Slashdot Mirror


The Windows Security Nightmare

latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

19 of 969 comments

  1. Use the Firewall by Anonymous Coward · · Score: 4, Informative

    People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

    1. Re:Use the Firewall by Setti · · Score: 3, Informative

      Too bad people don't know how to unplug the ethernet until the firewall is up :P

      Considering it's all a hassle... Isn't SP2 supposed to resolve the issue with the Firewall loading last?

    2. Re:Use the Firewall by liquidsin · · Score: 4, Informative

      Third sentence of the article: "This was the case with a family member's computer running Windows XP Home." Further down, he also talks about putting XP SP 1a on the disc.

      --
      do not read this line twice.
    3. Re:Use the Firewall by pyros · · Score: 4, Informative
      Unlike in the Unix world, where you solve all these problems by simply not running as root. You might not be running as root, but how are all those various programs listening on ports below 1024 running, enk?*

      Usually the process is launched by init as root, the port is bound, and then the process forks, calling setuid and setgid to lose root privileges. It's also not unheard of to chroot the fork too. So you're left with a program running in a sandbox without root privileges, bound to a privileged port.

      * - bold added to separate GP quote from parent quote, not for emphasis on any particular content in the quote.

  2. You Mean digital? by Mordaximus · · Score: 4, Informative
    > the Microsoft employees behind the design of Windows Registry

    Ah yes, brought to you by the letter V, as in VMS. IIRC it was a few Digital VMS engineers that left and helped build many of the more functional components of WinNT. And apart from the ACL, I believe the registry (at least for Pathworks) was another Digital innovation...

    Never forget there is very little you can credit Microsoft with...

  3. all he had to do by xplosiv · · Score: 4, Informative

    was have them type 'shutdown -a' at the command prompt and the rebooting would have stopped. I have helped people remove this worm many times using Remote Assistance, over dialup without any issues. The firewall software is going to cause more problems in the long run as it will block some of their games, or even him remotely accessing the machines in emergencies.

  4. this is just a good example of... by mgoodman · · Score: 4, Informative

    ...why stupid people shouldn't use computers.

    Just because it's made by Microsoft, that doesn't mean an idiot should administer it. It certainly doesn't mean it's going to be secure and stable out of the box.

    The huge divide between Unix/Linux and Windows is that Unix/Linux forces you to know what you're doing when you install something on your computer. Windows assumes the opposite.

    However, if you do know what you're doing with Windows, problems of this nature are not really problematic. Fixing Windows without reinstalling is easy for competent administrators. Jeez, I can get around in Windows without a mouse and without explorer.exe.

    Here's a hint guys: if something breaks on Windows -- don't install a program to fix your computer. It will break it further. Don't install registry cleaners -- they suck. Slick your system, ghost your system, take registry snapshots now and then. Don't install third party software on production machines without testing on crap boxes first. Do know your system in and out.

    --
    01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
  5. Custom CD: "Sysprep", Slipstreamed service packs by Zerbey · · Score: 3, Informative

    I skimmed through the article, which didn't have many technical details. Here's what we do at work:

    You can integrate the service pack into the setup (which will be especially useful when SP2 arrives) so that it's installed at the same time. This works with Windows 2000 and up.

    You can then use Sysprep (brief introduction) to automatically deploy the latest patches the first time the machine boots.

    Here's a nice article on how to burn the result to a bootable CD.

    It's a bit of work, and requires constant maintenance but it saves a lot of headaches in the long run.

    An easier method, if you have a lot of machines with identical specs: build a template machine with the OS installed, adding all the service packs, patches, etc. Use software like Ghost to make an image for deploying to multiple machines.

    Who says the stuff you learn on an MCSE isn't useful? :-)

  6. RTFA by interiot · · Score: 5, Informative
    RTFA, please.
    • Actually, Microsoft does offer a security update CD, and is willing to ship it to customers free of charge. But, as always, Microsoft has made a mockery of a decent idea. First of all, 2-4 weeks are needed to deliver the CD. Then there is the problem of availability; the CD is not available everywhere (I live in Pakistan, and the CD is not available for Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is no fix for this last problem: if Microsoft starts updating the CD every other week, then people will start asking for a new CD every other week. Obviously, shipping a CD to every customer every few weeks is quite an expense, and Microsoft doesn't want that. So, the Microsoft Update CD is there just for moral support.
  7. Re:Not so fast, sir by DMiles · · Score: 3, Informative

    Also keep in mind that the article's author used a dial-up connection. Conventional hardware firewalls deal with ethernet...

  8. Run QNX on the desktop by Animats · · Score: 4, Informative
    One safe option is to run the free version of QNX on the desktop.

    The free version of QNX comes with no inbound services enabled. Most of the standard UNIX-type services are available, but they're not installed by default. It's a pure client. In fact, it's very close to what the iOpener ran. Both dial-up and LAN connections are supported.

    Mozilla 1.1 runs, but without Flash. There's a word processor, ABIword. The whole GNU toolchain is available. Unfortunately, OpenOffice hasn't been ported.

    It's refreshing to run a system without all the Microsoft crap, or the Linux emulations of it.

  9. Re:offended by Turambar · · Score: 5, Informative

    A troll is a post carefully crafted to attract predictable responses and/or flames. The moderator probably read the post, saw the poster was "andy666" and thought some guy was trolling. It was a mistake.

    After looking at andy666's posting history, the moderator should have known that andy666 really is a French grandmother named Andrea Tilley, who apparently has a grandchild old enough to post the parent article, and isn't happy that her grandchild considers her technically inadequate for this job. Wow - French and thin-skinned; but I repeat myself.

    It's SlashDot - what do you expect?

    --

    Turambar
    ------------------------------
    Common sense is not so common.
    --Voltaire
  10. Re:Big problem by SillyNickName4me · · Score: 3, Informative

    > instead of immediately following network device startup is sloppy and wrong.

    That is still wrong.

    You enable the firewall, set a default deny all rule, enable the interfaces, and start loading your rules.

    You can't load them beforehand if they depend on characteristics of the interface (address etc.), but that means you will still have to be extremely careful in which order you load them.

    A safe way of accomplishing this is to insert the deny-all rule as the first rule that your firewall will apply and only remove it once all has been set up properly.

    Leaving a window between bringing up your interfaces and having a working firewall always brings the risk of compromise, and it just takes a slightly determined hacker/worm/virus/whatever to get through.

  11. Firewall by Pelops · · Score: 3, Informative

    Well, while I agree with most of the points made, there are simple steps to prevent worms.
    At my parents' home, there is a Linux box doing NAT, so the Windows boxes on the local network are protected from any worms. They end up having enough time to download all the necessary patches from Windows Update.
    Recently, I reinstalled my Windows XP. But before reformatting, the first thing I did was to burn a firewall like ZoneAlarm. I then installed my box without being connected to the internet, and proceeded to install the firewall. It is only then that I downloaded the patches.
    Otherwise, it would be just a plain nightmare.

  12. AutoPatcherXP by Angry_Admin · · Score: 3, Informative

    AutoPatcherXP is an excellent collection of patches and updates that I've included on CD (along with some other tools) for our users' home computers. It contains about 300 Megs of updates/patches/apps and is relatively up to date with all of the critical patches.
    After running AutoPatcher, only a few critical updates are needed off of windowsupdate's site. Unfortunately, MS04-011 is one of the critical patches NOT included with AutoPatcher. :(

    --
    Wait a minute. I got it. You could play with your magic nose goblins.
  13. Firewalls!! by diamondsw · · Score: 3, Informative

    Okay, let's get one thing straight. The only reason Windows is so easily attackable (and why Mac OS X and Linux are not) is that Windows ships with 10 million services running and listening on well-known ports. It's not the registry (although that contributes to instability over time), it's not Windows Update (although that could be much better designed - resumability, and fewer reboots!). The reason Windows is so vulnerable is it has far too many open avenues of attack.

    Try to hack a default OS X install, or many default Linux installs - sorry, *no* ports are open by default, so what can you attack? At best you might be able to DDOS the box, or some upstream piece of network equipment, but you can't crash or hack the box itself.

    On my OS X box all I have open is SSH and everything else configured to only listen to localhost. If you manage to crack that, I have a lot more to worry about.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  14. Downloading all "Windows Updates" is possible by comcn · · Score: 5, Informative

    I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.

    The following URL describes how to do it: http://support.microsoft.com/default.aspx?scid=kb;en-us;323166

    Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the windows update catalog and download to disk all current patches for a particular OS automatically.

    When I found that I was very pleased.

    I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.

  15. Re:oki, here is a nice solution or two : by IgnoramusMaximus · · Score: 3, Informative
    > but it doesn't bother copying the unallocated space, and it compresses the image on the fly.

    True but then you do:

    dd if=/dev/my_funky_partition | gzip > image.gz

    Actually I tend to do:

    dd if=/dev/my_important_stuff | gzip | cdrecord -

    Of course there are better ways of handling this in the Unix world; things like good ole 'tar' or 'dump' come to mind.

    As for the other stuff, sure it's nice, but it costs a pretty penny and you need to upgrade the crap all the time, not to mention the always popular proprietary software trap. A bootable business-card Linux (like Linux-BBC for example) and some custom scripts are all you need to achieve most of these tasks, and you get to retain full control of the entire process.

  16. sorry, no by zogger · · Score: 3, Informative
    Government does require warranties on meatspace products. They don't require differing written warranties, but they DO require implied warranties. I posted a link to it just last week in another thread. Here, I'll do it again, this time to just a general overview and not the actual laws:

    FTC warranty info

    From that page, scroll down some:

    Implied Warranties
    Implied warranties are created by state law, and all states have them. Almost every purchase you make is covered by an implied warranty.

    The most common type of implied warranty--a "warranty of merchantability," means that the seller promises that the product will do what it is supposed to do. For example, a car will run and a toaster will toast.

    Another type of implied warranty is the "warranty of fitness for a particular purpose." This applies when you buy a product on the seller's advice that it is suitable for a particular use. For example, a person who suggests that you buy a certain sleeping bag for zero-degree weather warrants that the sleeping bag will be suitable for zero degrees.

    If your purchase does not come with a written warranty, it is still covered by implied warranties unless the product is marked "as is," or the seller otherwise indicates in writing that no warranty is given. Several states, including Kansas, Maine, Maryland, Massachusetts, Mississippi, Vermont, West Virginia, and the District of Columbia, do not permit "as is" sales.

    If problems arise that are not covered by the written warranty, you should investigate the protection given by your implied warranty.

    Implied warranty coverage can last as long as four years, although the length of the coverage varies from state to state. A lawyer or a state consumer protection office can provide more information about implied warranty coverage in your state.

    ---this is why they don't "sell" you software, they "license" it, and in the fine print it is most prominent that it has no fitness for purpose, or merchantability, etc.

    That's the part that is a scam, IMO; it's legalistic legislated snake-oil fraud, and needs to change. It's like GM offering cars "for license" instead of "for sale", and because they got 100 yards mileage on them driving them on and off transporters before they get to the dealers, saying they are "used" and "licensing" them to you for big money "as is". That would be stupid and a scam, and it's the same with software that they "license" but everyone on the planet can see they "sell".

    And if you are saying "too bad, that's the contract they click agree on", then I agree; that's why I think it should be outlawed. The law NEEDS to be changed, maybe from a serious major class action suit, because it's a freaking sale, and it needs at a minimum implied warranties like every other product out there. I'm just the kinda guy gonna call a spade a spade: that software is sold. There's free software, then there's for-sale software; everyone knows the difference. They can legal mush-mouth it all they want to, it's still sold, that's how most people treat it and think of it, so it needs a warranty, for merchantability and fitness of purpose and so on.