Slashdot Mirror
Sasser Worm Takes Down UK's Coastguard
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.
Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.
Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.
I would rather blame the lazy sysadmin who spent his time surfing for pr0n instead of running windows update and setting the firewall up.
"if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
Replace "outage" with "outrage".
There is no way in hell an important insitution should put up with shit like this. If any arbitrary piece of code that gets sent around could bring my companys systems (as often as it is the case about WIndows XXX) to its knees I'd start seeing red about what the software manufacturer was spending its time on.
And choose a different supplier.
It's not just Linux that forms a good alternative to Windows. OPenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative. On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software. Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?
With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
Microsoft provided a patch that prevents this. If you insist on holding them responsible for this, then the OpenBSD folks are responsible for anyone who (against recommendations) uses a version with the remote root exploit in it.
Working tech desk during Sasser outbreak is fun lemme tell you. God save microsoft if they actually were responsible for tech support costs during this thing.
:). I've had two people call recently who - literally - just bought a brand new computer from the local best buy, plugged it into the internet and with 5 minutes got either Sasser or Blaster.
I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.
I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now
I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.
This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.
can he be held at least partially responsible for any deaths that occurred during this outage?
That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everbody's hand's go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everbody's hand goes, up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....
My Favourite Meme
Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Does it? Maybe it should raise some doubts over hiring admins that don't understand a firewall is important, can't figure out how to implement Microsoft SUS in their environment to auto-apply patches, can't properly secure their machines, etc.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.
I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!
Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.
that the more we depend on technology the more important it is to realize this dependence and the implications of trusting it blindly
if it wouldn't require you to reboot the OS after installing a secturity patch.
so in that scenario there would be NO excuses for having the system outdated.
While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arrise from a virus/worm infestation.
The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...
The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.
Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...
Basically, I am advocating a bit of responsibility for ones own destiny...
Does that mean if I leave my bicycle unchained, and a person takes advantage of the situation it's my fault? I say anyone who creates a virus solely for the destruction of private property should not only be partially responsible but fully, for all setbacks caused. The worst thing that could happen to microsoft is a case of false advertising, if they specifically said it is more secure than this. Otherwise, no one forced you to buy windows.
Karma: -2^0.5 . Mainly due to the imbibing of dihydrogen monoxide
Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault. I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make - I dont think the OS choice is relevent. Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
But 5 years from now, when eveyrone gets used to using a GPS and some fancy mapping program, what then?
Paper? what paper? oh! ePaper!
nope, our laptop got the virus last night. Sorry, WE CAN'T RESCUE YOU UNTIL WE GET OUR LAPTOP FIXED!
Boy, im not optimistic tonight.
-Grump
Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
Like no system except a Microsoft system has ever gone down. The first f---- worm ever written was for Unix, nerds.
I think that there is a difference between going down occasionally and going down every week.
BTW, that is Mr. Nerd to you.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
and some clause in the Patriot Act
doesn't everything? seems to me that it get stretched more than a rubber band.
Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.
Oolite: Elite-like game. For Mac, Linux and Windows
It depends on how you look at it:
The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
I do sue Ford though if they later tell me that I also needed to buy doors to my car (firewall) and that the car had a mechanism to allow anyone with the proper knowledge to cause damage to it without even being near it (antivirus).
This isn't a car. Not only do they not give you the full package, they can force the vendors with a license into not giving it to you as well.
"You can't package that, it's against our license."
That's scary.
Bad analogy. If Ford find a critical fault, they recall the product. How many critical faults have MS found in XP so far?
The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is: Why were these systems ever connected to the wider world in the first place? Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security. Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet). We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms. Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd. And our company rolls on....
From the article:
No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liabilty (both criminal and civil). In many jurisdications, if a virus directly caused a death they could be charged with murder.
The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing his/her job), the employer will probably be liable to (probably civil cases only though).
http://www.gnu.org/philosophy/words-to-avoid.html
There is a hole in your house, some kid comes, pees through the hole, which causes a short-circuit and destroys your house.
Be a man, don't send the kid to jail. He didn't destroy your house with a bulldoser, he just peed in a hole. Admit that your house was fragile, and blame *yourself* for it.
You assume that an admin knows everything, and has infinite time on his hands.
In reality, companies have selected Windows after being told that its administration is much easier than for competing systems. Admins only need to know which buttons to click to setup a new system. In-depth knowledge about the underlying principles is often not available, with the excuse that it was supposed to be unneccessary.
In the end, it may be better to install a system that is a bit more difficult to administer, and thus avoid the administration by unqualified personnel.
Microsoft has to take part of the responsibility and offer to send consultants out for free to patch and fix the servers.
Or, even better, ship Windows with a piece of software that does that automatically? Oh, wait, they already do that...
It needs to be said again: YOUR COMPUTER IS YOUR RESPONSIBILITY! The patch for this one was available for some time (a month or so). You can't pin this one on Microsoft any more than you can blame the car manufacturer for car breakdown after you missed your scheduled service.
Isn't it about time to start introducing fines for people who propagate worms and viruses? Yes, fines for getting your machine infected. It's illegal to drive a malfunctioning car, why should it be legal to operate a malfunctioning computer? Both are a danger to the public.
Why would it be wrong to promote your product now?
This is the right time to promote it, and the positive aspects compared to the current solution. You will likely have an easier time trying to point out some of the flaws with their current situation.
A solution to this problem has been around for weeks now, yet one or more of these system were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?
You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's appropo here to remind everyone what "mama" always said: stupid is as stupid does...
They have more cash to settle this than the virus writer. Obviously they do not want to have this kind of "using Microsoft products kills innocent people" cases fight out in court with a lot of publicity.
It's not a question of who is guilty - obviously the virus writers intention was not to kill people by disabling coast guards system, the network admins did not mean this to happen by leaving their systems wide open and Microsoft did not guarantee their OS to work in critical situations like this. The world would be better place with less stupid lawsuits, but if you are still going to sue someone, sue the one with most cash
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
One of the comments made about it on TV was that the PCs used for checking coordinates went wonky.
However, as part of the procedure for locating vessles, they check them against paper charts.
Looks like they didnt trust PCs to start with. Now they've been proven right.
I would have thought after MSBlaster ripped through the Windows world that people would have learned to keep Windows away from any and all open internet connections. While competent admins ought to keep their systems patched I find it difficult to understand why networks aren't properly firewalled. If you want to be cheap about it you can just have a single firewall at external connections. A little fancier set-up would be transparent packet filters to segment portions of the network from one another. Keeping everything off the network that wasn't intended to be there would nip many of these sorts of worms in the bud.
I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.
Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.
I'm a loner Dottie, a Rebel.
Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.
... one need only peruse their website and their past marketing of Windows, coupled with their slanderous misrepresentations of competitors such as Linux.
I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record
Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.
I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make
I dont think the OS choice is relevent.
Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.
Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.
Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.
The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
The Future of Human Evolution: Autonomy
... are a LOT more responsible about their products as a rule then almost any industry, perhaps airplanes might be the closest, they always recall and repair or replace defective products, and go to some lengths to get the word out to the owners, and it goes beyond 90 days, and beyond the original owner on any defects. I know because I worked in a firearms warranty repair center before and been an enthusiast since I was about as tall as a .22 rifle. It's years and years in some cases with warranties. Many now come with a default "forever" warranty. In fact, they have some of the best warranties and repair/recall efforts in any industry. We would be *lucky* if all products had as good a warranty. Like name a major manufactured mechanical product that comes with a lifetime warranty now. Washing machine? Automobile? Bicycle? Hard drives? Radio? Anything? There might be but I can't think of any off the top of my head, but firearms are treated that way in a lot of cases now, and even in other cases where the warranties expire, recalls are still done if a defect is found.
The big problem is software got a compoletely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.
This deal was way back when it first really took off (I really need to research this now,it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and ayone can see that.
It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.
We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.
I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.
And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is effected" when defects show up. it can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software
Disabling emergency systems is *not* a "soft" crime. The have radio, unfortunately radio can't store and retrieve information.
The worm writer is responsible for damages caused by their disabling any system they target. Just because they target the world doesn't excuse them from the smaller impacts.
No, the great bulk of shashdotters don't write and distribute malicious code.
To be fair to the coast guard although there computer system was inoperative they did have a perfectly workable backup solution in place which they were able to use to exactly the same end result as they would have achieved using the computers.
OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for safety critical work. Computers are complex things and can fail for a huge variety of reasons some of which should be preventable ( in this case ) and some which aren't reasonably preventable.
MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.
There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrator's salaries.
I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.
Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."
Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.
How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.
Lots of $$$$$, which buys them plenty of puppet congressmen. Just look at the power of the NRA.