system.

      The only thing left is their measly webserver-box, so it seems.

  26. Re:really... by Eric+Ass+Raymond · · Score: 4, Insightful
    What makes you think that Linux is secure software? Or FreeBSD for that matter. I'd argue that OpenBSD is more secure but so is Trusted Solaris. Given the same market share as Windows, Linux would be just as much targeted by the black hats and script kiddies alike as Windows is these days. This time you cannot even blame Microsoft for delaying the patch. It was all because of a fault in software and if you argue that the open source alternatives are immune to remote holes, you're deluding yourself.

    governments of the world should heavily fine ms each time a serious bug is found and/or exploited. and people should examine, and demand, better alternatives

    Would you be prepared to submit the open source community to this same program? Every time a governmental Linux server is cracked, Red Hat, SuSE or fundamentally the FSF will have to pay.

  27. Gotto think fast by Anonymous Coward · · Score: 3, Funny
    Shit, now I've gotta think of something clever/insulting to say about Microsoft....it's 2:30 in the afternoon....and my great mind isn't too active either, after a heavy lunch.

    /. editors should give us some advance warning before posting demeaning stuff about microsoft/RIAA/SCO, so I have enough time to think about rude stuff to write up, before 300+ posts are posted.

  28. I can't wait by GoatPigSheep · · Score: 2, Interesting

    To see how much microsoft sues the person who wrote that worm, or if it's someone from a third world country, they might just take a nod to the US government and post a 25 million dollar dead or alive bounty.

    Whoever it is is in A LOT of trouble now.

    --
    GoatPigSheep, the 3 most important food groups
  29. Re:Gates Memo repost - slowing... by otisaardvark · · Score: 5, Funny
    Today, in the developed world, we do not worry about electricity and water services being available.

    You have to give it to the guy; his timing is impeccable...

  30. www.microsoft.com not on Linux by jared_earle · · Score: 2, Interesting

    Just because Netcraft is reporting www.microsoft.com running on Linux, it's unlikely that they ported IIS to it. What you're seeing is a Linux proxy; the webserver itself is still an IIS6 box running on Win32 behind Akamai's Ghost proxy/cache.

    We all know that when Microsoft runs UNIX, they run FreeBSD.

    --
    -- Jared Earle | "There is no spork"
  31. So... by Flabby+Boohoo · · Score: 3, Interesting

    the Army, or any large organization with a large install base of MS boxes, does not use SUS?

    I started using it here about 6 months ago, it is the only way to go. I cannot imagine using Windows Update as an enterprise solution. One or two PCs at home sure, but SUS is free dammit.

    1. Re:So... by Darth_Burrito · · Score: 3, Informative

      Software Update Services. It is Microsoft's free solution for managing the installation of critical updates across a network. As I understand it, you are basically running your own mini Windows Update service to which your clients subscribe. You can download updates on the server and roll them out if and when you want to. I think it has reasonably good scheduling features. All the Windows Update clients need to be updated to a new version, but I think this has already been sent out in older service packs.

      Caveats:

      Requires Windows 2000/2003 Server (for the server)

      Only updates Windows 2000/XP/2003 (Professional or higher?)

      Until recently (SUS sp1), you could not install the SUS server on a domain controller.

      I think it only installs critical updates, not recommended updates, and not 3rd party software... so (tear, sniffle) no euro conversion tool.

      Other than that, I don't know a lot about it either... but I did very recently start a job where I desperately need to deploy something like this. There's a lot of questions I have like how do you ensure the clients actually update? Is there any reporting? Are the updates pushed or pulled? Does anyone have any SUS stories good or bad?

      More info

      Server Download Page

      Random dated article found on google.

  32. Re:Security is #1.... again? by druske · · Score: 2, Funny

    Funny, it looks to me like Microsoft's security is #2... ;)

  33. What took out Microsoft.com last night??? by TopShelf · · Score: 4, Funny

    At least we know where the DDOS attack didn't come from: New York, Detroit, Cleveland, Toronto, et al.

    --
    Stop by my site where I write about ERP systems & more
  34. How to get Good MS PR by linuxislandsucks · · Score: 2, Funny

    A question ..

    Assuming that all old windows systems are unsecure or badly written..

    Would it not make sense to take 75% of $45 billion and offer to replace hardware and update to WinXP or Longhorn for every MS customer worldwide?

    It would be the PR stunt of the century..

    --
    Don't Tread on OpenSource
  35. next work is going to use goofle by javatips · · Score: 4, Interesting

    I predict (maybe this post will help a little :-( ) that the next iteration of the worm (or another one) will google up "windows update" and will attack the 3-5 best results.

    Let's see what happens then... Microsoft is going to pressure Google to remove www.google.com from their DNS servers ;-)

    1. Re:next work is going to use goofle by FedeTXF · · Score: 2, Insightful

      Google runs FreeBSD... Say no more. :-)

  36. cool title by pyros · · Score: 4, Funny
    Marc Maiffret, chief hacking officer for security software maker eEye Digital Security

    That is the coolest job title. I'd have to negotiate a gold plated machete as a hiring bonus for a title like that. And anyone working for me would be officially titled a Hacking Minion!

  37. Ironic? by Bandman · · Score: 4, Funny

    Today, in the developed world, we do not worry about electricity and water services being available.

    Maybe he didn't get the memo?

  38. About That Bill Gates Memo... by tds67 · · Score: 3, Insightful
    Quote the Gates:

    So now, when we face a choice between adding features and resolving security issues, we need to choose security.

    Apparently he changed his mind.

    Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.

    After it's too late, that is.

    A good example of this is the changes we made in Outlook to avoid email borne viruses.

    I must've been absent when that came true.

    If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first.

    Since when are bugs called "features"?

    If there is any way we can better protect important data and minimize downtime, we should focus on this.

    Lip + service = $$$

  39. Re:really... by conan_albrecht · · Score: 4, Informative

    Unix is more secure for (at least) two reasons:

    1. Users don't run Unix as root. Viruses have a very hard time attacking programs they have no write permissions on.

    2. Unix has a much longer history than Windows NT+. It's had more time for the holes and buffer problems and other stuff to be fixed. Linux essentially "lengthens" its short history because it has so many eyes looking at it.

    3. The killer Unix programs (Apache, SSH, PostgreSQL, etc.) don't run as root either. So even if they get exploited, worms can't do much with their rights anyway.

    Unix is just built better. It has a longer history. I'll cede that perhaps with a larger user base (pretend Unix has 90% market share) it would be a bigger target, but it is *not* as susceptible as Windows is. Not by a large margin.

  40. Most Coveted Job Title Ever by seanmeister · · Score: 2, Insightful

    Marc Maiffret, chief hacking officer for security software maker eEye Digital Security, said the amount of data sent from each infected computer would be small....

    Man, how would you like to put THAT on your resume? :-)

  41. Re:Security is #1.... again? by SillySlashdotName · · Score: 2, Funny

    I don't know, PISS POOR seems to describe it pretty well - and that would be #1 - unless you were going for shitty, which it is and is, therefore, indeed #2. :->

    --
    Acts of massive stupidity are almost never covered by warranty. --me.
  42. Today, in the developed world by elinenbe · · Score: 3, Funny

    From the memo:

    "Today, in the developed world, we do not worry about electricity and water services being available"

    Well, at least some people don't have to worry about electricity...

    --
    -eric
  43. Re:not quite - this is what I get. by packethead · · Score: 2, Informative

    host www.microsoft.com
    www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
    www.microsoft.com.edgesuite.net is an alias for a562.cd.akamai.net.
    a562.cd.akamai.net has address 206.112.112.69
    a562.cd.akamai.net has address 206.112.112.71
    a562.cd.akamai.net has address 206.112.112.63
    a562.cd.akamai.net has address 206.112.112.64

    --
    .sig
  44. September's Memo by msblaster.exe · · Score: 2, Funny

    From: Bill Gates
    To: Microsoft staff
    Last month I sent out a memo. Well here is another one. It has come to my attention that people on the website www.slashdot.org make fun of me and how I run my business.
    On another note there is another Windows Update available at the url www.windowsupdate2.com please download this due to the fact there were major holes in the last update.

    -Bill

  45. Sidechannel attacks by babbage · · Score: 5, Insightful
    Of course, this leaves them open to alternative attacks.

    For example, if someone hijacks or otherwise poisons some DNS servers, then all the traffic to windowsupdate.com will make it through to windowsupdate.microsoft.com anyway.

    Or, a future worm could be written to target & attack a variety of Microsoft servers.

    Or a future worm could be written in such a way that the target is not part of the worm's code, but rather can be directed remotely somehow. This way, even if Microsoft tries to switch addresses, the person[s] directing the attack can just change the target.

    The real solution isn't to keep trying to dodge the bullet.
    The solution is to become bulletproof.

    Even after all this time, Microsoft still doesn't seem to get that.

    Part of the reason Microsoft is such a prominent target is of course because it is so, well, prominent. Taking down (say) an FSF server doesn't raise nearly as many headlines (as this week's headlines will attest to). But I don't think that all of the problem here can be traced to how widespread Windows is -- while the Internet's clients are nearly all running Windows, a large fraction of the server architecture is running some Unix variant, and while there is of course some malware that targets *nix (Linux, Solaris, MacOSX, BSD, etc), the results never seem to be as catastrophic as the typical Windows outbreak.

    To rip off Bruce Schneier's analogy from his security article in Atlantic Monthly a year ago, it seems to me that what security mechanisms Windows has tend to be brittle, while those that the *nix etc world have tend to be pliable. That is to say, when a problem comes up with (say) Apache, the damage tends to be isolated. This is partly because each installation will be configured differently, with different features enabled or disabled, and partly because the server runs on a variety of systems, each of which may have different mechanisms for providing underlying security protections. On the other hand, IIS installations tend to be pretty homogeneous, and a flaw with one very well could be a flaw with all.

    That's not to say that IIS couldn't be just as secure as Apache, if not much more so. But part of Apache (etc)'s strength is its heterogeneous nature -- people are able to tinker, adapt, mix & match components to suit their needs, and in the process this will also tend to protect them from catastrophic failure. Microsoft has actively resisted this kind of diversity -- witness their howls about having to come up with "thousands of versions of Windows" if some of the firmer antitrust penalties were put into force. Those thousands of permutations are, arguably, exactly what is needed: this will give their users greater choice, and it will make emergencies like this more rare.

    I don't get why they're so opposed to the idea.

    Maybe they've got cleverer plans than anything I can think of. I certainly wouldn't claim to be any kind of security expert. But if the best they can come up with is a change of address card, I can't help but wonder if they're fumbling in the dark here...

    1. Re:Sidechannel attacks by babbage · · Score: 4, Insightful

      I actually don't want to get into whether or not having source code access improves security. A lot of people firmly believe that openness lends to security (and I happen to agree with them, in general), but some of the arguments against source availability are pretty persuasive too. Let's not get into that right now.

      You write...

      Apache (the core) isn't resistant to attack because it can be compiled and run just about anywhere. It's resistant because the developers assume that it *will* be attacked and they take that very seriously -- beyond adding features.

      Well put. After re-reading my post again, I think you've done a better job of putting your thumb on Schneier's argument about the pliability of systems that have well designed security. The point, which I guess I didn't really explain well enough, is that a well designed system sags instead of buckles; it softens instead of shatters. Apache tends to sag & soften; IIS tends to buckle & shatter.

      No system can ever be completely resistant to catastrophic failure. I think that Godel's incompleteness theorem and Turing's halting problem are, in a way, proofs of this assertion: no matter how well any system is designed, there are always cases that fall out of the design scope, and will cause Interesting Failures.

      This can be a depressing insight. You will never have a perfectly safe system. Ever.

      You can respond to that in a couple of ways. One is to say "fuck it, we can't win, so why try"? Another way is to say "we can't anticipate what will happen, but we can try to compartmentalize the damage from certain problem classes." You could say that Microsoft has been moving to the second point of view here, but it's taking them an agonizingly long time to get there, while Apache/Linux/etc have long been designed from this point of view.

      Interestingly, and to go back to Schneier's excellent article again, this sort of thinking also comes up in real world security considerations. Some of our systems are brittle (the airlines), and single failures can have catastrophic results. Other systems tend to be plastic (the power grid), and catastrophic failures are rare -- because single failures are common, expected, and planned for.

      This is why I find all the bleating on by the newscasters & politicians that "the power outage was not the result of terrorism." Well of course it wasn't, this isn't the sort of attack that a small malicious party can pull off. Power stations go out all the time, but normally nobody ever notices. Indeed, it is very, very hard to deliberately bring down a power system: NATO spent a month bombing the power grid & computer networks in Yugoslavia, but they never managed to do much more than bring a city like Belgrade down for a few hours before power was restored.

      If you want to bring down a whole grid, the best way to do it is by plain dumb luck (or an overwhelming lack of luck, depending on your point of view :-). It was a random fluke that caused yesterday's outage, just as it was random flukes that brought down the grid in the last two major outages, in 1977 & 1965. (On the bright side, that suggests that the mean time between power grid failures may be stretching out... :-). (Incidentally, the Presidential Report on the 1965 outage makes for fascinating -- and newly relevant -- reading material).

      (To get even further off track, this kind of thing is also why Bayesian spam filters are such a good idea: at the micro level, each filter tends to do a fairly good job of being able to classify each user's patterns. But at a macro level, everyone ends up with a unique profile, and spam crafted to circumvent one user's Bay

  46. Scary Vulnerability by rgmoore · · Score: 5, Insightful

    This strikes me as being a really bad thing:

    Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

    "We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

    They're missing a really big flaw, here, which is that this is horribly vulnerable to malicious behavior. There are already plenty of viruses and worms out there that make registry entries for one purpose or another. It seems to me that if you were exploiting a vulnerability for which a patch already existed it would be very easy to automatically modify the registry to make it appear that the patch had already been applied. This would make tracking which systems were vulnerable much, much more difficult. This would work particularly well if you were trying to make a stealth worm.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

    1. Re:Scary Vulnerability by kylef · · Score: 2, Informative
      There are restrictions on changing the registry- random users aren't allowed to change other users' preferences, for instance- but if a worm can get system privileges then it can alter anything it wants.

      Exactly! But what more can you do? I mean, if I get root access to a Red Hat box, I could corrupt the RPM database just as easily as a Windows virus could corrupt the registry. It's just a programmer's API, any way you look at it. If you have the intention and the permissions, you can screw up any OS.

      The registry is protected with ACLs just as well as your average access-controlled filesystem (NTFS), so complaining about it being "easy to modify" is irrelevant. Files are easy to modify too, if you have the right permissions. But you EXPECT the permissions to block stupid programs from messing with your files.

      Now I'm assuming someone is going to say, "But Windows users run as Administrator!" Well, if that's the case, then running a trojan horse or spyware app is their own damn fault. Running as Administrator all the time basically makes your NT system as secure as Windows 9x was.

    2. Re:Scary Vulnerability by rgmoore · · Score: 2, Interesting
      But what more can you do?

      What you can do is to look in detail at the actual files that the update was supposed to contain. If the correctly named files with the correct MD5 hashes are in the right places, you know that the update has been installed correctly. Fortunately, RPM is actually able to check things like MD5 hashes to confirm that the files that were supposedly installed actually have been installed, and that makes the kind of corruption that would hide the truth much more difficult to carry out.

      I'll admit that in this case Microsoft is doing a good thing by releasing a more detailed scanner that will actually check to ensure that the appropriate patches have really been installed, rather than just taking the registry's word for it. But doing so is not a built-in part of the system the way it is for RPM.

      It's also important to note that this is an advantage of Linux distributions not being a mono-culture. Corrupting the RPM database won't help you if the system that you've invaded is a non-RPM using system like Debian, Slackware, or Gentoo, each of which uses a different packaging system. It's not even clear how much it would help if you were invading a SuSE or Mandrake system instead of a Red Hat one, since the expected names of the packages would be different, too.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.
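      The file-level check rgmoore describes above, written out as an added example (not code from this thread, from Microsoft or from RPM): it hashes the files a patch is supposed to ship and compares that against a registry-style "installed" marker, so a patch whose marker exists but whose files are missing or still pre-patch is reported instead of trusted. Patch ids, file paths and file contents are constructed placeholders.

```python
"""Cross-check "patch installed" markers against the files actually on disk.

Added example, not from the thread, Microsoft or RPM. Patch ids, paths and
contents below are constructed placeholders; SHA-256 stands in for the MD5
the post mentions.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional, Tuple

# Manifest: patch id -> {relative file path: expected SHA-256 hex digest}.
Manifest = Dict[str, Dict[str, str]]
# Registry-style record: patch id -> whether the installer left its marker.
Registry = Dict[str, bool]


def sha256_of(path: str) -> Optional[str]:
    """Hash a file in chunks; return None if it does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_patch_files(files: Dict[str, str], root: str) -> str:
    """'ok' if every file is present with the expected digest,
    'missing' if any file is absent, 'mismatch' if any digest differs."""
    status = "ok"
    for rel, expected in files.items():
        actual = sha256_of(os.path.join(root, rel))
        if actual is None:
            return "missing"
        if actual != expected:
            status = "mismatch"
    return status


def audit(registry: Registry, manifest: Manifest, root: str) -> Dict[str, str]:
    """Return patch id -> one of:
      'verified'      marker present and the shipped files match
      'marker_only'   marker present but files missing or pre-patch
                      (the case the thread worries about)
      'files_only'    files match but no marker was written
      'not_installed' neither marker nor files
    """
    result: Dict[str, str] = {}
    for patch_id, files in manifest.items():
        marker = registry.get(patch_id, False)
        files_ok = check_patch_files(files, root) == "ok"
        if marker and files_ok:
            result[patch_id] = "verified"
        elif marker:
            result[patch_id] = "marker_only"
        elif files_ok:
            result[patch_id] = "files_only"
        else:
            result[patch_id] = "not_installed"
    return result


def build_demo(root: str) -> Tuple[Registry, Manifest]:
    """Lay out four constructed patches covering each audit outcome."""
    def write(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    patched = b"placeholder: patched library\n"
    unpatched = b"placeholder: pre-patch library\n"
    expected = hashlib.sha256(patched).hexdigest()
    write("a/lib.dll", patched)    # PATCH-A: clean install
    # PATCH-B: b/lib.dll deliberately never written (incomplete install)
    write("c/lib.dll", unpatched)  # PATCH-C: marker set, old file still in place
    write("d/lib.dll", patched)    # PATCH-D: file updated, marker never written
    manifest: Manifest = {
        "PATCH-A": {"a/lib.dll": expected},
        "PATCH-B": {"b/lib.dll": expected},
        "PATCH-C": {"c/lib.dll": expected},
        "PATCH-D": {"d/lib.dll": expected},
    }
    registry: Registry = {"PATCH-A": True, "PATCH-B": True, "PATCH-C": True}
    return registry, manifest


def run_demo() -> Dict[str, str]:
    """Build the constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        registry, manifest = build_demo(root)
        return audit(registry, manifest, root)


if __name__ == "__main__":
    for patch_id, status in run_demo().items():
        print(f"{patch_id}: {status}")
```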

    3. Re:Scary Vulnerability by pavera · · Score: 2, Insightful

      Sure, running as admin makes the NT box as insecure as 9x, but that's the point, by default ALL USERS ADDED TO WINXP are admin, all of them, and how many grandmas are going to go in and change their account type? How many parents? How many teenagers?? Not many, the only ones who do are the ones who are gonna have the patches installed anyway. The permissions issue in Windows is MS's fault for having entirely too wide open defaults.

  47. Re:really... by JWW · · Score: 3, Interesting

    The solution is easy, limit the fine to a maximum of the full amount paid for the software. ;-)

    And really that is the case, many billions of dollars were paid to Microsoft for defective software. When auto makers have a recall, they are required to fix the problem for you. With software you have to do it yourself, and if you don't it's your fault. Then again if you do install the patch yourself and your machine breaks, it's still your fault!

    Basically, expect to see no real improvement in Microsoft's software until someone has the guts to sue them or the government gets involved (ala auto recalls). Otherwise there is absolutely zero incentive for them to work any harder than they have to to sell you software.

  48. Re:I think the windows update botton on the taskba by Pharmboy · · Score: 5, Informative

    I installed and ran the Microsoft BSA utility that scans your computer for updates (windowsupdate looks in registry only) per the link above. It found 4 problems that WindowsUpdate can't find, so I followed the links, to read about them.

    Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you can't get to the files to manually install them. Fucking ridiculous.

    --
    Tequila: It's not just for breakfast anymore!
  49. Re:I think the windows update botton on the taskba by spectral · · Score: 2, Interesting

    Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). you'd think they'd at least fix that if they were fuckin with the dns..

  50. DOS or real traffic? by nolife · · Score: 4, Interesting

    I wonder if this "DOS" they claim to be suffering is really too many users actually trying to get updates for once. After all, the code in this virus is not set to DOS MS until the 16th so they can not blame it on that. I doubt they would ever admit to not being able to handle the load. I use MS update at least a few times a day and have been for the last year on various client machines. Sometimes I need 10's of updates from a fresh install, sometimes just a few driver updates or the recently released. I don't have any specific stats but I have noticed a definite slowing of the update site when the blaster worm was announced and it is getting slower as the days go on, today it took over 5 minutes to get a sound card update that for the previous year, only took 10 seconds. Another time today it took about 60 seconds. DOS causing this? Maybe, but I would guess they are having a hard time providing the update service for everyone and do not want to admit it. I bet hundreds of thousands of people are running the update service for the first time ever and they need a lot of updates. This move of names and connectivity is probably a hidden attempt to get the stuff hosted somewhere else or split up the load more than what they are currently doing and make it appear it is for security reasons. Reading between the lines here but the amount of work involved with a name change of this nature is massive compared to the relative ease with which a virus writer can simply point to the new site. Does MS honestly think a name change will stop a DOS? I doubt it, but it fits into their FUD campaign of increased security and that they are under attack.

    --
    Bad boys rape our young girls but Violet gives willingly.
  51. Re:really... by alcmena · · Score: 3, Informative

    I could be wrong, but I'm pretty sure that PostgreSQL complains very loudly when run as root, and instead prefers to be run in a separate account named "postgres". Likewise, my Apache was by default set to run in an account named "httpd". As for sshd, I dunno, you may well be right about that one.

    This is on RH 7.1, so it may have changed.

  52. Who cares by bogie · · Score: 2, Interesting

    More importantly, when will MS abide by their settlement and allow alternative browsers to be used with WindowsUpdate? (In my eyes that should be implied.)

    Doesn't seem right that they are allowed to throw up a button for "Program Access and Defaults" while at the same time making sure you actually can't live without the products you're trying not to use.

    btw, waiting and hoping that automatic updates work is NOT an alternative. Except for those who never use non-critical updates (i.e. WMovMaker, WMP9 etc) or love being alpha testers for a company known to CONSTANTLY screw up their patches.

    --
    If you wanna get rich, you know that payback is a bitch
  53. Re:really... by Nogami_Saeko · · Score: 2, Insightful

    The obvious thing you are missing at this point is that most people who have unix installed know what they're doing. Even with all its recent GUI advances, unix is still a pain to set up and configure.

    Disagree? Give a brand new machine to your parents, or grandparents and get them to install unix. See what happens, and if you have any hair left after walking them through.

    Now, granted, a good unix installation can be very secure indeed. So can a good windows installation. I know how to configure my webserver (running on apache under windows), and it's never been hacked, and never will. I keep on top of security issues, watch bugtraq, regularly check for updates and patches, etc.

    The problem is regular users - just wait until "joe average" who wants to surf the web, look at Pr0n, and read his email installs unix. Maybe he'll be running as root "because it's easier". I'm sure lots of security problems will spring up.

    At the moment, I'd argue Unix has the old "security through obscurity" to some extent. As soon as everyone has a Unix/Linux desktop, the exploits will come out in full-force.

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  54. Re:I think the windows update botton on the taskba by Pharmboy · · Score: 2, Insightful

    Adding more salt to the wound I guess. I have also noticed that if their servers are not properly operating, they will say there are no updates available, even when there are. I have confirmed this twice when I KNEW there was an update that was not installed on the laptop (sometimes I go two weeks without using it).

    That is a pretty shitty way to handle a down server, by convincing your customers they are safe when they are not.

    --
    Tequila: It's not just for breakfast anymore!
  55. Re:Not really... by terrymr · · Score: 5, Insightful

    I think given Microsoft's position on Linux that they should / would have researched the market to see if the service could be provided by a windows shop before signing a deal with akamai. It looks bad ... almost like saying windows isn't up to the task.

  56. Microsoft's "Security" Record sucks but... by Eric+Damron · · Score: 4, Insightful

    the Linux community needs to concentrate on not becoming the next big security joke. Okay, it's fun to laugh at Microsoft's pathetic record.... Just a second... Muhahahahahah. I feel better now. But as Linux becomes more and more popular blackhats will put more and more attention into breaking our OS.

    We need to all make good design and operational decisions. Bad decisions like the one made by Lindows to run as root by default can lead to Linux having as bad a reputation as Microsoft.

    The Linux community is positioned to demonstrate to the world that Linux, not Windows, should be used anywhere that security is an issue. Let's not blow it.

    --
    The race isn't always to the swift... but that's the way to bet!
    1. Re:Microsoft's "Security" Record sucks but... by MicroBerto · · Score: 4, Insightful
      Many people are probably thinking about the kernel, but those guys are doing a relatively good job.

      What we really can't overlook are the popular distributions. They can't be putting in ridiculous defaults at startup. They shouldn't use too much beta software that's going to be running a lot. They need to keep pushing updates, and make it easy. And for the most part, I think we're doing pretty well. Learn from Microsoft's mistakes while you laugh at them.

      --
      Berto
  57. Package Management by plankers · · Score: 3, Interesting

    Two thoughts here. First, package management.

    Operating system version control has been a problem for Microsoft Windows for a long time. Especially with runtime software bundled with third-party applications (think DirectX), you need a clear way to identify what is installed on a machine, upgrade it while tracking dependencies, and easily remove it. InstallShield does this sort of thing -- why isn't it built into the operating system?

    Furthermore, most package managers provide a facility to verify the files that are running on the machine. While it isn't as conclusive as something like Tripwire, a simple "rpm --verify --all" will give you some insight into whether a system file has been replaced.

    Package management on AIX (and probably other UN*Xes, but I haven't used them) gives you the ability to roll back out of a patch that went wrong, too. While that is possible to some extent in Windows, a package management solution could make that very easy.

    And while we're at it, why isn't there a framework built into Windows to centralize patching of ALL products, not just Microsoft ones? Certainly the "Microsoft Update" that they are proposing is a good step, but why not build something that can check other vendors' web sites for patches? Couldn't such a framework be built so that when an application is installed it registers with the OS, and tells the OS where to look for updates for that specific product? Then when you run this "update console" or whatever, your local machine goes out to Microsoft, Symantec, Adobe, whoever, and checks to see if there are updates for EVERYTHING that is installed?

    The system could also be similar to Red Hat's update mirrors/satellite up2date server, where a corporate customer could set up a central update server, tell it where to get updates for all the products in use in their company, and then that server mirrors it. Then updating the client workstations (and servers) is something that happens in-house. Maybe it could even be smart enough to tell if a client machine hasn't been updated yet, and then when that machine is powered on it could update itself and reboot if necessary, all before the user is able to log in.

    These two things together could really put a dent in management for Windows machines. Sorry if this is sort of a ramble, I've been thinking about it for a while and it all just spilled out.

  58. Re:really... by pyros · · Score: 2, Insightful

    Saying that users don't run as administrator on windows is a fallacy. At every office I've ever worked in the first thing the IT department does when setting up a new user's machine is add them to the administrator group. On top of that, the services run as privileged users by default. It's possible to run windows without admin rights, but very rarely happens in practice. It's possible to run services as unprivileged users, but again it's rare in practice. You also don't need to be administrator to open privileged ports on Windows like you do on *nix. Unix and Linux have the advantage that users and services run unprivileged by default.

  59. Two thoughts by LittleGuy · · Score: 2, Insightful

    1) M$ (and the media) hyped this security patch to the hilt, IMHO, because WU was the target. Other worm exploits that have been cited in the news can be prevented by patches that came out a year or two ago. It would be nice to have the other 30 or so patches released this year equally hyped.

    2) Re: WU says you're patched but you're not... I'm sorry, but nothing impresses me more than Shavlik's HFNetChkLT for Win2K, NT, and XP. Scan with this and then download the patch from the M$ Security Bulletins through Technet and install manually.

    --
    Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
  60. It's still M$'s fault! by Thud457 · · Score: 3, Insightful
    "I don't like MS either, but this is blatantly unfair. MS did fix the gaping hole -- last month. The problem is that their customers didn't implement the fix, so they are taking reasonable precautions to avoid damage. Beat them up for the things for which they deserve, but not this."

    Because they've engendered a "computing" culture where users are either: 1) ignorant about the need for patching, or 2) have been burned by fucked up M$ patches in the past and hence don't keep up to date.

    "Fool me once, shame on you
    Fool me twice ...
    ...
    won't get fooled again
    "

    This country is overrun with idiots. I hope you reap the consequences of your actions. I spit on you all!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  61. Re:Security is #1.... again? by PhxBlue · · Score: 3, Funny

    You're new here, aren't you?

    --
    !#@%*)anks for hanging up the phone, dear.
  62. Re:I think the windows update botton on the taskba by Pharmboy · · Score: 3, Informative

    Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). You'd think they'd at least fix that if they were fuckin with the DNS..

    You may not know this, but when you change an entry in DNS, it is not available to everyone for a while. This is due to caching (all ISP DNS servers are caching servers, of course). For instance, the AOL servers may have gotten the IP for the domain at 8am, and if it doesn't expire for 24 hours, their server will assume it is still at the same IP, so when an AOLer tries to go there (using AOL's DNS server) it will simply give that IP address, even though it has changed. It won't go back to the SOA and check the serial number of the DNS entry to see if it is still valid until after it expires and someone requests it. So, it depends on the expiry of the DNS record before the change. My experience is that it takes 1 to 2 days for all the changes to fully propagate, and sometimes longer on some DNS servers if they override expiry.

    --
    Tequila: It's not just for breakfast anymore!
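    Pharmboy's caching explanation as a small simulation (an example added here, not code from the post or from Microsoft): two constructed ISP resolvers cache a record at 8am with a 24-hour TTL, the authority is repointed two hours later, and the resolver that honours the TTL sees the new address a day later while the one that overrides expiry stays stale for three days. Hostname, addresses and times are all made up for the illustration.

```python
"""Caching-resolver simulation: a DNS change made at the authority is only seen
by a client once its ISP resolver's cached copy of the record has expired.

Added example for this thread, not code from the original post.  The resolver
model, the IP addresses and the timestamps are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class Authority:
    """The zone master (SOA) for one name: current address, record TTL, serial."""
    address: str
    ttl: int
    serial: int = 1

    def change(self, new_address: str) -> None:
        # Editing the zone bumps the SOA serial, but nothing tells remote caches;
        # they only notice when their own copy expires and they ask again.
        self.address = new_address
        self.serial += 1


@dataclass
class CachingResolver:
    """An ISP-style recursive resolver holding one cached A record.

    min_ttl models the servers the post mentions that override expiry and keep
    a record longer than the authority's TTL asked for (0 = honour the TTL)."""
    authority: Authority
    min_ttl: int = 0
    cached: Optional[Tuple[str, int]] = None  # (address, absolute expiry time)

    def resolve(self, now: int) -> Tuple[str, str]:
        """Answer from cache while the entry is unexpired, else refetch."""
        if self.cached is not None and now < self.cached[1]:
            return self.cached[0], "cache hit"
        ttl = max(self.authority.ttl, self.min_ttl)
        self.cached = (self.authority.address, now + ttl)
        return self.authority.address, "refetched from authority"


def worst_case_staleness(authority_ttl: int, resolver_min_ttls: List[int]) -> int:
    """Longest time a client may still be sent to the old address after a change.

    A resolver that cached the record just before the change keeps it for the
    full TTL (or its own override), which is why a TTL is lowered well ahead of
    a planned move rather than at the moment of the move."""
    return max([authority_ttl] + resolver_min_ttls)


def windowsupdate_scenario() -> List[Tuple[str, str, str]]:
    """Replay the situation described above with constructed times and IPs.

    t=0 is 08:00 on day 1, when two ISP resolvers first cache the record."""
    OLD, NEW = "192.0.2.10", "192.0.2.20"        # constructed, RFC 5737 test range
    authority = Authority(address=OLD, ttl=DAY)   # record published with a 24h TTL
    isp_a = CachingResolver(authority)                    # honours the TTL
    isp_b = CachingResolver(authority, min_ttl=3 * DAY)   # overrides expiry to 3 days

    log: List[Tuple[str, str, str]] = []

    def query(label: str, resolver: CachingResolver, now: int) -> None:
        addr, how = resolver.resolve(now)
        log.append((label, addr, how))

    query("08:00 day1 ISP-A", isp_a, 0)
    query("08:00 day1 ISP-B", isp_b, 0)
    authority.change(NEW)                         # 10:00 day1: name repointed
    query("15:00 day1 ISP-A", isp_a, 7 * HOUR)    # stale: cached until 08:00 day2
    query("15:00 day1 ISP-B", isp_b, 7 * HOUR)    # stale
    query("08:00 day2 ISP-A", isp_a, DAY)         # TTL expired, new address fetched
    query("08:00 day2 ISP-B", isp_b, DAY)         # override still in force, stale
    query("08:00 day4 ISP-B", isp_b, 3 * DAY)     # finally refreshed
    return log


if __name__ == "__main__":
    for label, addr, how in windowsupdate_scenario():
        print(f"{label:18} -> {addr:12} ({how})")
    print("worst case staleness:", worst_case_staleness(DAY, [3 * DAY]) // DAY, "days")
```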
  63. Re:I think the windows update botton on the taskba by Fishstick · · Score: 2, Informative

    The button on the taskbar is targeted to

    %SystemRoot%\system32\wupdmgr.exe

    which sends me to http://v4.windowsupdate.microsoft.com/en/default.asp

    which appears to work just fine. Didn't try it from the IE tools menu, though.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  64. Re:I think the windows update botton on the taskba by Pharmboy · · Score: 3, Insightful

    Microsoft is about to get into the AV business yet again. Keep in mind, MS does NOT consider those companies friends, rather they are competitors, so I can see MS letting them look bad with old links. That is not new for them.

    --
    Tequila: It's not just for breakfast anymore!
  65. Re:really... by pmz · · Score: 2, Insightful

    Unix is more secure for (at least) two reasons:

    I'd like to add:

    - UNIX is simple (yes, UNIX is simple).
    - UNIX is transparent (post-kernel bootstrapping is via shell scripts for god's sake--it don't get better than that).
    - UNIX is documented, bugs and all (thirty years of history plus POSIX ain't too shabby).
    - UNIX is modular (I can guarantee not everyone runs the same mail server, DNS server, or even window manager).
    - As a result, fixing UNIX is easy (all the system administrator has to do is admit "Oops, I was a real dumbass there" and either fix it or replace it (again, UNIX is modular, transparent, and documented)).

    A cracker could attack certain subsets of the UNIX realm, but diversity is on the side of the users, in this case. It isn't like 95% of UNIX users happened to leave RPC open to the Internet, or something like that.

  66. windows worm OLE exploits might have broke power. by Giant+Robot · · Score: 2, Interesting

    Apparently the US National power grid uses "OPC"

    OPC stands for "OLE for Process Control"... (if you did some COM/DCOM Windows programming you will be familiar with this).

    It's the same technology targeted by the W32.Blaster worm that is crawling around the web.

    It won't surprise me if some of those computers responsible for failover/grid isolation actually hung themselves on the worm.

    In case you don't know what the worm does: not much, but as a side effect (because of sloppy coding) it causes the machine to restart very frequently (it also attempts to attack microsoft.com in a DoS attack; I guess that's why Microsoft shut down windowsupdate).

    What do you think?

  67. Re:I think the windows update botton on the taskba by Pharmboy · · Score: 4, Interesting

    they obviously don't trust their own users to keep their systems patched and/or behind firewalls

    I'm an XP user (among other os's) and I don't trust the average Windows user either. Not ragging, just a fact. My mom is one of them.

    My brother and I were joking around because mom asked him what she should do about "that new virus" (blaster). She asked him if unplugging the computer was enough, or if she needed to do more. I told him he should have told her to put the box in the refrigerator because everyone knows that viruses and germs won't grow when they are kept that cold. Yea, I know, slightly cruel, but I'm telling ya, she just MIGHT have done it if we could have kept from laughing.

    So it's not an insult to Windows users, it's just a fact: Most are interested in doing stuff with their computers and expect them to be like a toaster, just plug it in and never think about it again.

    Ironically, I bought my 67 year old mom the computer last Christmas, she uses it every day, and she WAS smart enough to ask someone about it, more than I can say about a few /.ers , hehehe.

    --
    Tequila: It's not just for breakfast anymore!
  68. Microsoft != reliable by Thud457 · · Score: 5, Funny
    "Actually, there are rumors that safety systems that would have prevented such widespread failure were running on Windows and were down because of blaster. "

    If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, or maybe minor power failures happen frequently and were just prevented from spreading?

    Who the fuck runs mission-critical systems on Windows?!! HOMER SIMPSON?!!!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:Microsoft != reliable by pyros · · Score: 4, Funny
      yes ... yes ... yes ... .. y ... <hmmmm> y ...

      <stupid filler to avoid the fscking retarded lameness filter>

    2. Re:Microsoft != reliable by pyros · · Score: 4, Funny

      redundant!? Guess I should have quoted the bit I was responding to (who runs windows on ...? HOMER SIMPSON ) The yes over and over being a reference to him running his mission critical system, where he just typed yes all day, until he figured out he could just hit y, until he set up that toy bird which leans forward and stands back up over and over. Man, I can't believe I had to explain that one.

  69. So now... by TomatoMan · · Score: 2, Interesting

    ...hackers will just point at http://windowsupdate.microsoft.com instead. Right?

    --
    -- http://frobnosticate.com
  70. Re:really... by Some+Dumbass... · · Score: 2, Insightful

    Given the same marketshare as Windows, Linux would be just as much targeted by the black hats and script kiddies alike as Windows is these days.

    I'm getting sick of hearing this particular bit of FUD.

    First of all, when a vulnerability of this calibre is found in Linux or in common Linux utilities (e.g. the ssh vulnerability) it _does_ get attacked, despite Linux's smaller marketshare. RedHat lpd anyone?

    Second, didn't the last big Windows worm only affect people running MS SQL? What is that, 1% of all Windows installs? So despite the small number of computers which would be affected by this worm, it was still written. Note that it also did a fair amount of damage (took down some root nameservers, I think), which is exactly why worm writers are targeting systems with smaller marketshare -- because "smaller" still means something in the realm of a million or so computers, which is more than enough to do some serious damage!

    Thus the argument that Linux's marketshare is the reason why it doesn't get attacked does not make sense. Systems with limited marketshare (like Linux) _do_ get attacked by worms, presumably because they can still do lots of damage.

    So why so few Linux worms? I suspect the reason why there have been fewer Linux worms in the past few years is that there have been fewer vulnerabilities in Linux and common Linux utilities which were severe enough to allow a worm to spread. Linux has its share of security vulnerabilities, but there's a big difference between a bug which allows a user to, say, overwrite arbitrary files on a system, and one which allows them to execute code on the system without even logging in!

  71. Patent by Arpie · · Score: 2, Funny

    Will someone please patent something like this before micro$oft:

    "Method to prevent worm attacks by changing site hosting locations as many times as needed".

    This way they'll either have to fix the damn holes or pay up.

    I'm joking... but if someone wants to try and the USPO actually accepts it (not totally unlikely) just give me some credit, and some 10% of the profits will do. ;-)

    --
    /* TAANSTAFL */
  72. Holy Misinformation Batman! by kevlar · · Score: 4, Informative

    WindowsUpdate.com did not, I REPEAT: DID NOT EVER Run Linux. The scan from Netcraft only shows that during a particular scan the DNS resolved to Akamai's web caching servers. So Puh-LEASE don't try to start misinformed rumors.

    Linux AkamaiGHost 15-Aug-2003 213.161.82.37 Akamai

  73. Military Definitions of "Secured"... by Speare · · Score: 4, Funny

    Reminds me of the old military joke,

    The reason the Air Force, Army, Navy and Marines bicker amongst themselves is that they don't speak the same language. For instance, take the simple phrase "secure the building".

      The Army will post guards around the place.

      The Navy will turn out the lights and lock the doors.

      The Marines will kill everybody inside and set up a headquarters.

      The Air Force will take out a 5 year lease with an option to buy.

    --
    [ .sig file not found ]
  74. Don't completely abandon WU.com by sahonen · · Score: 2, Insightful

    Put a locked-down box on windows-update.com that logs all the IP addresses it gets DOSed from, then trace them back to the actual users whose machines were compromised. Then revoke all of those users' XP licenses for being bloody stupid morons who don't know how to apply a patch.

    --
    Make me a friend and I'll mod you up
    1. Re:Don't completely abandon WU.com by wik · · Score: 2, Informative

      They already revoked access to WU for people who used pirated licence keys. As a result, there are plenty of XP installations which will never be patched. I believe this is reckless and self-defeating.

      --
      / \
      \ / ASCII ribbon campaign for peace
      x
      / \
  75. Disk Operating System by Tired_Blood · · Score: 5, Funny

    While Windows was getting all the attention from their common creator Microsoft, DOS has secretly been waiting for its opportunity to strike at both.

    From the infoworld article:
    The company is cooperating with federal law enforcement officials to investigate the attack, which is the second successful DOS attack against Microsoft.com this month.

    Two successful DOS attacks this month. And what a sense of irony: revolt against the creator by manipulating "the favorite" to do its bidding.

    What's so hard about using a lower-case 'o'?

    --
    This is not my sig.
  76. What? That's supposed to be informative? by Kynde · · Score: 2, Insightful

    This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

    Active Directory also provides a way to block this type of worm that *ix doesn't. There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network. Once they're all patched, the policy can be removed really easily.

    Is this guy for real?
    This kind of am-an-admin-expert-because-i-have-two-boxes-at-home kind of talk should be left at score 1 or so, where it belongs, regardless of whether it praises or bashes M$ or *nix.

    That kind of "block" should not be suggested to other clueless admins! This is exactly why the worm got the 2nd generation where the filename had changed.

    (I'm trying real hard not to mention also the fact that you shouldn't make false claims like that about *nix systems. You really think *nix systems, employed for thousands of users all over the world in thousands of universities, don't have elaborate user policies that can be administered swiftly and efficiently? Then again you're probably just flaming/trolling...)

    (and you even forgot the penis32.exe, which btw is indeed a genius naming stunt! I do loathe the black hats, but every now and then I can't help myself admiring the simplistic beauty in some of their tricks. Thinking how many warning mails never reached their target because mail filters grabbed them...)

    --
    1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
  77. Troll much? by stewby18 · · Score: 2, Insightful

    Because they've engendered a "computing" culture where users are ... ignorant about the need for patching

    Yeah, curse those bastards for making computers that are usable by people other than us techno-elite snobs.

    Many people simply have other things they care about more than patching their computer. If 95% of people used *NIX, would it have a reputation for being mostly secure? No, because people who don't care would still be the vast majority. Most people should know the importance of basic car maintenance: checking oil, tire pressure, anti-freeze, etc. Many, many people don't bother to do so. When they have problems, is it Ford's fault?

    1. Re:Troll much? by Prior+Restraint · · Score: 2, Insightful

      Most people should know the importance of basic car maintenance: checking oil, tire pressure, anti-freeze, etc. Many, many people don't bother to do so. When they have problems, is it Ford's fault?

      Your analogy is flawed. The product was defective when it left the manufacturer. The automotive analogy to a patch is a recall. The general public views recalls as an indication that Ford (or whoever) is at fault.

      Therefore, Microsoft is to blame.

    2. Re:Troll much? by RealAlaskan · · Score: 2, Insightful
      If 95% of people used *NIX, would it have a reputation for being mostly secure?

      Yes, because 95% of people can't administer a *nix box. They'd have to rely on pre-setup operating systems (just like they do now with Windows!). If those systems were Debian stable, they could be kept secure by a cron job (part of the default install, in this hypothetical situation) which looked like this:

      apt-get update && apt-get -y dist-upgrade

      If 95% of people used Debian stable, they'd be happy, just like they are with Windows, because they'd be using the same software everyone else is using, and having the same problems as everyone else.

      They wouldn't be having problems with buggy old software on unsecured boxes, and they wouldn't be having the same sort of problems with viruses, either.

  78. Re:windows worm OLE exploits might have broke powe by batkins · · Score: 2, Interesting
    Actually, it's called RPC (Remote Procedure Call). And the power grid doesn't use RPC (or OPC for that matter). No critical systems like that are run with MS software.

    Get a clue.

  79. Dear Jamie by Keith+Russell · · Score: 2, Insightful

    Interesting article. But did you have to be such an asshole about it?

    Yours truly,
    Keith

    P.S.: If your power is still out tonight, I hope this burning karma lights your path.

    --
    This sig intentionally left blank.
  80. No third party distribution of patches by Anonymous Coward · · Score: 5, Interesting

    Notably, Microsoft refused to give permission to ISPs to burn CDs or make floppies with the Blaster patch on them. I heard of one outfit that had their lawyer contact MSFT to make sure that they were kosher before giving them to customers. Microsoft refused. As it turns out, they stated that the users could easily download the patches directly, even if they had the shutdown bug and were dialing in to download a 1.2 MB patch.

    I have no sympathy for MSFT getting DOS-ed. The fuckers deserve it, and they were hoist by their own petard. Sure, there is some nitwit out there that acted on an exploit that was known for at least a month, but WTF? What is the problem with letting ISPs distribute the patch to fix this thing?

    The ISPs are burning time and support lines over it, bandwidth is getting hosed by the packets on the affected ports, filtering ports helps (but doesn't eliminate the problem). Essentially, third-party companies (ISPs) asked for permission to help put out this fire, and Microsoft gave them a big "fuck you" and I am somewhat gratified by the whole thing.

    Fuck you, Microsoft. Here's hoping you get more of the same.

    I might post the emails discussing the attempt to get authority to help spread the patches somewhere, but I'm not anxious to cause a slashdotting of my own weenie ISP's servers.

    1. Re:No third party distribution of patches by Mostly+a+lurker · · Score: 2, Interesting
      Notably, Microsoft refused to give permission to ISPs to burn CD's or make floppies with the Blaster patch on them.

      I had not heard this. Do you have any references? On the face of it, this could lay MS open to legal action by the ISPs for damages that could and should have been prevented.

    2. Re:No third party distribution of patches by GordoSlasher · · Score: 2, Funny
      From an article in a local newspaper
      In Colorado, Comcast and Qwest said customers who couldn't access the Internet bombarded the company with calls. The companies directed their customers to Web sites offering software fixes.
      That's some really useful advice for someone who can't access the Internet! Maybe they expect granny to drive to the web site?
  81. Why it actually "runs Linux" by dodell · · Score: 2, Informative

    And, if you read further about how Netcraft actually works, you will notice that they state that firewalls and other sorts of software can make it appear that a server's software is actually running on an OS that it would otherwise be impossible to run on. This is why you will find IIS running on Solaris, FreeBSD and Linux. Read first.

  82. Breaking news tomorrow by the_one_smiley · · Score: 3, Funny

    The impending DDoS attack on Microsoft scheduled in the MSBlast worm was drastically mitigated by Microsoft's DNS shuffling, the diligent patching by systems administrators around the world, and the lack of electricity in several population centers. However, it was replaced by a much more potent DDoS attack by people checking to see if Microsoft's site was dead yet...

    --
    "Never put off for tomorrow what can be avoided altogether"
  83. Microsoft hosed their own update service! by KE1LR · · Score: 5, Informative
    Microsoft has a free tool called " SUS " which is a localized version of Windows Update - you run it on a W2K server in your enterprise and then redirect your clients to get their automagic updates from the local server instead of going to MS directly.

    The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.

    However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!

    Error Message:
    "Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatalog1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"

    Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.

    Lame.

  84. Re:I think the windows update botton on the taskba by oohp · · Score: 2, Informative

    Well they bought a Romanian AV company called RAV. They used to have anti virus products for Linux and FreeBSD (to scan for wind0ze viruses of course), but no more now.

  85. Re:really... by Kombat · · Score: 3, Insightful

    "[Unix] is *not* as susceptible as Windows is. Not by a large margin."

    Oh really? I'd just like to point out that while this bug is *attacking* one of MS's sites, it won't successfully *break in*. It was a mere 2 days ago that a hacker successfully broke into GNU.org and compromised the crown jewel of the Linux community.

    So who's more secure again? Don't be so quick to jump to Unix's defense. A lot more exploits are publicised for Linux than for Windows.

    --
    Like woodworking? Build your own picture frames.
  86. Wow by Cyno · · Score: 2, Funny

    With Microsoft getting DOS attacks and viruses all the time one might begin to think that someone doesn't like them. Hrmm. Wonder who that could be..

  87. Microsoft Security Bulletin MS03-026 by Valiss · · Score: 3, Informative

    I don't know why this became a big deal. Ok, I lied. It became a big deal because of users who did not patch their systems (for whatever reason). But it isn't like this patch is new. It was originally posted on July 16, 2003. They just revised the bulletin because of the outbreak.

    From MS's site:

    Why have you revised this bulletin?

    Subsequent to the release of this bulletin Microsoft has been made aware that additional ports involving RPC can be used to exploit this vulnerability. Information regarding these additional ports has been added to the mitigating factors and the Workaround section of the bulletin.

    If I have installed the patch provided with the original bulletin, am I still protected?

    Yes. There has been no update to the patch itself, and the patch will still correct the vulnerability. This additional information is being provided to those customers who may require a temporary workaround until they can apply the patch.

    I wish I could make my friends, family, people I know read these security reports on their own, but they never do.

    --

    -Valiss
  88. As Reliable as Electricity and Water??? by Anonymous Coward · · Score: 2, Funny

    "However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.

    Today, in the developed world, we do not worry about electricity and water services being available."

    I guess Bill hasn't seen the news in the last 24-48 hours. I haven't seen a virus yet that can take down all systems in less than nine seconds. If the reliability of power is what Bill aims to achieve we (MS) admins will always have a paycheck...

  89. Boasting Bill by cyberwave · · Score: 2, Interesting
    From Bill Gates' memo: "We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched - but as an industry leader we can and must do better"

    Last time I checked, most everybody, on average, beats Microsoft in terms of speed of security fixes. So I suppose unmatched, because Microsoft has been completely surpassed.

  90. Prepare to pay thru the colon by Archfeld · · Score: 5, Interesting

    Here in CA you have to fund the switch which allows you to feed from your supply to the lines, even if you don't EVER want to feed back. PG&E got some help in the legislation; this runs around 10K minimal. The CA government in its infinite wisdom also instituted a Farking tax on power feedback, in order to offset the cost of people leaving the system while it is so deep in financial trouble, so now even if you DON'T USE the power grid, you are required to pay a tax on the approx. amount you would use.... Our rural neighborhood association just went through the governmental hoops to get this working... what a friggin nightmare.... Unless you have several hundred potential users, there is no way this is financially feasible thanks to our friends in government, always out to protect corporate interests at the expense of taxpayers' freedom and choice.....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  91. Re:An easier way to pay... by Cromac · · Score: 2, Interesting
    Select and buy your favorite combination of solar, wind, gas generators, or whatever else your locale will support. Call the power company and tell them to disconnect you, and would they PLEASE get their damn wires and poles off your property.

    It's definitely something we've considered. Based on where our house is and living in the Pacific NW, wind seems like it may be our best option; fortunately windmills are getting more efficient all the time.

    I think I'll just leave PSE's wires in the ground and disconnect them at the box though. If they came to dig them up they'd sever my cable, phone and water lines for sure. :)

  92. Re:windows worm OLE exploits might have broke powe by petwalrus · · Score: 2, Informative
    Actually this isn't so far off:

    http://www.matrikon.com/drivers/opc/whatisopc.asp

    OLE for Process Control (OPC) is a new technology designed to bridge Windows based applications and process control hardware. It is an open standard that permits a consistent method of accessing field data from plant floor devices. This method remains the same regardless of the type and source of data. Therefore, end users are free to choose the software and hardware that meets their primary production needs, without having to consider the availability of proprietary drivers.

    OPC components fit into two categories: OPC clients and OPC servers. A client is typically a data sink -- an application that uses data in some way, such as an MMI or SCADA package. A server is a data source -a device specific program that collects data from a field device, and then makes it available to an OPC client.

    and DCOM definitely appears to be in the mix as well:

    http://www.opcfoundation.org/Downloads/White%20Papers/OPC,%20DCOM%20and%20Security.pdf

    Perhaps the lusers who are uneducatedly blaming the blaster virus aren't entirely wrong.

  93. Re:I think the windows update botton on the taskba by subsolar2 · · Score: 4, Informative
    Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). you'd think they'd at least fix that if they were fuckin with the dns..

    You may not know this, but when you change an entry in DNS, it is not available to everyone for a while. This is due to caching (all ISP DNS servers are caching servers, of course). For instance, the AOL servers may have gotten the ip for the domain at 8am, and if it doesn't expire for

    You may not know this, but you are incorrect ... the redirection has nothing to do with DNS entries propagating and everything to do with MS's web site/server. It's redirecting to the old URL and not the new one.

    -1 Overrated for that on a +5 post

  94. Re:I think the windows update botton on the taskba by aWalrus · · Score: 3, Interesting

    That line of reasoning is hogwash, and part of the self-apologizing crap we Software Developers keep throwing out.

    It used to be that we could blame the users for running executables they receive via emails. We demanded common sense, and said that it was user error, not Software Developer error. This time, the mere act of being plugged into a network or the Internet is enough to get the computer infected. So what do we do? We say, "Damn those lusers, because they didn't install their latest security patches!"

    That's a big, smelly load of shit. Systems administrators should be required to read bugtraq and keep their systems patched. Users should only show common sense. We can't ask them to do these things. There are people working with computers that actually use them as tools to do work, rather than as objects of worship, as we geeks do. They don't want to know about driver install woes or our petty flavour of the month.

    We should be bounds-checking our mallocs rather than demanding users take the time to fix the faulty products we put out.

    --
    Overcaffeinated. Angry geeks.
  95. Uhhhh, No by DesScorp · · Score: 5, Insightful

    "why would i want to help allievate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!"

    I know (think) you're joking, but while we can moan all we want about how Microsoft should design software that's more secure, we can't do anything about existing systems. And windowsupdate was the fastest, easiest way for the non-tech public to protect and repair themselves. Those of you out there that view this impending attack and the shutting down of windowsupdate as a good thing are very shortsighted.

    Maybe you don't give a shit about all of those other users out there that use Windows. Maybe you're happy this is happening. Fine. But rest assured, it's not going to cause people to rebel against Microsoft, like many of you are hoping. There will be no enlightenment and mass exodus to Linux or BSD or OSX. This is going to get blamed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux. Pretty soon it'll be "yeah, I saw those Linux guys bragging on slashdot.org that they took windowsupdate down!"

    IBM's reps will be going "yeah, thanks heaps for the positive image, slashdotters.........fuckers".

    Make fun of people that run Windows all you want, but don't assist in, or support the disabling of one of their few effective means of defense.

    --
    Life is hard, and the world is cruel
    1. Re:Uhhhh, No by k12linux · · Score: 2, Insightful
      it's not going to cause people to rebel against Microsoft, like many of you are hoping. ...This is going to get blamed on "hackers".

      You got it! Fairly recently I noticed that nearly 100% of the time MS spins Windows problems this way. It's especially true with Outlook. Based on the spin in their press releases and KB articles, all security problems are 100% the fault of those evil hackers. MS on the other hand really isn't responsible for security problems because if it weren't for hackers there would be none.

      That's kind of like being a company who builds bank vaults made of wood instead of metal. After all, it's not their fault if it gets broken into. It's those damn bank robbers.

      What other industry would people put up with that type of logic?

    2. Re:Uhhhh, No by thesuperjason · · Score: 2, Informative

      This is going to get blamed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux.

      Unfortunately, this is (in my experience over the last couple of days) correct.

      Since the outbreak of blast, I've helped around 5 or 6 family members (you know the ones: "Um, you work with computers and mine's broken. What do I do?") patch their home systems and remove the worm.

      "What was it?" they ask. "Well, it's this worm you see..." and before you can finish your sentence you get a barrage of "Why do these people do this??? Do they think it's fun???".

      "Who, Microsoft?" I ask.

      "NO! These bloody hackers!!! Where do they get off busting into my system. I wish they'd all get a life. Arseholes".

      Sigh... There's really no point explaining that it's because of MS that they have these problems. They don't have an alternative as they see it. Computer = Windows.

      TSJ

    3. Re:Uhhhh, No by sql*kitten · · Score: 2, Insightful

      There's really no point explaining that it's because of MS that they have these problems.

      Rubbish. I expect you blame Ford for the existence of car thieves? Damn Ford, they should have used brick-proof glass in the windows!

      And it's not as if Linux has never been r00ted via sendmail or BIND, is it? MS Blaster is the same, it just propagates over DCOM.

  96. Eeh, excuse me? by Jugalator · · Score: 3, Informative

    And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight.

    If you're going to submit a biased article, at least get the facts straight. WindowsUpdate.com was never the primary WU domain, windowsupdate.microsoft.com was. They're just disabling the extra one that was never linked from the Windows OS.

    --
    Beware: In C++, your friends can see your privates!
  97. Actually, by Sevn · · Score: 2, Informative

    :)

    A few of the German Microsoft sites used to run Linux. Oh, and their "Switch to Windows" campaign server used to run Linux as well until everyone started picking on them. You don't have to get all huffy because Microsoft had to rely on the awesome power of Linux to save their bacon. They went with Akamai to load balance a site, and Akamai uses industrial strength Linux. So yes, inadvertently WindowsUpdate.com IS running on Linux. The scan from Netcraft was correct. So Sorry. Thank You For Playing. No rumors here. It's the honest to God's truth.

    --
    For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
  98. Kinda like you should not have to keep your ... by Randy+Rathbun · · Score: 2, Insightful

    car in roadworthy condition, huh?

    I mean, what business is it of anyone else's if your brakes are bad, you have bald tires, and huge chunks of the car falling off as you drive down the street.

  99. Everybody is missing the point by grozzie2 · · Score: 5, Insightful

    I think everybody is missing the point on this whole issue. Fact :- Blaster is a worm, whose payload was intended to DoS windowsupdate.com, rendering it unavailable to the folks using it. Fact :- windowsupdate.com is 100% unavailable. Conclusion :- Blaster is the most successful virus/trojan to date. It didn't just cause a few hours of unavailability, it wiped the domain from existence. Not just any domain, but a prominent Microsoft domain (high profile, big budget website) totally obliterated off the internet. Folks can say what they want, and argue about the politics of it all, bicker about who is responsible to update what, and whatever, but you cannot deny the facts. Blaster is head and shoulders above the crowd as a denial of service worm, the first to achieve a 100% success even prior to actually triggering. Say what you want folks, but this has got to go down in history as the most successful worm ever.

  100. Re:C2? by kjs3 · · Score: 2, Insightful
    I thought it was C4 clearance, and that took years to get.

    It's C2; there's no such thing as C4. C2 isn't terribly hard to get (lots of auditing and doco requirements). However, since C2 isn't a particularly interesting or useful security classification except for marketing (DAC systems are strictly for unclassified environments), most vendors don't bother with it until they start selling lots of stuff into the gov/mil/intel areas.

    B-level secure systems are another story entirely.

  101. Re:Security is #1.... again? by PhxBlue · · Score: 2, Funny

    I dunno. I just saw someone else's signature line say it's a guaranteed +5 Funny, so I figured I'd do a one-shot experiment to see for myself. 'Course, it only got to +3, so I guess the guy wasn't right after all. :)

    --
    !#@%*)anks for hanging up the phone, dear.