The Windows Security Nightmare
latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."
People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.
Wow...what a concept! I never would have thought of that.
You can get the same from MS, free.
Why would you put *any* unpatched box online, whatever the OS?
http://www.microsoft.com/security/protect/cd/order.asp
Ah yes, brought to you by the letter V, as in VMS. IIRC it was a few Digital VMS engineers that left and helped build many of the more functional components of WinNT. And apart from the ACL, I believe the registry (at least for Pathworks) was another Digital innovation...
Never forget there is very little you can credit Microsoft with...
was have them type 'shutdown -a' at the command prompt and the rebooting would have stopped. I have helped people remove this worm many times using Remote Assistance, over dialup without any issues. The firewall software is going to cause more problems in the long run as it will block some of their games, or even him remotely accessing the machines in emergencies.
This really isn't a great way to do it. How about: install Windows, turn on the Windows firewall, then install Ad-Aware, and keep patching regularly. I do this for lots of people and I never have a problem. The rich man's solution to this is to buy a router with a firewall; they really aren't that expensive, and they let you use more than one computer on the line. As for Mozilla/Firefox being less susceptible to malware etc. on a statistical basis, this is a no-brainer. People who would use an alternative browser also tend to be the type of people who patch their software.
...why stupid people shouldn't use computers.
Just because it's made by Microsoft, that doesn't mean an idiot should administer it. It certainly doesn't mean it's going to be secure and stable out of the box.
The huge divide between Unix/Linux and Windows is that Unix/Linux forces you to know what you're doing when you install something on your computer. Windows assumes the opposite.
However, if you do know what you're doing with Windows, problems of this nature are not really problematic. Fixing Windows without reinstalling is easy for competent administrators. Jeez, I can get around in Windows without a mouse and without explorer.exe.
Here's a hint guys: if something breaks on Windows -- don't install a program to fix your computer. It will break it further. Don't install registry cleaners -- they suck. Slick your system, ghost your system, take registry snapshots now and then. Don't install third party software on production machines without testing on crap boxes first. Do know your system in and out.
01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
I skimmed through the article, which didn't have many technical details. Here's what we do at work:
:-)
You can integrate the service pack into the setup (which will be especially useful when SP2 arrives) so that it's installed at the same time. This works with Windows 2000 and up.
You can then use Sysprep to automatically deploy the latest patches the first time the machine boots.
Here's a nice article on how to burn the result to a bootable CD.
It's a bit of work, and requires constant maintenance but it saves a lot of headaches in the long run.
An easier method, if you have a lot of machines with identical specs. Build a template machine with the OS installed, adding all the service packs, patches, etc. Use software like Ghost to make an image for deploying to multiple machines.
Who says the stuff you learn on an MCSE isn't useful?
Umm... as far as I know, the reason Microsoft took the course of action they had been taking up until SP2 is so that a lot of the older, poorly written software would work on XP. They have since changed their direction, and SP2 fixes a lot of serious issues as well as rendering some of the older crappy progs written for Windows inoperable.
First, I would say that I used to work at Microsoft Product Support Services as a temp, and I triaged XP calls among others (including IIS).
First, you have an incredible problem with overwritten patches -- something can easily happen which will overwrite a patched file with an unpatched one (I have seen this happen several times with production IIS servers, and in my experience this is the largest source of security compromises). Second, the firewall with Windows XP is not enabled by default for supportability reasons, and it is not really designed for small networks anyway (ICF is bypassed by ICS). The fact that Microsoft expects you to be online to get the updates is therefore a problem.
But finally, a point the article missed: Microsoft computers are designed to reduce usability technical support calls, NOT technical support calls regarding misbehavior. Therefore, things like Client for Microsoft Networks (SMB, DCOM, etc.) are enabled on network interfaces by default. Sure, GNOME uses CORBA, and many Linux distros used to make this mistake (CORBA listening on network interfaces by default), but we at least now only let it listen on loopback by default!
In short, I have absolutely NO confidence in Microsoft's ability to secure Windows. It could be done, but why? Especially if there is Linux?
LedgerSMB: Open source Accounting/ERP
I know because there is nothing abnormal happening on the box, there are no abnormal processes in the process list, and my OpenBSD router/firewall isn't picking up any abnormal traffic.
Also keep in mind that the article's author used a dial-up connection. Conventional hardware firewalls deal with ethernet...
The free version of QNX comes with no inbound services enabled. Most of the standard UNIX-type services are available, but they're not installed by default. It's a pure client. In fact, it's very close to what the iOpener ran. Both dial-up and LAN connections are supported.
Mozilla 1.1 runs, but without Flash. There's a word processor, ABIword. The whole GNU toolchain is available. Unfortunately, OpenOffice hasn't been ported.
It's refreshing to run a system without all the Microsoft crap, or the Linux emulations of it.
A troll is a post carefully crafted to attract predictable responses and/or flames. The moderator probably read the post, saw the poster was "andy666" and thought some guy was trolling. It was a mistake.
After looking at andy666's posting history, the moderator should have known that andy666 really is a French grandmother named Andrea Tilley, who apparently has a grandchild old enough to post the parent article, and isn't happy that her grandchild considers her technically inadequate for this job. Wow - French and thin-skinned; but I repeat myself.
It's SlashDot - what do you expect?
Turambar
------------------------------
Common sense is not so common.
--Voltaire
I can attest to this. Recently, a technician from my new ISP came to install ADSL on my machine, and when I returned home I discovered that the connection fell every one or two minutes, max download speed of 1Kb/sec and that the PC was not working to full speed as usual. (I blamed the ADSL drivers for this, but later discovered that it was the Sasser worm)
I did not want to reinstall everything, so I went for an alternate solution:
System Restore to the previous day.
It worked wonders! PC back to full speed, installed the ADSL drivers, net to full speed and finally succeeded in updating AVG virus definitions. I've had no problems since.
> instead of immediately following network device startup is sloppy and wrong.
That is still wrong.
You enable the firewall, set a default deny all rule, enable the interfaces, and start loading your rules.
You can't load them beforehand if they depend on characteristics of the interface (address etc.), but that means you will still have to be extremely careful about the order in which you load them.
A safe way of accomplishing this is to insert the deny-all rule as the first rule your firewall will hit, and only remove it once everything has been set up properly.
Leaving a window between bringing up your interfaces and having a working firewall always brings the risk of compromise, and it just takes a slightly determined hacker/worm/virus/whatever to get through.
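The ordering the comment above insists on, written out for a Linux host. This is an added example, not code from the original post: it assumes iptables and iproute2, and eth0, 192.0.2.10 and port 22 are placeholders. The policies go to DROP and the chains are flushed before the link comes up, and the address-dependent rules are loaded last. IPT and IPCMD name the tools; the script only prints the commands unless APPLY=1 is set, so you can inspect the sequence before letting it touch a real box.

```shell
#!/bin/sh
# Added example, not from the original post: bring an interface up only after the
# packet filter already defaults to DROP, so nothing is accepted in the window
# between link-up and rules-loaded.
# Assumptions: Linux with iptables and iproute2; eth0, 192.0.2.10 and port 22 are
# placeholders. IPT and IPCMD name the tools and may be set to "echo iptables" /
# "echo ip" for a dry run (the default unless APPLY=1 is set).

bring_up_filtered() {
    iface="$1"        # interface to bring up, e.g. eth0
    mgmt_src="$2"     # host or CIDR allowed to open SSH, e.g. 192.0.2.10
    ssh_port="${3:-22}"
    ipt="${IPT:-iptables}"   # left unquoted below so "echo iptables" word-splits
    ip="${IPCMD:-ip}"

    # 1. Default deny on every chain, then flush. A flushed chain falls back to
    #    its policy, so the box is closed before it can see a single packet.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP
    $ipt -F
    $ipt -X

    # 2. Only now is it safe to bring the link up.
    $ip link set "$iface" up

    # 3. Address- and interface-dependent rules are loaded last, behind the deny.
    $ipt -A INPUT  -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT  -i "$iface" -p tcp -s "$mgmt_src" --dport "$ssh_port" \
         -m conntrack --ctstate NEW -j ACCEPT
    # everything else is logged (rate-limited) and then falls to the DROP policy
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
}

# dry_run_filtered ARGS...: the same sequence, printed instead of executed
dry_run_filtered() {
    ( IPT="echo iptables"; IPCMD="echo ip"; bring_up_filtered "$@" )
}

if [ "${APPLY:-0}" = 1 ]; then
    bring_up_filtered eth0 192.0.2.10 22
else
    dry_run_filtered eth0 192.0.2.10 22
fi
```

The point of the dry run is that you can read the printed list top to bottom and confirm that "ip link set eth0 up" appears only after the three policy lines and the flush, never before them.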
Come on.. homeboy needs a firewall BAD!
A simple Linksys NAT box would do the trick. Network administration 101: know what ports you have open, what protocols they run and what their vulnerabilities are. This goes for any operating system.
If your system gets a worm via a port you didn't know it had open then you should consider it a valuable lesson.
Well, while I agree with most of the points made, there are simple steps to prevent worms.
At my parents' home, there is a Linux box doing NAT, so the Windows boxes on the local network are protected from any worms. They end up having enough time to download all the necessary patches from Windows Update.
Recently, I reinstalled my Windows XP. But before reformatting, the first thing I did was to burn a firewall like ZoneAlarm. I then installed my box without being connected to the internet, and proceeded to install the firewall. Only then did I download the patches.
Otherwise, it would be just a plain nightmare.
AutoPatcherXP is an excellent collection of patches and updates that I've included on CD (along with some other tools) for our user's home computers. It contains about 300Megs of updates/patches/apps and is relatively up to date with all of the critical patches. :(
After running AutoPatcher, only a few critical updates are needed off of windowsupdate's site. Unfortunately, MS04-011 is one of the critical patches NOT included with AutoPatcher.
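Two things in this thread come down to the same check: knowing that what ends up on the patch CD is what was downloaded, and (from the former PSS temp's comment further up) noticing when a patched file on a deployed machine has quietly been replaced by an unpatched one. A hash manifest covers both. What follows is an added example, not part of any post here and not AutoPatcher's code: it assumes GNU coreutils, and the kit layout and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original posts: a SHA-256 manifest for an offline
# patch kit. Build it where the patches were downloaded, burn kit plus manifest
# to the CD, verify on the target before installing, and re-run the check on a
# deployed system to catch a patched file that has been replaced.
# Assumes GNU coreutils (sha256sum, find, sort, sed). Kit contents are made up.

MANIFEST_NAME="SHA256SUMS"

# make_manifest DIR: hash every regular file under DIR except the manifest
# itself, with paths relative to DIR so the kit can be copied anywhere.
# (File names containing newlines are not handled.)
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f ! -name "$MANIFEST_NAME" | sed 's|^\./||' | sort \
        | while IFS= read -r f; do sha256sum "$f"; done ) > "$dir/$MANIFEST_NAME"
}

# verify_manifest DIR: 0 only if every listed file is present with its recorded
# hash AND nothing unlisted has appeared. Missing or altered files fail via
# sha256sum -c; extras fail via the listed/on-disk comparison.
verify_manifest() {
    dir="$1"
    [ -f "$dir/$MANIFEST_NAME" ] || { echo "no $MANIFEST_NAME in $dir" >&2; return 2; }
    ( cd "$dir" && sha256sum -c --quiet --strict "$MANIFEST_NAME" ) || return 1
    listed=$(sed 's/^[0-9a-f]*  //' "$dir/$MANIFEST_NAME" | sort)
    ondisk=$( cd "$dir" && find . -type f ! -name "$MANIFEST_NAME" | sed 's|^\./||' | sort )
    [ "$listed" = "$ondisk" ] || { echo "unlisted files present in $dir" >&2; return 1; }
}

# demo_kit: builds a constructed kit in a temp dir, writes its manifest, prints the path
demo_kit() {
    kit=$(mktemp -d)
    mkdir -p "$kit/hotfixes" "$kit/tools"
    printf 'placeholder hotfix payload\n'     > "$kit/hotfixes/patch-a.exe"
    printf 'placeholder firewall installer\n' > "$kit/tools/firewall-setup.exe"
    printf 'install the firewall first, then the hotfixes, then go online\n' > "$kit/README.txt"
    make_manifest "$kit"
    printf '%s\n' "$kit"
}

kit=$(demo_kit)
if verify_manifest "$kit"; then echo "kit verified: $kit"; fi
rm -rf "$kit"
```

Keep the manifest somewhere other than the kit when you use it as a tamper check on a deployed machine; on the CD itself it only protects against a bad burn or a bad copy, not against someone who can rewrite the medium.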
Wait a minute. I got it. You could play with your magic nose goblins.
It did say "$50.000" -- that's European for "$50,000". And that is enough of a prod, and about a pittance for Microsoft. Well worth it, if it works, and only about 10-15 business class tix wasted if it doesn't.
if you insist on using Windows, get used to learning to live with malware. Sooner or later it will get installed on your system. The only secure Windows system is one without network access in any way, shape, or form.
I downloaded the XP SP1a on a Linux box after reformatting my machines and then reinstalled them without net access and applied the CDR the Linux box burned. I also had antivirus tools, software firewalls, etc to install.
Malware can be installed by visiting the wrong web page; try spelling microsoft.com wrong sometime and see what the bogus site does to your system. If you think only ActiveX does this, what about XPI in Mozilla? Malware is written in both ActiveX and XPI bundles now.
Make a wrong turn on the information highway and get owned.
My Linux box is fine, except that it suffers from RPM and PKG hell. Which is about as bad as DLL hell, I guess?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Okay, let's get one thing straight. The only reason Windows is so easily attackable (and why Mac OS X and Linux are not) is that Windows ships with 10 million services running and listening on well-known ports. It's not the registry (although that contributes to instability over time), it's not Windows Update (although that could be much better designed - resumability, and fewer reboots!). The reason Windows is so vulnerable is it has far too many open avenues of attack.
Try to hack a default OS X install, or many default Linux installs - sorry, *no* ports are open by default, so what can you attack? At best you might be able to DDOS the box, or some upstream piece of network equipment, but you can't crash or hack the box itself.
On my OS X box all I have open is SSH and everything else configured to only listen to localhost. If you manage to crack that, I have a lot more to worry about.
I don't know what kind of crack I was on, but I suspect it was decaf.
Well, Ghost is a bit more advanced than DD. It copies the filesystem structures and the files exactly (as far as [the NTFS/FAT32 equivalent of] inode numbers and such), but it doesn't bother copying the unallocated space, and it compresses the image on the fly.
Though if you want to do that with dd, you could:

    dd if=/dev/zero of=/path/to/partition/zero.dat bs=1048576 count=freespace-in-MB
    rm /path/to/partition/zero.dat

which will zero all of the free space in the partition, then pipe the actual dd of the partition through bzip2 or gzip.
Then you have all of the Ghost enterprise features like being able to multicast a Ghost image, netboot to autoghost, push images (remotely trigger a reboot and image download), deploy individual applications (like Windows installer automated deployments, except that it works), etc... which I'm sure you can do with free software anyway, but it's nice to have the convenient package.
Every cloud has a silver lining (except for the mushroom shaped ones, which have a lining of Iridium & Strontium 90)
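The zero-then-dd approach from the comment above, as an added example (not the commenter's code) wrapped so the result can be checked: free space is zeroed through a throwaway file, the device is streamed through gzip while a hash of the raw bytes is taken in the same pass, and the image is later verified against that hash. Device and mountpoint names are placeholders; the demo at the bottom images a constructed 2 MiB file standing in for a partition. GNU coreutils and gzip are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: the "zero the free space, then dd
# through gzip" trick, plus a hash so the image can be verified afterwards.
# Assumes GNU coreutils and gzip. Device and mountpoint names are placeholders;
# the demo at the bottom images a constructed 2 MiB file instead of a partition.

# zero_free_space MOUNTPOINT [MiB]: write zeros into a file on the filesystem
# until it is full (dd's ENOSPC error is expected) or for MiB blocks when a count
# is given, then sync and remove it. The freed blocks now hold zeros and
# compress to almost nothing.
zero_free_space() {
    mnt="$1"
    count_arg=""
    [ -n "${2:-}" ] && count_arg="count=$2"
    dd if=/dev/zero of="$mnt/zero.dat" bs=1048576 $count_arg 2>/dev/null || true
    sync
    rm -f "$mnt/zero.dat"
}

# image_partition DEVICE OUT.gz: one pass over the device; tee feeds a FIFO so
# sha256sum hashes exactly the bytes gzip compressed. Hash lands in OUT.gz.sha256.
image_partition() {
    dev="$1"; out="$2"
    fifo="$out.fifo"
    rm -f "$fifo"; mkfifo "$fifo"
    sha256sum < "$fifo" | cut -d' ' -f1 > "$out.sha256" &
    dd if="$dev" bs=1048576 2>/dev/null | tee "$fifo" | gzip -c > "$out"
    wait
    rm -f "$fifo"
}

# verify_image OUT.gz: 0 if the decompressed stream hashes to the recorded value
verify_image() {
    out="$1"
    want=$(cat "$out.sha256")
    got=$(gzip -dc "$out" 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# demo_image: constructed "partition" of 1 MiB random data (used blocks) followed
# by 1 MiB of zeros (zeroed free space); images it and prints the image path.
demo_image() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/part.img" bs=1048576 count=1 2>/dev/null
    dd if=/dev/zero of="$work/part.img" bs=1048576 count=1 seek=1 2>/dev/null
    image_partition "$work/part.img" "$work/part.img.gz"
    printf '%s\n' "$work/part.img.gz"
}

img=$(demo_image)
if verify_image "$img"; then
    echo "image ok: $(wc -c < "${img%.gz}") raw bytes -> $(wc -c < "$img") compressed"
fi
rm -rf "$(dirname "$img")"
```

Run zero_free_space on the mounted filesystem, unmount it, then image the block device; the demo skips the first step because it works on a plain file. The sidecar hash is what makes the image worth keeping: a truncated or bit-flipped archive will still gunzip partway, and without the hash you would only find out when the restored box misbehaves.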
I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.
The following URL describes how to do it: http://support.microsoft.com/default.aspx?scid=kb;en-us;323166
Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the windows update catalog and download to disk all current patches for a particular OS automatically.
When I found that I was very pleased.
I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.
True but then you do:
Actually I tend to do:
Of course there are better ways of handling this in Unix world, things like ole good 'tar' or 'dump' come to mind.
As for the other stuff, sure its nice but it costs pretty penny and you need to upgrade the crap all the time, not to mention the always popular proprietary software trap. A bootable business-card Linux (like Linux-BBC for example) and some custom scripts are all you need to achieve most of these tasks and you get to retain full control of the entire process.
I've been doing the same for my family members, but with an extra touch. Same type of software (plus the latest stinger) but create an autorun menu driven cd. Something like AMenu for CDs works just fine for me. Or you can search google for some nice cd autorun apps.
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
FTC warranty info
From that page, scroll down some:
Implied Warranties
Implied warranties are created by state law, and all states have them. Almost every purchase you make is covered by an implied warranty.
The most common type of implied warranty--a "warranty of merchantability," means that the seller promises that the product will do what it is supposed to do. For example, a car will run and a toaster will toast.
Another type of implied warranty is the "warranty of fitness for a particular purpose." This applies when you buy a product on the seller's advice that it is suitable for a particular use. For example, a person who suggests that you buy a certain sleeping bag for zero-degree weather warrants that the sleeping bag will be suitable for zero degrees.
If your purchase does not come with a written warranty, it is still covered by implied warranties unless the product is marked "as is," or the seller otherwise indicates in writing that no warranty is given. Several states, including Kansas, Maine, Maryland,
Massachusetts, Mississippi, Vermont, West Virginia, and the District of Columbia, do not permit "as is" sales.
If problems arise that are not covered by the written warranty, you should investigate the protection given by your implied warranty.
Implied warranty coverage can last as long as four years, although the length of the coverage varies from state to state. A lawyer or a state consumer protection office can provide more information about implied warranty coverage in your state.
---this is why they don't "sell" you software, they "license" it, and in the fine print it is most prominent that it has no fitness for purpose, or merchantability, etc.
That's the part that is a scam, IMO; it's legalistic legislated snake-oil fraud, and needs to change. It's like GM offering cars "for license" instead of "for sale", and because they got 100 yards mileage on them driving them on and off transporters before they get to the dealers, saying they are "used" and "licensing" them to you for big money "as is". That would be stupid and a scam, and it's the same with software that they "license" but everyone on the planet can see they "sell".
And if you are saying "too bad, that's the contract they click agree on", then I agree; that's why I think it should be outlawed. The law NEEDS to be changed, maybe from a serious major class action suit, because it's a freaking sale, and it needs at a minimum implied warranties like every other product out there. I'm just the kinda guy gonna call a spade a spade: that software is sold. There's free software, then there's for-sale software; everyone knows the difference. They can legal mush-mouth it all they want to, it's still sold; that's how most people treat it and think of it, so it needs a warranty, for merchantability and fitness of purpose and so on.
I've become so fed up with the traditional "windows rot" that I decided that only my own, full-disk-image savepoints will do.
These days hard-disks are cheap. Set up a Linux server with partimage and a large disk, boot the windows workstations with SystemRescueCD, and make your "savepoints" at those times you install drivers, etc. Make sure you partition the disk into "system" and "user data". Partimage works great even on NTFS if you're careful to defrag first.
Any decent systems administrator approaches Windows security in this way: firewall FIRST, then download patches, then download and update AV software.
Most american ISPs (dial-up and broadband) now turn on the XP firewall when you install their custom dialer/spyware/etc. installs, which is a good thing. Having SP2 preinstalled will be better.
not. First off, Windows 2000 is not designed for home users; that's why Windows XP was released. Windows 2000 is for business users, who have an administrator that handles updates/fixes etc. for them.

Now if you are the administrator, the first thing you do when you are installing Windows 2000 is to take out the network cable so that the install isn't interrupted at all. Then quickly install a firewall after the installation of Windows 2000 is completed. Even ZoneAlarm would work out, and it would be installed quickly and quietly. Its standard settings pretty much protect you from anything. Now even before that, you should untick Client for Windows Networks and File and Printer Sharing for Microsoft Networks on your dial-up connection before you connect, and those vulnerable ports that the worms have been using would have been closed then, giving you the necessary time to get the ZoneAlarm firewall. Then you can take your time getting Service Pack 4 without being affected by any worm.

Having a firewall is a must on any computer connected to the internet. That is why Microsoft is enabling it by default in Service Pack 2 for Windows XP.

Now as for Windows XP users, all they gotta do is make sure the network cable is not plugged in when installing Windows during a clean install, and enable the firewall on the network connection right before you plug it back in. Then you can download all the updates you need, no matter how long it takes you. The standard settings of the firewall in Windows XP are just fine when enabled. And after installing all the needed updates, you can then install another software firewall if you want and disable Windows XP's firewall then. But my main point is: don't be on the internet without a firewall on.

Windows 2000/XP/2003 do have another firewall built in as well, though. Go here if you want to read up on it. It's quite useful, as it allows you to block only certain ports if you only need certain ones blocked instead of all of them.
My Gawd WTF...