Slashdot Mirror
Stop Christmas-Gift PCs From Feeding Worms
An Anonymous Reader writes "If you recently set up a new PC with Windows XP,
or if you had the pleasure to do a 'reinstall from scratch,' you probably found that many XP systems as they are shipped today are not patched against common issues like Blaster. Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches.
Well, help is in sight. The SANS Institute released a paper entitled Windows XP: Surviving the First Day." (Read on below.) Update: 12/24 17:59 GMT by T : Thanks for reader Bill Curnow for the updated link. Update: 12/24 19:15 GMT by T : Besides the workaround suggested below, Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.
"With many screen shots, it will walk you through the procedure to enable the XP firewall and downloading the patches without getting infected while doing so. This could be the (free) stocking stuffer that may save Christmas for your folks ;-). Given that its probably to late now to start downloading your favorite Linux distro."
But if you do have the time and bandwidth, and you're stuck on Windows, a nice live-CD distro like Knoppix or Mepis means you can download patches without racing the worms, and install your patches while offline. (And if you have time to download 50MB, you have time to grab Damn Small Linux.)
Check those links, people.
Click Start > Network and Dial up connections
Right click on your internet connection, choose "Properties"
Click "Advanced"
Click the box to turn on the firewall
Voila. You are safe from Blaster.
As an added precaution, deselect "Client for Microsoft Networks" from all interfaces except any you really need it on.
Our Server: Surviving the Slashdotting
Sig (appended to the end of comments you post, 120 chars)
Try this instead.
http://www.sans.org/rr/papers/index.php?id=1298
There's been a lot of "Slashdot posts ever anti-Windows article that exists", but this article debunks that.
I usually recommend a hardware firewall, in particular the little blue Linksys firewalls. Home users can hook up their ADSL connection, plug in the firewall, and then their PC. Then as long as they don't download email until their system is patched and anti-virus is updated, they're relatively safe from most malware.
This year I've also begun recommending anti-spyware as well. It's amazing how ubiquitous that stuff's become over the past year.
Ruby on Rails Screencast
I figure if you're reading this on slashdot you don't need screenshots to find your way around a monitor...
Obviously, this should be done before you plug the machine into any kind of internet connection.
-Go to Start and then Control Panel.
-Once in Control Panel, choose Network Connections
-Right click on your connection of choice (if there's more than one, do it for all of them) and choose Properties.
-Go to the advanced tab and check the Firewall check box.
If you want to know more about how to configure it and modify the settings, click the link below that checkbox for directions.
-
Click Start > Network and Dial up connections Right click on your internet connection, choose "DISABLE" Voila! The proper config for any Windows Box!
I had just plugged my joystick into the USB port when it started wildly moving in my hand! Worms infected it I swear!
It's a classic catch-22 when you need to download the patches, but the act of downloading them makes you vulnerable ... I have just bought my parents a new PC (with XP, they're not up to Linux just yet ...) and I never thought twice about doing the windows-update thing... OTOH, they are behind a decent firewall (that does run Linux :-) so the risk is pretty minimal.
:-)
Perhaps all these DSL/WiFi combo boxes will be a blessing in disguise because they all come with a firewall (on by default, with Cisco's Linksys ones
Simon
Physicists get Hadrons!
xpsurvivalguide.pdf
Some might argue that WinXP comes with the Best Before date already expired, but there's a lot of CDs for many OSs out there with "open security". (The main problem with standard XP is the stupid requirement to phone home to register before downloading the patches to make it safe to be on the net in the first place.)
One line blog. I hear that they're called Twitters now.
People should return non-patched systems that are shipped from the manufacturer, and return systems where the install CDs don't put them to the same patch level they are shipped with.
while this isn't a cure-all solution to the patch mania that is necessary, but will go a long way to help bring up the baseline security of all these end-user hosts on the internet.
Try first ten minutes.
Due to some oddities in the purchasing orders for new hardware this year, it ended up that some of us unix guys were tasked with hauling new windows boxes around the workplace for people. We weren't expected to set them up, just unpack, plug em in, and turn em on. Ignorant of how vulnerable windows boxen are, we did just that, doing the silly clicky crap that any OEM relase makes you do, and walked off.
Within ten minutes, the traffic sniffers the security team has up were getting alarms caused by the machines we had set up and their ports got blackholed in about 15 minutes. One of the machines was already being used as a spam relay, the rest all had whatever viruses are still floating around.
Was quite an eye opener, I'd thought those viruses were over and done with and weren't a cause for concern anymore. Made me wonder how much bandwidth is being wasted that we don't even acknowledge. Spam is easy because it generates email.. but there's this underlying background noise sucking up bandwidth that you don't even see.
Course us "unix guys" had a good laugh over it, patting ourselves on the back in true bigot fashion over how secure unices are. But later that afternoon the nfs server that serves our home directories puked it's guts up so it put us in our place pretty quick.
My systems are behind a Hardware Proxy and a software firewall. I feel safe and have not been compromised... yet.
Those poor home users who are not technically savvy are pretty screwed. They won't be able to figure out *nix and don't want to pay the bucks for Apple.
Microsoft should offer (no not MSN) a method for new Windows machines to dial direct for patches before connecting to the Internet.
This method should be over ridable for the safer crowd.
www.thejulingtoncreekplantaion.com
click start -> shutdown
Gyrate Dot Org - "Where high-tech meets low-life"
We received a couple of new machines from Dell last week. They were missing just a few patches... actually a few *months* worth of patches. Inexcusable on the vendor's part- how hard is it for them to keep their base install/image up to date??? I had a CD ready to go with the relevant patches etc. & got all of the critical stuff installed before ever connecting to the internet. No wonder that so many home machines are unpatched, people incorrectly (but justifiably) assume that the new PC they just purchased will be reasonablt current as far as security patches goes. That and getting the plethora of XP patches, service packs etc. over a dial-up is very nearly impossible...
No, the proper technique is called a "reach around". You reach around behind the box, unplug the network cable or phone line (I caught a worm over dialup once, that was the most hilarious thing ever), and consider yourself lucky.
Or you can just do what I did & get your Mom an iMac....
Jaysyn
There is a war going on for your mind.
Just get a mac and be done with it.
I am the Alpha and the Omega-3
I was recently called upon to fix the neighbor's pc (No, I will not fix your computer). His brother "who does computers for a living" had recently installed XP, no service packs, not hotfixes, and Norton AntiVirus with defs from December of 2000. They wanted to know why their pc wasn't working. And we wonder why all of our tech support is getting outsourced to India...
i get lots of help calls from friends, ralatives, etc. i honestly answer that i can't help them with XP problems. i haven't used windows since 98. i do it nicely, and don't try to be mean, but i expalin that i use linux, and os x, and that i don't know to solve their problem. when they ask about viruses, i explain that i don't have that problem. just say no , and do it politely. if you help them, you are really just perpetuating the problem. and if they persist, at least bring them a cd with OO.org, ,mozilla, and a few other open source goodies. besides, with all the probelms you'll try to solve, you remember once again why it is that you don't use windows!!
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
I believe that we should start trying to make Linux CDs available for checkout at the local public library.
No enough people have the broadband or fast enough download capabilities to handle file sets that above a few megabytes.
Having the inexpensive CD-R sets available for checkout at the local public library would go a long way to solving the distribution problem of the general public.
Plus the local Linux group could keep the circulating distributions current and the latest patches available.
I think that there was a discussion about this on Slashdot recently, but I don't recall.
You can slipstream all the patches for XP and install from that.
I would hope even the geeks are giving it a rest on xmas eve. Is anyone really going to start patching computers today? Ahh, hell I'm busted. I'm posting on slashdot arn't I? Anyway, I'll try that DamSmallLinux, thanks for the gift!
Odds are, your parents never will be. The only way you'll get the majority of the population to linux is to bring linux down to them.
c'mon, we live in a society where people can't figure out how to set the time on a VCR. You think they're going to take the time to 'learn' an OS? Most people are happy with a 4 year old system that lets them check their e-mail, save the pictures people send them, view web pages, and maybe word processing and a spreadsheet.
Now, to keep this from being completely off topic -- you're probably doing more harm than good by putting them behind a home brew firewall, unless you're going to be keeping it updated for them. I'd recommend for general consumer use sticking with ZoneAlarm, along with AdAware and some virus protection software, and maybe some anti-spam service.
Build it, and they will come^Hplain.
My gf's sister got a Dell PC, which normally I'm against but got it for a hell of a deal ($480 CDN) for a decent p4 2.6ghz machine including 17" monitor, and as I'm setting it up, keeping it offline till I can apply the trusy blaster patch, it was already there! :)
I recentally had to install xp from scratch (because my roomate downloaded some virus). After I get xp running again, and get all my programs installed again. I went and bought Nortin Anti-Virus. After the first scan a few hours after I re-insalled everything I already had the blaster worm and some other type of worm! I guess that is what I get for not installing the patches the moment I install xp...
When your only link to the internet runs at 19kBps or less due to telephone line noise, you're paying for the internet telephone call by the second, and you are given a PDF file which turns out to be 1.4Megabytes in size, the first thing I do is hit the cancel button and forget it. Can you summarise the conclusions or does anyone have a small ASCII version of the file please?
Scroogle
Steve B and Bill G install a new Windows PC, without any help, or special privileges, or special help lines.
Now, that is what I call a reality show.
Because someone brought in a laptop that was infeceted? Firewalls don't help a lot when the attacks are internal.
Microsoft agree:m ?storyID =3541058&thesection=technology&thesubsection=gener al
http://www.nzherald.co.nz/storydisplay.cf
Using Knoppix and Mozilla, I am getting all the patches from here: TechNet.
I mean, really. All an ISP (or corporate network admin) needs to do to stop Blaster is block incoming/outgoing NetBIOS ports on their main connection to the internet. It's not hard. And no one should be using them anyway. I'm surprised that all the routers and firewalls sold aren't blocking these ports by default. They really should. It would save THE WORLD so much hassle.
I have a friend who primarily uses his PC to surf for porn and download music, and does all that on a unfirewalled cable modem connection. So naturally, every now and then someone fucks his box up. At which point in time I get my ass over to his house, format the drive, and reinstall everything from scratch.
Then one day he asks me why this never(or rather very rarely) happens to me. At which point I came to a realization that I theoreticaly could lock his box down as much as I locked my windows box down(behind firewall, most services disabled, don't use IE, etc.) but then I'd end up spending a whole lot more time in his house unlocking ad installing things that he's probably going to need at one point or another(Flash, configuring ports for e-donkey, etc.)
Which brings me to a conclusion: If you're giving this PC as a gift to someone who's not as technicaly advanced as you are, don't even bother securing it unless they intend to keep some important info on it. You will be called upon anyway, most likely to reinstall it because someone sent them a screen saver that formated the C drive.
I do DSL tech support for a large telco with a three letter name starting with "S" and ending with "C" and I have to bite my lip every time these poor, dumb people call in connecting their brand new Dells and Compaqs to the DSL with no firewall and not a clue as to what Windows Update is and why they need it. The reason I bite my lip is that Windows Update and firewalls are outside my scope of support and I was already told by my team lead not to waste time helping people with that stuff. Even worse, offical training tells us to leave the Windows firewall off when configuring a PPPoE connection - I am not making that up!
It's sad and irresponsible to let these people wander onto the Internet with their unprotected Windows computers like dogs wandering onto the freeway.
If Microsoft could reduce the size of patches then they could create a tool that creates a list of downloads required. This list could be placed on a USB memory card, then another tool could be used on a PC with all the patches installed (and a net connection). This tool would download all the patches onto the memory card. The patches could then be installed on the new PC, which could then be connected to the net safely.
I installed XP SP1 today, and the first thing I did after rebooting was to intsall the security patches, then Norton AV. As soon as Norton AV was installed I started getting warnings about welchia. I ran the Welchia removal tool, and then installed ZoneAlarm. Since I won't have much time to work on the machine before getting out of here for the day (and year for that matter,) I've just turned the machine off, just to be safe.
-- Charles A. Plater
It took me five tries to get the PDF, so here is a mirror if anyone needs it.
xpsurvivalguide.pdf
I'll forgive you for not having read the chkdsking article (it was a bad link at the time), but what you mentioned was one of the steps listed in the article, as was the "reach around" that B3ryllium mentioned.
That's all well and good.. but how do you survive (suffer?) Windows XP after the first day? ;)
A friend of my Dad gave him XP Pro as a gift a month ago. He installed it then connected to the net. It took 4 minutes until he was hit by blaster.
He finally had to resort to getting the guy that gave him XP to make a CD up of the patches so he could actually use XP on the net.
Personally I just have to say thanks to my linux firewall.
Given that these worms are still going strong, it doesn't take long for a new system to be infected. In particular, if you have to connect it to the Internet to download all the patches.
Just uhh... use a router/firewall. Problem solved
They give away printers these days, why not just give each customer a free single port firewall...
And a cdR with the latest Service Pack/Security Patches.. ( and make it auto-run for the newbees )
What would that cost a vendor.. 10 bucks tops?
---- Booth was a patriot ----
Most worms are either email, script faults or RPC/fileshare.
So don't read email, visit non-update sites or open your ports below say 1000 to the outside world.
Wow I'm a fucking genius. Since most homes have multiple computers anyways you will want a cheapo 100$ router anyways.
Praise me!
Someday, I'll have a real sig.
Happy holidays, everyone.
Ph-nglui mglw'nafh Gates M'dna wgah'nagl fhtagn.
Your ISP shouldnt have to filter out random ports because someone somewhere wrote some crap software which is now easily explotaible over those ports . .
The fault is all the users who didnt patch there systems
I dont know about you but when my ISP starts port filtering I get pissed off , that my decision to make not theres (stupid monkies blocked of port 20 through 25 . I had to run ssh on a different port!)
I finally had to give in and purchase a new computer with xp. 2 things that frustrated me right off the bat was the fact that this new computer was way behind on patches, secondly...just how big the patches were I had to download. Even though I'm on highspeed dsl it still took a good 15-20 minutes to download and install all critical updates.
:)
I can just imagine how inexperienced people getting new computers for Christmas will feel, especially on dial up connections. When your excited about a new machine, who wants to spend the first couple of hours just trying to secure the machine before you can even browse to your first website?!
Vendors should be forced to ensure that any computers they sell are already up to date. While we're at it, Microsoft should be forced to ensure that there products aren't so insecure before sales either
What happens when a borrower asks for help installing/configuring Linux? An average librarian probably won't be able to help, especially if it involves anything esoteric. The obvious answer would be a "No support is offered" rule, but what happens when someone sues or brings an official complaint? You know this will happen, especially in our litigation-centric world. All it takes is one successful appellate case and suddenly every library will have to offer support for Linux if they want to keep distributing it. If it came down to spending MORE money developing library Linux support versus spending NO money by yanking Linux distributions, I think the average state government would drop distribution in a second.
I hate being a law student. I keep thinking in terms of liability. I wholeheartedly support the idea of making Linux available at the library, but I just don't think it would last very long.
Depends... are there any switches around clever enough to stop this sort of thing?
Step one: Return machine to store and get a Mac.
Step two: ?????
Step three: Enjoy your computer.
Just where do you download the patch files to do this? I'd love to have a way to maintain an up-to-date patch disk for XP, since I support several dozen XP boxes. Not having to run Windows Update on them individually would be SOOOOO nice!
Your ISP shouldnt have to filter out random ports because someone somewhere wrote some crap software which is now easily explotaible over those ports.
Well, yes but what happens when the ISP's network is flooded with worm traffic? They really don't have much choice.
Comment removed based on user account deletion
http://download.fedora.redhat.com/pub/fedora/linux /core/1/i386/iso/
The cure for all that ails Microsoft.
I am the unwilling control for my Origin.
I had to nuke & rebuild my parents' machine this past Thanksgiving. I set up a dial-up connection on it and proceeded to the Windows Update site. It wasn't able to get through the first round of updates (which would've been Win2K SP4) before it was hit by the Blaster worm. (I ended up reinstalling Windows again and sharing my notebook's dial-up connection over a crossover cable to finally get it up and running. Downloading tens of megabytes of updates over dial-up sucks. :-P )
Dealing with the worms in circulation is bad enough when you at least have one "hardened" PC to fend off attacks while you get a new machine up and running. Someone who's buying/building a new PC who doesn't have access to another system is screwed in the present environment if the new machine is to run Windows. (Mac OS X, Linux, etc. aren't viable options for all people in all situations, as much as we might like for them to be.)
20 January 2017: the End of an Error.
Computers don't get viruses, users do.
Yawn.
Windows Update is great for keeping up to date, but a fresh install requires that you connect to the internet before it is "safe" to connect to the internet. This is a problem.
It would be nice if you could go to the windows update page and download a zip file of all the updates necessary for a fresh install (maybe it requires a CD key or something so it knows what to give you).
Use another computer that is safe to DL this zip and burn it onto a CD, then you can be guarenteed to have your windows box up to date before going on line.
This would also be useful for me when I update my brother's laptop which only has a modem connection. It's hell to figure out what it needs and hunt down the seperate files on microsoft.com.
First off, the first time any machine is connected to the net by default XP will prompt you to apply updates in the taskbar.
On new OEM PCs you need to click on START before you see Windows Update icon to launch it.
At worst on your own install of XP, you'll have to click on START and then PROGRAMS.
You can't really be serious can you?
1994 called. It wants its internet connection back.
When some areas' phone lines were strung up in the 1960s or earlier, which was long before telephone modems became commonplace, what's your legitimate gripe about mentioning 1994-class speeds?
How about Hannukah and Kwanzaa? Lots of people get pcs for those holidays, too!
Here are some other things I do for my clients when they get a new PC:
1. Have them buy a new hardware router
2. Turn on the Windows firewall
3. Right-click on My Computer, then Manage, Services, and disable: Universal Plug and Play and Messgenger.
4. I download the newer RPC patch at MS03-039 and install it.
When installing any operating system, you need to be protected before you open your machine to the depravatoins of the internet.
Although Windows users incur a higher risk due to the ubiquity of the product. all operating systems are vulnerable to oen degree or another.
Personally, I am unable to install Windows and download the updates without being infected with at least one virus. When I need to install Windows, the first thing I do is to disconnect the machine from the internet. After the install, I set up my internet connection, enable the Windows firewall, and reboot. Then I download the minimim number of updates needed to install the current version of the Norton antivirus/firewall product. Then I disable the Windows firewall and install Norton.
The first widespread Linux virus will do damage to the OS' reputation beyond any reasomable limits. Consumer Linux distributions should disable all servers and activate a simple firewall by default. Give the user the option to turn it , not on.
-- Slashdot: When Public Access TV Says "No"
This brings up an interesting point about OEMs and patching. I've never bought a Dell, I usually build my box. Does Dell ship with the latest service pack as soon as it is available, and do they apply this critical patches to the line immediately or at all? I would at least expect the lastest service pack to be on.
Another idea would to simply put the machine in a safe boot mode when the machine first comes up. This basically blocks all incoming traffic, and then attempts to connect to the MS site. Either via dial-up, or attempts to do a DHCP thing. Maybe even fire this the first time the network is initiated. It would definately stop the machines from getting infected before they can get patched.
I was looking for a way to do it from a safe computer, i.e., Linux-based. But, thanks - I didn't know about the customization, since I rarely do much on windowsupdate.microsoft.com other than click "Scan for updates".
Well, yes but what happens when the ISP's network is flooded with worm traffic? They really don't have much choice.
Wouldn't it be much better to just disable the ports where virus floods are coming from and have an auto-dialer call up the customer and tell them their computer is infected, giving them a phone number to call once the system is fixed? Then they would be aware of their problem and probably take some more measures in the future to prevent it...
Compare that to a godawful dialup VNC session on a home shopping network XP box where I needed to fix blaster and the person didn't know how to get to system settings.
I sold a mac that day with "Guess what, buy a mac and you will never have to deal with this again."
(and I won't either, to myself) That's why it is the best Christmas present you can give yourself, if you are the designated "computer-guy". Not having to deal with other people's XP is worth its weight in Half-Life Gold, Al Franken, and Myth II: Soulblighter.
Since no one else has actually done this yet, I went to the trouble of creating a:
text version for you to download (11K).
It looks like its all there but no guarentees.
"...but what happens when someone sues or brings an official complaint? You know this will happen, especially in our litigation-centric world."
"I hate being a law student. I keep thinking in terms of liability."
wow... just wow...
Ladies and gentlemen, this has been a rather harrowing look into the mind of a lawyer.
The obvious answer would be a "No support is offered" rule, but what happens when someone sues or brings an official complaint?
Have you seen the disclaimer of liability that GPLed (and most other Free) software carries? It's pretty damned heavy-duty.
If you can show me a US case in which a distributor of Free software was forced to offer support to a customer who had no separate and paid-for support contract, then perhaps I'll consider your argument to have merit. At present, though, I disagree that the liability is so severe as you make it to be.
It doesn't seem unreasonable to me to expect the manufacturers, particularly the just-im-time ones like Dell, to ship a machine already patched and with the firewall enabled. They slap a disk image on the drive already preconfigured with their junk anyway. Can't they update the disk image more than once a year?
-- Gary Goldberg KA3ZYW 301/249-6501 AIM:OgGreeb Digital Marketing Inc., Bowie, MD
This is're really a valid reason in large corps. Case in point: The company I work for was recently acquired by a much larger company. They required us to establish a trust with their domain, as well as with other subsidiary domains. There's NO way to filter out this crap in such an environment. Add to that the fact that sales people usually carry laptops with out-of-date virus definition files. Sure, you can script your logon for your domain, but then you have the same situation from other domains. Virtually impossible to coordinate virus def files across so many domains/subsidiaries (we're talking well over 100,100 desktops and laptops).
Microsoft's patching system makes it a snap to update your computer. Under Linux I have to groan over long and cryptic commands like "apt-get dist-upgrade" and lumber off to get a snack while my system is automatically updated. With Windows Update and a CD writer you can get a clean, protected computer with just a few easy steps. Allow me to elaborate.
I run a Windows 2000/Redhat 9 system. I got sick of reinstalling the OS and every single driver, recustomizing, etc, everytime Windows started acting up. So I came up with a solution. I downloaded Service Pack 4. Then I ran Windows Update until it had installed all the patches. I went into the "Add-Remove" programs listing and wrote down the numbers of all the patches I had installed, then went to Microsoft.com and downloaded the standalone installers. I burned them all to CD along with my backups and installers for all the programs I use (OpenOffice, etc) unplugged the network interface, and reinstalled Windows. Apply SP4, all patches, reboot, shut down. Then I booted into Linux and used PartImage (which has decent but experimental NTFS support) to take a snapshot of the installation (size ~600M with compression), reboot, install all applications, customize, reboot, shutdown, boot into Linux, take _another_ snapshot of the partition with all the programs installed (size ~3G). Then I booted into Windows, plugged in the interface, downloaded the things I had forgotten, and had a working system. Now when I need to reinstall I just download the new patches and programs, burn them, unplug, re-image, patch and install, reboot, image, and reboot. If I need to go back to the pristine image (like if one of the patches has an "incompatibilty" I don't notice at first before I blow away the old image), I have it on CD.
I was hoping to get a boyfriend this year but I suppose that'll have to wait. For some reason I never seem to have the time...
And I'm still scratching my head as to what you are suggesting. As a happy Linux user, I have more than my fair share of MS Windows users running around asking me to help them with this, and set up that. Most /.ers have played the role of family/friend's computer geek. So this is nothing new.
In the beginning I was tempted to convert them all over to Linux. Now some of the more zealous are probably still thinking this is the best solution, but the sad truth is, Linux isn't compatible with the Microsoft Internet that they want to see. Their friends send them *.exe, *.scr, and *.wmv attachments that they want to run, and you just can't do that from Linux. (OK, theoretically, you can, but it takes a lot of customizing that no one has enough time & money for.)
If you give them the gift of Linux, you will soon get non-stop whining, followed by the ungrateful cretin in question running out to some department store where they'll purchase a new PC with Windows XP Pro and a service contract. Then they'll brag about how nice their computer runs, and they'll brag about how the customer support is always availble to them, and they'll even brag about how nifty AOL is, and they'll ask if you've ever tried AOL, or any of the other questions that will make a seasoned computer user's flesh crawl.("Have you ever played that `sling-o'? That's just the funnest game!")
But they won't ask for *your* help again. You just get to stand on the sidelines and watch the approaching train wreck.
Come to think of it... That sounds like fun! Damn... Why did I agree to install Windows on my brother's computer again?! Why?!
I'll probably be marked as a troll for this, but Roblimo is just wrong wrong wrong.
Roblimo has a good suggestion on avoiding the first-day-of-Windows altogether.[link to article]
Right, until his daughter/granny buys a webcam from the store and wants to hook it up and use it, etc. Or she wants to use x program that only runs on Windows. Grannies and relatives buy lots of this stuff off shelves at the store. The Sims, nearly another other quality game on the planet? Probably isn't going to run on Linux, is it?
She does websites for pay... what happens when she decides she needs something like Dreamweaver, or Frontpage (gag, but a lot of people still use it) or Photoshop, in those rare cases when the (superior, IMHO) The Gimp won't fulfill her needs?
Sure, you could use VMWare or some other such deal, but then you'll require a copy of Windows and you'll have spent more time and money than if you had just put Windows on the machine in the first place.
What a load of narrow-minded horseshit, Roblimo. Your job as a self-appointed Linux advocate should be telling it to the people straight, and you aren't. They'll listen to you and get burned, and won't trust you or any other Linux person, next time.
I remember one person mentioned giving this a try, and having to fight an uphill battle to get the library to understand that CD-R does not allways equal warez. It's a good idea though, and I'm tempted to give it a shot. Barring anything newer, I've got at least a couple old boxed sets of SUSE and Mandrake I couuld donate.
Everything will be taken away from you.
There needs to be a new moderation added. Call it "Tired" as in this joke is old and isn't really that funny. Kind of like how the French always surrender and that Bush is a moron.
(Not agreeing or disagreeing with the comments including the fact that MS has always been security unconscious but that the jokes are no longer funny)
Plus setting any unpatched box Windows or Linux on the Internet with no Firewall in between is stupid
SOHO routers are freakin easy.
Plug WAN side into cable/dsl CPE, plug LAN side into computer, have computer set to DHCP, which out of the box machines are anyway, reboot.
if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
I'm glad to hear that the user on linux.com is happy with her copy of Mandrake, but I can't help but think that a Mac would be much, much better so long as a given person can afford it (remember, you don't need a dual G5, just an eMac or iBook).
The reason would be the support network for when you do need support. Not everyone is or can afford to drop by, and saying "go check Ars Technica" isn't really helpful. IF they ever need professional support, it would be better to have actual phone and store support for the product.
Not to mention that you can actually expect to find common peripherals which will work out of the box, or at least have company-supported drivers that you can install.
Not everyone can justify the cost when you can get a new Linux box for half the price, but I wouldn't want someone spending extra on tech support (or downtime) just to save some money on the initial purchase.
I understand wanting to advocate alternatives at all times, but come on now Rob.
There is no way in HELL that I'd consider giving a linux machine to a friend or relative who is light on technical ability.
I am already on call to fix the computers of my friends and family, my girlfriend, my girlfriend's best friend, my girlfriend's sister, and my girfriend's sister's girlfriend.
I'd easily double the amount of free support that I've have to give if I gave someone a linux machine. Even if most of the calls ended up being "No, I can't help you install 'Barbie goes to the beach' because the version that you have is for Windows", that is still crap that I don't want to deal with.
I'd rather burn a disk with Ad Aware and Spybot Search & Destroy and give it to people than to have to educate people on a system that they know nothing about.
So many people these days don't know a thing about DOS, so how can you expect them to take the time to learn bash? More times than I would like to remember, I had to use the console to fix a problem on one of my linux machines that just couldn't be done through X. Sometimes the problem was that I couldn't launch X.
Windows is the devil that most people know. As awful as the security is, as awful as Microsoft's business practices are, Windows is the top dog and most mundanes don't care about anything but being able to check the weather, get email, bring up a few web pages, and play some games. For most people, that is easier to do with Windows.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
No, the proper technique is called a "reach around". You reach around behind the box, unplug the network cable or phone line (I caught a worm over dialup once, that was the most hilarious thing ever), and consider yourself lucky.
;)
So what you're saying is, when your getting screwed by Microsoft, and they don't have the common courtesy to give you a reach around; I should go ahead and give myself one?
Seems like a great idea to me! Thanks
--
I have been looking all over for an automated (wget style) way to download *ALL* patches available on windowsupdate, for say, windows XP SP1, for offline use, so i can download them all, slipstream them onto my installation media, like i do with the service packs, and voila! have a completely secure installation (as much as a windows install can be completely secure) from its first boot....havent found one yet....anyone managed to do this?
any help appreciated!
thx,
Ghoul
Sigura Non Grata
I'm not alone in making the first. If you're using a highspeed connection, get a connection sharing router/firewall. These things are amazingly cheap now (as low as a 1/10 of what I paid for mine) and will protect you from a lot of problems.
My second suggestion is to download a copy of Knoppix and run it from CD before you ever update the Windows software. See if Knoppix cleanly connects to other computers as well as to the Internet. This likely sounds like a strange suggestion, so let me explain why I'm making it: I got a notebook this year and it ran Knoppix fine, connecting to my local network and (through the router) to the Internet. After a few weeks I installed the Windows "security updates". Now Knoppix will no longer boot from the same CD's and connect to the network! I've found some work arounds, but it's clear to me that the security updates are the likely cause for some really evil changes made (I suspect to the built-in NIC's configuration ROM) that stop some Linux configurations from working.
If you get that new PC and you ever want to run something else other than Windows, it might be nice to know if Knoppix (Linux) ran fine and connected to the network without problems before installing the "security updates"
I'm an American. I love this country and the freedoms that we used to have.
I'm not the only one who noticed that he set up his step-daughter to spam, am I?
3rd paragraph, her 'simple web site maintenance tasks' are obviously sending spam.
Nice job Robby,
-bZj
.sig
So if I borrow a book on building bird feeders and accidentally nail my hand to my foot I can sue the librarian? God I love this country. But seriously, this would get so complicated for librarians that are having trouble accessing their books on their "digital card catalog." Librarians were probably English majors in college, not computer science. They'd lose it in this venture.
My mother and father both use linux. Take time to set the computer up so they can do things they want to do. Help them out on how to do things. You can easily customise the system for them. Thus making it much better than an off the shelf system. For example, set up their digital camera to copy the pics into a dated directory, make smaller versions for sending to family via email, and/or for upload to the web. Try and figure out what programs they would like, Set up the apps they use the most on their desktop. Put all their music into ogg format so they don't have to fire up their CD player each time they want to listen to music. Have fun!
if the author of that guide seriously thinks that only enabling TCP/IP and activating microsoft's crappy internet connection firewall is going to protect your computer from malicious packets after connecting to the network, he's got another thing coming.
sure, that methodology is easy and at the very least will help, but it certainly wont ensure security.
at the very least he could say that if you have a good hardware or software firewall that you should install that before connecting to the network.
still, the safest way is to simply take use a secured machine (i.e. linux) to download the MS patches and burn them to a CD, then install them from the CD.
my 2 cents.
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
you won't get any spyware or data-mining cookies sneaked onto your computer
What, you're saying that not a single Linux web browser supports cookies? A "data-mining" cookie is just a cookie to track you as you browse the web - one set by an advertising site such as doubleclick. They work just as well whatever OS you're running.
6. Use your new shiny computer as you're pleased
Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). It also pleases me to write code in C# (again, forget mono, it's not nearly there yet). Until Linux provides me the means to do these things, it'll always be my secondary OS, Windows will be my primary, and "advice" to secure my PC by wiping Windows and installing Linux will be treated with the contempt that it deserves.
However, none of those bugs/holes will expose your PC to worms such as Blaster
You are of course aware that the first internet-borne worm utilised a buffer overflow in sendmail to infect computers? Don't go getting over-confident - true, I can't think of any Linux-targetting worms at the moment, but it's been done before, and it will be done again.
It's official. Most of you are morons.
"Kind of like how the French always surrender "
Now thats not true. The French did win the French revolution. Of course that might have been because they were fighting the French but still lets no go around making broad generlizations.
That's a tiny file. Thank you! Happy Christmas!
Scroogle
So, what about the people who don't have an extra computer to install Linux with NAT routing on and have satellite, or can't configure the Actiontec 56K modem+2 port router?
If I brought a computer with Linux on it for someone I bet they would never give me a gift or invite me to their Christmas party again.
Tim
Omnia vestra castrorum habetur nobis.
I hate to be a downer, but Blaster spreads via vulnerabilities in Windows RPC, i.e. via open network ports. That's what a worm is.
"America has done some terrible things. But I know that Americans don't cheer when innocents die." -Dave Barry
Have you read anything about Blaster? It's spread via email attachments posing as Microsoft patches.
Apparently you've read absolutely nothing about Blaster.
The Blaster worm does not spread via email, but does distribute itself via the internet looking for vulnerable computers that have not been patched against a security hole first reported by Microsoft in mid-July 2003.
That kind of ignorance is just another reason we have so many machines on the internet that are left vulnerable to these kinds of exploits.
A firewire isn't going to do a damn thing to keep it out.
I do totally agree with you there, though... a firewire won't help protect you from Blaster.
Comment removed based on user account deletion
In the case of Blaster, I believe that the packets had forged source IP addresses. The ISPs shouldn't let them out past their border routers if the IP address didn't originate from inside their network.
One line blog. I hear that they're called Twitters now.
OK, I won't mention Wine, the project itself. However, SuSE seems to be taking a VERY nice approach here. They've got a CD with CodeWeavers' two products, and WineX, called the SuSE Linux Wine Rack for $30. Not bad, huh?
If you install any Windows OS "from scratch", keep it off the net until you have the latest updates installed from your own patch CD. Turn off RPC, enable MS's internal FW, then go and get the patches you missed!
/.
It is simple, really. It only takes a few hours.
Or you can install Mandrake 9.x for most of what you want to do, like surf
Why not go with a slipstreamed copy of WinXP that includes SP1a and RU1? Hell you can even make it install all of your apps and drivers automatically, or even tweak the hell out of it! Now from the initial install you've got a protected system, plus if your relatives system gets too screwed up they can pop in their cd and reinstall XP and all their default apps without being tech savvy!
Jonah Hex
Horror & SciFi Erotic Nudes
Wouldn't it be much better to just disable the ports where virus floods are coming from...
I am sure it would be. Now suppose you are a cable company with a million subscribers. I'd bet that implementing this would cost you several hundred thousand dollars.
The point is, NOBODY should be doign NetBIOS over the internet anyway. It's a massive security hole. If you need to do Windows networking over a WAN, use a VPN. That's why VPNs exist. It *is* an ISP's job to block ports that do nothing but cause trouble.
I would never do this for a relative or friend. If they are new to computers, now is not the time to introduce them to Windows. Set 'em up on a Linux distro, or even a Mac.
Yeah, yeah, I know, this sounds like a troll and all, but I am quite serious. Unless you are locked in to Windows for some reason, and given what the Windows world has endured in 2003 and what Microsoft itself says it is going to do to users in the future, please don't inflict this on yet another computer newbie. They won't thank you down the road.
"...Mods - mod as troll all you want. I am not trolling, though - these are the facts. Windows really sucks..."
Why do people make statements such as this? We all know that mods can be biased, the system is imperfect, and karma really doesn't matter. What does matter is having the ability to state one's opinions/beliefs and being able to defend them.
(tig)
Ignorance and prejudice and fear
Walk hand in hand
I plugged a 98 box into a freshly installed cable modem (Time-Warner RoadRunner if it matters). Within 20 minutes the box was rooted. It was my mistake. I had brought the machine from a network that was behind a hardware router, and placed it directly on the cable modem. I had sharing enabled directly to the c: drive, password protected.
The worm reset the password to null and enabled sharing of other drives.
It then tried to write itself to all the fixed disks on the machine (that is how I detected it: I was transferring photos from a compact flash card, thru a USB, when it hanged. A copy of the virus was found on the card.
It is possible that the infection would not have been detectable without running trojan scan and online antivirus particularly when the speed of cable is considered.
The worm installed a backdoor on a Windows box, and then tries to locate and infect and windows shares on the block.
Needless to say, surfing without a condom on a windows machine is dangerous indeed.
Have you read anything about Blaster? It's spread via email attachments posing as Microsoft patches. A firewire isn't going to do a damn thing to keep it out.
The fact that you apparently write technical manuals for a living, makes this rather amusing.
I suggest you go and read Microsoft KB article KB823980 and take a look at Microsoft patch MS03-026.
While it is entirely feasible that someone could email the Blaster payload in an email message that appears to be a page from Microsoft's website, this is not how the worm spreads itself.
I just know Christmas day, or the day after, I will get a call from at least 3 relitives who got something 'cool' for their PC for christmas, and they are going to want some free 'tech support' from me.
This is why some geeks truly do cringe when they hear a phone ring on Christmas day.
>> Was quite an eye opener
You don't read slashot more than once a year, do you?
Am I the only one who has been getting XP SP1 cd's? I haven't seen a new pre-SP1 CD in over 6 months, any system/copy of XP on the shelves nowadays surely has SP1 built in.
I wrote a little thing about putting together a WiFi+modem setup nearly two years ago -- the prices have dropped since then; if you follow a site like techbargains.com, you can probably find a suitable WiFi/DHCP server/3- or 4-port router for something between free and $50 (after rebate), and a 56K hardware modem that would work fine for about $30 -- so I think you can say it's no more expensive than a linksys home router's regular price, anyhow. Hard to believe how much I paid for the same stuff a few years ago, but it's all H2O under the bridge now.
I'm surprised there aren't yet integrated modem+switch+WiFi boxes as I predict in that writeup that by now there would be.
timothy
jrnl: http://tinyurl.com/c2l8yr / foes: http://tinyurl.com/ckjno5
KerioPersonal Firewall
If you're going to be installing a relative's computer, I'd just suggest that to put all of the nice tools and programs(Kerio, SpyBot Search & Destroy, Mozilla, MP3 and movie players, patches, etc. etc.) onto a CD or USB drive, and avoid downloading this stuff alltogether.
Grandma probably dosen't have DSL or cable, afterall.
Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
Well, the only way to ensure not being marked as a troll is to tell the mods to go ahead and mark them as troll.
Stop the Slashdot effect! Don't read the articles!
well, not bad if you don't mind slower performance and unsupported games. WineX doesn't work for every game, and when a new one is released,I would have to wait until it is supported, whether or not it will be supported is determined through voting, taking even more time. if you want to play games under Linux, and dont mind performance lag (i get about 70 fps in Unreal Tournament under windows XP pro, and 30 fps at the most under Linux (SuSE 8.2) with the same hardware), then SuSE's Wine Rack is the thing for you. if you care about graphics so choppy the game is virtually unplayable and entirely unenjoyable, dont bother with it. Windows will remain on hard drive with SuSE until games are worth playing on Linux.
--daniel
pushing is the answer.
pushing will protect you from the terrible secret of space.
Let's not get picky about about what's a worm and what's a virus. Nobody uses these terms with any consistency.
Tech writers do sometimes get their facts wrong. That's why we have technical reviews -- if you can get the engineers to do them. But that's another issue!
I bought one Lindows and one Lycoris machine for my kids for christmas. Good deal at $199 each at Walmart.com. Both have used Knoppix, Mandrake Move, and Fedora with on thier older machines with good results. I've had the new ones running periodically to configure everything for the local network and creating shortcuts to various places on the home file server and both have been good so far. The Lycoris "looks and feels" nicer but I could not get any video when I played movies with various codecs. I only have two complaints so far with Lindows. Every sub menu has a link to the click and run software library. A bit overboard I think. The other is the always run as root thing. Does not seem like such a good idea. I may look into changing that or wait until they trash it and try something else. I added an extra 256MB in each. The specs and hardware for the computers are identical. I forget the MB type but the CD is an LG and the hardrive is a Maxtor.
Bad boys rape our young girls but Violet gives willingly.
is called "TCP/IP port filtering". I have encountered this experience personally, on my dorm network. When I reinstalled WinXP, I didn't even have time to download SP1 before a virus made its way onto my computer and the IS dept shut off my port. However, I've found that if I leave my network cord unpliugged (card disabled, etc) until I have setup my TCP/IP filtering settings to allow only port 80, I can then download the necessary patches, update, and remove the filter. No problems yet!
The power of Christ compiles you.
A Random Blog
No, sooner or later, a computer newbie is going to want to run the latest games, productivity apps, etc. How many of those run on Linux? Not many, unless you're a real fan of America's Army, which for some odd reason, they released for Linux..
I stand behind every word I ever said about windows - it isn't half-assed blubbering for the sake of it, it's my opinion based on experience I have day-in-day-out supporting both products for years.
Windows server and windows desktop are from hell. Linux is not.
All these services are far superior and easier to use than windows update.
Thanks. The one linked in the story keeps downloading as a corrupted file. Your's works.
I'll mirror it at http://www.spywareinfo.com/downloads/tools/xpsurvi valguide.pdf also. I intended to write a story about it, so I'll just mirror it myself.
Only on
hard vs. soft real time. "Soft" means that e.g. in a video game, it's OK to skip an occasional frame.
The reason were 2 posts above mine. They were moded trolls and mine would appear as such also. I hate being moded as troll whenever I tell what I think of Microsoft and their OS.
And that is pretty much what I said. And I also said I am doing my part to protect such opinions from biased moderation. So, are you complaining or what?
"it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions (don't mention Wine, please). "
Don't mention Wine, and don't mention Windows. Do you know how many worms my GBA has had? The same number as my Xbox, SNES, GameCube, PS2, TG16, and every other game console. Plus, I don't have to spend 500$ on a video card every year so I can play 2 new games (while breaking 2 old games)!
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The other option is to do what some universities do . .
Your computer gets infected with worm X , automatic network program Y detects this and adds ACL Z to direct all of your traffic to a (secure) download site for patch and once patch is downloaded (and run) remozes ACL Z
Sure it might cost a couple thousand to set up but if you are a huge cable company (with millions of subscribers) whats a few k ?
Nope just confirming what you said.
Well, y'see, it pleases me to run games like Dungeon Siege, Postal 2, Warcraft 3, and a whole host of others that don't have native Linux versions
At least someone liked that game...
Consider the following statements:
1) Windows sucks. Linux is the best.
2) Linux sucks. Windows is the best.
If we take these statements to be opinions, then they can co-exist peacefully. Two different preferences have been presented, and no contradiction has occurred, as it would be mad to assume that people do not have different preferences from one another.
However, if we take the statements to be facts, then there is a conflict. The two are mutually exclusive; both cannot be true. One must be argued, modded, or shouted down, so that only the other remains. Hence, troll moddings, arguments, flaming, and holy wars erupt, instead of rational discourse and discussion.
It's sad, but seems to be true: Most people believe their own opinions to be facts, and would rather be proven right than learn something about the other side of the argument. You can find ample evidence of this on any message board online. The reason that people make statements such as:
Ph-nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.
Grannies and relatives buy lots of this stuff off shelves at the store.
No, they don't. What the hell kind of Granny you got? Granny (my wife's) surfs the web, and sends lots of email (STOP with the email if you're reading this, Granny!). Grannies may do their bills online or compose a letter and print it. AND MAYBE, at the outer limits, they might even play some music. Linux does 99.9% of what granny wants, and it does it better than M$.
I play UT:GOTY on both Linux AND Windows, and the only issues I've seen are that it's a bit choppier on spawning, and that there's no sound (both through Wine - haven't tried the native installer). Framerates seem the same (Intel 845) other than on spawning.
On a side note, sometimes the Trash works as a great backup if you know how to use it. I had a caller once delete some system files as part of removing/replacing Dial-Up Networking to make sure these files got replaced. Alas, it crashed at just the wrong moment, before the files got replaced. Now, it can't boot at all. Deo gratis, she had a boot disk. I talked her into going into the directory containing the Trash in DOS, found the files by size, copied them back to \Windows\System, renamed them and got her system working again. I doubt she ever realized that she'd probably been talking to the only tech in the company that could have done that, and it really didn't matter. Yes, I know how to keep files from going to the Trash when they're deleted, but I never have callers do it. Just In Case. That was the worst problem solved that way, but not the only one.
Good, inexpensive web hosting
Parent was a worst-case scenario post, and I admit it sounds pretty paranoid in hindsight. I still think that there could be some sort of case made for forced support. Perhaps some sort of estoppel? There would have to be some pretty severe circumstances for an estoppel argument to work, I imagine. I dunno, you're probably right and I'm just being paranoid.
DCOM's interface is the reason for worms like blaster and welchia. Shutting it off gives those worms nothing to bind to. I seriously think that OEM's should consider selling their PC's with DCOM turned off. Almost nobody uses it and it's a security risk. The same goes for Windows Messenger. It's an unnecessary service that should be turned off.
Qchain will automate the task of installing patches and can be used during installation.
You would be modded to -6 for flamebait, -6 for trolling and your IP would be banned for 48 hours
I recently upgraded a friends PC from ME to XP Home. She purchased XP, which came with a sticker proclaiming that it included SP1a.
Since this was a recent purchase and the after thought SP1a sticker was there, I mistakenly assumed that it would be safe against Blaster.
Regardless, I enabled the built in firewall on the external interface NIC before I connected to the internet via her ADSL.
I couldn't get it going. I was using the ISP PPPoE driver which was supposed to work, but the ISP suggested I use the built in XP PPPoE driver, which worked fine. The phone tech also said that I must disable any firewall due to the use of a heartbeat initiated at their end.
So, I reluctantly did...
Her PC had Blaster literally within a minute or two of connecting.
But here comes the funny part... to get around the 60 seconds to shutdown, I double clicked the time to set the year back to give me a chance to remove the virus and patch her system. Unfortunately, during this, I had to reboot. At this stage the 30 day registration period was still in effect because I had not registered. Upon reboot, the 30 day period was up, XP was demanding I register now without giving me the desktop! Luckily it seems that it automatically connected.
Next time I'll just set it back an hour!
This kind of crap just has not happened to me on my Apple. In the end, I enabled the firewall and she has not had a problem. It might not have happened if I knew XP better (first install), but then I gave up on Microsoft long ago.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
I get 90fps on the Linux version and I can't get the ()&@#Ing nvidia driver to enable AGP without crashing my system. So that's better than windows :)
My other car is first.
> I have gotten really tough on down-mods while metamoderating. If it looks at all ideological (rather than about the worth of the content) in either direction, then I mark it unfair. If others do the same, hopefully, many of the moderators who let their bias show can be removed, and we won't need comments with disclaimers about the intent
I have gotten really tough on people who don't moderate good comments about M$ down. "M$ had a patch out months ago"? Oh really? -1 Overrated. Hahahah.
Frankly, I don't want to hear about windows. I fucking hate it. I only want to read about why Linux is good, etc. Hearing about M$ is about as fun as eating shit. And that's not very fun.
In summary, fuck microsoft. And this most isn't flamebait, I'm sure other people want to say the same thing.
My other car is first.
Windows sucks. Linux is the best.
My other car is first.
Frankly, people who are having a love affair with Mr. Balmer's micro-company need to go back into their closets and shut up.
This is Slashdot. Here we cater to a UNIXish majority - as well as a fanatic Apple minority (lol just kidding).
Don't like it? Don't post - its still a free country. Don't like your Microsoft-worshipping posts getting modded -999? Tough - you were asking for it.
My mom and stepfather bought my sister an eMachine for Christmas with XP on it. They live 2000 miles from me, so when I talked to them this Christmas morning, I immediately told them not to plug in the RJ45 until they read the guide I was emailing them (this one). Another shitty proprietary machine saved from becoming an RPC-infected netizen!
And who's going to mod the meta-mods ?
Frankly, I don't want to hear about windows. I fucking hate it. I only want to read about why Linux is good, etc. Hearing about M$ is about as fun as eating shit. And that's not very fun. . . In summary, fuck microsoft. And this most isn't flamebait, I'm sure other people want to say the same thing.
Well, I'm no MS fan either. I use Linux. That does not mean that MS fanboys should be modded down just because they state their preference. Nor should people be modded down because they make a joke about Microsoft. If you think they should, then you'd better go read the faq about moderation, and you need to get a life - it will give you some perspective, and it will make the teensy irritants easier to bear. Oh, BTW, Merry Christmas, and have a less stressed New Year.
Offtopic? See you in META, asshole :)
455fe10422ca29c4933f95052b792ab2
Because of first-day (day zero?) vulnerabilities with Windows XP, IMO Microsoft should have to provide all vendors of Windows XP with a CD to give to purchasers of Windows XP that will install all critical updates, and design the installer for all future revisions of the operating system package to have an "Insert Critical Updates CD" stage so that one need not ever boot a new Windows installation before patching these problems (abortable if there is no such CD).
And in cases where older versions are still on the shelf, CDs should still be provided free of charge to the end user, cost for Microsoft to bear. The company is rich enough to provide this service and not even feel it.
And every other OS vendor as well. Apple should be providing for free security update install CDs automatically at each of its points of sale (Apple stores will download them and burn them to CD for you), the various Linux vendor packages as well (those who download ISOs can get the updates just as easily), and anyone else I might be forgetting (SCO?).
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Agreed! I work for a place selling PCs and it's often my job to get them ready for sale. Typically, I'll use the OEM setup kit for XP, set it up on my master PC, connect it to the internet, run Windows update, enable the firewall, disable odd services and so on before whipping out the hard drive and duplicating it.
A pain! I'd much rather give the customer another CD that the Windows Welcome setup asks them for and that they can use in the future. At the moment, we still have a problem that if the user decides they're going to reinstall XP then they'll have a classic patch-less XP install!
Ah well...