Slashdot Mirror


Sasser Worm Takes Down UK's Coastguard

jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occurred during this outage?"

151 of 733 comments

  1. He should be by Heartz · · Score: 5, Insightful
    We must come down hard on these individuals. Virus/Worm writers write code with malicious intentions.

    It wouldn't be murder per se, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.

    1. Re:He should be by rokzy · · Score: 5, Insightful

      but also some responsibility on the retards who didn't get a secure system - MS is officially unsuitable for this sort of thing.

      if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.

    2. Re:He should be by Willeh · · Score: 3, Interesting

      I think it would be a lot better for companies to pursue options that would help prevent these kinds of things, not a short term asskicking to some scriptkiddy, when you know thousands more are willing to jump into his shoes for some "internet notoriety" or other BS.

      --
      Will wank off Linus Torvalds for fame.
    3. Re:He should be by bnet41 · · Score: 2, Interesting

      actually a better analogy would be the gun makers. Should we put gun makers in jail b/c their products are used to kill people? The fault here lies with the malicious person, not the maker of the item. Sure, faults do exist in the product, but not anything that can cause problems usually without someone with malicious intent putting things into motion. With car makers, they usually get nailed b/c they ignore a defect that gets people killed in the normal day to day operation of the vehicle. For this to apply here, the software would have to crash on its own, and cause the breakdown, which is not what happened, an outside malicious force had to act first.

    4. Re:He should be by Anonymous Coward · · Score: 4, Insightful

      if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.

      Don't forget the 'oh, and please leave the gate open or we'll have to go somewhere else'.

      Yes, it is partially Microsoft to blame as well - which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send? You really have to trust your programming to allow something like that. If it's not actually necessary, why do it?

    5. Re:He should be by dexterpexter · · Score: 5, Insightful

      You see, I disagree. I see this another way: If this were a car company, security would be an issue that wouldn't even be feigned with interest from the court system.

      Operating systems are designed to be just that...an operating system. No matter how secure they make it, there will be some dirty virus writer out there that shatters that security. Now, I think it is good business practice for software companies to protect the best that they can against hackers, scripts, viruses, etc. However, that really isn't the business they are in... security. The deplorable human state has forced them into this position, but I pose the question: is it fair?

      I mean, back to your car reference: If you drove through a bad neighborhood and a guy runs out, beats your window in with a baseball bat, and steals your backpack, is the car company responsible for not making unbreakable windows? (pun intended) This would probably be laughed out of court, so I don't see how we can really blame the Operating System companies for a lack of security when all they are selling is an operating system.

      Now, again, I think that they should secure it to the best of their ability... and that some of the security holes I have seen are ridiculous. And, if they tout complete security as a feature, then they are taking on that part of the business.
      But, and correct me if I am wrong, I don't think most companies advertise 100% security anymore for this very reason. Because that is just a pipedream.

      If someone breaks into my house, I am not suing the person who built my house. I am buying a security system (firewall) and using it. However, I assume that this isn't 100% effective, either.

      Just a thought. I could be wrong.

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
    6. Re:He should be by Donny+Smith · · Score: 2, Interesting

      >which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send

      oh pleeze are you saying Microsoft opened secret ports about which they didn't know? the organization didn't have a security policy that mandated closing unnecessary services or they did not follow the policy (if it's really "unnecessary services" that screwed them up).

      until a year ago Linux would ship with a bunch of services running by default, which wouldn't usually matter (just remember sendmail's default - open relay). but any reasonable sysadmin (or organization) would either stop those services or block them on the firewall level.

    7. Re:He should be by shrykk · · Score: 3, Insightful

      If your gun exploded in your hand you'd sue the manufacturer.

      It's not so simple as 'microsoft is accessory to manslaughter' though. I'm sure the Microsoft EULA says it's not for use in safety-critical applications. People need to "vote with their feet" and switch to other products if they want secure systems, then MS may address the problem.

      --
      #define struct union /* Reduce memory usage */
    8. Re:He should be by bnet41 · · Score: 2, Insightful

      if the gun exploded in someones hand then that would be a result of a defect, and something that is not caused by a malicious user. Slam Microsoft all you want, nothing wrong with that, but realize this specific incident would not have happened with out a malicious user.

    9. Re:He should be by cherokee158 · · Score: 5, Insightful

      I completely agree. If some moron breaks a window, you don't blame the windowmaker.

      Sadly, though, people still insist upon hounding the easy target. Look at the plight of the tobacco companies. I smoked for ten years, and let me tell you: I never met a smoker who did not know that smoking was bad for them, even potentially fatal. Unfortunately, once they've succumbed to the big C, their surviving heirs go nuts and sue everyone remotely connected with their deaths.

      This is true in aviation, too...half the price of a new plane just covers the manufacturer's liability insurance. Surviving heirs seem to insist upon driving another nail into their dead spouses' favorite hobby whenever the poor slob augers in.

      How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.

      Anyway, I think it's obvious that you cannot have a completely secure OS unless you bury it in a box somewhere and don't let it talk to anybody. Fat lot of good it would do anyone then.

      String the little vandals up, they deserve it. I think most of these little punks do it for the power trip, anyway (Dude, we shut down the Eastern Seaboard power grid, huh, huh). Let them have a little taste of the responsibility that comes with power.

      Maybe we could lock them in a little room with a bunch of REAL worms...

    10. Re:He should be by ottawanker · · Score: 2, Interesting

      If your gun exploded in your hand you'd sue the manufacturer.

      Actually, there'd probably be people pointing fingers at everyone else. Was the problem with the gun, or the bullet? Maybe the problem was caused because you didn't keep the gun in proper care. Maybe the gun was old and out of date.

    11. Re:He should be by fucksl4shd0t · · Score: 5, Interesting

      if the gun exploded in someones hand then that would be a result of a defect, and something that is not caused by a malicious user. Slam Microsoft all you want, nothing wrong with that, but realize this specific incident would not have happened with out a malicious user.

      The analogy is still wrong.

      Say a gun manufacturer manufactures a gun that will work for most people most of the time, and failures only involve reloading, no actual damages. This same gun, through poor engineering, has a weakness in the barrel that can only be affected by a certain type of ammunition. The manufacturer doesn't consider this important because nobody manufactures that type of ammunition, it's worthless ammo.

      So someone handcrafts the ammunition that will exploit the flaw, sneaks into your house and loads your gun with it, then escapes without leaving any trace other than the ammo in the gun.

      Now the gun blows up in your hand. Who's at fault?

      Even stretched to the limits as the analogy is, there's one primary difference between this analogy and the actual topic. For guns there aren't thousands of individuals building ammunition specifically designed to ruin the guns and possibly hurt the people firing them. For computers, there are. If this were to happen for real with a gun manufacturer, the manufacturer would be acquitted of all charges, because he had a reasonable expectation that what became an engineering flaw through exploit would not ever be a problem. Not so with the OS producer. They have a reasonable expectation that their OS will be attacked, and the more market share they have, the more this expectation resembles waiting for the sun to rise, i.e. you *know* it'll happen.

      The OS producer must bear some responsibility for it, for the same reason a car manufacturer must bear some responsibility for injuries sustained in a car accident due to safety systems not well-engineered. Even then, we tend to forgive the car manufacturer, because accidents aren't supposed to happen, and there's usually some idiot at fault.

      I'm all for pointing at Windows and saying it sucks any day of the week, but I'm not so sanguine to blame microsoft for the script kiddie that wrote the virus. It's grey area, there. And let's not forget that our beloved GPL disclaims all warranties as well...

      --
      Like what I said? You might like my music
    12. Re:He should be by dexterpexter · · Score: 2, Insightful

      Why is that the Operating System companies responsibility, though? When does the act of booting a machine and writing a document imply security? An operating system, in the beginning, likely did not have security in mind at all. It was criminal behavior that forced them, at the cry of the market, to start securing the system. However, how much responsibility is it of the OS company to provide security against criminal behavior when that isn't a part of their business model? Why not leave that responsibility to the companies for whom it is their business model, like Norton or McAfee?

      In assuming security is the responsibility of the OS company, then yes, they are selling you an inferior part (which you still bought). However, I know we have insisted that it is their responsibility, but the question is: is it really?

      Why exactly is it incumbent on the provider to include state of the art security when third party security programs are available? Why can't an OS company focus on its core business without branching into crime prevention?
      And, with alternative operating systems available and the track record of MS insecurity, then why don't people make the switch over to another system if the OS they currently use doesn't live up to their expectations?

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
    13. Re:He should be by richie2000 · · Score: 3, Interesting
      And, if they tout complete security as a feature, then they are taking on that part of the business.

      "Amid increasingly frequent and sophisticated network attacks, users expect their systems to remain resilient, and for system and data confidentiality, integrity, and availability to be maintained. (...)As a leader in the computing industry, Microsoft carries a substantial responsibility."
      Microsoft

      If someone breaks into my house, I am not suing the person who built my house.

      Even if the lock and indeed the whole of the front door is pathetic, has known vulnerabilities and the maker still touts it as secure with the well-known chairman of the company that built the house (door, lock and all) having announced a big push for increased security almost two years ago? How is the buyer of that house supposed to know that his front door is made of a material that looks like steel and feels like steel but offer about as much protection from burglars as Aerogel?

      Microsoft claims Windows is secure. It isn't.

      --
      Money for nothing, pix for free
    14. Re:He should be by Faluzeer · · Score: 3, Interesting
      "but also some responsibility on the retards who didn't get a secure system - MS is officially unsuitable for this sort of thing."

      Hmmm

      How about any unpatched operating system is officially unsuitable for this sort of thing.

      Yes blame can and should be placed on MS for the design and security features of their software however a large portion of blame should go to the individuals and organisations that do not regularly update their systems.

      As linux takes off in the corporate world I expect there will be an increase in worms targetting that operating system, let's just hope that individuals and organisations learn the lessons and keep the systems patched or the problems will keep occurring regardless of the operating system being used.

    15. Re:He should be by AllUsernamesAreGone · · Score: 4, Insightful

      The problem with patching Windows systems is that a responsible admin will not simply roll out the patches across all the systems. Microsoft is very good at giving you two problems for the price of fixing one so a lot of Windows admins do extensive testing of patches before applying them across all their systems. In another situation, I would give them the benefit of the doubt and say they were hit while testing the patch.

      However, this isn't another situation and, if their machines had been properly firewalled (can someone please explain to me why any ports other than those for servers running in a DMZ should be visible over the net, because I'll be damned if I can think of any) they wouldn't have been infected. Hell, if they had zonealarm running on all the boxes they'd be safe even if they don't have a decent firewall between their LANs and the net.

      Yes, Microsoft isn't without blame (maybe if they made patches that didn't crap all over your machines life would be better) but in this case sloppy admins have struck again.

    16. Re:He should be by andy+landy · · Score: 5, Insightful

      I still don't buy the "Microsoft is responsible" talk, sure their software is buggy, but so is many other software. I've seen Linux and other Unix systems rooted, yet nobody starts claiming "It's all Linus' fault" etc.

      Okay, so the Free Software folk invariably have patches out within hours of an exploit being discovered, but this hole has already been patched too.

      The onus is on the virus writers (and Script Kiddies etc) who write malicious code and to some degree on people not maintaining their systems.

      Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled. You can still blame the burglars, but you're out of luck if you claim insurance since it's your own fault.

      It's different if there aren't any patches, and I'm well aware that Microsoft have their problems and need to be more secure, but I still stand by my judgement that they can't be held responsible for every virus outbreak that happens!

      --
      perl -e 'print "Just another Perl newbie\n";'
    17. Re:He should be by ichimunki · · Score: 5, Insightful

      There is little comparison between unlocked doors and computer worms. If my neighbor doesn't lock his door and gets robbed, this probably doesn't mean that the robbers will now use my neighbor's house as a place from which to launch a robbery of my house. However, on the net, when someone leaves an unsecured, hacked system running, their computer increases the risks for everyone else because, whether they know it or not, they are helping the virus writers breed their nasty little piece of software.

      Whether or not my neighbor is to blame for having been robbed (which I don't believe he is), the point is: if my neighbor's computer is hacked and starts to attack mine, that's when we start to have a heightened sense of his responsibility in the matter.

      --
      I do not have a signature
    18. Re:He should be by Alan+Cox · · Score: 4, Insightful

      In the UK at least the police would have quite a list of things to charge the virus writer with. The coastguard and microsoft might also have liabilities.

      As with most of the EU you cannot disclaim liability for death and some forms of injury, whatever you write on the license. (Nowadays "Not verified for use in safety critical systems" seems to have become an accepted way of ensuring the liability lands on the user though).

      Considering the car analogy

      You can be liable if you make a car with dodgy brakes (unsuitable product, foreseeable that it will cause an accident)
      You can be liable if you knowingly drive a car with bad brakes (because it's foreseeable that this will cause an accident)
      and you are most definitely going to get into trouble if you empty a bucket of oil over the road surface (aka writing the worm)

    19. Re:He should be by jadenyk · · Score: 2, Interesting
      I think that MS should be held accountable, but only by the consumer. To use your door example, if I buy a door and I have to constantly monitor the thousands of locks on this door to make sure they don't open by themselves or fall out of the door, etc., then, when I finally turn my back to go down to the store and grab a dew, I come home to find my house empty and my door wide open, even though all of the locks are still locked. (The manufacturer calls it a "feature.") I don't know about you, but I wouldn't buy that door again. I'd go buy a different door.

      Too many people get hit with these worms, have their systems fall completely, just to recover, update Windows and carry on as normal. Then, in another year or so, the next major worm comes out and they have to do it all over again.

      There's too many people who use 'doze simply because it's "easy" and, probably mostly, "because everyone else is doing it..." I mean, if seeing these virus warnings on the news isn't enough to make people think "hmmm, when's the last *nix/Mac virus I heard about" and maybe actually look into it, I don't know what will work.

      Maybe when Bill Gates finally grows the horns and starts talking in tongues, people will get the hint.

    20. Re:He should be by chamenos · · Score: 2, Informative

      I suspect if everyone started using Linux and Macs, then we'll start seeing more viruses and worms written for them. For the most part, if you regularly keep your MS system updated and patched, these worms and viruses aren't really a problem.

    21. Re:He should be by infinite9 · · Score: 2, Insightful

      Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled.

      What if the door company advertised their doors in a way that led you to believe that the door was locked when a design flaw meant it wasn't? And when the design flaw was pointed out to them, they mentioned it with a free fix on their website, but did nothing else? And a hundred thousand people were all robbed on the same night? In meatspace, people would be screaming for blood. I think the admins may have also been at fault here. But as someone else pointed out, what if they were still testing that patch?

      --
      Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
    22. Re:He should be by Atzanteol · · Score: 2, Insightful

      Bill Gates never claimed that Windows would be invulnerable to viruses and other security holes. It's not the OS's "job" (according to MS) and it's not what the customers expect. It's sorta like suing Levis because your jeans don't stop bullets. They never claimed they would.

      Caveat emptor if you will.

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    23. Re:He should be by budgenator · · Score: 2, Informative

      The sysadmins are not without blame nor are the netadmins, but the honest fact is people in the British Coastguard Agency took laptops home, plugged them into the internet and exposed them to hazards that they were not configured for. Then they returned to work and plugged those exposed laptops into their network carrying traffic for their critical application; and critical in this context means protecting life, limb and major property.

      I'm going to make a guess here but I'd say that those people "borrowing" government laptops for personal use aren't joe or jane able-bodied-seaman types but people with brass on their shoulders, intelligent people who almost know enough and so are truly dangerous. Additionally when the Lieutenant who writes your evaluation, plugs in his laptop and the network gets swamped with worm traffic, do you blame him or say that an "internet exposed" computer in the office helped?

      Microsoft has lowered the bar so low in the quest for ease of use, that it's easy to change configurations without knowledge of the theories behind their actions or understanding of the possible results. Sys-admins test microsoft-certified patch to make sure they don't break things while the users on the network willingly install known-spyware; it's just insanity.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    24. Re:He should be by TiggsPanther · · Score: 2, Insightful
      until a year ago Linux would ship with a bunch of services running by default, which wouldn't usually matter (just remember sendmail's default - open relay). but any reasonable sysadmin (or organization) would either stop those services or block them on the firewall level.

      Even a year ago and before, distros (certainly Mandrake) would often end the installation process by telling you what services would be active at boot-time, and were you sure you wanted them to be?
      That was often where I'd turn off anything (insecure or otherwise) that I didn't want running.

      Why can't Windows do something similar?

      Tiggs
      --
      Tiggs
      "120 chars should be enough for everyone..."
    25. Re:He should be by fucksl4shd0t · · Score: 2, Insightful

      Well, it is grey area. ;) I was responding more to the "I hate Micro$oft, they must be hung from the highest tree!" mentality than anything else.

      There's plenty of blame to spread around, here. As other posters have mentioned, the sysadmin who installed Windows on these machines without taking preventive maintenance steps is to blame, as well as the person who made the purchasing decision to put Microsoft Windows in this installation, and also the virus writer himself.

      I like some of the other analogies given, actually. The situation is more like a car manufacturer who makes a car with doors that appear to lock, but in reality don't lock. In that case, this situation is analogous to such a car that has been widely reported on not working, no consumer groups rising to defend consumer rights, so the car continues to be produced with its flaw. A buyer, probably not being able to avoid the news, still buys the car. Possibly not being aware of a recall being issued, he continues to depend on it for his business, and then whammo. The virus writer comes along and opens the door and sets fire to the interior.

      It's too easy to just blame Microsoft, but I'm not saying they don't get any blame. Just make sure it gets spread around to all accountable parties, that's all. ;)

      --
      Like what I said? You might like my music
    26. Re:He should be by squiggleslash · · Score: 3, Funny
      No, I'm sorry, but that really doesn't work. Ok, try this.

      You have a bus, except the bus has unlocked windows, but all the seats have safety belts. There's a driver at the front of the bus with a credit card, but all the passengers are holding tickets. Made of paper. Then it rains. Meanwhile there's a guy on the street corner trying to sell chickens, who gets on the bus. Except the bus is full. So he opens one of the windows, and his bag, which has chickens in it (remember, he sells chickens) falls off his shoulder because he wasn't using a strong enough strap. Meanwhile because the window's open, rain starts getting into the bus, making several of the passengers, and their tickets, wet. As a result, that makes the writing on them illegible and they get thrown off the bus, because the bus driver thinks they're going to Basingstoke when they're actually going to Boston, MA, which is where the bus goes. What the guy selling the chickens doesn't know is that the people who get thrown off the bus end up with the chickens.

      Now that's an analogy.

      --
      You are not alone. This is not normal. None of this is normal.
  2. I don't know about Britain... by Tuxedo+Jack · · Score: 5, Informative

    But here in the U.S., I believe it falls under both 18 USC 1030 and some clause in the Patriot Act.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
    1. Re:I don't know about Britain... by dexterpexter · · Score: 4, Interesting

      I agree that it isn't appropriate, but we in the U.S. have seen the application of the DMCA extend beyond its original intentions to be used to prosecute anyone who violates not only copy protection, but basically any sort of protection scheme. The DMCA has grown beyond simple copyright legislation, unfortunately, and that is why I suggested it.

      I don't believe that it should be used in such as way, but if it is used to go after the "good" guys, then why not the bad as well?

      Lately, it seems, the DMCA is trying to become the all-encompassing way to prosecute anyone who peeks somewhere they "shouldn't." This wouldn't work if someone explicitly opened the virus and it infected the system. However, if the virus sat there and hammered at holes in the software until it wormed its way in, then I don't see why they couldn't use the DMCA against that, as well.

      I wasn't really suggesting it so much as putting it out there as a thought open for discussion...

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
  3. Safety Critical Systems by Interruach · · Score: 5, Insightful

    Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
    However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifeguards' IT people, and the virus writer.

    1. Re:Safety Critical Systems by upside · · Score: 4, Insightful

      My thoughts exactly. Back here in Finland a bank had to close shop in the entire country for a day because of Sasser. Instead of being worried about how they didn't update their systems I'm more worried why MS is being used on mission critical systems like banks and the coast guard.

      --
      I'm sorry if I haven't offended anyone
    2. Re:Safety Critical Systems by matth · · Score: 2, Informative

      Perhaps you didn't read the article. It says the problem occurred when people brought infected computers (probably laptops) onto the network.

    3. Re:Safety Critical Systems by salvorHardin · · Score: 2, Informative

      Is Microsoft Software actually certified for safety critical systems?
      Depends on what version of Windows they were running. Windows NT 4 (SP3) is the only version of Windows to have been evaluated against ITSEC criteria. It's unlikely they'd be running a certified product, however, as the second you apply a new Service Pack to the machine, it's no longer certified. Every evaluation I've been part of has been where a vendor has wanted to sell something to the Ministry Of Defence, and have needed to obtain certification under ITSEC or Common Criteria in order to do that.

    4. Re:Safety Critical Systems by mpe · · Score: 3, Insightful

      Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.

      Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable.
      From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things on trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "spaghetti code".

    5. Re:Safety Critical Systems by arivanov · · Score: 2, Interesting

      Err... Who told you that the UK coast guard is a safety critical system? Who actually told you that they do anything besides wasting public money?

      All the real work is done either by RAF or by volunteer lifeboats which do not get a single penny of government money. Frankly, I find it shameful and disgusting that a country in the big 8 which is also an island is incapable of even financing its lifeboat crews.

      So frankly, if someone will wipe off the coast guard completely no one will notice. Emergency services have direct lines to the RAF anyway, and most of the lifeboat crews are listening on the SOS frequencies as well.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    6. Re:Safety Critical Systems by Hogbert · · Score: 2, Insightful

      Does it make a difference ?

      The bank offices were closed; they did not do business. No data was lost but the customers were not given service. No good.

      Hogbert

      --
      Microserf: 18.5% slashdot corrupt
    7. Re:Safety Critical Systems by keith6689 · · Score: 2, Informative

      "Who told you that the UK coast guard is a safety critical system? Who actually told you that they do anything besides wasting public money?"

      If you actually believe that then you either are poorly informed, or are trolling.

      Take a look at their website to see what they do. As someone who spends significant amounts of time off the coast of the UK on a boat, I am quite glad they are only a VHF call away.

  4. The real question is by rudy_wayne · · Score: 4, Insightful


    Why did the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.

    1. Re:The real question is by Shimbo · · Score: 3, Informative

      Well, who is there to do it ? our coastguard (for you non-UK is actually called the RNLI which stands for the Royal National Lifeboat Institution)

      You are misinformed; the Coastguard *is* a government agency. The RNLI is a fine charity but nothing to do with this story.

    2. Re:The real question is by isorox · · Score: 3, Funny

      The AA - To their members they're the fourth emergency service

    3. Re:The real question is by Gumshoe · · Score: 3, Informative
      our coastguard (for you non-UK is actually called the RNLI which stands for the Royal National Lifeboat Institution)


      That's not true. The coastguard is an executive agency of the Department for Transport (DfT), whereas the RNLI is a charitable organisation. It is true that a lot of the sea based rescues are performed by RNLI volunteers but a lot of the coastal emergencies are tended by the coastguard itself. Helicopter rescues for example, don't involve the RNLI.

      In other words, it is the Government's responsibility to hire competent administrators.
    4. Re:The real question is by JamesD_UK · · Score: 3, Informative
      HM Coastguard != RNLI.

      The Coastguard is responsible for coordinating various organizations (RNLI, RAF, RN etc.) in search and rescue operations in the UK. It is an agency of the department of transport. They monitor the emergency broadcast channels for the UK and a large section of the Atlantic ocean and often further afield. Throughout the UK they have a number of rescue teams who often get involved with more than just maritime emergencies. The RNLI as you stated is a charity, staffed almost completely by unpaid volunteers. If a ship at sea needed assistance, HM Coastguard would be contacted and possibly send the nearest RNLI lifeboat to assist.

    5. Re:The real question is by zakezuke · · Score: 4, Insightful

      Why did the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.

      If their Coastguard's mentality is anything like their American counterpart's I can think of a damn good reason why this happened. *Support contracts*. Legendary documents written in stone that require that a specific agency do all maintenance and repair of their PCs. Despite the fact that the operator is more than able to click on the recommended patches, doing so could get you into a lot of trouble. You're not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.

      Taking these matters on yourself opens you up to a whole bunch of no fun, such as the military justice system. So one learns it's not their job... nothing will ever get done about it... and hope one's tour of duty is up real soon before you go insane.

      --
      There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
    6. Re:The real question is by BiggerIsBetter · · Score: 3, Interesting

      Damn straight. Somebody needs their ass kicked over this one. Hopefully nobody dies as a result.

      When your systems are that important, it's madness to run them unsecured. There should be strong firewalls on the networks and virus scanners on every machine. If the virus finds a way in (say a manager's laptop) there's no way it should be able to spread. And vulnerable systems (*cough* Windows *cough*) should be kept to a minimum.

      I know some folks say if it's behind the firewall it's safe, but as we see again and again, that's rarely the case. It's my policy to ensure *every* machine is updated as required, and the servers and Windows machines run AV software.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    7. Re:The real question is by sotonboy · · Score: 5, Insightful

      Unfortunately, there is one more option. That is the cost of maintaining Windows systems. Believe it or not, there are people out there (myself included) who don't have broadband. Please try keeping a Windows install up to date over dial-up. It can't be done. Once a month I unplug my machine and take it to a friend's house to update it. For people like myself (who exist in our millions) Windows cannot be kept up to date, and Gates denies that we exist. If Microsoft were really taking security seriously, then all patches would be included weekly on magazine cover discs. And ISO images would be downloadable from msupdate so that we could download elsewhere. Unfortunately this is not the case and there is _NO_ good reason for it. Cost is zero to MS.

    8. Re:The real question is by akadruid · · Score: 4, Informative

      Microsoft will send you an update on CD for free. There was a link posted here a while back, or try googling for it.

      --
      "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
    9. Re:The real question is by matth · · Score: 5, Informative

      I tried that update CD (figured if nothing else it would be useful to take to friends' houses who have dialup and need patches). The CD took no less than three months to get to my house! The post mark was like 4 days before I received it so it was in processing for 3 months. In that time several new security patches had come out....
      If they can't get the CD out in a few days, it's worthless. For instance, sasser? That CD would have been useless... as I still wouldn't have it.

    10. Re:The real question is by johnw · · Score: 2, Interesting

      > Helicopter rescues for example, don't involve
      > the RNLI.

      Helicopter rescues quite often involve the RNLI. The RNLI however do not (AFAIK) have any helicopters. Helicopters from the coastguard or RAF frequently cooperate with the RNLI in effecting rescues.

      John

    11. Re:The real question is by supersnail · · Score: 2, Insightful

      Not quite correct?

      There is a UK Coast Guard service. But this is a comparatively small organisation which monitors radio traffic for distress calls, does traffic management on busy shipping routes and coordinates search and rescue operations.

      The actual rescue is usually done by the RNLI which has boats manned by volunteer crews and is funded as a charity, or, if anything airborne is required it is supplied by the airforce, (additionally police, fire brigade etc. may be called in).

      The actual effect of the outage doesn't seem too severe as computers are not extensively used. Radio and telephone being perfectly adequate to coordinate this sort of stuff.

      --
      Old COBOL programmers never die. They just code in C.
    12. Re:The real question is by akadruid · · Score: 2, Informative

      Oh yeah, the CD is useless as a rapid response option. The only use of it is to take off the top 200Mb of your download, hence saving you some of the dialup costs. Once the CD is installed, you must get the latest stuff, hopefully just a few Mb, from Windows Update.

      --
      "Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
    13. Re:The real question is by iainf · · Score: 2, Informative

      Just a note for the non-British: in the UK, the Coastguard are not a part of the military.

    14. Re:The real question is by drsmithy · · Score: 4, Funny
      MacOS X ships with *0* ports open.

      So how do you remotely administer one of these machines ? Telekinesis ?

    15. Re:The real question is by gruhnj · · Score: 5, Informative

      You're not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.

      I don't speak for all military, but the Army has an entire major command dedicated to nothing but computers. Formed in 99, NETCOM has actually done a fairly good job in keeping things working. As far as threat detection, patch verification, and orders to deploy, NETCOM tends to be on a 72 hour turnaround. Given that the patch was issued April 13, it's way ahead of an outbreak like Sasser. Even better, they have the authority to disconnect. The orders to patch go straight to company commanders and sysAdmins who can be reprimanded if their unit goes down. Even if they give the task to a contractor, they are still liable. I'd hate to be the company commander who sees the brigade commander over virus outbreaks. That seems to keep them in line pretty well.

      SPC Gruhn
      TNOSC-K, Systems Management Branch
      1st Signal BDE
      "First to Communicate!"

    16. Re:The real question is by necrognome · · Score: 2, Funny

      No, It just works. The ports open themselves automatically when they sense that another host wants to connect. :)

      --


      Let's get drunk and delete production data!
    17. Re:The real question is by blakestah · · Score: 3, Insightful

      So how do you remotely administer one of these machines ?

      You turn on the services.

      The real point is that no outside software can do anything bad to a Mac machine by default, because no ports are open.

      If you turn a service on, then you KNOW IT IS ON, and you KNOW YOU NEED TO CHECK IT FOR SECURITY.

      We're talking consumer client OSs. The vast majority of the users never turn anything on (and by default, never get a worm).

      Imagine if Windows took that same philosophy...

      In general, I am perfectly happy for even server machines to be shipped with only those ports open that I manually specify, or turn on myself. It's secure by default, services on demand, not unadministered services by default. The latter is insanity in today's networks.

    18. Re:The real question is by Frogbert · · Score: 2, Funny

      You don't, if you want to change the configuration you just pick it up, throw it out and buy a new one with the service enabled. Couldn't be more simple.

  5. If the programmer at Microsoft... by greppling · · Score: 2, Interesting

    ..., whose mistake caused the security hole, gets identified, can he be held at least partially responsible for any deaths that occurred during this outage?

    1. Re:If the programmer at Microsoft... by tarunthegreat2 · · Score: 5, Insightful

      can he be held at least partially responsible for any deaths that occurred during this outage?

      That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everybody's hands go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everybody's hand goes up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....

    2. Re:If the programmer at Microsoft... by jeffs72 · · Score: 2, Insightful
      Why is it Microsoft's fault? If it were Linux systems that hadn't been properly secured, weren't behind a firewall, and weren't patched properly, would we try to place some responsibility on college student / developer number #34875897 and #09875872 and demi-god Linus?

      Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Does it? Maybe it should raise some doubts over hiring admins that don't understand a firewall is important, can't figure out how to implement Microsoft SUS in their environment to auto-apply patches, can't properly secure their machines, etc.

      --
      This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
    3. Re:If the programmer at Microsoft... by Flingles · · Score: 3, Insightful

      Does that mean if I leave my bicycle unchained, and a person takes advantage of the situation it's my fault? I say anyone who creates a virus solely for the destruction of private property should not only be partially responsible but fully, for all setbacks caused. The worst thing that could happen to Microsoft is a case of false advertising, if they specifically said it is more secure than this. Otherwise, no one forced you to buy Windows.

      --
      Karma: -2^0.5 . Mainly due to the imbibing of dihydrogen monoxide
    4. Re:If the programmer at Microsoft... by Cooper_007 · · Score: 2, Interesting
      Does that mean if I leave my bicycle unchained, and a person takes advantage of the situation it's my fault?

      According to the insurance company, HELL YEAH!

      Cooper
      --
      This truth probably doesn't come as shocking news to any of you,
      and if it does then you're stupid and I hate you.
      - Everything Can Be Beaten -

  6. Hmmmm by Professeur+Shadoko · · Score: 3, Insightful

    I would rather blame the lazy sysadmin who spent his time surfing for pr0n instead of running windows update and setting the firewall up.

  7. What about... by HolyCoitus · · Score: 2, Informative

    The company or the people that are unable to secure their computer? There is a whole chain here, and in other cases with the law, it always seems the manufacturer gets sued. Shouldn't that be the case here? If there is a single vendor or individual that can be blamed, shouldn't they?

    The difference here, possibly, being that Microsoft had patched against this and that could be seen as an equivalent to a warning or a recall. It makes you wonder though, if a worm hits on an unknown exploit, will Microsoft be responsible? In any other industry, I'd have to say yes, but I'm not so sure when it comes to software.

    Anyhow, this is just another case for why any infrastructure should not be run on a single operating system. If you have multiple kernels with multiple implementations that can all work, you'll be much safer. Linux kernels with different versions, BSDs, AIX, Solaris... Those won't have the same exploits and have different strengths and weaknesses. No worm can traverse all of that (hopefully).

    --
    That's scary.
  8. Critical Services Should Use Hardened Systems by osewa77 · · Score: 4, Insightful

    It's not just Linux that forms a good alternative to Windows. OpenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative. On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software. Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?

    1. Re:Critical Services Should Use Hardened Systems by Lumpy · · Score: 2, Funny

      On the other side, through the past 7 years, the Netware 4.X server hidden in the closet and forgotten until 2 years ago has run and not had ONE problem in that entire time. No viruses, no hacks, no break-ins, no crashes, no nothing but doing its job.

      I also like to mention it at every IT meeting when the Windows guys are scrambling about the latest virus threat.

      --
      Do not look at laser with remaining good eye.
  9. Patches by Amiga+Lover · · Score: 5, Interesting

    OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...

    But...

    Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).

    This kind of fine grained control is what works WELL in Debian for example. To update an error in ssh, download its patch. To update an error in an X library, update that one library. Not bundled in with loads of extra crap.

    I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.

    Even MacOS seems to be partway to the Debian-like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.

    1. Re:Patches by gazbo · · Score: 2, Informative

      They are. If you use Windows Update then you get some of them bundled together in service packs etc, but if you actually look through the KB you'll find specific patches for individual vulnerabilities.

    2. Re:Patches by ThogScully · · Score: 4, Informative

      In the example of the grandparent, you type
      apt-get update && apt-get -u upgrade

      It tells you exactly what software has updates and offers to install them. It does the rest for you. Should you want to install one at a time because of potential/expected problems with upgrading them, type apt-get install package-name.

      It's not tough.
      -N

      --
      I've nothing to say here...
  10. "no danger to the public" BBC by Phil+Hands · · Score: 4, Informative

    As reported on the BBC, this killed their mapping systems, forcing them to revert to the paper maps that they've always used in the past.

    No safety critical systems were involved.

    --

    Debian: GNU/Linux done the Linux way
  11. Just generally ... by Quixotic+Raindrop · · Score: 5, Insightful

    ... no. To be guilty of any kind of homicide or manslaughter, your act has to have been the proximate cause of a person's death. The writer(s) of the Sasser worm might have prevented the Coast Guard from rescuing someone in danger, but the fact that that person was in danger in the first place was not the fault of the virus writer, which would prevent even an involuntary manslaughter charge. Unless the worm caused, say, a malfunction in the boat's bilge system, which caused the boat to take on too much water and capsize ...

    With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
    1. Re:Just generally ... by dexterpexter · · Score: 2, Insightful

      In addition, I was fairly sure that there was a limited liability policy on software that limited damages that could be recovered from death or other injuries caused by software (this includes both the Microsoft product, since people have mentioned their potential liability, and the virus itself, if you want to extend the definition of software to viruses) to the price of the CD. In this case, since it was a virus propagating, then the price of the CD is nothing, which would limit the liability of the virus writer to nothing. I know that this is true of the United States; I am not sure about the U.K., however.

      On the other hand, one could take the Patriot Act into consideration, at least in the U.S. If it were shown that the attack was intentional to take down the system of rescue personnel, this could be considered an act of terror and thus the virus writers could be tried as terrorists.

      We must also consider the administrator who did not patch the system. He might not be legally held responsible, but I am sure that his bosses will see this another way.

      In the U.S., the virus writers probably wouldn't be prosecuted for software-caused manslaughter (because of the limited liability thing), but they would still get charged with felonies, as you pointed out.

      The U.K, on the other hand... that is something different entirely.

      The question is, if the Virus Writers themselves even came from the U.K.
      Wouldn't they be prosecuted under their country's laws unless expediated? Which, since we don't know who they are, this question shall remain unanswered.

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
  12. Sasser FUn! by ender81b · · Score: 4, Insightful

    Working tech desk during Sasser outbreak is fun lemme tell you. God save Microsoft if they actually were responsible for tech support costs during this thing.

    I figure I've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thousands of techs just like me who have to do the same thing.

    I almost can't blame the customers for doing this. Ever try just updating Windows XP over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home PCs they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and I'll continue to do so now :). I've had two people call recently who - literally - just bought a brand new computer from the local Best Buy, plugged it into the internet and within 5 minutes got either Sasser or Blaster.

    I dearly, sincerely wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufacturers would actually ship their machines with all the critical updates installed. I also want a pony.

    This outbreak isn't as bad as Blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.

    1. Re:Sasser FUn! by harikiri · · Score: 2, Interesting
      I almost can't blame the customers for doing this. Ever try just updating Windows XP over broadband? Takes forever.

      What's even worse is the fact that most internet users are still stuck on dialup! According to this recent article at CBS, 3 out of 5 internet users don't have broadband.

      The very issue of security patches, their sizes, and the problems for dialup users trying to download them was covered here as well.

      --
      Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
    2. Re:Sasser FUn! by Zocalo · · Score: 2, Insightful
      I figure I've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thousands of techs just like me who have to do the same thing.

      Or try this: According to Microsoft 1.5m users downloaded the cleanup tool via Windows Update. This does not include users that cleaned off their systems via a third party tool from an AV vendor of course. At 10min/infection that's 15m wasted minutes or about 28 *years* of people's time wasted - and that's probably a conservative estimate. Tell me again why the current sentencing guidelines for computer crimes are too harsh...

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Sasser FUn! by DrDebug · · Score: 2, Interesting

      Why does Microsoft ship OS software with so many ports open in the first place? Most people who buy computers are not all that computer savvy, and have no idea what a port is. But the security people want these same computer-halfliterates to close those ports.

      If you know what a port is, then it is just as easy to open a closed one than to close an opened one.

      What we need is an on-computer port-monitor service that scans every port on the machine while it is not otherwise busy. It should report to the user any opening of any non-solicited port, and identify the source program that asked for that port to be opened. Of course, the port-monitor should be configurable by the savvy user to skip over ports that the user may want to use.

      Just my 2 cents.
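
The port monitor proposed in the comment above, sketched as an added example that is not part of the original thread: it compares two snapshots in the layout of Windows `netstat -ano` output, reports listeners that were not in the baseline, names the owning process from `tasklist /fo csv /nh` style data, and skips ports the user has allow-listed. The snapshots, PIDs, the `updater.exe` process name and the allow-list are constructed for illustration.

```python
import csv
import io

# Constructed sample data in the column layout of Windows `netstat -ano`.
BASELINE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49200     203.0.113.7:443        ESTABLISHED     2100
  UDP    0.0.0.0:500            *:*                                    720
"""

# Later snapshot: the baseline rows plus five constructed new sockets.
CURRENT_NETSTAT = BASELINE_NETSTAT + """\
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1400
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3344
  TCP    [::]:8081              [::]:0                 LISTENING       3344
  TCP    127.0.0.1:9229         0.0.0.0:0              LISTENING       3500
  UDP    0.0.0.0:6001           *:*                                    3344
"""

# Constructed sample in the layout of `tasklist /fo csv /nh`. PID 3500 is
# deliberately absent: its process could not be resolved (for example it exited).
TASKLIST_CSV = '''\
"System","4","Services","0","236 K"
"svchost.exe","888","Services","0","3,456 K"
"svchost.exe","1400","Services","0","5,120 K"
"updater.exe","3344","Console","1","9,876 K"
'''


def parse_listeners(netstat_text):
    """Return {(proto, address, port): pid} for listening TCP and bound UDP sockets."""
    listeners = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            local, pid = parts[1], parts[4]
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no State column
            local, pid = parts[1], parts[3]
        else:
            continue  # header, blank line, or a TCP row that is not a listener
        address, _, port = local.rpartition(":")  # rpartition copes with [::]:8081
        if not (port.isdigit() and pid.isdigit()):
            continue
        listeners[(parts[0], address.strip("[]"), int(port))] = int(pid)
    return listeners


def parse_tasklist(csv_text):
    """Return {pid: image name} from CSV rows of image, PID, session, ..."""
    images = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2 and row[1].isdigit():
            images[int(row[1])] = row[0]
    return images


def is_loopback(address):
    return address == "::1" or address.startswith("127.")


def find_new_listeners(baseline, current, images, allowed=frozenset()):
    """Report listeners present in `current` but not in `baseline`.

    `allowed` holds (proto, port) pairs the user has chosen to skip.
    """
    findings = []
    for key in sorted(current.keys() - baseline.keys()):
        proto, address, port = key
        if (proto, port) in allowed:
            continue
        pid = current[key]
        findings.append({
            "proto": proto,
            "address": address,
            "port": port,
            "pid": pid,
            "image": images.get(pid, "unknown"),
            "exposure": "loopback only" if is_loopback(address) else "network",
        })
    return findings


def demo():
    # Assumption for the example: the user enabled remote desktop on purpose.
    allowed = {("TCP", 3389)}
    return find_new_listeners(
        parse_listeners(BASELINE_NETSTAT),
        parse_listeners(CURRENT_NETSTAT),
        parse_tasklist(TASKLIST_CSV),
        allowed,
    )


if __name__ == "__main__":
    for f in demo():
        print("NEW {proto} {address}:{port} pid={pid} image={image} "
              "exposure={exposure}".format(**f))
```
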

  13. I blame 'Microsoft only' consultants for this. by Peter+Cooper · · Score: 4, Insightful

    How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

    I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!

    Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.

    1. Re:I blame 'Microsoft only' consultants for this. by sholden · · Score: 2, Insightful

      Firewalls aren't enough.

      Someone always manages to bring an infected laptop inside the firewall.

      Those 'technical consultancies' need to include keeping the systems patched in that TCO they love to rant about so much.

    2. Re:I blame 'Microsoft only' consultants for this. by b4rtm4n · · Score: 2, Informative

      Hear, hear!

      Doesn't even need a *nix box.

      A cheap NAT router would break the direct link to the network that Sasser needs to spread.

      No way does anyone need a publicly addressable IP on their office workstation.

      Vive la RFC 1918

      --
      "goatse? What's that? Anyone have a link?" - AC
    3. Re:I blame 'Microsoft only' consultants for this. by Zak3056 · · Score: 2, Insightful

      How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

      If you're talking about your home network, yeah, I guess that's okay--but in a business environment (which is what you're talking about, since you mention armies of MS only consultants) what happens when your road warriors VPN in, and infect your ENTIRE FUCKING NETWORK because you thought that a simple NATing firewall was "good enough" security, and didn't bother to patch your boxes?

      Don't get me wrong--what you suggest will reasonably protect you from quite a few threats--but it's NOT the panacea you make it out to be.

      --
      What part of "shall not be infringed" is so hard to understand?
  14. Also affected Deutsche Post by Meijer · · Score: 3, Interesting

    On Monday, thousands of people tried to access the banking services of Deutsche Post.
    Due to stricter security settings (because of Sasser) this was not possible for hours.

  15. a reminder... by ptolemu · · Score: 2, Insightful

    that the more we depend on technology the more important it is to realize this dependence and the implications of trusting it blindly

  16. Devil's advocate by pleitner · · Score: 5, Insightful

    While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arise from a virus/worm infestation.

    The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...

    The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system that was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.

    Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If it is a critical app, pay some serious attention to it...

    Basically, I am advocating a bit of responsibility for one's own destiny...

  17. No - the Coast Guard's IT department is at fault. by baadfood · · Score: 5, Insightful

    Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault. I can't believe that people who put together systems that perform life critical functions cannot be held liable for the choices they make - I don't think the OS choice is relevant. It's the setting up of a system that is exposed to the internet. Systems on which people's lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.

  18. Re:"no danger to the public" BBC by ForestGrump · · Score: 2, Insightful

    But 5 years from now, when everyone gets used to using a GPS and some fancy mapping program, what then?

    Paper? What paper? Oh! ePaper!
    Nope, our laptop got the virus last night. Sorry, WE CAN'T RESCUE YOU UNTIL WE GET OUR LAPTOP FIXED!

    Boy, I'm not optimistic tonight.
    -Grump

    --
    Is it true that more people vote for the winner of American Idol, than vote for the president? -Ali G.
  19. Re:Methinks. by upside · · Score: 2, Insightful

    Yup, a new supplier and a contract that stipulates a certain level of service. I'm also surprised why critical systems are linked to the Internet.

    --
    I'm sorry if I haven't offended anyone
  20. Re:Oh, for ----- sake by eclectro · · Score: 4, Insightful

    Like no system except a Microsoft system has ever gone down. The first f---- worm ever written was for Unix, nerds.

    I think that there is a difference between going down occasionally and going down every week.

    BTW, that is Mr. Nerd to you.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  21. Doesn't everything? by Bender+Unit+22 · · Score: 4, Insightful

    and some clause in the Patriot Act
    doesn't everything? seems to me that it gets stretched more than a rubber band.

    1. Re:Doesn't everything? by AKnightCowboy · · Score: 5, Funny
      and some clause in the Patriot Act
      doesn't everything? seems to me that it gets stretched more than a rubber band.

      Questioning the intent of the Patriot Act falls under section 14 of the Patriot Act. I hope you don't have anything to hide, terrorist, because the FBI are on their way.

    2. Re:Doesn't everything? by spoonyfork · · Score: 2, Funny

      and some clause in the Patriot Act doesn't everything?

      seems to me that it gets stretched more than a rubber band.

      Why do you hate freedom?

      --
      Speak truth to power.
    3. Re:Doesn't everything? by frankie · · Score: 2, Informative
      Questioning the intent of the Patriot Act falls under section 14 of the Patriot Act

      The funniest (saddest) part is that he's telling the truth. When the ACLU sued to challenge the Patriot Act, the very existence of their lawsuit was covered up by order of the Patriot Act!!!

  22. The message is simple by Alioth · · Score: 4, Insightful

    Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.

  23. A nautical option by FraggedSquid · · Score: 2, Funny

    Possessing a long maritime tradition, here in the UK we could offer the writers a selection of punishments: [1] Keel Hauling from stem to stern [2] Flogging with a cat-o'-9 tails [3] Hanging (if the worm caused a fire in a naval dockyard) [4] Run the Gauntlet [5] Picking oakum

    --
    You don't need a lab to make mud.
  24. Re:"no danger to the public" BBC by ColaMan · · Score: 4, Insightful

    It depends on how you look at it:

    The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
  25. Proximate cause by ArsenneLupin · · Score: 3, Interesting
    Quoting from your link, second paragraph:

    Responsibility for injury lies with the last negligent act that produces the injury (after the ball rolls down the hill, a stranger picks it up, throws it through a window which breaks the glass, causing the glass to shatter and strike a person who was sitting next to the window, cutting her arm and requiring her to obtain medical treatment). In this example, although you caused the ball to roll down the hill, your act is not the proximate cause of the injury to the lady sitting next to the window, the stranger's act is the proximate cause of the lady's injury and the stranger, not you, should be held responsible for the injury that she suffered.
    I think this would put responsibility squarely on the "virus" side of the chain of events. Indeed, although some initial malfunction may have put the person at sea in danger in the first place, it was only the crippling of the coast guard that caused the sea accident to become fatal.

    Ok, would that make the virus writer responsible? Again, no. The virus writer just tossed a ball which somebody else picked up.

    Who is this somebody else? Microsoft? No, again. Although, Microsoft did pick up the ball, they didn't throw it at the victim's window themselves. They only threw it to the next "player".

    That next player would be coast guard management who decided to run their system on Windows instead of the more secure Linux or OpenBSD. Would they be guilty of manslaughter? Again, no. They just tossed the ball to the next player.

    The next player would be the sysadmin who failed to run windows update on his known vulnerable system (A windows system is always deemed vulnerable. Thus, "not having heard of" the worm is no defense). And he would be the final player who tossed that ball through the window.

  26. Re:Leave MS out of this by HolyCoitus · · Score: 2, Insightful

    I do sue Ford though if they later tell me that I also needed to buy doors to my car (firewall) and that the car had a mechanism to allow anyone with the proper knowledge to cause damage to it without even being near it (antivirus).

    This isn't a car. Not only do they not give you the full package, they can force the vendors with a license into not giving it to you as well.

    "You can't package that, it's against our license."

    --
    That's scary.
  27. You can lead a horse to water... by mindmaster064 · · Score: 4, Informative

    Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerability over two weeks ago, per:

    MS's Security Bulletin on April 13th (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibility for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.

    It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.

    - Mind

    1. Re:You can lead a horse to water... by TiggsPanther · · Score: 2, Informative

      It's easier said than done, though.

      Does anyone really trust MS Updates anymore? There've been too many horror stories of Updates breaking other stuff for 100% of Windows Admins to trust Windows Update immediately.

      Plus there are the basic "rules" about never installing something on a production machine until you're sure it doesn't break anything, combined with never installing anything until someone else has discovered all of the bugs.
      Put these together, and it becomes hard to risk putting patches on anymore.

      Also there is another factor. What if you test something only to find out that the "fixed" version fundamentally breaks a mission-critical system?
      Unless you can re-code your mission-critical system, or get MS or the Software Vendor to fix the bit that breaks - well, it leaves you either vulnerable or unable to work.

      It doesn't change the fact that updates should be deployed ASAP, but there are times when it's simply not a viable option.

      (Oh, and "fired" is still a valid term here)

      --
      Tiggs
      "120 chars should be enough for everyone..."
  28. Re:Leave MS out of this by m_dob · · Score: 2, Insightful

    Bad analogy. If Ford find a critical fault, they recall the product. How many critical faults have MS found in XP so far?

  29. Whatever happened to isolation? by thesp · · Score: 5, Insightful

    The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is: Why were these systems ever connected to the wider world in the first place? Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security. Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet). We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms. Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd. And our company rolls on....

  30. Re:Oh, for fuck sake by Unique2 · · Score: 5, Interesting

    Hook, line and sinker but...

    According to Wikipedia Elk Cloner was the first virus to be caught "in the wild" i.e. outside of a research lab. It ran on Apple II systems, more than likely because MS-DOS was barely capable of running programs at the time.

    Also, let's keep things in context, Sasser can install and execute itself remotely without any user interaction -- there is a big difference between that and booting from a random floppy disk or logging in as root, downloading, chmod +x virus, and executing ./virus.

    --
    No trees were harmed in the posting of this message. However, a great number of electrons were terribly inconvenienced.
  31. Morons! by Pan+T.+Hose · · Score: 5, Insightful

    From the article:

    The Sasser worm, which exploits a flaw in Microsoft's Windows software, disrupted work at the Marine and Coastguard Agency, forcing staff to use pencil and paper to find ships and locate distress calls on maps. [...]

    Anyone with an infected machine should visit Microsoft's website to download a software "patch" to fix their system.

    No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  32. Wrong by mericet · · Score: 2, Insightful
    IANAL, but:
    Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liability (both criminal and civil). In many jurisdictions, if a virus directly caused a death they could be charged with murder.

    The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing his/her job), the employer will probably be liable too (probably civil cases only though).

    1. Re:Wrong by dexterpexter · · Score: 2, Interesting

      Interesting. I didn't consider the not clicking on some EULA. However, wouldn't the liability still only be manslaughter? If a car directly runs over someone, but the intent was not to kill, then isn't it still manslaughter, not murder? In this case, I doubt that the virus was intended to kill. So, perhaps limited liability might not apply here. However, I have been toying with the idea of also being able to get the virus writer with the DMCA.

      The idea of the admin being responsible intrigues me. What if they don't have a system administrator? Can one still argue legally that since the average user is not technologically savvy and that they bought a product with the idea that it performed its function (especially in the case that the company claims it is secure), then could they argue that it is not their responsibility to make sure that the internal workings of the system work? I mean, you and I know better, but can an ignorant user rightfully claim that it is the software writer's responsibility to provide the service they paid for, without requiring the end user to pay for experts to monitor their system?

      You and I know that is bunk, but I wonder how that would hold up legally...

      --

      *-*-*-*-*-*-*-*
      "We are Linux. Resistance is measured in Ohms."
    2. Re:Wrong by mericet · · Score: 2, Insightful
      No, the car analogy is wrong. At least in the jurisdictions I'm familiar with, as long as you committed a crime (virus writing/distributing) deliberately, you committed all side effects of said crime. A more accurate analogy would be an accidental death caused by arson. At least in my jurisdiction, virus writing/distributing is a crime by itself.

      If they didn't have an admin, management would still be potentially liable (negligence of not having a competent admin), and civil liability would not be diminished.

  33. Bad Admins by NexusTw1n · · Score: 2, Informative
    "Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems."
    Well no, this brings into question the reliability of the Coast Guard's admins.

    Coast Guard PCs one assumes are a standard build - all the software on the machines are the same. So testing new patches should only take a couple of days. The admins had 21 days.

    Assuming the patch broke something critical and so couldn't be applied. Well the admins could have sat down and cried about it, or they could have done their job, read the security bulletin which details workarounds if the patch can't be applied.

    These include activating the local firewall on each machine, blocking a variety of ports on the outer wall, or creating read only dummy files (echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log)

    Some of these workarounds could cause you pain - for instance the advice to "Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall" means that if you have an AD structure over a WAN it is going to break, unless you block those ports except for the specific IP addresses of your controllers, or you have a backup controller locally (which you should have anyway) that can take the strain while you work on getting the patch installed.

    All this is work, more work than setting up SUS on the LAN and going to the pub. But as admins, this is what you are paid to do.

    MS had a patch for this, as soon as the exploit was used they had a clean up tool available, they offer various free patch management systems for admins to use.

    Bugs and exploits occur in ALL software. It was the admins who dropped the ball on this one, not MS. There was a patch, there were workarounds available if you couldn't use the patch and XP has a piece of inbuilt software that would have prevented the worm if you had it enabled. 3 ways to fix this, and 3 weeks to do the fix in. I don't see what else MS could be expected to do.
    --
    It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
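
The scoped workaround in the comment above (block the LDAP ports except for the controllers' addresses) only works if the exception is evaluated before the block and all four ports are covered. The Python check below is an added example, not part of the original comment or of the security bulletin; it audits constructed first-match rule lists, and the addresses, the default-allow perimeter, and the `Rule`, `decide` and `audit` names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# TCP ports named in the comment above (LDAP, LDAPS, global catalog, GC over SSL).
LDAP_PORTS = (389, 636, 3268, 3269)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    source: str   # source network in CIDR form
    ports: tuple  # TCP destination ports the rule covers


def decide(rules, src, port, default="allow"):
    """First matching rule wins; unmatched traffic gets the default.

    Default-allow is an assumption modelling a perimeter that only
    blocks what it has been told to block.
    """
    addr = ip_address(src)
    for rule in rules:
        if port in rule.ports and addr in ip_network(rule.source):
            return rule.action
    return default


def audit(rules, controllers, outsiders):
    """Return findings; an empty list means the policy matches the intent:
    controllers keep LDAP access, everyone else loses it."""
    findings = []
    for port in LDAP_PORTS:
        for dc in controllers:
            if decide(rules, dc, port) != "allow":
                findings.append(f"controller {dc} blocked on tcp/{port}")
        for host in outsiders:
            if decide(rules, host, port) != "deny":
                findings.append(f"{host} can reach tcp/{port}")
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
CONTROLLERS = ["192.0.2.10", "192.0.2.11"]
OUTSIDERS = ["198.51.100.7", "203.0.113.50"]
ANY = "0.0.0.0/0"

ALLOW_DCS = [Rule("allow", f"{dc}/32", LDAP_PORTS) for dc in CONTROLLERS]

# 1. Blanket block: stops outsiders, but also cuts off the controllers.
BLANKET = [Rule("deny", ANY, LDAP_PORTS)]

# 2. Exception listed after the block: never reached under first-match.
MISORDERED = [Rule("deny", ANY, LDAP_PORTS)] + ALLOW_DCS

# 3. Exception first, then the block: the scoped workaround as described.
SCOPED = ALLOW_DCS + [Rule("deny", ANY, LDAP_PORTS)]

# 4. Global catalog ports forgotten: 3268 and 3269 stay reachable.
INCOMPLETE = ALLOW_DCS + [Rule("deny", ANY, (389, 636))]

if __name__ == "__main__":
    for name, policy in [("blanket", BLANKET), ("misordered", MISORDERED),
                         ("scoped", SCOPED), ("incomplete", INCOMPLETE)]:
        problems = audit(policy, CONTROLLERS, OUTSIDERS)
        print(f"{name}: {len(problems)} finding(s)")
        for line in problems:
            print("  -", line)
```
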
    1. Re:Bad Admins by pe1chl · · Score: 5, Insightful

      You assume that an admin knows everything, and has infinite time on his hands.

      In reality, companies have selected Windows after being told that its administration is much easier than for competing systems. Admins only need to know which buttons to click to setup a new system. In-depth knowledge about the underlying principles is often not available, with the excuse that it was supposed to be unnecessary.

      In the end, it may be better to install a system that is a bit more difficult to administer, and thus avoid the administration by unqualified personnel.

    2. Re:Bad Admins by clare-ents · · Score: 2, Interesting

      How about :-

      Don't have any services running on any ports unless the computer owner has explicitly asked for them.

      Here's a question. Suppose I buy a new computer and I want to connect it to the internet over dialup to activate my copy of Windows XP. I now have to hunt around a bunch of menus to turn on the inbuilt firewall before I can do this. Then I have to download some megabytes of patches to make it safe. At a per bit cost that's ridiculous.

      That's just not acceptable.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
  34. CT scanners at major hospital affected by erik_norgaard · · Score: 5, Interesting

    The Danish newspaper Ingeniøren reports that the Sasser virus attack affected the Danish hospital, Herlev Sygehus. The hospital had to cancel scheduled CT-scannings because the scanners crashed. Also MR-scanners were affected, though no scannings were canceled.

    "We do actually have a firewall, but apparently it hasn't been updated enough" says radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR-scanners running Linux had no problems," he says.

    The original story is here (in Danish).

    It appears that the consequences of the Microsoft monopoly are getting worse. Are there any linux-run hospitals?

  35. "real" businesses hit too (cf BA) by OlivierB · · Score: 4, Interesting

    Heathrow hasn't been spared yesterday

    http://tinyurl.com/3h7fb

    If I were a Linux vendor I would be all over BA and other victims pitching my stuff.... I know this is a bit wrong but hey Business is business and I am sure I would get these guys' attention FAST!

    --
    Artificial intelligence is no match for natural stupidity
  36. Sasser Frazzed by zenmojodaddy · · Score: 4, Interesting

    I work in a small insurance brokers without its own internal IT department, and as token geek I get the job of patching workstations since our external IT support guys can't find their own collective arse with both hands and a map.

    As soon as the last batch of updates were released - starting about half an hour after I read about the updates on /. - I patched twenty odd workstations individually, manually, over two days. (Manually, because our IT experts have set up our system in such a way that the automatic update service doesn't work.)

    Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.

    Aaagh!

  37. Re:virii are a fact of life by jpop32 · · Score: 4, Insightful

    Microsoft has to take part of the responsibility and offer to send consultants out for free to patch and fix the servers.

    Or, even better, ship Windows with a piece of software that does that automatically? Oh, wait, they already do that...

    It needs to be said again: YOUR COMPUTER IS YOUR RESPONSIBILITY! The patch for this one was available for some time (a month or so). You can't pin this one on Microsoft any more than you can blame the car manufacturer for car breakdown after you missed your scheduled service.

    Isn't it about time to start introducing fines for people who propagate worms and viruses? Yes, fines for getting your machine infected. It's illegal to drive a malfunctioning car, why should it be legal to operate a malfunctioning computer? Both are a danger to the public.

  38. Salesmen and ethics by nuggz · · Score: 4, Insightful

    Why would it be wrong to promote your product now?

    This is the right time to promote it, and the positive aspects compared to the current solution. You will likely have an easier time trying to point out some of the flaws with their current situation.

  39. we should be by poptones · · Score: 5, Insightful
    Yup, it comes down to everyone. It's easy to say "MS sucks, look at this proof" but the fact is MANY systems are vulnerable to malicious intent and the free solutions escape much of this attention simply because fewer people seem to be - for now - writing exploits.

    A solution to this problem has been around for weeks now, yet one or more of these systems were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?

    You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's apropos here to remind everyone what "mama" always said: stupid is as stupid does...

    1. Re:we should be by Phragmen-Lindelof · · Score: 3, Interesting

      This sounds like the argument "Well, our tires do tend to blow-out at high speeds but why should we be held responsible? The EULA which comes with our tires specifically says that we are not liable for any damages and you agreed to our EULA by using our tires."

    2. Re:we should be by SillyNickName4me · · Score: 2, Insightful
      Yup, it comes down to everyone. It's easy to say "MS sucks, look at this proof" but the fact is MANY systems are vulnerable to malicious intent and the free solutions escape much of this attention simply because fewer people seem to be - for now - writing exploits.

      That almost sounds like a real argument, it is not.

      • Most other systems that want to call themselves 'modern' listen to a very limited group of services only by default, and those are services to be known to be generally safe (tho at times things do happen with those as well) and have been coming with built in firewall software for at least half a decade. Note that that includes almost all free unix variations.
      • OSS software has a much better track record documenting and fixing problems

      Both MS and those admins are responsible. MS for knowingly selling an unsafe system, and the admins for knowingly using it.

      That MS systems still listen to the entire world on a whole variety of different ports is a huge part of the problem, and it not coming with a product like ZoneAlarm by default to at least mitigate the problem a bit is really a very significant part of what makes worms like sasser go well.

      The unpopular platforms don't get targeted argument is old, and if you'd just take a peek at the insane amount of malware for the Amiga platform, you'd see how stupidly wrong the argument is proven to be by reality.

      The only partial truth in your argument is that the admins are also to be blamed.

    3. Re:we should be by Jim_Maryland · · Score: 2, Insightful

      OSS software has a much better track record documenting and fixing problems

      Just wanted to point out that in this case, the system admins that didn't patch the MS OS probably wouldn't take the time to update their OSS either.

      I agree that most OSS is more secure, but if admins don't do their part, the system will be vulnerable no matter what OS or application is used. That being said, MS certainly keeps admins busier than other OS's. I find updating my UNIX systems (Solaris and IRIX) much simpler than my MS Win32s (although sometimes patching a single MS Win32 system can be easier than a single UNIX box but for labs or remote locations, UNIX is definitely easier).

    4. Re:we should be by SillyNickName4me · · Score: 3, Informative

      Well, the reason that a Windows admin is more busy with such stuff is twofold:
      - More bugs
      - Have to keep fixing things that are not being used at all, but that can't just be uninstalled/disabled.

      For example, on my (FreeBSD in this case) Open Source OS based server, I can simply ignore patches for web browsers, mail clients, and generally any gui based program since they are not installed or at least not functioning, and definitely not listening to the outside world without me having set it up that way very explicitly.

      I do have to watch a very specific shortlist of products that need to be kept up to date, and I'll get a message on my phone in case a critical bug in one of those products is published in any of the known ways.

      Having this shortlist of products (FreeBSD core, openssl, openssh, Apache, PHP) makes it very manageable, and in the end I don't have to update things that often.

      It would also really help a lot if MS patches didn't break so much and so often. I can remember virtually every case where a FreeBSD patch managed to mess up my system over the last 8 years, and the last one goes back to the 3.x era some years ago. It seldom happens, and it's in fact so exceptional that I can run the risk of it happening on my production servers. The risk and consequences are waaay smaller than the much more likely breakins that would result if I don't apply the patches.

      At any rate, it doesn't take much time, and it is very clear what I have to watch and patch to keep secure. That is one of the main problems with Windows, even when you are a competent admin, you have so many things to watch, and keep discovering new things all the time.

      Yes, I do believe that MS can be blamed for that problem. Such a system is not suitable for anything other than connecting to an isolated and trusted local area network. The fact that Windows uses IP for many LAN oriented services makes the problem a lot worse.

    5. Re:we should be by Anonymous Coward · · Score: 2, Insightful

      Except one small problem. Extending your logic: The tire company has put a recall on the tire that says the tire blows out at high speed, please have them fixed. We'll give the repair for free.

      If the person doesn't make the repairs....

    6. Re:we should be by It'sYerMam · · Score: 2, Insightful

      Having said that, if an admin followed the instructions on a Linux install (not Linspire, mind), then they would have been running as an unprivileged user.
      Therefore, the damage would've been quite limited - sure it could've hosed the guy's home directory and stuff he'd been working on, his preferences, etc. But it wouldn't have taken out vital operating system stuff.

      --
      im in ur .sig, writin ur memes.
    7. Re:we should be by Jim_Maryland · · Score: 3, Interesting

      I wasn't meaning to imply that MS shouldn't be blamed for the problem. Just trying to point out that even with a good patching solution, even the best ones will fail if the system admin doesn't apply them.

      MS should bear the brunt of the blame. For as much revenue that is generated by their products you would expect them to have a better product by investing into it. By no means though is MS the sole bearer of the blame. The organization that chooses to use the OS and the administrators that don't keep up with the OS maintenance also share some of this responsibility.

    8. Re:we should be by Lobster+Cowboy · · Score: 2, Interesting

      no no no...

      this isn't microsoft's fault. they aren't purposely trying to create an insecure platform. WHY would a company that wants to make money even consider that? why don't you try building a product the scope of windows, and make sure its 100% airtight?

      it also isn't the fault of system admins. despite the grumblings of many /. users, microsoft makes legitimate server software, and using it is not necessarily a bad thing. it has its strengths and weakness just like *nix and linux.

      how 'bout we blame the real culprit, THE VIRUS WRITER. you make it seems as if microsoft was paying this pimple-faced kid to make this thing. this guy/gal created this worm of their own volition. it was their CHOICE. to blame MS and sys admins is like giving this person a free pass. place the blame where it belongs--on the malicious little shit who wrote and distributed it. when they sat down to make sasser, they weren't doing it for noble reasons, they were doing it to be dicks.

      --
      --They say only a fool looks at the finger pointing to the sky...
    9. Re:we should be by sjgm · · Score: 2, Insightful

      No, it's like the argument "Well, if you don't make sure you check your tire pressures regularly and they go flat, you might end up with a blowout".

      It's not hard to install patches (perhaps by using SUS or similar), or to get a firewall.

    10. Re:we should be by default+luser · · Score: 2, Insightful

      This sounds like the argument "Well, our tires do tend to blow-out at high speeds but why should we be held responsible?"

      If by "tires" you mean H-rated radials, and by "high speed" you mean over 130MPH, then that's all your fault. Most passenger cars ship with H-rated radials, and most car makers try to prevent such situations by providing 130MPH or less speedometers (the psychological barrier), or installing 130MPH speed governors (the physical barrier).

      Still, with all this, you could potentially push your car over 130MPH and have a blowout, and it would most certainly be your fault. Now, if you had a blowout at 125MPH on the other hand...

      --

      Man is the animal that laughs.
      And occasionally whores for Karma.

    11. Re:we should be by SillyNickName4me · · Score: 2, Insightful

      Let's see... I think you are the one who got it almost all wrong..

      Blame the writer for writing the virus, agreed, and you are right on that one.

      Blame MS for unknowingly creating a system that makes it so easy to infect thousands of computers over a shared network and then for over a decade knowingly not fixing it and yet selling it as being secure, why do you have such trouble with that?

      It is not the first worm/virus that happens to them, not the last either I'd bet, and they still take years to address simple and very clear problems in their design that causes this.

      Blame system admins for not being knowledgable in what should be their area of expertise, what is wrong with that?

      When a burglar enters my house because the lock in the door didn't prove a problem at all while the company that sold it guaranteed it to be up to all modern standards concerning its security... Sure I'll blame the burglar and hope he'll get caught and such. I'll however also blame the lock manufacturer for 1. providing me with a lousy product, and 2. lying about their product specifications. I may even blame the maintenance guy for not installing and maintaining it properly.

  40. Delta Airlines by DeanFox · · Score: 5, Interesting


    Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.

    The system affected was one that calculates passenger and cargo weight so it can be distributed evenly throughout the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".

    It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvenience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is affected.

  41. Slow Down the Security Patch Cycle? by The+Cookie+Monster · · Score: 2, Interesting

    Slow Down the Security Patch Cycle?

    This case would seem to support the reasons made in the Computerworld article about slowing down the security patch release cycle.

  42. Overexagerrated by pandrijeczko · · Score: 4, Informative
    Being in the UK myself, I saw this news report on the TV yesterday with a reporter interviewing an employee of the coastguard.

    I really got the impression that the reporter was trying desperately to make this into a dramatic news story whereas the coastguard person was fairly level-headed about it. Even she stated that every employee has a backup laptop that is not connected to the Internet as a contingency plan in just these circumstances. Plus, they can also rely on paper maps if necessary.

    Yes, we all know Windows has security holes (just like any other piece of software) and that Microsoft could do a whole lot more to make their software more secure - however, the fact is that using good firewalling and educating users properly is the best way of stopping 99.9% of all known worms and viruses.

    Microsoft must take some of the blame but so should the salesmen and IT people for possibly not deploying the right platform in the first place and then, post deployment, not ensuring it's secure.

    --
    Gentoo Linux - another day, another USE flag.
    1. Re:Overexaggerated by oshy · · Score: 2, Insightful

      One of the comments made about it on TV was that the PCs used for checking coordinates went wonky.

      However, as part of the procedure for locating vessels, they check them against paper charts.

      Looks like they didn't trust PCs to start with. Now they've been proven right.

  43. Yeah but the difference is ... by DrYak · · Score: 2, Insightful
    is the car company responsible for not making unbreakable windows?

    There's something wrong with your example.
    There are car companies that do make unbreakable windows and they do advertise their windows as such. (used by diplomats, etc...)

    The other companies don't make unbreakable windows, and never advertise their cars as such.

    BUT !!!!

    There are some Operating system designers, that create unreliable OS, but still advertise them as secure.

    So in your example, if the car was Royce diplomatic model with unbreakable glass, when this happens, the court won't laugh but take it very seriously.

    And the Operating System company should be blamed because it pretends its software is secure, when it clearly isn't.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  44. Know your systems and do not rely on a firewall by Spoing · · Score: 4, Informative
    If you're using Windows, take a page from Linux/*BSD and other *nix hardening;

    If it's not running, it can't be exploited!

    1. Isolate each system and check it before bringing it on the network or exposing it to the Internet (and do the latter rarely).
    2. Do external port scans *without* the use of a firewall to see what might be running that is hidden.
    3. Use dependency checkers when encountering unknown software or libraries. (Under Windows, Dependency Walker is your friend.)
    4. Turn it off and remove it if you don't need it, can't trust it, or it seems suspect.
    5. Find trustworthy software and use that instead; popularity isn't trustworthiness.
    6. Isolate systems at the router; it should be difficult to damage any machine (misconfigured or not) from most any other random machine.
    7. Your systems should be secure even without a firewall. Are they?
    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
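
Items 4 and 7 of the checklist in comment 44, sketched as an added example (not part of the original post): inventory what a Windows host is actually listening on, independent of any firewall, and flag every non-loopback listener that is not on a list of services the host needs. The `netstat -ano` capture and the `NEEDED` allowlist are constructed sample data.

```python
"""Flag listening sockets that are reachable from the network but not needed."""
import ipaddress

# Constructed sample of `netstat -ano` output from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1020
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1800
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     3020
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    700
  UDP    127.0.0.1:1900         *:*                                    1200
"""

# Hypothetical allowlist: the only service this host is supposed to offer.
NEEDED = {("TCP", 3389)}


def split_endpoint(endpoint):
    """Split '0.0.0.0:445' or '[::]:445' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(text):
    """Return (proto, host, port, pid) for every listening/bound socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto = fields[0]
        # TCP rows carry a state column; UDP rows do not (bound == reachable).
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        host, port = split_endpoint(fields[1])
        listeners.append((proto, host, port, int(fields[-1])))
    return listeners


def is_loopback(host):
    """True when the bind address is only reachable from the host itself."""
    return ipaddress.ip_address(host.split("%")[0]).is_loopback


def audit(listeners, needed):
    """Group network-reachable listeners that are not on the allowlist."""
    findings = {}
    for proto, host, port, pid in listeners:
        if is_loopback(host) or (proto, port) in needed:
            continue
        entry = findings.setdefault((proto, port), {"addrs": set(), "pids": set()})
        entry["addrs"].add(host)
        entry["pids"].add(pid)
    return findings


def report(findings):
    """Render one line per finding, ordered by protocol and port."""
    lines = []
    for (proto, port), entry in sorted(findings.items()):
        addrs = ", ".join(sorted(entry["addrs"]))
        pids = ", ".join(str(p) for p in sorted(entry["pids"]))
        lines.append(f"{proto}/{port} bound to {addrs} (PID {pids}): not needed, turn it off")
    return lines


if __name__ == "__main__":
    for line in report(audit(parse_listeners(SAMPLE_NETSTAT), NEEDED)):
        print(line)
```

Each flagged PID can then be mapped to its owning service and that service disabled, rather than hidden behind a filter rule.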
  45. On the train by cazzazullu · · Score: 2, Interesting
    On the train this morning, with some guy I know:

    Me: phew, almost our entire university network down, just by one stupid virus. Luckily I'm using Linux.

    The other guy: What the hell is Linux???

    ...

    --
    int main(void) {while(1) fork(); return 0;}
  46. Network security? by JWSmythe · · Score: 2, Interesting

    Not to skip the M$ Bashing, but....

    Shouldn't there be a bit better security in an essential service such as that? Why are people allowed to bring insecure machines in, and plug them into the network? Shouldn't they have 24/7 administration? Shouldn't someone have seen a report about Sasser, and patched their machines? We're not talking about Mom & Pop ISP here, we're talking about a branch of a nation's military. Why are people coming in with laptops from home, and being allowed on the same network with an essential infrastructure? Haven't their admins read any books on secure networking? What about firewalls between the essential infrastructure machines, and the compromisable network? The way the story sounds, people take their laptops home, browse the Internet, and come to work and plug in pretty much anywhere. I suppose there's more than one CCSP on staff saying "hey boss, told you so" err, maybe "Sir, remember those security recommendations I made last year? May we implement those now?"

    --
    Serious? Seriousness is well above my pay grade.
  47. monoculture problems by martin · · Score: 2, Interesting

    Usual problems with sys admins having to patch thousands of machines (yes there are tools out there to help).

    But also caused with the massive MS Windows monoculture (cf market dominance).

    It's times like this that running 3 O/S's at work for the users desktop helps. But then I get stuffed by patching and trying to find tools that cover all my bases....(or run three tools!).

  48. Natja by Graymalkin · · Score: 2, Insightful

    I would have thought after MSBlaster ripped through the Windows world that people would have learned to keep Windows away from any and all open internet connections. While competent admins ought to keep their systems patched I find it difficult to understand why networks aren't properly firewalled. If you want to be cheap about it you can just have a single firewall at external connections. A little fancier set-up would be transparent packet filters to segment portions of the network from one another. Keeping everything off the network that wasn't intended to be there would nip many of these sorts of worms in the bud.

    I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.

    Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.

    --
    I'm a loner Dottie, a Rebel.
  49. Where was the British CG CERT during this? by gruhnj · · Score: 3, Interesting

    From Microsoft's website,

    Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13

    I work for the US Army. We knew about this way before the patch came out just by monitoring Bugtraq. Less than 72 hours from the bug being confirmed by our service CERT, we firewalled access to this kind of thing. The patch was confirmed for deployment almost 48 hours after the patch became available. If it was not deployed 96 hours after the order, we shut the node down until we can confirm it's patched and ready to rejoin the network. The impact of Sasser on our networks? Almost ZERO.

    All of our response is coordinated by the US Army CERT (ACERT). What did the British Coast Guard equivalent do? Is there such a thing? This is preventable, especially given the time from patch to exploit. It's not like this sprang up overnight. Even then, don't they have a team that monitors this stuff and has authority to order massive disconnect? It seems that MS is not at fault, the British CG CERT failed them here. If they did try to prevent this, what failed them? Antivirus? Admins who failed to patch? Lack of informing them downrange?

    SPC Gruhn
    TNOSC-K, Systems Management Branch
    1st SIG BDE
    "First to Communicate!"

  50. Stop Blaming the Victims of Microsoft's Fraud by FreeUser · · Score: 4, Insightful

    Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.

    I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulently representing their system as both stable and secure, just as they have been fraudulently representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record ... one need only peruse their website and their past marketing of Windows, coupled with their slanderous misrepresentations of competitors such as Linux.

    Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.

    I can't believe that people who put together systems that perform life critical functions cannot be held liable for the choices they make

    I don't think the OS choice is relevant.

    Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analysis, and through historical empirical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.

    Clearly, as the underlying architect and definition of a system's security design, policy, and implementation, the operating system is the single most relevant design choice one can make.

    It's the setting up of a system that is exposed to the internet. Systems on which people's lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.

    That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implementation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.

    The worm writer, and Microsoft's fraudulent representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.

    --
    The Future of Human Evolution: Autonomy
  51. firearms manufacturers..... by zogger · · Score: 5, Insightful

    ... are a LOT more responsible about their products as a rule than almost any industry, perhaps airplanes might be the closest, they always recall and repair or replace defective products, and go to some lengths to get the word out to the owners, and it goes beyond 90 days, and beyond the original owner on any defects. I know because I worked in a firearms warranty repair center before and been an enthusiast since I was about as tall as a .22 rifle. It's years and years in some cases with warranties. Many now come with a default "forever" warranty. In fact, they have some of the best warranties and repair/recall efforts in any industry. We would be *lucky* if all products had as good a warranty. Like name a major manufactured mechanical product that comes with a lifetime warranty now. Washing machine? Automobile? Bicycle? Hard drives? Radio? Anything? There might be but I can't think of any off the top of my head, but firearms are treated that way in a lot of cases now, and even in other cases where the warranties expire, recalls are still done if a defect is found.

    The big problem is software got a completely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.

    This deal was way back when it first really took off (I really need to research this now, it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and anyone can see that.

    It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.

    We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.

    I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.

    And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is affected" when defects show up. It can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software

  52. Don't blame the script kiddies by ajs318 · · Score: 3, Interesting

    Don't blame the script kiddies for this. They are just kids, after all ..... kids are by nature explorers and experimentalists, and this is pretty much hard-coded into the human firmware.

    It's like placing a coin on a railway track to see what happens to the Queen's face when a train runs over it, and ending up derailing the train ..... an unfortunate consequence, not one that could reasonably have been foreseen by the "perpetrators" {all manner of crap already gets blown around railway lines, what difference does anyone suppose a coin will make?} but one that should have been taken into account by the implementors of the system. If the train makers can't be sure that a coin on the tracks won't derail their trains, then the trains are no good. What if a bird eats a berry, then shits the seed out and it lands on the track and that derails a train? Do you blame the bird? Blame the owner of the hedge the berry was growing on? Or do you blame the person who designed a train so badly that an object on the track would throw it off altogether?


    This is an excellent opportunity to sow seeds of change. Open people's minds to the possibility that there might be an alternative to Windows. Ask questions. Did they know there were vulnerabilities? Well, did they not look at the source code? [the what?] The source code -- you know, the human-readable form of the code that can be examined and modified. What scrutiny did you subject the source code to? [but that's a secret!] What -- you bought a locked box that you knew you weren't going to be allowed to look inside, and you didn't get even the tiniest little bit suspicious that somebody might be trying to hide something from you?

    Every piece of food you buy is clearly labelled with a list of the ingredients. {this was actually used in an anti-drug propaganda advertisement in the mid-1990s, till some bright spark suggested that surely legal drugs would be properly labelled and the problems caused by not knowing what was in pills and powders were merely a side-effect of prohibition}. The analogy between Microsoft and Tom Lehrer's Old Dope Peddler is a strong one. Give out free samples {educational licence discount}, get people hooked {file format lock-in}, watch the little puppets dance to your tune.

    For my part, I have pledged never again to work with Windows, ever. At all. The only repair I will ever again do to a Windows box is to install Linux on it -- barring that, I will simply unplug the power cable, leave it unplugged and consider that an improvement. The time has already come when I would sooner forego a computer altogether than touch Windows.

    --
    Je fume. Tu fumes. Nous fûmes!
  53. Microsoft.nl down as well by robsky · · Score: 2, Interesting

    Microsoft.nl can't cope. This is the error message I just got when I tried to get to their website. Perhaps they haven't patched?

    Server Error in '/' Application.
    -

    Procedure or function TrafficInsert has too many arguments specified.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Data.SqlClient.SqlException: Procedure or function TrafficInsert has too many arguments specified.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [SqlException: Procedure or function TrafficInsert has too many arguments specified.]
    System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream) +723
    System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +194
    Microsoft.Nl.Redirect.RedirectHttpHandler.LogTraffic(Int32 siteID, Int32 redirectID) in c:\data\project\ms-cmo\redirect\redirecthome\redirecthttphandler.cs:225
    Microsoft.Nl.Redirect.RedirectHttpHandler.ProcessRequest(HttpContext context) in c:\data\project\ms-cmo\redirect\redirecthome\redirecthttphandler.cs:158
    System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

    -
    Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.969

    --
    read my .sag
  54. Examples of how weight/balance causes crashes. by reality-bytes · · Score: 3, Interesting

    Weight and Balance is an extremely critical factor for flight safety. Even the largest airliners must have carefully controlled weight-distribution to avoid the CofG going 'out of bounds' during various stages of flight (including different trim and fuel states).

    Some examples from the British AAIB archives:

    12 Jan 1999: Fokker F27-600 crash nr Guernsey.(load moved)

    18 Sep 1996 Boeing 737-4Q8, G-BSNW (Uncommanded roll due to incorrect fuel balance).

    18 June 1972 Trident G-ARPI crash after takeoff at Heathrow (Weight and Balance as a contributory factor).

    --
    Ripping an new rectum in the fabric of spacetime.
  55. Re:American mentality? by Oligonicella · · Score: 2, Insightful

    Disabling emergency systems is *not* a "soft" crime. They have radio, unfortunately radio can't store and retrieve information.

    The worm writer is responsible for damages caused by their disabling any system they target. Just because they target the world doesn't excuse them from the smaller impacts.

    No, the great bulk of slashdotters don't write and distribute malicious code.

  56. Viruses on Linux - can it be done? by The+MESMERIC · · Score: 2, Interesting
    I posted a comment on BBC website - maybe it's bad luck, but they *never* post my comments :(

    Nevertheless some guy wrote this:
    "Anyone that thinks Linux or Apple Macs are invulnerable to viruses and worms really need to wake up and smell the binary. There are just as many flaws in Linux systems as Windows, and there are many Mac based viruses. There are also java-based attacks that can affect many different types of system. The only real answer is to get a firewall and antivirus system, and learn how to use it!"
    Steve Lake, Reading, UK
    My reply to that (unposted) was that it would be very difficult for a worm/virus to propagate under Linux. Specially if all "servers" are switched off. Simply because Linux is the opposite of Windows - there is no homogeneity.
    With Linux we have:
    • Different Kernel versions (2.2,2.4,2.6), patched versions, hardened versions
    • Different commercial and free distributions (Red Hat, Mandrake, Gentoo, Debian, Slackware).
    • Different packaging managers (rpm,apt,yum,portage,or none build from source code)
    • Different set of libraries (XFree w/wo Nvidia acceleration,gcc, all with different versions)
    • Different Window-Managers (none just console,fvwm,FluxBox,Gnome,KDE,Enlightenment)
    • Different mail-client - if we are assuming a mail-enabled virus here - (mutt,pine,sylpheed,evolution,kmail,web browser-clients)
    And that is a small list of the differences between my Linux and someone else's. Soon we might have even different alternatives to X-window itself. Of course most seem to have Mozilla, so some common denominator is emerging. But I think most people don't use the email client (and address book).
    Any biologist would reinstate that if you have a species which is highly homogeneous (and the analogy here is Windows-XP) it is in great danger of being wiped out to extinction by some common plague (worm/viruses). The thing most people hate about Linux - is what protects it from widespread attack (dependencies, lack of homogeneity)

    Linux makes you more security-aware anyway. It endorses/teaches that practice instead of you just setting your (often ineffectual) "Windows-Update" on auto. Ok there is no such thing as a 100% secure system, but there is something at least 10x more secure than Windows: Linux

    For how much longer are you Window users going to put up with all this?
  57. Re:No - the Coast Guards IT department is at fault by CmdrGravy · · Score: 2, Insightful

    To be fair to the coast guard although their computer system was inoperative they did have a perfectly workable backup solution in place which they were able to use to exactly the same end result as they would have achieved using the computers.

    OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for safety critical work. Computers are complex things and can fail for a huge variety of reasons some of which should be preventable ( in this case ) and some which aren't reasonably preventable.

  58. All kinds of stupid interruptions by fsck! · · Score: 3, Informative

    Yesterday at my local Super Stop & Shop grocery store, all 6 of the self-checkout lanes were down, and all of the human checkout lanes were directing people to the service desk, where one poor woman was hand-imprinting who knows how many hundreds of credit card transactions per hour.

    Why?

    Apparently the system that reads my credit card number around four times a week for the past year has been running unpatched and unfirewalled.

    Coool! Thanks, Stop & Shop IT!

  59. personally by stewwy · · Score: 2, Interesting

    As someone who might at some time need the coastguard ( I boat a lot ) I say hang 'em high, both the virus writer and the idiot who didn't patch, and while you're at it, the moron who specced the system.
    It's not the fact that MS is any worse than linux software for bugs etc. BUT it is more at risk from virus attack so, all things being equal, the lower risk strategy is to pick Linux or similar in such a mission critical application.


    A bit off topic, but a week or so ago there was a reality tv prog showing the coastguard/RNLI (RNLI is our volunteer rescue service for those not in the UK ) and some stupid moronic woman was hogging the rescue and calling channel 'for a laugh' these people should be removed from the gene pool too. ****RANT OVER****

  60. Re:People need to be fired by knghtrider · · Score: 3, Informative

    No, they should be fired because they didn't keep up with the patches necessary. All software is 'faulty' and requires patches and updates. For as much hue and cry there is for Unix or Open source software, even these systems need patching from time to time, and some of the software used there has had HUGE problems if it wasn't patched.

    Sendmail anyone?? BIND??? and wasn't there an Apache Chunk Handling Vulnerability a couple of years ago?

    Microsoft software is used heavily in the world, but the problem is that for years, no training existed that *focused* on WHY we patch our software..there was no emphasis on patching. Add to that the fact that with the economy being the way it is, companies are doing more work with less people.

    No one wants to work 12-14 hours a day; least of all sysadmins. We all have our own lives..families...other obligations too. Yet all too frequently, we're expected to patch and update the servers and desktops, the anti-virus software (don't deploy things without testing them first, of course), ancillary software and etc. while keeping up with upgrade projects, daily problems, and keeping on top of technological advances as well. Yet, the boss goes home at 5. We're like residents in a med program--overworked, but unlike them, we never get to stop being that way.

    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  61. Solutions by poptones · · Score: 5, Insightful
    As another poster in this thread so proudly pointed out, there have been seven exploits for Apache in the wild. Is this accurate? I don't keep track of such numbers, but I'll point out that if true this points out exactly what I said: fewer exploits, fewer attacks.

    MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.

    There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrators' salaries.

    I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.

    Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."

    Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.

    1. Re:Solutions by SillyNickName4me · · Score: 2, Insightful
      Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.

      If that is all so easy, and MS is aware of it, why don't they solve the problem by locking it down before selling it?

      The problem is that anyone who is selling a product that is claimed to be internet ready, and didn't properly lock it down, is simply lying, their product is NOT internet ready.

      MS has known this for a decade now, and ignored it. During the same time they tried buying their way into the server market with the low cost administration argument, based on needing lower skilled administrators and it all being made 'easier'.

      Don't get me wrong btw, it is good to make things easier and to try to reduce the cost and time aspects of administration. It is utterly wrong to say you did so, give every impression you did so to the casual viewer, and then turn out to have made things more expensive and time consuming, and also having ensured companies no longer employ people skilled enough to deal with it.

      Its simple, security requires people skilled in securing things. Requirements for the average home user are relatively low, and can often be provided for by standard solutions (door/window locks, alarm systems and so on for physical security of the house, a limited set of security features for the computer) and there exists no level of security that will prevent every possible problem.

      IF MS would stop today with giving the impression that administratign and securing a corporate network or large network of small users (like the average isp) is simple, I'd stop putting that large a part of the blame on them. Of course they'll also need to cange their policy to a disable everything by default unless the user asks for it and has been informed about the security consequences.

      As you sated correctly, not every OSS product is immune from this either, and I'm personally not very fond of smoothwall, or any of the linux based firewall packages for that matter. When I want a firewall I want either OpenBSD's pf or FreeBSD's ipfw2. On top of that, I want NO gui management or remote management of such a firewall product by default, and untill I go delve into the system to change things, no management ever using the outside port. That means no listening services whatsoever, and to get services listening on the outside port should require sufficient knowledge of the system first.

      You make me wonder btw.. WHAT SSL port was left open? SSL is usually used to encrypt/decrypt and sign the traffic for another service such as an HTTP server. I assume in your case there was a webserver with SSL listening on the outside port?

      At any rate, for a home user, get yourself a simple firewall box that simply doesn't do anything more than that, and in most cases it should be enough. It won't listen to the outside world, and it also won't allow too much flexibility that usually just results in messing up stuff.

      If you want the flexibility, go get the knowledge to use it or don't expect security.

      as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself.

      No, it compares to Coca-cola putting vending machines out there of which they know that when not maintaining them for 2 hours/week, they'll blow up on random customers, or spray them with cola, or cause any other random effect.

      I'd understand your comparison if this was a matter of MS making casual mistakes while having a generally healthy design. They don't have a healthy design, and have known so for at least a decade and didn't fix it. You really think Coca-cola would even be in business if they ignored such problems with their products for a decade causing comparable damage?

  62. www.if.se by haeger · · Score: 2, Interesting
    That's another company that was struck by Sasser. Nothing worked for a little over a day there. I wonder if these things are counted in the TCO of owning Windows...

    The company is one of Sweden's largest insurance companies, it's called "IF" and I think I'll change to a company that has their shit more in order.

    .haeger

    --
    You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
  63. Hopefully! by 6Yankee · · Score: 2, Funny

    Somebody needs their ass kicked over this one. Hopefully nobody dies as a result.

    Dude, that would have to be one hell of an ass-kicking...

  64. Gun Companies by MonkeyCookie · · Score: 2, Insightful

    How the gun companies have managed to, ahem, dodge the bullet in this regard so long is beyond me.

    Lots of $$$$$, which buys them plenty of puppet congressmen. Just look at the power of the NRA.