Slashdot Mirror
Sasser Worm Takes Down UK's Coastguard
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.
But here in the U.S., I believe it falls under both 18 USC 1030 and some clause in the Patriot Act.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.
Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.
..., whose mistake caused the security hole, gets identified, can he be held at least partially responsible for any deaths that occurred during this outage?
Like no system except a Microsoft system has ever gone down. The first fucking worm ever written was for Unix, nerds. You lot sound like a bunch of stuck records.
I would rather blame the lazy sysadmin who spent his time surfing for pr0n instead of running windows update and setting the firewall up.
Microsoft has to take part of the responsibility and offer to send consultants out for free to patch and fix the servers. The same is true of all operating systems. Microsoft has the issue of their marketing claiming anyone can manage a windows server when that obviously isn't true and never was. It takes skill and not just any MCSE.
The company or the people that are unable to secure their computer? There is a whole chain here, and in other cases with the law, it always seems the manufacturer gets sued. Shouldn't that be the case here? If there is a single vendor or individual that can be blamed, shouldn't they?
The difference here, possibly, being that Microsoft had patched against this and that could be seen as an equivalent to a warning or a recall. It makes you wonder though, if a worm hits on an unknown exploit, will Microsoft be responsible? In any other industry, I'd have to say yes, but I'm not so sure when it comes to software.
Anyhow, this is just another case for why any infrastructure should not be ran on a single operating system. If you have multiple kernels with multiple implementations that can all work, you'll be much safer. Linux kernels with different versions, BSDs, AIX, Solaris... Those won't have the same exploits and have different strengths and weaknesses. No worm can traverse all of that (hopefully).
That's scary.
Perhaps it's just me, but I say it's just as much the coast guard's fault. They should have kept their systems up to date.
"if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
Replace "outage" with "outrage".
There is no way in hell an important insitution should put up with shit like this. If any arbitrary piece of code that gets sent around could bring my companys systems (as often as it is the case about WIndows XXX) to its knees I'd start seeing red about what the software manufacturer was spending its time on.
And choose a different supplier.
Then again, why was this critical infrastructure not patched last week? Their admins are just as guilty as the virus writer.
It's not just Linux that forms a good alternative to Windows. OPenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative. On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software. Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?
OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...
But...
Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).
This kind of fine grained control is what works WELL in debian for example. To update an error in ssh, download it's patch. to update an error in an x library, update that one library. Not bundled in with loads of extra crap
I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.
Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.
As reported on the BBC, this killed their mapping systems, forcing them to revert to the paper maps that they've always used in the past.
No safety critical systems were involved.
Debian: GNU/Linux done the Linux way
With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
First off, this isn't a flamebait or an all-out attack on Microsoft
However, it seems that software vendors are somehow let off much easily by the law, than say, electrical equipment manufacturers. If someone is electrocuted by say a faulty electrical appliance which was a) interfaced with a third party device/switch, b) caused electrical spikes because of some malicious hacker load shedding/spiking the electrical supply in the local powerhouse, then wouldn't the company be liable for damages if the device fails to withstand such spikes/surges (within a range, of course)?
I agree there is a flaw in this reasoning - it wasn't the original device that was faulty, or that the device was interfaced/affected by a third party with an intent to harm. However, aren't all products made with such situations in mind? If a car skids and causes fatal injuries to drivers and passengers, aren't the car companies responsible (and thus coming up with safer cars or with better anti-skid features)?
http://efil.blogspot.com/
Working tech desk during Sasser outbreak is fun lemme tell you. God save microsoft if they actually were responsible for tech support costs during this thing.
:). I've had two people call recently who - literally - just bought a brand new computer from the local best buy, plugged it into the internet and with 5 minutes got either Sasser or Blaster.
I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.
I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now
I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.
This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.
That safety critical systems are being maintained in such a shoddy fashion.
Fortunately the coastguards affected were not called on to deal with any emergencies.BBC
The affect on train control systems in Oz preventing drivers talking to signals was to me far more serious and could have resulted in serious loss of life.
As for punishing the writer - reckless endagerment anyone?
"goatse? What's that? Anyone have a link?" - AC
How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.
I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!
Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.
On the virus writers intentions, they were certainly not to kill people. One would also hope that the Coastguard is smart enough to have some form of backup comminications in place. This was not caused by virus writers alone. It was caused by poorly written software and poor security models at the networks which were affected. Yes, the virus was the spark, but software was an enabler, and the IT crew I would think should have first accountability.
On Monday, thousands of people tried to access the banking services of Deutsche Post.
Due to stricter securities setting (because of Sasser) this was not possible for hours.
that the more we depend on technology the more important it is to realize this dependence and the implications of trusting it blindly
if it wouldn't require you to reboot the OS after installing a secturity patch.
so in that scenario there would be NO excuses for having the system outdated.
While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arrise from a virus/worm infestation.
The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...
The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.
Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...
Basically, I am advocating a bit of responsibility for ones own destiny...
Exactly, this is a storm in a tea cup. There was at no time any risk to life, there was no loss of opperational capability.
Since they actually make a profit on those deaths. But ofcourse, in the real world, if windows kills your dog microsoft will hide behind it's EULA.
Upgrade your mission critical systems. Morons. ;)
She's built like a steak house, but she handles like a bistro....
Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault. I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make - I dont think the OS choice is relevent. Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
I don't think we can say a single programmer made a "mistake"...blaming individuals for secureity holes isn't the way to go. Windows is a very large piece of software - there are bound to be security holes unless the software is subject to many years of testing - Windows XP was released some time ago, and this hole only came to light in the past few months. By your "blame the programmer" logic I should blame the QA team for not catching the bug...
But 5 years from now, when eveyrone gets used to using a GPS and some fancy mapping program, what then?
Paper? what paper? oh! ePaper!
nope, our laptop got the virus last night. Sorry, WE CAN'T RESCUE YOU UNTIL WE GET OUR LAPTOP FIXED!
Boy, im not optimistic tonight.
-Grump
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
Like no system except a Microsoft system has ever gone down. The first f---- worm ever written was for Unix, nerds.
I think that there is a difference between going down occasionally and going down every week.
BTW, that is Mr. Nerd to you.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
and some clause in the Patriot Act
doesn't everything? seems to me that it get stretched more than a rubber band.
"[I'd] choose a different supplier"
Personally I'd go for a different sysadmin first.
I mean shit - it's not rocket science. Hell, my sister was patched before this thing hit and she only uses Windows for Works and Solitaire . . .
"If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.
Oolite: Elite-like game. For Mac, Linux and Windows
Possessing a long maritime tradition, here in the UK we could offer the writers a selection punishments [1] Keel Hauling from stem to stern [2] Flogging with a cat-o'-9 tails [3] Hanging (if the worm caused a fire in a naval dockyard) [4] Run the Gauntlet [5] Picking okum
You don't need a lab to make mud.
It depends on how you look at it:
The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
How about choosing a system that didn't need to be patched in the first place ?
Ok, would that make the virus writer responsible? Again, no. The virus writer just tossed a ball which somebody else picked up.
Who is this somebody else? Microsoft? No, again. Although, Microsoft did pick up the ball, they didn't throw it at the victim's window themselves. They only threw it to the next "player".
That next player would be coast guard management who decided to run their system on Windows instead of the more secure Linux or OpenBSD. Would they be guilty of manslaugher? Again, no. They just tossed the ball to the next player.
The next player would be the sysadmin who failed to run windows update on his known vulnerable system (A windows system is always deemed vulnerable. Thus, "not having heard of" the worm is no defense). And he would be the final player who tossed that ball through the window.
I do sue Ford though if they later tell me that I also needed to buy doors to my car (firewall) and that the car had a mechanism to allow anyone with the proper knowledge to cause damage to it without even being near it (antivirus).
This isn't a car. Not only do they not give you the full package, they can force the vendors with a license into not giving it to you as well.
"You can't package that, it's against our license."
That's scary.
Dude, the patch is b0rked. It b0rks alot of people's systems.
Aren't they to blame? IT department? They should have fixed that. Virii writers? If yes, then also all weapon designers and such should be locked up. Hell, they designed the weapon. Or sold it or whatever.
... Maybe...
Maybe their IT should use different kind of infrastructure, different software,
The Sig, the sig
What if Microsoft did commit someone to launch this worm (that reboots each computer) in order to force all of their user base to do an upgrade ?
Frankly, this rebooting is so anoying that no one will stand having his computer/server infected... of course with some little side effects !!
American Express also was hit as seen on Netcraft
Monoculture.
If linux was more widespread, you'd get more stuff written for it. It's been pointed out countless times before.
TheHustler
http://www.elmarko.org/ - Useless bilge
http://www.asylum-games.co.uk/ - Co-Founder
Sounds like yesterday's news to me...
I know it's fun to bash Microsoft, but over and over with the same argument...?
Cooper
--
Don't you just love the sound of nature?
- Ginger Snaps II -
The guy who wrote and dispatched this virus knew exactly that what he was doing could cause at worst a lot of inconvience and possibly more serious consequences. he has to be held accountable for his actions. The law should be enforced to the max on this guy
Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerablity over two weeks ago, per:
MS's Security Bulletin on April 13th (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibilty for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.
It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.
- Mind
If/when the perpetrator is caught, it would be interesting to see how the law and the international community handles the situation as it obviously would have made a huge impact to businesses and individuals alike. The case would probably set a precedent in itself.
Bad analogy. If Ford find a critical fault, they recall the product. How many critical faults have MS found in XP so far?
The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is: Why were these systems ever connected to the wider world in the first place? Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security. Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet). We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms. Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd. And our company rolls on....
If you've received any formal marine navigation training, you'll have been taught that your GPS, electronic maps, radar etc are simply navigation aids. Whilst GPS a useful tool, it won't stop me plotting a track on a paper chart and using traditional methods to verify or estimate my current position. The same applies to aircraft pilots who may be equipped with autopilots and sophisticated navigation and safety warning but still learn to fly by compass, map and visual references. Besides all that, using a map, compass and your brain to find your way is far more rewarding than just following the instructions from your GPS.
From the article:
No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liabilty (both criminal and civil). In many jurisdications, if a virus directly caused a death they could be charged with murder.
The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing his/her job), the employer will probably be liable to (probably civil cases only though).
http://www.gnu.org/philosophy/words-to-avoid.html
Waht if e-mapping cappability lost during some major resque operation ? Like locating sinking boat ? So officers suddenly have to dig out paper maps, print out all relevant information and put it on the paper maps, all the while time ticking ? Still no danger to public safety ?
Coast Guard PCs one assumes are a standard build - all the software on the machines are the same. So testing new patches should only take a couple of days. The admins had 21 days.
Assuming the patch broke something critical and so couldn't be applied. Well the admins could have sat down and cried about it, or they could have done their job, read the security bulletin which details work arounds if the patch can't be applied.
These include activating the local firewall on each machine, blocking a variety of ports on the outer wall, or creating read only dummy files (echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log)
Some of these workarounds could cause you pain - for instance the advice to Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall. means that if you have an AD structure over a WAN it is going to break, unless you block those ports except for the specific IP addresses of your controllers, or you have a backup controller locally (which you should have anyway) that can take the strain while you work on getting the patch installed.
All this is work, more work than setting up SUS on the LAN and going to the pub. But as admins, this is what you are paid to do.
MS had a patch for this, as soon as the exploit was used they had a clean up tool available, they offer various free patch management systems for admins to use.
Bugs and exploits occur in ALL software. It was the admins who dropped the ball on this one, not MS. There was a patch, there were workarounds available if you couldn't use the patch and XP has a piece of inbuilt software that would have prevented the worm if you had it enabled. 3 ways to fix this, and 3 weeks to do the fix in. I don't see what else MS could be expected to do.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
The danish newspaper Ingeniøren reports that the Sasser virus attack affected the danihs hospital, Herlev Sygehus. The hospital had to cancle scheduled CT-scannings because the scanners crashed. Also MR-scanners were affected, though no scannings were canceled.
"We do actually have a firewall, but aparently it hasn't been updated enough" sais radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR-scanners running Linux had no problems," he sais.
The original story is here (in danish).
It appears that the consequences of the Microsoft monopoly are getting worse. Are there any linux-run hospitals?
"If linux was more widespread, you'd get more stuff written for it. It's been pointed out countless times before.
"
Nonsense. It has been CLAIMED many times before, but the claim fail to take into account that Linux by design is much more secure than Windows.
How that is the case should be obvious to anyone who has used both systems.
I don't know about UK, but this guy might be of an early age, and in my country kids are not prosecuted as adults. He (or she) should definitely go through hard punishment, but taking into account which conditions gave him the opportunity to participate in this incident (including, but not limited to, the kind of social environment which stimulates unlawful behavior).
;-)
Now, everyone is mentioning Microsoft's guilt in this. May I remind they are the first to say in their licence that their software is provided "as is"? Remember the "no responsibility in damages" part?
Now, isn't this an ideal case for firing someone for buying Microsoft?
I mean dismissal from job, not execution... I'm not that much anti-M$...
There is a hole in your house, some kid comes, pees through the hole, which causes a short-circuit and destroys your house.
Be a man, don't send the kid to jail. He didn't destroy your house with a bulldoser, he just peed in a hole. Admit that your house was fragile, and blame *yourself* for it.
There are perfectly normal reasons for this:
Linux and MS patch numbers cannot be compared since Linux patches often address problems which are
- hard to exploit(found by the mayn-eyes code review possible in an open source environment).
- fix problems related to the (multi-user) privilege system which is still new in Windows, unused and unprobed (usually runs in single user mode) (basically permissions problems under Windows are considered to be the problem of the administrator, not the OS). I have never heared of anyone trying privilege escalation under Windows, my guess is nobody is interested or one doesn't need it.
- problems in programs that don't usually come with a Windows OS, or which are rarely used in windows (DNS, sendmail).
Well you could say windows is safer because he doesn't have a console/remote administration to toy with.I'm still trying to figure out what people mean by 'social skills' here.
Heathrow hasn't been spared yesterday
http://tinyurl.com/3h7fb
If I were a Linux vendor I would be all over BA and other victims pitching my stuff.... I know this is a bit wrong but hey Business is business and I am sure I would get these guys attention FAST!
Artificial intelligence is no match for natural stupidity
if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?
The authors write such code with malicious intent, no doubt, but how can a programmer foresee any deaths? That too, the ones caused because of a virus? He should be punished to the maximum extent permitted by the law, but shouldn't be charged with slaughter or murder. When someone write a piece of code, good or bad, it is almost impossible to foresee it's use other than the one it's written for.
You don't really think that paper is going to be extinct? Dude, any technology that's been around for 5000 years, with very minor upgrades ain't disappearing. It's basically a tried and tested medium, and ePaper, or iPaper or BillGatesSuxPaper are never gonna replace it. Let's not forget, the "paperless" office consumes more paper than ever before (ok, so that's anecdotal...)
My Favourite Meme
Come on guys if the sysadmin had done his job there would be no problem. Microsoft has a free product called SUS server. If you have this and point all your client machines at it thay will all be kept up to date with the latest patches.
We do this at our UNI and had zero infections. Where as the state government did not and was stuffed as shown here
I work in a small insurance brokers without its own internal IT department, and as token geek I get the job of patching workstations since our external IT support guys can't find their own collective arse with both hands and a map.
/. - I patched twenty odd workstations individually, manually, over two days. (Manually, because our IT experts have set up our system in such a way that the automatic update service doesn't work.)
As soon as the last batch of updates were released - starting about half an hour after I read about the updates on
Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.
Aaagh!
People bash Microsoft because their software isn't impeneterable but how many other manufacturers have such high standards thrust upon them?
If someone cut the brake cables on your car would you sue Ford for the security flaw which allowed that to happen?
How many other manufacturers have to cope with thousands of malicous users constantly attempting to break it?
I work at the IRS, and most of the systems were down all day yesterday. A couple networks which were mostly set off from the others escaped infection, but I know several managers that were complaining they couldn't get e-mail or look up employee information.
It's also been pointed out how that doesn't really apply, but thanks for trying to sound official and stuff.
Sure, no system can go without patching as the grandparent suggested, but the assumption that Windows is only more problematic than Linux because it's more common ignores everything that makes Linux better: open source peer review, strong security model, proper code/software structure (ie, HTML rendering isn't done in kernel32.exe or something), etc...
-N
I've nothing to say here...
and why the feaking hell were critical coastguard systems hooked up to the public internet?!
An Education is the Font of All Liberty
And this many-times-made claim fails to tak into account that Linux *isn't* more secure by design than Windows.
How that is the case should be obvious to anyone who has used both systems.
I have used both and studied the design of both in several University courses. The design is sound. Some of the *default settings* are not made with security foremost in mind, but that's understandable due to the priority given to legacy support.
As Linux becomes more popular, the average skill level of its user base will drop and it will be exploited more. Deal with it. The most common weak link isn't the software, it's the user.
IMHO, The person to blame is the one that made the desicsion that the solution was an appropriate one. Surely when the systems were set up there would have been a specification document stating these systems should be secuure and stable and suitable for use in a situation where lives are at stake.
Yes Microsft are to blame for not making their OS reliable and secure enough to use in a critical environment. But it is not exactly a secret that its full of holes and has a reputation for being unstable.
Yes the sysadmin is to blame for not ensuring the systems are patched and up to date.
But the real idiot is the one who made the decision to use the system in such a critical environment. It just seems insane to me that anyone would use an operating system with knwon issues in a situation where peoples lives are at stake.
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
and it's pointed out wrongly everytime, you fat fuck. why don't you shut up now ?
[Disclaimer: I can't claim to know whether the coast guard's computers are really mission-critical, maybe they only read their fan emails on these machines anyway.]
Why would it be wrong to promote your product now?
This is the right time to promote it, and the positive aspects compared to the current solution. You will likely have an easier time trying to point out some of the flaws with their current situation.
A solution to this problem has been around for weeks now, yet one or more of these system were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?
You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's appropo here to remind everyone what "mama" always said: stupid is as stupid does...
Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.
The system effected was one that calculates passenger and cargo weight so it can be distribuited evenly through out the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".
It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is effected.
moron to let UK costal network connected to internet? he is to blame for the outage, not the guy who wrote the code/virus. if no one is writtine viruses we end up like the aliens in the Independece Day movie: one moron with a laptop destroys the civilation PS 4 costal guard: you don't walk around with your savings in your pockets. you put them in a bank. it's the same with networks: if it has any walue, you protect it!
Slow Down the Security Patch Cycle?
This case would seem to support the reasons made in the computerworld article about slowing down the security patch release cycle.
your view is retarded.
don't blame the "criminals" for acting like criminals; that's who they are! they're a natural part of the environment.
blame the cops for being shitty cops; they're not holding up their end of the balance.
in other words, don't redirect the blame; committees love this because when you blame everyone you essentially blame no one. i'd rather see someone *solve the problem* rather than pointing fingers.
if this worm damaged the IT infrastructure of the coast guard, **stop paying the IT manager**!! (s)he obviously fucked up by not only choosing a microsoft server to begin with, but not sufficiently carrying through on securing it against this threat, which is NOT novel.
if people died because of the failure of the IT department, i hope THEY get sent to federal-pound-me-in-the-ass-prison. "criminals" are just doing their job.
Underfunded, undermanned, rife with bureacracy and managers who haven't a clue (about anything).
A few years ago I was stuck on a large server integration/refresh project for a major global company. For some reason they were installing Dell servers and (ahem), I got to know one of the Dell support technicians very well. He was telling me how wonderful Dell and Windows was one day when he let slip that they had installed a Dell/NT solution in to one of the shipping management centres for one of the UK's biggest ports. I questioned the logic of installing Windows on a critical system and he just laughed and said "Do you honestly think they would put it in if its that unreliable?".
"Those who ignore the past are condemned to live it again" as the saying goes....
Microsoft's Patch CD is well out of date, and won't protect you against Sasser.
Better to use AutoPatcher
I'm not trying to get into the "who's fault is it" argument, but largely I find it's the bean counters and medling middle management that often get int the way. I do a lot of MS stuff, but I'm also a professional and know how to do it properly, and use the appropriate technologies whether it be Windows, Linux, BSD, Cisco, Checkpoint (or whatever you prefer) and most often a mixture of it all. The thing I often find is when you spec out a design, a schedule and a budget to do it right some bean counter always complains that its too long and costs too much even though you carefully analyse the customers requirements and budget and stay within those constraints. More often than not you will lose the bid or walk away from it and they will get Joe's Computer shop down the road to do it. So in short, they get what they pay for and reap their just rewards and unfortunately we all pay for it.
OK, it's early yet - but *no* jokes/dumb remarks about his sister being patched?!?!
I really got the impression that the reporter was trying desperately to make this into a dramatic news story whereas the coastguard person was fairly level-headed about it. Even she stated that every employee has a backup laptop that is not connected to the Internet as a contingency plan in just these circumstances. Plus, they can also rely on paper maps if necessary.
Yes, we all know Windows has security holes (just like any other piece of software) and that Microsoft could do a whole lot more to make their software more secure - however, the fact is that using good firewalling and educating users properly is the best way of stopping 99.9% of all known worms and viruses.
Microsoft must take some of the blame but so should the salesmen and IT people for possibly not deploying the right platform in the first place and then, post deployment, not ensuring it's secure.
Gentoo Linux - another day, another USE flag.
With this Virus a simple blocking firewall on the network (even on the internal machines) would have been enough to stop it... The patches are only for those that run without secured systems.
The fault here is the Admins, not MS.
Yea but you can't run things like LIDS, SELinux and GRSecurity on Windows.
:-)
Sure, maybe if Linux was mainstream people would start writing more viruses for it. So you stop your system being able to run untrusted binaries, without using DRM. Remember we're talking about govt machines used for specific tasks so using such ACLs would be much easier here than for a home users desktop.
The Linux 2.6 kernel even has capability hooks built into it (CONFIG_SECURITY) so what were you saying about it not being more secure by design
They have more cash to settle this than the virus writer. Obviously they do not want to have this kind of "using Microsoft products kills innocent people" cases fight out in court with a lot of publicity.
It's not a question of who is guilty - obviously the virus writers intention was not to kill people by disabling coast guards system, the network admins did not mean this to happen by leaving their systems wide open and Microsoft did not guarantee their OS to work in critical situations like this. The world would be better place with less stupid lawsuits, but if you are still going to sue someone, sue the one with most cash
Is it just my impression, Hotmail/MSN is down completely here. Did MS forget to patch their own servers or are they suffering under the network pressure?
The Awful Truth
IMNSHO, you can't update a firewall enough as much as you can misconfigure it, and by the looks of things, this is what happened.
Same goes for the UK coast guard btw.
I bet these incidents are the results of networks that were not designed and implemented in one go, but has evolved over time (I know, I know, most networks are built this way),
leaving 'grey' or 'forgotten' areas with noone directly responsible for audits and security.
There are no excuses for having an insecure network, regardless of your choise of OS'es attached.
Hooking mission critical machines, not responsible for networking, directly to your DMZ is generally a bad idea[tm]
"if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
.. Big Time in the Big House
HELL YES - HE CAN !! This damm scriptkiddie
crap is getting outta hand. They need to start
paying
Oh, for ----- sake
What's that, for cunt's sake?
But in this case the car comes with the door (firewall). So what's your point again?
-]Phreak Out[-
Move to linux or bsd uk coastgard!
Is there anyone here with more details about what they are actaully using, and where?
Certain classes of systems should have, mandated by law, a required level of security compliance. I mean - I feel sure that already - or merely soon - critical control systems of aircraft are going to be running some sort of MS OS, probably with systems written by some C# .NET muppet. Some fool will probably think it neat to network up the cockpit with 802.11b or some such, and then someone turns on his wireless enabled compromised laptop during landing and it infects the cockpit's various devices.
I hope this hypothetical case does not come about, BUT the only way to prevent it is not to come down hard on virus authors, or the software engineers who made the system with the flaw, you have to put the people who make the descisions asses on the line: management.
I think that there is a difference between going down occasionally and going down every week.
try telling that to my girlfriend...
oh, who am i kidding? i don't even have a girlfriend...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
Im sick and tired of hearing the same old bull shit that comes with every virus. Never is Microsoft given any stick over this. Sure the writer is an asshole and a criminal, but that doesnt change the fact that Microsoft Windows is full of holes, and never does this get reported, at the very most some 'expert' will be interviewed on TV and will say 'no it wont attack Macs'.
This comment does not represent the views or opinions of the user.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
One thing is using a swiss cheese as a firewall, but hopefully there are sevaral layers of security at play here, like cryptography and authentication, servers inbetween.
Some company asks for a robot, some company specifies it, some comapny builds it, some company writes the software, some person does the training, someone uses it.
/brakes?off on port 56656 lets say.
Someone dies.
How do you find out who is responsible?
The operator didn't hit stop, he didn't know where it was, was he not trained? The training guy showed him, but it was so far misplaced, he forgot, the ui designers?
The system went ok, but the calculation didn't go right, so no error reported, is this the designer, programmer or testers fault? manager? which manager?
You buy a car. Somebody 'hacks' into you car, and you die.
I dunno, they can disable the brakes by doing a GET
Someone does it. you die. is it the fault of the designers for leaving this open, or the person running this program to disable them?
Now lets say someone writes an antivirus program, makes an innocent mistake, and it triggers a whole net wide pulse of gets to all braking systems online, in some funky new tech car.
Whos fault?
If you walk across a bridge, loose you balance, and fall to your death when the bridge railing doesnt support you, is it your fault for loosing you balance, or the bridge for not holing you?
If someone write a piece of software, not called bridge, but windows, and it crashes, is insecure, IS NOT suitable for the proported usage (see the Java must not be used for etc etc clauses, very wise) who is to blame?
I believe microsoft are guilty of false advertising.
THey play the big game in their adverts, the world needs good software, they pretend to have it, people die.
It is not a quesiton of if, but how many deaths directly lead back tothe use of microsoft technology? Not even directly.
Viruses cost the world how much? Don't you think Microsoft is responsible for this?
Latest news, people are getting blowouts because the tyres they got with their new car were too crappy, when they drive them on certain roads, they are risking their lives.
mmm, I see, so the car company isnt at fault, because you were stupid enough to drive on those roads, or the road company didnt maintain them.
fact: it is my right to make any electronic signals go through any electronic equiptment in my house.
If they hit a network, if they hit your computer, erm, hello, sorry, what has it got to do with me?
so there is maliscious intent, but shit, that is clouding the issue.
Let people be as maliscious as they want. WITHOUT maliscious intent we would still be in the dark ages of security.
What it boils down to is yes, even if it is a hacker doing this, or even if it is osama bin laden himself writing this code on a dusty old acorn, is it the fault of the person who wrote the software on your computer if it breaks.
Yes it is.
I know this is off topic but this idea has been running through my mind for the last few days. Why doesn't somebody decompile the virus and change the payload to the actual cure for this security hole? I'm not well versed enough to do something like this but certainly someone on here is.
Yes, I know, this would be as illegal as writing the virus itself but honestly who is going to convict someone of releasing a virus that contains the fix for the security hole?
-= Why can't I add 'Anonymous Coward' to my list of Foes? =-
If it's not running, it can't be exploited!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Me: phew, almost our entire university network down, just by one stupid virus. Luckily I'm using Linux.
The other guy: What the hell is Linux???
int main(void) {while(1) fork(); return 0;}
Not to skip the M$ Bashing, but....
Shouldn't there be a bit better security in an essential service such as that? Why are people allowed to bring insecure machines in, and plug them into the network? Shouldn't they have 24/7 administration? Shouldn't someone have seen a report about Sasser, and patched their machines? We're not talking about Mom & Pop ISP here, we're talking about a branch of a nations military. Why are people coming in with laptops from home, and being allowed on the same network with an essential infrastructure? Haven't their admins read any books on secure networking? What about firewalls between the essential infrastructure machines, and the compromisable network? The way the story sounds, people take their laptops home, browse the Internet, and come to work and plug in pretty much anywhere. I suppose there's more than one CCSP on staff saying "hey boss, told you so" err, maybe "Sir, remember those security recommendations I made last year? May we implement those now?"
Serious? Seriousness is well above my pay grade.
Some anonymous coward (at Microsoft) needs to release a virus that will sit on unpatched Microsoft computers. Then it should first patch the computer - reboot it, change the desktop to "Take this computer back to the store, you're too stupid to own it." and then activly scan for more unpatched computers.
Rinse, wash, repeat.
Usual problems with sys admins having to patch thousands of machines (yes there are tools out there to help).
But also caused with the massive MS Windows monoculture (cf market dominance).
It's times like this that running 3 O/S's at work for the users desktop helps. But then i get stuffed by patching and trying to find tools that cover all my bases....(or run three tools!).
"..if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
No he won't be held responsible because his name is Bill Gates and the worm is called Windows.
No, it should read:
;-)
"Moreover, it raises questions of responsibility: if the _Operating System_ writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage? Shall the original *writer* be held responsible, or he who released the code (script-kiddie-ing it) ?
I would have thought after MSBlaster ripped through the Windows world that people would have learned to keep Windows away from any and all open internet connections. While competent admins ought to keep their systems patched I find it difficult to understand why networks aren't properly firewalled. If you want to be cheap about it you can just have a single firewall at external connections. A little fancier set-up would be transparent packet filters to segment portions of the network from one another. Keeping everything off the network that wasn't intended to be there would nip many of these sorts of worms in the bud.
I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.
Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.
I'm a loner Dottie, a Rebel.
They're expert sailors. Paper maps = second nature. I doubt anyone was endangered by this.
1- Some associations formed between organized crime and specific terrorist organizations during the time in which heroin began to be distributed by the mob in the United States- most notably in the last two decades.
2- Organized crime does help back some of the virus and worm writers; in part at the behest and urging of their clients and business associates. This allows for the creation of a "Chinese Wall" of traceability between the money sources and the receipients- two layers of laundering rather than one.
3- One of their primary associates in this affair is the cluster of cells collectively known as al Queda. This known terrorist organization has a vested interest in learning how to disrupt the infrastructure that helps to track them.
4- The ties alleged above are highly defensible, even without resorting to the publication of classified materials. The issues and relevance are both a matter of common knowledge. Therefore it may be said that any authors would be acting with full knowledge of the consequences, both potential and material, of their actions.
5- Those acting as authors of such disruptive tools are acting in the interests of known mass murderers. They are aiding and abetting one of the worst and most virulent lines of humaniform disease ever to stain the human race. All authors of such software must therefore be prosecuted to the fullest extent of the law- as terrorists.
Just my opinion.
"Laugh Quietly- tomorrow is your turn to be rong."
of a safty case I heard.
Someone had been working on a mezanine floor (one of those suspended floors made of grating). They took a section out and went to work on it. Someone fell thru the hole, but luckly suffered broken leg and minor scratches (some of these are quite high up).
The company sued:
1) The guy that removed the floor for not marking the area properly
2) The guy that fell thu the floor for not paying attention to what he was doing
3) A guy who spotted the problem and said nothing.
So even if you are not directly to blame for an event, your actions (or even inaction) can be used against you.
From Microsofts Website,
Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13
I work for the US Army. We knew about this way before the patch came out just by monitoring bugtrack. Less than 72 hours from the bug being confirmed by our service CERT, we firewalled access to this kind of thing. The patch was confirmed for deployment almost 48 hours after the patch became available. If it was not deployed 96 hours after the order, we shut the node down until we can confirm its patched and ready to rejoin the network. The impact of Sasser on our networks? Almost ZERO.
All of our responce is coordinated by the US Army CERT (ACERT). Where did the British Coast Guard equivelent do? Is there such a thing? This is preventable, especially given the time from patch to exploit. Its not like this sprang up overnight. Even then, dont they have a team that monitors this stuff and has authority to order massive disconnet? It seems that MS is not at fault, the British CG CERT failed them here. If they did try to prevent this, what failed them? Anitvirus? Admins who failed to patch? Lack of informing them downrange?
SPC Gruhn
TNOSC-K, Systems Management Branch
1st SIG BDE
"First to Communicate!"
Do you have windows boxes that crash every week? If you do, the problem isn't with the software. I use windows on servers at work, and they stay up for months at a time. They're just as reliable as the linux servers we use for similar tasks. The whole "windows crashes every 4 minutes" joke is exactly that - a joke. It's like saying that linux only has a command-line interface, and the most modern browser is lynx. Funny? yes. Any base in reality what-so-ever? No.
But they still used the paper copies when their computers were ok. They dont fully trust the one eyed beasty yet. Who can blame them
It's not exactly news that running Microsoft systems is the only sure-fire way of getting the living daylights kicked out of you. There are many levels of culpability here.
Remember that there is a woman in California in the process of instigating a class action against Microsoft because 1) she bought a PC unaware of how crappy the Microsoft code is; and 2) became through that code a victim of identity theft.
But the blame falls equally on the morons who continue to house Microsoft systems in Microsoft shops. I quote from a Slashdot comment four years ago in the wake of the Love Bug from the Phils:
I heard some TV news this morning describe it as 'a wakeup call'. Forgot Melissa already, eh? How many wakeup calls does it take? Methinks wakeup calls now come with a snooze control.
It is just as much the fault of those responsible for continuing to rely on Microsoft systems. The last instance of prevention is often the legally most culpable. That instance can and most likely will be accused of negligence. And sad to say, that is just what we need in this world.
Put another way by Scott Petersen of eWEEK:
If you leave your keys in the car while you pop into the convenience store to buy a gallon of milk, is it the thief's fault your car was stolen?
It has been said that by merely connecting a computer running Microsoft Windows (which some might say is a type of infection all by itself) to the Internet, you will be infected within about 10 minutes. Just search Google News for "10 minutes infected sasser" (without the quotation marks).
Granted, there was a patch out before the worm started to spread, but if someone were to explout a previously unknown vulnerability, then anyone with a connection fast enough to download the patch would already have been infected. And even if you took your infected computer off the Internet and did a clean install with the original Windows installation disks (assuming you even *got* any of these), you wouldn't be able to update over the Internet because you would get infected the first moment you connected again.
What's really needed is a more secure operating system. They exist, but most people are not using them.
The real solution is to give users the thinnest possible client machine. No CD drive, no floppy, minimum locked down drive. No downloads of anything except HTML pages and images off the web. Applications centrally installed.
Give users the tools they need, take off the games. In many cases, take off the web.
And then steal a few cents from a bunch of bank accounts? Sounds like a job for Zero Cool...
Member of Orkut? Annoyed with spam?
In a twisted way it'd be fun to see MS being forced to recall and fix all their broken products - would cost them quite a lot to have a few million computers sent to them, fixed and shipped out again :)
http://blog.nexusuk.org
Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.
... one need only peruse their website and their past marketing of Windows, coupled with their slanderous misrepresentations of competitors such as Linux.
I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record
Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.
I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make
I dont think the OS choice is relevent.
Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.
Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.
Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.
The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
The Future of Human Evolution: Autonomy
Doesn't the Ministry of Defense dictate what is allowed on government and commercial networks in the UK?
Ask me about my vow of silence!
The Sasser worm is 100% preventable if your system is properly patched and firewalled.
Sure it is.
But I would venture to guess that their IT admins are like the admins around here who find that the new security patches often break some other functionality that they're using.
So it's just a choice of being dead in the water one way (no functionality) or dead in the water another way (sploit puts Windows box into constant reboot)...
"Provided by the management for your protection."
cs
"Now, isn't this an ideal case for firing someone for buying Microsoft?"
Better yet, how about seeing to it that someone inside MICROSOFT gets fired?
Microsoft seems to take great pride in building OS's that literally CAN'T BE PATCHED!
How else can you explain it otherwise when major corporations and government agencies are among the main victims of such an obvious bug. Presumably, these people all have a large IT departments and all knew of the bug in advance! Think of it!
Yes a patch is available, but for whatever reason, the patch is not actually useable.
The only answer should be to identify who at Microsoft was responible for the design of such a defective product and demand that he be fired! Large Microsoft users should be able to do this! Simply refuse to buy any new Microsoft product until the responsible OS designer is identified, black-listed and fired!
But there is a more serious problem within Microsoft. All top Microsoft decision makers are independently wealthy on Microsoft stock options, granted over the years. They literally can't be fired!
If such a top level employee was fired and decided to get even he could simply cash in all of his options, sell all of his Microsoft stock, trigger a chain reaction and level the whole pyramid scheme to the ground!
I reach the conclusion that Microsoft, as a corporation, is completely out of control. They literally CAN'T design, build and maintain reliable products, because top level people can no longer be held accountable for their actions!!!
MS is still partly responsible, for trying to ensure that their products are the only ones that the coastguard can effectively used. Their anticompetitive practises (and broad marketing) has tried to ensure that the coastguard has not alternative.
If MS will not provide a secure OS, they should at least mitigate their responisiblity by helping other people do so.
... are a LOT more responsible about their products as a rule then almost any industry, perhaps airplanes might be the closest, they always recall and repair or replace defective products, and go to some lengths to get the word out to the owners, and it goes beyond 90 days, and beyond the original owner on any defects. I know because I worked in a firearms warranty repair center before and been an enthusiast since I was about as tall as a .22 rifle. It's years and years in some cases with warranties. Many now come with a default "forever" warranty. In fact, they have some of the best warranties and repair/recall efforts in any industry. We would be *lucky* if all products had as good a warranty. Like name a major manufactured mechanical product that comes with a lifetime warranty now. Washing machine? Automobile? Bicycle? Hard drives? Radio? Anything? There might be but I can't think of any off the top of my head, but firearms are treated that way in a lot of cases now, and even in other cases where the warranties expire, recalls are still done if a defect is found.
The big problem is software got a compoletely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.
This deal was way back when it first really took off (I really need to research this now,it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and ayone can see that.
It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.
We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.
I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.
And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is effected" when defects show up. it can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software
Win2k came with a firewall? WinXP came with a firewall that was on by default? That's the same as having to snap the doors in.
Pointless though, I see that you're right when it comes down to it.
That's scary.
Don't blame the script kiddies for this. They are just kids, after all ..... kids are by nature explorers and experimentalists, and this is pretty much hard-coded into the human firmware.
..... an unfortunate consequence, not one that could reasonably have been foreseen by the "perpetrators" {all manner of crap already gets blown around railway lines, what difference does anyone suppose a coin will make?} but one that should have been taken into account by the implementors of the system. If the train makers can't be sure that a coin on the tracks won't derail their trains, then the trains are no good. What if a bird eats a berry, then shits the seed out and it lands on the track and that derails a train? Do you blame the bird? Blame the owner of the hedge the berry was growing on? Or do you blame the person who designed a train so badly that an object on the track would throw it off altogether?
It's like placing a coin on a railway track to see what happens to the Queen's face when a train runs over it, and ending up derailing the train
This is an excellent opportunity to sow seeds of change. Open people's minds to the possibility that there might be an alternative to Windows. Ask questions. Did they know there were vulnerabilities? Well, did they not look at the source code? [the what?] The source code -- you know, the human-readable form of the code that can be examined and modified. What scrutiny did you subject the source code to? [but that's a secret!] What -- you bought a locked box that you knew you weren't going to be allowed to look inside, and you didn't get even the tiniest little bit suspicious that somebody might be trying to hide something from you?
Every piece of food you buy is clearly labelled with a list of the ingredients. {this was actually used in an anti-drug propaganda advertisement in the mid-1990s, till some bright spark suggested that surely legal drugs would be properly labelled and the problems caused by not knowing what was in pills and powders were merely a side-effect of prohibition}. The analogy between Microsoft and Tom Lehrer's Old Dope Peddler is a strong one. Give out free samples {educational licence discount}, get people hooked {file format lock-in}, watch the little puppets dance to your tune.
For my part, I have pledged never again to work with Windows, ever. At all. The only repair I will ever again do to a Windows box is to install Linux on it -- barring that, I will simply unplug the power cable, leave it unplugged and consider that an improvement. The time has already come when I would sooner forego a computer altogether than touch Windows.
Je fume. Tu fumes. Nous fûmes!
These are soft crimes. There should be no hard punishment. It is coast guard's fault that they didnt have elementary backup systems which are klutzy to use and work most of the times - eg. ham radio.
How the fuck will a worm writer be responsible for the infficacy of some patrolling force?
Finally all you slashdotters will land in jail because of the stupid lines on which you think and the corresponding laws you may support.
dumbasses.
Microsoft.nl can't cope. This is the error message I just got when I tried to get to their website. Perhaps they haven't patched?
m mandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream) +723) +194f ic(Int32 siteID, Int32 redirectID) in c:\data\project\ms-cmo\redirect\redirecthome\redir ecthttphandler.cs:225R equest(HttpContext context) in c:\data\project\ms-cmo\redirect\redirecthome\redir ecthttphandler.cs:158t pApplication+IExecutionStep.Execute() +179S tep step, Boolean& completedSynchronously) +87
.NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.969
Server Error in '/' Application.
-
Procedure or function TrafficInsert has too many arguments specified.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Procedure or function TrafficInsert has too many arguments specified.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SqlException: Procedure or function TrafficInsert has too many arguments specified.]
System.Data.SqlClient.SqlCommand.ExecuteReader(Co
System.Data.SqlClient.SqlCommand.ExecuteNonQuery(
Microsoft.Nl.Redirect.RedirectHttpHandler.LogTraf
Microsoft.Nl.Redirect.RedirectHttpHandler.Process
System.Web.CallHandlerExecutionStep.System.Web.Ht
System.Web.HttpApplication.ExecuteStep(IExecution
-
Version Information: Microsoft
read my
Once upon a time maybe... but they haven't been military now since 1948
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Weight and Balance is an extremely critical factor for flight safety. Even the largest airliners must have carefully controlled weight-distribution to avoid the CofG going 'out of bounds' during various stages of flight (including different trim and fuel states).
Some examples from the British AAIB archives:
12 Jan 1999: Fokker F27-600 crash nr Guernsey.(load moved)
18 Sep 1996 Boeing 737-4Q8, G-BSNW (Uncommanded roll due to incorrect fuel balance).
18 June 1972 Trident G-ARPI crash after takeoff at Heathrow (Weight and Balance as a contributory factor).
Ripping an new rectum in the fabric of spacetime.
how is this at all microsoft's fault? They caught the exploit and FIXED it before this worm even came out? People just haven't been keeping up with windows update...
Many organisations pay lots of money to get the best, fastest, shiniest developments (like putting flat screens on desks) because that is the visible side of computing.
What gets left out are the backups, mirroring data, firewalls, system updates, virus checkers, disaster recovery.
The scenario around Sasser was known, avoidable, and relatively easy to prevent.
If you use a computer (any kind, mainframe, Unix, Linux or MS) for any mission critical application, or even as a serious home machine with accounts, documents etc on it, then the data is worth something. Have a plan to secure that data in the event of a disaster. Anyone who does not do this does not value their data. Remind them of this fact when they are standing in the jobless queue because their company went bust following a disaster.
Fantasy? I don't think so!
see here
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Believe it or not, not everyone is allowed to take their systems offline at a moment's notice and have you seen the amount of patching which has to be done on Windows systems?
We have a *team of 3 people* who do nothing but talk to the customers to arrange downtime for windows boxes and then apply patches.
Government of the people, by corporate executives, for corporate profits.
cars originally shipped with normal glass windows and windshields. When it was found that they were just too wimpy,defective, flawed, unsuitable, etc., for the purpose intended, they INDEED were forced to develop shatterproof glass and it's mandatory now to have such glass, by law. It comes uber hardened by default. Yes, it can still be broken, but not near as easy as just normal household glass, it is x-times better made and has the laws and warranties that reflect that. I guess it's a matter of degree. If a default install of a car window was such that anyone could just use their hands and push it in and reach inside, it wouldn't be allowed, it just wouldn't, yet OSes and other profitable softwares are allowed about that ease of penetration and unsuitability to be shipped and profited from.
I know what you are trying to say, but car glass is a bad analogy there, it actually proves the opposite point, "windows" needs to be effective and suitable, not defective and unsuitable. And car windows cannot be sold with a EULA that states you are accepting the fact that despite it's clear and obviously designed to look out of, that the manufacturer insists you accept the fact that they can become opaque, or are not necessarily designed for looking out or keeping you reasonable safe inside your vehicle. That wouldn't happen, and it falls into "reasonable expectations", which has a history of legal precedent behind it.
Software = obvious total free ride that no other giant industry gets, obvious as all get out. Sweet deal for them, sucks for everyone else.
Sure lets all bash MS,
"Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems"
but think hard, what if they had of been runing Operating Sytem and that had of gone down, whos fualt would that of been then??
Do you blame the OS developers for only realseing a patch two weeks before and not makeing the idots runing "critical systems" update.
Do we relay think that if the SYSOP for the coastguard couldnt use windowsupdate when a knowen new worm was runing wild that they would of updated operating system?
If they cant configer a firewall for a MS product right, woudl they have goten an open source one runing correctly??
mind you,
i have just a zonealarm free on standerd setings and i pay no attchion to these worms as ive yet to be infected, so im not one to speek on MS worms am i?
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
Nevertheless some guy wrote this:
My reply to that (unposted) was that it would be very difficult for a worm/virus to propagate under Linux. Specially if all "servers" are switched off. Simply because Linux is the opposite of Windows - there is no homogeneity
With Linux we have:
- Different Kernel versions (2.2,2.4,2.6), patched versions, hardened versions
- Different commercial and free distributions (Red Hat, Mandrake, Gentoo, Debian, Slackware).
- Different packaging managers (rpm,apt,yum,portage,or none build from source code)
- Different set of libraries (XFree w/wo Nvidia acceleration,gcc, all with different versions)
- Different Window-Managers (none just console,fvwm,FluxBox,Gnome,KDE,Enlightenment)
- Different mail-client - if we are assuming a mail-enabled virus here - (mutt,pine,sylpheed,evolution,kmail,web browser-clients)
And that is a small list of the differences between my Linux and someone else's. Soon we might have even different alternatives to X-window itself. Of course most seem to have Mozilla, so some common denominator is emerging. But I think most people don't use the email client (and address book).Any biologist would reinstate that if you have a species which is highly homogeneous (and the analogy here is Windows-XP) it is in great danger of being wiped out to extiction by some common plague (worm/viruses). The thing most people hate about Linux - is what protects it from widespread attack (dependencies,lack of homogeneity)
Linux makes you more security-aware anyway. It endorses/teaches that practice instead of you just setting your (often innefectual) "Windows-Update" on auto. Ok there is no such thing as a 100% secure system, but there is something at least 10x more secure than Windows: Linux
For how much longer are you Window users going to put up with all this?
Another virii attack, another M$ stinks vs. is-not! debate...
Instead of repeating the usual routine how '*u**x rulz' and 'by far Mo$T-buggy-s/w in the galaxy sux', I'd like to point out another angle of this.
There's no such thing as 100% security and no such thing as bugless s/w. But what is the real reason that lead most of humanity into this install-exploit-ddos-fix'n'remove-update-patch merry-go-round?
I had little trouble using MS-DOS, there was only a few tricks to learn. With windows, M$ started to sell a popular illusion that now every Tom, Dick and Harry can be a computer wizzard - with no education but a little 'training' in, for example, Office products.
This additude produced an army of users that claim to be computer litterate, backed up with now three generations of computer salesmen, consultants and advisors, all working under false assumptions about what a computer is and how it works. Nowdays, they all stare blankly into their systems with network down, bitch over their sysadmins while ignoring 'security efforts' at the same time and refusing to learn anything.
These M$ centric folks now only have their adaptabiltity and common sense to fight the
monstrous systems they were supposed to manage like 'so easily'.
A (true) computer expert can (learn to)
lock down any system, and a good unix system engineer will easily adapt to M$ as well. Not neccessarily vice-versa, but as long as enough (academic) knowlegde is around, experts have a chance.
If you want to name names and call culprits, Bill G. and the Redmond squad being your target, you should pick the real issue: an army of half-literates that will hardly be able to compete in the next steps technological progress brings allong. Understanding how a computer works and how to use (any) one may become as important as reading/writing...
There should be a special class in CS universities: 'the impact of the choice of computer architecture' about how the economically simpler solutions through 70's and 80's prevailed over clearly better academical concepts and paved the way for the three ring circus we have today. M$ is the one who got all the cream in what was really a 80[n]86 story to start with.
Watching my friends that majored in everything else but computers, they somehow get along, provided they treat computers with a distance: as an unreliable, nasty and unpredictable accessory only to use on a must basis. Those who are advanced enoguh that they want to use their machines and their computer skills for an actual advantage over rock, scissors and paper - add new words to the dirty dictionary every day while asking each other WT{F | H} went wrong again.
And there is little you can do now to help them. Explaining all the whys and hows of M$ concepts and how the Redmond conspirators managed to work around every sane concept in CS, setting loose into the world disastrous monsters like Outlook simply takes too much time and doesn't help anyone one bit.
So we should probaly stop whining and try to make the world a better place by assuring that our kids are taught useful stuff.
They're expert sailors. Paper maps = second nature. I doubt anyone was endangered by this.
I would have to disagree. If this "mapping" system is used for predicting the drift of objects and for coordinating a search, having it go down could endanger lives. When a person is overboard, or a vessel is in distress, any time delays can cost lives.
I work with such a system (CANSARP) and while it is true that you could do most of the calculations manually, it would take a lot more time to do so. When you are dealing with a vessel in distress or a person overboard, any increase in time can cost lives. That's why CANSARP is considered a critical application for the Canadian Coast Guard.
An an aside, CANSARP is a Unix based application and has remained so despite a push to windows in the department. The critical nature of the application has allowed us to swim against the tide.
Why is it when Microsoft machines get hacked its all Microsoft's fault, even when a patch has been available for sometime.
But, if a Linux machine gets hacked its the fault of the stupid admin?
Oh great!
That means all you losers can go on using your Windoze boxes and supporting Windoze shops - right?
I wonder how many people would use Microsoft servers and desktops if their jobs were on the line. If I'm the boss, and my network constantly goes down due to worms and viruses, I'm firing my network administrators for putting in such faulty software. Why doesn't this happen in the computer world? It happens with other products.
Wooohooo.
Time to leave my pirate cove and hit the sea.
With the coast guard out of the way, I can finaly sail to Calais
and resume my booze and sigarette trade.
My other Sig is very funny.
And only today they told me how well they do it with the informative blurb below, Secure by Design, Secure by Default, Secure in Deployment, indeed. If it is so f'ing secure why do we find ourselves in the present Sasser worm hell? What worm won't MS be responsible for next week - remember MS04-011 isn't just a LSASS vulnerability, its many flaws all rolled up into one helpful patch and security bulletin:-
LSASS Vulnerability - CAN-2003-0533
LDAP Vulnerability - CAN-2003-0663
PCT Vulnerability - CAN-2003-0719
Winlogon Vulnerability - CAN-2003-0806
Metafile Vulnerability - CAN-2003-0906
Help and Support Center Vulnerability - CAN-2003-0907
Utility Manager Vulnerability - CAN-2003-0908
Windows Management Vulnerability - CAN-2003-0909
Local Descriptor Table Vulnerability - CAN-2003-0910
H.323 Vulnerability - CAN-2004-0117
Virtual DOS Machine Vulnerability - CAN-2004-0118
Negotiate SSP Vulnerability - CAN-2004-0119
SSL Vulnerability - CAN-2004-0120
ASN.1 "Double Free" Vulnerability - CAN-2004-0123
Anyway for your reading pleasure here is Microsoft's take on the situation:-
Microsoft is committed to enabling every customer to work, communicate, and transact business more securely. Behind the global security mobilization announced in October 2003, we will continue toward that goal by working closely with customers, partners, and the industry. We measure our efforts using the SD+C Framework:
Secure by Design: Implementing threat modeling and other key security considerations in design and development stages. These considerations include: mandatory training in writing secure code; code reviews and penetration testing; automated code diagnostic tools; and redesigned architecture to maximize software resilience.
Secure by Default: Maximizing security in default configurations of shipped software. To reduce risk of attack, Microsoft has changed default configurations so that service settings are not enabled at delivery.
Secure in Deployment: Promoting more secure deployment and management of our software. These efforts include scanning tools, services-including patch management with configuration verification functions, and localized versions of security bulletins and tools, such as Software Update Services and Baseline Security Analyzer.
Communications: Keeping customers informed. These efforts include timely communication about software update releases and our worldwide Security Response Process. In addition, we are working with government, partners, and academia to deliver security education, offer security certification programs for IT professionals, and conduct consumer protection campaigns worldwide.
Be prepared.
There is not much difference in the car evolution and the computer evolution. With computers, we're entering the "regulation and bureaucracy" phase that hit vehicles in the early 1970s all the way through the 80s.
The computer aspect is going to involve "Government Agency #31337" full of washed up NSA agents ready for a life of peace and tranquility busting 'corporations' who will know how to pay them off and small business and personal (yes, open source) programmers who will be unable to release code that doesn't pay some stupid government certification.
The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems.
Naturally this event *doesn`t* raise doubts about running unpatched systems that arent even protected by packet filters (which, for al their faults would have prevented this) and connected to way to many other computers (Not limited to but, usually meaning the Internet) and listening on to many ports/interfaces with to much code at to high privileges anywhere (let alone in critical systems).
Naturally...
No sir, this is just a microsoft problem. This isn`t another case of RPC gone a little to easily accesable. This has nothing to do with RCP api`s being undocumented (security through obscurity). This isn`t another example of just running the whole piece of networking code with as much privileges as we can come up with and keeping dumping functionality in. It is just naturally microsofts fault. No I am not saying it isn`t microsofts fault, it is, naturally. They could have learned that coding rpc services in a buffer overflow prone way without tripple checking buffers isn`t all that smart. And they could have learned this years ago. But they didn`t, they went the "natural"/go with the flow way about this. Lazy. I mean everybody does RPC services in C with every privilege out there without caring for bugs enough. And they never released documentation for these network related api`s so, lets just keep doing it like that, its the natural order of things.
The software industry needs some natural selection on this..... this goes for all operating systems, naturally.
... for when the metal ones come. And they will.
That's right. All your base.
It also raises doubts over the reliability of the administrators of critical systems that haven't secured them enough that they're taken down by a worm. In other words, they've been outsmarted by a script kiddie and their scripts. It's one thing for a home user to have an infected machine, but there's absolutely NO EXCUSE to have one in a corporate environment, I don't care what OS you run. The systems didn't fail because of a worm, the administrators failed and should be fired. Out of a cannon.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
To be fair to the coast guard although there computer system was inoperative they did have a perfectly workable backup solution in place which they were able to use to exactly the same end result as they would have achieved using the computers.
OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for safety critical work. Computers are complex things and can fail for a huge variety of reasons some of which should be preventable ( in this case ) and some which aren't reasonably preventable.
If your home builder didnt put in any door locks assuring you 'its safe, dont worry', then yes they should share in the blame. ( notice i said share, not accept all blame )
This would be more accurate of an analogy then just someone 'breaking in'.
---- Booth was a patriot ----
Yesterday at my local Super Stop & Shop grocery store, all 6 of the self-checkout lanes were down, and all of the human checkout lanes were directing people to the service desk, where one poor woman was hand-imprinting who knows how many hundreds of credit card transactions per hour.
Why?
Apparently the system that reads my credit card number around four times a week for the past year has been running unpatched and unfirewalled.
Coool! Thanks, Stop & Shop IT!
Wouldn't be cruel enough. Wyrms* would be better:
"aaAAAAGHGH!"
<flame sound> <CRUNCH> <CRUNCH> <GULP>
* (read up on your fantasy fiction)
I think the problem lies in the name. I believe that the US Coast Guard is a defence agency, or is at least part of the military. In the UK the Royal Navy handles the defence part, while the coast guard is merely a non-military agency dealing with rescue and safety. This could be part of the reason why the UK coast guard systems aren't as secure - ther just isn't the infrastructure to do it compared to the military.
Most firewalls these days are what they call "stateful" firewalls. What that means is, they block all incoming traffic on all blocked ports.
HOWEVER if a service running on your computer dials out to talk to another computer, they let the response (ESTABLISHED/RELATED) traffic back in. For example if you block SSH, you can still connect OUT to other computers.
So the port 9996 notify would still happen with most firewalls, even if you blocked that port. If they modified the FTP server, so that it went out and got the file instead of waiting, that would also pass a good number of firewalls.
Agree with you about 445 though. That should be explicitly dropped, and never allowed near the open net.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I have a problem with this, you see the virus targets unpatched systems that are security risks. Where I live the building has a couple of morons with completely unpatched systems and the network in my building is shotty at best. Now that their computers are knocked off the network I have my interenet connection back I couldn't be more thrilled, so do I congradulate them or scorn them. I mean they were probably in the same position as me and got tired of their stupid neighbors. Now making major systems come down is bad, however patch your systems when the patches come out. Seesh.
For this? A month ago? I'm just saying is all...
When i saw a link on CNN last week about this I immediately checked my patches to make sure I was all up to date and read it was released a month ago. A month is more than enough time for IT folks to make sure the patch doesn't break anything.
I'm thinking there are still people out there who shouldn't have the job they have...maybe all the bloodletting wasn't enough and more is needed?
How dare they suggest a solution that will improve my situation.
When someone breaks their leg or their computer, they should just suffer.
We have to stop these people preying on the vulnerable!!
(Guess who disagrees with you)
uptime 67 days here - MS? nope
The quick brown fox jumped over the lazy dogs back 123456789
I was in the Coastguard for two years and not once during that time did we ever use a computerised map. This outbreak only affected the central control stations (such as the one in Swansea), not the actual Coastguard stations themselves, which work independently. There are hundreds of Coastguard stations around the UK.
Next to the computerised map systems in the main stations, guess what they have? Laminated maps! Our particular region (in the Bristol channel), is on map sheet 67.
This is far from a life-threatening situation. This is simply a case of the press getting excited because it has something to do with the emergency services. We didn't even have a computer at our station, and we had the fastest response time in the Bristol Channel (about two minutes from station empty to full readiness).
All the critical systems at the stations (such as communication), were entirely unaffected. Computerised maps are a low priority system.
Virus writers liable? Of course not: didn't you read the EULA?
Bad analogies are like waxing a monkey with a rainbow.
but the people responsible for administrating that network should be canned!
What ever happened to the IT guys taking responsibility for not keeping an eye on things?
The majority of IT departments in the UK are filled with ignorant buffoons without any regard for true security, as I've had to deal with a lot over the years. The "If It's Working At All, Then It's Working" mentality is a constant problem I had to deal with. Customers just wouldn't install critical patches on systems, no matter what the circumstances were. Even in one case someone failed to install a critical update bundled with the base OS media, and shipped placed in an envelope with the words "IMPORTANT - Please Install" printed on the outside in big red lettering.
There seems to be a great deal of technical ignorance in UK IT. I'm out of work at the moment, but actively looking, and I've not yet had an interview where the interviewer has submitted technical questions. Other worthless factors (psychometric tests) seem more important to these morons.
Anyway enough of my ranting; I'm off to shout at another recruitment consultant who refuses to handle my application as a database admin because I've not worked in the public utility sector, which seems to be more important that actually being able to admin the machine.
As someone who might at some time need the coastguard ( I boat a lot ) I say hang 'em high, both the virus writter and the idiot who didn't patch, and while your at it, the moron who specced the system.
Its not the fact that MS is any worse than linux software for bugs etc. BUT it is more at risk from virus attack so, all things being equal, the lower risk strategy is to pick Linux or similar in such a mission critical application.
A bit off topic, but a week or so ago there was a reality tv prog showing the coastguard/RNLI (RNLI is our volunteer rescue service for those not in the UK ) and some stupid moronic woman was hogging the rescue and calling channel 'for a laugh' these people should be removed from the gene pool too. ****RANT OVER****
Why doesn't the most popular operating system come with a built in virus scanner that can be updated from the M$ update site?
Why isn't M$ held partially responsible for worm/virus related incidents?
For example; if there is a known exploit and it is not addressed in a timely manner by M$ then should they be held partially responsible?
Sort of like a landlord that knowingly rents an unsafe apartment.
"If any question why we died, Tell them because our fathers lied."
Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems
Since the patch for this has been out for months, what this really raises doubts over is the competence of the admins who run affected systems. Anybody stupid enough to not install critical updates is too stupid to keep a Linux system running right either.
It also raises questions about the intelligence of people who submit articles to Slashdot.
Our PC guys swore up and down that all MS systems in the company were all set up with automagic patching through our corporate SUS service.
Sasser, which is a non-destructive worm (sure, you can suffer some damage if you stupidly set up a dependency on unreliable, unpatched, black-boxed software - but that's your own idiocy) that does not destroy files yet cannot be ignored, practically forces you to immunize against the ASN1.ber flaws!
When the ASN1.ber worm hits, those who patched in response to sasser will be very grateful for this timely kick in the pants.
I'm already glad that the PC guys got their noses rubbed in their own incompetence; at least 25 systems were infected despite their claims of immunity.
Thank you sasser authors!
It's easy to say "MS sucks, look at this proof" but the fact is MANY systems are vulnerable to malicious intent and the free solutions escape much of this attention simply because fewer people seem to be - for now - writing exploits.
/. crowd, but computer users as a whole) keep sticking our hand in a fire and getting it burned, why do we keep sticking it back in?
M$ stuff has historically proven... and re-proven multitudes of times over and over, that it is the single most "attractive nuisance" to writers of viruses, trojans, worms, malware in general. Why? Two things that we already know, #1 it is in most widespread deployment, and #2 because it has historically been written in a negligent manner... piling on of features mindlessly rather than asking if those features are really necessary, and how will they interact with other things and how will they affect security of the system, before even considering implementing them.
Step back, look at the situation and ask yourself, "What's wrong with this picture?" Sometimes the answer is "Us". We're what's wrong with the picture. When we (not the
Canadian Customs: Where are you headed?
American: New York
Canadian: Anything to declair or weapons?
American: Well actualy I have a cannon, powder and canonballs in plain view on the trailer that I'm pulling
Canadian: Sir do you have any hand-guns?
American: No Hand-guns
Canadian Customs agent: Enjoy your stay in Canada
Apocalypse Cancelled, Sorry, No Ticket Refunds
What requirement was there for putting the Coast Guard machines on the Internet?
They were saving lives before the Internet. Obviously connectivity isn't mandatory.
Critical services should have only the connectivity they absolutely need. I mean default-deny firewalls, proxies, text-only email or none at all, with the ideal being no networking whatever.
You'll still need to harden the hosts, of course, to protect from the infected-laptop problem.
the worm writer should be easy to find. Usually they post the code on "hacker" sites and take full credit. He should not get into any trouble at all. He is providing a service for microshaft. "Here is a way to exploit your crappy OS, now do something about it."
However, the bastard that turned it loose and actually put it into use, breaking the internet connected PC's, should be burned at the stake. Microsoft doubly so for not patching the problem.
l8,
AC
Microsoft's EULA has disclaimers that remove their liability to their customers for bugs, but could non-customers have a successful case against them for all of the pain their bugs cause the rest of us?
I'm sure others will confirm, I haven't seen any news coverage on it. I work in a law office and had to contact the IRS for a dispute holding up the closing on a home. I was informed by the clerk that they were hit with a virus and their computer systems were unavailable.
Good, I hope this virus wrecked everything. MUWhahahahaha. Maybe I'll get an extra check this year, or not audited for my shady return. MUWHAHAHAHA!
All the DRM and fine-grained ACLs in the world won't matter if a service the system has buffer overruns. Then you can remotely modify the service by inserting your own code into the running, *trusted* program.
MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.
There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrator's salaries.
I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.
Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."
Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.
Autopatcher.com carries a cd people have put together than carries many and many of the patches MS has released.
I've seen good reviews, along with a decent community around it, but ymmv.
>you shouldn't rely on any computer system without a manual backup process ...
>Computers are complex things and can fail for a huge variety of reasons
Bravo.
A firewall can't keep you running after an earthquake but a good incident response plan can.
The manual backup needs to be rehearsed regularly, though, or it decays into uselessness.
Or we could blame the victims. They should have installed patch xyz123foo. "It was announced weeks ago." And some of them may have spread the virus to other computers. Maybe we should fire them, as someone suggested, and hire people with even less knowledge.
No, I think all this just avoids facing the fact that these viruses (and all the other various worms, trojan horses, and even spam) came from the hand of a computer expert, a hacker, nerd, geek. One of us. I know you don't write viruses and I certainly don't but when we blame Micro$oft or computer users, we are pointing the blame away from the group which certainly deserves it: a small but very destructive subset of us.
So I think we should find these people who are engaging in network terrorism and throw them in jail. These are not heroes, folks. These are terrorists. If we knew who they were, we should be turning them in and stop wasting our efforts blaming Micro$oft. God knows there are plenty of other things to blame them for.
The flaws that permit exploits are also the flaws that cause failures under unexpected operating conditions. The failure of the Mars rover wasn't the fault of hackers--but the flaw that caused it, if it were first found by a hacker, would never be blamed on the real perpetrator: the engineers.
Yes, your win2k terminal server, that has access to your win2k file server has a problem.
Patch it, and potentially knock out terminal services.
Firewall it, and prevent file share access from working
Leave it, and get 0wn3d.
Good set of choices there, thanks Microsoft....
Before jumping to conclusions and pointing the finger at the admin how about having a go at microsoft for:
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Certain M$ programs, which blow away or cripple other installed software (even the act of installing Windoze into a partition blows away the MBR, which may have been set up for Linux, BSD etc in other partitions, clearly constitutes an offence, it would be nice to get Sir Bill in court to invoke the only possible offence, which is to admit ignorance....). The law is applied to hackers when caught, AFAIK there are a few in prison now, and others have faced huge fines.
Even before this excellent law was introduced, they used to get you for the catch-all of "stealing electricity", which was also used for phone hackers etc. The fact is that now, if it is a deliberate act, as writing, and then releasing a virus would be, there is no defence, and rightly so.
If he was involved with any other people and there was the slightest intention to cripple the coastguard, or anything else, the charge of "conspiracy" would also stick, if it extened to "conspiracy to pervert the course of justice", i.e. disrupting any part of the legal system, police, (and I think that would include Coastguard) etc, the maximum sentence AFAIK is life imprisonment, and it would be well-deserved.
I would hope that in cases like this, every civilised country would apply their maximum penalty (in China that consists of summary execution, and the family get the bill for the bullet, maybe a little extreme, but I did say civilised country), it is the only way that viruses will be brought under control.
Of course, using any M$ system for anything critical is extreme folly, and if someone was injured or killed, could be alleged to be criminal negligence. So might be the act of connecting a nominally secure system to a public network without good cause and extremely good firewalls.
I usually work in safety-critical industries, aircraft, railway at the moment, and shortly nuclear, and the thought of using any M$ product in any of these areas is quite horrific. It has been said that certain imbecilic people in the US and elsewhere do control nuclear reactors, oil/gas installations, chemical plants etc with NT, and I know that some years ago, M$ were trying to get into aircraft systems. All of this would be illegal in the UK, none of the relevant certification authorities would allow such a thing, however there may be a gap between the perception of things which would directly cause disaster if the software failed, and those which are part of a management system. If the emergency services lose functionality and an ambulance is not promptly dispatched to the scene of an accident, someone may die, (and tragically have very recently, only I don't know if computer systems were involved or if it was a human foul-up or just inadequate resourcing, the enquiry will determine which), and the same here for the rescue side of the coastguard. But, I don't know that what are basically management systems, need or get any kind of certification by any competent authority. Even the banks, who stand to lose billions, have insecure systems, again no proper certification, because the only bodies who are able to introduce mandatory standards enforceable by law are the various government agencies concerned with air, rail and nuclear safety, for example.
There are big issues which need to be addressed, involving not only software, but adequately redundant hardware, power supplies, etc, and it would be useful (but sadly unlikely) if there were common world-wide standards which people could work to. Food for thought?
obviously, no software is "bug free" or "100% secure", and anyone who thinks otherwise is living in an alternate reality. it's also fun to blame microsoft for everything "just because they suck". but do they deserve it? i can remember seeing one of ms's ads in a computer magazine recently, claiming that win2k server is orange book certified and 99.999% secure. surely this is an outright lie, as has been proven time and again. in my opinion, if you CLAIM something is perfect, then YES, you ARE responsible if it turns out otherwise. is it the coast guard's fault that they were operating under the misapprehension that they had a secure platform, just because they were sucker'd by microsoft's sales force? I'd say YES to both counts. Microslop is to blame for selling a third rate product and claiming it's first rate.. but the coast guard is also to blame for not researching the product and hiring proper technical staff. imho, the very last person to blame is the virus author. that's just stupid. think of it this way: you build a house of cards and tell me that it's the most secure house of cards ever, and nothing i can do will knock it down... then i discover that by removing a particular card from the base the whole thing crumbles... am *I* to blame for finding a flaw you didn't think existed? certainly not...
if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?
The answer is no. Ethically and morally speaking, it is not possible to be partially responsible for a death. Death, the extinguishing of a sentient life, is a moral absolute that cannot be diluted.
Being part of a mob that stoned an innocent man to death makes you no less guilty than if you killed him by yourself.
I am disrespectful to dirt! Can you see that I am serious?!
Wouldn't bundling a virus scanner in be about the same to the virus scanner market as, say, Internet Explorer is to the browser market or Media Player is to the media player market?
Just a thought. There's one reason right there, there are probably quite a few more.
"I have used both and studied the design of both in several University courses. The design is sound. Some of the *default settings* are not made with security foremost in mind, but that's understandable due to the priority given to legacy support.
As Linux becomes more popular, the average skill level of its user base will drop and it will be exploited more. Deal with it. The most common weak link isn't the software, it's the user.
"
Ah, tell me how the user is to blame for say, Blaster infections ? How about the latest worms that infect the PC if you merely SELECT the infected file in your mailbox ?
In a user environment on a Linux box, a virus would be stopped dead when it has to ask for root access to the OS core outside active user directories. You may lose your own files, but the OS will be unharmed by a rogue virus.
But the numbers should tell all: 50000+ virii for Windows, almost none for Linux. I havent heard of any Linux virii yet, at least.
I'm at a loss to explain how a man claiming to have university experience in CS don't know this.
Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
Hopefully he gets caught and charged with him crimes in a county where they still believe in cruel and unusual punishment. You kill someone here in the states, and you're a good boy in prision - you're back out in 4 years.
Proof that our legal system is too weak. We implimented tourture, strecth racks, and iron maidens again, we'd have a lot less crime.
-- If we don't stand up for our rights, now, there will be no right to stand up for them later.
Virus and Worm authors are our friends. They help raise awareness and defeat the weak. This is computerized darwinism. The strong survives.
Your logic is inconsistent. Virus/worm authors should be searched for and severely punished. That is also part of darwinism, virus/worm authors are a niche subject to environmental pressures as well. Going to prison and losing the ability to pass on their genetic material to the next generation is just part of that pressure.
I work for a county ambulance service. We carry a decide called a "LifePack 12" that we use to monitor patients hearts, check blood pressures, check oxygen saturation levels in the blood, and even shock patients.
You can bet your sweet ass that it's not running Windows XP Home.
It's powered by Java.
There's no place like
This should be the rule. Hire on coders to just sift through all the data on previous applications and operating systems.
Streamline or fix code that was carried over into subsequent versions, close off those damnned security holes.
Take what you've compiled by sifting through that code, and make THAT your next OS.
All it seems, for the most part, is coders trying to reinvent a wheel while ignoring the 6 foot wide potholes in the road.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
I think Sasser is great!
Cute girls now shows up at the computer help desk at the university. They really appreciate my the help.
But sometimes these really weird guys come...
--have lifetime warranties, I can think of some readily, that I own actually, say craftsman wrenches and other hand tools,some kitchen knives we have here, etc. I was more meaning over-all mechanical or electrical do-dads, the entire product, not just a chunk of the product. Very rare if impossible to find anything where the entire product will have a lifetime warranty that has multiple moving parts and is subject to a lot of abuse and stress outside the firearms industry. The frames and forks on bikes I can see that, even with frame flex, but not all the other stuff, not the crank assembly or free wheel or brake assemblies,or chains, wheels, etc ie, the "whole" bike. Although I admit there might be some examples out there, the bulk of products sold now have limited and specific warranties, but at least they have SOMETHING, softwares have zee-ro, no matter how much they cost. Well, yes, you can get "we might fix it if it breaks" contracts,this is true, but those are not default built in warranties like we think of them with other products. I will also admit there might be specific, small niche, custom built softwares that I am not aware of that have a warranty automatically sold with them, but the bulk don't, they have those get out of any responsibility EULA "voluntary contracts", all the software I ever used/saw had them anyway. That's the stuff I am talking about.
The company is one of Swedens largest insurance companies, it's called "IF" and I think I'll change to a company that has their shit more in order.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
There are two problems I see: trojan horses and worms. We can help deter the worms, not defeat, by setting intelligent network firewalls (or buying cheap $50 NAS-firewalls like Linksys, D-link, etc.). Portscanning seems to be the big payoff for internet connected computers -even with brain-dead firewall software. We can deter the trojan horses by educating users about how to maintain a secure computer. This entails showing them how to check for updates/vulnerabilities through mailing lists, websites for their software and for their virus checker. This also entails showing the user a broad spectrum of choice, particularly in web browsers. This also entails teaching them how to understand email headers, dns and dns lookups, whois queries, and webpage loading, cookies, SSL, and javascript. Armed with this intelligence, the user can spot something fishy immediately as well as avoid falling prey to crafted web pages, IM messages and URLs, malware, spyware, and trojan-ware.
;) How is it that Windows never came with instructions on how to use the command line? Why try to make all the system programs hard to find in the system folder while not providing any shortcuts in the Start menu? (like winipcfg, ping, nbtstat, ipconfig, netstat, route, msconfig) And the instructions for these programs were a bit lacking too. Also why in a release version of ANY windows version do the default settings SUCK? Lets see, firewalling OFF, WFP/SFP SILENT, etc.
Whoever came up with this concept of "transparent" computing should be dragged into the street and shot. How is it, developers never thought of using log daemons in Win9x? How is it that hex code should be printed to the BSODs and error windows instead of REAL english in the release version of the OS? (oh, wait, that was MAC-OS 6-9...
The real problem is not stupid users (though they DO exist), the real problem is that windows has not created a Smart User Environment (SUE) for users to operate their computer. This is analagous -I believe- to the problems of the USA lacking female mathematicians, physicists, and computer scientists, as opposed to other countries. The moment we realize that software and automation (though, helpful) cannot replace security-conscious users, is the moment we make a leap forward in computer security.
...small furry creatures from Alpha Centauri...
Perhaps this is the day that Sealand and its' armored canoes have been waiting for...
Yes.
I can be so certain because the Internet affects many countries. So the effects take place where there are many different laws used. So what laws might be applied? Well...
If it displeases the King, the worm writer can be punished.
This worm has taken down some sort of rail system in Austrailia, as did Blaster with CSX, and just about every month a large, important mission-critical institution is brought to it's knees for the slightly-bigger institution of the Virus cartel.
When your business is defending your nation or keeping trains from colliding or watching a nuclear bomb turn water into steam...don'tcha get it? Why on Earth would you entrust such infrastructure to the same kind of computers that connect Aunt Tilly to the internet for email and browsing?
Someone has gone to a lot of trouble to hide the fact that back around 1985 we called this platform "The Personal Computer (PC)". But when institution after institution gets knocked down and puts people at risk, the virus writer isn't the only one at fault.
--- For a good time mail uce@ftc.gov
Somebody needs their ass kicked over this one. Hopefully nobody dies as a result.
Dude, that would have to be one hell of an ass-kicking...
Any "important" systems should be on a segmented network!!!! It's crazy to think that admins that deal with systems that directly affect peoples lives allow any old system on their network. I know they brought in infected work laptops....Well they should have the critical systems on a segmented/firewalled network where they can never be affected by stuff like this. What was it last year, a Nuclear Power Plant got infected. I mean come on....What's next the missle silos in the desert.
The Internal Revenue Service(US)has benn down off and on for the last two days. And this is an agency that still uses NT 4.0 for the desktop and tape drives for archive. Newest and baddest doesn't come into it.
I want revenge. I'll settle for justice. Mercy is optional, but not very.
"Two things that we already know, #1 it is in most widespread deployment, and #2 because it has historically been written in a negligent manner" Another possibility as to why MS has as many security issues is enmity. It seems there are quite a few individuals who are not particularly fond of Microsoft, and so actively seek exploits. Not as many people seem to bear a similar grudge against the other Operating Systems, so exploits aren't found.
How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.
Lots of $$$$$, which buys them plenty of puppet congressmen. Just look at the power of the NRA.
Consumers don't always go for reliability and quality.
For a long time Apple was a better computer than IBM. Apple had way less 'issues'. You bought an Apple and it worked. You bought an IBM and if you installed anything, you had problems. That didn't matter to the consumers; me included.
In the beginning, VHS was way worse than Beta. I didn't buy Beta either.
Don't try tell me anyone ever really thought that Microsoft software would be reliable in critical systems. You'd have to have been living under a rock for the last thirty years. And for the last few years there have been regular reports of crippling widespreads viruses/worms in mainstream media. Nobody can claim to ever have thought that MS systems were reliable and secure against downtime-causing attacks ... no, people buy Microsoft anyway in spite of knowing this. So this doesn't raise any new "doubts" to anyone in the world.
The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
Man...just so much garbage in your post, where to start. We'll start with exploits. Of course there are more exploits on the OS that is on the majority of computers out there. If someone replaces MS, they will have just as many exploits. The problem lies in that if you want a more secure system, you are going to have to convince the users to use it. People (not slashdotters) are not going to log on to a seperate account to install software. It just isn't going to happen. You might say, "but it's so easy". Well, so is running a software firewall and applying patches in a timely manner. As far as your other points, show some credible sources that are independant sources rather that just Linux advocate pages.
I find your idea of blaming the OS company particularly disturbing as well. The patch that could stop this was out there. A firewall would have stopped this. Locking down ports would have stopped this. If you have critical systems running on Windows, then you do these simple measures. An unpatched Linux/Mac/BSD box is just as easily compromised.
I know this isn't a popular opinion around here, and I will take a karma hit, but please, take of your "OMG LINUX is the be0mb" hat and realize that this problem will occur in ANY OS that is left vulnerable. Complaining that they should use a Mac isn't going to solve the problem. Their software probably only runs on Windows. This is the problem: how do we make people with computers on networks more aware of how to protect their machines and data. This will be a problem no matter who is #1 and who gets exploited.
The scum who wrote this is to blame. He should be prosecuted and thrown in jail for a long time. MS should continue to improve their security (as should all OSs). The coast guard should learn how to secure their network. That's all there is to it.
(And as far as the rest of your argument: the fraudulant claims of stability and security garbage. Who cares? It's freaking marketing and absolutely irrelevant on who should be at fault for the damages that occured)
Support a great indie game: http://www.abaddon360.com
Should microsoft be held responsible for any deaths that occur from this outage?
... I hear you but have no easy answer for it. Never coded much except bogus little html and whatnot, few apple scripts, that's it.
Eventually this EULA stuff is gonna go, SOMEONE is gonna challenge this thing, probably some business that gets hosed for millions of dollars and the CEO just goes ballistic over it. I'm amazed it ain't happened yet actually. people are just going to demand it eventually, if this web hacking nonsense goes on, and we'll wind up with all sorts of big brother 'web security" nonsense if the software manufacturers don't do it themselves first.
About the only dodge I can think of,for paid software, that is both ethical and would be legal, is for paid for software to only be released to "beta testers" and you hire them for a buck or something to "test" your software, and beta testers can be anyone. Sorta like those private bring your own bottle key clubs in dry counties that have no public bars..
With free/open source, I always assume I am a beta tester, been my default position since I switched from mac classic. I paid for mac classic, and so fewissues with it I never even thought of complaining, it just mostly always worked and I was quite happy with it, all of apples stuff anyway, the hardware and the software, and I never had zip for security problems, musta lucked out or something, but no getting owned especially, never got a worm or virus anything, with nothing more special than default install and make sure appletalk and sharing was turned off unless I needed it. Hmm, system 6 on up there. That was about it, certainly never even looked for a firewall. And I keep my old PB 1400 right handy here, always waiting for the mother of all windows wurms to snag out 7/8ths of the web. Don't know if I could still get back online, but know I won't be a problem if I do to anyone. I'm still not sure enough of myself with linux though, I'll put it between MS and apple on security. Linux is way too complex to take anything for granted with it, not much different than windows in that respect, IMO. But I pay 4.89$ for an OS and a ton 0 apps on disks plus some cheap shipping to get it too, not 100 clams for an OS and a few apps. Big ole hairy difference there in my mind, and I KNOW the folks working on all that stuff are like "here, check this out, help out if you can, this is for everyone, share it, help fix it, and etc".
cool beans, I dig the philosophy, sorta like the old timey neighborhood barn raisings. I don't got a problem with something like that if occassionaly it gets borked..
Third party stuff on classic was sometimes flaky, netscape browser always gave me fits, but I preferred the way they rendered pages the best, and that was free (eventually, I remember when it wasn't), so I thought of it as beta ware, and certainly sent in every talk back crash bug report that popped up.
Hey, be the first on your block to offer a warranty for your for-sale code! Just word it carefully, that's all. Announce it on slasherdotted. SOMEONE has to do it, first guy gets some very cool cred methinks.
... you still can't. I ran apples for years, but I'll be the first to admit they were hard to find unless you lived in a big city. Like, right now, I can go to the nearest towen, there are at least 6 places i can think of that sell computers, not a one of them carries apple products. And by staying expensive, they kept quality, but never expanded beyond the niche markets they developed, and basically used owner loyalty to maintain that market. They WERE very expensive, and when we had the explosion of the clones, and most of them had DOS on them, well, buh bye neck and neck race, hello dominance of MS and commodity hardware. Back in 85 I was helping these guys build peecees then install them in LANS, they were making serious coin with them, too, geez, what were they then, 286s? I can't remembver, but they were going for over 3 grand and I think apples were 4 easy. Not too many folks wanted to pony up the scratch for them, all the early buyers were mostly businesses and schools and government.
But, my other point, they just never SOLD them too hard,it's like they play acted at it or something, a few real creative decent TV ads, a few lame attempts at some stores, etc, still pretty dismal. I got my last one mail order, only way I could get one without huge driving and time involved. And I can't answer why they didn't (and still don't) try better, luxury cars sell well, inside a market that has yugos to whatevers. I mean, really, every time there'sa new windows virus they could run TV spots showing "they don't have that problem", or they could have the past buncha years. anything but what they were doing. They built good stuff, no idea on how to sell it until just lately it seems.
Where did you get this information??
I've installed it and Terminal services works perfectly fine. There are caveats about installing on Terminal Services for NT 4.0, but nothing indicating that it breaks terminal services at all.
In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
Apart from not keeping their systems patched, they aren't.
However, worms like Blaster make up a *minority* of the malicious code running around out there, and are *trivial* to protect against.
How about the latest worms that infect the PC if you merely SELECT the infected file in your mailbox ?
Sorry, I'm not up on the latest Outlook vulnerability, what's it called ?
In a user environment on a Linux box, a virus would be stopped dead when it has to ask for root access to the OS core outside active user directories. You may lose your own files, but the OS will be unharmed by a rogue virus.
Not this idiotic response again.
Firstly, the exact same principles and functionality of user privileges and separation applies to any competently administered Windows machines. So the "running as a regular user" excuse applies equally to Windows.
Secondly, most of the time malicious code doesn't need elevated privileges.
Thirdly, the bulk of machines are either completely or primarily single user. OS files that can be restored onto a machine in, at worst, a few hours, barely even qualify as irrelevant compared to the hours, days, months and/or years of work contained in "user files".
The same users who create all the "stuff" that make a business valuable also have the rights to destroy it. A computer does not know the difference between a user and malicious code that looks like a user.
This may be difficult for you to grasp, but the OS files are usually the *least* important data on a system.
But the numbers should tell all: 50000+ virii for Windows, almost none for Linux. I havent heard of any Linux virii yet, at least.
There's a few, but due primarily to a) the scarcity of Linux machines and b) a much higher average competency among Linux users, they rarely get very far or cause much damage. This will change as the platform gains popularity (or won't, if it doesn't).
I'm at a loss to explain how a man claiming to have university experience in CS don't know this.
Doesn't know what ? That Linux can have separate user contexts ? That there's more malicious code out there for Windows that Linux ? The some malicious code doesn't require user intervention to run ? That a less common platform with more competent users will have a lower infection and propogation rate and a much lower potential to cause damage ?
.... tons of laws out there. Here's the first google hit on Consumer warranty codes.
:
Under that, we have
Sec. 2304. - Federal minimum standards for warranties
(a) Remedies under written warranty; duration of implied warranty; exclusion or limitation on consequential damages for breach of written or implied warranty; election of refund or replacement
In order for a warrantor warranting a consumer product by means of a written warranty to meet the Federal minimum standards for warranty -
(1)
such warrantor must as a minimum remedy such consumer product within a reasonable time and without charge, in the case of a defect, malfunction, or failure to conform with such written warranty;
(2)
notwithstanding section 2308(b) of this title, such warrantor may not impose any limitation on the duration of any implied warranty on the product;
(3)
such warrantor may not exclude or limit consequential damages for breach of any written or implied warranty on such product, unless such exclusion or limitation conspicuously appears on the face of the warranty; and
(4)
if the product (or a component part thereof) contains a defect or malfunction after a reasonable number of attempts by the warrantor to remedy defects or malfunctions in such product, such warrantor must permit the consumer to elect either a refund for, or replacement without charge of, such product or part (as the case may be). The Commission may by rule specify for purposes of this paragraph, what constitutes a reasonable number of attempts to remedy particular kinds of defects or malfunctions under different circumstances. If the warrantor replaces a component part of a consumer product, such replacement shall include installing the part in the product without charge.
---and yada yada yada,paragraph b, sub section whosis, and etc, legalese out the wazoo. It's real long and complex. Nope, warranties are required, implied use, etc. Basically, whatever you read in the fine print in a software EULA that they want a free skate on, applies to most other meatworld things that are "for sale" new. If you sell a kids wagon, that thing better have wheels that roll, it got to haul some stuff, and it can't fall apart or spontaneous combust or whatever for such and such a time. Companies USE warranties sometimes as bragging points, but they are required to have them, almost without exception. We USED to have "caveat emptor" that was like a long time ago, long gone now. too many scams when on with it, "snakeoil" was the norm, not the rule. Hmm, reinforces my stance on software warranties, and why we need them, especially when they get "patents" on them and sell them. My favorite "this software may not work for anything, not suitable for yada yada'. Phooie, what ELSE you gonna do with the thing? You are gonna cram it in your machine and it should work like the shiny box or blinkenlights website says it does. What ELSE you gonna do with an OS on a disk but try to use it as a OS? What ELSE you gonna do with acme tax prep software, or amalgamated video vue-er? It's nuts, they get a free skate, times up, they need warranties for suitability of purpose and for defects. End of story. Same as any other product.
Magda Hzrova, the gypsy woman who channels through me, on occcasion has this curse for Microsoft: "Let it be on your heads if anyone dies from the
Sasser virus. You have been warned!"
I am now back to normal.
Air traffic control systems being interupted?
Shipping lanes brought down?
Discuss.
Premeditated Vandalism? Terrorism? scampish kids "having a larf"?
Governments/Courts should stop fucking about and Nail 'em. Hard. Everytime.
I don't know which is worse. The apparent worsening of Windows spawned worms, or the apologists who continually maintain that Linux is being left alone in the virus department because it isn't as popular as Windows.
Learn a tiny bit about Linux/Unix shell scripting and then a tiny more about downloading, configuring compiling, testing and installing a Linux/Unix executable as a user then try to maintain with a straight face telling the world that Linux is vulnerable to the same hilly shit, the same sloppy ass programming failues Windows is vulnerable to.
You people who continually maintain that Windows is a victim of its own success are waaay behind the power curve in computer operating systems.
You have zero knowledge of the kind of hoops you have to jump through as a user to get a script to run, let alone trying to compile and install an executable.
Okie... I have jerked off enough on Windows people. Strangely, I feel loads better.
Dawn of the Dead
Hey you guys are always blaming MS for these virus problems! Why don't you put the blame where it REALLY BELONGS: on the PEOPLE WRITING THE VIRUSES!
According to YOU guys, if somebody's house gets burgled, it's THEIR fault for not making their house as secure as a bank vault or a fortress!
Think about a house. It has WINDOWS, right? And it's EASY TO BREAK WINDOWS! They're just made of glass! You can throw a brick right through one and get in and pinch all of somebody's stuff.
Shouldn't all you ANTI-MS geeks REPLACE all your windows with STEEL ARMOR PLATES to avoid getting burgled?
It's not up to MICROSOFT to stop viruses! It's up to the VIRUS WRITERS to stop writing them! Put the blame where it belongs: on the virus writers! If your granny's house got burgled, would you say "YOU STUPID BITCH! YOU LIVE IN A HOUSE WITH GLASS WINDOWS?? Of COURSE you got burgled! You should live in a BANK VAULT!"
STOP BLAMING MICROSOFT FOR PROBLEMS WHICH ARE SOMEBODY ELSE'S FAULT! THEY ARE AN HONEST COMPANY PRODUCING A GOOD PRODUCT AND THEY DESERVE YOUR RESPECT AND THANKS, NOT CONTINUAL ABUSE!
Trying to assert population size has no bearing on infection rates and damage scale is just plain ignorant.
The apparent worsening of Windows spawned worms, or the apologists who continually maintain that Linux is being left alone in the virus department because it isn't as popular as Windows.
Not popular, common.
When Linux is as common as Windows and has a similar end user demographic, it *will* suffer from more attacks and more problems. What truly boggles my mind is the people who try to assert it won't, because Linux has $SECURITY_FEATURE_ALREADY_IN_WINDOWS and for some (unstated) hand-waving reason it will actually make a difference. Are you naive, simply inexperienced in Real World Computing, or just plain stupid ?
Learn a tiny bit about Linux/Unix shell scripting and then a tiny more about downloading, configuring compiling, testing and installing a Linux/Unix executable as a user then try to maintain with a straight face telling the world that Linux is vulnerable to the same hilly shit, the same sloppy ass programming failues Windows is vulnerable to.
I know a great deal about both, which is why I'm well aware that a shell script using the standard tools installed on just about every unix box you'll ever sit in front of, could do pretty much everything the vast majority of malicious code that targets Windows does.
You have zero knowledge of the kind of hoops you have to jump through as a user to get a script to run, let alone trying to compile and install an executable.
"sh r00tme.sh". Damn, that's all of about about one step harder than clicking over the option button from "save" to "run" and hitting "OK".
no no, really. We just got a really nice looking coke vending machine with moving conveyer belts and whatnot. But it is a ton less reliable than the old machine, which was largely regarded as a piece of shite. Coke wanted to look good, but they really could have had a better engineer look at the possible flaws in this design. Someone could have put a sensor in to determine if the machine had actually dispensed product, or if it should give a refund.
If coke put out a top heavy coke machine with spindly front legs, you could be damned certain I'd hold them partly responsible. If some idiot pulled the machine over on themselves I wouldn't argue that he should be financially compensated for his own stupidity, but I would certainly complain that such a problem shouldn't have left out in the open and should be fixed immediately in all installations, past present and future.
I blame microsoft for pushing their bottom line's importance over the importance of anything else. I blame for using marketing to improve market share instead of engineering. I don't blame them for trying to patch the systems, but for having a total lack of foresight into the problems they should have seen coming down the line. Really. XP wants you to have an admin account with no password. C'mon now. We figured out that was bad - what - 20 years ago?
I blame the people who put windows in critical installations. I'm currently waiting for a frelling forensics analyst to determine if a windows machine that had SSN's and CC#'s in it was accessed after it had been broken into at my place of business. That information should not be present on that OS when the OS is accessible to the public through any interface.
And sure, the virus writer did something malicious. He should be held financially responsible for the statistical likelihood of the damage he was creating. But manslaughter? If I choose to run a publicly accessbile webserver and have a cgi script on that webserver control a mechanical arm the held a knife inches from my face, I have no reasonable justification for blaming apache when I poke my own eye out.
Oh, and hey. Have you ever run something mission critical on windows? You don't just run the system updates. You'd be fired. They break what you rely on as often as they prevent you from getting infected. Software writers rely on bugs in windows. It's really that bad. The bigger the app, the more likely it is it seems. I can't blame someone running a critical service for trying to determine that a patch won't break anything before deploying it. That would just as likely leave everyone tracking with pens and paper.
-theed
I have several versions of the truth:
1. This is good for Linux and other open source projects because the Coast Guard can inspect the code before deploying it. And if something goes wrong they'll be able to fix it.
2. UK engineered this to hurt Microsoft.
3. The virus was written by a Microsoft competitor, to boost their own security. Watch who advertises tomorrow.
4. The virus was written by an ex-Microsoftie, "to get back at them because my stock options didn't rise dramatically these past few years".
5. The virus just evolved on its own.
6. There is no number 6.
7. The aliens are now on the UK beaches, having landed safely offshore.
I feel fantastic, and I'm still alive.
nntp://msnews.microsoft.com
the microsoft.public.windowsupdate newsgroup.
Lots of people on Win2k SP4 having bluescreens when this update is applied - and unable to log in to windows.
Solution? Uninstall the update... Doesn't happen to everyone it seems...
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
If the service is denied network access, cannot access any files other than its own configuration, cannot launch any other programs or processes and cannot change privileges then your inserted code won't do much.
You're right that ACLs don't solve all problems, but no individual step will. The point with them is to remove the affect that those buffer overflows will have on the system by restricting each programs access to the minimal required to run.