Slashdot Mirror


The Windows Security Nightmare

latif writes "Microsoft has set aside a $5 million fund for paying off informants on malware authors. In my opinion a good chunk of this money deserves to be paid to individuals who help catch the Microsoft employees behind the design of Windows Registry and Windows Update. As I found out, the two mis-features work together to deprive Windows users of all protection from malware. The details of my experience are in the article Why Windows is a Security Nightmare." In a related story, Anonymous Wussie writes "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD. This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

196 of 969 comments

  1. Uh huh! by imidazole2 · · Score: 5, Funny

    A typical Windows system follows a simple lifecycle: it starts out with a clean Windows installation, which gradually deteriorates as programs are installed, and uninstalled. Eventually, the Windows registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install that user's system loses all the previously applied security updates, and becomes a sitting duck for worms and other malware.

    That's why I'm such a FreeBSD/Mac advocate.

    --

    -Imidazole2
    1. Re:Uh huh! by VAXGeek · · Score: 2, Insightful

      I like Macs as much as the next guy (probably more), but a function of popularity would be that there are a LOT of them. Walk into 100 random households in the United States, 60 Windows machines, 3 or 4 Macs would probably be a pretty good spread. MacOS may be pretty good, but it's definitely not widespread.

      --
      this sig limit is too small to put anything good h
    2. Re:Uh huh! by zoloto · · Score: 4, Interesting

      "Microsoft has set aside a $5 million fund for paying off informants on malware authors"


      Maybe Microsoft should pay the money to themselves and redesign their software


      You know, if the next version of Windows(TM) pulls what Apple did with their OS X, built a bsd underbelly to it and didn't allow backwards compatibility outside of a sandbox of sorts I wouldn't cry. Then it would be possible to secure the system and hopefully they'd get rid of their god forsaken registry / file and drive permissions / insecure nature for the most part.

      It won't be infallible, but simply less insecure for the current vulns out there.

      Then again, MSFT might implement this shiz so badly and incorrectly that we'd be stuck with a bunch of new problems of which we haven't a clue to fix.

      just my 2cents

    3. Re:Uh huh! by smittyoneeach · · Score: 3, Funny

      Yeah, but can you hear the distant howls of derisive laughter echoing back through time from the alternate future where they actually did that?
      Admittedly, I can't either, but it sounded kinda cool, so I wrote it.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    4. Re:Uh huh! by Wolfrider · · Score: 2, Interesting

      --Here you go:

      Kernel Traffic

      Linux Weekly News

      Linux Kernel Mailing List Digest (from google, not tested by me)

      --Try and find a site that details the inner workings of the NT kernel, on a weekly or any regular basis -- really -- I dare ya. If you can *find* the date on the NT kernel file, compare it with the downloadable kernels that you can find here:

      Kernel.Org

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  2. offended by andy666 · · Score: 5, Troll

    From article:

    "so simple, even my grandmother could implement it."

    As a 48 yo grandmother, I am offended that technical incompetence is equated with being a grandparent. I don't think anyone would have said "so simple even my grandfather could implement."

    I am, incidentally, a C programmer of 20+ years.

    1. Re:offended by JustKidding · · Score: 2, Insightful
      As a 48 yo grandmother, I am offended that technical incompetence is equated with being a grandparent.

      He didn't actually say grandparents are incompetent, he just said grandmother is.
      It's easy to be offended if you want to be.

    2. Re:offended by ggvaidya · · Score: 2, Funny

      She's a C programmer. 'nuff said :).

    3. Re:offended by Anonymous Coward · · Score: 2, Funny

      Uh-huh, right, that's her real name.

      "Simcop2387 get off your computer and get down here for dinner!" something you hear often?

    4. Re:offended by Turambar · · Score: 5, Informative

      A troll is a post carefully crafted to attract predictable responses and/or flames. The moderator probably read the post, saw the poster was "andy666" and thought some guy was trolling. It was a mistake.

      After looking at andy666's posting history, the moderator should have known that andy666 really is a French grandmother named Andrea Tilley, who apparently has a grandchild old enough to post the parent article, and isn't happy that her grandchild considers her technically inadequate for this job. Wow - French and thin-skinned; but I repeat myself.

      It's SlashDot - what do you expect?

      --

      Turambar
      ------------------------------
      Common sense is not so common.
      --Voltaire
    5. Re:offended by Dr.+Smeegee · · Score: 2, Funny

      It's always wise to avoid Brad's Pitts.

  3. Use the Firewall by Anonymous Coward · · Score: 4, Informative

    People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

    1. Re:Use the Firewall by jdreed1024 · · Score: 5, Interesting
      People always complain about their computers getting infected before they are able to download the patches - but this is easy to prevent if you just switch on the included firewall software.

      Too bad the firewall software loads *last* in the startup sequence, leaving a gaping hole of anywhere from 20 seconds to two minutes (on a slow machine) when your machine is on the net and unprotected. And during the height of worm activity, that's *more than enough* time to get infected.

      --
      There is no sig, there is only Zuul.
    2. Re:Use the Firewall by Neil+Blender · · Score: 2, Interesting

      My wife has a laptop that she hardly ever uses. 90% of it is used for Quicken. Once in a while, she will buy a cd or book online. She does not receive email in any form on this computer and never has. Our home network is behind a netscreen 5 with everything blocked. There are no other windows machines in our house. A few weeks back, I went to use her laptop and the thing was absolutely infested with spyware. So, here is an example of being behind a firewall, hardly ever using the computer and spybot is telling me there are something like 50 different spyware apps on it.

    3. Re:Use the Firewall by radish · · Score: 3, Insightful

      How about you wait until the firewall is loaded before plugging in the network cable?

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    4. Re:Use the Firewall by Sean80 · · Score: 5, Interesting
      I still don't get it sometimes when people say this. I would only feel comfortable making this sort of statement based on some evidence. Not a troll or anything, but has anybody ever seen any evidence which indicates what majority of the PC-using community understand what a "firewall" means, and, if they do, how to turn it on when they receive their brand-spanking new PC from Dell?

      If that number turned out to be unusually low, perhaps the key is to really shove this sort of education down people's throats. How? I don't know. A series of ads on TV? Not likely. Get it into the headlines? Not likely. So I'm just not sure how this could be done.

      One thing's for sure, my mom wouldn't know what a firewall is, nor how to turn it on, and I shudder at the thought of trying to explain it. Honestly.

    5. Re:Use the Firewall by dylan_- · · Score: 4, Insightful

      Since a few people have mentioned this: He was using Windows 2000. It doesn't have a firewall.

      --
      Igor Presnyakov stole my hat
    6. Re:Use the Firewall by Setti · · Score: 3, Informative

      Too bad people don't know how to unplug the ethernet until the firewall is up :P

      Considering it's all a hassle... Isn't SP2 supposed to resolve the issue with the Firewall loading last?

    7. Re:Use the Firewall by Marc+Desrochers · · Score: 5, Insightful
      How about Windows not enabling the network interface before it has all of the network settings loaded for it.

      ...and I don't believe obtaining a DHCP lease would be a problem through this.

      Asking users to plug/unplug their network cable is just plain silly.

    8. Re:Use the Firewall by SillyNickName4me · · Score: 2, Insightful

      Seems a bit of browsing and some ActiveX funnies can get you that indeed and no firewall is really gonna help against it either, you'll still need virus/worm/malware scanner/remover software to keep the PC clean.

      It's funny how MS is now going to include such stuff.. seems their innovation has other priorities than making their products usable most of the time...

      This all should not be a problem initially however for installing a windows machine behind a firewall and trying to run update.. tho I rather prefer making an update CD for such cases (and use it until the next worm or whatever that requires no user actions to become active)

    9. Re:Use the Firewall by b-baggins · · Score: 2, Insightful

      Isn't it amazing how the solution to so many Windows problems is to jump through hoops, restrict what you can do, and generally make your life a hassle.

      Your example is like telling someone in a crime-infested neighborhood that they just need to lock their doors instead of yelling at the city council and cops to clean up the streets.

      --
      You can tell a great deal about the character of a man by observing those who hate him.
    10. Re:Use the Firewall by somethinghollow · · Score: 5, Funny

      Okay. I'll climb under my desk, unplug my nic, climb out, power on the machine, wait until everything is loaded, climb back under my desk, plug it back in, then climb out and be productive.

      That is a great solution. Maybe Microsoft should make a KB article and send it to all the upper-level business types in corporate America. I can see all the suits in their lavish office hundreds of feet above the city streets doing the Microsoft Shuffle. Now all they need is a catchy pop song to go with it and they'll be on Casey Kasem's Top 40.

      I'd rather just use my Mac.

    11. Re:Use the Firewall by SilentChris · · Score: 2, Informative

      "Too bad the firewall software loads *last* in the startup sequence"

      Supposedly fixed in SP2.

    12. Re:Use the Firewall by One+Louder · · Score: 5, Insightful
      Unfortunately, that assumes that one is familiar enough with Windows to know that's the order in which things load, that unplugging the network cable won't make the machine somehow think it's not *going* to be on a network.

      It's a rational expectation that a brand new machine, or one restored to factory configuration, should have no fatal problems - we certainly expect that the wheels don't fall off our cars just after we drive off the new car lot. We shouldn't have to *know* that we have to tighten the lugnuts or get new tires because the ones I just bought are about to explode, and I shouldn't have to immediately change the locks because everyone and their grandmother can pick the one I just bought with a toothpick.

      Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?

    13. Re:Use the Firewall by radish · · Score: 4, Insightful

      No, my suggestion was not a "solution" to the general problem. It was an idea for the supposedly technical person trying to fix a b0rked windows box which they couldn't get to stay up long enough to patch. For that person, I would have thought that unplugging a cable would be both obvious and straightforward. Should regular users be disconnecting their boxes every time they reboot? Of course not.

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    14. Re:Use the Firewall by bryanp · · Score: 5, Funny

      Perhaps I'm taking the analogy too far, but can you name another product that is widely sold brand new with massive known defects?
      Ask me again on election day.

      --
      "An unarmed man can only flee from evil, and evil is not overcome by fleeing from it." Col. Jeff Cooper
    15. Re:Use the Firewall by AndroidCat · · Score: 2, Informative
      I set up a box with ZA so that the PPPoE connection isn't started right away. I have an icon on the desktop to start it. The connect program won't even run until ZA is loaded. Also, I assigned a local IP address to the card as part of the trusted LAN zone. The PPPoE connection gets a different DHCP address (and max security setting).

      That said, I don't trust ZA for perfect protection. Win XP Pro starts up way too much crud that wants to talk to ports.

      --
      One line blog. I hear that they're called Twitters now.
    16. Re:Use the Firewall by liquidsin · · Score: 4, Informative

      Third sentence of the article: "This was the case with a family member's computer running Windows XP Home." Further down, he also talks about putting XP SP 1a on the disc.

      --
      do not read this line twice.
    17. Re:Use the Firewall by Marc+Desrochers · · Score: 2, Interesting
      This is not a perfect solution but it does greatly reduce the risk of infection:

      I only rebuild a WinBox behind some kind of NAT. At least I don't have to worry too much about being nailed by a worm before the updates are done.

    18. Re:Use the Firewall by needacoolnickname · · Score: 5, Insightful

      Asking users to plug/unplug their network cable is just plain silly.

      I'd have to disagree. I think making someone work for something might make them a bit more appreciative of what needs to be done to maintain it.

      I told my father to take his computer to a local shop to have it fixed rather than drive up to me. Once he learned how much it costs to have things fixed that can easily be avoided he seemed much more interested in learning how to take care of things than thinking "this thing should just do as I want it to" (and he stopped downloading stupid ass screensavers).

      A little work goes a long way.

    19. Re:Use the Firewall by Rick+the+Red · · Score: 3, Insightful
      No shit. When I turn on the Windows firewall I cannot see/be seen on my network. Zone Alarm has no problem letting me print to my network printer (on another PC), but with Windows firewall I don't even see it. Sorry, but I just don't have time to figure out the settings needed to fix this when Zone Alarm is the real fix.

      I don't care how good XP SP2 is, I'm not letting it near my PC.

      --
      If all this should have a reason, we would be the last to know.
    20. Re:Use the Firewall by Rick+the+Red · · Score: 5, Insightful
      Leave ethernet disconnected right up until the moment you're ready to hit Windows Update. You're already booted up with the firewall enabled. Connect cable, wait a few seconds for XP to notice it, hit update. Voila.
      Uh, huh. And then, the next day, you have to crawl under the desk and disconnect the NIC until you've booted up for the day, then plug it back in. And the day after that. And the day after that. And the day after that.

      You see, it takes 20 seconds to 2 minutes from the network activation to the firewall start every time you turn on the PC, not just when you're getting the latest update. And if you think you only need a firewall when you're running Windows Update, then you're missing the whole point of having a firewall.

      --
      If all this should have a reason, we would be the last to know.
    21. Re:Use the Firewall by yabos · · Score: 3, Insightful

      No offense intended, but you can't expect "normal" (dumbass) users to do what you do. Even though your solution may work well, they just won't do it.

    22. Re:Use the Firewall by minotaurcomputing · · Score: 5, Funny

      "And if you're on a wireless LAN?"

      Wave your hands in front of the antennae to block the signal.

    23. Re:Use the Firewall by sik0fewl · · Score: 5, Funny

      How about you wait until the firewall is loaded before plugging in the network cable?

      Yeah, that's an elegant solution:

      "Windows has finished starting. It is now safe* to plug in your network cable."
      *Warning: may not actually be safe.
      --
      I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
    24. Re:Use the Firewall by Glonoinha · · Score: 2, Insightful

      I am shocked, appalled, and dismayed! Actually I'm not, but I like the way it sounds.

      "This guy had family with a problem: A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched. His solution? A CD."

      Reality check time. Which of the following are not required to get online via cablemodem :
      [ ] Computer
      [ ] Monitor
      [ ] Keyboard / mouse
      [ ] Cablemodem
      [ ] Assorted cables, and electricity
      [ ] A fscking hardware router / firewall.

      Guess what - a fscking hardware router / firewall isn't optional anymore. Linksys BEFSR41 - learn it, know it, live it. Less than $50 at Best Buy, if you actually help someone set up their computer and plug the NIC directly into the cablemodem - you aren't helping. Doesn't matter what OS, what hardware platform, etc.

      Patches smatches. Software firewall flufferall. There is no substitute for a hardware firewall. Cheap, easy, effective - this is your one chance to get all three.

      --
      Glonoinha the MebiByte Slayer
    25. Re:Use the Firewall by pohl · · Score: 4, Interesting
      How about you wait until the firewall is loaded before plugging in the network cable?

      +5 Funny. This reminds me of a situation at work. We sort of have two separate halves of the software development department: Java and the Microsofties. One day I wandered by the server room where the most brilliant of the Microsofties was installing some sort of PDF-indexing engine on one of their Windows servers. They were being thwarted by some dialog box that kept coming up during the install. His solution to the problem at the moment that I happened by was...I swear to god...to jam a penny into the keyboard such that it kept the return key held down, so that the key-repeat would dismiss the dialog box over & over again, in hopes that it would happen rapidly enough to get through the install.

      I swear, it's a totally different culture. Some of us insist on good software architecture. Others have an amazing capacity to be assfucked by bad software architecture and keep going back for more. You can bother about yanking and reinserting your ethernet if you really want to. I'll work around the problem by being a more selective consumer, thank you.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    26. Re:Use the Firewall by bonkedproducer · · Score: 4, Interesting

      I have Win XP SP2 Beta running on my XP box. I do notice that the firewall is much better and easier to use (seems like a weak ZA clone,) except it does some weird things. The first time I used Windows Media Player in SP2 Beta, to view some movie trailers, I had the player maximized and after watching three or four, I minimized the player to check my e-mail.

      When I minimized I saw my first experience with the new and improved firewall, it was a nice message in the center of the screen that had been obscured by the player stating "The Program: Windows Media Player is trying to access the Internet, should I: Block this program, Unblock this program, Block this program but ask again in the future" (I'm paraphrasing there) even though I hadn't told it to unblock the program, it was allowing it to download content from the web.

      I thought this was odd, and assumed maybe it only received stuff but wouldn't allow sending. Well, when I used Yahoo Messenger the first time, same thing popped-up, so I left the box on screen and did some IMing, and sent some files to friends - all without interacting with the firewall. So I must assume the firewall by default lets anything go through until told otherwise. This is security? I've noticed this behavior with many programs, and telling it to block does work, but until told to block it leaves the holes open.

      --
      Clothes make the man. Naked people have little or no influence in society - M. Twain
    27. Re:Use the Firewall by bfischer · · Score: 2, Funny

      Put it in a lead box. That will also keep it hidden from that Clark Kent guy.

    28. Re:Use the Firewall by needacoolnickname · · Score: 2, Funny

      Hey dad!

      I still have a few more years to pay off those loans. Maybe you can help me out now? I'll fix your computer for ya.

    29. Re:Use the Firewall by pyros · · Score: 4, Informative
      Unlike in the Unix world, where you solve all these problems by simply not running as root. You might not be running as root, but how are all those various programs listening on ports below 1024 running, enk?*

      Usually the process is launched by init as root, the port is bound, and then the process forks, calling setuid and setgid to lose root privileges. It's also not unheard of to chroot the fork too. So you're left with a program running in a sandbox without root privileges, bound to a privileged port.

      * - bold added to separate GP quote from parent quote, not for emphasis on any particular content in the quote.
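
The bind-then-drop sequence pyros describes above, as an added C example that is not part of the thread: the launcher binds the port, forks, and the child optionally chroots, sheds root's groups, calls setgid then setuid, and checks that root cannot be regained before it accepts a connection. The function names, the loopback address and the uid/gid 65534 used in `main` are assumptions for illustration.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fill sa with 127.0.0.1:port (loopback only, so the demo is not exposed). */
static void loopback(struct sockaddr_in *sa, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa->sin_port = htons(port);
}

/* Step 1, with the launcher's privileges: bind and listen. Ports below 1024
   need root; port 0 lets the kernel pick one. Returns the fd or -1. */
int open_listener(unsigned short port, unsigned short *bound)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    loopback(&sa, port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *bound = ntohs(sa.sin_port);
    return fd;
}

/* Step 2, in the forked child: switch to uid/gid for good. chroot() and the
   group change need root, so they come before setuid(). jail may be NULL to
   skip the chroot. Returns 0 only when the drop has been verified. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (uid == 0) return -1;                      /* root is not a drop target */
    if (jail && (chroot(jail) < 0 || chdir("/") < 0)) return -1;
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1; /* shed root's groups */
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;  /* root came back: fail */
    return 0;
}

/* Bind, fork, drop in the child, then serve one connection from the child.
   The parent plays the client. Returns 0 on success, else the failing step. */
int serve_one_unprivileged(unsigned short port, uid_t uid, gid_t gid,
                           const char *jail)
{
    struct sockaddr_in sa;
    unsigned short bound = 0;
    char buf[3] = {0};
    int status = 0, c, lfd = open_listener(port, &bound);
    pid_t pid;
    if (lfd < 0) return 1;
    pid = fork();
    if (pid < 0) { close(lfd); return 2; }
    if (pid == 0) {                       /* child: the network-facing part */
        if (drop_privileges(uid, gid, jail) != 0) _exit(3);  /* fail closed */
        c = accept(lfd, NULL, NULL);      /* the inherited socket still works */
        if (c < 0) _exit(4);
        _exit(write(c, "ok\n", 3) == 3 ? 0 : 5);
    }
    close(lfd);                           /* only the child holds the listener */
    loopback(&sa, bound);
    c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (struct sockaddr *)&sa, sizeof sa) < 0)
        kill(pid, SIGKILL);               /* never leave the child waiting */
    else if (read(c, buf, sizeof buf) < 0)
        buf[0] = 0;
    if (c >= 0) close(c);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return 6;
    if (WEXITSTATUS(status) != 0) return WEXITSTATUS(status);
    return memcmp(buf, "ok\n", 3) == 0 ? 0 : 7;
}

int main(int argc, char **argv)
{
    /* Assumed ids: 65534 ("nobody" on many systems) when started as root;
       otherwise the caller's own ids and a kernel-chosen port. */
    int root = geteuid() == 0;
    int rc = serve_one_unprivileged(root ? 80 : 0,
                                    root ? 65534 : getuid(),
                                    root ? 65534 : getgid(),
                                    argc > 1 ? argv[1] : NULL);
    printf("result: %d\n", rc);
    return rc;
}
```

Started as root with an empty directory as the first argument, it also exercises the chroot step; started as an ordinary user it binds an unprivileged port and the drop is a no-op that is still verified.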

    30. Re:Use the Firewall by AKnightCowboy · · Score: 2, Informative
      Too bad the firewall software loads *last* in the startup sequence, leaving a gaping hole of anywhere from 20 seconds to two minutes (on a slow machine) when your machine is on the net and unprotected. And during the height of worm activity, that's *more than enough* time to get infected.

      A $30 Netgear router would've eliminated that problem. Even if I had one machine I'd still buy a router so I didn't have to worry about software firewalls.

    31. Re:Use the Firewall by mav[LAG] · · Score: 4, Funny

      Girls are like Internet domain names, the ones I like are already taken.

      You can still get one from a foreign country :)

      --
      --- Hot Shot City is particularly good.
    32. Re:Use the Firewall by dasmegabyte · · Score: 3, Interesting

      Actually, the problem isn't Microsoft's innovation making products unusable...it's shady types committing what are essentially con jobs to get people to bypass the browser security Microsoft innovated to make it easy to extend the web with third party plugins such as Flash, or any of a number of useful ActiveX accessibility widgets such as that used by TrendMicro's housecalls free virus scanner or some of the multiple file upload tools used on popular image sites.

      Obviously, since this technology hadn't existed before, Microsoft hadn't anticipated that some folks would hijack the API and use it to get people to install software that will spy on them. You can't plug holes in a bucket you haven't made yet! And now that these companies are out there, even if Microsoft locks things down tight as can be, there will still be shady types instructing people on how to bypass their own security to install some bitchincool new screensaver (with only a few hundred added pieces of malware).

      The reason for this is that it's just too easy to fool people in the digital world, because they don't care about the precious data on their computers as much as they do pretty widgets. Windows software is attacked not because it is inherently insecure, but because so many people who just don't care use it.

      Of course, one wonders how useful it is to spy on people who do nothing with their PCs but install spyware...

      --
      Hey freaks: now you're ju
    33. Re:Use the Firewall by m_pll · · Score: 2, Informative

      When you see this message box it means the program is trying to listen for incoming connections. Windows firewall does not block outgoing connections, which is why you can still download stuff etc.

    34. Re:Use the Firewall by EvilTwinSkippy · · Score: 2, Insightful
      Sigh.

      While I run my own Linux box at home, I have several clients and relatives I support. Giving them a happy blue box that blinks and costs $50 trumps any ability to ssh into it and fix.

      The Linksys doesn't generally need fixing. And if it does, unplug and plug it back in. They are happy. I am happy. And I'm not getting calls during the weekend when a power outage fries the hard drive and I have to rebuild the Linux partition.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    35. Re:Use the Firewall by Nintendork · · Score: 4, Insightful
      "Sorry, but I just don't have time to figure out the settings needed to fix this when Zone Alarm is the real fix."

      Sorry, but Zone Alarm, Black Ice, etc. are all PIECES OF SHIT. You have no idea how many times I've been troubleshooting broken internet apps only to find out that Zone Alarm/Black Ice is installed. One of my first questions now is to find out if those things are installed. The sole purpose of those software packages is to annoy you every time it blocks a connection and try and convince you to pay money for the enhanced version of the nagware.

      You declare that the SP2 firewall broke your ability to print, but you do not know why. You just take a reactive stance and jump back to what works now instead of finding the underlying problem and solving it. I'm sorry, but I just don't believe that the firewall broke your ability to print unless there was an underlying reason. Outbound connections are not blocked by the firewall. The same statement goes for seeing others on the network. Maybe you were just impatient and didn't wait for browsing to stabilize which takes up to something like 15 minutes in a single broadcast domain. If you're really that anxious to connect to another computer and can't wait for the browse list, do a start | run | \\COMPUTERNAME.

      If you want the computer to be seen on the network, create an exception list in the firewall configuration! It already has a preset for file and print sharing one tab over from where you enabled the firewall for crying out loud!

      God I hate seeing ignorant fucks blaming the software vendor for their own ignorance, then getting modded up for it. It's not Microsoft's fault that you don't RTFM or open your eyes to see that there's other configuration options when you use a feature. Blaming Microsoft may be fun, but it's not always the answer.

      -Lucas

    36. Re:Use the Firewall by Anonymous Coward · · Score: 3, Funny
      I'm running XP SP2 beta at home, and this is exactly what it does:
      http://slashdot.org/comments.pl?sid=106651&threshold=0&commentsort=0&tid=109&mode=thread&cid=9077529

      It posts to Slashdot? That's creepy.

    37. Re:Use the Firewall by Marc+Desrochers · · Score: 2, Insightful

      I am not an admin, I'm a tech... And even if I was, I'd still be at the mercy of the whims of the higher-ups. This University has decided they want to go Active Directory, so that's what we're doing. It doesn't help matters that they decided to centralize everything, and the techs don't have access to fix network problems, we aren't even allowed to open machines, unless it's to change a NIC. What can I say, it's not MY network.

    38. Re:Use the Firewall by Jim_Maryland · · Score: 2, Insightful

      Both comparisons are flawed. About the only close comparison I can think of would be a car with numerous defects that has been to the dealer for recall service and then losing all those recall repairs the next time you reinstall tires (and I certainly wouldn't want to visit that mechanic again). A fresh installation of MS Win32 will have all the flaws/exploits that have been discovered since your source disk was created.

      Obviously a reinstall of an operating system will need to be repatched to obtain the updates unless you obtain a more recent version of the OS with patches included. I haven't noticed MS doing this but then my company rarely has something other than system restore media for MS Win32 systems (maybe Microsoft does this but I haven't seen it). For my Solaris systems, I can locate a newer media pack to get much closer to a patched environment.

    39. Re:Use the Firewall by endus · · Score: 3, Insightful

      "And if you're on a wireless LAN?" Then you should be running a router that runs a firewall anyway.

    40. Re:Use the Firewall by mikeee · · Score: 2, Funny

      And if you're on a wireless LAN?

      Wrap your computer in tinfoil.

    41. Re:Use the Firewall by silicon+not+in+the+v · · Score: 4, Funny
      Sorry, but Zone Alarm, Black Ice, etc. are all PIECES OF SHIT.
      ...later...
      God I hate seeing ignorant fucks blaming the software vendor for their own ignorance, then getting modded up for it.
      Uh, yeah...me too. :)
      --
      We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
    42. Re:Use the Firewall by Brandybuck · · Score: 3, Interesting

      It is a different culture. I'm a system software developer. For the past five years I've worked on Solaris and LynxOS. I'm used to coding the "right thing", even if it takes longer.

      But now the company has been taken over by the Microsofties. One of them told me the "secret" to development in Windows: just do what Microsoft wants you to do. Everything is designed to be done in one particular way, and if you don't do it that way you'll end up working ten times as hard.

      --
      Don't blame me, I didn't vote for either of them!
    43. Re:Use the Firewall by GigsVT · · Score: 2, Insightful

      ..to jam a penny into the keyboard such that it kept the return key held down, so that the key-repeat would dismiss the dialog box over & over again

      Ever run fsck on a badly damaged fs? You might use the penny too. (Until you remember to just pipe "yes" output to it).

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    44. Re:Use the Firewall by nzkbuk · · Score: 4, Insightful

      or just use the -y option

    45. Re:Use the Firewall by Gilmoure · · Score: 2, Interesting

      We have a fairly locked down network and we still get viruses in the dorms. Our little darlings take their laptops (about 70% of our users) off campus and then come back home and plug them in. No matter how many times their network has gone down this year, and no matter how many times we let them know to keep their patches up to date, and to run virus software or linux or MacOS, each new virus knocks out a dorm or two.

      Seeing as how this is our last week and students are already leaving, even I, the Mac Guy, was pressed into service, running a huge list of various virus killers, pop up blockers, and ad-ware destroyers. What a sand coated, dp pain-in-the-ass. If this is what 95% of the computer using public has to put up with, it's amazing there's even an internet. I suppose porn is the only thing keeping the average Windows user online.

      --
      I drank what? -- Socrates
    46. Re:Use the Firewall by pVoid · · Score: 2
      Wow, can this thread get *any* more self righteous??

      You are raising yourself high in the air by denigrating "Microsofties"... and the "most brilliant one of them", when we can obviously see they're idiots??

      Nice. You should feel proud.

  4. Burn a cd? by JustKidding · · Score: 5, Funny
    custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP Home Internet safe. I know I'll be doing this in the future."

    Better make that a rewritable...

    1. Re:Burn a cd? by dicepackage · · Score: 5, Interesting

      I have found that a cheap USB key drive is a great way to keep all of the necessary patches in one place that can be re-written fast.

    2. Re:Burn a cd? by moojuece · · Score: 3, Insightful

      did you RTFA? author mentions this CD but also states that this is horribly out of date, takes 2-4 weeks to arrive and will not ship to his country

  5. that's easy... by Anonymous Coward · · Score: 5, Funny

    the CD held knoppix

    1. Re:that's easy... by Keruo · · Score: 2, Interesting

      Knoppix is great sysadmin tool to carry around.
      I've fixed several NT machines with it skipping the need of complete reinstall.
      The read/write ntfs driver is what makes the cd so powerful.
      In most of the cases I've come across, it's enough to throw the cd in, reboot, mount the root ntfs, edit/replace boot.ini or some other system file with error, save, reboot, and there you have it, working NT box.
      It's awesome if you know what you're doing with it.

      --
      There are no atheists when recovering from tape backup.
    2. Re:that's easy... by horza · · Score: 2, Interesting

      Knoppix is great sysadmin tool to carry around.
      I've fixed several NT machines with it skipping the need of complete reinstall.
      The read/write ntfs driver is what makes the cd so powerful.
      In most of the cases I've come across, it's enough to throw the cd in, reboot, mount the root ntfs, edit/replace boot.ini or some other system file with error, save, reboot, and there you have it, working NT box.
      It's awesome if you know what you're doing with it.


      Knoppix was the first thing in my mind... why not take it one further? A specialised Knoppix which boots and then has one clickable icon on the desktop. Launching this automatically detects NTFS/FAT partitions, downloads the latest definition files over the 'net, and automatically cleans up a Windows machine. It can even detect if the user has Norton or another anti-virus and use that engine to do the cleaning.

      It can also happen to have a few useful apps installed, plus a GUI to apt-get showing 1000's of titles ready to install immediately for free, in case they shouldn't wish to remove the CD upon next boot...

      Phillip.

  6. its not that bad by Anonymous Coward · · Score: 2, Insightful
    First off let's say I'm a linux user, and haven't used windows as a desktop or a server for about 4 years. I hate windows. My family however still runs windows 2000 on their main computer.

    It has no virus scanner, and they have never contracted a virus. As long as you aren't a dumbass (open random exes and stuff off the web), don't use outlook/IE (they use firefox and thunderbird), and run Ad Aware once in a while you should be fine. Running windows update automatic updates has never been a problem.

    1. Re:its not that bad by Kenja · · Score: 4, Insightful
      "It has no virus scanner, and they have never contracted a virus."

      How do you know? If it's not running a virus scanner how would you tell if it had a virus or not?

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:its not that bad by blastedtokyo · · Score: 3, Insightful

      If it has no virus scanner, how do you know that it's never been infected?

    3. Re:its not that bad by sik0fewl · · Score: 2, Funny

      If it has no virus scanner, how do you know that it's never been infected?

      Ignorance is bliss :)

      --
      I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
    4. Re:its not that bad by dasmegabyte · · Score: 2, Insightful

      He probably means it has no fulltime virus scanner, but runs HouseCalls from TrendMicro or something similar once in a while. I do the same with my parents, who had never gotten a virus but were fed up with paying $30 a year or whatever to Norton.

      --
      Hey freaks: now you're ju
  7. my windows security nightmare.. by Anonymous Coward · · Score: 5, Funny

    my windows security nightmare involves bill gates breaking all my boxen with a life size stainless steel Clippy.

  8. Heh not me. by grub · · Score: 3, Interesting


    This article describes the custom made CD he sent to his family member with patches, tools, and instructions to make a fresh install of Windows XP

    I took the extreme opposite approach: I don't help family or friends with their Windows problems if they've asked me for advice and gone against it. (as written about in my journal last March.)

    --
    Trolling is a art,
    1. Re:Heh not me. by xplosiv · · Score: 2, Insightful

      Unfortunately, most people can't get away with that attitude, that's almost as bad as burning bridges. Someday your friend/family member will be asked if they know anyone who is willing to accept a high paying Windows admin job, and your friend/family member will say "No, the only person I know doesn't do windows". Instead, refer them to websites where they can download anti-spyware software, anti-virus software and such, you have nothing to lose, and while you give them this information, you can tell them there is not much else you can do, but at least you tried.

    2. Re:Heh not me. by radish · · Score: 2, Troll

      Personally, I value my personal relationships above petty "I told you so" point scoring. But then I don't live in a basement, so YMMV.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  9. New "casino" concept is needed by Anonymous Coward · · Score: 5, Interesting

    Microsoft should send XP SP2 CD-ROM to everyone that has registered Windows XP. After user installs and visits some web site, they enter into Microsoft award contest. 100 random users that install XP SP2 receive 50.000$ award each. I guess everyone would upgrade if they could receive an award.

    Small price for Microsoft, great effect on security.

  10. Big problem by jdreed1024 · · Score: 4, Insightful
    A Windows XP computer hit by worms that couldn't stay on-line long enough to get patched.

    This is a serious problem, actually. During the height of the worms last summer, we saw hundreds of machines that got infected while in the middle of downloading updates. It even got to the point that the WinXP "firewall" wasn't good enough, since it loaded *last* in the startup sequence, and there was a good 20 seconds to 2 minutes (depending on the speed of the machine) when the machine was on the net and unprotected, even if you had enabled the firewall settings.

    It's the bigger problem of running services by default. The average user doesn't need half of the services that run. Linux figured that out years ago - most services are off these days, and those that are on are fairly secure (ie: sshd). Even if some of these services are required for system operation (like some folks have claimed), there's no reason for them to be listening on addresses other than 127.0.0.1.

    --
    There is no sig, there is only Zuul.
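
A check for the point made in the comment above (services listening on addresses other than 127.0.0.1), as an added example that is not part of the original thread. It assumes Linux `ss -H -ltn` output as its input format; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Input format assumed: Linux
# `ss -H -ltn` output, i.e. "State Recv-Q Send-Q Local:Port Peer:Port".
# Live use: ss -H -ltn | exposed_listeners

# Print "address port" for every TCP listener NOT bound to loopback.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)        # text after the last colon
            addr = $4
            sub(/:[^:]*$/, "", addr)     # text before the last colon
            sub(/%.*$/, "", addr)        # drop an interface scope such as %lo
            gsub(/\[/, "", addr)         # drop IPv6 brackets
            gsub(/\]/, "", addr)
            # 127.0.0.0/8 and ::1 are reachable only from the machine itself.
            if (addr ~ /^127\./ || addr == "::1") next
            print addr, port
        }
    '
}

# Constructed sample: three loopback-only listeners, three exposed ones.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:445 [::]:*
EOF
}

sample_listeners | exposed_listeners
```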
    1. Re:Big problem by Kenja · · Score: 2, Insightful
      "This is a serious problem, actually. During the height of the worms last summer, we saw hundreds of machines that got infected while in the middle of downloading updates. It even got to the point that the WinXP "firewall" wasn't good enough, since it loaded *last* in the startup sequence, and there was a good 20 seconds to 2 minutes (depending on the speed of the machine) when the machine was on the net and unprotected, even if you had enabled the firewall settings."

      There is a system called "unplugging the network cable" that can block 100% of the network traffic within the first two min' of booting!

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:Big problem by jdreed1024 · · Score: 4, Insightful
      Am I the only one thinking:

      1) Switch on computer
      2) Login
      3) Wait until everything is loaded and the disk stops chunking
      4) Plug in network

      Is that really hard?

      Try telling that to an end user. They don't want to be bothered with that. And also, people forget to do things sometimes. And the one time you forget, you'll get infected.

      Yes, yes, we all know the most secure computer is the one that doesn't have a network connection. But really, providing firewall software, and loading it last in the startup sequence, instead of immediately following network device startup is sloppy and wrong.

      --
      There is no sig, there is only Zuul.
    3. Re:Big problem by kidgenius · · Score: 3, Insightful

      Right.....because you know that all of the people less technically adept than you will make sure they do that.

    4. Re:Big problem by bcrowell · · Score: 2, Insightful
      Why can't MS just supply a very strict software firewall, which would be activated whenever you booted up the computer while holding down a certain combination of keys?

      In addition to the problems described in the article, another problem with MS's approach is that you don't have to be a privileged user to infect a system, but you may have to be a privileged user to disinfect it. I don't use Windows myself, but in the classroom where I teach physics labs, we have 6 Windows machines, and they're constantly getting infected with worms. Often my students and I know exactly what the infection is, but we don't have privs, so we have to wait a week for our IT folks to get around to patching it.

      Linux, BSD, and MacOS X on the other hand, are consistent: you can't patch a system without root access, but you basically can't get infected without root access either.

    5. Re:Big problem by SillyNickName4me · · Score: 3, Informative

      > instead of immediately following network device startup is sloppy and wrong.

      That is still wrong.

      You enable the firewall, set a default deny all rule, enable the interfaces, and start loading your rules.

      You can't load them beforehand if they depend on characteristics of the interface (address etc) but that means you will still have to be extremely careful in which order you load them.

      A safe way of accomplishing this is to insert the deny all rule as the first rule that your firewall will occur and only remove it once all has been setup properly.

      Leaving a window between bringing up your interfaces and having a working firewall always brings the risk of compromise, and it just takes a slightly determined hacker/worm/virus/whatever to get through.
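
The ordering described in the comment above (default deny first, then the interface, then the rules, with a guard rule removed last), as an added example that is not part of the original thread. It assumes Linux `iptables` and `ip`; the interface name `eth0`, the allowed SSH port and the `DRY_RUN` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iptables/iproute2;
# eth0, TCP port 22 and the DRY_RUN switch are illustrative assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (needs root).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

fw_bringup() {
    iface="$1"

    # 1. Before any interface is up: default-deny policies ...
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    # ... plus a temporary catch-all DROP pinned at position 1, so nothing
    #    appended below takes effect until the rule set is complete.
    run iptables -I INPUT 1 -j DROP

    # 2. Only now enable the interface; address-dependent rules need it.
    run ip link set dev "$iface" up

    # 3. Load the real rules behind the guard.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$iface" -p tcp --dport 22 -j ACCEPT

    # 4. Remove the guard last. The DROP policy still rejects whatever
    #    the rules above do not explicitly accept.
    run iptables -D INPUT 1
}

# Line number (1-based) of the first planned command matching a pattern,
# used to check that the steps come out in the intended order.
plan_line() {
    DRY_RUN=1 fw_bringup "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

fw_bringup "${1:-eth0}"
```

IPv6 traffic needs the same sequence applied with `ip6tables`.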

    6. Re:Big problem by yabos · · Score: 2, Insightful

      Considering most network cables are under the desk, you really expect people to climb under the desk to unplug it, turn on the computer and wait for it to boot, then climb back under the desk to plug the ethernet cable back in? Even if you keep your case on the desk (which most people don't that I've seen), that's still a huge hassle for the lazy asses that can't run windows update once a week.

  11. Microsoft will mail you a CD by anotherone · · Score: 2, Informative
    Microsoft will mail you a CD, for free, of the most recent updates and service packs.

    http://www.microsoft.com/security/protect/cd/order.asp

    --
    Username taken, please choose another one.
    1. Re:Microsoft will mail you a CD by StacyWebb · · Score: 2, Informative

      "Your CD should arrive in 2 - 4 weeks. In the meantime, sign up for Microsoft's free Security Newsletter for Home Users. Every other month you'll get valuable information to help you protect your home computer" --Win Update 2004 English NA Feb Direct 2CD Windows Security Kit --- This CD is only for Updates current to February (not including the SASSER updates)

    2. Re:Microsoft will mail you a CD by LurkerXXX · · Score: 2, Informative

      Mine just arrived, took about a month like they said it would. 2-4 weeks.

  12. You Mean digital? by Mordaximus · · Score: 4, Informative
    the Microsoft employees behind the design of Windows Registry

    Ah yes, brought to you by the letter V, as in VMS. IIRC it was a few digital VMS engineers that left and helped build many of the more functional components of WinNT. And apart from the ACL, I believe the registry (at least for pathworks) was another digital innovation...

    Never forget there is very little you can credit Microsoft with...

    1. Re:You Mean digital? by IamTheRealMike · · Score: 2, Informative

      The registry was developed for OLE, and existed in Windows 3.1 though it wasn't used as a global config database until Windows 95, iirc.

    2. Re:You Mean digital? by MerlynEmrys67 · · Score: 2, Insightful
      Just like in Unix, except there you replace System Registry with /etc.

      Time to lose some Karma

      --
      I have mod points and I am not afraid to use them
    3. Re:You Mean digital? by ercolano · · Score: 2, Informative

      It was not developed for OLE. What was created for Windows *NT* 3.1, was not in any way what was used in Windows 3.1 (Don't blame me, I wasn't responsible for what products were named). What was the global configuration database in Windows 95 was a somewhat watered down re-implementation of what was created for Windows NT 3.1.

  13. all he had to do by xplosiv · · Score: 4, Informative

    was have them type 'shutdown -a' at the command prompt and the rebooting would have stopped. I have helped people remove this worm many times using Remote Assistance, over dialup without any issues. The firewall software is going to cause more problems in the long run as it will block some of their games, or even him remotely accessing the machines in emergencies.

  14. Ignoring the root cause and fighting the symptom by kbahey · · Score: 4, Insightful

    I cannot help but see the analogy here.

    Microsoft takes the approach of fighting the symptom (malware, ...etc.), and not the root cause (flawed security design, ...etc.).

    This is the same way many governments approach things like terrorism. They address it like a security problem only, that Intelligence Agencies and the Military/police handle. Why these ideologies developed, and what are the social, economic, and political reasons that lead to it is never even attempted.

    And it is not only America, this has happened before in Ireland, Spain, Egypt and elsewhere.

    Unless the root cause is studied, a correct diagnosis is made, and then remedial actions are taken, no amount of policing will fix the problem for good.

  15. Custom patch CD by prisen · · Score: 3, Insightful

    This isn't anything new -- I've sent plenty of patch CD's with customized .bat/.cmd files along with stupid-easy instructions thanks to an autorun.inf that takes care of everything from hotfixes to updating DirectX and IE, even restarting the box when it's done..all without bothering the user with confusing dialog boxes. It helps quite a bit when your family has dial-up and can't even get to Windows Update before Sasser or equivalent hoses their machine.

    But, then again, I've sent many times more Linux distro CD's to my friends.

  16. Re:Custom CD by rsidd · · Score: 3, Funny
    Wow...what a concept! I never would have thought of that.

    You can get the same from MS, free.

    RTFA. (Wow, what a concept!) He covers that.

  17. A grandmother can do it by AtariAmarok · · Score: 5, Funny
    "so simple, even my grandmother could implement it."

    "(AP) Dateline August 12, 2008. National and international commerce was brought to a halt as the "SugarCookie" worm infected and seized up the installed base of Windows 2006 computers. An FBI task force was able to determine that the worm was written by someone's grandmother who thought she was entering a cookie recipe into her computer. She was quoted as saying 'I did not know that Windows was so insecure that you could bring down networks with accidentally-written worm programs'"

    --
    Don't blame Durga. I voted for Centauri.
    1. Re:A grandmother can do it by EvilTwinSkippy · · Score: 4, Funny

      Grandma's gotta stop getting her recipes from the Anarchist's Cookbook.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  18. Re:Not so fast, sir by ivan256 · · Score: 4, Insightful

    So your solution is to spend $80 on hardware to workaround a defect in $100+ software? Does he have to carry this device around with his laptop everywhere? This is a joke, right?

  19. CD article by Seft · · Score: 2, Informative

    This really isn't a great way to do it. How about - install windows, turn on windows firewall, then install adaware, and keep patching regularly - I do this for lots of people and I never have a problem. The rich man's solution to this is to buy a router with a firewall - they really aren't that expensive, and let you use more than one computer on the line. As for Mozilla/Firefox being less susceptible to malware etc on a statistical basis, this is a no-brainer. People who would use an alternative browser also tend to be the type of people who patch their software.

  20. Registry and update? Nah. by Weaselmancer · · Score: 3, Insightful

    If you're going to go after Windows employees, don't bother with the registry and update guys. Nail the guys who made ActiveX and Outlook.

    There ya go, I'm an informant now. When can I expect my check? =)

    Weaselmancer

    --
    Weaselmancer
    rediculous.
  21. Update CDs for family by thewldisntenuff · · Score: 5, Interesting

    I think the biggest problem in making an update cd or instructions on how to update their computer is not getting the right programs together - it's getting them to properly use and learn how to be on top of security issues.

    Case in point-
    I return home for the semester break, and my sister's pc is riddled with spyware, malware, you name it. The thing is no longer functional, so I had to format the hard drive, yadda yadda yadda...I gave her a full lesson, and made sure she knew exactly what to do. Yet a month later, the computer was back in the crapper again...She stated that she lost all of the programs she liked when I fixed her computer-

    That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...No matter how many times you teach/tell someone about computers and online security, for most noobs or non-users, it just doesn't seem to click...

    As far as issues with Windows Update...Best bet is to download from someone else's high-speed pc. I had a similar incident with SoBIG and a reinstallation of XP.

    1. Re:Update CDs for family by YrWrstNtmr · · Score: 3, Insightful

      That's the problem...Unless I boot linux and pull the internet from the back of the machine, her pc will never be secure...

      Why would booting to Linux be any more secure, for that user?
      She appears to be the problem, not the OS.

    2. Re:Update CDs for family by mrchaotica · · Score: 2, Insightful

      You mean the programs she likes, such as the cute little purple gorilla that walks around on the screen, and RealPlayer, and all those screen savers and random assorted games that her friends emailed to her and that she downloaded from questionable sources?

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  22. i use windows by takitus · · Score: 4, Interesting

    and have a hardware firewall, run ie and outlook express and have never had a problem. it can almost always be chalked up to not knowing how to operate things properly. i have made similar cds that are all automated. i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that. best buy was chargin $80 for the same thing that my cd did =). either way... windows is only as safe as you make it. the only thing required to keep viruses from getting in a windows box is running the patches, and even that isn't that necessary if you have a firewall. all of the rest of the viruses are contracted through user error. poo!

    1. Re:i use windows by Woogiemonger · · Score: 2, Insightful

      A hardware firewall is practically a requirement these days if you use your computer for anything proprietary and sensitive, at least in the eyes of management. For both my jobs, I've gotten direct requests for me to secure my home computers with a router, but oddly, they wouldn't buy me one. Well, thanks to slickdeals.net, I finally managed to grab an 802.11b wireless router for ten bucks. Security problems solved.

    2. Re:i use windows by ForemastJack · · Score: 5, Insightful

      Quoth the parent:

      i used to sell them around the time the blaster worm came out on the side of the streets outside best buy etc for $20 a piece. made a few grand off that.

      I read that and nearly spit coffee on my keyboard. OK, let's assume that the parent poster is being 100% honest, that he made "a few grand" selling home-burned CDs outside Best Buy at $20 a pop. That's, conservatively, 100 CDs!

      In other words, at least one hundred people were perfectly willing to shell out money -- cash, presumably -- to some random guy in front of a store, then take this guy's CD home and blindly install whatever the hell he'd given them!

      Folks, talk all the shit about Microsoft that you want, but there's your security problem! If this guy is on the level, we've just had a prime lesson in the reason why Blaster, et al spread like typhoid.

      You know, don't you feel sorry for Microsoft, sometimes -- just a little bit? I mean, imagine you're a Microsoft engineer. You're hard-working. You really do try, given the massive user base you have to support and the cruft of legacy code you're stuck with. Reasonably fast patching for security holes, updates -- hell, they'll send you a damn CD of updates for free!

      And then you read something like this. And request an immediate transfer to the Office development group...working with Clippy would seem like a joy.

      And for all the linux advocates out there -- especially the zealots, the Stallman's Witnesses -- this is a cautionary tale. If and when linux starts to hit the desktops, you're going to have this same problem. If 100 users are willing to take some guy's CDs and install them, no questions asked, they're not going to flinch when he says, "Oh, and it will prompt you for your administrator password. You'll need to enter that in order to make sure the system is scrubbed." Play out your own nightmare scenario, there. Linux is inherently more secure? Really?

      Social engineering-based cracking can't be stopped. Not by Windows, not by Linux.

  23. Almost... by NickRuisi · · Score: 2, Insightful

    Is it just me or did the article seem like a near-FUD rant?

  24. A Different Perspective . . . by pariahdecss · · Score: 5, Funny

    How about creating a CD to make the internet safe from Windows XP
    Maybe something that strips out the entire TCP/IP stack - a castration of sorts for the good of all mankind

    My name is Bill and I pronounce Windows -- WeenDOHS

  25. Re:Custom CD by Ann+Elk · · Score: 3, Insightful

    Microsoft's Windows Security Update CD is great in theory, but almost worthless in practice. The lead time for delivery is so long, by the time you get the CD, another batch of viruses/worms are out exploiting newly discovered vulnerabilities.

  26. Install patches right from the installer by ohad_l · · Score: 2, Interesting

    That's what Mandrake Linux, for example, does (I'm sure many other *nix distributions do as well). Once installation is finished, a small component goes online and downloads all important patches which were made available since the CD it's sitting on was burnt. This makes sense to me from a security standpoint - it should be far easier to secure a single program with independent network code, than a fully up-and-running system.

    --
    If it weren't for fog, the world would run at a really crappy framerate.
  27. Re:Not so fast, sir by sphealey · · Score: 3, Insightful
    So your solution is to spend $80 on hardware to workaround a defect in $100+ software?
    The value of a system isn't in the cash-and-carry price of the components; it is in the data and applications running on it, the time and effort to get it configured properly, and the opportunity cost of not having it in operation. $79 isn't much against those costs.
    Does he have to carry this device around with his laptop everywhere?
    Plenty of corporate travellers do just that, yes. But in the scenario presented he only needs it for freshly installed systems not yet fully configured. Assuming he trusts his WinXP configs to be secure.

    This is a joke, right?
    Um, no.

    sPh

  28. Whether you are offended by 2names · · Score: 4, Insightful
    or not is immaterial. The simple fact is that as one ages, one loses touch with new technology and advancements for many reasons, most of which have nothing to do with a person's abilities or intelligence. Mostly, people just stop caring about the latest gizmo and care more about things that are really important like family.

    But, if you don't believe me try this little test:

    Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

    I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore.

    $.02

    --
    "I'm just here to regulate funkiness."
    1. Re:Whether you are offended by captainClassLoader · · Score: 4, Interesting

      2names comments:

      "Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

      I'll put dollars to doughnuts you won't find a single resident who can do it. Not because they aren't capable of learning how, but because they really just don't care about that kind of thing anymore."


      Then again, you might be surprised. I once did a benefit ambient gig at a retirement home, and then wound up giving a seminar on my set-up after the gig, as a pile of people crowded around my gear to ask me how I got all those sounds. My impression was that this retirement home was a pretty boring place, and a guy showing up with a bunch of synths to crank out strange quiet downtempo stuff sorta made their day...

      --
      "The plural of anecdote is not data" -- Bruce Schneier
    2. Re:Whether you are offended by bloxnet · · Score: 4, Insightful

      Ridiculous.

      My grandparents are in their 80s...and you are probably right, but the generation(s) in their 50s-60s are more likely to have been exposed to technology and its increasing role in our day to day lives to completely invalidate your theory.

      Even more so, each year that passes you will have more grandparents who are moderately tech savvy...it's not in any way a question of age, but experience. There are still quite a few people in their 20s, 30s, etc who would also not be able to pass your IPOD+ITunes test, because (brace yourself for the shock), they don't drool over tech items like the majority of slashdot readers do.

      It's just depressing to see that the rampant ageism that is applied to older people is still going strong in the tech industry...and does not seem to show signs of stopping.

      The original poster was offended because she was both a grandparent and a woman into technology, and admittedly, she is a rarity even now....but the real point is that the more time passes, it's more and more possible that this will not be an exception to the standard. And in the spirit of fairness, she was kind of silly to be up in arms about it anyhow...although her point *was* and *is* valid.

    3. Re:Whether you are offended by jamesmrankinjr · · Score: 4, Funny

      Take an iPOD, a Laptop with a wireless card in it, and a wireless access point to a retirement home. Place them on a table right next to an Internet connection of any kind. Now ask if any of the residents can get a song from the iTunes store onto the iPOD.

      On the other hand, if you tell them that they can use it to download pictures of their grandkids, they'll probably have it up and running faster than a 19 year old nerd could :).

      Peace be with you,
      -jimbo

    4. Re:Whether you are offended by RogerWilco · · Score: 2, Insightful

      My favorite writer Isaac Asimov, has said that he considered the problem that when people leave school/education very often they are not required to learn much anymore. He said that if you keep learning all your life that you can still do it at a higher age (like he did being a SF writer, and technology column writer well after being 75+)
      I endeavour to follow his example and keep learning all my life, to keep the "learning muscles" flexible. I'd like to think I'll be able to use the mobile phones of 2060, if I live that long.
      And I think I know a few people 70+ that would pass your test.

      --
      RogerWilco the Adventurous Janitor
    5. Re:Whether you are offended by DrVomact · · Score: 2, Insightful
      Obviously, this poster is at the age where everyone over 28 seems ancient to him. I'm in my mid-fifties (well, the downhill side, if you must know), and I've been working in the computer industry for over 25 years. Yeah, I used to program abacuses in machine language, and walked to work through miles of shoulder-high snowdrifts. I also started back when you could talk your way into a programming job with a liberal arts degree, because there weren't many people around who had a CS degree. I never got used to having stuff spoon-fed to me--I always figured you just have to go out and teach yourself what you need to know.

      Believe me, there are still plenty of gadgets out there that I want, and I'm learning lots of new techie stuff every week. Some of it even has to do with work. I just got over a forced career realignment when I was riffed by one company and had to find a way to use my computer skills for a totally different type of company and environment. Let's see you roll with those punches, whippersnapper! You'd give up and go back to pharmacy school.

      Of course, the people you would find in a nursing home now are in their eighties or nineties, and they missed out on the big computer wave. And people that age normally aren't that interested in acquiring new skills. But that's not true of everybody who's that age, of course. Just like it's not true that everyone under 25 is a rude twit.

      As for the iPod, heck you're right--I couldn't care less. The stuff iTunes sells I wouldn't buy at a penny a song. I hate modern music--if it was composed less than 200 years ago, it's crap. Well, except for 50s and 60s rock, of course...

      Insightful?

      --
      Great men are almost always bad men--Lord Acton's Corollary
  29. Flamebait by Anonymous Coward · · Score: 2, Insightful

    This article is the biggest piece of flamebait. Ever. It even tops some of the slashdot comments.

    If the article had made an in-depth study of the patching issues and what can be done about them, that'd have been great and we'd have learnt something new. Instead, he just goes on about how he was so stupid so as to not use his computer properly.

    Windows registry is something that people love to rant about, but good grief, it's a few megabytes (or hundreds) out of your multi-gigabyte system. Live with it. Don't worry about cleaning up your registry because you're never supposed to know it exists.

    What's more - I can almost GUARANTEE that this guy was running everything as Admin. That is akin to running everything as root on linux. Wonderful. Now try writing an article about how you run everything as root on linux and you have security issues.

  30. this is just a good example of... by mgoodman · · Score: 4, Informative

    ...why stupid people shouldn't use computers.

    Just because it's made by Microsoft, that doesn't mean an idiot should administer it. It certainly doesn't mean it's going to be secure and stable out of the box.

    The huge divide between Unix/Linux and Windows is that Unix/Linux forces you to know what you're doing when you install something on your computer. Windows assumes the opposite.

    However, if you do know what you're doing with Windows, problems of this nature are not really problematic. Fixing Windows without reinstalling is easy for competent administrators. Jeez, I can get around in Windows without a mouse and without explorer.exe.

    Here's a hint guys: if something breaks on Windows -- don't install a program to fix your computer. It will break it further. Don't install registry cleaners -- they suck. Slick your system, ghost your system, take registry snapshots now and then. Don't install third party software on production machines without testing on crap boxes first. Do know your system in and out.

    --
    01100111 01100101 01110100 00100000 01101111 01110101 01110100 00100000 01101101 01101111 01110010 01100101 00101110
  31. What a bozo! by gregarican · · Score: 3, Insightful
    I can empathize with the author's issues and gripes, but a bit of enduser education could have prevented a decent amount of them. Here's a good document on how to survive your first day with Windows XP.

    The author's slanted raving is over the top. I could just as easily read about some Linux newbie's nightmare experience trying to get all of his hardware to work or how they had to rebuild the kernel after applying some new module to their system.

    My main gripe with how things are is that all new PCs should be delivered fully patched as of their configuration date. And since Microsoft has switched to their license subscription model they should ship out CDs to all licensed customers with all rollup security packs available. Just like a TechNet subscription operates for previewing beta products. I don't mean a user calls into Microsoft to request a CD. It's their place to send them out. Just like an auto company would mail out recall notices.

  32. Couple points here... by pointbeing · · Score: 2, Insightful
    After reading the article it's kinda clear to me the author isn't a Windows user ;-)

    If the registry or the filesystem gets bloated because of malfunctioning application uninstallers, how is that MS' fault? Blame the nitwits who wrote the malfunctioning application.

    Every OS has security patches available - if lack of patch has been exploited that exploit would apply to *any* OS - not just to Windows. If someone decided to write malware for Linux an unpatched machine would be just as vulnerable. Windows is a big target.

    --
    we see things not as they are, but as we are.
    -- anais nin
    1. Re:Couple points here... by maximilln · · Score: 3, Interesting

      -----
      If the registry or the filesystem gets bloated because of malfunctioning application uninstallers, how is that MS' fault?
      -----
      The registry was a bad idea from the start. The registry may have been designed and implemented for storage of specific useful information which would contribute to interoperability between applications but it doesn't take a brain surgeon to look ahead and see that every screen saver, toolbar, and "neat app" author would start filling the registry full of excess junk keys that mean nothing to the rest of the system. Additionally there are more than a few ways to hijack .dlls using the registry, Back Orifice, Sub7, and NetBus come to mind.

      That is why I blame MS for the registry. It would be a good idea if the user was consulted for every new key added. That can't be done because the user can't be bothered. Unfettered, unrestricted application access to a housekeeping system with as much clout as the registry should plain not be possible. Since it's impossible to secure the registry the registry never should have been implemented.

      KDE and Gnome are following the same path to h-e-double-toothpicks.

      --
      +++ATHZ 99:5:80
  33. Re:Not so fast, sir by jdreed1024 · · Score: 4, Insightful
    A D-Link port-80-only firewall can be had at any number of electronics stores (heck, probably at Walgreen's too) for $79. It isn't a total solution, but it will protect a personal machine long enough to get the Windows Updates installed.

    Wow. Think of what you're saying. You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just to keep your OS up to date? Does anyone else see a problem with this?

    --
    There is no sig, there is only Zuul.
  34. Custom CD: "Sysprep", Slipstreamed service packs by Zerbey · · Score: 3, Informative

    I skimmed through the article, which didn't have many technical details. Here's what we do at work:

    You can integrate the service pack into the setup (which will be especially useful when SP2 arrives) so that it's installed at the same time. This works with Windows 2000 and up.

    You can then use Sysprep (brief introduction) to automatically deploy the latest patches the first time the machine boots.

    Here's a nice article on how to burn the result to a bootable CD.

    It's a bit of work, and requires constant maintenance but it saves a lot of headaches in the long run.

    An easier method, if you have a lot of machines with identical specs: build a template machine with the OS installed, adding all the service packs, patches, etc. Use software like Ghost to make an image for deploying to multiple machines.

    Who says the stuff you learn on an MCSE isn't useful? :-)

  35. Teddy Bears of Doom and Windows networking by Halvard · · Score: 2, Interesting

    That's what the "Teddy Bears of Doom" are/were all about. They were the people that beat up the programmers for buggy code. They were immortalized as one of the four random faces in the Windows 3.1 Easter Egg (I believe Gates, Ballmer, I forget but I think it was the project manager who left after 1 year cycling sabbatical, and the Teddy Bear).

  36. Re:Not so fast, sir by 31415926535897 · · Score: 3, Insightful

    +5 insightful?

    The total cost of his solution was the cost of the CD--your solution costs $80, and it isn't even complete.

    He mentioned installing a firewall (such as ZoneAlarm) which is free and would do as effective a job as your $80 solution.

    Also, one of the other large problems today is spyware (or hijackware as it should really be called), and that comes over the browser on port 80. Your $80 firewall is not going to stop that. However, the author of that article offered several free (and wise) solutions to combat this problem.

    I know I'm not supposed to feed trolls, but come on, at +5 I just had to respond.

    If you're really pushing this $80 solution over a perfectly reasonable free solution, then you either work for D-Link or you shouldn't be taken seriously.

  37. Re:Ignoring the root cause and fighting the sympto by takitus · · Score: 2, Informative

    umm... as far as I know the reason microsoft took the course of action they had been taking up until SP2 is so that a lot of the older poorly written software would work on XP. they have since changed their direction and SP2 fixes a lot of serious issues as well as renders some of the older crappy progs written for windows inoperable.

  38. RTFA by interiot · · Score: 5, Informative
    RTFA, please.
    • Actually, Microsoft does offer a security update CD, and is willing to ship it to customers free of charge. But, as always Microsoft has made a mockery of a decent idea. First of all, 2-4 weeks are needed to deliver the CD. Then there is the problem of availability, the CD is not available everywhere (I live in Pakistan, and the CD is not available for Pakistan). Also, the CD Microsoft is offering is horribly out of date. There is no fix for this last problem, if Microsoft starts updating the CD every other week, then people will start asking for a new CD every other week. Obviously, shipping a CD to every customer every few weeks is quite an expense, and Microsoft doesn't want that. So, the Microsoft Update CD is there just for moral support.
  39. It IS that bad by einhverfr · · Score: 2, Informative

    First, I would say that I used to work at Microsoft Product Support Services as a temp, and I triaged XP calls among others (including IIS).

    First, you have an incredible problem with overwritten patches-- something can easily happen which will overwrite a patched file with an unpatched one (I have seen this happen several times with production IIS servers, and in my experience this is the largest source of security compromises). Second, the firewall with Windows XP is not enabled by default for supportability reasons, and it is not really designed for small networks anyway (ICF is bypassed by ICS). The fact that Microsoft expects you to be online to get the updates is therefore a problem.

    But finally, a point the article missed: Microsoft computers are designed to reduce usability technical support calls, NOT technical support calls regarding misbehavior. Therefore, things like Client for Microsoft Networks (SMB, DCOM, etc) are enabled on network interfaces by default. Sure GNOME uses CORBA, and many Linux distros used to make this mistake (CORBA listening on network interfaces by default), but we at least now only let it listen on loopback by default!

    In short, I have absolutely NO confidence in Microsoft's ability to secure Windows. It could be done, but why? Especially if there is Linux?

    --

    LedgerSMB: Open source Accounting/ERP
  40. My wife uses Windows 98... by hal2814 · · Score: 2, Interesting

    ...and she has never run into a problem that SpyBot can't fix (aside from the occasional reboot when game software goes haywire).

    I run Linux and have been hacked once about three years ago (back when I had a cable modem connection). The only reason I knew they hacked me was when I noticed an extra user with several p0rn media files in their home directory. It has gotten me into the habit of patching Linux regularly and being much more strict on my firewall rules.

    I think the only real difference between Linux and Windows from a security standpoint is that in Linux you can usually turn off the offending service much more easily until a patch is available.

  41. Sounds like one man's rant by Paladine97 · · Score: 2, Insightful

    I have used Windows for a long long time and have never experienced any of the problems that the author claims. It seems like he has a beef with Windows and generalizes for all installations. For example:
    A typical Windows system follows a simple lifecycle: it starts out with a clean Windows installation, which gradually deteriorates as programs are installed, and uninstalled. Eventually, the Windows registry accumulates so much crud that the user is forced to do a clean install. When a user does a clean install that user's system loses all the previously applied security updates, and becomes a sitting duck for worms and other malware.

    A Windows system doesn't deteriorate if you know what you're doing. The author clearly assumes that the uninstallation packages actually work. This is a fatal mistake. I always manually look in the registry for left-overs when I do an uninstallation. I just uninstalled Mozilla? I find all Mozilla folders underneath HKLM/HKCU and delete them too. This tends to work well except when dealing with COM object registration (which is a nightmare).

    Then he tries to run a registry cleaner on his system. You know those warnings that say "MAKE SURE YOU BACKUP YOUR REGISTRY"? Well they say that for a reason. Back it up. Then when the shit hits the fan like the author said, he can restore from a boot disc.

    Yeah the registry is a pain sometimes, but combined with some experience and know-how, you can keep a system running without having to reinstall.

  42. Installing Win is easy, sure. And the sky is green by Jesus_666 · · Score: 2, Interesting

    As a matter of fact the only way to get a working XP is by installing it, connecting to the 'net from behind a NAT router, downloading and executing/installing XP Antispy, a virus scanner and an HTTP filter, fixing a few Registry settings by hand and configuring the system not to use any of the stupid new "features", effectively turning it into Windows 2000. Do not attempt to do this without a NAT router, except if you like to reboot every 60 seconds.
    Then you can connect to MS Update and try to get your updates (which probably requires disabling the HTTP filter and some of Antispy's settings).

    Seriously, Windows XP takes about a day to set up so you can start installing any programs besides what's absolutely required.
    One thing I learned when I switched to Linux - it's actually faster and easier to set up. Says someone who thinks of himself as a Windows poweruser...

    Of course this does not apply to Debian Woody, Slackware, Gentoo and RedHat. (RedHat pretends to be user friendly, but the installer tries to trick innocent Windows emigrants into destroying their MBR. To Win emigrants (if there are any besides me): Don't believe the anaconda propaganda! RedHat/Fedora can boot from /, even if it's not within the first 1024 sectors! anaconda tells you otherwise because it hates you!)

    --
    USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  43. Re:Not so fast, sir by rowanxmas · · Score: 2, Insightful

    If you RTFA you might notice that by living in Pakistan there is no doubt a noticeable lack of Walgreens, BestBuy, CompUSA, etc... At least I didn't notice any around there.

  44. Re:Not so fast, sir by DMiles · · Score: 3, Informative

    Also keep in mind that the article's author used a dial-up connection. Conventional hardware firewalls deal with ethernet...

  45. Windows for the Masses by GraWil · · Score: 2, Interesting

    To all those who are replying with, 'duh, unplug the network cable.' How many times have you tried to lead your computer using mom, grandma, sister, brother through this? It just doesn't work in my family. NB: my mom is a physicist. Microsoft Windows is used by the masses, not just tech savvy slashdot users.

  46. Sucks, but he's right by erikharrison · · Score: 5, Interesting

    I've been working tech support for an ISP for years, and this guy's fundamental conclusion is correct - Joe User can't keep his system secure - he just can't. And Joe Sysadmin has a damn hard time of it himself.

    The amount of "repair" functionality inside of MS products is a huge sign that users and developers are sick of the reinstall cycle, but that the OS design makes it very difficult to fix. Internet Explorer, Outlook Express, Office all have "repair my installation" tools built in, XP and ME have System Restore.

    I have watched users get the Sasser virus, run system restore, have system restore break the XP firewall, cause a port lockdown, resolve the port lockdown so they can run windows update, only to become reinfected with Sasser. Maintenance of Windows is hard, OS reinstall is easy. OEMs aren't value adding to the OS by providing solid maintenance tools, they're providing restore disks, because writing such a maintenance tool is INCREDIBLY difficult.

    I understand MS's need to stay committed to this design, at least through Longhorn and its revs. But as long as you are, MS, please give us a non network dependent tool for maintaining and distributing patches and updates. Let OEMs and (in my case) ISPs ship critical fixes on CD so that we can help our users. Make System Restore a fine grained tool, where I can back up critical system files and DLLs, as well as the registry. Don't force me to go to a third party for a "registry cleaner". Provide me with the OS for the tools that I need and that vendors need to maintain the OS.

  47. Run QNX on the desktop by Animats · · Score: 4, Informative
    One safe option is to run the free version of QNX on the desktop.

    The free version of QNX comes with no inbound services enabled. Most of the standard UNIX-type services are available, but they're not installed by default. It's a pure client. In fact, it's very close to what the iOpener ran. Both dial-up and LAN connections are supported.

    Mozilla 1.1 runs, but without Flash. There's a word processor, ABIword. The whole GNU toolchain is available. Unfortunately, OpenOffice hasn't been ported.

    It's refreshing to run a system without all the Microsoft crap, or the Linux emulations of it.

    1. Re:Run QNX on the desktop by happyfrogcow · · Score: 2, Insightful

      Great! for you maybe. in the home desktop scheme of things, QNX is irrelevant. Linux is hardly relevant, Linux has dreams of being relevant... and may be some day soon.

      telling home desktop users to run QNX, sheesh. good luck on this one, pal.

  48. Small private subnet and proxy fix windowsupdate. by dameron · · Score: 3, Interesting

    Here's a possible solution I was discussing not twenty minutes ago.

    1) add private network ip address (10.0.1.1) to existing public server

    2) do no NAT or other routing on this ip

    3) have squid running on 10.0.1.1 to accept connections from a handful of addresses in 10.0.1.x or do proxy authentication

    4) when installing/updating/troubleshooting windows boxes assign them a 10.0.1.x address and set windowsupdate to use the proxy

    Windows update runs, the machine is on its own tiny network isolated from all legit traffic and can't compromise your network plus it can't be infected from outside as it's safe behind the proxy. When you feel it's safe (you've got all patches, firewall, etc configured) restart with DHCP and get an address on your "real" network.

    Or you could roll your own installation cd with the correct service packs and security updates included, but why fix a software problem with software...?

    -dameron
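
The isolated patch subnet from the comment above, written out as a Squid configuration. This is an added example, not part of the original post: the comment specifies only 10.0.1.1 and "a handful of addresses in 10.0.1.x", so the port, the three staging addresses and the update-site domain list are assumptions, and restricting destinations to update sites goes one step further than the comment does.

```conf
# squid.conf for the patch-staging proxy bound to the private address 10.0.1.1.
# Added example: port 3128, the client addresses and the domain list below are
# assumptions, not values from the original comment.

# Step 1/3: listen only on the private address, never on the public interface.
http_port 10.0.1.1:3128

# Step 3: the handful of 10.0.1.x addresses handed to machines being rebuilt.
acl staging src 10.0.1.10 10.0.1.11 10.0.1.12

# Destinations a freshly installed box needs while patching (assumed list;
# compare against what your clients actually request in access.log).
acl update_sites dstdomain .windowsupdate.com .windowsupdate.microsoft.com
acl update_sites dstdomain .update.microsoft.com .download.microsoft.com

# CONNECT tunnels are only permitted to port 443.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Staging hosts may reach the update sites and nothing else.
# Order matters: the first matching http_access rule wins.
http_access allow staging update_sites
http_access deny all

# Step 2 is not a Squid setting: IP forwarding and NAT stay off on the server
# for 10.0.1.0/24, so this proxy is the only path off the staging subnet and
# nothing outside can open a connection to an unpatched machine.
```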

  49. I am asking for it but here goes.... by jwcorder · · Score: 4, Insightful

    I could not help but find myself in quite a humorous state as I read that article. As a Support Analyst for a Fortune 50 company, I see many of the errors that the user was describing in the beginning of the article. Unfortunately for him, he reinstalled the OS. All he needed to do was recreate his Windows profile.

    The right click locking explorer and the functionality loss of Mozilla were most definitely not caused by the Reg, but more likely caused by a corrupted NTUSER.Dat file in the profile folder of his machine.

    Furthermore, if you are currently reading this article on your home PC and not sitting behind a firewall of some sort, please send an email to banme@slashdot.org with the attention line reading I am no longer worthy.....just kidding just kidding.

    --
    http://jayceecorder.blogspot.com
  50. your dad says... by blastedtokyo · · Score: 4, Funny

    Son, I think it was a virus that took your name out of the will.

  51. Where is his firewall? by nsayer · · Score: 2, Insightful

    The real problem with the story told in the article is that there was no firewall between the system and the Internet. It is simply no longer acceptable to connect Windows machines directly to the internet without a firewall.

    That statement doesn't really change the conclusions in the article very much, but in the past I've reinstalled friends' windows machines and downloaded and installed all the updates without any trouble at all -- because I did it behind a firewall.

    If you wouldn't leave your car parked unlocked with all the windows down in the middle of [bad part of town], then don't connect Windows machines up to the Internet without a firewall. The end.

  52. Re:Not so fast, sir by jedidiah · · Score: 2, Insightful

    The separate box is simply sound engineering practice: Isolate key parts of a system from anything else that might screw it up. Microsoft has always been a screwup. So people are used to spending something extra to fix it. This might be a virus scanner or a consumer firewall.

    This is as old as Norton SI.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  53. Rant or reality? by doorbot.com · · Score: 2, Insightful

    A typical Windows system follows a simple lifecycle: it starts out with a clean Windows installation, which gradually deteriorates as programs are installed, and uninstalled. Eventually, the Windows registry accumulates so much crud that the user is forced to do a clean install.

    Half of the article seems like a rant against the Windows registry, and doesn't appear to even bring that point to a conclusion.

    Sure, reinstalling can fix a lot of problems, but the machines I maintain (personal and work) do not get reinstalled unless there is a catastrophic failure. I know it's popular to believe Windows boxes need a reinstall every 6 months, but I have to question the "l33t skillz" of those particular users.

    I've actually migrated installations from old hardware because I didn't want to reinstall my apps. Is there "cruft" in the registry on those systems? Maybe, in the same sense that you have orphaned .conf files in /etc or old log files on your Linux box. Such files/registry entries are unlikely to interfere with anything, and when they do, it is far more efficient to handle individual cases rather than apply a blanket policy of erase and rebuild.

    I have to wonder if the author of the article is trying too hard to fix problems which aren't... registry "cruft" does not harm the computer. If there are lingering problems after software installs/uninstalls, it's due TO THAT SOFTWARE. Don't install it next time.

    The company has to move away from its Windows roots in order to create a secure operating system environment.

    Is this the article's conclusion? That Windows isn't secure? All this moaning about how hard it is to get Windows updates and the suggestion is to "move away from its Windows roots"? So the registry "cruft" is now a security issue because the "solution" to computer problems is reinstallation? That's quite a stretch...

    I call FUD; I thought vague, unsupported claims were reserved for AdTI.

  54. Not a very convincing article by Quarters · · Score: 4, Interesting
    The author installed a bunch of 30 day trial software that borked his system. He then chose a registry cleaner without doing much research on them and ended up using a pretty poor one. Then he complains because his machine got fuggered when he had to reinstall the OS.

    Cry me a river. A tool like Norton System Works that has both an installation watcher and a great Windows configuration diagnostic/repair tool would've solved his problems. Grabbing the first tool listed on Download.com when you type in "Registry Cleaner" is not the intelligent way to go about system maintenance.

  55. why cars and oil make the worst combination ever by dunedan · · Score: 2, Insightful

    My brother had a car that he had like NO idea how to take care of man. and he like filled up the oil and didn't put the cap back on and ran the car for a few days and a week later or something the car like DIED man, SO DEAD. I mean it's totally lame to expect my brother to know that even if the oil light goes back off there's probably still a problem. I mean cars should totally just work. You shouldn't even have to know how to drive or anything, and if you run into phone poles by accident somebody should like fix it for free or it should be made of plastic or something.

    Seriously people, If you want to cruise on the info superhighway learn how to drive(get a firewall, AV, know how to work your box). If you don't know that stuff and something breaks it's not MS's or Linus's or anybody else's fault, it's yours

  56. Come on people... by Anonymous Coward · · Score: 2, Insightful

    Worms have nothing to do with firewalls. Worms propagate due to stupid users who don't have the sense to stay away from porn web sites and who automatically accept any ActiveX or Java they run across and who open any executable e-mail attachment they get. People need to be fixed, not Windows.

  57. Re:This article is a disgrace to slashdot by jedidiah · · Score: 2, Insightful

    What vmware installs onto a system should not screw it up. This is just an incredibly lame attempt to blame the end user for someone else's engineering incompetence. AT WORST, vmware should only be able to hose your network connectivity.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  58. Re:Where were you when the update came out? by Anonymous Coward · · Score: 2, Insightful

    Your dream of sitting at a mighty and invulnerable Windows box because you are an awesome guy and download/install patches right away sounds great...but the question is how vulnerable you are BEFORE the patch becomes available.

    11/16/2003: The vulnerability which would be known as MS04-013 is reported by Liu Die Yu
    4/8/2004: US-CERT issues security alert TA04-099A because there is an exploit of this vulnerability in the wild
    4/13/2004: Microsoft issues MS04-013 and a patch to fix the vulnerability.

    How safe was your box from 4/8 to 4/13? Did your vendor warn you about the defect in their product? How many months did they sit on the defect before doing anything? What do you think prompted them to finally release a patch? How long do you think it REALLY took to fix the vulnerability (hint: most Linux vulnerabilities are fixed in under a week, and some of Microsoft's coders are probably as good)

    Extra credit: Is it possible that there were active exploits of this bug PRIOR to 4/8 that went undetected?

  59. Re:This article is a disgrace to slashdot by blincoln · · Score: 4, Insightful

    I was going to post something less colourfully phrased if no one else had.

    The author of the article is either inept or trolling. Unless you are doing something dumb like downloading tons of shareware apps, installing them briefly, then uninstalling them, the registry should be fine.

    Of course, he *does* seem to be the kind of person that does exactly that, based on his "I downloaded a random 'registry cleaner' program and trusted it with my computer's stability, and now my PC doesn't work!" thing.

    The hotfix issue is a legitimate complaint, but anyone who is running Windows 2000 (an enterprise operating system) at home should be comfortable with making slipstreamed install CDs - especially if the user is someone with dialup access who regularly formats and reinstalls their system.

    I'm sure MS would be happy to provide physical CDs with the updates on them if more than a tiny fraction of users were willing to pay a small fee for the convenience. It's not like Linux users get magic free CDs mailed to them from the groups that package the distributions.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  60. "They don't recognize them as usability problems" by dpbsmith · · Score: 5, Interesting

    Best quote in the article: "Windows users are so accustomed to usability problems that they don't even recognize them as usability problems."

    Unfortunately, this extends far, far beyond Windows. This is a problem for the entire industry.

    It reminds me of the way nuclear power plants are (were?) licensed. If, during review, the nuclear regulatory commission finds a safety issue that is unique to the particular installation, the licensee must address it before it can be licensed. If, however, the licensee can demonstrate that the issue is actually "generic"--that is common to all nuclear power plants--the licensee need not do anything about it.

    In the PC world, any problem that persists for more than a few years is no longer perceived as a problem. It becomes "generic."

    The phenomenon is even getting worse over time, thanks to the general public's increasing familiarity with computers. During the eighties, when manufacturers were trying to seduce individuals into buying home PCs (and IT managers into abandoning those hard-to-use green screens for easy-to-use GUIs), usability disasters were treated as important. No more.

    Computers hit their peak of usability sometime in the eighties and have been in steady decline ever since.

    One of the biggest issues noted in the article is the instability of Windows over time as software packages are installed and uninstalled. But this is hardly limited to Windows. The irony here is that the ability to uninstall software properly was supposed to be a logo requirement for Windows NT 4.0 software, and one of the features that Microsoft used to urge its superiority to 3.5.

    Unfortunately, software installation and uninstallation is not a trivial problem. To do it right would require a great deal of functionality that can only be performed by the OS, which would need, for example, to track which system components were in use by which applications. And it would need to have the ability to associate specific versions of system components with applications, so that it would not be vulnerable to the assumption that Version 3.6.1 of the Frammis Service is absolutely guaranteed to have fewer bugs and be totally backward compatible with every previous version of the Frammis Service that has ever been released.

    And before sixteen people reply explaining that .NET fixes all that, spare me. As I pointed out, it has been true FOREVER that Microsoft has claimed that the next release of NT/Win2K/WinXP/Longhorn/whatever would fix all that.

    Microsoft didn't solve the problem. They just sort of declared that it had been solved. Installshield and friends kludge their way through installations, merrily making clumsy guesses and assumptions about the history of the system and the needs of other applications and overwriting files and changing registry settings. SQA departments are happy if the installed application runs after installation on a clean OS with no other software installed and don't have the time or the mission to make sure that (say) installing the application doesn't break anybody else's application. (Indeed, one suspects that in some parts of the industry, it's considered a plus if installing one application breaks other applications, if they happen to be competing applications).

    I could go on and on. (Indeed, I already have). In the world of PC's (and I include both Windows and Macs--and nothing I've read makes me think Linux is very different), an awful lot of things don't work very well and NOBODY SEEMS TO CARE because it's "always" been that way. Laypeople have gotten accustomed to blaming themselves ("my computer hates me,") IT departments don't even expect computers to work properly after about three years; developers/hackers/sophisticated users enjoy the challenge of troubleshooting the latest glitch... ...and formerly tame, humble consumer devices like television sets, cars, and cameras are getting computers built into them and are declining in usability too.

  61. Re:Not so fast, sir by schemanista · · Score: 2, Funny

    Look, I am not trying to defend Microsoft here. But I do have a small tool kit, a first aid kit, a pressure gauge, and a fire extinguisher in my car. Purchased at my own expense; not provided by the auto manufacturer.

    Did you install your own airbags, brakelines, windshield and headlights? Those came standard with my car--and (metaphorically) with my OS.

    --
    I saw that shot more than a few times back when Starbuck was a man. ~ lucabrasi999
  62. Re:Ignoring the root cause and fighting the sympto by kbahey · · Score: 2, Insightful

    We should not just "figure out ideologies". We should figure out the REASONS these extreme ideologies develop.

    It is now a war for the US, but before that it was just extremist political dissent in other countries. Because it was not treated then by the societies that had it, it fled abroad and went out of control.

    The analogy to Nazism and Fascism and wars against them is fallacious too. These were countries against countries, with defined armies, leaders, equipment, theaters of operations, ...etc. So, it was easy to attack a well defined enemy, and have a declared state of war.

    Terrorism is more amorphous, hidden, and clandestine. It does not have defined head quarters, nor armies, nor a theater of operation.

    It is more like crime, than like war.

    If it is to be defeated, it is by eliminating the cause(s) for it. Before these causes can be eliminated, they should be diagnosed and identified.

    Oh, and I disagree this is a "war of culture", as much as the extremists (on both sides) want it to be.

  63. It's a conspiracy! by Anonymous Coward · · Score: 2, Interesting

    Windows NT/2000/XP all have the ability to limit the damage done by virii and worms. I thought this quite nice and created accounts for everyone at my home sans admin privs.

    That lasted about 5 weeks. Why? Because every damnable application requires admin priv to install. Huh? Why does turbo-tax need admin? Why does nearly every damned game in the universe need it?

    All have admin now. I seem to be hit with some piece of malware once a week or more. My time is valuable (to me anyway) and so I've instructed my "users" to save anything they really want on the network disk -- A Linux/Samba server. It's just plain easier than having them run to me all the time to install Martha's cookbook program or Tiny-tots goes to visit grandma.

    Let's save a little bit of the blame here for the app developers too. They are just as guilty at generating the current situation as Mickeysoft.

  64. Messenger Service and Blaster Worm!! by scrubmuffin · · Score: 2, Informative

    Come on.. homeboy needs a firewall BAD!
    A simple Linksys NAT box would do the trick. Network administration 101: know what ports you have open, what protocols they run and what their vulnerabilities are. This goes for any operating system.
    If your system gets a worm via a port you didn't know it had open then you should consider it a valuable lesson.

  65. Firewall by Pelops · · Score: 3, Informative

    Well, while I agree with most of the points made, there are simple steps to prevent worms.
    At my parent's home, there is a Linux box doing NAT, so, in the box, the windows boxes on the local network are protected from any worms. They end up having enough time to download all the necessary patches from Windows Update.
    Recently, I reinstalled my windows XP. But before reformatting, the first thing I did was to burn a firewall like zone alarm. I then install my box without being connected to the internet, and proceed to install the firewall. It is only then that I download the patches.
    Else, it would be just plain nightmare.

  66. Registry? by jon514 · · Score: 2, Interesting

    I may be missing something here, but as I understand it the windows registry is just a repository for configuration information. The real problem lies in the system config settings that are exposed in the registry eg. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run & the general lack of access control to update such keys.

    On a unix box a virus could achieve similar effects by writing itself into the /etc/init.d directory - except of course the default permissions mean you normally need root access to do that, making unix a little more secure by default. Otherwise, the /etc directory performs a pretty similar function to the windows registry.
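An added example, not part of the comment above: its argument rests on `/etc/init.d` being writable only by root, and the Python below checks that property for a boot-script location. The function names and the `/etc/rc.local` entry in `DEFAULT_DIRS` are assumptions made for the illustration.

```python
"""Report boot-time script locations that a non-root user could modify."""
import os
import stat
import sys

# /etc/init.d is the directory named in the comment; /etc/rc.local is an
# assumed extra location. Adjust the list for the system being audited.
DEFAULT_DIRS = ["/etc/init.d", "/etc/rc.local"]


def audit_path(path, expected_uid=0):
    """Return the reasons `path` can be changed by someone other than expected_uid."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink's own mode bits are meaningless; judge what it points at.
        try:
            st = os.stat(path)
        except OSError:
            return ["dangling symlink"]
    reasons = []
    if st.st_uid != expected_uid:
        reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_tree(root, expected_uid=0):
    """Audit `root` and everything below it; return {path: [reasons]}."""
    findings = {}
    if not os.path.lexists(root):
        return findings
    # The directory itself counts: write access to it lets a user add or
    # replace scripts even when every existing file is locked down.
    targets = [root]
    if os.path.isdir(root):
        for dirpath, dirnames, filenames in os.walk(root):
            targets += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in targets:
        reasons = audit_path(path, expected_uid)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_DIRS
    total = 0
    for root in roots:
        for path, reasons in sorted(audit_tree(root).items()):
            total += 1
            print(f"{path}: {', '.join(reasons)}")
    print(f"{total} finding(s)")
    sys.exit(1 if total else 0)
```

An empty result means only the expected owner can alter what runs at boot from those locations, which is the default the comment describes.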

  67. Which 3 year old OS would survive? by Eristone · · Score: 2, Interesting

    Okay, I read through the article and just have a few questions.

    1) Which OS that if you reinstalled from the original installation disks (which is what he is doing) would be able to survive on a live internet connection long enough to download all the most recent patches and updates?

    2) He knew he was going to re-install - why didn't he download SP4 (or already have it downloaded most likely) and make a CD with it before he wiped his system?

    3) Along the same vein, why didn't he download the additional patches before wiping the system?

    This particular case is more of poor planning on the part of the system rebuilder.

    1. Re:Which 3 year old OS would survive? by argent · · Score: 2, Insightful

      I can't think of an operating system that wouldn't survive an internet connection for long enough to download updates. I wouldn't have the slightest concern putting any 3 year old UNIX system of any flavor online to download its patches, or even an old-school Mac running that abomination known as Mac OS 9, or for that matter Windows for Workgroups or Windows 3.11...

      The security design of Windows was hopelessly compromised when they merged the desktop and the browser, and nothing less than the complete reversal of that decision can restore it.

  68. I run XP Pro by localhost00 · · Score: 2, Insightful
    And it hasn't been infected in a long time.

    You can throw AAW and NAV at the typical user and hope the computer will remain scumware free, but the best defense is the user learning to not trust any arbitrary website and download.

    --

    Calling atheism and agnosticism a religion is like calling bald a hair color.

  69. I skip the CD part for home ... by twigles · · Score: 2, Interesting

    Since we have 2 win2k boxes and multiple bsd boxes I always have some harddrive with my collection of patches. You can just rename them by prepending the download date like this:
    2004-04-13-Windows2000-KB837001-x86-ENU.EXE

    and rebuild a machine behind a NAT box while calmly reading a magazine. Yes, it does suck that we need a network appliance between our hosts and the internet but this isn't a windows-only problem, it's just much much worse on windows for many obvious reasons.

    Keeping local copies of patches and having a secure network to set boxes up is just what I consider the cost of doing business (on M$, on BSD/Linux you just turn the service off until you dl the patch).

  70. AutoPatcherXP by Angry_Admin · · Score: 3, Informative

    AutoPatcherXP is an excellent collection of patches and updates that I've included on CD (along with some other tools) for our user's home computers. It contains about 300Megs of updates/patches/apps and is relatively up to date with all of the critical patches.
    After running AutoPatcher, only a few critical updates are needed off of windowsupdate's site. Unfortunately, MS04-011 is one of the critical patches NOT included with AutoPatcher. :(

    --
    Wait a minute. I got it. You could play with your magic nose goblins.
  71. Re:Not so fast, sir by kabocox · · Score: 3, Insightful

    You're telling users that they need to shell out almost a hundred bucks for a device that will allow them to safely download updates. Has Microsoft security gotten so bad that we're just going to accept that you need to buy a firewall just keep your OS up to date? Does anyone else see a problem with this?

    Our office lan has a hardware firewall and a network installed virus scanner. I think every network should be secured.

    As a home user, do you trust Cable One, AOL, or a generic small time ISP to keep you safe? Are they responsible for filtering all network traffic before it hits you? I'm going to say they should have hardware firewalls of their own.

    The /. crowd will never want filtered internet for themselves. But for your family? Wouldn't you want your mom on an AOL idiot proofed connection? If anything goes wrong, you could just tell her to call AOL and play dumb.

  72. Issues with Windows by gmletzkojr · · Score: 2, Interesting

    One of the difficult things associated with Windows is that you can't always get online to download the updates. Where I live, the majority of people still use dialup, and gathering the Windows updates is like sucking peanut butter through a straw. The other problem is that a lot of people don't know what updates really are, and how they can affect their pc. Also, try getting the most recent patches for an OS that is not the most current one (or shockingly, one not connected to the internet). MS makes it really hard to download and install updates on a machine that is not running the latest OS and has a slow (or no) connection to the internet.

    --
    I for one welcome our new [insert main topic] overlords.
  73. Custom CD by Cigamit · · Score: 3, Interesting

    Custom Update CDs are by far the easiest way to fix most of your family members' problems without actually having to be there (or netmeeting etc...)

    My custom CD auto runs upon insertion, and with the help of a little autoit script, it does this

    - Pops up a window telling them to politely leave the PC the hell alone (and updates the status along the way)
    - Locks all user keyboard and mouse input (don't want them screwing anything else up)
    - Executes "ipconfig /release" (die network!)
    - Runs the latest McAfee Stinger (silently)
    - Runs the latest McAfee Command Line scanner from the extracted SuperDat files
    - Checks whether it's 2000 or XP and makes sure that the latest SP is installed, if not, it installs it (and then reboots)
    - Installs all the latest Critical Updates for that OS
    - Updates their McAfee or Norton Anti-Virus with the latest dats on the CD (unless older)
    - Runs Spybot (copies config file over first, which autostarts/autofixes everything upon running)
    - Verifies that several of the services are set to the correct status (stopped/disabled or started/automatic)
    - Installs a registry file to help speed up the menus, etc...
    - Reboots

    This has saved me more time than I can possibly count. Before switching to this method, my life was hell (not to mention how high my gas bill was), now I just Fedex them an Updated CD anytime they call, and 99% of all problems are solved.

  74. Problems is Computers = Windows for most people by Ridgelift · · Score: 4, Insightful

    The whole idea of Windows Update is a joke. Using an unreliable and insecure network as the primary means of distributing security updates is simply idiotic. This is like asking people to walk through a minefield to get to a shelter.

    And yet, people still want Windows. I work in a high-tech call center, and people still look at me with blank stares when I tell them I don't use Windows at all at home.

    Q "What do you run for anti-virus?"
    A "Nothing. Linux isn't as susceptible to viruses"

    Q "What about spyware?"
    A "Same thing. I don't run anti-spyware either because I don't get it. Oh, and I can update my computer without rebooting too"

    I've even had a laptop running nothing but Slackware, and technical people _not_ believing that Windows wasn't somehow still on the machine! People just don't see computers with anything other than Windows. If computers = Windows, then how can people get sick of Windows and not be sick of computers? The fact is, Microsoft has done a brilliant job of equating computers with Windows, to the point where even most technical people don't see any other option.

    I think my job as an Open Source advocate is to just let people see Linux run on a computer, and let them follow the inevitable logical conclusion themselves.

    1. Re:Problems is Computers = Windows for most people by Octorian · · Score: 2, Interesting

      You know, that reminds me of when I went to work at a computer camp one summer ('00) during college. When I went there, I brought my recently acquired "purple" computer. (yeah, it looked cool, and had cool-looking screensavers everyone noticed)

      When looking at it, one of the counselors (ok, he was the lazy guy who ran the R/C cars stuff) asked if it was running '98 (as in Windows '98) :-)

      Of course it wasn't. It was an SGI Indigo2 running IRIX 6.5, with 4Dwm as the X window manager.

      I'd love to have some average person ask me about my home "computer" (probably referring to my main desktop, as I have several systems) sometime these days, if only to confuse them. At the moment it is a Sun box running Solaris 9. (and tech people assume Linux, when they see KDE and all that other OSS stuff running on the screen, hehe)

  75. Not Windows, third party apps & drivers by Malc · · Score: 3, Insightful

    This guy's an idiot. He installs crap and unreliable third party applications and drivers on his system and then blames Microsoft! The article was a rant about security, so why the comments about the registry? It seems that was a dig based on some other personal dislike. He admits he placed his trust in some third party tool to clean his registry! Seems rather foolish.

    If Linux were as popular as Windows, there would be just as much poor quality crap coming out for it trashing /etc, /lib, rc scripts, etc. Just as time consuming and frustrating to fix. Just as painful for incompetent and computer illiterate people. Just as many people running with root level privileges. Just as many boxes cracked automatically before security updates can be downloaded.

    I ran Windows 2000 for 3.5 years with the only problems coming from Creative Labs DXR3 and SoundBlaster Live! drivers, and Mozilla's graphics resource eating issues. I won't buy anything from Creative Labs again, and Mozilla have fixed their bugs. I only had to re-install Windows after I accidentally trashed the first part of its partition playing around under Linux (Grub, Lilo, dd ... oops!).

    1. Re:Not Windows, third party apps & drivers by erik_norgaard · · Score: 3, Insightful

      First: You say don't install third party software, so you're really advocating for monopoly. Sure, there exists crap 3rd party software, but the OS should be able to protect itself such that the system is not rendered unbootable.

      Second: His main 2nd point is still valid, regardless of what forced the reinstall. Inability to fetch updates fast enough to avoid being hit by a worm attack, the inability to resume fetch, the inability to fetch a cd image, etc. all makes it a pain to get the system up to date. It is a huge problem to maintain and update a vulnerable system when security experts claim that an unprotected pc will be hit by Sasser within approximately 10 minutes.

      Why is rpc on by default, on a stand alone machine? Ok, for interprocess communication - but only on the loopback interface!

      Microsoft has sold an 'insecure by default' product for years, while they should follow a 'secure by default' philosophy: Disable all services by default. The main reason that windows is so widespread (still) is that this is what the home user knows, and hence companies save money on training. If MS wants to stay in business they should protect the home user - and the home user does not need all the services enabled by default.

      Also, they would isolate kernel space and user space such that your system can boot and fetch updates, regardless of how many user space programs you install and deinstall. Only the OS should mess around in the kernel space.

      Again and again people lose data and time because they inadvertently do something that appears to be an innocent everyday action, but tampers with their system and renders it unusable.

      If you could at least get the system up to get backups - of course it's always weeks ago - before you go on to reinstall, you might actually get as far as live (painfully) with the remaining problems.

      Maintaining Windows is a pain, in particular for the average Joe.
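An added example, not part of the comment above or of any poster's code: comment 64 ("know what ports you have open") and this comment's point about binding RPC to loopback only both come down to reading a listener table. The Python below classifies listeners from text in the layout `netstat -ano` prints on Windows; the sample output is constructed and the function names are hypothetical.

```python
"""Classify listening sockets from `netstat -ano` text by how exposed they are."""
import ipaddress
from typing import NamedTuple

# Constructed sample in the layout Windows `netstat -ano` prints; not captured
# from a real host. 192.0.2.80 is a documentation address.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1680
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      192.0.2.80:80          ESTABLISHED     2120
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:1026           *:*                                    1092
  UDP    127.0.0.1:1900         *:*                                    1204
"""


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int
    exposure: str  # "loopback", "all-interfaces" or "one-interface"


def split_endpoint(endpoint):
    """Split '0.0.0.0:135' or '[::]:135' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    # Drop IPv6 brackets and any %zone suffix before parsing the address.
    return host.strip("[]").split("%")[0], int(port)


def classify(host):
    """Say which interfaces a bind address is reachable on."""
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    return "one-interface"


def parse_listeners(text):
    """Return a Listener for every TCP LISTENING row and every bound UDP row."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if fields[0] == "TCP":
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue  # established or closing connection, not a listener
        elif fields[2] != "*:*":
            continue  # UDP rows have no state column; bound sockets show *:*
        try:
            host, port = split_endpoint(fields[1])
            listener = Listener(fields[0], host, port, int(fields[-1]),
                                classify(host))
        except ValueError:
            continue  # malformed row: skip it instead of guessing
        listeners.append(listener)
    return listeners


def exposed(listeners):
    """Sorted (proto, port) pairs reachable from outside the machine."""
    return sorted({(l.proto, l.port) for l in listeners
                   if l.exposure != "loopback"})


if __name__ == "__main__":
    for l in parse_listeners(SAMPLE):
        print(f"{l.proto:4}{l.address:>15}:{l.port:<6} pid {l.pid:<5} {l.exposure}")
    print("reachable from the network:", exposed(parse_listeners(SAMPLE)))
```

Each pair in the `exposed` result is a port a firewall or NAT box has to cover until the service behind it is disabled or patched.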

    2. Re:Not Windows, third party apps & drivers by Malc · · Score: 2, Interesting

      Thank you! I really would like to hear an explanation about how SP2 will fail in the presence of the registry.

      As for your comment about new features in SPs: I think MSFT stopped doing that in NT4 days due to a large number of complaints from big corporations. This is a return to days of old. They seem to be handling it better though - recall stories here of the details 6 or months ago.

  76. oki, here is a nice solution or two : by da5idnetlimit.com · · Score: 4, Interesting

    As we all know, computers, aren't meant to be in the hands of users, but strictly confined to (some) admins.

    There is a solution that any knowledgeable admin can use : whenever a new service pack is out, you create an updated Windows installation cd (or dvd) that include the latest service pack => When reinstalling, you do that from SP4k or whatever, and it gives you an nice, almost secure config to start updating from...

    Also, a standard practice in my home is the use of Ghost just after the installation of all the basics softwares and updates...=> ditto.

    Now, a solution I have personally used on a friend's computer after the usual "crashed before it even updated" episode : I booted her computer using knoppix, downloaded the latest service pack and quite a bit of separate updates on a separate partition and then made an install without the net on...Ironic, using Linux to get a windows install running...

    Also (but that is only true on my own home network) I use a dedicated firewall (yeah, Linux) on my network, and I only keep open the ports I need...So, if I need to make a "virgin" Windows install, the firewall protects me from the nasty worms/exploits/whatsoever...

    Repeat after me : No Lusers in my Computer room ! 8)
    (Happily supporting my dad since Windows 3.11, I made my preceding comments a rule... backup often, streamline your updates, use a dedicated firewall...and NEVER let your dad (or any Luser) with a root/administrator account...btw, he's still using 98...

    --
    It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
    1. Re:oki, here is a nice solution or two : by Pxtl · · Score: 4, Interesting

      1) working from behind a standard router is good, as you say. Any basic NAT will block most attacks.

      2) you outline a problem - using anything but windows update for updating a machine is the domain of super-l33t windows geeks. Not normal people. I know my way around a windows box very very well, but trying to update anything on a win box without the updater I find nearly impossible. Yes, there are admin downloads, but I find them outright scary to slog through.

      IMHO, they need something simpler - 2 things.
      a) a way to generate an updater CD to re-apply all windows update patches currently installed on your PC (for when you wipe) and b) up-to-date updater CD ISO's available to download for each currently supported MS OS for when you need to set up a friend's computer. I recently set up a friend's '98 box and it was a headache - a nice "download this disk and burn it for patching" that I could launch from XP would be ideal. If they're concerned about bandwidth, throw some of their mass of coders to make an MS torrent-a-like for said ISOs.

    2. Re:oki, here is a nice solution or two : by FueledByRamen · · Score: 2, Informative

      Well, Ghost is a bit more advanced than DD. It copies the filesystem structures and the files exactly (as far as [the NTFS/FAT32 equivalent of] inode numbers and such), but it doesn't bother copying the unallocated space, and it compresses the image on the fly.

      Though if you want to do that with dd, you could:

      dd if=/dev/zero of=/path/to/partition/zero.dat bs=1048576 count=freespace-in-MB
      rm /path/to/partition/zero.dat

      which will zero all of the free space in the partition, then pipe the actual dd of the partition through bzip2 or gzip.

      Then you have all of the Ghost enterprise features like being able to multicast a Ghost image, netboot to autoghost, push images (remotely trigger a reboot and image download), deploy individual applications (like Windows installer automated deployments, except that it works), etc... which I'm sure you can do with free software anyway, but it's nice to have the convenient package.

      --
      Every cloud has a silver lining (except for the mushroom shaped ones, which have a lining of Iridium & Strontium 90)
    3. Re:oki, here is a nice solution or two : by IgnoramusMaximus · · Score: 3, Informative
      but it doesn't bother copying the unallocated space, and it compresses the image on the fly.

      True but then you do:

      dd if=/dev/my_funky_partition | gzip > image.gz

      Actually I tend to do:

      dd if=/dev/my_important_stuff | gzip | cdrecord -

      Of course there are better ways of handling this in Unix world, things like ole good 'tar' or 'dump' come to mind.

      As for the other stuff, sure its nice but it costs a pretty penny and you need to upgrade the crap all the time, not to mention the always popular proprietary software trap. A bootable business-card Linux (like Linux-BBC for example) and some custom scripts are all you need to achieve most of these tasks and you get to retain full control of the entire process.

    4. Re:oki, here is a nice solution or two : by Reivec · · Score: 2, Insightful

      You can already get a CD from microsoft, free even! http://www.microsoft.com/security/protect/cd/order.asp

      I am no MS advocate, but I am a tech support guy, and I have recommended this CD to people in the past.

  77. more stupid bullshit... by NIN1385 · · Score: 2, Insightful

    Doesn't this tell us something when linux doesn't even need a cd to install itself, but if you want to even get online with windows...you need a fucking cd to patch all the fuck ups they left in it? This whole problem would be solved if they would place the patches on the computers at the factories they make them in. Then when these idiots get their new gateway computers they don't help spread worms and viruses around the internet. But what does it matter, I am sure that microsoft will probably just create a new way for them to cause problems that they will get paid to "fix".

    --

    If carrots got you drunk, rabbits would be fucked up. - Comedian Mitch Hedberg R.I.P. 03/30/68-2/24/05
  78. It's not about your OS, it's about your attitude. by Etone · · Score: 3, Insightful

    This is pretty typical of the FUD articles about Windows or Linux that /. has been publishing lately. Windows zealots send in articles written by MS puppet "research organizations" that belittle the OSS folks; then the Linux zealots respond in kind with this article.

    It's really simple, people. Informed users will lock down their systems and know how to patch appropriately, regardless of their OS. Uninformed users will never lock down their systems or will get fooled into opening an exploit backdoor, regardless of their OS.

  79. As I told others by Orion+Blastar · · Score: 2, Informative

    if you insist on using Windows, get used to learning to live with malware. Sooner or later it will get installed on your system. The only secure Windows system is one without network access in any way, shape, or form.

    I downloaded the XP SP1a on a Linux box after reformatting my machines and then reinstalled them without net access and applied the CDR the Linux box burned. I also had antivirus tools, software firewalls, etc to install.

    Malware can be installed by visiting the wrong web page, try spelling microsoft.com wrong sometime and see what the bogus site does to your system. If you think only ActiveX does this, what about XPI in Mozilla, malware is written in both ActiveX and XPI bundles now.

    Make a wrong turn on the information highway and get owned.

    My Linux box is fine, except that it suffers from RPM and PKG hell. Which is about as bad as DLL hell, I guess?

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  80. similar issue by cheeseSource · · Score: 2, Interesting

    I have xp pro and one of the worms that hit gave me 20 seconds to resolve the issue before the computer shut down. Damn that was fun. Quickly access the net, search for the patch, download the patch - computer shuts off. Repeat until you are quick enough to beat the worm. It was like a horrible video game...

    --
    (Sponsored by cheeseSource for President 2012)
  81. I don't know what this guy is doing wrong... by joshv · · Score: 2, Interesting

    He seems to think that as a Windows installation ages, the registry accumulates cruft that eventually makes the system unusable.

    The presence of unused registry entries may take up disk space, and slightly slow registry lookups, but it's not going to significantly impact system performance.

    I've got systems that have been running on the same windows installation for over 4 years, with plenty of installation/de-installation.

    More than likely this guy had a host of explorer extensions or system tray applets that he forgot about. The important thing is to vigilantly clear out old services and auto-run entries.

    "autoruns", available free at sysinternals.com, will show you every piece of crap that runs automatically when you login. You can use autoruns to delete the entry, or to figure out what programs to de-install. I've also had good success using this tool to whack mal/spyware.

    You can also audit your services. Sort the service list by everything that is in a "running" status, and stop/disable those services that you know you no longer need.

    In my experience, it's the Windows users who don't know what they are doing that are always telling me how they had to "wipe their system and reinstall windows". I've only once met a system that I couldn't repair (a failed Windows XP upgrade).

  82. I just emailed the guy. by skinfitz · · Score: 2, Interesting

    To: questions@techuser.net
    Subject: Solution to your install problem.

    Just read your article at http://www.techuser.net/index.php?id=47

    Here is how to avoid worms and messenger spam during patching:

    Turn on the XP firewall.

    Do this BEFORE going online. You can do this by going to the network control panel, getting the properties for your net connection, click the "Advanced" tab then click "Protect my computer...".

    You will find this renders you immune to blaster et al while you patch your machine.

    Regards. //

    For someone who claims to have a Masters Degree in CS he's not too bright is he?

  83. First thing I do with a new Windows install is... by 5n3ak3rp1mp · · Score: 4, Interesting

    1) run any security updates
    2) strongly suggest not using Outlook
    3) Completely lock down the "Internet" security zone in IE and force users to add sites that don't function properly (due to scripting turned off) to "Trusted Sites" (which has scripting on)
    4) Strongly suggest that users use Firefox instead of IE wherever possible
    5) Install antivirus software
    6) Install Spybot Search & Destroy and AdAware

    This keeps most spyware, virii and worms out.

    As a curious side-note, the first thing I do with a new OS X install is...
    1) Apply security patches
    2) There is no Step 2 ;)

  84. Would You Like Some Cheese... by Macgruder · · Score: 2, Interesting

    ... To go with that whine?

    At first, I thought he had a valid complaint, but then as he goes through his shopping list of ills, he generalizes and skips over potential fixes any tech worth his salt would pursue. (and these are quite simple enough for any reasonably intelligent user to perform. I have instructed my own father over the telephone, how to perform these items)

    1) I have an IBM Thinkpad A22m, purchased in November 2001. It came with Win2k.

    Only once have I performed a system reinstall (3 weeks ago or so) to free up hard drive space from numerous programs, and not because of any issues with the operating system.

    In the 2 1/2 years I've used this incarnation of Win2K, I have applied Critical Updates from MS as they were released. I also ran McAfee 6.0 (retail), and IE 6 was the browser of choice.

    Until this last fall, I did not run any type of popup blocker or spyware utility.

    Prior to starting the system reinstall, I visited the Windows Update site, and used their tool to determine what updates I had installed. Each item that I no longer had the files for, I d/l again, and burnt all the hotfixes and updates to a CD.

    I did the same thing for the most recent drivers for this laptop, as well as for all the peripherals I had.

    Then I compiled a list of utils that I find invaluable (Avant Browser, Adaware, Spybot, SpywareBlaster, and other goodies) and put on a CD.

    Now, I have the original Win2K install CD for the laptop, a CD with all the drivers, a CD with the hotfixes / SP4 and handy utils. (plus CDs for the original applications, such as MS Office, Photoshop, etc)

    The whole idea is to not put the machine on the net until it's relatively secure.

    So now, I format the drive, and boot from the OEM Win2k CD. 45 mins or so for the install, then another 45 to install SP4 and the hotfixes (using MSs qpatch util, I don't have to reboot the machine until after all the hotfixes are installed)

    At this time I turn off Windows Messenger Service, and finish installing my utils. That takes about another 30 mins.

    Now, the machine is secure from pop-ups, spyware, viruses, and most MS OS-based exploits.

    Time, about 2 hours. It takes me longer than that to setup and patch a RedHat 9 machine.

    --
    I'm not crazy,I'm actively irresponsible.
  85. the kid is educating his dad by zogger · · Score: 4, Insightful

    he's paying him back. He's showing him that it's much better to not get your computer hosed in the first place, so he IS paying his dad back for his education, in exact kind. Adults can be wrong, but there's no easy way to point this out to them, in a father/son situation. And it worked according to the post, when his father realised what a PITA it is, what it really costs, both in cash in what might be done to his machine or credit card or other personal info, or how he could be used by a malicious zombie-running blackhat, etc, and how easily preventable it was, so he learned something useful and practical.

    I think a lot of people honestly do not know that the primary reason they might get hacked is not to get their personal information, but to use their machine to distribute hacked warez and spam email and kiddie porn. So, it's much better to do what it takes to help people understand the ramifications of their actions-or non actions, and to perhaps take a more critical look at the software they are running. To me, it's like a traffic ticket (paying to have your machine cleaned and fixed), you are SUPPOSED to learn something (stop being a know-nothing lamer) about your behavior driving your car (computer) on the public road (internet).

    Once people are REALLY aware of it, then they have a chance to correct the problem. If you can't get their attention in the first place, they won't ever learn. Sometimes it takes a fine to do that.

    I FULLY support ISPs or private network admins yanking access to the network from infected machines. They don't do it enough, IMO, and if it happens to me because my machine gets hosed and zombied and I don't deal with it in a timely manner, then too bad for me, too. I'd rather be told about it if I don't know myself, and losing your net access is both protecting the innocents, and getting your attention for a problem. And if THAT then kept being pushed back up the food chain to the vendors, where they had to code better, release less often, and be forced to offer products good enough they could be warrantied, then I'm all for that, too.

    It shouldn't take 20 years to come up with a more secure out of the box operating system that is network capable, is the real bottom line, no matter which one you are talking about.

    You'd see it get chaotic in meatspace if any manufacturer were allowed to sell "caveat emptor" products with no government required warranty, of course they would skip doing quality work then, because there would be very little risk to them. It's time software played by the rules every other manufacturer has to play by, especially if they demand IP ownership and patents and huge profits. They want it treated like a normal product, swell, but let the law treat THEM like any other product as well.

  86. Re:Not so fast, sir by ivan256 · · Score: 3, Insightful

    Insightful? My ass.

    Do you people have this same level of expectations for other products you buy? If something, right out of the box, is shitty to the point where it's humorous, why is it so wrong to say so?

    You may not think what you're saying is a joke, but it sure is damned funny. I wonder what other hoops we could get you to jump through.

    It's especially ironic that you recognize time and effort as part of the overall cost, but you still find your suggestion reasonable.

  87. Firewalls!! by diamondsw · · Score: 3, Informative

    Okay, let's get one thing straight. The only reason Windows is so easily attackable (and why Mac OS X and Linux are not) is that Windows ships with 10 million services running and listening on well-known ports. It's not the registry (although that contributes to instability over time), it's not Windows Update (although that could be much better designed - resumability, and fewer reboots!). The reason Windows is so vulnerable is it has far too many open avenues of attack.

    Try to hack a default OS X install, or many default Linux installs - sorry, *no* ports are open by default, so what can you attack? At best you might be able to DDOS the box, or some upstream piece of network equipment, but you can't crash or hack the box itself.

    On my OS X box all I have open is SSH and everything else configured to only listen to localhost. If you manage to crack that, I have a lot more to worry about.

    --
    I don't know what kind of crack I was on, but I suspect it was decaf.
  88. Would you like some cheese with your whine? by endus · · Score: 2, Insightful

    Listen, normally I'm all about trashing windows for its security. We all know what's wrong with it, no need to go into it again.

    I also agree that the amount of reinstalls required is kinda ridiculous. Windows installations on a working PC run by a computer guy do deteriorate over time. I think this could be fixed by simplifying the registry somewhat.

    However, this dude is blaming windows for things he should know better than to do. You went on the internet without a firewall? Why would you do that? What, exactly, did you expect to have happen? In XP you can enable the default firewall with a few clicks, so this issue has pretty much been fixed. Is it really productive to write a whiny article about an issue that Microsoft has already addressed, when there are so many more important security issues with the OS?

    The other issue is, what OS is going to be secure upon reinstall??? I mean, you can trash windows for needing frequent reinstalls, but you can't blame it for being insecure upon installation. With OpenBSD I can do an FTP install of the latest release, which requires a large download, or with windows I can install from CD and install the latest SP, which requires a large download. Either way I'm going to be online with an insecure system...unless I have a brain and run a firewall, of course. Even if you have the latest release of your OS somewhere, chances are good that you're going to have to go online to download a few patches.

    As far as the registry cleaner...I downloaded one of those too. I spent 3 seconds searching USENET and found an excellent one for free the first time. Do your homework = save yourself a headache.

    The amount of reinstalls is ridiculous, no denying that. Simplification of the registry would absolutely be nice. However, the registry serves a purpose. Sure there are other ways of doing it, but it's obvious from the tone of the article that the author has never supported windows in an enterprise environment. There are more than a few times where the registry system has come in handy. With the amount of crappy software vendors writing crappy software that doesn't conform to any standard, I am overwhelmingly glad to have a more or less standardized place to store configuration information. As much as I hate to say it, Microsoft also does a great job updating the registry with information about their own installed products, which makes deploying apps which depend on those products far far FAR easier.

    God...I can't believe I'm even about to say this...but the author should also check out System restore, since he's obviously not that windows savvy. As much as I hate this feature, it does seem to work reasonably well in some cases. There are more advanced tools for backing up the registry as well. Rolling back a windows system is a reality and there are more than a few novice users who I support who have saved themselves this way.

    I dunno...I mean the idea that you should have to reinstall so often is valid, and the idea that Windows should be more secure by default is more than valid, but this experience just seems like a really weak case for me. The idea that someone is going to avoid right clicking rather than reinstalling or put fucking VMWARE, of all things, on a system that is trashed to the point of not being able to right click just doesn't say much to me in terms of their qualification to write a technical article. I see the point the author is trying to make, but since XP has a firewall that is insanely simple to enable, I really don't see the point of whining about this.

    The other thing is that, somehow, some way, I manage to avoid the problems he is talking about. I do the same kind of fiddling and BSing around, but somehow I have never had my right mouse button stop working or have a browser stop working despite reinstalls. If you're going to mess with the computer, have your shit together, have a firewall (or the latest service pack) on CD, and stop doing whatever you did to screw t

  89. Mac to the Rescue by Darth+Cider · · Score: 2, Insightful

    I'm dismayed that any reference to Mac security usually gets smacked down in comments here, whenever the subject of Windows insecurity comes up. "Just wait til the worm and virus writers target Macs."

    But here's an idea. Buy a used Older Mac for under $50 to download your Windows patches, then burn them to CD and transfer them to your PC. Doesn't hurt to have a backup plan.

  90. Fixes are not as simple as they seem... by Digital_Quartz · · Score: 3, Interesting
    Such a CD should be shareable amongst users, so that if someone doesn't have an update CD, he/she can simply get one from a friend or an acquaintance.

    Well, first off, there's nothing to stop you doing this now. You can just download all the patches individually and burn them to a CD. But what's the problem with this?

    The short: this just means you'll be distributing virii by sneakernet. (Which is, admittedly, much slower than the Internet, but nonetheless...)

    You know, back before we had this newfangled "interweeb", we still had virii and worms. They were passed around on corporate networks, from networks to other machines and networks by floppy disk, and also they were sometimes distributed on BBSs with sloppy sysadmins.

    A "sharable" disk means that, instead of going through the effort of downloading those hundreds of megs of patches, I can just go copy a friend's disk. A copy of a "friend or an acquaintance"'s disk, however, is not a copy from a trusted source. Where did they get the disk from anyways? Who did they copy it from? It would strike me as very easy to craft a disc which would install a few intentionally malformed patches.

    There are a couple of solutions to this problem. You could, for example, make your machine compare the cryptographic hash of each patch against a known cryptographic hash. In order to get the known hash, however, you'd have to connect to that ol' public network again, with an unprotected machine. Since this functionality does not exist in current versions of Windows, you would also need some kind of initial patch from Microsoft to pull this off.

    Another fix would be to cryptographically sign everything with a public key cryptosystem. This works great, so long as no one breaks your cryptosystem and/or finds the private key. Again, the functionality doesn't exist in today's implementations of Windows, so you still need another initial patch. (At least, as far as I know... I suppose XP might have signed updates; I've never tried to forge one.) This might be promising for future versions of windows. Microsoft has already bet your system security on a public key system with signed .NET objects, so this isn't so bad.

    Both of these can easily be circumvented by a "sharable CD" that uses autorun to install nasty things before you install any patches at all. Of course, autorun is another feature of windows with questionable security.

    In the end, the public network isn't really such a bad tool for delivering patches. Microsoft's implementation could be improved upon; upon installation of a "fresh" copy of XP, for example, the install could connect to the net and download all required patches prior to opening any ports on the system. (You don't need RPC to download patches, after all). This is, more or less, the idea behind having the personal firewall enabled by default (only that's a little more kludgey).
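
The hash-comparison idea from comment 90 above, as an added example that is not part of the original post: a Python check of a patch CD's contents against a manifest of known SHA-256 digests. The manifest format, the file names and the choice of SHA-256 are assumptions, and the manifest itself has to come from a source you already trust; files on the disc that the manifest does not list (an autorun.inf, for instance) are reported rather than ignored.

```python
import hashlib
import string
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large service packs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  relative/path' lines; reject anything malformed."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {number}: expected digest and path")
        digest, name = parts[0].lower(), parts[1].lstrip("*").replace("\\", "/")
        if len(digest) != 64 or not set(digest) <= set(string.hexdigits):
            raise ValueError(f"manifest line {number}: not a SHA-256 digest")
        entries[name] = digest
    return entries


def audit_disc(root, manifest):
    """Sort every file under root into ok / mismatch / missing / unlisted."""
    root = Path(root)
    on_disc = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, expected in manifest.items():
        path = on_disc.pop(name, None)
        if path is None:
            report["missing"].append(name)
        elif sha256_file(path) == expected:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    # Whatever is left was never vouched for by the manifest.
    report["unlisted"] = sorted(on_disc)
    return report


def disc_is_trustworthy(report):
    """Accept the disc only if every file is listed and every digest matches."""
    return not (report["mismatch"] or report["missing"] or report["unlisted"])


def demo():
    """Constructed sample disc: one intact patch, one altered, one absent, one extra file."""
    patch_a = b"constructed patch payload A"
    patch_b = b"constructed patch payload B"
    manifest_text = "\n".join([
        "# constructed manifest (hypothetical file names)",
        f"{hashlib.sha256(patch_a).hexdigest()}  patches/example-a.exe",
        f"{hashlib.sha256(patch_b).hexdigest()}  patches/example-b.exe",
        f"{hashlib.sha256(b'never copied').hexdigest()}  patches/example-c.exe",
    ])
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patches").mkdir()
        (root / "patches" / "example-a.exe").write_bytes(patch_a)
        (root / "patches" / "example-b.exe").write_bytes(patch_b + b" altered")
        (root / "autorun.inf").write_text("constructed placeholder\n")
        return audit_disc(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    result = demo()
    print(result, "trustworthy:", disc_is_trustworthy(result))
```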

  91. Very good...let's go a step further..... by Chanc_Gorkon · · Score: 2, Interesting

    I think that Motorola and other cable modem makers should provide a basic ethernet router with NAT between their public IP and the IP of the internal network. You're NOT going to get Roadrunner and others to do the right thing and install a cheap Linksys router between the Cable Modem and the PC so just build a cheap 1-2 port router into the Cable Modem. The Cable Modem/Router with NAT won't provide for the ultimate security, but will help against these worms immensely. Also, these cable modems/routers should also put a LCD status screen and a few simple buttons on them. Press one to block the internet when you're loading a new Windows install and blam....no wormies. When the install is complete, press button 3 or whatever to open up Windows Update and Windows Update ONLY. When your updates are installed, press four to open up most commonly used ports (which may already be open).

    Microsoft should also fix this crap too. One great and easy example is have a one button application that creates a CD with all patches you have downloaded. Then when doing an install/re-install, if after x amount of time after release, ask for this disc. If you don't have one, then it should configure your system such that only the Windows Update website can work. Then it will auto download/install the patches. Or...and now I may be giving them too many ideas, change Windows Update such that it uses port knocking in this situation. WU could even use a different port every time.

    --

    Gorkman

  92. Downloading all "Windows Updates" is possible by comcn · · Score: 5, Informative

    I had this issue just the other day. I found out that Microsoft provide a "hidden" option on Windows Update to allow downloading all patches for a certain operating system.

    The following URL describes how to do it: http://support.microsoft.com/default.aspx?scid=kb;en-us;323166

    Basically, go to Windows Update, click on "Personalize Windows Update", and then turn on "Display the link to the Windows Update Catalog", and save. You then go back to the main page, where you can access the windows update catalog and download to disk all current patches for a particular OS automatically.

    When I found that I was very pleased.

    I think there is software to automatically install it all from disk, too, but I haven't had time to look for that, yet.

  93. Now make the CD Autorun by danZenie · · Score: 2, Informative

    I've been doing the same for my family members, but with an extra touch. Same type of software (plus the latest stinger) but create an autorun menu driven cd. Something like AMenu for CDs works just fine for me. Or you can search google for some nice cd autorun apps.

    --
    You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
  94. sorry, no by zogger · · Score: 3, Informative
    Government does require warranties on meatspace products. They don't require differing written warranties, but they DO require implied warranties. I posted a link to it just last week in another thread. Here, I'll do it again, this time to just a general overview and not the actual laws:

    FTC warranty info

    From that page, scroll down some:

    Implied Warranties
    Implied warranties are created by state law, and all states have them. Almost every purchase you make is covered by an implied warranty.

    The most common type of implied warranty--a "warranty of merchantability," means that the seller promises that the product will do what it is supposed to do. For example, a car will run and a toaster will toast.

    Another type of implied warranty is the "warranty of fitness for a particular purpose." This applies when you buy a product on the seller's advice that it is suitable for a particular use. For example, a person who suggests that you buy a certain sleeping bag for zero-degree weather warrants that the sleeping bag will be suitable for zero degrees.

    If your purchase does not come with a written warranty, it is still covered by implied warranties unless the product is marked "as is," or the seller otherwise indicates in writing that no warranty is given. Several states, including Kansas, Maine, Maryland, Massachusetts, Mississippi, Vermont, West Virginia, and the District of Columbia, do not permit "as is" sales.

    If problems arise that are not covered by the written warranty, you should investigate the protection given by your implied warranty.

    Implied warranty coverage can last as long as four years, although the length of the coverage varies from state to state. A lawyer or a state consumer protection office can provide more information about implied warranty coverage in your state.

    ---this is why they don't "sell" you software, they "license" it, and in the fine print it is most prominent that it has no fitness for purpose, or merchantability, etc.

    That's the part that is a scam, IMO, it's legalistic legislated snakeoil fraud, and needs to change. It's like GM offering cars "for license" instead of "for sale", and because they got 100 yards mileage on them driving them on and off transporters before they get to the dealers saying they are "used" and "Licensing" them to you for big money "as is". That would be stupid and a scam, and it's the same with software that they "license" but everyone on the planet can see they "sell".

    And if you are saying "too bad, that's the contract they click agree on", then I agree, that's why I think it should be outlawed, the law NEEDS to be changed, maybe from a serious major class action suit, because it's a freeking sale, and it needs at a minimum implied warranties like every other product out there. I'm just the kinda guy gonna call a spade a spade, that software is sold. There's free software, then there's for-sale software, everyone knows the difference. They can legal mush mouth it all they want to, it's still sold, that's how most people treat it and think of it, so it needs a warranty, for merchantability and fitness of purpose and so on.

  95. To me only disk imaging does it by Phatmanotoo · · Score: 2, Informative

    I've become so fed up with the traditional "windows rot" that I decided that only my own, full-disk-image savepoints will do.

    These days hard-disks are cheap. Set up a Linux server with partimage and a large disk, boot the windows workstations with SystemRescueCD, and make your "savepoints" at those times you install drivers, etc. Make sure you partition the disk into "system" and "user data". Partimage works great even on NTFS if you're careful to defrag first.

  96. the guy's an idiot by Thundersnatch · · Score: 2, Informative
    All he had to do was turn on the built-in firewall for his dial-up connection BEFORE he connected to the internet. No blaster worm, no problem other than the long download wait.

    Any decent systems administrator approaches Windows security in this way: Firewall FIRST, then download patches, then download and update AV software.

    Most American ISPs (dial-up and broadband) now turn on the XP firewall when you install their custom dialer/spyware/etc. installs, which is a good thing. Having SP2 preinstalled will be better.

  97. Have you looked at managed code? by jsburke · · Score: 2, Interesting

    > Microsoft really needs to look beyond short term remedies to solve security problems. The company has to move away from its Windows roots in order to create a secure operating system environment. Microsoft has a huge research and development budget, and it just doesn't make sense why it cannot develop a security centered OS.

    I wonder, have you looked at managed code?

    Five years ago, Linux-heads made fun of the BSOD; now they make fun of Windows' security. Don't underestimate Microsoft. They will get security right.

  98. Not funny... by Tug3 · · Score: 2, Interesting

    The article behind the link was so familiar reading. Even though I nowadays try to avoid maintenance of Windows systems. The story also reminded me of my "Windows days", as well as something that happened just last night.

    I happened to stop by my uncle's house where my father was setting up my uncle's computer. My uncle knows nothing about computers, but uses one for surfing and emails. My father on the other hand has fooled around computers as long as me, since 1981. He is a fan of Windows and now in his retirement helps his friends with Windows problems.

    The problem was very typical. Reinstall of Windows (because of registry problems) and upgrade from 98 to XP home (bad mistake)!

    As soon as they connected to Internet to download patches, the computer got hit by SoBig and Sasser. And even the antivirus software on the CDs was no help - it was obsolete by the time the CD was pressed.

    Luckily I happened to stop by and we could download with my secure laptop all the necessary updates and cleaners. Then just move the files with USB-dongle to the sick (although fresh) PC.

    All's well that ends well? - I think that my uncle will think twice if he ever buys a new computer, at least which OS he would like to have it run...

    --
    If all else fails, pull the plug and get out...
    The Life is out there...
  99. If you click on his FAQ by tdunn · · Score: 2, Interesting

    At the bottom of the referenced page, you'll see this lovely nugget of wisdom:

    Buy yourself a Mac and OS X, and you will be rid of security problems for good.

    Mac OS X is a standard Unix; therefore, it is no more secure than Windows.

    (Emphasis mine.)

    His article and FAQ show him to be the 'average user' - knows enough to be dangerous, more than enough to complain, but not willing to take rudimentary steps to protect himself, such as actually going out and buying some personal firewall software. (Granted, he's in Pakistan, so CompUSA is not an option.)

    I agree with his underlying sentiment - a user should not be expected to have to fix known and established holes in software, especially OS. But the "unix is just as insecure as Windows" was a hoot!

  100. nice comparison... by xpyr · · Score: 2, Informative

    not. First off windows 2000 is not designed for home users, that's why windows xp was released. Windows 2000 is for business users, who have an administrator that handles updates/fixes etc for them. Now if you are the administrator, the first thing you do when you are installing windows 2000 is to take out the network cable so that the install isn't interrupted at all. Then quickly install a firewall after the installation of windows 2000 is completed. Even zone alarm would work out and it would be installed quickly and quietly. Its standard settings pretty much protect you from anything. Now even before that you should untick client for windows networks and file and printer sharing for microsoft networks on your dial up connection before you connect and those vulnerable ports that the worms have been using would have been closed then. Giving you the necessary time to get the zone alarm firewall. Then you can take ur time getting service pack 4 without being affected by any worm. Having a firewall is a must on any computer connected to the internet. That is why microsoft is enabling it by default in service pack 2 for windows xp. Now as for windows xp users, all they gotta do is make sure the network cable is not plugged in when installing windows during a clean install and enable the firewall on the network connection right before u plug it back in. Then u can download all the updates you need no matter how long it takes you. The standard settings of the firewall in windows xp are just fine when enabled. And after installing all the needed updates, you can then install another software firewall if you want and can disable windows xp's firewall then. But my main point is don't be on the internet without a firewall on. Windows 2000/xp/2003 do have another firewall built in though as well. Go here if you want to read up on it. It's quite useful as it allows you to only block certain ports if you only need certain ones blocked instead of all of them.