Worms Jack Up the Total Cost of Windows
rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
I'm switching back to the Commodore 64.
The TCO for Windows for the vast majority of slashdotters however is still steady and holding at "free".
;-)
I keed, I keed!
Quidquid latine dictum sit, altum viditur
I work at a computer science department, and I'm currently compiling a CD of patches that people have to install before they get on the internet. Right now, the number of patches is nearing 30.
Ahem. This is -1, Redundant. No shit viruses/worms raise TCO. This is the case for ANY operating system, not just windows. Of course, the homogenous nature of Windows makes it a lot easier for worms to affect machines in a wide range. But we'd still need to take precautions with any system in use.
This is news? This wasn't included in TCO estimates before? (Actually, that would be news, but not the kind I'd want blasted out to the world about me!). Seriously, how can "common maintenance" NOT be included in a TCO estimate? Isn't that the major ongoing part of TCO? Geez....
The cesspool just got a check and balance.
And when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-ok.
That's just plain sexy.
-- The box said Windows 2000 or better... so I installed Linux
I thought dealing with these Windows consistencies saved money!
;-)
It's nice to know that it took an industry analyst to tell us this.
I wonder if the cost of antivirus subscriptions has traditionally been included in the TCO studies out there comparing Windows and Linux. Somehow I bet not.
At some point somebody (Windows apologist or not) is going to point to Longhorn as the solution to security problems. Is there hard data on whether or not worms have been increasing or decreasing (in frequency and effects) the past couple of years?
We know what problems they've caused and how the media's gone nuts over each virus, making things seem bigger and bigger. But some old viruses were much nastier, and I sure don't hear about those types of infections anymore.
-Rob
Marriage doesn't have to suck!
Not anymore...
http://www.internetnews.com/article.php/3317211
(It's a link to the story about Microsoft including antivirus software in Windows XP Service Pack 2.)
Most people rarely patch their computers until something happens. (Me being one of them) It's something that people really need to be aware of. Prevention is the key.
Like my Pappy says..."Never bitch about the guy who signs your paycheck."
Lately about 1/3 of my job consists of dealing with Windows vulnerabilities. And there are four other full-time staffers here with the same job description. We're not especially well paid, but that sure adds up. And when you add in the downtime of the people whose computers we're fixing...
http://alternatives.rzero.com/
Actually, Just install the latest service pack and then install Autopatcher. It has all the updates, hotfixes, and some cool extras all rolled into one scripted install so you can just start the install and walk away. I've used it and I can say that it makes life a million times easier.
There are versions for 9x all the way up to XP. You could fit everything onto one cd, and if you wanted you could even script that install. Thanks Autopatcher guys!
Quidquid latine dictum sit, altum viditur
Scientists confirmed today that water is indeed wet, Abraham Lincoln is dead, and the earth is round.
Well.. maybe. Or Maybe not. But Definitely not sort of.
What makes Linux and its software (generally) more secure is the design and the security consciousness of its developers.
We all know that Linux's TCO is often lower than Windows' but one shouldn't count on the absence of worms.
then the macs would be on many more corporate desktops. they are far easier to maintain and admin. but, businesses are pennywise and pound foolish. admin costs are not necessarily up front costs. so, bottom line bean counters can justify purchase from vendor A because of lower initial cost. also, don't count out the paper mill MCSE's that influence purchasing decisions.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
This in itself is not taken to justify big changes. Like high linux retraining costs (for corporations) or living with an unsupported and hard to interoperate computer (for households).
The problem with these costs is that they are probably never added into operating expenses. My fiance's company, a huge conglomerate, got hit with the Sasser worm and basically handed out disks with a virus update on them to manually install. Needless to say her HR department was idled while they tried to fix all the installs that went poorly. You can probably guarantee that her manager has no way, and probably wouldn't think of, adding that cost into their bottom line.
heh. If you want to see the TCO for something increase dramatically, all you have to do is provide support for it over a long enough span of time that people feel comfortable in ceasing to learn.
:(
Perhaps one of the reasons that Linux has an inherently low TCO is because the users who have installed it, configured it, compiled it and made it run on their toaster have taken the time to read the docs. They're familiar with the hardware, the apps they run, the OS under the apps they run, and voilà -- things run nicely.
But in the Windows world? Everybody has a support line to call for absolutely everything. Almost every product offered has some form or another of support to it, to an extent that the people who are using these systems no longer have to use any mindshare whatsoever to get their stuff working. At your place of business a PC tech is waiting to coddle you. At your home you can call your ISP, call your PC vendor, call your OS manufacturer, call your application developer, call everybody in order to figure out what's wrong with the system. The suggestions they give you to fix it may seem arcane and strange, but if you follow them assiduously you have a 30 to 40% chance of getting things working... and if it doesn't work out, you can always call back 'til you get ahold of someone who really knows what's going on.
Small wonder the TCO is so incredible. I can understand that worms have an impact on this number - hell, I've logged plenty of overtime hours securing machines against the latest potential threat (the Army is rather proactive in locking things down against exploitation - with good reason). I've spent countless nights securing our systems against worms that use ports that are not open on our firewall. I've spent hours updating virus signatures and restoring systems lost because a user thought it was a fine idea to open up an encrypted zip file they received from someone they didn't know. I've spent many a fine weekend and holiday at work restoring people's email because they deleted without consideration for the fact that bringing it back takes serious time.
My site would have far lower TCO if the users exercised a small, trifling fraction of their potential intelligence. Am I overestimating the abilities of the average human, here?
sigh... *Lots* of things go into TCO. My overtime, paid to fix these kinds of problems, is a significant part of it at the site I work for. End of rant.
apt does the job alright.
Black holes were created when god tried to divide by zero
I know it isn't perfect, and I shouldn't even have to pay for a server to keep our MS stuff up-to-date, but it has saved us tons of time and hasn't given us any problems yet. Maybe we are an exception.
I struggled for days and days and all I got was this lousy sig.
What will these analysts discover next?
I've been hearing rumors that MS products cost more than the open source alternatives too. But it's just a rumor...
"Fate favors the bold"
...from his SNL Weekend Update days:
"This, and many other fine articles are available in the current issue of Duh! magazine."
These are some of the large-scale operations that were affected by the worm, some of the frantic preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux or BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT / MR exams because of a fucking Microsoft Worm (TM)?
How much more are we willing to put up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.
Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for one half hour. It seems the default Word behaviour in custom OEM installs that our IS get is to NOT autosave for recovery due to "performance issues".
Lower TCO my ass.
If Mac OSX were the dominant OS, then worms would be predominantly written for it, and would drive up its TCO. If Linux were the dominant OS, then worms would be predominantly written for it, and would drive up its TCO. Etc., etc. Sure, OSX or Linux or [insert pet OS here] would be tougher to exploit, but that wouldn't mean much in the long run against people dedicated to making mischief. The fact that Windows' codebase is such a piece of Swiss cheese makes it particularly worm-prone, but the main problem it has with worms and viruses is due to Windows being the monoculture, and not due to Windows' shortcomings as an OS. So maybe the point is, everyone wins if there is less monoculture, and more heteroculture, in the mix of OSes in general use.
First they say you shouldn't use Linux. Now, they don't want us using Windows 'cuz of worms. Tell me, Gartner, what should I do? Oh, that's right, you don't ever do anything. You just make stupid recommendations.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
It only raises your TCO if you connect a Windows computer to a network.
I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.
If I go to download Fedora or Debian via ISO images, and burn them, I often have a maintained distribution that is very young. Less than a month old.
If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.
I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.
If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.
Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.
Sounds like they are trying to make yet more arguments against disclosure of problems. Either that, or an indirect comment on why proprietary systems could be better, if disclosure of problems were not allowed.
"The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely,"...
We all knew these attacks were likely. Did their timing have something to do with the disclosure? Possibly. Would they have happened without the disclosure? Yes, I think they would have.
The root of the problem, in this case, lies squarely with Microsoft, and the various design decisions they made implementing their OS and other products.
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
Seriously, though, it's good that stuff like that surfaces on PHB-radar range. Maybe somebody will ask things like "So why should *I* be taking all these measures because *your* software is buggy?" the next time the M$ rep comes in, hawking the latest and greatest from Redmond.
There are also a lot of secondary costs to windows worms as well. Increased network traffic affects those that do not even use windows (or those who are careful). Also, if a windows worm brings down a banking system, there is a cost again to innocent people who may not even use windows. Or for instance, if a supplier for a business goes down, then the business itself is adversely affected.
Windows worms (and malware in general) do not just adversely affect windows users, they have the potential to harm society in general (though I don't agree with the figures that some of these anti-virus people put out, they are just looking for sensationalism to sell their products)
Windows worms are everyone's problem, do your part to stop them!
It's interesting that they say it is the worms that cause extra work rather than the security holes. After all, if the security holes weren't there then the worms wouldn't work.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
This is all well and good, but the PHBs still need to be made aware of the ramifications of their addiction to 'doze in the simplest terms possible. I've been trying to migrate some of my clients off of 'doze for months now and it's a slow painstaking process as they stop me every step of the way and ask why they need to give up their outlook, or their "really easy integration with their iPaq". So, I'm stuck doing part time admin on windowboxen.
I'm not there often enough to make sure they patch their systems every time they should (they don't want to shell out the cash for a full-time IT guy) So the best I can do is email them the reports I get from eEye and bugtraq and just send an all points to patch and hope they do. (They don't of course, I just spent the last four hours rooting out the crap on a machine that hadn't been updated since mid March.) There needs to be maybe a "Windows Patching for Dummies" or something that will get the point across to these guys that the price of a secure 'doze box is eternal vigilance.
But hey, if they want to shell out the extra cash for my emergency services and the lost productivity incurred, who am I to argue?
Mod me down and I will become more powerful than you can possibly imagine...
Unfortunately, this is not true. Although maintenance cost might be the largest cost for Windoze, it does not appear on the price tag. There will be many uninformed people who will buy Windoze without taking into account the hidden costs.
BTW, are upgrade costs included in the estimates?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Actually, Just install the latest service pack
This costs money for a CD from Microsoft. If the user tries to download the service pack instead of buying the CD, the user will probably get hit with Blaster or Sasser while trying to download the service pack itself, as the size of the service pack exceeds what a dial-up user can download within the time it takes for Blaster or Sasser to shut down the computer.
There are versions for 9x all the way up to XP.
Really? I read from here: "AutoPatcher 2000 is still being worked on."
LSASS is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server (in technical jargon : it generates the process that is responsible for authenticating users for the Winlogon service). There is also another worm that affects this service. If the full path to this program is not C:\WinNT\System32\LSASS.exe (Windows 2000) or C:\Windows\System32\LSASS.exe (Windows XP, 2003), then you have the W32.Nimos.Worm virus or some other virus.
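The path check described in the comment above, written out as an added example that is not part of the original thread: it takes process name and image-path pairs, as any process listing would supply them, and flags an `lsass.exe` that does not run from one of the two System32 locations the comment names. The sample records, the reason labels and the look-alike-name check are constructed for illustration and go slightly beyond what the comment states.

```python
"""Flag processes that claim to be lsass.exe but do not run from System32."""
import ntpath

# The two locations named in the comment (Windows 2000, and XP/2003).
# Assumption: a real audit would derive this from %SystemRoot% instead.
EXPECTED_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
TARGET = "lsass.exe"


def within_one_edit(a, b):
    """True if a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter (or equal) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1                           # skip the common prefix
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]    # one substituted character
    return a[i:] == b[i + 1:]            # one extra character in b


def check_process(name, path):
    """Return a reason string if the process looks suspicious, else None."""
    name = name.lower()
    if within_one_edit(name, TARGET):
        return "lookalike-name"          # e.g. lsasss.exe, isass.exe
    if name != TARGET:
        return None                      # unrelated process
    if not path:
        return "path-unavailable"        # listing lacked rights to read the path
    # Windows paths are case-insensitive and accept "/"; normpath collapses "..".
    folder = ntpath.dirname(ntpath.normcase(ntpath.normpath(path)))
    return None if folder in EXPECTED_DIRS else "wrong-path"


def audit(records):
    """records: iterable of dicts with pid, name, path. Returns [(pid, reason)]."""
    findings = []
    for rec in records:
        reason = check_process(rec["name"], rec.get("path"))
        if reason:
            findings.append((rec["pid"], reason))
    return findings


# Constructed sample listing (not real data).
SAMPLE = [
    {"pid": 4, "name": "System", "path": ""},
    {"pid": 612, "name": "lsass.exe", "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 1840, "name": "lsass.exe", "path": r"C:\WINDOWS\lsass.exe"},
    {"pid": 2012, "name": "LSASS.EXE", "path": "C:/Windows/System32/../Temp/lsass.exe"},
    {"pid": 2200, "name": "lsasss.exe", "path": r"C:\WINDOWS\system32\lsasss.exe"},
    {"pid": 2300, "name": "lsass.exe", "path": None},
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE):
        print(pid, reason)
```

A clean result only says the name and path match; a "path-unavailable" finding means the listing should be repeated with enough privilege to read the image path.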
Dunno about any Linux ones, but currently the only real reason to run a virus scanner on the Mac is essentially as a courtesy to Windows users you may send files to, so you don't pass on anything that's infected.
Most of the a/v software firms who sell Mac products will grudgingly admit as much, except for (judging by their Chicken Little-esque press release) Intego.
Differing discussions on if patches really do break Windows.
In my case, working with 10,000+/- clients, I have seen this on repeated occasions.
Various MS patches would break the following:
Novell client on 2k/XP (but not 98/95)
Some third party business-specific applications (stat software, database, etc.)
Video drivers (easily fixed, but still)
In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)
Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)
On the other hand, patching immediately can lead to loss of productivity
On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.
On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.
I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Of course it is true that owning and operating a Windows computer costs more because of the need to keep current with patches, to test them and to apply them in a timely manner. Every sysadmin knows this even if their cost-conscious boss doesn't see this big picture.
But, to be fair [and I'm no MS apologist - they need to be taken to task all over the place for lots of reasons], even if you run a MacOS X, Linux or even an OpenBSD system, there are implicit costs associated with maintaining those systems, too.
Since the software cost for FOSS is zero, the single most important cost is this installation and maintenance. As such, it ought to be quantified.
The advantage of doing this is that these kinds of costs are no longer swept under the rug and people can start asking more detailed questions about Windows maintenance costs in terms of sysadmin time- not just estimated costs of downtime on the business.
Then maybe, too, people will start to ask questions about what kinds of implicit future costs they incurred via early decisions to use some vendor's application that locks their valuable business data inside a proprietary format.
"Provided by the management for your protection."
Doesn't the O in TCO stand for Ownership? What exactly do you own with Microsoft products? Aren't you really just Licensing them?
My beliefs do not require that you agree with them.
Why are there more viruses that target IIS than Apache, when Apache is the leading web server then? Until there is a different leading OS than Windows and it is more frequently the target of attack, your comment is nothing but speculation.
This is my sig, there are many like it, but this one is mine...
worms/viruses are currently Windows-only problems.
Emphasis on the "currently." Has everybody forgotten the Sadmind worm, which spread among servers running Solaris OS and defaced web servers running Windows OS and Solaris OS?
I'm not sure if this is old news, or even if I'm just stating the obvious, but I worked out a way to delay the Sasser countdown when it starts.
Once the 60 second countdown starts just open the date and time properties page and roll back the date a month or two and click apply - sorted - you now have 30-60 days before the machine reboots - plenty of time to download the patches, even on a modem.
So SP2 is going to include a Microsoft add-on that monitors third-party add-ons that monitor the Microsoft OS.
Who said these guys didn't know how to design an OS?
Or at least permitted..
Think about it, if the TCO of current windows versions ( and related apps ) are skyrocketing, it gives more weight to the 'you need to upgrade to longhorn' speech we will start hearing in another 3 or 4 years..
Since they can't sell you on so-called new features that are irrelevant, then this might be a successful alternative tactic..
Just a thought.....
---- Booth was a patriot ----
I see one bad thing and two good things here...anyone else with me? I mean, shouldn't we work our best to keep our environments 1) current and 2) as secure as we can afford to?
The patches and the closed-sourcedness are, however, a PITA.
As far as TCO goes, I see the same people just working more salaried hours to fix issues arising from bugs, etc. And they haven't had to have the admittedly more extensive training behind running a *nix environment.
and many wonder why jobs are all going overseas. Lazy admins that don't do squat all day, they can't even install patches. Microsoft never cared about security, it seems system admins never did either. Every time a new virus comes out they run around like beheaded chickens watching their house of cards fall down.
This isn't just a windows problem, it is an admin problem. There are tons and I mean tons of hacked unix boxes that script kiddies use for distributing warez etc because they are connected to huge bandwidth pipes.
did you forget to take your meds?
You could just install an SUS server, point all your clients at it and enable auto-update. Test the patches, put on SUS, play golf.
It's things like this that make me wonder if the "TCO of Windows" is more likely the "TCO of having highly unqualified people working in your IT department who know how to spell XP, but nothing more than that". If you have idiots running your network, you're paying to throw money out the window (no pun intended).
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Microsoft has priced themselves out of the market.
And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.
Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.
Now, I know I'm gonna get a lot of flak from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.
The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
Virus authors have nothing to worry about from this security group.
Some excerpts:
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a more secure out-of-the-box state for several years, depending on product release cycles.
...
Whose side are these guys on?
In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...
In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.
They did.
They got sued.
They don't anymore.
IIRC, it was MS-DOS 6 that included MSAV, their antivirus program -- as well as a couple other technologies that they stol^H^H^H^Hinnovated, such as the first go-round of their disk compression software (DiskSpace? DriveSpace? I can never remember which is which). It wasn't until about 6.22 that the offending technologies were stripped out.
However, with their recent invulnerability to litigation (by the Justice Department, even!), I 'spect they're prolly ballsy enough to try again.
Predicting that multiple recently announced security flaws in windows will be exploited is like predicting the sun won't explode tomorrow.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
I am starting to believe that there is such a thing as virus season. Often these big worms come out around summer. I guess it is because kids are out of school and have nothing better to do.
The war with islam is a war on the beast
The war on terror is a war for peace
Windows XP Pro for 200 systems: $30,000
Anti-Virus Software for Windows XP corporate: $7000
The billing rate for 10 contractors to come out and clean your systems: 700$/hour
Seeing the face of your CEO when you tell him linux is free: Priceless
There are some things money is wasted on, for everything else there is linux.
Upgrading IE is a complex process that upgrades most of your major libraries with it. The actual IE executable is quite small but is linked against several crucial libs, which are all available to (and used by) the most of the rest of userland.
All's true that is mistrusted
If OS X were the dominant OS, there would be zero worms wreaking this kind of havoc.
A default OS X installation has exactly zero ports listening for connections, and the root account is disabled. Even administrator-level accounts must authenticate before making any changes of significance to the system. These factors make it nearly impossible for a worm to spread on OS X machines like a Blaster, Sasser, or Slammer can on Windows machines.
Marketshare has nothing to do with the security of an OS. There are way more Apache-based web servers than IIS-based, but IIS gets pwned much more often than Apache.
If you consider worms and virii as "free software that downloads itself off the internet" then the TCO for Windows goes down!
I Am My Own Worst Enemy
no virus writer/hacker is going to spend all of its time to maybe interrupt 5% of the market share. in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing viruses/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows. think about if we really want linux to b/c the main O/S. in the end we are inviting more hackers to spend more time writing stuff for linux as well as windows. not so sure if that is good for the community..
Total Cost of being 0wnzed
Escher was the first MC and Giger invented the HR department.
in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing viruses/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows.
And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them. Yes, people would write Linux viruses and worms (they already do), but the effect would be minimal at best.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I've endlessly heard the argument that if Linux were the standard OS, there would be just as many worms as there are for Windows. I have no idea why anyone could believe that. When you install a Windows machine, you can pretty much guarantee that ports 135/139 will be running, there are numerous services listening (ex. LSASS.EXE), and on a wide scale, there are thousands of machines with those open. But when you install a Linux/BSD system.. what ports are open? What services are running? Exactly. You don't know. There are so many different variations during install, and so many different versions and programs depending on the Distribution. You could not write a "Linux worm". All the worms in existence would target specific applications, such as Apache or WU-FTPD, not the operating system. Sure there could possibly be a kernel exploit, but there are so many different kernel versions. You would not hear headlines such as "Windows virus takes down UK Coast Guard". At most, you would hear "Apache exploit takes down a UK Coast Guard server".
Visit Phrite's Tech News/Security Tools
So if we're all here high and mighty that Linux Will Solve World Hunger because of this, why aren't we doing everything (and I mean EVERYTHING) we can to solve this? It is certainly true that almost everything has been ported to Linux, but many applications have yet to appear on places like Sourceforge and Freshmeat. Sure, yeah, I've started Yenta on sourceforge as a replacement for Act! or Goldmine, but it was only recently started - with little useable code to speak of.
(Yes, I need help with that project.)
Point to this rant is that we still have a way to go before it becomes acceptable to just drop Windows in favor of Linux, but it is also up to us to make sure that if, God forbid, a worm or series of them comes out, we can patch in a hurry.
This sig no verb.
And they laid out some bad trouble. Virus writers DO do this, even if the marketshare is small. Remember Ramen?
And of course there's the Lion worm, etc.
It doesn't take a lot of computers to cause trouble, and no platform is wormsafe. Windows is prolific, of course, which doesn't help, but it's also got so many ways in. That's the real catalyst.
Rule for ANY operating system; When the default install is weak, you'll see worms. The big catalyst for Ramen and Lion (I hate to say it) was in my observations default RedHat installs that had tonnes of services on by default.
-- The unsig...
Since "Stevey-boy" testified that IE was too tightly tied to the OS to be removed. This was reinforced to me when my file-browser began to display the "yahoo toolbar" that my wife had installed in IE.
In a defensive move I am thinking about redirecting the IE short-cut Icon to Mozilla, but I'm not sure if this is even possible. Meanwhile I'm glad that we had both a software firewall running on the WinXP machine, and a hardware router running Linux(tm), between us and the mean-old internet.
Apocalypse Cancelled, Sorry, No Ticket Refunds
then that's not a cost of using linux,
that's a cost of trading off good security for a (little) ease of use.
compare that to windows, where the "default" is running as administrator.
people would write viruses, and they would still propagate if linux had 90% of the market share. just not as quickly and wouldn't affect as many people.
Here are the URLs to some other updates that'll "patch" things up:
Enjoy!
I'm not tense. I'm just terribly, terribly, alert.
Why don't we all migrate over to the Mac OS-X and OpenBSD? Linux as well. (Oh - I forgot - Lawyers at SCO may be knocking at your door). Sure, people are clueless on how to best make use of some systems, but that's OK, there are plenty of /. ers who can probably use a little contracting work (if there are any jobs left after they all went to India). It would help the job situation, although it would be painful at first for the person doing the "migration", it would be better all around.
I'm dealing with fed up customers all the time, getting frustrated by having to patch so often, but they ARE wising up and starting to take the plunge.
To make it less painful, I find it much easier to setup a parallel system, keeping the older WinBlows systems operational, while slowly putting together their servers and work stations under either Linux or Macs, and using OpenBSD for all the server related work.
It means MORE JOBS here, especially for us Open Source aficionados.
We've completed a few such "Migrations", and our clients are happy campers now. Of course we still find a need to deploy security patches, but they are much less often, and now becoming a lot more painless.
Hey man - don't shoot the messenger - it's just an idea, and we only have to convince the corporate Phat cats that perhaps M$ may NOT be the solution to all the world's problems.
And I don't believe you're going to convince many people here that pirated software equals lost revenue. That's about as weak an argument as the RIAA's.
Mmmm... that's not entirely true. Lately, a lot of virus writers have just been preying on the stupidity and gullibility of the average user. Hell, I got one of them zipped one day that practically had freakin' installation instructions... and people were STILL getting infected!
However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox. The thing can still bind to a high port and zombify the machine for spammers, which is what the majority of viruses do as of late. On a desktop, there's no reason to believe that granny Gretchen won't do just that once she learns how to whip out chmod +x on everything's ass. The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this. Yea, maybe they'll trash their own data, but at least they'll be isolated from critical system information and the network (excepting zombification... but you would be smart and block all those ports, right... you don't have chewy on the inside network security... right?). Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows). However, for desktop users at home... well... they'd still shoot themselves in the foot.
Worms, on the other hand, are another story. First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that programs y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
On top of that, Linux systems are not (currently) very homogenous. Part of what makes Linux a tantalizing target for manual attacks is that it's just damned hard to write malicious code that will work on a widespread number of systems. Unfortunately, as the dust settles and some companies really do start to take up the mantle of "desktop linux", that heterogeny may just go away for desktop users...
The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you." A lot of geeks forget that. Linux is not inherently secure (OpenBSD is inherently secure... and I don't think it's going mainstream desktop like that any time soon), and it WILL happily let you shoot yourself and your nearby friends if you so choose. Desktop users at home will do just that. It does do some things inherently better, but it still won't protect the world from people who don't bother to learn anything at all about their new toy. You can code against stupid people, but your system isn't going to do much when you're done.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
SUS sucks keeping computers up to date in a complex work area. Primarily because of the stupid reboot necessity.
You have two options:
1. Give people administrative rights so that they can manually click to install updates when the reboot is convenient, or
2. Have the computer try to install the update at a specific time. But if the computer is turned off then you have more problems. You can have the computer install and reboot when they next try to start the computer which slows down the boot up from 2 minutes to 5-7 minutes.
Then you have the OS covered but you have other software that can be used to access your computer. I wish there was an apt-get option for windows. Then you could run one command and update your entire system with all software that needs security updates. The only problem would be that Windows would still need to reboot at the end!
You don't need root to run a mass mailing email worm. If you could convince a user to run a trojaned executable, regular user permissions will do just fine. It could even open a spam proxy backdoor without root. All you really need root for in network code is for raw sockets and to listen on low TCP ports (below 1024).
Some email worms exploited an autoexecute from the preview pane bug in IE, but most of them were social engineering exercises in convincing the user to run the attachment. I think it's easy enough to launch an attachment in say Kmail or Evolution. The only challenge is delivering an executable that'll run on enough Linux machines (perl? bash? static binary?). The only reason we don't have a mass mailing Linux worm is because no one's tried it yet. It's not THAT hard.
There are lies, damned lies and TCO numbers.
A dyslexic man walks into a bra.
Perhaps one of the reasons that Linux has an inherently low TCO is because the users who have installed it, configured it, compiled it and made it run on their toaster have taken the time to read the docs. They're familiar with the hardware, the apps they run, the OS under the apps they run, and voilà -- things run nicely.
It's more like there ARE manuals to read for the rare occasion an install script does not work or you don't like the default settings. People would customize windoze just as much if the information was easy to get at.
But in the Windows world? Everybody has a support line to call for absolutely everything. Almost every product offered has some form or another of support to it, to an extent that the people who are using these systems no longer have to use any mindshare whatsoever to get their stuff working.
Some companies have call lines. Microsoft charges some outrageous fee for theirs and it's been compared unfavorably with psychic consultation.
My site would have far lower TCO if the users exercised a small, trifling fraction of their potential intelligence. ... I've spent hours updating virus signatures and restoring systems lost because a user thought it was a fine idea to open up an encrypted zip file they received from someone they didn't know.
I got one of them yesterday. Did it hurt me? No. I unzipped it and had a look at it. Is it possible to craft such a thing for Linux? I don't think so. You would have to go through a lot of trouble to undo system defaults to make something like that work. Then the author would have to know which of the hundreds of programs I use to look at such things. Unlikely.
All of that "patching" and bandaid application is not required in the reasonable world of *nix. It's a well known fact that you need about five times the number of administrators for Windoze than you do for any flavor of Unix. Those administrators are not the cheap drooling morons Microsoft would have you think can run your network, but they would be much better informed if they were working on any flavor of Unix.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
I am never sure of this argument.
There is the Apache thing.
Also I am sure there would be some kudos within the hacker community if you were to put in a competent virus for Solaris, GNU/Linux, OS X or whatever.
I ordered this CD almost two months ago!!! It still hasn't arrived. Perhaps they are delaying roll-out until they can include all security fixes???
However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox.
By LinBox, do you mean Lindows or Linux? Lindows lets the user run as root by default, just like Windows, but Linux generally does not.
So I didn't see the step where the running program gets root permissions, presuming you weren't talking about Lindows. Or are you saying that a user process can open ports without root-level permissions?
Sincerely confused,
--IceAgeComing
A liability?
TCL.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Not to pick nits, but while the Commodore 64 never had viruses to worry about, its external 1541 disk drive was another story. Unlike PC drives, the 64's was a computer in its own right, with a CPU, memory, and an operating system. They also got hot enough to keep your coffee warm! The viruses were few, but available.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
You do realize that you don't need to stay logged in as root, right? The "su" or "sudo" commands, similar to MS Win32's "runas" command, are available to users (unless you apply additional security by limiting access via access and ownership permissions) so that they do not run as root. Unlike MS Win32 though, just about any process (actually can't think of any that wouldn't) can be run using "su" or "sudo" while logged in with your regular user account. If you need to display a GUI, simply add the "xhost +" (or a more limited argument to the "xhost" command) and you're set.
The concept of running as a privileged account by default seems to be based on MS Win32 practices. Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary. I do think though that users converting from MS Win32 will likely continue that bad habit, but it's not a fault of the OS, just years of a limited OS.
You will need about 1/5 the manpower windoze requires to maintain any flavor of Unix. You can mix and match the flavors without adding too much to your costs.
What you do with the manpower is up to you but you can save money anyway you slice it. You can shitcan your people and have an improved level of performance for much less money. You can keep them on, without overtime and have much better performance and custom applications and still spend less money.
The above applies regardless of how large or small your company is. You can get more out of your single computer expert, employee or consultant, for the same money with free software or commercial Unix. At the other end of the extreme, Google has shown the world all about free goodness. The results are the same between the extremes, though it is difficult for me to say where the sweet spot is. You will always spend more money, one way or another, with M$ crap.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
from: coed_hotties68@hotmail.com
subject: superhotsexy screensaver
Hi! My hot lesbian coed friends and I made this hot lesbian coed screensaver! To install it, just do the following in a shell:
hope you enjoy!
do not read this line twice.
When the vulnerability was announced, we saw it was going to be a bad one. What did we do? Well, we downloaded the update, tested it on a few machines (which had no problems) and a few days later clicked a check box on a SUS server that approved it for distribution to clients.
Over the next few days, just the one SUS server I monitor reported over 1200 clients successfully installed the update. Others reported similar results. By the time Sasser showed up (or any of its slower-moving predecessors, some of which were poking around within a week), we'd patched thousands of systems with no user interaction at all. The only people who got hit were people running unmanaged machines... and many of them had ignored the little green globe which was telling them that their system needed to be updated. If they'd clicked on it, they would have been OK too.
Oh yeah, SUS is free, a piece of cake to install, and works great. It even locks down the server it runs on to resist attack. Anyone who runs more Windows machines than they can reach from their desk chair should be using it.
Gartner should stop with the "nyah nyah we said it was going to be a bad one... look how cool we are". Everyone else with a clue knew it was going to be a big problem too. They should instead point out ways for Windows shops to get out in front of the curve.
Counterexample: MacOS X
Normal users aren't admins, but can have sudo access. When some installation requires elevated privileges, the user is presented with a dialog box for typing their password. It's considerably more convenient than having to log in as root, but doesn't let malicious code run at an elevated privilege level without the user knowing it.
5... 4... 3... 2... 1...
Dawn of the Dead
It doesn't matter if only a very small minority of gullible users get infected. In the scheme of things, it doesn't cost the worldwide community that much. The cost becomes significant however when a significant percentage of the population gets infected.
The problem with Microsoft is that it wants to remote control your box. It wants to know what you have installed and how you're using it. That's why Microsoft boxes are insecure, it's not because Microsoft isn't smart enough, it's because it's not in their interest to make your box too secure.
...of problems with libc versions?
You have no excuse to steal Windows.
Nobody "stole" Windows(unless they lifted the actual disk). They're just using a copy.
What?
Ah but the difference is diversity.
With Microsoft Windows you now get one family 2000-XP-2003, all of which share the same security problems. So 94% of the computers out there come with some really bad security settings and flaws. Some will patch, but by default most of those systems are insecure.
If you don't like it, what do you do? Windows from Dell is as insecure out of the box as Windows from Compaq or Gateway, no choice, you can't buy a "safe" windows machine out of the box.
On the other hand.......
Default security in the Linux world is determined by the distribution. So if a distribution defaults to having a firewall, no insane file associations for email and web browsing, limited services running, automatic security updates and practically forcing the user to create and run a non root account, then that distribution will be pretty much virus free.
What will happen is this
Distribution A will have 12% share and gets infected 2% of the time
Distribution B will have 14% share and get infected 2.5% of the time
Distribution C will have 8% share and get infected 18% of the time.
It won't take long for Distribution C to get a bad rep. Computer makers will no longer offer Distribution C, or will add "value" by fixing the defaults.
To believe that Linux boxen will be as virus ridden as Windows, you would have to believe that everyone will use Linux someday and that people will choose and stick with an insecure distribution.
Unlike Windows or MacOS, if Linux ruled, there would be healthy competition and consumers would have a choice of which OS they ran.
vi +
Dealing with burglars puts up the cost of Windows. I need to spend extra on secure frames, locks, sacrificial edgings, insurance policies ...
I know! I'll just stop using Windows, and brick up the holes! That'll make my life better won't it!
Anyways, I just loaded SUSE Linux onto my machine, and with the exception of a few quirks getting it set up, I'm pretty satisfied with the experience. I know that the process of installing new programs needs to be smoothed out a lot before the masses would want to use this, but the only time I ever miss Windows is when I want to run a Windows-only program. I never could get Half-Life to play with WINE. Actually, I'm pretty disgusted with new games in general ( see my journal ); I've been playing with ZSNES.
But really, I guess my point is that MS software is a stinking pile of ---- and I hope that the day comes soon that people will see through their smoke and mirrors that they charge a high price and manipulate the market with crappy software. Heck, I even got my grandmother using Mozilla; and I'm sure she doesn't miss pop-up ads one bit. All these worms, with the patches that require a reboot every time are just one more reason to move away from Windows.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
Windows XP can be just as locked down as Linux. In our environment WinXP is locked down, secretaries and other employees cannot install programs and if they need or want one installed they have to get approval and I sign in as admin and install the program, hell I don't even sign in as an admin for everyday use, I have my own limited account for daily productivity work. I make sure all my machines are up2date and I have never gotten infected with a virus or worm or trojan and we handle a lot of clients and customers and are publicly visited, I'm not saying we are unhackable but I am very, very paranoid when setting up security and a lot of my colleagues love it when I pass on information.
Universities often have fat pipes and don't have "closed by default" firewalls. Even if they have the "Windows ports" closed at the Internet borders, there's bound to be other ways in at which point, with a fast worm, it's all over.
Am I the only one who's discovered that Automatic Updates are actually automatic?
No. You are one among many that apparently think Automatic Updates covers everything when it doesn't. The Automatic updates are not all-inclusive of the patches released to address vulnerability/security issues.
"Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary."
It's not necessary with Windows either. The "run as" command has no problems running installers or other graphical applications.
Heck, I've installed service packs fine using "run as".
Not to mention the fact that you can set Windows Installer to automatically request administrator privileges.
Why is this any different from Linux?
I don't know where to start discrediting your post.
The "running as root" argument is garbage. Any privilege escalation vulnerability in Linux history (or any other history, for that matter) is an existence proof.
The "without telling them" argument is garbage. The vast majority of viruses transmitted by e-mail are done so because the user did something dumb, not because of some long-fixed auto-execute vulnerability in a popular mail client. You wouldn't need root access to fall for something like that, by the way.
You think a major Linux worm would have a minimal effect? Do you have any idea how many critical systems run on Linux these days? Hit Windows, hit the desktops. Hit Linux, hit the servers. Put your sysadmin hat on and tell me which is worse.
Linux is not immune to security issues, and any claim that many eyes make for few bugs and thus OSS is fundamentally safer than Windows-based equivalents can be discredited with the slightest thought about reality rather than theory. Linux remains relatively safe because of the culture surrounding it, not because it's inherently flawless.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
And when you sudo, you enter YOUR password, not root's.
Which brings up the point that sudo requires configuration by an IT admin for a user to run it successfully. So, for most users, running the program as root requires them to login as root first. Hence the grandparent post's instructions get even more complex and tedious, and gives more time for alarm bells to go off in the user's head. All of this will allow most people to return to their senses before following through. Certainly more than clicking on a VB attachment in MS Outlook.
Keeping viruses like this from running is normally as simple as telling people "Do not login as root and run unknown commands". Maybe a future distro will display this message when someone logs in as root:
"DO NOT COMPILE AND RUN PROGRAMS AS ROOT UNLESS YOU TRUST THE SOURCE".
Hmm, sounds a lot like "Do not run unknown attachments from email". Doesn't work. Been telling users for years. Doesn't work.
When I was young and foolish, I bought MS Frontpage. I also have two computers running Windows XP (thinking of switching one to Mandrake, if I can manage it). Microsoft has refused to let me reinstall both Frontpage and their OS because they said I "reinstalled it too many times already."
I bought and paid for the crappy program, and now I can't even install it on my computer?
I'd like to see a few more lemon laws on software if they want to start treating IP as real property.
Heck, I'd like to see imported IP properly subject to tariffs as well, thanks. I mean, if it is actually property and all...
You can't have it both ways.
___
It's the end of my comment as I know it and I feel fine.
And KDE has something similar called kdesu (and there is the same for gnome) that opens a dialog asking for the root password, then runs the program with root privileges.
That's how, if you're running Mandrake, you can easily launch the Mandrake configuration tools.
wtf.n0x.org
100 attacks each hitting 1000 computers does as much damage as 10 attacks each hitting 10,000 computers. True, small isolated incidents regarding virus attacks are insignificant in the grand scheme of things, but it's not like Microsoft can leave it alone.
For every kiddie script or virus variant out there, there's a hundred Joe Average users screaming at their computers. For every hundred screaming Joe Average users, there's 10 system admins having to go around and remove the virus, update their computers, and then give a lecture on how to prevent something like this from happening again (not that Joe Average will listen). For every 10 system admins running around needing to solve every virus problem, there's one programmer out there who has to come up with a program that bypasses the virus, seeks out the virus, and eliminates the virus. That and they have to figure out how it works, how it spreads, how can they get rid of it, if there's any clues as to who made it, etc.
So like you said, yeah in the scheme of things one or two attacks doesn't cost the worldwide community much. Except for the fact that one or two of these types of incidents seem to happen every day. Now if you'll excuse me, I have to download anti-virus protection for my parent's computer, install it, update it, run it regularly, then debate on whether it's worth paying $200 for an official CD-key, scream at the fact that the computer slows to a halt due to new anti-piracy software methods, call up the company and complain, and then come back to Slashdot to post a 'Askslashdot' topic regarding the sheer amount of frustration of dealing with anti-virus programs as the 'system admin' of my house.
SUS (Software Update Services, a LAN version of Microsoft's Windows Update site) has been out for, what, two years now? Any decent-sized network should consider it essential. I am running SUS on my LAN at work (about 50+ Windows 2000/XP workstations) and we haven't had any problems from these worms, simply because all my machines are patched within a day of the patches being released. Considering the patch for the Sasser worm has been out for over two weeks now, I think it should be considered dereliction of duty for Sysadmins to take so damn long installing the patches!!!!
Blame MS all you want, at the end of the day, if MS have released the patch and the sysadmins haven't installed it (for whatever reason), then it's not MS's fault.
Still, I wouldn't mind breaking the fingers of the prick who wrote the worm in the first place.
The "running as root" argument is garbage. Any privilege escalation vulnerability in Linux history (or any other history, for that matter) is an existence proof.
I had my RH5 box hacked into a few years ago, so I know that linux isn't invulnerable, and I know the grandparent uses strong words like "only" and "all the time". But isn't it true that Linux at least makes it much easier to keep users from unintentionally harming their machines?
It's one thing to click on a VB attachment in Outlook. It's another to follow install instructions that involve first logging in as root. (as in this post; note that "sudo" isn't usually allowed by default).
Because linux follows a model where a user can't affect important OS resources easily, it is possible to isolate the OS vulnerabilities from user stupidity. This makes it easier to update the OS without affecting the user, which makes the system more stable in the long run.
Any disagreements with what I've written?
Also, am I the only person who logs on to Slashdot whose jaw hits the floor every time I read remarks from our far more knowledgeable Windows administering comrades about Unix/Linux?
For example, one of the saddest/funniest remarks I have ever seen about Linux versus Windows was the complaint by a Windows wizard remarking how stoopid it is to be able to run a script from a simple text file. The funny part of the remark was the reply suggesting the user save the following command as test.bat and double click the icon:
deltree c:\windows Y OK
Or something like that.
Dawn of the Dead
If it is above port 1024...yes. You can start an Apache process and bind it to port 8080 without being root.
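The point made in several comments above, that a non-root process can listen on ports from 1024 up, is something an administrator can audit for. The following is an added example, not code from any poster: it parses the Linux `/proc/net/tcp` table and reports listening sockets owned by non-root users that are bound to a non-loopback address. The sample table is constructed, and the function names are this example's own.

```python
import socket
import struct

TCP_LISTEN = 0x0A             # value of the "st" column for a listening socket
PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root (or CAP_NET_BIND_SERVICE)

# Constructed sample in /proc/net/tcp layout, as a little-endian host prints it.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 25010 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8235 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 25011 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:D2F0 0200000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 25012 1 0000000000000000 20 4 30 10 -1
"""


def decode_ipv4(hex_addr):
    """Turn the kernel's 8-hex-digit address into dotted-quad form.

    Assumption: the table came from a little-endian machine (x86, most ARM),
    where 127.0.0.1 is printed as 0100007F.
    """
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(table_text):
    """Return one dict per socket in LISTEN state."""
    listeners = []
    for line in table_text.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue                              # truncated or blank line
        if int(fields[3], 16) != TCP_LISTEN:
            continue                              # established, time-wait, ...
        addr_hex, port_hex = fields[1].split(":")
        listeners.append({
            "addr": decode_ipv4(addr_hex),
            "port": int(port_hex, 16),            # port is plain big-endian hex
            "uid": int(fields[7]),                # uid that owns the socket
            "inode": int(fields[9]),              # match against /proc/<pid>/fd
        })
    return listeners


def exposed_unprivileged(listeners):
    """Listeners owned by a non-root uid and reachable from other hosts."""
    return [
        entry for entry in listeners
        if entry["uid"] != 0 and not entry["addr"].startswith("127.")
    ]


def load_table(path="/proc/net/tcp"):
    """Read the live table on Linux; fall back to the constructed sample."""
    try:
        with open(path, encoding="ascii") as handle:
            return handle.read()
    except OSError:
        return SAMPLE_PROC_NET_TCP


if __name__ == "__main__":
    for entry in exposed_unprivileged(parse_listeners(load_table())):
        note = "" if entry["port"] >= PRIVILEGED_PORT_LIMIT else " (low port)"
        print("uid %d listens on %s:%d, socket inode %d%s" % (
            entry["uid"], entry["addr"], entry["port"], entry["inode"], note))
```

The inode in each finding can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process; IPv6 listeners are in `/proc/net/tcp6`, which this example does not read.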
Sure there could possibly be a kernel exploit, but there are so many different kernel versions. Sure you could write a worm like blaster that exploits a vulnerability that's already been patched, but there are so many machines that are already patched... But when you install a Linux/BSD system.. what ports are open? What services are running? Exactly. You don't know. As the number of users increases, the knowledge of each user decreases... therefore, the more people will run as root (or an account with close enough privs) to make the closed/open ports or running services point moot. Come on. Tell me what AV Software is your linux box running? None right? Kinda like the way it was back when we were running Windows 3.1 right? Linux is inherently more secure, but that doesn't make it invulnerable.
1. In 1999 I worked at a company with 30,000 workstations. The second year in a row they spent nearly $1 million fixing up machines after virus/worm attacks, they 'banned' outlook express in favor of Eudora, though most people continued using OE anyway. (Said cost did not include lost time.)
2. IIRC a couple of years ago one of the Big five accounting firms, the only all-MS shop among the five, was shut down completely for several days due to NIMDA (?) Assuming $1 billion/year gross revenues, three lost days amounts to $120 million loss - or at least deferred, or packed into later overtime, etc. This is a back-of-napkin estimate, but still indicative of the potential costs.
It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
That's because it is unnecessary.
I don't know why this mistaken idea that "malicious code not running as root can't do any real damage" has gained acceptance, but please stop repeating it.
of course, that is not the best example, because X is often a suid binary...
Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?