Slashdot Mirror
Sasser Worm Takes Down UK's Coastguard
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.
But here in the U.S., I believe it falls under both 18 USC 1030 and some clause in the Patriot Act.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.
Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.
It's not just Linux that forms a good alternative to Windows. OPenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative. On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software. Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?
OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...
But...
Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).
This kind of fine grained control is what works WELL in debian for example. To update an error in ssh, download it's patch. to update an error in an x library, update that one library. Not bundled in with loads of extra crap
I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.
Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.
As reported on the BBC, this killed their mapping systems, forcing them to revert to the paper maps that they've always used in the past.
No safety critical systems were involved.
Debian: GNU/Linux done the Linux way
With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
Working tech desk during Sasser outbreak is fun lemme tell you. God save microsoft if they actually were responsible for tech support costs during this thing.
:). I've had two people call recently who - literally - just bought a brand new computer from the local best buy, plugged it into the internet and with 5 minutes got either Sasser or Blaster.
I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.
I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now
I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.
This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.
can he be held at least partially responsible for any deaths that occurred during this outage?
That's an interesting point, which my college CS prof demonstrated to good effect. He asked the class one day - "How many of u expect your cars to be engineered such that they will run safely and properly 99.9% of the time?" Everbody's hand's go up. "How many of u think that if there is a life-threatening fault in the car, the engineers responsible for building it should be held accountable?" Everbody's hand goes, up, along with a few grunts of "DUH!". Then the next question: "How many of you feel that if mission-critical software, like the stuff that runs airplanes, fails, the programmers should be held accountable too?" Silence.... granted writing code ain't quite like building a car, but he got his point across. He wanted to bring home the fact that most software comes with the rider that it won't just one-day break. This applies to non-M$ as much as M$, though with a lot less frequency....
My Favourite Meme
How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.
I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!
Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.
While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arrise from a virus/worm infestation.
The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...
The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.
Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...
Basically, I am advocating a bit of responsibility for ones own destiny...
Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault. I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make - I dont think the OS choice is relevent. Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
Like no system except a Microsoft system has ever gone down. The first f---- worm ever written was for Unix, nerds.
I think that there is a difference between going down occasionally and going down every week.
BTW, that is Mr. Nerd to you.
Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
and some clause in the Patriot Act
doesn't everything? seems to me that it get stretched more than a rubber band.
Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.
Oolite: Elite-like game. For Mac, Linux and Windows
It depends on how you look at it:
The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerablity over two weeks ago, per:
MS's Security Bulletin on April 13th (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibilty for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.
It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.
- Mind
The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is: Why were these systems ever connected to the wider world in the first place? Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security. Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet). We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms. Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd. And our company rolls on....
Hook, line and sinker but...
./virus.
According to Wikipedia Elk Cloner was the first virus to be caught "in the wild" i.e. outside of a research lab. It ran on Apple II systems, more than likely because MS-DOS was barely capable of running programs at the time.
Also, lets keep things in context, Sasser can install and execute itself remotely without any user interaction -- there is a big difference between that and booting from a random floppy disk or logging in as root, downloading, chmod +x virus, and executing
No trees were harmed in the posting of this message. However, a great number of electrons were terribly inconvenienced.
From the article:
No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
The danish newspaper Ingeniøren reports that the Sasser virus attack affected the danihs hospital, Herlev Sygehus. The hospital had to cancle scheduled CT-scannings because the scanners crashed. Also MR-scanners were affected, though no scannings were canceled.
"We do actually have a firewall, but aparently it hasn't been updated enough" sais radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR-scanners running Linux had no problems," he sais.
The original story is here (in danish).
It appears that the consequences of the Microsoft monopoly are getting worse. Are there any linux-run hospitals?
Heathrow hasn't been spared yesterday
http://tinyurl.com/3h7fb
If I were a Linux vendor I would be all over BA and other victims pitching my stuff.... I know this is a bit wrong but hey Business is business and I am sure I would get these guys attention FAST!
Artificial intelligence is no match for natural stupidity
You assume that an admin knows everything, and has infinite time on his hands.
In reality, companies have selected Windows after being told that its administration is much easier than for competing systems. Admins only need to know which buttons to click to setup a new system. In-depth knowledge about the underlying principles is often not available, with the excuse that it was supposed to be unneccessary.
In the end, it may be better to install a system that is a bit more difficult to administer, and thus avoid the administration by unqualified personnel.
I work in a small insurance brokers without its own internal IT department, and as token geek I get the job of patching workstations since our external IT support guys can't find their own collective arse with both hands and a map.
/. - I patched twenty odd workstations individually, manually, over two days. (Manually, because our IT experts have set up our system in such a way that the automatic update service doesn't work.)
As soon as the last batch of updates were released - starting about half an hour after I read about the updates on
Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.
Aaagh!
Microsoft has to take part of the responsibility and offer to send consultants out for free to patch and fix the servers.
Or, even better, ship Windows with a piece of software that does that automatically? Oh, wait, they already do that...
It needs to be said again: YOUR COMPUTER IS YOUR RESPONSIBILITY! The patch for this one was available for some time (a month or so). You can't pin this one on Microsoft any more than you can blame the car manufacturer for car breakdown after you missed your scheduled service.
Isn't it about time to start introducing fines for people who propagate worms and viruses? Yes, fines for getting your machine infected. It's illegal to drive a malfunctioning car, why should it be legal to operate a malfunctioning computer? Both are a danger to the public.
Why would it be wrong to promote your product now?
This is the right time to promote it, and the positive aspects compared to the current solution. You will likely have an easier time trying to point out some of the flaws with their current situation.
A solution to this problem has been around for weeks now, yet one or more of these system were left unpatched. So yeah, the virus writer surely bears some responsibility, but then again so does the coast guard. And even if an MS OS did not exist at all and these folks had been running linux, if there were a similar exploit floating around in the wild would the admins who left this door open have fared any better then?
You can't hold MS responsible for the incompetence of the coast guard admins. Yeah, their software had an exploit - but they also had a solution available and it's not like this was any kind of secret. I hate to be this trite, but it's appropo here to remind everyone what "mama" always said: stupid is as stupid does...
Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.
The system effected was one that calculates passenger and cargo weight so it can be distribuited evenly through out the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".
It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is effected.
I really got the impression that the reporter was trying desperately to make this into a dramatic news story whereas the coastguard person was fairly level-headed about it. Even she stated that every employee has a backup laptop that is not connected to the Internet as a contingency plan in just these circumstances. Plus, they can also rely on paper maps if necessary.
Yes, we all know Windows has security holes (just like any other piece of software) and that Microsoft could do a whole lot more to make their software more secure - however, the fact is that using good firewalling and educating users properly is the best way of stopping 99.9% of all known worms and viruses.
Microsoft must take some of the blame but so should the salesmen and IT people for possibly not deploying the right platform in the first place and then, post deployment, not ensuring it's secure.
Gentoo Linux - another day, another USE flag.
If it's not running, it can't be exploited!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.
... one need only peruse their website and their past marketing of Windows, coupled with their slanderous misrepresentations of competitors such as Linux.
I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record
Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.
I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make
I dont think the OS choice is relevent.
Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.
Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.
Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.
The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
The Future of Human Evolution: Autonomy
... are a LOT more responsible about their products as a rule then almost any industry, perhaps airplanes might be the closest, they always recall and repair or replace defective products, and go to some lengths to get the word out to the owners, and it goes beyond 90 days, and beyond the original owner on any defects. I know because I worked in a firearms warranty repair center before and been an enthusiast since I was about as tall as a .22 rifle. It's years and years in some cases with warranties. Many now come with a default "forever" warranty. In fact, they have some of the best warranties and repair/recall efforts in any industry. We would be *lucky* if all products had as good a warranty. Like name a major manufactured mechanical product that comes with a lifetime warranty now. Washing machine? Automobile? Bicycle? Hard drives? Radio? Anything? There might be but I can't think of any off the top of my head, but firearms are treated that way in a lot of cases now, and even in other cases where the warranties expire, recalls are still done if a defect is found.
The big problem is software got a compoletely 100% "free ride" in the beginning, it was allowed to be sold with zero warranties, I guess to get the business off the ground or something. Or maybe... I dunno, can't think of a good reason really. They just slap got away with something no other industry has as far as I know. You can't sell a 1 cent stick of gum without it having actual and implied warranty to it.
This deal was way back when it first really took off (I really need to research this now,it's gonna bug me why they got such a sweet deal), now it's been decades. DECADES. Untold hundreds of billions of dollars in pure profits. Huge numbers of wealthy people and businesses involved with it. It's "mature" now. Time to insist on "profitable" software to have warranties, and hold the manufacturers liable for obvious defects. They have "Get out of any Responsibility" EULAs, but still "enjoy" full ME ME ME IT'S ALL MINE MY PRECIOUSSSS protection "under law" for "Intellectual Property" and make tons of cash, well, that is teh obvious suck now and ayone can see that.
It's one or the other, if the software makers want to treat electronic digits as some sort of extremely valuable commodity product, with PATENTS on it even, which they sell at a very, very good profit, they need some sort of a minimum consumer warranty applied to them, or strip them of their profitability, one or the other. Enough's ENOUGH on the free ride they get. The software industry is "mature" enough to treat those business people as normal adults, same as anyone else in any other industry.
We NEED a class action suit in general against free ride EULAs across the board for for-profit software, and it needs to go to the supreme court and be won.
I am surprised as all get out with all the other litigation that goes on in our society that a set of profitable businesses who have gotten hosed over and over and over again by these obvious defects haven't challenged those EULAs as being absurd and illegal in the first place. Name another industry that would dare to put out such a "contract" for consumers and have it accepted. It's quite absurd, they'd be laughed at, but "software" is now the biggest example of legal "conware" there is.
And YEP, I could care less if it meant that "releases" slowed to a crawl, wouldn't bother me one bit or byte. Consumers want quality, few if any defects, they just been faked out that crapware is "good enough" and the industry as a whole has all colluded to profit off of crap and conware. It's just plain stupid, and ethically wrong. We can see now that software is so "embedded" in our society that you can't really say now that "no one is effected" when defects show up. it can get downright dangerous, and it certainly costs consumers tons of cash to keep fix and repaired stuff that shouldn't be shipped broken in the first place. We need less patches, and more "it don't need to be patched" software
MS has a "windows update" feature. It doesn't take a genius to enable it. Now, granted this feature can cause headaches if you have a large number of systems to update, but you can also perform similar processes under your own control (if you are an admin) and yet this wasn't done. Turn off all those ports? It doesn't take a genius to download the shavlik lockdown tool linked to by MS itself that will "audit" your system and close any unused ports. It also doesn't take a genius to click to e-eye for an external audit.
There are so many ways to fix these systems it's nuts. Yeah, they require a tiny bit of effort - one would think that's why the British taxpayers pay these administrator's salaries.
I'm no shill. I run both windows and linux, although I've been using windows a LOT longer and am, therefore, more able to exploit it. So are a lot of people, which makes it that much more vulnerable. And yet my own linux firewall was hacked one time because... tada... I was running a version of Smoothwall, didn't know the distro or what I was doing, and in the setup config the SSL port was left open and the service running and no explanation was made of the significance of this. As a result my "firewall" was owned within days, zone alarm disabled on one of my (unpatched) windows boxen, and (in short) the entire network became owned. I migrated to IPCOP then reloaded and patched the windows box, just a little wiser and smarter.
Just as so many here are fond of saying "slashdot doesn't have just one mind" I'll remind others who are dumping on MS over this there have been and are plenty of linux distros, and not all of them uniformly secure or stable "out of the box."
Holding the software maker responsible for something like this is as stupid as holding the coca-cola company responsible when some idiot pulls one of their vending machines over onto himself. Would you be so quick to call for heads on a stake if this were a network of Redhat boxes? How about a few dozen Suse desktops? It doesn't matter what OS you are using, problems like this almost always come down to one thing: PEBKAC.