Worms Jack Up the Total Cost of Windows
rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
And when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-OK.
That's just plain sexy.
-- The box said Windows 2000 or better... so I installed Linux
Something that might ease the pain for a network of XP machines is a method to roll out patches, or have machines that were just ghosted check with the domain controller to see if they are allowed to automatically install the patches. Auto-fixing Windows... a man can dream, can't he?
Then the Macs would be on many more corporate desktops. They are far easier to maintain and admin. But businesses are penny-wise and pound-foolish. Admin costs are not necessarily up-front costs, so bottom-line bean counters can justify a purchase from vendor A because of lower initial cost. Also, don't count out the paper-mill MCSEs that influence purchasing decisions.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
The problem with these costs is that they are probably never added into operating expenses. My fiancée's company, a huge conglomerate, got hit with the Sasser worm and basically handed out disks with a virus update on them to manually install. Needless to say, her HR department was idled while they tried to fix all the installs that went poorly. You can probably guarantee that her manager has no way, and probably wouldn't think of, adding that cost into their bottom line.
So can I:
Our lab is in a sad state because of our Windows server and its security patches: patch the server, Oracle breaks / don't patch the server, someone hacks it... So now, while we scramble to find an alternative DB engine, we have to apply/un-apply this patch whenever we want to do any work. Thanks, M$, for wasting our time.
the end
These are some of the large-scale operations that were affected by the worm, some of them frantically preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux or BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT/MR exams because of a fucking Microsoft Worm (TM)?
How much more are we willing to put up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.
Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for half an hour. It seems the default Word behaviour in the custom OEM installs that our IS gets is to NOT autosave for recovery due to "performance issues".
Lower TCO my ass.
I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.
If I go to download Fedora or Debian via ISO images and burn them, I often have a maintained distribution that is very young. Less than a month old.
If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.
I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.
If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.
Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.
I'm about to install SQL 2000 Server on a Windows Server 2003 machine. There is a vulnerability in SQL 2000 Server that allows the machine to be infected with the Slammer worm. Unfortunately I must install SQL and then each of the 3 service packs individually. I'm not safe from the worm until I get to the 3rd SP. My boss suggested that I simply disconnect the WAN connection, but that's really not going to help me much when I'm trying to do this over the Internet via Terminal Services (it's at a well-known colo site). I wish there were a way to slipstream the service packs into the install like you can with XP. Does anyone have suggestions besides "use MySQL"?
Im dreaming ofa big bndwdth, That can resist the
Which is why I love OS X. I was SO annoyed at restarting 6 times patching up XP for my girlfriend's father. With Apple, everything that needs updating is downloaded and installed at once, including "service pack" updates. When they force you to only download a Win Media 9 update and restart without being able to download and install anything else, you know there is something wrong.
"Slashdot, where telling the truth is overrated but lying is insightful."
I'm sure plugging an unpatched XP box in it is easier than finding the viruses myself, no joking, I bet I would have Blaster or Sasser before I managed to find them manually.
Antivirus software can also be compromised by viruses/worms. I will never again buy Norton products after having some kind of virus on my Win2K box that disabled Norton in the background, while making it appear that the antivirus software was working.
This was a year ago. Maybe Norton has finally admitted that their product is vulnerable and has supplied fixes. At that time, there was no fix or admission of a problem.
Dunno about any Linux ones, but currently the only real reason to run a virus scanner on the Mac is essentially as a courtesy to Windows users you may send files to, so you don't pass on anything that's infected.
Most of the a/v software firms who sell Mac products will grudgingly admit as much, except for (judging by their Chicken Little-esque press release) Intego.
Differing discussions on whether patches really do break Windows.
In my case, working with 10,000+/- clients, I have seen this on repeated occasions.
Various MS patches would break the following:
Novell client on 2k/XP (but not 98/95)
Some third party business-specific applications (stat software, database, etc.)
Video drivers (easily fixed, but still)
In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)
Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)
On the other hand, patching immediately can lead to loss of productivity
On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.
On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.
I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.
So rise up, all ye lost ones, as one, we'll claw the clouds.
The reason so many viruses exist for XP has more to do with the fact that XP still uses code that was vulnerable in 98 in some spots and that it's just too damn easy to exploit. Make something hard and only diehard script kiddies will take the time to hack it; right now any Jack or Jane punk 11-year-old can pretend to be a "hacker" and send out a virus, usually variants of the same virus.
But truth be told, I quite enjoy your idea of a more mixed OS base. The problem is programmers HATE it, which is why you have more code written for Microsoft and less for Linux or OS X.
Any AV software is vulnerable to being "disabled." Newer worms and virus exploits simply kill these AV processes. For example, the KILL.EXE command was included with the Windows NT 4.0 Resource Kit and from that version on it works like a champ. Simply issue that command with the -f switch to force the processes to terminate. Gives you an idea of what the malware does.
There typically are dozens of EXE process names that are terminated so that the AV software is inactive from that point on during the same session when a host is infected. How, pray tell, can a fix be issued for this from an AV vendor?
This simply points to the fact that the initial line of defense is a hardware-based Internet firewall and an OS that has all of the latest security patches. By the time that you have to worry about AV software definitions you are already past that initial line of defense.
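The post above describes worms that stop dozens of security processes at once, which is something a defender can look for. The following is an added example (not code from the thread) that flags terminations of watched security processes by untrusted parents and raises a "mass kill" alert when several die within a few seconds. The process names, the trusted-parent list and the event line format are constructed assumptions; kill.exe is the tool named in the post.

```python
"""Flag security-process terminations that look like AV tampering.

Event lines are constructed for this example in the shape
"epoch pid process_name parent_name" (an assumption; a real source would be
an EDR, sysmon or audit log and the parser would be adapted to it).
"""

# Watch list of security-product process names. Illustrative names only,
# not taken from any vendor's real product.
SECURITY_PROCESSES = {"av_monitor.exe", "av_scan.exe", "av_shield.exe",
                      "fw_agent.exe"}

# Parents allowed to stop those processes, e.g. the service control manager
# or the product's own updater. Assumed for this example.
TRUSTED_PARENTS = {"services.exe", "av_update.exe"}

# Constructed sample: one legitimate stop, one unrelated exit, then a burst
# of security processes killed by kill.exe within two seconds.
SAMPLE_EVENTS = """\
1084000000 412 av_monitor.exe services.exe
1084000300 920 notepad.exe explorer.exe
1084000301 1500 av_scan.exe kill.exe
1084000301 1504 av_shield.exe kill.exe
1084000302 1600 fw_agent.exe kill.exe
1084000302 1620 av_monitor.exe kill.exe
"""


def parse_events(text):
    """Parse 'epoch pid name parent' lines into dicts; names lower-cased."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, name, parent = line.split()
        events.append({"ts": int(ts), "pid": int(pid),
                       "name": name.lower(), "parent": parent.lower()})
    return events


def find_tampering(events, window=5, threshold=2):
    """Return alert tuples.

    ('untrusted_kill', name, parent, ts) for every watched process stopped by
    a parent outside TRUSTED_PARENTS, and one ('mass_kill', count, start_ts)
    if at least `threshold` such kills fall inside `window` seconds (the
    largest burst is reported).
    """
    alerts = []
    suspicious = []
    for e in events:
        if e["name"] in SECURITY_PROCESSES and e["parent"] not in TRUSTED_PARENTS:
            alerts.append(("untrusted_kill", e["name"], e["parent"], e["ts"]))
            suspicious.append(e)

    # Sliding window over the suspicious kills, sorted by time.
    suspicious.sort(key=lambda e: e["ts"])
    best, best_start, start = 0, None, 0
    for end, e in enumerate(suspicious):
        while e["ts"] - suspicious[start]["ts"] > window:
            start += 1
        n = end - start + 1
        if n > best:
            best, best_start = n, suspicious[start]["ts"]
    if best >= threshold:
        alerts.append(("mass_kill", best, best_start))
    return alerts


if __name__ == "__main__":
    for alert in find_tampering(parse_events(SAMPLE_EVENTS)):
        print(alert)
```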
I'm not sure if this is old news, or even if I'm just stating the obvious, but I worked out a way to delay the Sasser countdown when it starts.
Once the 60 second countdown starts just open the date and time properties page and roll back the date a month or two and click apply - sorted - you now have 30-60 days before the machine reboots - plenty of time to download the patches, even on a modem.
Or at least permitted..
Think about it: if the TCO of current Windows versions (and related apps) is skyrocketing, it gives more weight to the "you need to upgrade to Longhorn" speech we will start hearing in another 3 or 4 years..
Since they can't sell you on so-called new features that are irrelevant, this might be a successful alternative tactic..
Just a thought.....
---- Booth was a patriot ----
Microsoft has priced themselves out of the market.
And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.
Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.
Now, I know I'm gonna get a lot of flack from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.
The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
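The post cites estimates that half of some companies' Internet traffic was to or from Windows Update. The following is an added example (not code from the thread) that measures that share from a proxy access log, attributing bytes to update hosts with a label-aligned domain match so that a look-alike such as notwindowsupdate.com is not counted. The log line format, the domain list and the sample lines are constructed assumptions.

```python
"""Estimate what share of proxied web traffic goes to Windows Update.

Log lines are constructed in a simplified "epoch client bytes method host"
shape (an assumption; adapt parse_log to your proxy's real access log).
"""
from collections import defaultdict

# Domains attributed to the update service. Assumed list for this example;
# check it against the hosts your own proxy actually records.
UPDATE_DOMAINS = ("windowsupdate.com", "windowsupdate.microsoft.com",
                  "update.microsoft.com")

# Constructed sample log. The notwindowsupdate.com line exists only to show
# that a naive endswith("windowsupdate.com") check would misattribute it.
SAMPLE_LOG = """\
1084200000 10.0.1.15 512000 GET download.windowsupdate.com
1084200002 10.0.1.16 1024 GET www.example.org
1084200005 10.0.1.15 20480 GET v4.windowsupdate.microsoft.com
1084200007 10.0.1.17 300000 GET update.microsoft.com
1084200009 10.0.1.16 4096 GET notwindowsupdate.com
1084200011 10.0.1.18 188000 GET www.example.net
"""


def is_update_host(host):
    """True if host equals an update domain or is a subdomain of one.

    The match is aligned on a dot so 'notwindowsupdate.com' is rejected
    while 'download.windowsupdate.com' is accepted.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS)


def parse_log(text):
    """Yield (client, bytes, host) from 'epoch client bytes method host'."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, size, _method, host = line.split()
        yield client, int(size), host


def traffic_share(text):
    """Aggregate bytes to update hosts versus all hosts, overall and per client."""
    total = 0
    update = 0
    per_client = defaultdict(int)
    for client, size, host in parse_log(text):
        total += size
        if is_update_host(host):
            update += size
            per_client[client] += size
    share = update / total if total else 0.0
    return {"update_bytes": update, "total_bytes": total,
            "share": share, "per_client": dict(per_client)}


if __name__ == "__main__":
    r = traffic_share(SAMPLE_LOG)
    print(f"update traffic: {r['update_bytes']} of {r['total_bytes']} bytes "
          f"({r['share']:.1%})")
    for client, size in sorted(r["per_client"].items(), key=lambda kv: -kv[1]):
        print(f"  {client}: {size} bytes")
```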
Yes, there are plenty in the Linux world. But chances are, the Linux administrator is going to do some forward thinking in that regard. I hate to say it, but a fair majority of the MCSE's I've encountered are booksmart, but don't take necessary precautions. They took the course, and are now riding by on a fat Windows admin salary, and unwilling and unable to properly lock down a machine.
- oZ
// i am here.
Virus authors have nothing to worry about from this security group.
Some excerpts:
-
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a more secure out-of-the-box state for several years, depending on product release cycles.
...
In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...
In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.
Whose side are these guys on?
I am starting to believe that there is such a thing as virus season. Often these big worms come out around summer. I guess it is because kids are out of school and have nothing better to do.
The war with islam is a war on the beast
The war on terror is a war for peace
Since "Stevey-boy" testified that IE was too tightly tied to the OS to be removed. This was reinforced to me when my file-browser began to display the "yahoo toolbar" that my wife had installed in IE.
In a defensive move I am thinking about redirecting the IE shortcut icon to Mozilla, but I'm not sure if this is even possible. Meanwhile I'm glad that we had both a software firewall running on the WinXP machine and a hardware router running Linux(tm) between us and the mean old Internet.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Why don't we all migrate over to the Mac OS-X and OpenBSD? Linux as well. (Oh - I forgot - Lawyers at SCO may be knocking at your door). Sure, people are clueless on how to best make use of some systems, but that's OK, there are plenty of /. ers who can probably use a little contracting work (if there are any jobs left after they all went to India). It would help the job situation, although it would be painful at first for the person doing the "migration", it would be better all around.
I'm dealing with fed-up customers all the time, getting frustrated by having to patch so often, but they ARE wising up and starting to take the plunge.
To make it less painful, I find it much easier to set up a parallel system, keeping the older WinBlows systems operational, while slowly putting together their servers and workstations under either Linux or Macs, and using OpenBSD for all the server-related work.
It means MORE JOBS here, especially for us Open Source aficionados.
We've completed a few such "Migrations", and our clients are happy campers now. Of course we still find a need to deploy security patches, but they are much less frequent, and now becoming a lot more painless.
Hey man - don't shoot the messenger - it's just an idea, and we only have to convince the corporate Phat cats that perhaps M$ may NOT be the solution to all the world's problems.
When you get that window warning you that the computer will reboot in 59 seconds, you can just type "shutdown -a" in the run prompt and it will cancel the auto-reboot. We had to do this for all the computers at my school while they were patching. (Our IT guys are total morons, they left all 6 of our web servers unprotected on the internet, and all but 1 of them runs Windows Server 2003).
I've heard that in early versions of 2000/XP there's a window during bootup where your TCP/IP stack is active, some services have started, and the firewall is still inactive.
Under these circumstances, a box could be wormed before the firewall comes up. However, this was something I heard in a Slashdot comment, so I can't comment on its validity.
Anyone have any information?
But the newer or newest distributions generally have most things turned off by default now. And if you want to turn these services on, you are warned by the install program. It's a misconception that default installs are insecure now.
<subversive mode>Create Linux "loaner" systems, when they get taken down by the next worm, give them the loaner as a temporary stop gap while you decontaminate and update their system (i.e. wipe the OS, reinstall and apply updates). Then take back the loaner when you deliver the fixed system. </subversive mode> ;-)
You do realize that you don't need to stay logged in as root, right? The "su" or "sudo" commands, similar to MS Win32's "runas" command, are available to users (unless you apply additional security by limiting access via access and ownership permissions) so that they do not run as root. Unlike MS Win32 though, just about any process (actually can't think of any that wouldn't) can be run using "su" or "sudo" while logged in with your regular user account. If you need to display a GUI, simply add the "xhost +" (or a more limited argument to the "xhost" command) and you're set.
The concept of running as a privileged account by default seems to be based on MS Win32 practices. Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary. I do think though that users converting from MS Win32 will likely continue that bad habit, but it's not a fault of the OS, just years of a limited OS.
You will need about 1/5 the manpower windoze requires to maintain any flavor of Unix. You can mix and match the flavors without adding too much to your costs.
What you do with the manpower is up to you, but you can save money any way you slice it. You can shitcan your people and have an improved level of performance for much less money. You can keep them on, without overtime, and have much better performance and custom applications and still spend less money.
The above applies regardless of how large or small your company is. You can get more out of your single computer expert, employee or consultant, for the same money with free software or commercial Unix. At the other end of the extreme, Google has shown the world all about free goodness. The results are the same between the extremes, though it is difficult for me to say where the sweet spot is. You will always spend more money, one way or another, with M$ crap.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Counterexample: MacOS X
Normal users aren't admins, but can have sudo access. When some installation requires elevated privileges, the user is presented with a dialog box for typing their password. It's considerably more convenient than having to log in as root, but doesn't let malicious code run at an elevated privilege level without the user knowing it.
That was one of the most insightful things I've seen here in a long time.
Anyways, I just loaded SUSE Linux onto my machine, and with the exception of a few quirks getting it set up, I'm pretty satisfied with the experience. I know that the process of installing new programs needs to be smoothed out a lot before the masses would want to use this, but the only time I ever miss Windows is when I want to run a Windows-only program. I never could get Half-Life to play with WINE. Actually, I'm pretty disgusted with new games in general (see my journal); I've been playing with ZSNES.
But really, I guess my point is that MS software is a stinking pile of ---- and I hope that the day comes soon that people will see through their smoke and mirrors, that they charge a high price and manipulate the market with crappy software. Heck, I even got my grandmother using Mozilla; and I'm sure she doesn't miss pop-up ads one bit. All these worms, with the patches that require a reboot every time, are just one more reason to move away from Windows.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
Windows XP can be just as locked down as Linux. In our environment WinXP is locked down: secretaries and other employees cannot install programs, and if they need or want one installed they have to get approval and I sign in as admin and install the program. Hell, I don't even sign in as an admin for everyday use; I have my own limited account for daily productivity work. I make sure all my machines are up2date and I have never gotten infected with a virus or worm or trojan, and we handle a lot of clients and customers and are publicly visited. I'm not saying we are unhackable, but I am very, very paranoid when setting up security, and a lot of my colleagues love it when I pass on information.
Universities often have fat pipes and don't have "closed by default" firewalls. Even if they have the "Windows ports" closed at the Internet borders, there's bound to be other ways in at which point, with a fast worm, it's all over.
"Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary."
It's not necessary with Windows either. The "run as" command has no problems running installers or other graphical applications.
Heck, I've installed service packs fine using "run as".
Not to mention the fact that you can set Windows Installer to automatically request administrator privileges.
Why is this any different from Linux?
When I was young and foolish, I bought MS Frontpage. I also have two computers running Windows XP (thinking of switching one to Mandrake, if I can manage it). Microsoft has refused to let me reinstall both Frontpage and their OS because they said I "reinstalled it too many times already."
I bought and paid for the crappy program, and now I can't even install it on my computer?
I'd like to see a few more lemon laws on software if they want to start treating IP as real property.
Heck, I'd like to see imported IP properly subject to tariffs as well, thanks. I mean, if it is actually property and all...
You can't have it both ways.
___
It's the end of my comment as I know it and I feel fine.
The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this.
Oh, yes. Unlike on Windows where you have even finer control over filesystem access and so clearly have no way whatsoever to do this.
Ever heard of ACLs? Restricted user accounts? In a corporate environment, Windows can be VERY secure. Why it isn't, I can't say. Probably unclueful policy. It's not like you have to worry about The Sims needing administrative access to run.
Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows).
Active Directory? I have never used AD, and yet I have a machine in the other room that you can run these email viruses on all you like and they're gone after a reboot. NT, 2000, and XP Pro all have powerful filesystem security built in to them. But sure, if you're using XP Home or Win9x in a corporate environment then you're screwed.
Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
This is a ridiculous argument. If one tool in your toolchain has a flaw in it, the whole chain is affected. If, somehow, there was a bug in tail that needed patching, everything using tail would be affected.
MSHTML is a perfect example of the toolbox approach. Sure, everything is affected if it needs patching, but everything is fixed if you patch MSHTML.
Never mind that the situation is even closer if you need to patch zlib or glibc...
1. In 1999 I worked at a company with 30,000 workstations. The second year in a row they spent nearly $1 million fixing up machines after virus/worm attacks, they 'banned' outlook express in favor of Eudora, though most people continued using OE anyway. (Said cost did not include lost time.)
2. IIRC a couple of years ago one of the Big five accounting firms, the only all-MS shop among the five, was shut down completely for several days due to NIMDA (?) Assuming $1 billion/year gross revenues, three lost days amounts to $120 million loss - or at least deferred, or packed into later overtime, etc. This is a back-of-napkin estimate, but still indicative of the potential costs.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
of course, that is not the best example, because X is often a suid binary...
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?