Slashdot Mirror
Worms Jack Up the Total Cost of Windows
rbrandis writes "Dealing with widespread worms like Sasser raises the cost of using Windows, a research analyst said Wednesday. "This is part of the carrying cost of using Windows," said Mark Nicolett, research director at Gartner. "The cost of a Windows environment has gone up because enterprises have to install security patches very rapidly, deal with outages caused by secondary problems with these patches, and deploy additional layers of security technology." "The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely," said Nicolett and his Gartner colleague, John Pescatore, in an alert posted on the Gartner site."
I'm switching back to the Commodore 64.
The TCO for Windows for the vast majority of slashdotters however is still steady and holding at "free".
;-)
I keed, I keed!
Quidquid latine dictum sit, altum viditur
I work at a computer science department, and I'm currently compiling a CD of patches that people have to install before they get on the internet. Right now, the number of patches is nearing 30.
Ahem. This is -1, Redundant. No shit viruses/worms raise TCO. This is the case for ANY operating system, not just windows. Of course, the homogenous nature of Windows makes it a lot easier for worms to affect machines in a wide range. But we'd still need to take precautions with any system in use.
This is news? This wasn't included in TCO estimates before? (Actually, that would be news, but not the kind I'd want blasted out to the world about me!). Seriously, how can "common maintenance" NOT be included in a TCO estimate? Isn't that the major ongoing part of TCO? Geez....
The cesspool just got a check and balance.
An when Linux gets exploited, the people fix it for free and very quickly. Then the next person to download this FREE system is a-ok.
Thats just plain sexy.
-- The box said Windows 2000 or better... so I installed Linux
I wonder if the cost of antivirus subscriptions has traditionally been included in the TCO studies out there comparing Windows and Linux. Somehow I bet not.
At some point somebody (Windows apologist or not) is going to point to Longhorn as the solution to security problems. Is there hard data on whether or not worms have been increasing or decreasing (in frequency and effects) the past couple of years?
We know what problems they've caused and how the media's gone nuts over each virus, making things seem bigger and bigger. But some old viruses were much nastier, and I sure don't hear about those types of infections anymore.
-Rob
Marriage doesn't have to suck!
Most people rarely patch their computers until something happens. (Me being one of them) It's something that people really need to be aware of. Prevention is the key.
Lately about 1/3 of my job consists of dealing with Windows vulnerabilities. And there are four other full-time staffers here with the same job description. We're not especially well paid, but that sure adds up. And when you add in the downtime of the people whose computers we're fixing...
http://alternatives.rzero.com/
Actually, Just install the latest service pack and then install Autopatcher. It has all the updates, hotfixes, and some cool extras all rolled into one scripted install so you can just start the install and walk away. I've used it and I can say that it makes life a million times easier.
There are versions for 9x all the way up to XP. You could fit everything onto one cd, and if you wanted you could even script that install. Thanks Autopatcher guys!
Quidquid latine dictum sit, altum viditur
Scientists confirmed today that water is indeed wet, Abraham Lincoin is dead, and the earth is round.
Well.. maybe. Or Maybe not. But Definitely not sort of.
then the macs would be on many more corporate desktops. they are far esier to maintain and admin. but, businesses are pennywise and pound foolish. admin costs are not necessarily up front costs. so, bottom line bean counters can justify purchase from vendor A because of lower initial cost. also, don't count out the paper mill MCSE's that influence purchasing decisions.
My problem? I was perfectly gruntled, until some numbnuts came by and dissed me.
Read the article again. There's a footnote at the bottom:
Corrects earlier version which incorrectly stated SP2 would include a built-in virus scanner. The offering actually includes a pop-up monitor that checks the settings of third-party anti-virus and firewall applications, and allows users to modify them if necessary.
heh. If you want to see the TCO for something increase dramatically, all you have to do is provide support for it over a long enough span of time that people feel comfortable in ceasing to learn.
:(
Perhaps one of the reasons that Linux has an inherently low TCO is because the users who have installed it, configured it, compiled it and made it run on their toaster have taken the time to read the docs. They're familiar with the hardware, the apps they run, the OS under the apps they run, and viola -- things run nicely.
But in the Windows world? Everybody has a support line to call for absolutely everything. Almost every product offered has some form or another of support to it, to an extent that the people who are using these systems no longer have to use any mindshare whatsoever to get their stuff working. At your place of business a PC tech is waiting to coddle you. At your home you can call your ISP, call your PC vendor, call your OS manufacturer, call your application developer, call everybody in order to figure out what's wrong with the system. The suggestions they give you to fix it may seem arcane and strange, but if you follow them assiduously you have a 30 to 40% chance of getting things working... and if it doesn't work out, you can always call back 'til you get ahold of someone who really knows what's going on.
Small wonder the TCO is so incredible. I can understand that worms have an impact on this number - hell, I've logged plenty of overtime hours securing machines against the latest potential threat (the Army is rather proactive in locking things down against explotation - with good reason). I've spent countless nights securing our systems against worms that use ports that are not open on our firewall. I've spent hours updating virus signatures and restoring systems lost because a user thought it was a fine idea to open up an encrypted zip file they received from someone they didn't know. I've spent many a fine weekend and holiday at work restoring people's email because they deleted without consideration for the fact that bringing it back takes serious time.
My site would have far lower TCO if the users exercised a small, trifling fraction of their potential intelligence. Am I overestimating the abilities of the average human, here?
sigh... *Lots* of things go into TCO. My overtime, paid to fix these kinds of problems, is a significant part of it at the site I work for. End of rant.
I know it isn't perfect, and I shouldn't even have to pay for a server to keep our MS stuff up-to-date, but it has saved us tons of time and hasn't given us any problems yet. Maybe we are an exception.
I struggled for days and days and all I got was this lousy sig.
What will these analysts discover next?
I've been hearing rumors that MS products cost more than the open source alternatives too. But it's just a rumor...
"Fate favors the bold"
These are some of the large-scale operations that were affected by the worm, some of the frantic preparing for the worm strike. I have never, ever believed for a second that the TCO for Windows is lower than e.g. Linux of BSD, past the first month of switching. Even with higher sysadmin costs, the overall increase in productivity equals this and then some. Christ, potentially sick people had to reschedule their CAT / MR exams because of a fucking Microsoft Worm (TM)?
How much more are we willing to up up with? I made two switches, first from Windows to Linux and then from Linux to Mac. The only thing I regret is not switching earlier.
Today, my employer lost 25 USD, since an article I wrote disappeared when Word crashed and I had to re-write it for one half hour. It seems the defaut Word behaviour in custom OEN installs that our IS get is to NOT autosave for recovery due to "performance issues"
Lower TCO my ass.
First they say you shouldn't use Linux. Now, they don't want us using Windows 'cuz of worms. Tell me, gartner, what should I do? Oh, that's right, you don't ever do anything. You just make stupid recommendations.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
I wonder if Gartner or anyone else does any serious quantitative study of the true "value" of having a new distro via the net.
If I go to download Fedora or Debian via ISO images, and burn them, I often have a maintained distrobution that is very young. Less than a month old.
If I go and buy Windows XP via Amazon and have it delivered next day, I still have an OS image which is over a year old, even the new one that rolls up SP1.
I don't have to make a CD up with 30+ patches on it, before it is safe to plug my machine on a network.
If I worked at Redmond, and was thinking about this problem, I think what I may do is work an installation script that combines with the firewall - and keeps all inbound connections out until a "tunnel" is established to Windowsupdate, and all patches are applied before "releasing" the IP stack.
Many of these systematic advantages come from the fact that Linux doesn't need a license key to install the OS. If Microsoft gave Windows away, there would be 0-day distros on their website as well.
Sounds like they are trying to make yet more arguments against disclosure of problems. Either that, or an indirect comment on why proprietary systems could be better, if disclosure of problems were not allowed.
"The Sasser worm attacks confirm our prediction that mass worm attacks against the multiple vulnerabilities disclosed by Microsoft on April 13 were likely,"...
We all knew these attacks were likely. Did their timing have something to do with the disclosure? Possibly. Would they have happened without the disclosure? Yes, I think they would have.
The root of the problem, in this case, lies squarely with Microsoft, and the various design decisions they made implementing their OS and other products.
. 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
Seriously, though, it's good that stuff like that surfaces on PHB-radar range. Maybe somebody will ask things like "So why should *I* be taking all these measures because *your* software is buggy?" the next time the M$ rep comes in, hawking the latest and greatest from Redmond.
There are also a lot of secondary costs to windows worms as well. Increased network traffic affects those that do not even use windows(or those who are careful). Also, if a windows worm brings down a banking system, there is a cost again to innocent people who may not even use windows. Or for instance, if a supplier for a business goes down, then the buisness itself is adversely affected.
Windows worms(and malware in general) do not just adversely affect windows users, they have the potential to harm society in general(though I don't agree with the figures that some of these anti-virus people put out, they are just looking for sensationalism to sell their products)
Windows worms are everyone's problem, do your part to stop them!
Actually, Just install the latest service pack
This costs money for a CD from Microsoft. If the user tries to download the service pack instead of buying the CD, the user will probably get hit with Blaster or Sasser while trying to download the service pack itself, as the size of the service pack exceeds what a dial-up user can download within the time it takes for Blaster or Sasser to shut down the computer.
There are versions for 9x all the way up to XP.
Really? I read from here: "AutoPatcher 2000 is still being worked on."
Yet if what you say is true, that it would be tougher under Linux than under Windows, the total number of exploits and therefore the total cost of operation would be lower under Linux and Mac under Windows.
Analogy: Cars A and B have lower power engines and higher efficiencies than car C. Sure as gas prices go up, Cars A and Cars B will still see increases in fuel consumption dollars, but in comparison to Car C which has lower mileage per gallon, will *still* beat it.
I agree, a heteroculture is best; each machine for each best use, and a proper mix for maximum robustness, but I disagree that the TCO wouldn't matter in the long run. It would still be cheaper on a Mac or Linux setup, I believe, at least until the competition caused Micrsoft to shore up it's design!
GPL Deconstructed
Differing discussions on if patches really do break Windows.
In my case, working with 10,000+/- clients, I have seen this on repeated occasions.
Various MS patches would break the following:
Novell client on 2k/XP (but not 98/95)
Some third party business-specific applications (stat software, database, etc.)
Video drivers (easily fixed, but still)
In one case, recently, it BSOD'd several NT boxes (the IE 6 security rollups)
Irritating to be sure, so on one hand, you need to patch immediately (or risk the wrath of a new worm/virus)
On the other hand, patching immediately can lead to loss of productivity
On the third hand (you do have three hands don't you?) you can't wait for an AV package to have the proper updates, as (to my viewpoint anyway) AV products should be the last line of defense, not the 1st.
On the fourth hand, training is key to clients, but as the saying goes, you can lead a luser to enlightenment, but you can't make them think.
I keep waiting for *seriously* damaging viruses to show up in the wake of the leaked (partial) source code to Windows 2000. That may be the last straw to many a business.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Of course it is true that owning and operating a Windows computer costs more because of the need to keep current with patches, to test them and to apply them in a timely manner. Every sysadmin knows this even if their cost-conscious boss doesn't see this big picture.
But, to be fair [and I'm no MS apologist - they need to be taken to task all over the place for lots of reasons], even if you run a MacOS X, Linux or even an OpenBSD system, there are implicit costs associated with maintaining those systems, too.
Since the software cost for FOSS is zero, the single most important cost is this installation and maintenance. As such, it ought to be quantified.
The advantage of doing this is that these kinds of costs are no longer swept under the rug and people can start asking more detailed questions about Windows maintenance costs in terms of sysadmin time- not just estimated costs of downtime on the business.
Then maybe, too, people will start to ask questions about what kinds of implicit future costs they incurred via early decisions to use some vendor's application that locks their valuable business data inside a proprietary format.
"Provided by the management for your protection."
Doesn't the O in TCO stand for Ownership? What exactly do you own with Microsoft products? Aren't you really just Licensing them?
My beliefs do not require that you agree with them.
The reason so many viruses exist for XP deals more with the fact that XP still uses code that was vulnerable in 98 in some spots and that its just too damn easy to exploit. Make something hard and only diehard skriptkiddies will take the time to hack it, right now any jack or jane punk 11 year old can pretend to be a "hacker" and send out a virus, usually varients of the same virus.
But truth be told I quiet enjoy your idea of a more mixed OS base. The problem is programmers HATE it which is why you have more code written for Microsoft and less for Linux or OS X
"Slashdot, where telling the truth is overrated but lying is insightful."
Why are their more viruses that target IIS than Apache, when Apache is the leading web server then? Until there is a different leading OS than Windows and it is more frequently the target of attack, your comment is nothing but speculation.
This is my sig, there are many like it, but this one is mine...
So SP2 is going to include a Microsoft add-on that monitors third-party add-on's that monitor the Microsoft OS.
Who said these guys didn't know how to design an OS?
I see one bad thing and two good things here...anyone else with me? I mean, shouldn't we work our best to keep our environments 1) current and 2) as secure as we can afford to?
The patches and the closed-sourcedness are, however, a PITA.
As far as TCO goes, I see the same people just working more salaried hours to fix issues arising from bugs, etc. And they haven't had to have the admittedly more extensive training behind running a *nix environment.
You could just install an SUS server, point all your clients at it and enable auto-update. Test the patches, put on SUS, play golf.
It's things like this that make me wonder if the "TCO of Windows" is more likely the "TCO of having highly unqualified people working in your IT department who know how to spell XP, but nothing more than that". If you have idiots running your network, you're paying to throw money out the window (no pun intended).
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
Microsoft has priced themselves out of the market.
And it isn't the initial purchase cost. They could give away Windows and it would still be too expensive. Dealing with the virus du jour and the patch du jour is just too much anymore. Add to this (from recent Slashdot stories) large companies' estimates that half of all their Internet traffic was to/from Windows Update and the cost of maintaining Windows goes even higher.
Well, I quit. I am just done with patching Windows. All Windows machines are hidden behind a firewall (Linux based and I do patch it religiously; gee, there's been one critical patch in 1 1/2 years!), we don't use IE or Outlook and I only patch Windows when there are functionality problems.
Now, I know I'm gonna get a lot of flack from everyone here about "firewalls not being the final solution", "you gotta patch every day" yada, yada, yada. But the combination of a firewall, not using IE or Outlook and scanning ANY computer from outside before it is allowed on our LAN works for us. We weathered SQL Slammer, Blaster, Netsky, Bagel, Sasser, etc, etc with not one hiccup in our daily operation.
The key here is not to trust Windows on the Internet. No, one step further: don't trust any Microsoft software on the Internet! Don't use it for e-mail, don't use it to browse the Web and never, ever hook up a Windows machine unprotected to the 'net!
Virus authors have nothing to worry about from this security group.
Some excerpts:
-
While strong out-of-the-box security configurations are preferred, it is recognized that updating existing products to
comply with this requirement can be costly, time-consuming and can result in various incompatibilities with current
and supported versions of the product. As a result, it may not be possible for a vendor to transition a product to a
more secure out-of-the-box state for several years, depending on product release cycles.
...
Whose side are these guys on?In conjunction with the above recommendations, the requirement for medium or higher assurance evaluations (Evaluation Assurance Level 4+ [EAL4+]) for commercial products should be dropped, since the stated reason for higher assurance evaluations by the proponents is the ability to do vulnerability analysis. Higher assurance evaluations for commercial software impose a cost burden that even the largest IT vendors cannot bear or should not bear; they do not substantially improve product security, but may result in vendors paying multiple times for the same evaluation in different markets. Furthermore, finding faults in software that has already shipped is far more expensive and less effective than giving vendors the tools to be used during the development process. ...
In order to promote the evaluation of more products, the U.S. Government should help offset the expenses of CC evaluation through research and development tax credits or paying part of the evaluation costs.
Predicting that multiple recently announced security flaws in windows will be exploited is like predicting the sun won't explode tomorrow.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Windows XP Pro for 200 systems: $30,000
Anti-Virus Software for Windows XP corporate: $7000
The billing rate for 10 contractors to come out and clean your systems: 700$/hour
Seeing the face of your CEO when you tell him linux is free: Priceless
There are some things money is wasted on, for everything else there is linux.
no virus writer/hacker is going to spend all of its time to maybe interrupt 5% of the market share. in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing virues/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows. think about if we really want linux to b/c the main O/S. in the end we are inviting more hackers to spend more time writing stuff for linux as well as windows. not so sure if that is good for the community..
Total Cost of being 0wnzed
Escher was the first MC and Giger invented the HR department.
in all fairness if the tables were turned and M$ had only 5% and linux had 90% of the users out there you can bet we'd be seeing virues/trojans/worms and hacks coming from all over the place, and we'd be talking about that instead of windows.
And this would only infect people running Linux as root all the time who use email clients that execute scripts sent from complete strangers without telling them. Yes, people would write Linux viruses and worms (they already do), but the effect would be minimal at best.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
I've endlessly heard the argument that if Linux were the standard OS, there would be just as many worms as there are for Windows. I have no idea why anyone could believe that. When you install a Windows machine, you can pretty much guarantee that ports 135/139 will be running, there are numerous services listening (ex. LSASS.EXE), and on a wide scale, there are thousands of machines with those open. But when you install a Linux/BSD system.. what ports are open? What services are running? Exactly. You don't know. There are soo many different variations durng install, and so many different versions and programs depending on the Distribution. You could not write a "Linux worm". All the worms in existance would target specific applications, such as Apache or WU-FTPD, not the operating system. Sure there could possibly be a kernel exploit, but there are so many different kernel versions. You would not hear headlines such as "Windows virus takes down UK Coast Guard". At most, you would hear "Apache exploit takes down a UK Coast Guard server".
Visit Phrite's Tech News/Security Tools
And they laid out some bad trouble. Virus writers DO do this, even if the marketshare is small. Remember Ramen?
And of cours there's the Lion worm, etc..
It doesn't take a lot of computers to cause trouble, and no platform is wormsafe. Windows is prolific, of course, which doesn't help, but it's also got so many ways in. That's the real catalyst.
Rule for ANY operating system; When the default install is weak, you'll see worms. The big catalyst for Ramen and Lion (I hate to say it) was in my observations default RedHat installs that had tonnes of services on by default.
-- The unsig...
then that's not a cost of using linux,
that's a cost of trading off good security for a (little) ease of use.
compare that to windows, where the "default" is running as administrator.
people would write viruses, and they would still propagate if linux had 90% of the market share. just not as quickly and wouldn't affect as many people.
Why don't we all migrate over to the Mac OS-X and OpenBSD? Linux as well. (Oh - I forgot - Lawyers at SCO may be knocking at your door). Sure, people are clueless on how to best make use of some systems, but that's OK, there are plenty of /. ers who can probably use a little contracting work (if there are any jobs left after they all went to India). It would help the job situation, although it would be painful at first for the person doing the "migration", it would be better all around.
I'm dealing with fed up customers all the time, getting frustrated by having to patch so often, but they ARE wiseing up and starting to take the plunge.
To make it less painful, I find it much easier to setup a parallel system, keeping the older WinBlows systems operational, while slowly putting together their servers and work stations under either Linux or Macs, and using OpenBSD for all the server related work.
It means MORE JOBS here, especially for us Open Source affectionatos.
We've completed a few such "Migrations", and our clients are happy campers now. Of course we still find a need to deploy security patches, but they are much less often, and now becoming a lot more painless.
Hey man - don't shoot the messenger - it's just an idea, and we only have to convince the corporate Phat cats that parhaps M$ may NOT be the solution to all the worlds problems.
And I don't believe you're going to convince many people here that pirated software equals lost revenue. That's about as weak an argument as the RIAA's.
Mmmm... that's not entirely true. Lately, a lot of virus writers have just been preying on the stupidity and gullibility of the average user. Hell, I got one of them zipped one day that practically had freakin' installation instructions... and people were STILL getting infected!
However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox. The thing can still bind to a high port and zombify the machine for spammers, which is what the majority of viruses do as of late. On a desktop, there's no reason to believe that granny Gretchen won't do just that once she learns how to whip out chmod +x on everything's ass. The nice thing, however, is that if you're running in a corporate environment, you can isolate users to their own filesystems to protect them from doing stupid things like this. Yea, maybe they'll trash their own data, but at least they'll be isolated from critical system information and the network (excepting zombification... but you would be smart and block all those ports, right... you don't have chewy on the inside network security... right?). Great for corporate networks, FAR better than the Windows situation (Yea, I know.. you can use Active Directory, but that's not a native part of Windows). However, for desktop users at home... well... they'd still shoot themselves in the foot.
Worms, on the other hand, are another story. First, patching a Linbox is often a matter of grabbing a patch a day or two after the vuln is known and slapping it into the system. Since Linux is built on the Unix philosophy of tools in a toolbox, you don't have to worry that a patch for program x is going to change code that program's y and z also use (unless it's a library or something). Windows? Not the case. If you have to patch MSHTML, anything from IE to your damned titlebars can get fucked up as a result.
On top of that, Linux systems are not (currently) very homogenous. Part of what makes Linux a tantalizing target for manual attacks is that it's just damned hard to write malicious code that will work on a widespread number of systems. Unfortunately, as the dust settles and some companies really do start to take up the mantle of "desktop linux", that heterogeny may just go away for desktop users...
The point is this: Linux CAN be much, much, MUCH more secure than Windows. However, Linux also does the same thing Unix does: "Look, you can make me secure if you want, but you can also use me to blow your toes off one at a time... YOU choose.. I'm not going to decide for you." A lot of geeks forget that. Linux is not inherently secure (OpenBSD is inherently secure... and I don't think it's going mainstream desktop like that any time soon), and it WILL happily let you shoot yourself and your nearby friends if you so choose. Desktop users at home will do just that. It does do some things inherently better, but it still won't protect the world from people who don't bother to learn anything at all about their new toy. You can code against stupid people, but your system isn't going to do much when you're done.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
You don't need root to run a mass mailing email worm. If you could convince a user to run a trojaned executable, regular user permissions will do just fine. It could even open a spam proxy backdoor without root. All you really need root for in network code is for raw sockets and to listen on low TCP ports (below 1024).
Some email worms exploited an autoexecute from the preview pane bug in IE, but most of them were social engineering exercises in convincing the user to run the attachment. I think it's easy enough to launch an attachment in say Kmail or Evolution. The only challenge is delivering an executable that'll run on enough Linux machines (perl? bash? static binary?). The only reason we don't have a mass mailing Linux worm is because noone's tried it yet . It's not THAT hard.
There are lies, damned lies and TCO numbers.
A dyslexic man walks into a bra.
However, for this to work on a Linbox, there are two requirements: 1) the user must save the binary and make it executable and 2) the user must then run it. Now, once that happens, there's really not much going to go differently on a Linbox than a Winbox.
By LinBox, do you mean Lindows or Linux? Lindows lets the user run as root by default, just like Windows, but Linux generally does not.
So I didn't see the step where the running program gets root permissions, presuming you weren't talking about Lindows. Or are you saying that a user process can open ports without root-level permissions?
Sincerely confused,
--IceAgeComing
You do realize that you don't need to stay logged in as root, right? The "su" or "sudo" commands, similar to MS Win32's "runas" command, are available to users (unless you apply additional security by limiting access via access and ownership permissions) so that they do not run as root. Unlike MS Win32 though, just about any process (actually can't think of any that wouldn't) can be run using "su" or "sudo" while logged in with your regular user account. If you need to display a GUI, simply add the "xhost +" (or a more limited argument to the "xhost" command) and your set.
The concept of running with as a priviledged account by default seems to be based on MS Win32 practices. Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary. I do think though that users converting from MS Win32 will likely continue that bad habit, but it's not a fault of the OS, just years of a limited OS.
from: coed_hotties68@hotmail.com
subject: superhotsexy screensaver
Hi! My hot lesbian coed friends and I made this hot lesbian coed screensaver! To install it, just do the following in a shell:
hope you enjoy!
do not read this line twice.
When the vulnerability was announced, we saw it was going to be a bad one. What did we do? Well, we downloaded the update, tested it on a few machines (which had no problems) and a few days later clicked a check box on a SUS server that approved it for distribution to clients.
Over the next few days, just the one SUS server I monitor reported over 1200 clients successfully installed the update. Others reported similar results. By time time sasser showed up (or any of its slower-moving predecessors, some of which were poking around within a week), we'd patched thousands of systems with no user interaction at all. The only people who got hit were people running unmanaged machines... and many of them had ignored the little green globe which was telling them that their system needed to be updated. If they'd clicked on it, they would have been OK too.
Oh yeah, SUS is free, a piece of cake to install, and works great. It even locks down the server it runs on to resist attack. Anyone who runs more Windows machines than they can reach from their desk chair should be using it.
Gartner should stop with the "nyah nyah we said it was going to be a bad one... look how cool we are". Everyone else with a clue knew it was going to be a big problem too. They should instead point out ways for Windows shops to get out in front of the curve.
Counterexample: MacOS X
Normal users aren't admins, but can have sudo access. When some installation requires elevated privileges, the user is presented with a dialog box for typing their password. It's considerably more convenient than having to log in as root, but doesn't let malicious code run at an elevated privilege level without the user knowing it.
It doesn't matter if only a very small minority of gullible users get infected. In the scheme of things, it doesn't cost the worldwide community that much. The cost becomes significant however when a significant percentage of the population gets infected.
The problem with Microsoft is that it wants to remote control your box. It wants to know what you have installed and how you're using it. That's why Microsoft boxes are insecure, it's not because Microsoft isn't smart enough, it's because it's not in their interest to make your box too secure.
...of problems with libc versions?
Ah but the difference is diversity.
With Microsoft Windows you now get one family 2000-XP-2003 all which share the same security problems. So 94% of the compurters out there come with some really bad security settings and flaws. Some will patch, but by default most of those systems are insecure.
If you don't like it, what do you do? Windows from Dell is as insecure out of the box as Windows from Compaq or Gateway, no choice, you can't buy a "safe" windows machine out of the box.
On the other hand.......
Default security in the Linux world is determined by the distribution. So if a distrubtion defaults to having a firewall, no insane file assocaitions for email and web browsing, limited services running, automatic security updates and practically forcing the user create and run a non root account. Then that distrubition will be pretty much virus free.
What will happen is this
Distribution A will have 12% share and gets infected 2% of the time
Distibution B will have 14% share and get infected 2.5% of the time
Distribution C will have 8% share and get infected 18% of the time.
It won't take long for Distribution C to get a bad rep. Computer makers will no longer offer Distribution C, or will add "value" by fixing the defaults.
To believe that Linux boxen will be as virus riden as Windows, you would have to belive that everyone will use Linux someday and that people will choose and stick with an insecure distribtuion.
Unlike Windows or MacOS, if Linux ruled, there would be healthy compitition and consumers would have a choice of which OS they ran.
vi +
Dealing with burglars puts up the cost of Windows. I need to spend extra on secure frames, locks, sacrificial edgings, insurance policies ...
I know! I'll just stop using Windows, and brick up the holes! That'll make my life better won't it!
Am I the only one who's discovered that Automatic Updates are actually automatic?
No. You are one among many that apparently think Automtic Updates covers everything when it doesn't. The Automatic updates are not all-inclusive of the patches released to address vulnerability/security issues.
"Users didn't want to put up with logout as user, log in as administrator, install/config, log out as administrator, log in as user. For UNIX, that isn't necessary."
It's not necessary with Windows either. The "run as" command has no problems running installers or other graphical applications.
Heck, I've installed service packs fine using "run as".
Not to mention the fact that you can set Windows Installer to automatically request administrator privelages.
Why is this any different from Linux?
I don't know where to start discrediting your post.
The "running as root" argument is garbage. Any privilege escalation vulnerability in Linux history (or any other history, for that matter) is an existence proof.
The "without telling them" argument is garbage. The vast majority of viruses transmitted by e-mail are done so because the user did something dumb, not because of some long-fixed auto-execute vulnerability in a popular mail client. You wouldn't need root access to fall for something like that, by the way.
You think a major Linux worm would have a minimal effect? Do you have any idea how many critical systems run on Linux these days? Hit Windows, hit the desktops. Hit Linux, hit the servers. Put your sysadmin hat on and tell me which is worse.
Linux is not immune to security issues, and any claim that many eyes make for few bugs and thus OSS is fundamentally safer than Windows-based equivalents can be discredited with the slightest thought about reality rather than theory. Linux remains relatively safe because of the culture surrounding it, not because it's inherently flawless.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Hmm, sounds a lot like "Do not run unknown attachments from email". Doesn't work. Been telling users for years. Doesn't work.
When I was young and foolish, I bought MS Frontpage. I also have two computers running Windows XP (thinking of switching one to Mandrake, if I can manage it). Microsoft has refused to let me reinstall both Frontpage and their OS because they said I "reinstalled it too many times already."
I bought and paid for the crappy program, and now I can't even install it on my computer?
I'd like to see a few more lemon laws on softeware if they want to start treating IP as real property.
Heck, I'd like to see imported IP properly subject to tarrifs as well, thanks. I mean, if it is actually property and all...
You can't have it both ways.
___
It's the end of my comment as I know it and I feel fine.
100 attacks each hitting 1000 computers does as much damage as 10 attacks each hitting 10,000 computers. True, small isolated incidents regarding virus attacks are insignificant in the grand scheme of things, but its not like Microsoft can leave it alone.
For every kiddie script or virus variant out there, theres a hundred Joe Average users screaming at their computers. For every hundred screaming Joe Average users, theres 10 system admins having to go around and remove the virus, update their computers, and then give a lecture on how to prevent from something like this happening again (not that Joe Average will listen). For every 10 system admins running around needing to solve every virus problem, theres one programmer out there who has to come up with a program that bypasses the virus, seeks out the virus, and eliminates the virus. That and they have to figure out how it works, how it spreads, how can they get rid of it, if theres any clues as to who made it, etc.
So like you said, yeah in the scheme of things one or two attacks doesn't cost the worldwide community much. Except for the fact that one or two of these types of incidents seem to happen everyday. Now if you'll excuse me, I have to download anti-virus protection for my parent's computer, install it, update it, run it regularly, then debate on whether its worth paying $200 for an official CD-key, scream at the fact that the computer slows to a halt due to new anti-piracy software methods, call up the company and complain, and then come back to Slashdot to post a 'Askslashdot' topic regarding the sheer amount of frustration of dealing with anti-virus programs as the 'system admin' of my house.
SUS (Software Update Services, a LAN version of Microsoft's Windows Update site) has been out for, what, two years now? Any decent-sized network should consider it essential. I am running SUS on my LAN at work (about 50+ Windows 2000/XP workstations) and we haven't had any problems from these worms, simply because all my machines are patched within a day of the patches being released. Considering the patch for the Sasser worm has been out for over two weeks now, I think it should be considered dereliction of duty for Sysadmins to take so damn long installing the patches!!!!
Blame MS all you want, at the end of the day, if MS have released the patch and the sysadmins haven't installed it (for whatever reason), then its not MS's fault.
Still, I wouldn't mind breaking the fingers of the prick who wrote the worm in the first place.
If it is above port 1024...yes. You can start an Apache process and bind it to port 8080 without being root.
That's because it is unnecessary.
I don't know why this mistaken idea that "malicous code not running as root can't do any real damage" has gained acceptance, but please stop repeating it.