WindowsUpdate.com Secured, Permanently

Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority. Today, about a hundred readers have submitted the news that Microsoft.com went down last night. And now, the company has "extinguished" WindowsUpdate.com (future updates will come from a different domain). All this because of some Microsoft worm that triggers at midnight. Related news: Windows Update says you're protected, but maybe you're not; WU.com briefly ran Linux, heh; worm variant with clever "anatomical term."

Next Week..

[msblaster.exe]

Don't worry next week there will be another memo with the URL for the new update

Re:Next Week..

[Ledskof]

secured permanently? So they unplugged it from the network to finally get that C2 security level eh?

Re:Next Week..

[cravey]

I wonder why they didn't just point DNS for the website to 127.0.0.1.

Let the infected servers work it out amongst themselves. :)

Re:Next Week..

[kilgore_47]

I wonder why they didn't just point DNS for the website to 127.0.0.1.

Better still, why not put 30 or 40 round robin DNS entries in? Symantec says there's about 228,000 infected boxes; with 40 different IPs on windowsupdate.com's DNS record, each server would be hit by less than 6,000 attackers. Surely, with the time they've had to prepare, they should have been able to handle this.. I'm really surprised that they actually took windowsupdate offline. I think any competent sysadmin with the financial resources of MS behind them should have been able to weather this storm without any loss of service.

I've been kind of wondering if there might not be some other exploit that some researcher is waiting to release, after everyone's auto update is broken...

Re:Next Week..

[gclef]

Because the worm spoofs traffic from it's local subnet to the windowsupdate address. What this means is that any infected machine would spoof traffic to itself from its local subnet, and then flood the local lan with RSTs, presuming it wasn't actually running a webserver, in which case it would flood the local lan with ACKs. Either way, bad.

The worm doesn't sanity check the DNS result, though, so if the name doesn't exist, gethostbyname() returns -1, which translates to an IP of 255.255.255.255. The reports I'm reading say that the windows stack won't allow you to send traffic to that IP, so the machine will just drop it. (that could be wrong, though. We'll find out soon.)

Re:Next Week..

[gujo-odori]

Let us not say that.

The MSBlast worm delivers about a 16 kbps stream, so whether the zombie is sitting on a 56k dial, a 256k upstream DSL or cable connection, or has a T-1 or larger uplink doesn't really matter. DDOS zombies don't usually consume all of the available bandwidth, since doing so would be rather counterproductive to the goal of making a DDOS attack.

If an average user, being mostly computer-illiterate but knowing that a reboot fixes most Windows problems for a while, finds that his/her computer can't connect to the Internet (the symptom of having all of your upstream bandwidth utilized), the most likely response will be a reboot. This lowers the effectiveness of the DDOS attack compared to a large number of zombies making the attack without their owners' knowledge, which allows them to continue uninterrupted.

Numbers of attackers are the key to a highly successful DDOS attack, not using up all the bandwidth at the zombie's dispoal. MSBlast could take a lot more bandwidth and still be not noticed by broadband users, but the authors have clearly crafted it to work and not be noticed on machines with dial-up and other low-bandwidth connections (I saw a 32-workstation LAN in a third world country; there was a 64k uplink for the whole office; things like that aren't unusual in many parts of the world. The likelihood of those machines being uptodate on patches is very low, which makes them a good target for MSBlaster.

My purpose for being there was to install a hardware firewall in front of their network, so they are far less likely to get infected, but there are many vulnerable machines like that out there with no protection. A good DDOS client can use them; one that consumes all available bandwidth can't.

Re:Next Week..

[13Echo]

Most Windows users will know that something is wrong when "svchost" constantly crashes, prompting for a reboot. The hits on port 135 cause it to bork out. My mom, who is quite "computer illiterate", knew that something was wrong, and called me about it. We corrected the problem by upgrading her virus definitions (which were only a week out of date), and installed ZoneAlarm Free on her machine to stealth the ports from now on.

GRISoft's AVG Antivirus, and ZoneAlarm, are two great and free tools that can fix and prevent these things.

AVG Anti-Virus
Zone Alarm

A year or two ago, I wouldn't have thought that firewalls were so essential for dial-up users. Now, it's important for all users to have them, regardless of the OS.

Re:Next Week..

[AngryRodent]

Windows update is already massively load balanced across multiple server farms. They use both a DNS based load balancer (F5 3DNS) and local area load balancers (F5 BIGIP). The server farms are in a number of locations. Early, and not so early in the implementation of this, a number of people were concerned that Microsoft was attacking them because the 3-DNS's would create probes from each datacenter to the end-users system. I'm not sure if that is still being used. I have no knowledge of how they Akamized so quickly since I haven't been involved with this project in years. However, it should be pointed out that the BIG-IP's make Akamizing content a very simple matter. I'm not shilling for F5- I no longer own any of the stock, haven't been an employee for years, and I'm now just a reasonably-satisfied customer.

I think the windows update botton on the taskbar..

[Squeezer]

always took you to http://windowsupdate.microsoft.com so whats the big deal about cancelling windowsupdate.com? do you think anyone will notice, or care for that matter?

NetCraft stats

[xrayspx]

Take NetCraft stats with a Big Grain of Salt (big grains of salt, heh). If a site is "Akamized", as this one was, or is otherwise distributed, you'll see the OS of the front end, not what the site actually runs. You'll note that NetCraft lists "linux" for the Akamai site.

In other news...

[GillBates0]

Computing is more important than any other part of our work. If we don't do this, people simply won't be willing--or able--to take advantage of all the other great work we do.

Breathing is more important to us than any other activity. If we don't breathe, we will die.

Ahhh, the perfect security

[Froze]

1) Disconnect box from all external cords
2) Encase box in several hundred cubic meters of concrete
3) Surround concrete with meter thick lead lining
4) Bury under radioactive waste in a geologically stable region
5) Saturate the surface with nuclear land mines
6) Curse MicrSoft, becase you still get hacked!

Re:Ahhh, the perfect security

[stwrtpj]

1) Disconnect box from all external cords
2) Encase box in several hundred cubic meters of concrete
3) Surround concrete with meter thick lead lining
4) Bury under radioactive waste in a geologically stable region
5) Saturate the surface with nuclear land mines
6) Curse MicrSoft, becase you still get hacked!

7) Profit?

It sure is a hell of a lot faster

[Hamster+Lover]

Went to check for updates today, just for the hell of it and the speed was a huge improvement over the old URL.

Re:I think the windows update botton on the taskba

[h0tblack]

They're obviously worried that something is in the wild that is hard-coded to attack WindowsUpdate.com, else there would be no point in abandoning that domain and moving to another.

windowsupdate.microsoft.com

[anotherone]

Not a huge deal, since the official URL is windowsupdate.microsoft.com . The start menu, Tools in IE, and Windows Help all have that address. The worm author was kinda stupid, he should have pointed it to microsoft.com or windowsupdate.microsoft.com.

Re:What did they do?

[lucifuge31337]

Did they point windowsupdate.com to 127.0.0.1 ? I hope not, there was a mail on FD explaining that such an action would cause it to DOS the local network.. Also, wtf is up with the site running lunix?

No, they took the A record out completely. It's not Akami-ized. That's the linux box you see.

Permanently Secured == Permanently Offline?

[Matrix272]

So "Permanently Secured" now basically means "Permanently Offline"? Why didn't they just let the worm eat the domain? What's the difference, really? Whether they pull the plug, or the worm does it for them, it still means windowsupdate.com won't work...

Re:Security is #1.... again?

[micromoog]

Wasn't this the subject of a famous memo about a year and a half ago, when they were spending 10 months doing nothing bug security?

Oh, you mean this?

Precisely nineteen months ago, Bill Gates sent out a memo to employees (and the press) announcing that security was Microsoft's number-one priority.

It's the first line of the fucking story! For cryin' out loud, we know you're not going to read the fucking article, we don't really expect you to even read the whole story, but can't you at least fucking read the first line?!?!

Here's the deal on Linux for windowsupdate.com

[djh101010]

They've given the windowsupdate.com site to Akamai to serve for them. Not a bad idea, actually, since Akamai has something like 15,000 webservers distributed around the world, to share the load.

Of course, it's extremely amusing that they're paying to have their content served by a flock of 15,000 penguins. I'm a bit concerned for our own site this weekend, as we use akamai for our static content. It'll be interesting to see how my pageloadtimes are affected (if they are).

Akamai is a great resource for dealing with huge spikes in webserver load - I guess you could say this qualifies as that.

Saved?

[PovRayMan]

Last night I finally went to go upgrade from Windows Media Player 6.4 to 9.0 so I can test out those high definition WMP9 videos for once. I couldn't figure out why microsoft.com wasn't loading but now I find out it was because of a DOS attack.

Now I'm thinking, was this intervention from a higher force to protect me from installing WMP9 or just odd luck?

Re:I think the windows update botton on the taskba

[druske]

"...whats the big deal about cancelling windowsupdate.com? do you think anyone will notice, or care for that matter?"

The virus writers will care. I'd be surprised if a version with a New Improved attack address hadn't already been launched, probably ignoring the semaphore which normally kept the worm from reinstalling itself on an infected machine. If this happens, Microsoft's initial countermeasure won't be worth much for long. Still, it was a necessary and sensible first step.

not quite

[joe_bruin]

OS: Linux
Server: Microsoft-IIS/6.0
Last changed: 15-Aug-2003
IP address: 213.161.82.33
Netblock Owner: Akamai

they did not switch their servers to linux, they used akamai's caching services to handle their massive bandwidth requirements. notice the server is still iis. this is an akamai box (linux) serving a cached copy of microsoft.com (windows/iis)

$ host www.microsoft.com
www.microsoft.com is an alias for www.microsoft.com.edgesuite.net.
www.microsoft.co m.edgesuite.net is an alias for a562.cd.akamai.net.
a562.cd.akamai.net has address 63.236.1.163
a562.cd.akamai.net has address 63.236.1.160
a562.cd.akamai.net has address 63.236.1.153
a562.cd.akamai.net has address 63.236.1.139
a562.cd.akamai.net has address 63.236.1.168
a562.cd.akamai.net has address 63.236.1.147
a562.cd.akamai.net has address 63.236.1.138

Re:really...

[Eric+Ass+Raymond]

What makes you think that Linux is secure software? Or FreeBSD for that matter. I'd argue that OpenBSD is more secure but so is Trusted Solaris. Given the same marketshare as Windows, Linux would be just as much targetted by the black hats and script kiddies alike as Windows is these days. This time you cannot even blame Microsoft for delaying the patch. It was all because of a fault in software and if you argue that the open source alternatives are immune to remote holes, you're deluding yourself.

governments of the world should heavily fine ms each time a serious bug is found and/or exploited. and people should examine, and demand, better alternatives

Would you prepared to submit the open source community to this same program? Every time a governmental Linux server is cracked, RedHat, SuSe or fundamentally FSF will have to pay.

Re:Gates Memo repost - slowing...

[otisaardvark]

Today, in the developed world, we do not worry about electricity and water services being available.

You have to give it to the guy; his timing is impeccable...

Re:What did they do?

[Tirel]

here it is:
Date: Fri, 15 Aug 2003 08:33:57 +0200
From: Carsten.Truckenbrodt@Bertelsmann.de
Subject: AW: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1
To: full-disclosure@lists.netsys.com
Cc: security@microsoft.com

Hi,

This might be a bad idea. If you let windowsupdate.com resolve to 127.0.0.1
the following will happen: The worm uses spoofed IPs from the local /16
subnet as source address. Pointing all the syn packets to 127.0.0.1 will
generate a RST packet from the local host to the spoofed IPs and spread
traffic over the complete internal network.
Even blocking or routing the normally resolved IP to Null0 will be a lot
work because this domain is loadbalanced through the world. That means you
get a different resolution depending on your ISP or place in the world.

If you manipulate your DNS, you should give no A-Record back to the worm.
With this the worm will not start attacking anything. So setting up a
nameserver zone with only a SOA record will do the job for Saturday 0:00.

Best Regards,

Carsten Truckenbrodt
Arvato systems Taco Network SnotIing Security

-----Ursprungliche Nachricht-----
Von: Tobias Oetiker [mailto:oetiker@ee.ethz.ch]
Gesendet: Freitag, 15. August 2003 00:15
An: full-disclosure@lists.netsys.com
Cc: security@microsoft.com
Betreff: [Full-Disclosure] MS should point windowsupdate.com to 127.0.0.1

Folks,

How about MS standing up for the mess, and changing their own DNS to point
all request for windowsupdate.com and whatnot to 127.0.01 ?

This will null the effect of the syn flood very effectively. Only proxies
will be affected.

As far as I see it, they will not be able to use these names productively
for the foreseeable future anyways ...

So they will have to issue an update for windows-updater thourgh other
channels (like their homepage for example) to point it to a different
web-site .. that should not be all that much of a problem.

If MS does NOT make this change to their DNS, I can see many routers who are
trying to track connections toppling over in interesting ways.

Because the local techs have no clue, it will
take the affected companies ages to get back on the net.

tobi

Re:A moving target is still a target

[ebh]

Um, not to be a Microsoft apologist or anything, but at least in the case of MSBlast, they DID fix the problem.

This is not like those stupid email trojans that are inexcusable because Microsoft intentionally opened the door (with scriptable email, etc.). This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

What took out Microsoft.com last night???

[TopShelf]

At least we know where the DDOS attack didn't come from: New York, Detroit, Cleveland, Toronto, et al.

next work is going to use goofle

[javatips]

I predict (maybe this post will help a little :-( ) that the next iteration of the worm (or another one) will google up "windows update" and will attack the 3-5 bests results.

Let's see what happen then... Microsoft is going to pressure Google to remove www.google.com from their DNS Servers ;-)

cool title

[pyros]

Marc Maiffret, chief hacking officer for security software maker eEye Digital Security

That is the coolest job title. I'd have to negotiate a gold plated machette as a hiring bonus for a title like that. And anyone working for me would be officially titled a Hacking Minion!

Ironic?

[Bandman]

Today, in the developed world, we do not worry about electricity and water services being available.

Maybe he didn't get the memo?

Re:really...

[conan_albrecht]

Unix is more secure for (at least) two reasons:

1. Users don't run Unix as root. Viruses have a very hard time attacking programs they have no write permissions on.

2. Unix has a much longer history than Windows NT+. It's had more time for the holes and buffer problems and other stuff to be fixed. Linux essentially "lengthens" its short history because it has so many eyes looking at it.

3. The killer Unix programs (Apache, SSH, PostgreSQL, etc.) don't run as root either. So even if they get exploited, worms can't do much with their rights anyway.

Unix is just built better. It has a longer history. I'll ceed that perhaps with a larger user base (pretend Unix has 90% market share) it would be a bigger target, but it is *not* as susceptible as Windows is. Not by a large margin.

Sidechannel attacks

[babbage]

Of course, this leaves them open to alternative attacks.

For example, if someone hijacks or otherwise poisons some DNS servers, then all the traffic to windowsupdate.com will make it through to windowsupdate.microsoft.com anyway.

Or, a future worm could be written to target & attack a variety of Microsoft servers.

Or a future fowm could be written in such a way that the target is not part of the worm's code, but rather can be directed remotely somehow. This way, even if Microsoft tries to switch addresses, the person[s] directing the attack can just change the target.

The real solution isn't to keep trying to dodge the bullet.
The solution to become bulletproof.

Even after all this time, Microsoft still doesn't seem to get that.

Part of the reason Microsoft is such a prominent target is of course because it is so, well, prominent. Taking down (say) an FSF server doesn't raise nearly as many headlines (as this week's headlines will attest to). But I don't think that all of the problem here can be traced to how widespread Windows is -- while the Internet's clients are nearly all running Windows, a large fraction of the server architecture is running some Unix variant, and while there is of course some malware that targets *nix (Linux, Solaris, MacOSX, BSD, etc), the results never seem to be as catastrophic as the typical Windows outbreak

To rip of Bruce Schneier's analogy from his security article in Atlantic Monthly a year ago, it seems to me that the what security mechanisms Windows has tend to be brittle, while those that the *nix etc world have tend to be pliable. That is to say, when a problem comes up with (say) Apache, the damage tends to be isolated. This is partly because each installation will be configured differently, with different features enabled or disabled, and partly because the server runs on a variety of systems, each of which may have different mechanisms for providing underlying security protections. On the other hand, IIS installations tend to be pretty homogeneous, and a flaw with one very well could be a flaw with all.

That's not to say that IIS couldn't be just as secure as Apache, if not much more so. But part of Apache (etc)'s strength is it's heterogeneous nature -- people are able to tinker, adapt, mix & match components to suit their needs, and in the process this will also tend to protect them from catastrophic failure. Microsoft has actively resisted this kind of diversity -- witness their howls about having to come up with "thousands of versions of Windows" if some of the firmer antitrust penalties were put into force. Those thousands of permutations are, arguably, exactly what is needed: this will give their users greater choice, and it will make emergencies like this more rare.

I don't get why they're so opposed to the idea.

Maybe they've got cleverer plans than anything I can think of. I certainly wouldn't claim to be any kind of security expert. But if the best they can come up with is a change of address card, I can't help but wonder if they're fumbling in the dark here...

Re:Sidechannel attacks

[babbage]

I actually don't want to get into whether or not having source code access improves security. A lot of people firmly believe that openness lends to security (and I happen to agree with them, in general), but some of the arguments against source availability are pretty persuasive too. Let's not get into that right now.

You write...

Apache (the core) isn't resistant to attack because it can be compiled and run just about anywhere. It's resistant because the developers assume that it *will* be attacked and they take that very seriously -- beyond adding features.

Well put. After re-reading my post again, I think you've done a better job of putting your thumb on Schneier's argumeent about the pliability of systems that have well designed security. The point, which I guess I didn't really explain well enough, is that a well designed system sags instead of buckles; it softens instead of shatters. Apache tends to sag & soften; IIS tends to buckle & shatter.

No system can ever be completely resistant to catastrophic failure. I think that Godel's incompleteness theorem and Turing's halting problem are, in a way, proofs of this assertion: no matter how well any system is designed, there are always cases that fall out of the design scope, and will cause Interesting Failures.

This can be a depressing insight. You will never have a perfectly safe system. Ever.

You can respond to that in a couple of ways. One is to say "fuck it, we can't win, so why try"? Another way is to say "we can't anticipate what will happen, but we can try to compartmentalize the damage from certain problem classes." You could say that Microsoft has been moving to the second point of view here, but it's taking them an agonizingly long time to get there, while Apache/Linux/etc have long beeen designed from this point of view.

Interestingly, and to go back to Schneier's excellent article again, this sort of thinking also comes up in real world security considerations. Some of our systems are brittle (the airlines), and single failures can have catastrophic results. Other systems tend to be plastic (the power grid), and catastrophic failures are rare -- because single failures are common, expected, and planned for.

This is why I find all the bleating on by the newscasters & politicians that "the power outage was not the result of terrorism." Well of course it wasn't, this isn't the sort of attack that a small malicious party can pull off. Power stations go out all the time, but normally nobody ever notices. Indeed, it is very, very hard to deliberately bring down a power system: NATO spent a month bombing the power grid & computer netwroks in Yugoslavia, but they never managed to do much more than bring a city like Belgrade down for a few hours before power was restored.

If you want to bring down a whole grid, the best way to do it is by plain dumb luck (or an overwhelming lack of luck, depending on your point of view :-). It was a random fluke that caused yesterday's outage, just as it was random flukes that brought down the grid in the last two major outages, in 1977 & 1965. (On the bright side, that suggests that the mean time between power grid failures may be stretching out... :-). (Incidently, the Presidential Report on the 1965 outage makes for fascinating -- and newly relevant -- reading material).

(To get even further off track, this kind of thing is also why Bayesian spam filters are such a good idea: at the micro level, each filter tends to do a fairly good job of being able to classify each user's patterns. But at a macro level, everyone ends up with a unique profile, and spam crafted to circumvent one user's Bay

Scary Vulnerability

[rgmoore]

This strikes me as being a really bad thing:

Windows Update works by adding an entry into the system registry every time it installs a patch. When users log on to the update tool, it scans their registry and offers them list of patches that have not yet been installed. Cooper said that this mechanism was found to be flawed.

"We found that people had got the registry key for the patch, but not the file," he said, explaining that the error could be triggered by a number of reasons -- from an incomplete installation to a lack of system resources.

They're missing a really big flaw, here, which is that this is horribly vulnerable to malicious behavior. There are already plenty of viruses and worms out there that make registry entries for one purpose or another. It seems to me that if you were exploiting a vulnerability for which a patch already existed it would be very easy to automatically modify the registry to make it appear that the patch had already been applied. This would make tracking which systems were vulnerable much, much more difficult. This would work particularly well if you were trying to make a stealth worm.

Re:A moving target is still a target

[blincoln]

This is a garden-variety buffer-overflow exploit of the sort that could just as easily still exist somewhere in Linux.

Active Directory also provides a way to block this type of worm that *ix doesn't. There wasn't time to patch all of our servers during the outbreak, so one of the guys here implemented a group policy that prevents execution of msblast.exe and teekids.exe on any machine on our network. Once they're all patched, the policy can be removed really easily.

Re:I think the windows update botton on the taskba

[Pharmboy]

I installed and ran the Microsoft BSA utility that scans your computer for updates (windowsupdate looks in registry only) per the link above. It found 4 problems that WindowsUpdate can't find, so I followed the links, to read about them.

Problem is, when you click on the link to DOWNLOAD the actual patch for XP, it just redirects you to www.microsoft.com, so even their security tool is useless if you cant get to the files to manually install them. Fucking rediculous.

DOS or real traffic?

[nolife]

I wonder if this "DOS" they claim to be suffering is really too many users actually trying to get updates for once. After all, the code in this virus is not set to DOS MS until the 16th so they can not blame it on that. I doubt they would ever admit to not being able to handle the load. I use MS update at least a few times a day and have been for the last year on various client machines. Sometimes I need 10's of updates from a fresh install, sometimes just a few driver updates or the recently released. I don;t have any specific stats but I have noticed a definate slowing of the update site when the blaster worm was announced and it is getting slower as the days go on, today it took over 5 minutes to get a sound card update that for the previous year, only took 10 seconds. Another time today it took about 60 seconds. DOS causing this? Maybe, but I would guess they are having a hard time providing the update service for everyone and do not want to admit it. I bet hundreds of thousands of people are running the update service for the first time ever and they need a lot of updates. This move of names and connectivity is probably a hidden attempt to get the stuff hosted somewhere else or split up the load more then what they are currently doing and make it appear it is for security reasons. Reading bewteen the lines here but the amount of work involved with name change of this nature is massive compared to the relative ease a virus writer can simply point to the new site. Does MS honestly think a name change will stop a DOS? I doubt it, but it fits into thier FUD compaign of increased security and that they are under attack.

Re:Not really...

[terrymr]

I think given Microsoft's position on Linux that they shoud / would have researched the market to see if the service could be provided by a windows shop before signing a deal with akamai. It looks bad ... almost like saying windows isn't up to the task.

Microsoft's "Security" Record sucks but...

[Eric+Damron]

the Linux community needs to concentrate on not becoming the next big security joke. Okay, it's fun to laugh at Microsoft's pathetic record.... Just a second... Muhahahahahah. I feel better now. But as Linux becomes more and more popular blackhats will put more and more attention into breaking our OS.

We need to all make good design and operational decisions. Bad decisions like the one made by Lindows to run as root be default can lead to Linux having as bad a reputation as Microsoft.

The Linux community is positioned to demonstrate to the world that Linux, not Windows, should be used anywhere that security is an issue. Let's not blow it.

Re:Microsoft's "Security" Record sucks but...

[MicroBerto]

Many people are probably thinking about the kernel, but those guys are doing a relatively good job.

What we really can't overlook are the popular distributions. They can't be putting in ridiculous defaults at startup. They shouldn't use too much beta software that's going to be running a lot. They need to keep pushing updates, and make it easy. And for the most part, I think we're doing pretty good. Learn from Microsoft's mistakes while you laugh at them.

Re:I think the windows update botton on the taskba

[Pharmboy]

they obviously don't trust their own users to keep their systems patched and/or behing firewalls

I'm an XP user (among other os's) and I don't trust the average Windows user either. Not ragging, just a fact. My mom is one of them.

My brother and I were joking around because mom asked him what she should do about "that new virus" (blaster). She asked him if unplugging the computer was enough, or if she needed to do more. I told him he should have told her to put the box in the refrigerator because everyone knows that viruses and germs won't grow when they are kept that cold. Yea, I know, slightly cruel, but I'm telling ya, she just MIGHT have done it if we could have kept from laughing.

So its not an insult to Windows users, its just a fact: Most are interested in doing stuff with their computers and expect them to be like a toaster, just plug it in and never think about it again.

Ironically, I bought my 67 year old mom the computer last christmas, she uses it every day, and she WAS smart enough to ask someone about it, more than I can say about a few /.ers , hehehe.

Microsoft != reliable

[Thud457]

"Actually, there are rumors that safety systems that would have prevented such widespread failure were running on Windows and were down because of blaster. "

If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, - or maybe minor power failures happen frequently and were just prevented from spreading?

Who the fuck runs mission-critical systems on Windows?!! HOMER SIMPSON?!!!

Re:Microsoft != reliable

[pyros]

yes ... yes ... yes ... .. y ... <hmmmm> y ...

<stupid filler to avoid the fscking retarded lameness filter>

Re:Microsoft != reliable

[pyros]

redundant!? Guess I should have quoted the bit I was responding to (who runs windows on ...? HOMER SIMPSON ) The yes over and over being a reference to him running his mission critical system, where he just typed yes all day, until he figured out he could just hit y, until he set up that toy bird which leans forward and stands back up over and over. Man, I can't believe I had to explain that one.

Re:What did they do?

[golgotha007]

why would i want to help allievate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!

Holy Misinformation Batman!

[kevlar]

WindowsUpdate.com did not, I REPEAT: DID NOT EVER Run Linux. The scan from Netcraft only shows that during a particular scan the DNS resolved to Akamai's web caching servers. So Puh-LEASE don't try to start misinformed rumors.

Linux AkamaiGHost 15-Aug-2003 213.161.82.37 Akamai

Military Definitions of "Secured"...

[Speare]

Reminds me of the old military joke,

• The reason the Air Force, Army, Navy and Marines bicker amongst themselves is that they don't speak the same language. For instance, take the simple phrase
• "secure the building".

  The Army will post guards around the place.

  The Navy will turn out the lights and lock the doors.

  The Marines will kill everybody inside and set up a headquarters

  The Air Force will take out a 5 year lease with an option to buy.

Disk Operating System

[Tired_Blood]

While Windows was getting all the attention from their common creator Microsoft, DOS has secretly been waiting for its opportunity to strike at both.

From the infoworld article:
The company is cooperating with federal law enforcement officials to investigate the attack, which is the second successful DOS attack against Microsoft.com this month.

Two successful DOS attacks this month. And what a sense of irony: revolt against the creator by manipulating "the favorite" to do its bidding.

What's so hard about using a lower-case 'o'?

Re:Power outage related to Microsoft

[Judg3]

I don't think blaster caused the power outages or disabled the systems - have you read about the state of the US powergrid as a whole? It's horrendous!
I was watching the discovery channel (or History channel, one of those) and they talked about that large blackout that occured back in NYC in 1977.

The power grid protection system itself is what caused the black out. One substation sees it's getting a huge surge of excess power, can't handle it, and shuts down. This passes this huge surge to the next station, which also shuts itself down to protect itself. It's a huge chain reaction of power surge seen my a substation, substation shuts down to protect itself, surge passes on to next station, etc etc.

The show was about terrorism in the US and how unprotected we are - and it really gets you thinking. If some jackass in Ottawa can plug in their hairblower and toast the power to seberal major metropolitan areas, imagine what a well thought out organized terrorist could do.
Personally, I think we should some new nuclear power plants. 66 reactors provide 769 billion kWh, or about 20% of the total power produced in the US (2001 figures). These plants are old, the newest ones going all the way back to the early 80s, with no new orders for nuclear units since 77.
The US is relying less on its hydroelectric, nuclear and coal plants and building more "peak use" and "daytime" generators, huge gas turbines that are only turned on when there's a peak demand or only on normal business hours, say 9-5.

Why? It's not any more efficient, in fact these giant gas turbines tend to use more fuel then coal systems to produce nowhere near the same power. It's all about asthetics. No one wants a power plant near them, but everyone wants power. So they build these peak use and daytime plants - low output systems that take up almost no room and dont have the usual huge smoke stacks, etc your used to seeing with plants.

I personally wish the US would update it's power infrastructure, and I'd be willing to pay for it. Retire old, inefficient nuclear plants and build new, more powerful, safer ones. Add in more redundancy into the network, more real-time failovers.
They are modernizing it, don't get me wrong, but they aren't going at near the pace I'd like to see.

(Probably kiss my karma goodbye now, oh well. The power grid is something no one cares about or wants to put money into unless something goes wrong - then we all conveinently forget about what happened when theres a bill up to repair and update it at the cost of a couple bucks a week in taxes)

Re:Power outage related to Microsoft

[spectecjr]

If those rumors are true, then the worm didn't cause the power failures, it just disabled the systems that would have prevented them. That this happened at around the same time is just a coincidence, - or maybe minor power failures happen frequently and were just prevented from spreading?

Take it from someone who's soon-to-be-parents-in-law are up to their necks in the power + safety industry ... no, they don't run Windows.

Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment. Windows explicitly states that it's not for use in such an enviornment.

Simon

No third party distribution of patches

Notably, Microsoft refused to give permission to ISPs to burn CD's or make floppies with the Blaster patch on them. I heard of one outfit that had their lawyer contact MSFT to make sure that they were kosher before giving them to customers. Microsoft refused. As it turns out, stating that the users could easily download the patches directly, even if they had the shutdown bug and were dialing in to download a 1.2 MB patch.

I have no sympathy for MSFT getting DOS-ed. The fuckers deserve it, and they were hoist by their own petard. Sure, there is some nitwit out there that acted on as explout that was known for at least a month, but WTF? What is the problem with letting ISPs distribute the patch to fix this thing?

The ISPs are burning time and support lines over it, bandwidth is getting hosed by the packets on the affected ports, filtering ports helps (but doesn't eliminate the problem). Essentially, third-party companies (ISPs) asked for permission to help put out this fire, and Microsoft gave them a big "fuck you" and I am somewhat gratified by the whole thing.

Fuck you, Microsoft. Here's hoping you get more of the same.

I might post the emails discussing the attempt to get authority to help spread the patches somewhere, but I'm not anxious to cause a slashdotting of my own weenie ISP's servers.

Re:Power outage related to Microsoft

[Cromac]

I personally wish the US would update it's power infrastructure, and I'd be willing to pay for it.

Just send that personal check for several hundred billion dollars to:

U.S. Department of Energy
1000 Independence Ave., SW
Washington, DC 20585

Microsoft hosed their own update service!

[KE1LR]

Microsoft has a free tool called " SUS " which is a localized version of Windows Update - you run it on a W2K server in your enterprise and then redirect your clients to get their automagic updates from the local server instead of going to MS directly.

The SUS server is supposed to synchronize itself (manually or automatically) with Microsoft's servers to get the latest updates, and you get a chance to approve them for distribution to clients. Not a bad idea, and it seems to work OK.

However, the URL that's coded into SUS to synchronize with updates is -- wait for it -- a windowsupdate.com URL!

Error Message:
"Failed to download from URL 'http://www.msus.windowsupdate.com/msus/v1/aucatal og1.cab'. (Error 0x80072EFD: Unable to connect to the server.)"

Anyone using SUS to update their client machines is now stuck with their current update set until Microsoft sets up a new site to sync with and documents how to change the URL that SUS uses to whatever one they come up with.

Lame.

Re:Power outage related to Microsoft

[FreeUser]

Take it from someone who's soon-to-be-parents-in-law are up to their necks in the power + safety industry ... no, they don't run Windows.

Control frontends and GUIs may run Windows. They may also run Java apps. The back-end is ALL Unix (and specifically NOT Linux), because there are very few OS vendors who will certify and indemnify the use of their OS in that kind of safety critical environment.

Ah.

SCO UNIX.

No wonder.

(*duck*)

Re:Power outage related to Microsoft

[harley_frog]

I personally wish the US would update it's power infrastructure, and I'd be willing to pay for it. Retire old, inefficient nuclear plants and build new, more powerful, safer ones. Add in more redundancy into the network, more real-time failovers. They are modernizing it, don't get me wrong, but they aren't going at near the pace I'd like to see.

Interestingly enough, Bush says that the nation's power grid needs to be updated, but doesn't know how or how much it will cost. Hmmm, I wonder if these means replacing the hampsters with ferrets?

Re:Power outage related to Microsoft

[Cyclometh]

No need- end our little war in Iraq and we'll free up the funds needed. I read yesterday that the cost of the war in and occupation of Iraq will cost over $600 billion dollars.

Just close up the operation a little early and divert those funds.

Nah, never happen. Preemptive wars and years-long occupations of nations that are of dubious (at best) threat to US interests are more important than making sure your lights stay on.

Re:Power outage related to Microsoft

[Wingnut64]

"Is there any way this 'DoS' can be stopped?"
"Impossibly, there's too many compromised machines. You'd need to turn off every computer on the East Coast..."

Prepare to pay thru the colon

[Archfeld]

Here in CA you have to fund the switch which allows you to feed from your supply to the lines, even if you don't EVER want to feed back, PG&E got some help in the legislation, this run s around 10K minimal. The CA government in its infinite wisdom also institutied a Farking tax on power feedback, in order to offset the cost of people leaving the system while it is so deep in financial trouble, so now even if you DON'T USE the power grid, you are required to pay a tax on the approx. amount you would use....Our rural neighborhood association just went through the governmental hoops to get this working...what a friggin nightmare.... Unless you have several hundred potential users, there is no way this is financially feasible thanks to our friends in government, always out to protect corporate interests at the expense of taxpayers freedom and choice.....

Re:I think the windows update botton on the taskba

[subsolar2]

Going to 'tools, windows update' in internet explorer takes you to a redir site on microsoft.com, which attempts to forward you to windowsupdate.com NOT windowsupdate.microsoft.com .. even still (~3PM EST). you'd think they'd at least fix that if they were fuckin with the dns..

You may not know this, but when you change an entry in DNS, it is not available to everyone for a while. This is due to caching (all ISP DNS servers are caching servers, of course). For instance, the AOL servers may have gotten the ip for the domain at 8am, and if it doesnt expire for

You may not know this, but you are incorrect ... the redirection has nothing to do with DNS dns enteries propagating and everything to do with MS's web site/server. It's redirecting to the old URL and not the new one.

-1 Overrated for that on a +5 post

Uhhhh, No

[DesScorp]

"why would i want to help allievate the situation? hell, i get to have all my computers attack microsoft for free! and legally! wohoo! sick 'em!"

I know (think) you're joking, but while we can moan all we want about how Microsoft should design software that's more secure, we can't do anything about existing systems. And windowsupdate was the fastest, easiest way for the non-tech public to protect and repair themselves. Those of you out there that view this impending attack and the shutting down of windowsupdate as a good thing are very shortsighted.

Maybe you don't give a shit about all of those other users out there that use Windows. Maybe you're happy this is happening. Fine. But rest assured, it's not going to cause people to rebel against Microsoft, like many of you are hoping. There will be no enlightenment and mass exodus to Linux or BSD or OSX. This is going to get blaimed on "hackers". And we all know hackers hate God, hate America, root for Saddam, get pentagram tattoos on their foreheads....and use Linux. Pretty soon it'll be "yeah, I saw those Linux guys bragging on slashdot.org that they took windowsupdate down!"

IBM's reps will be going "yeah, thanks heaps for the positive image, slashdotters.........fuckers".

Make fun of people that run Windows all you want, but don't assist in, or support the disabling of one of their few effective means of defense.

Everybody is missing the point

[grozzie2]

I think everybody is missing the point on this whole issue. Fact :- Blaster is a worm, who's payload was intended to dos windowsupdate.com, rendering it unavailable to the folks using it. Fact :- windowsupdate.com is 100% unavailable. Conclusion :- Blaster is the most successful virus/trojan to date. It didn't just cause a few hours of unavailability, it wiped the domain from existence. Not just any domain, but a prominent microsoft domain (high profile, big budget website) totally obliterated off the internet. Folks can say what they want, and argue about the politics of it all, bicker about who is responsible to update what, and whatever, but you cannot deny the facts. Blaster is head and shoulders above the crowd as a denial of service worm, the first to achieve a 100% success even prior to actually triggering. Say what you want folks, but this has got to go down in history as the most successful worm ever.