Slashdot Mirror


Stop Christmas-Gift PCs From Feeding Worms

An Anonymous Reader writes "If you recently set up a new PC with Windows XP, or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected, in particular if you have to connect it to the Internet to download all the patches. Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T: Thanks to reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T: Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.

"With many screen shots, it will walk you through the procedure to enable the XP firewall and download the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that it's probably too late now to start downloading your favorite Linux distro."

But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)

18 of 416 comments

  1. Chicken and the egg by Space cowboy · · Score: 4, Insightful

    It's a classic catch-22 when you need to download the patches, but the act of downloading them makes you vulnerable ... I have just bought my parents a new PC (with XP, they're not up to Linux just yet ...) and I never thought twice about doing the windows-update thing... OTOH, they are behind a decent firewall (that does run Linux :-) so the risk is pretty minimal.

    Perhaps all these DSL/WiFi combo boxes will be a blessing in disguise because they all come with a firewall (on by default, with Cisco's Linksys ones :-)

    Simon

    --
    Physicists get Hadrons!
  2. I feel for the home user... by aml666 · · Score: 5, Insightful

    My systems are behind a Hardware Proxy and a software firewall. I feel safe and have not been compromised... yet.

    Those poor home users who are not technically savvy are pretty screwed. They won't be able to figure out *nix and don't want to pay the bucks for Apple.

    Microsoft should offer (no not MSN) a method for new Windows machines to dial direct for patches before connecting to the Internet.

    This method should be overridable for the safer crowd.

    --
    www.thejulingtoncreekplantaion.com
    1. Re:I feel for the home user... by subtillus · · Score: 2, Insightful

      the big bucks for apple?
      what are you retarded or something?
      Taken two minutes ago from apple and dell:

      Apple emac 800 $USD shipping included
      Dell dimension 2400: 771$USD shipping included

      My brand new ibookG4 cost 1350, Canadian (with edu discount).

      That's like, what, 7 bucks american?!?

  3. Re:Need for Microsoft patch CD by placeclicker · · Score: 3, Insightful

    Or, they should let you boot your system without all those exploitable services that are turned on by default (rpc, messenger, etc.)

    --

    Browse at -1, because trolls are often the most creative part of /.
  4. The Easy Way by Jaysyn · · Score: 2, Insightful

    Or you can just do what I did & get your Mom an iMac....

    Jaysyn

    --
    There is a war going on for your mind.
  5. [Somewhat OT] "Not up to linux yet" by oneiros27 · · Score: 2, Insightful

    Odds are, your parents never will be. The only way you'll get the majority of the population to linux is to bring linux down to them.

    c'mon, we live in a society where people can't figure out how to set the time on a VCR. You think they're going to take the time to 'learn' an OS? Most people are happy with a 4 year old system that lets them check their e-mail, save the pictures people send them, view web pages, and maybe word processing and a spreadsheet.

    Now, to keep this from being completely off topic -- you're probably doing more harm than good by putting them behind a home brew firewall, unless you're going to be keeping it updated for them. I'd recommend for general consumer use sticking with ZoneAlarm, along with AdAware and some virus protection software, and maybe some anti-spam service.

    --
    Build it, and they will come^Hplain.
  6. Re:You "unix" guys really oughtta setup a firewall by Anonymous Coward · · Score: 1, Insightful

    Because someone brought in a laptop that was infected? Firewalls don't help a lot when the attacks are internal.

  7. Re:First day? by Anonymous Coward · · Score: 1, Insightful

    Boy, something about this just doesn't ring true!

    Within ten minutes, the traffic sniffers the security team has up were getting alarms caused by the machines we had set up and their ports got blackholed in about 15 minutes. One of the machines was already being used as a spam relay, the rest all had whatever viruses are still floating around.

    So your security team was savvy enough to have sniffers for strange traffic but didn't have a firewall secure enough to prevent the machines from getting compromised in the first 10 minutes?

    Do you have any more details on what they were compromised with? and how?

  8. Re:The long-life of the Blaster worm is the ISPs f by pigscanfly.ca · · Score: 4, Insightful

    Your ISP shouldn't have to filter out random ports because someone somewhere wrote some crap software which is now easily exploitable over those ports.
    The fault is all the users who didn't patch their systems.
    I don't know about you but when my ISP starts port filtering I get pissed off, that's my decision to make, not theirs (stupid monkeys blocked off port 20 through 25. I had to run ssh on a different port!)

  9. patching xp by agwis · · Score: 2, Insightful

    I finally had to give in and purchase a new computer with xp. 2 things that frustrated me right off the bat were the fact that this new computer was way behind on patches, secondly...just how big the patches were I had to download. Even though I'm on highspeed dsl it still took a good 15-20 minutes to download and install all critical updates.

    I can just imagine how inexperienced people getting new computers for Christmas will feel, especially on dial up connections. When you're excited about a new machine, who wants to spend the first couple of hours just trying to secure the machine before you can even browse to your first website?!

    Vendors should be forced to ensure that any computers they sell are already up to date. While we're at it, Microsoft should be forced to ensure that their products aren't so insecure before sales either :)

  10. The Best Christmas Present by teamhasnoi · · Score: 5, Insightful

    You can give someone is a Mac. Mom got one a while ago, and I have made two troubleshooting calls. One was due to my Dyn-dns client I had installed to reach the box (the mac hadn't been on for about a month), and the other was when I got an email saying, "I can't send email". Classic.

    Compare that to a godawful dialup VNC session on a home shopping network XP box where I needed to fix blaster and the person didn't know how to get to system settings.

    I sold a mac that day with "Guess what, buy a mac and you will never have to deal with this again."

    (and I won't either, to myself) That's why it is the best Christmas present you can give yourself, if you are the designated "computer-guy". Not having to deal with other people's XP is worth its weight in Half-Life Gold, Al Franken, and Myth II: Soulblighter.

  11. Re:Not up to Windows yet? by Anonymous Coward · · Score: 1, Insightful

    If linux is set up right then it is much easier to use than Windows. No I am not suggesting that you install Linux on an older person's machine and let them loose but then I don't really suggest that you do that with Windows either.

    And I'm still scratching my head as to what you are suggesting. As a happy Linux user, I have more than my fair share of MS Windows users running around asking me to help them with this, and set up that. Most /.ers have played the role of family/friend's computer geek. So this is nothing new.

    In the beginning I was tempted to convert them all over to Linux. Now some of the more zealous are probably still thinking this is the best solution, but the sad truth is, Linux isn't compatible with the Microsoft Internet that they want to see. Their friends send them *.exe, *.scr, and *.wmv attachments that they want to run, and you just can't do that from Linux. (OK, theoretically, you can, but it takes a lot of customizing that no one has enough time & money for.)

    If you give them the gift of Linux, you will soon get non-stop whining, followed by the ungrateful cretin in question running out to some department store where they'll purchase a new PC with Windows XP Pro and a service contract. Then they'll brag about how nice their computer runs, and they'll brag about how the customer support is always available to them, and they'll even brag about how nifty AOL is, and they'll ask if you've ever tried AOL, or any of the other questions that will make a seasoned computer user's flesh crawl. ("Have you ever played that `sling-o'? That's just the funnest game!")

    But they won't ask for *your* help again. You just get to stand on the sidelines and watch the approaching train wreck.

    Come to think of it... That sounds like fun! Damn... Why did I agree to install Windows on my brother's computer again?! Why?!

  12. Roblimo fud by greygent · · Score: 3, Insightful

    I'll probably be marked as a troll for this, but Roblimo is just wrong wrong wrong.

    Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.[link to article]

    Right, until his daughter/granny buys a webcam from the store and wants to hook it up and use it, etc. Or she wants to use x program that only runs on Windows. Grannies and relatives buy lots of this stuff off shelves at the store. The Sims, nearly any other quality game on the planet? Probably isn't going to run on Linux, is it?

    She does websites for pay... what happens when she decides she needs something like Dreamweaver, or Frontpage (gag, but a lot of people still use it) or Photoshop, in those rare cases when the (superior, IMHO) The Gimp won't fulfill her needs?

    Sure, you could use VMWare or some other such deal, but then you'll require a copy of Windows and you'll have spent more time and money than if you had just put Windows on the machine in the first place.

    What a load of narrow-minded horseshit, Roblimo. Your job as a self-appointed Linux advocate should be telling it to the people straight, and you aren't. They'll listen to you and get burned, and won't trust you or any other Linux person, next time.

  13. Re:Here on the Hell Desk... by the_argent · · Score: 2, Insightful

    It may seem wrong to you personally, but it *is* outside the scope of your job. You are a help desk to get people connected to the internet, not their personal windows guru. If they want windows help, let them call the PC manufacturer.
    If we use a car idea model, that would be the difference between calling the DMV/BMV to ask how to change your oil, or have them explain why it's important to do so.

  14. Linux for Roblimo's Stepdaughters? by Lord Kano · · Score: 4, Insightful

    I understand wanting to advocate alternatives at all times, but come on now Rob.

    There is no way in HELL that I'd consider giving a linux machine to a friend or relative who is light on technical ability.

    I am already on call to fix the computers of my friends and family, my girlfriend, my girlfriend's best friend, my girlfriend's sister, and my girlfriend's sister's girlfriend.

    I'd easily double the amount of free support that I'd have to give if I gave someone a linux machine. Even if most of the calls ended up being "No, I can't help you install 'Barbie goes to the beach' because the version that you have is for Windows", that is still crap that I don't want to deal with.

    I'd rather burn a disk with Ad Aware and Spybot Search & Destroy and give it to people than to have to educate people on a system that they know nothing about.

    So many people these days don't know a thing about DOS, so how can you expect them to take the time to learn bash? More times than I would like to remember, I had to use the console to fix a problem on one of my linux machines that just couldn't be done through X. Sometimes the problem was that I couldn't launch X.

    Windows is the devil that most people know. As awful as the security is, as awful as Microsoft's business practices are, Windows is the top dog and most mundanes don't care about anything but being able to check the weather, get email, bring up a few web pages, and play some games. For most people, that is easier to do with Windows.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  15. lamest secure install guide ever by mgoodman · · Score: 2, Insightful

    if the author of that guide seriously thinks that only enabling TCP/IP and activating microsoft's crappy internet connection firewall is going to protect your computer from malicious packets after connecting to the network, he's got another thing coming.

    sure, that methodology is easy and at the very least will help, but it certainly won't ensure security.

    at the very least he could say that if you have a good hardware or software firewall that you should install that before connecting to the network.

    still, the safest way is to simply use a secured machine (i.e. linux) to download the MS patches and burn them to a CD, then install them from the CD.

    my 2 cents.

    --
    01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
  16. Re:Easy Alternative by The Infamous Grimace · · Score: 3, Insightful

    "...Mods - mod as troll all you want. I am not trolling, though - these are the facts. Windows really sucks..."

    Why do people make statements such as this? We all know that mods can be biased, the system is imperfect, and karma really doesn't matter. What does matter is having the ability to state one's opinions/beliefs and being able to defend them.

    (tig)

    --
    Ignorance and prejudice and fear
    Walk hand in hand
  17. Re:Easy by stephenbooth · · Score: 2, Insightful

    XP firewall still leaves a large number of exploitable ports open, like much of Microsoft's product range it operates on the basis of closing the stable door after the horse has bolted (i.e. fix the problem after it has already caused a problem rather than trying to anticipate problems and fix them before they go wild). ZoneAlarm Pro (the paid-for version) does have an antivirus function but it is true that the basic package does not detect viruses, neither will XP firewall. It will however block those that propagate through RPC and similar processes rather than email.

    Combining ZoneAlarm with a decent antivirus package (I use Sophos because I can get it for free through work, we have an enterprise license which basically says that every employee who has a licensed copy on their work PC is entitled to also have it on their home PC) and switching from IE and Outlook Express to Mozilla gives probably about as secure an XP system as you can get and still have it connected to the internet.

    Running a dedicated hardware firewall might be more secure but I suspect that is beyond most non-techie home users and harder for their techie friends to sell them on than just setting up their PC with ZoneAlarm and Mozilla then giving them a quick intro to the internet.

    Stephen

    --
    "Don't write down to your readers, the only people less intelligent than you can't read" - Sign on Newspaper Office Wall