Lessons Learned From Blaster
CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue.
Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's a snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."
Don't run windows. :D
Eheh, I couldn't help but chuckle when I read "Jim Morrison". Totally destroys the seriousness of the article.
All Hail Discordia. Hail Eris. Fnord.
I thought Blaster was an RPC virus, i.e. not one broadcast via email? I'm sure that's the one that got me a couple of times before I installed a decent firewall (you have 5 seconds to close all work...). Bloody swine of a thing it was - I'd always seem to be winning at Counterstrike too! (Well, that was my excuse, anyway)
The main weakness that allowed ingress was that any outside machine with a VPN connection also has a real IP address as well. Those machines, since they were unpatched, were sitting ducks for the virus... and then the trusted nature of the VPN assured that the virus would spread to the inside.
A basic firewall on the deployed machine to drop any packet not from the VPN could have stopped this before it started...
Blaster didn't spread through email. It used a DCOM exploit if I remember correctly.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
Back when Messenger Service popups happened and started using $80 hardware firewalls that doubled as Internet sharing boxes.
When Blaster hit I was sitting pretty and so was every client that took my advice.
*yawn*
Use Evolution instead of Outlook? Bewa
Oh sure, that's how it spread -- but you just know that some twat somewhere opened the original Pandora's box on this one in an email attachment titled "Cindy Crawford Strip Tease.scr" and that was that.
Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
Blaster didn't require user intervention to run. Default Windows installations came with the RPC service turned on, and that was all it took to be at risk. If your machine listened on port 135, the virus had a way in.
No, the best posts will be the ones from 'experts' who will tell you not to run Windows because MS is evil and trying to destroy your computer.
"I use a Mac because I'm just better than you are."
I use OSX since I never get virii or worms, but they are coming to the mac soon enough. Although, everyday I am using windows less and less and only for Oracle development (OAF/JDEV) because of my job.
;)
I guess the only thing to learn from the blaster worm is to switch to OSX.
The article starts with a story about someone having trouble completing a bill payment.
I thought the requirements for systems that handle financial transactions were so stringent that nobody would use Windows for such a purpose. Have I got it wrong?
A contractor using the guest offices brought Blaster inside. His laptop infected the security-counter image-storage system, which then found its way to the HR server. That in turn spawned the infections to the HR XP laptops where the patch failed.
The first thing you learn in ANY security job is that most breaches are from the inside.
As someone standing right behind the front lines, I will tell you that employees with laptops are the worst. Most end up with administrator access (not that hard to crack if you don't have it). And the fact that they bring their computers home and on the road makes them feel a certain entitlement to install whatever they feel like. Contractors are even worse, since most of the time these laptops ARE their personal PCs. Desktops and servers inside the DMZ are the least likely originators of malware. (Not to say you couldn't surf pr0n on the company mail server as an admin. But then you deserve what you get.)
Network admins need to lock down MAC addresses and start treating their network like the PBX folks. Nothing gets wired except approved company equipment.
If it gets really high, eg 50 or so (your average AOL user) automatically turn on the Windows Firewall, and include a flag on every outgoing packet indicating that the user cannot be trusted to operate their computer in a safe fashion. Webmasters can then block traffic from these PC's at their discretion - Problem solved.
Making the moon less necessary since 1998.
I wrote an in depth analysis of the Blaster worm for my GIAC Certified Incident Handling Analyst (GCIH) practical:
Is that the lesson?
John Kerry is a Joke!
Lost in a Roman
Wilderness of Pain
And all the Children
Are insane!
A key paragraph in the story...
"We had to do some research, but we found out that the way we locked down the users prevented the patch from running properly," lamented one of the policy admins. "What we discovered was that the software restriction policy for the local computer allowed only local computer administrators to select trusted publishers. Because our patch agent ran as a pseudo user, the agent did not have the necessary rights. This was causing the failure. We changed the group policy for the HR systems so that we can patch remotely from now on."
Sometimes, locking your system too tightly ends up locking the keys in the car. When you really need something to run, it doesn't...
Automatic Updates and Norton...and try to minimize office guests access to the network...
See Sig! See Sig Zig! Zig Sig Zig!!!!!
Every penny of the losses due to this should be charged to Microsoft for negligence. They were told over and over to fix their shit.
http://www.giac.org/practical/GCIH/John_VanHoogstraten_GCIH.pdf
On the one hand, virus writers are aggressively pursued and prosecuted with claimed damages of billions of dollars; on the other hand, these losses are not included in the TCO of Windows! What gives?
Heh.
The conference room used for the first discussions had been converted to a war room. The whiteboards were filled with IP addresses gathered by the help desk of systems suspected of being infected and trying to propagate the worm. Another list for all of the nonfunctional pay systems covered the entire portable whiteboard. These systems would have to be patched before they could be used to receive payments again.
:)
Red Alert! All senior officers to the battle bridge. Prepare for saucer separation in T minus 3 minutes and counting.
Picard: Data, can you locate the origin of infection?
Data: It will take approximately 10 minutes to scan each subnet.
Picard: We don't have that kind of time. Number One, options?
Riker: Disconnect the OC3 and raise the firewall, leave no ports open.
Captain: That should buy us some time but we need a better solution than that.
Diana: I am sensing something, Captain. It feels as if the SUS server has fallen offline; we may have missed the latest patches.
Data: Her hypothesis could be correct
We are the Borg, We will assimilate you!
Captain: Damn, and here I was thinking it was The Boy and his nanites again
No offense Wil
Im dreaming ofa big bndwdth, That can resist the
EOM
--- Ban humanity.
The Blaster Worm awoke before dawn.
He put his boots on.
The utility company lost more than $1 million in revenue that would normally have been generated from the pay systems during the time they were down.
Wait a second. Blaster didn't directly cut off any customers. How could the virus cost revenue?
Well, in the case of this story's Mona, it was because her power was cut off despite the fact she had the money to pay her bill through the last-minute pay system. That means a few days that she didn't use power, plus the cost of a needless disconnect that they couldn't charge for.
If the power company had a brain or heart, they would have not done any disconnects due to non-payment during this time frame. Sure, some deadbeats would get 3 days of free power, but the majority of people who missed their payment deadline would happily pay if just given the chance.
In short, they could have saved time and money if the bill collectors would have been told to take some time off...
The first thing I did when Blaster started doing the rounds was put DCOMbobulator in the login script -- bought me more than enough time to get patches in place.
But if these biyearly "connects to a flaw in an enabled-by-default MS service that serves no real purpose" worms have proved anything, it's that when something goes wrong, if looking at the problem critically would result in them having to make actually hard choices, then people will continually blame absolutely everything except the actual problem.
I've clicked on the words "Cindy Crawford Strip Tease.scr" in your post, but it doesn't seem to open the picture. What am I doing wrong?
I thought the lesson was, software monoculture in the global computing industry is opening the door for disaster -- what we need is diversity in platforms and applications.
NAT makes a very good poor man's firewall. Unsolicited packets get dropped... and services you didn't realize you had listening can't be reached.
this was modded insightful?? as in driving, modding should not be done while on the effects of crack people, i know this is /. but this is hardly "insightful" people... come on, a little more seriousness
If your machine listened on port 135, the virus had a way in.
well, if your machine was listening on port 135, and you hadn't bothered to apply the patch that had been available for, what was it, 7 months?
You could've turned off Messenger service in Admin Tools->Services, but I guess you probably would've been pwned by the blaster (assuming you don't patch right away...).
...as a norton rep.
:(
so sad
Huh?
The blaster worm spreads through the network to other PC's through the DCOM exploit, where it gets spread and run on the other machine.
No email was necessary to start it.
.Mac Email complaints.
Lots of other complaints from Mac Users.
Is it only the slashdot geek crowd that's happy with Apple ?
I think that was his point, was it not?
when did GNAA go from troll to OT? did i miss the memo?
Make sure you have the codes to shut down SkyNet. Oh yeah, lock yourself into a hardened underground base with Claire Danes to reproduce and save the world. Damn worms.
I wanted to thumb my nose at you from my high and mighty perch..
Whats that sound? Oh, its my ego expanding and my capability to form reasoned thought escaping.
OK, so M$ has designed a bad OS. But nobody that I know who has Windows XP and knows how to use it ever got infected with a virus.
Simple rules:
1. firewall software (eg. Norton) before connecting
2. You don't use Outlook/Outlook Express and preferably not MSN
3. Preferably don't use IE
4. windowsupdates
5. update your norton firewall/antivirus
Don't get me wrong, I'm an OS X and Debian user, but come on, all I can say is if it wasn't for all the dumb people out there who don't get what I call the essentials I would be unemployed.
Oh crap, I just spilled the beans.
What I found outrageous is that they disconnected customers. Even though they knew there was a payment issue. Surely the first thing to do would have been to put all disconnections, late fees etc on hold until after you know what the situation is.
They didn't include the cost of alienating customers or destroying their own brand image in the post mortem. But then again it would be a breath of fresh air to find a utility company that shows compassion or cares about its own image.
Yes, my only tool is a hammer. And you're starting to look like a nail.
Someday people are going to start developing worms that automatically patch the hole they got in through... that'll be the day, no more Windows Updates
the school that I go to, and work at, learned from blaster. we got pounded by it and after that we put the systems that should have been in place, in place. when sasser hit it was much less pain because of it. we learned all right
-Tim Louden
Blaster was a worm, and of worms in general I would say that there is little new to be learned from them. I did learn something new with blaster though.
I was doing some security work for an ISP at the time of blaster. They have a number of Cisco 12000 series GSR routers as well as Foundry Big Iron Switches. For those who are not familiar with the Cisco 12000 series routers, suffice it to say that it is Cisco's biggest, baddest router that stands up to 6 feet tall and comes from the factory with a 4 barrel carburetor, dual testosterone modules and a custom paint job with flames painted on the side (pin stripes are optional). These switches are designed to handle hundreds of gigs of traffic across their backplane and through their interfaces. If the ISP were forewarned that they would be seeing 300 mbps of traffic coming from the MS Blaster worm, they would have said "Bring it on!"
For those of us that aren't CCIE's, Cisco routers and Layer 3 switches have a function called CEF, or Cisco Express Forwarding. CEF is a technology that by its simplest definition caches routes.
If a packet from my computer is destined for yahoo.com, it will first hit the DNS server to resolve the host name to its IP address. My computer will then send packets to my ISP with the destination IP of yahoo.com (66.218.71.198). My ISP's router, presuming it's a Cisco router with CEF enabled, will look at its internet BGP tables and determine the optimal route my packet should take on the internet to arrive at that destination. Once the router has processed the route, it caches it so that all future packets coming from my home IP address, destined for yahoo.com will automatically be routed using the cached route. This takes a tremendous load off the router CPU as each packet no longer needs to be processed by the CPU, hence the term "Express Forwarding".
What the blaster worm did was send out hundreds of thousands of ICMP pings per second. This usually wouldn't be a problem for the router, except for each packet was destined for a unique IP address. What started happening is that each route was looked up, routed, and stored in its cache for future packets - only there weren't any future packets. What happened next was the memory space allocated for caching CEF routes filled up, and once full, the router simply purged its cache so that every packet had to then go to the CPU to be routed. Once this happened, all hell broke loose.
CPU utilization on the routers jumped to 100%, which should never happen under normal conditions, but this was clearly not a normal condition, and the internet came to a crawl.
There we were, with a router that should handle hundreds of gigs across the backplane without breaking a sweat being brought to its knees by 100mb of traffic... it was incredible.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
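As an added illustration (not from the comment above, and not Cisco's code), here is a toy model of the cache exhaustion that post describes: a per-destination route cache that is purged wholesale when full, fed with constructed normal traffic and with constructed one-packet-per-destination scan traffic, followed by the per-source distinct-destination count a defender would use to spot the scanning host. It models the commenter's description of the behaviour, not real CEF internals; the addresses, cache size and threshold are made up.

```python
from collections import defaultdict
import ipaddress
import random


class RouteCache:
    """Per-destination route cache with a hard capacity and a wholesale purge
    when full, as the comment describes.  Misses are counted as CPU lookups."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}        # destination -> cached next hop
        self.cpu_lookups = 0     # slow-path (CPU) route lookups
        self.purges = 0

    def _slow_path(self, dst):
        # Stand-in for a BGP table lookup: pick a next hop deterministically.
        return "hop-%d" % (int(ipaddress.IPv4Address(dst)) % 4)

    def forward(self, dst):
        hop = self.entries.get(dst)
        if hop is not None:
            return hop                       # fast path: cached route
        self.cpu_lookups += 1
        hop = self._slow_path(dst)
        if len(self.entries) >= self.capacity:
            self.entries.clear()             # cache full: purge everything
            self.purges += 1
        self.entries[dst] = hop
        return hop


def normal_traffic(n, sources, dests, seed=1):
    """Constructed sample: a few hosts talking to a small set of destinations."""
    rng = random.Random(seed)
    return [(rng.choice(sources), rng.choice(dests)) for _ in range(n)]


def scan_traffic(n, source, first_dst):
    """Constructed sample: one host probing n consecutive, never-repeated addresses."""
    base = int(ipaddress.IPv4Address(first_dst))
    return [(source, str(ipaddress.IPv4Address(base + i))) for i in range(n)]


def run(capacity, packets):
    """Push packets through a cache; return (miss rate, number of purges)."""
    cache = RouteCache(capacity)
    for _, dst in packets:
        cache.forward(dst)
    return cache.cpu_lookups / len(packets), cache.purges


def scanning_sources(packets, threshold):
    """Defender's check: sources that touched more than `threshold` distinct
    destinations in the sample.  Repeated destinations do not count, so
    normal chatter to a handful of servers stays below the line."""
    seen = defaultdict(set)
    for src, dst in packets:
        seen[src].add(dst)
    return {src for src, dsts in seen.items() if len(dsts) > threshold}


# Constructed inputs (documentation / private ranges, no real hosts).
NORMAL = normal_traffic(2000, ["192.0.2.10", "192.0.2.11"],
                        ["203.0.113.%d" % i for i in range(1, 21)])
SCAN = scan_traffic(1000, "198.51.100.7", "10.0.0.1")
CACHE_SIZE = 64   # made-up capacity, small enough to show the effect

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL), ("scan", SCAN), ("mixed", NORMAL + SCAN)):
        rate, purges = run(CACHE_SIZE, pkts)
        print("%-6s miss rate %.3f, purges %d" % (name, rate, purges))
    print("flagged:", scanning_sources(NORMAL + SCAN, threshold=100))
```

With normal traffic the cache never purges and almost every packet takes the fast path; with the scan every packet misses and the cache is purged over and over, which is the CPU spike the post describes.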
See... that's the problem. All those people running Windows with Keyboards and Networks and Unlocked Rooms attached.
Q: How do you know your Windows PC is lying?
A: It's plugged in.
It takes my power company more than one day to disconnect my power. I doubt they would send a truck out just to disconnect me because I was one day late. I've been more than 30 days late and have never been disconnected. Something smells fishy about the whole "Mona" part of the story. It also seems a bit too dramatic. I hate it when they mess up a story by trying to synthesize a "human" element to it.
They're lucky that Blaster was removable by remote control. A more effective virus would lock out any attempt to change system files.
naahh.. he had to fix the draft coming in from the Windows.
In the world of computer viri, is revenue conserved?
One day, in a galaxy...never mind...One day, internet connections won't even be possible with an exposed PC address. DSL/cable won't even be permitted to connect directly to a PC without DHCP/NAT interposed between. The sky will be clear of pollution. All people will clasp hands in a show that we are all from the same human family and we all have rights......
I'm getting loopy. It must be those packets I solicited from that guy downtown.
1) On home machines, *all* network accessible services should default off. In most cases, this will mean that remote exploits aren't going to happen - kernel level remote exploits are fairly rare. This means that if I port scan a machine out of the box, I should find 65535 closed TCP ports, and 65535 closed UDP ports.
2) On business workstations, all network accessible services should also default off, but the administrator should be able to provide a configuration to enable services needed for remote management.
3) Unneeded use of privileged accounts should be actively discouraged. M$ - consider defaulting to popping up "don't do anything stupid" reminders to users running with administrator rights under "end-user" versions of windows. Make it easier to obtain administrator rights when needed without having to log off and log back on. Educate users about the "Run As User" facility.
4) Operating systems designed for end users should have a facility to lock down the system temporarily while doing emergency maintenance, a "No services" mode if you will, which allows the user to obtain updates without being exposed while doing so.
5) While it can be argued that automatic updates are themselves a security risk, in practice, lack of updates is a far bigger risk. Anything that's remotely exploitable should be updated frequently and automatically by default.
6) Reboots are absolutely unacceptable to many users. Microsoft needs to work harder to eliminate unneeded reboots, *including* making changes to the way file locking works so that a reboot isn't needed to replace a file that's in use, or so that the affected subsystems can be stopped and restarted without restarting the entire system.
7) While blaster didn't use ActiveX, quite a bit of spyware and other ratware does. Fully executable web pages without any kind of sandboxing are a bad idea. Please, Microsoft, *disable* ActiveX out of the box, or require controls to be manually authorized by the administrator by adding them to an "Allowed controls" list in the Tools -> Internet Options dialog - NOT as a pop up "Do you want to install and run" box.
8) Expand user education campaigns. Encourage users to obtain basic computer training, and a basic understanding of computer security.
9) Provide readily accessible documentation that addresses security concerns. Warning labels get old, but perhaps a big red "STOP: Please review this security information" is appropriate.
10) Discourage software developers from enabling network-accessible services automatically. (Hopefully the "new" Windows Firewall in SP2 will go a long ways towards making users aware of what they are running, but time will tell.)
The "loss" numbers are bogus figures that include the time people stand in the halls talking instead of pretending to do work. There's no actual difference in the amount of "work" that gets done, but the company gets to write it off as an expense. The numbers also include things like "well our corporate website brings in $x million/month worth of sales (on average), and we were down for Y hours, so that comes to $Z of lost profits."
I can't help but feel sorry for Mona and the uncountable other people in her situation. She had her power disconnected for three days because of this, lost all the food in her refrigerator through no fault of her own, and all she got in return was her reinstatement fees waived. All through the article I kept waiting for somebody to correct their cranial-rectal insertion and put a hold on any disconnects or late fees until the system was back up. Clearly, they know that not everybody can get to their office during normal business hours -- why else have the payment centers in convenience stores -- and having their payment system down wasn't going to change that. When Mona called in on Day 2, she should have been told that the disconnect had been moved back until two days after the system was back up. If somebody isn't investigating why this wasn't done, and firing the people that dropped the ball, it's only because Pointy-haired middle managers tend to be employed by Pointy-haired CEO's.
Of our elaborate plans, the end.
No safety or surprise, the end.
Was Jim singing about Microsoft or SCO?
(Visions of slow-mo helicopter fly-bys and napalm exploding.)
If you don't want to repeat the past, stop living in it.
It's too bad power companies are monopolies. If I were Mona, I'd want to switch to a different provider for (a) being stupid and (b) cutting me off when it wasn't my fault they were stupid.
How were they stupid? Lots of ways, including poor security and using Windows for critical systems.
How did the Blaster worm got out of control so quickly?
Stupid people still using Microsoft products... that's how.
How do we solve this problem?
Install Linux... that's how.
dammit, I knew I was forgetting one. I know what .com, .exe, and .scr are, but what is .etc? I can't find any reference to that; is it the email trojan control applet specification?
Seriously though, it's a good idea to auto-flag such emails and make the receiving user jump through a simple hoop or two to receive those, but you can't just auto-delete such in many environments; there can be legitimate reasons for sending such things.
But for one thing, e-mail clients should at least pop up a warning box, one that contains useful info for joe sixpack. EG: "warning: this e-mail contains a runnable program attachment. If you're NOT expecting to receive a program from this person, it is most likely a virus. In that case likely the sender has no knowledge his machine sent it to you. Viruses can have severely harmful effects on your computer up to and including rendering it unusable without expensive repairs" with click-boxes that take a second to figure out, forcing the receiver to think rather than blindly click OK.
In the meantime why not have the mail server send a warning e-mail with the message inlined, but not the attachment, and instructions on how to get the attachment the server has quarantined if it turns out to be a legitimate e-mail.
Mycroft
Well lets see. Basic measures are necessary for us, since people tend to not follow security policies, and our Tech:PC ratio is so damn high we have had to be pretty ... well creative I guess is the word. Since we haven't the funding, manpower, or infrastructure to deploy anything that would require client reconfiguration 100% we have resorted to the following:
1. DHCP access listing. (Indexed systems get ips, others don't)
2. Router Access lists (in non-cisco language port filtering)
3. Heavily restricted nat firewalls (ipcop+snort)
4. NAV/Deep Freeze (www.faronics.com... if you can use it, do... no spyware, no viruses, no deliberate destruction of the local system, reboot and it's all fixed.)
5. Software Update Services (Deepfreeze plays nice if you schedule it right)
So obviously we use windows... and obviously we have a relatively secure (at least from the current and past virus/worm attacks.)
About 95-99% of the systems on a campus are frozen. In the case of an outbreak we can shut down all systems (removing the obviously infected systems from the DHCP access list) and boot the frozen systems back up. This is assuming the virus is 0 day, and it hits us before the SUS updates...
Still there are horrible gaping holes... for instance, a virus that spreads quickly, before a patch is released, and happens to still be spreading during the SUS thaw could result in a complete infection... but the odds there are pretty slim. And really, it puts us in a better position for 23 hours a day... and on par with most companies for 1 hour a day.
... they seems to keep using Windows.
R T F A ! The reason the laptop got infected WAS because it was locked down. THAT WAS A COMPANY notebook! Now, having to use my work computers gets annoying. The admins will lock some software down for NO REASON, JUST BECAUSE THEY CAN. Even when attending GSU (Georgia State University) some of the library computers were similarly locked, prohibiting legitimate uses. Other campuses like Georgia Tech (where I transferred, now a happy camper) have a very liberal policy applied. Haven't had any problems with viruses, worms etc.
I bought a mac.
Break on through
Break on through
Break on through
The open ports, yeah
How the hell is this a troll? Open your eyes around here. This little tidbit of 'expert' opinion pops up EVERYWHERE. Half the people here don't live in the real world and look upon anyone who touches Windows as some lowlife scum. Unless you run your own business and can therefore choose what you use, Microsoft is a cost of doing business. Unless you never want to play a game or have infinite patience and limitless optimism, most people at home are going to run Windows. No, not everyone wants to run Linux. No, not everyone has a choice not to use Microsoft products. No, Microsoft is not out to get you by breaking everything when you install an update. It is unfortunate when it happens, but it's just that, an unfortunate accident. It happens in Linux too.
"I use a Mac because I'm just better than you are."
Poor Mona...I'm glad to see that they oversimplified someone's life and made them look like a poor struggling soul. That helps for pity value and gains extra credibility.
"Without an extra day to pay her bill she was facing certain disconnection, meaning extra reconnection fees and no lights or stove to fix hot meals for her kids."
"Mona's alarm woke her up--a good sign that she still had electricity. Maybe, because of the problems with the pay systems, the power company was giving her extra time. She set out to fix a hot breakfast for her children, get them dressed, and walk them to school before facing another day of dealing with customer service to buy more time before disconnection."
Yea, remember to think of the kids. Let us all shed a tear for Mona and her children.
I'm not sure why people think "hardware firewalls" are better. Experience shows that they are often shipped with huge gaping holes. One of them had a root password of "uclinux". Most of them probably have a static root password that's the same on every unit.
If you want a cheap, trustworthy firewall put a free Unix on a cheap PC and configure it per the community's advice.
Um, The kernel doesn't have to be compiled daily to maintain stability. The only way to 'hose' your system, would be to add the -j to the end of the make command on a system with little memory. Do you even use linux!?
I need a sig.
We'll start off by assuming the story is a fabrication and not all facts are equal, now the analysis I noticed.
1. The first TCPdump was supposedly taken from the firewall - but the packets were destined for the same network - it would be unlikely that the firewall should see this traffic, being non broadcast - unless we assume the utility company did not have their network either properly routed (traffic from the internal lan should not hit the gateway) or their network is not properly set up with a switch and everything is on hubs.
From my suspension of disbelief I had a hard time believing either of these facts - it would have been more logical to state it was an IDS system or a network scanning utility plugged into a mirrored switch port - sorry, I just didn't buy that the firewall would see it since there would be no reason to make the firewall be able to see any unnec. packets, therefore increasing the load on the firewall - esp in a mission critical company like the utility company.
2. That the utility company lost millions in revenue - it was the utility company - they would get their money one way or another - so all "lost" income would come and they would get what is coming to them - but we wouldn't have heard the tale of the innocent bystander Mona.
Sorry these just irked me - but beyond that was a fairly good write up.
Did anyone else read to the end where the employees discuss "lessons learned"? Really encapsulates what's wrong with IT. First, nobody says the obvious, that they shouldn't have used Windows for a dedicated, distributed application. I guess at least someone must have thought that, and was afraid to speak up. There are hints in the article of an upper manager beating his chest and making the peons shake.
Second, they vow to not let contractor notebooks on their network without a thorough security vetting. Great, more IT-fascism, and totally impractical. IT needs to support the organization's business objectives, not obstruct them. If you have an attorney who bills $400/hour coming in to meet with the Chief Counsel, and he's got one hour before he has to drive to the airport, who is going to hold him up and scan his notebook? What if you screw it up in the process? There are lots of more practical solutions to this problem, once you accept the basic fact that IT is not an end in itself but just a business enabler.
Also, did you notice how Windows' overly complicated permission system caused a disaster? The machines were locked down to prevent tampering, which prevented the patch scripts from running. In the end, they had to send people out to each location to fix the machines. I've never had this problem with Unix, because Unix permissions are simple and logical; therefore a sysadmin can easily understand the implications of any permission setting.
I particularly liked the phrase (quoting from memory) "one of the policy admins". One? Not only do they seem to have a full time employee maintaining these tragic "policies", but they have a team? And still caused a train wreck? Windows is close to being a job-creation program for mediocre technical types.
What does it mean to "ping port 135"?
It did nothing to the files, just rebooted the computer, and waited for a precise date to attack Microsoft site. I wanted to participate to this huge distributed computing effort.
To do this, no patch was required: just open the control panel, click on ugly icons, and go to the RPC panel. Here, I was surprised to see that the main annoying behaviour of this worm was due to a default windows setting!
The default option on RPC failure is to "restart computer"! So I chose the "restart service" option for every failure and that worked fine! All my friends could now live with this worm and contribute to this distributed computing effort!
Default options in Windows are users' worst choices: restart the computer on every failure!! The funniest, and stupidest, one is the default restart computer on... boot failure!
To Fix every virus under Windows, put a Knoppix CD in your box and then restart your computer for the last time.
9.5 for style, 0 for content.
Patching is dead. In a world where worms can spread faster than patches, patching is by definition a failed paradigm.
Of course, too much so-called security business depends on the model of adding layer after layer after layer (each layer another product that can be sold) to achieve "security". Whereas security (without quotation marks) is often reached by reducing rather than increasing complexity.
My bet is 18 months or less before a worm uses some exploit in an anti-virus or anti-worm software to propagate.
Assorted stuff I do sometimes: Lemuria.org
Hey, come on, guys. Windows XP has a personal firewall built right in. You just have to activate it for your Internet connection. It's about three clicks from the desktop.
While the XP firewall is certainly not the holy grail of secure computing, it does prevent your PC from being blasterized while you download the necessary updates. Don't tell me that you didn't know this, having been a Linux user since 1995 and being security-conscious.
As a state gets corrupt, its laws multiply; the most corrupt states have the most numerous laws. (Tacitus, Annales 3:27)
The utility company lost more than $1 million in revenue that would normally have been generated from the pay systems during the time they were down.
Huh? No-one's going to get by without paying their utility bills, as illustrated in the sob story. That revenue was likely deferred, not lost.
deus does not exist but if he does
1. Silly: there's no purpose to such an exercise. We all know what the cause was, and these 'cottage industries' that feed off the weaknesses of you-know-who aren't fooling anyone except themselves.
2. Stupid: I mean REALLY - how much is it going to take until these idiots get a grip and realise it's Microsoft technology? I'd like to see one of these idiots in the Alps during an avalanche:
'Run! Get out of the way! Avalanche!'
'Huh?'
'It's an avalanche! Run for it! Hurry!'
'Huh?'
And so forth. Yell 'Microsoft' and it's the same thing. Trouble is, some of these idiots think Windows is a GROOVY platform - something I will never get.
3. Slanted: Anything that refuses to look the truth in the face at this late a stage in the game is slanted. I think there's money involved, but exactly what prompted this idiot to offer us his pearls of wisdom I cannot of course know. Still - basic bottom line: I could give a flying F. If I could pass a law about anything at all right now, it would be a law that muzzled these idiots once and for all.
Sure, it's a riot how Windows machines get the shit knocked out of them, but it's a disastrous waste of global resources and it long ago ceased being funny. Muzzle these idiots and don't encourage them by linking to them.
Well said.
-]Phreak Out[-
... and DSL/cable users will no longer be hosts on the Internet, in the sense of RFC1122 - the Internet is, after all, peer-to-peer. Since even dial-up users have traditionally been real Internet hosts, that would be a shame.
I would support ISPs blocking incoming connections by default, but only if it's easy to unblock them.
...no. you TEST stuff. rigorously. if you're using automated builds and locked clients, then this is pretty easy - get a preproduction lab setup, test everything and THEN roll it out. if you don't have the skills, hire a contractor that does to set it up for you.
i can tell you that changing group policies on a domain level is something that brings me out in sweats - you NEED TO TEST IT as otherwise some tiny check box will fsck all your clients domain wide of a monday morning.
Now how many people made sure their virus software was up to date after reading that? For the 3 Mac users, I don't care what AV software you don't run; for the 7 Linux users, I don't care either; for the 10 Windows users that claim to be Linux fans, but only use Linux for a server, your vote doesn't count; for the 933,343,343 Windows users, did you make sure your AV software was up to date?
My NAT/fw is a P166 box running IPCOP.
Easy to patch. Easy to use. Easy to set up.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
I think the most important lesson is that the more proprietary software is, the more difficult it is to mature. Microsoft's closed development model does not help in the direction of code maturity, no matter how many programmers there may be. One of the reasons is that the open source developer may feel more pressure to deliver something that works flawlessly than the closed sourced developer.
If there's one thing people should have learned from Blaster and the like, it's that it's still out there. It's on the wires, passing through routers and scanning for its next victim. It's not going to go away anytime soon. So before anyone just blindly plugs into the Internet, just remember that it's out there, waiting for you.
We got hit by Nachi/Welchia at the end of August 2003 while I was on holiday with my daughter.
I came back to work to find the place in chaos (the volume of traffic that critter produced on our network was astounding).
I knocked up a KiXtart script which, when run remotely with Administrator credentials using Sysinternals.com's PSExec, detected the presence of the worm, killed the process if it was running, ran McAfee's Stinger and patched the workstation.
A modified version of that script which detects over 100 common viruses is now run on every workstation when the users log in.
In my experience, there's a residual 2 to 3 percent of workstations which, for a variety of reasons, refuse to be patched remotely (usually no ADMIN$ share, sometimes in need of a service pack).
Every month I use the same techniques to push out critical patches to our 2000+ desktop PCs.
It's amazing what you can do with free software.
Fairly recently, there was a worm ("Witty") exploiting a hole in BlackIce Defender (a server-grade firewall and intrusion detection system). A damn nasty specimen, too -- it randomly wrote bogus data to random sectors of the hard drives, slowly destroying the server (and immediately rendering it untrustable).
One article on the worm can be found here; I'm sure the usual gang has advisories out for Witty as well.
The real answer is OSS doesn't have a critical mass to attract the ire of virus writers. Once Linux or any other open operating system hits critical mass, you'll see plenty of viruses and exploits, and they'll be easy to write since the author will have a copy of the source code available.

I also don't buy the pressure to perform well argument; well, I think you have it backwards. Proprietary software will have more pressure to perform, for the author or owner's livelihood is on the line with it, but OSS is written more by hobbyists that do it for fun, so they receive little pressure in that regard. That hobbyist mentality is what makes OSS good, but not from pressure, but desire to do something right. With proprietary software, the engineers aren't always excited or interested in the project, so don't give it their best and have immense pressure to get things done in the shortest period of time. In OSS, the engineers volunteer for the project because they believe in it or are interested in it and so put lots of energy into the project. They also deliver when they want to and so wait until the internal plumbing is in a more consistent state.

So back to the point: once OSS hits critical mass, we'll see how much time volunteers spend updating security holes, releasing patches and the like when the authors would rather write new code, not maintain old stuff. It could all work, and the trigger for this mini rant is the lies and spinning of the OSS community that every good attribute of software is an attribute of OSS and every negative attribute of software is an attribute of proprietary software. They both have positive and negative qualities, and the lying will do more harm to the OSS community in the long run than just admitting that there are positive qualities to your enemy.
Patching isn't dead, it's still needed.
What's frightening, however, is that Antivirus vendors still haven't got it. Weekly, or even daily pattern updates are NOT sufficient to prevent the spread of viruses and worms.
For example, W32/Zafi.b@MM was in the wild on June 11th this year, and was detected and stopped on the same day by Bitdefender and ClamAV on our MailScanner box. McAfee released its 4366 DAT files 2 1/2 days later, on June 14th.
Similar slow responses happened with Netsky and Bagle, IIRC.
The biggest trouble we have is getting past the mindset which says "we have up to date antivirus on our PCs therefore we're safe". I beg to differ.
Phil
use DOORS instead of WINDOWS !!!
vir viri m. [a man , male person]; esp. [a grown man; a husband; a man of character or courage, 'he-man']; milit. [a soldier, esp. an infantryman; a single man, individual].
virus -i n. [slimy liquid , slime; poison, esp. of snakes, venom; any harsh taste or smell].
Latin Dictionary and Grammar Aid
sic !
CC.
TaijiQuan (Huang, 5 loosenings)
I find the parent quite Funny indeed, not that the post has too much truth in it though. ;)
Seriously, I think we've already compiled our kernels.. Next!!
- Voice of Ambience -
I thought he had gone under the name of RMS since 1971?
I'm surprised ISPs aren't taking proactive steps and setting up firewalls in front of their DSL/cable/dialup users. Even a Cisco CBAC firewall or simple router access-lists would be better than nothing. I know some of them block NetBIOS ports, but they should really just block anything incoming to an end user unless it is part of an established connection. Also, block outbound SMTP and require HTTP/HTTPS access to go through a proxy server to stop worms from just hitting other ISPs willy-nilly.
This sounds like a party game. You get a used computer bought at some sort of closeout, a Windows95 OSR2 installation disc, and a wide-ass open internet connection.
When you get a virus, you yell "Gates Rape", and someone hits a stopwatch to time your run. Whoever can get raped the fastest wins!
who are those slashdot people? they swept over like Mongol-Tartars.
I'm with you on the REAL firewall thing.
Get something with stateful packet inspection, ability to recognize port scans and cut off access (i.e. an intrusion detection system), response time in under half a second, and a logger that shows everything that has happened for the last four weeks, just in case. Oh, and just in case it gets hacked, make sure you have a way of showing its process listings.
What can do all of these things? Certainly not the cheap Linksys router you suggested. Those don't even come with an IDS. I know because I have one of the latest models.
For that you're going to have to buy something that costs over a grand... or a $40 133 MHz machine.
How about instead of suggesting a hardware firewall, we say a dedicated firewall, since a grand is a bit much to pay for the good features.
As far as fruit goes, I don't think the analogy fits too well. It suggests that it is only slightly more difficult to make a virus for a well-firewalled system with user process levels. It's more like the difference between getting a leaf off the top of a shrub and getting one off the top of a giant redwood.
Mod me down and I will become more powerful than you can possibly imagine!
How bad would it be for the router to be tracking state on EVERY packet for EVERY internal customer?
An alternative would be to go stateless, and just block incoming SYN packets. That would leave UDP open. How big an exposure would that be, or how big a burden would it be to go pseudo-stateful on UDP, blocking incoming SYN on TCP?
But then again, I don't want to solve ISP problems like this, because I'd like to have remote access to MY systems at home.
The living have better things to do than to continue hating the dead.
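To make the trade-off in the post above concrete, here is an added toy model (not the poster's code, not a real router) of an edge filter that keeps no TCP state and drops only inbound bare SYNs, with an optional lightweight "pseudo-state" table for UDP. All addresses and packets are constructed sample data; it shows that a Blaster-style connection attempt to TCP/135 is dropped either way, that UDP is wide open without the pseudo-state table, and that a stateless TCP rule still lets non-SYN inbound segments through.

```python
"""Toy edge filter: stateless TCP (drop inbound bare SYN) + pseudo-stateful UDP.
Constructed example; addresses are documentation ranges, not real hosts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" (Internet -> customer) or "out" (customer -> Internet)
    syn: bool = False
    ack: bool = False


class EdgeFilter:
    """Per-customer filter as an ISP might run it at the edge (hypothetical)."""

    def __init__(self, udp_ttl: float = 30.0, pseudo_state_udp: bool = True):
        self.udp_ttl = udp_ttl
        self.pseudo_state_udp = pseudo_state_udp
        # Only UDP gets a table, keyed by the customer's 4-tuple; entries expire,
        # so the cost scales with active UDP flows, not with every packet seen.
        self.udp_flows: dict[tuple, float] = {}

    def expire(self, now: float) -> None:
        """Sweep stale UDP entries (what keeps the table bounded)."""
        self.udp_flows = {k: t for k, t in self.udp_flows.items() if t > now}

    def handle(self, pkt: Packet, now: float) -> str:
        if pkt.direction == "out":
            # Outbound traffic is never filtered here; an outbound UDP datagram
            # opens a return path for replies from that exact remote host/port.
            if pkt.proto == "udp" and self.pseudo_state_udp:
                self.udp_flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.udp_ttl
            return "allow"

        if pkt.proto == "tcp":
            # Stateless rule: a SYN without ACK is a new inbound connection
            # attempt (e.g. a worm probing port 135), so drop it. SYN+ACK replies
            # to the customer's own connections pass. Caveat: because nothing is
            # tracked, an inbound segment with no SYN flag also passes.
            return "drop" if (pkt.syn and not pkt.ack) else "allow"

        if pkt.proto == "udp":
            if not self.pseudo_state_udp:
                return "allow"          # the "go stateless" variant: UDP is open
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            expiry = self.udp_flows.get(key)
            if expiry is not None and expiry > now:
                self.udp_flows[key] = now + self.udp_ttl   # refresh on traffic
                return "allow"
            return "drop"
        return "drop"


def run_scenario(pseudo_state_udp: bool = True) -> dict:
    """Push constructed sample traffic through the filter; returns verdicts by name."""
    f = EdgeFilter(udp_ttl=30.0, pseudo_state_udp=pseudo_state_udp)
    cust, web, dns, scanner = "203.0.113.10", "198.51.100.5", "198.51.100.53", "192.0.2.77"
    v = {}
    # 1. Unsolicited inbound SYN to TCP/135 (the RPC endpoint Blaster hit).
    v["scan_135"] = f.handle(Packet("tcp", scanner, 4444, cust, 135, "in", syn=True), now=0.0)
    # 2. Stateless limitation: an inbound non-SYN segment to the same port passes.
    v["tcp_nonsyn_in"] = f.handle(Packet("tcp", scanner, 4444, cust, 135, "in", ack=True), now=0.5)
    # 3. Customer-initiated web connection: SYN out, SYN+ACK back.
    v["web_syn_out"] = f.handle(Packet("tcp", cust, 50000, web, 80, "out", syn=True), now=1.0)
    v["web_synack_in"] = f.handle(Packet("tcp", web, 80, cust, 50000, "in", syn=True, ack=True), now=1.1)
    # 4. DNS: query out, reply back within the TTL.
    v["dns_query_out"] = f.handle(Packet("udp", cust, 51000, dns, 53, "out"), now=2.0)
    v["dns_reply_in"] = f.handle(Packet("udp", dns, 53, cust, 51000, "in"), now=2.2)
    # 5. Unsolicited inbound UDP: the exposure the post asks about.
    v["udp_unsolicited"] = f.handle(Packet("udp", scanner, 1234, cust, 1434, "in"), now=3.0)
    # 6. A late "reply" after the UDP entry has expired.
    f.expire(now=40.0)
    v["dns_reply_late"] = f.handle(Packet("udp", dns, 53, cust, 51000, "in"), now=40.0)
    v["udp_table_size"] = len(f.udp_flows)
    return v


if __name__ == "__main__":
    for mode in (True, False):
        print("pseudo-state UDP:", mode, run_scenario(mode))
```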
My ISP (small mom and pop outfit) is also a whitebox shop and has a big sign out front that says "we will fix your viruses". I think they like that they can make a nice chunk of change off of relatively simple repairs; it's a steady business model. AFAIK, talking to the guy who runs it, I'm the only Linux user he has. Not saying this is true for all ISPs, but it's like "you" as Joe Homeuser getting them to do an oil change and tuneup and tire rotation for these shops, and most of the ones I have been in charge a pretty snazzy rate for de-infesting machines and applying patches, all things the owners of the PCs could do themselves, but most users choose to remain ignorant it appears, and don't make the effort, so the fixit repair shops take advantage of that, at least the first few times the users get nailed. Say $50 or something a pop to have your box cleaned; it adds up. I imagine a lot of /. readers here make some nice loot off of Windows insecurities and viruses, especially the ones who get hired to run networks or who get called in to fix stuff. No problems and everything running smooth = much less money made in *some* cases. I know that's a bit cynical, but I bet it's true.
A: That depends on what you're doing. If you want Windows installed the way Microsoft wants, it is easy, but try something like installing a RAID drive and you'd better have a second machine on the internet to get all the drivers that Windows doesn't have because the manufacturers didn't pay to have their driver "signed". E.g. Windows would not install to a RAID drive without help; this took 1 hour to find a driver and then remove unnecessary files so said driver would fit on disk for installation. Red Hat Linux was installed and configured in the time it took to find the driver.
1.2 Q: What's the point of all these options during install?
A: A lot of these options are not necessary or useful to you, but you don't have to use them. Windows allows you to easily pick and choose what you want, as only an idiot would install everything that came with their OS, and you're not an idiot, are you?
1.3 Q: It's installed, now what?
A: If you are connected to the internet then you will have to reformat and start again without the internet connected, due to the amount of malicious software targeted at Windows; my record is 2 minutes from start-up to first infection. Now you install as many firewalls, anti-virus and spyware removal programmes as you can; now reconnect to the internet and download the latest updates for said software. This will take a long time as there is a lot out there. Remember NEVER connect to the internet until you have installed every type of AV and firewall possible.
1.4 Q: What happens if I'm in the middle of an install and the installation freezes or just stops?
A: You get to reboot and start all over again. This happens ever so often with Windows. It seems like it's buggy install routines or something. Isn't Windows grand?
SECTION TWO - CONFIGURATION --
2.1 Q: Wasn't it supposed to be easy to set up a home network?
A: It is when the software doing it doesn't crash or even break another network connection already set up. Learn how to do it manually; it is more reliable, more flexible and, once you know what you're doing, quicker.
2.2 Q: Why is the command line so weak?
A: Microsoft believes its users are idiots with little understanding of how an OS works, so it has taken away your ability to do any damage. The fact that you were in a position to do damage by being root straight from start-up is nothing to do with Microsoft, honest!
2.3 Q: What is this driver signing all about?
A: This is a scheme where a manufacturer pays a fee and gets their driver signed. The advantage of this is that when a user tries to install your driver, Windows doesn't advise against it, thus rendering your device useless if you follow this "advice".
SECTION THREE - APPLICATIONS --
3.1 Q: What happens if my Application doesn't work?
A: That's it, you're stuffed. Most shops will not refund the goods, blaming Windows for the failure; Microsoft will blame the application maker, and you end up in Catch-22. They don't care; they have your money now.
3.2 Q: What about all my old Applications from previous versions of Windows will they Work?
A: Rarely; a handful will, but most will not, especially 9x programmes on XP. Whereas compared to Linux you have some handy programmes that can get around this, but with Windows all you have is double click; when that fails you have no other options.
3.3 Q: Why does this blue screen come up so often?
A: That's Windows crashing. Don't worry, it happens so often you get used to it.
SECTION FOUR - SPEED ISSUES --
4.1 Q: Why is Windows so slow?
A: Windows is built on the grounds of "it's good enough so long as it sort of works". It doesn't have to be fast, doesn't have to be effective, doesn't have to do it very well; they just have to be able to claim it as a feature and move onto the next "feature". Also Windows contains some hangovers from MS
Saying Apple is better than MS is like saying Botulism is better than rabies.
Didn't those MIS experts think to install anti-virus software on any of those hundreds-if-not-thousands of PCs?!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
For large corporations, I always quite liked the idea of sending occasional spoofed e-mails with dodgy attachments, similar to your average e-mail virus. If a user opens the attachment, MIS gets notified, and a "three strikes" rule applies.
The first time, they get a polite warning about their behaviour and how damaging it could be if that had been a real virus, and a friendly reminder to read the corporate IT policy. You're not trying to piss these people off and alienate them, you're trying to educate them.
The second time, they get another warning, and all non-essential access revoked for a week: no personal mail, no web browsing, nothing. You might mention that this is the sort of thing that viruses try to do to everyone in the company, which is why it's so important not to run attachments carelessly.
The third time, they get the book thrown at them: automatic formal disciplinary procedures, loss of all personal usage privileges and direct monitoring of their usage by MIS, etc.
Of course, you need some very senior people on your side to make this work, particularly because managers are often the most incompetent in this respect. However, if your CIO has any clout at all, a quick explanation about the impacts of a real virus on the company and the most likely way to get one should get the CFO and CEO on-side.
The nice thing about this approach is that it's fair. No-one who's not a liability will be affected. Anyone who's simply naive will be given a friendly reminder of the danger, and how to avoid it. You have to screw up spectacularly several times before really bad stuff happens. And if you really are that stupid, inconsiderate or incompetent, the rest of the organisation doesn't have to suffer the risk you bring to their livelihoods.
What did _you_ learn from this?
There are a _ton_ of problems spelled out in the article.
Incompetently set permissions. Incompetently managed network, including unpatched production servers, not just the client machines. (Yes, that would also explain needing the tons of policy admins. You haven't seen the kind of drooling incompetents that some companies hire.)
An incompetently programmed application, presumably written by the cheapest clueless monkey that could be found. (How _do_ you write an application, so that it needs the _OS_ to be unpatched and unprotected?)
A management who's more into chest thumping and scaring peons into submissions, than actually managing.
A total contempt for the paying customers too. (It would have taken just a couple of phonecalls to tell everyone _not_ to disconnect everyone's electricity, when it was the company's system that failed to accept payments. But did anyone even think of the customers? Nope. Fuck 'em. Who cares about 'em?)
Etc, etc, etc.
But what do _you_ understand from that? "Waah! Microsoft sucks! They shouldn't have used Windows!" Well, see, that's the problem with the IT world indeed.
And I'm talking about the ever increasing reliance on some magical "+3 cloak of IT protection (+5 against bugs)". The rush to rely 100% on the OS, framework or whatever, to protect you.
"If only it was _____ (random hyped IT product), it would have been 100% invulnerable!" Where the product may be Linux, WebSphere, EJB, ASP, XML, or whatever fashionable buzzwork or framework.
Heck, I don't doubt that, back in the caveman times, the same kind of people were busy whining about how just upgrading to Stone Axe v2.0 from Sharpened Stick v1.5 didn't automatically keep tigers at bay. Now if we had bought the hyped Wooden Club v2.6 instead, that one surely would have swung itself against the tigers! All by itself, and without requiring any skill!
No, sorry. It never worked like that, and never will. A system is only as secure as the people using it.
And that's the problem written all over that story. That a big team of incompetents crafted an insecure network, with insecure computers on it. And would have been just as bad off with any other OS or framework, if they stick to those incompetents.
But no, let's hope for some magical cloak of protection instead. Maybe this time it will actually work. Right?
A polar bear is a cartesian bear after a coordinate transform.
...until someone brings in an infected laptop.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
A user that does all of those dangerous things or Microsoft for allowing users to do all of those dangerous things?
This is a problem with the "modern user". They just accept that Windows and computers in general behave this way. That problems like Blaster are "just the way it is." Those who work on multiple platforms and systems see this and call "bullshit" because we get things done and don't have to deal nearly with this level of crap.
Throwing more software at XP is not going to solve the problem. What needs to change is Microsoft!!
- Above all else, why are users forced to run under a privileged account? Although not exactly necessary for Blaster, many rogue programs use this as a vector to infect machines. As long as Microsoft does not address how awful the permission scheme is on Windows, people will have to run at highly elevated permissions, which means it's easy to infect people. Change this and many virii just go away...
- For 1: Why do you need to buy more software to use a computer out of the box? Mac, Linux, BSD can all install and go and even do live installs. Even though you can do a live install of XP it isn't safe. So the solution on Windows is "you need more software"?? I call BS again. The installation process should be secure because it's a custom kernel that is heavily scripted. There is no reason why the install process is vulnerable!!
- For 2: You can say that but as long as Microsoft allows users to start the application they will use it. Any other vendor by now would have gutted, disabled, etc. such a problematic application but Microsoft seems to know better....
- For 3: look at "For 2:"
- For 4: Windows Update and beating the "keep your system up to date" drum is all nice and neat, but once again if you need to run it manually (versions of Windows before XP) then there is a big chance it won't be done at all. Even then it's dumb to have to login to apply a patch in an enterprise. No wonder IT time is expensive. They have to babysit hundreds of machines!
- For 5: Just like "For 4:", this can get problematic in a hurry. To make things worse, this is even more insidious because for each piece of "security" software you install you now have a separate process to keep it up to date.
Microsoft made Windows into the monster we have today. There are fewer bugs and in general a better user experience than previous versions of Windows, but that is no excuse for having such idiotic exploits still floating around. Many platforms figured this out years ago (some aspects are 20+ years old for security) and yet Microsoft just dances along milking vendors and OEMs for as much money as they want with inane licensing schemes.
It's interesting to note that firewalls and networking solutions are discussed in the conclusions of the article.
What percentage of Windows port 135s need to be exposed to the internet? I did a search for "DCOM application" and "DCOM applications" and found nothing interesting except how to migrate from DCOM to .NET, and documentation. I've only seen DCOM used once in my life, and it was a very specialized application where DCOM was used to control a smartcard reader on another computer for enrollment purposes. Obviously, this kind of application should _not_ be world accessible either.
IMHO, only necessary ports/services should be available to the internet. Period.
Do I export my NFS shares to the world? No.
Do I expose my rpc portmapper to the world? No.
I don't blame Microsoft for these exploits, they are networking/sysadmin issues.
I have never been compromised from network intrusion, ever. The last virus that I had on my machine was the "Monkey" virus (I believe) that a roommate brought onto my computer from a floppy that he used in a computer lab at school 10 years ago.
Again, I'd like to reiterate that these are networking/sysadmin issues, not OS issues. Although, it's worth mentioning that these kinds of things have never seemed to affect Macs, which are almost always on the same network as Windows machines.
Yup, the dreaded .etc trojans. Nasty little buggers.
Actually, I've found that mail filtering works better when the burden is placed on the sender of the email. I use a notification email that explains why the mail was blocked, and instructs the sender to reply to that email if it's legitimate, and that reply goes straight to me, where I can retrieve the mail and send it on. If on the other hand a notification goes to the user, then the next time there's a zero day Netsky, Bagle, or MyDoom worm out there I'll be fielding 6 metric shitloads of mail from users who "just want to see what it is".
Yes, my only tool is a hammer. And you're starting to look like a nail.
Poor Mona. All these rug rats because of putting out for the home-boys. Want to give them sex but not have children?
Try sodomy.
The problem with pop-up warnings is that Windows users are already in the habit of clicking OK or hitting enter without reading them. They're already bombarded with so many that it's a Pavlovian response. I know I've even had a few experiences on Windows machines of hitting enter too quickly and then thinking, dang! What did that last dialog say? It looked different and might have been important.
> out of control so quickly, and what lessons can be learned from that event...
- Lesson #1 - Don't run Microsoft OS
- Lesson #2 - Don't run any Microsoft apps
- Lesson #3 - See lesson #1
If you want to stop viruses (and spam, it seems) you cannot run any MS software.--
If I actually could spell I'd have spelled it right in the first place.
From the article: ...it was given access to the main production network to place image files on an open share on the server used by human resources. ...bypassed patching the HR server because we were going to take it offline and replace it at the end of the same week that Blaster hit.
A contractor using the guest offices brought Blaster inside. His laptop infected the security-counter image-storage system, which then found its way to the HR server.
I saw this on the Three Stooges once. Seriously, note that it took three failures to get Blaster into their network:
1. Why was the contractor able to reach the image computer? Why weren't the guest office connections DMZ'd on their own branch: common sense says you barrier everything and only punch holes in the barrier when they are needed, as they are needed.
2. Why was the image computer allowed access to the main production network? To hit an open share? That was pure laziness! There are a number of ways to do that without granting internal access: this was a publicly accessible system!
3. Who cares if the HR server was due to be replaced at the end of the week? Someone took the time and effort to remove it from the list of patched servers: isn't it less effort to just leave it on the list until no longer connected?
Note that it took a fourth failure that allowed it to run rampant:
"Did we find out why the XP systems in HR did not get patched on the first go-round?" asked the director.
"We had to do some research, but we found out that the way we locked down the users prevented the patch from running properly," lamented one of the policy admins. "What we discovered was that the software restriction policy for the local computer allowed only local computer administrators to select trusted publishers. Because our patch agent ran as a pseudo user, the agent did not have the necessary rights. This was causing the failure. We changed the group policy for the HR systems so that we can patch remotely from now on."
Who implemented the policy? Who tested the policy? Fire him/her/them! Don't they have any logging to tell them when an update fails?
I hope never... I love to get my daily dose of .scr trojans, spam and things alike. It's called FREEDOM, people... I want my FREEDOM to receive as many trojans as I want. If they start filtering screensavers, what's next? Porn? 'Political' e-mail? Bleh.
cheers.
``If a program can't rewrite its own code, what good is it?'' - Mel
As unfortunate as it may be, Microsoft does have a history of breaking compatibility with other applications that they are directly competing with. This was brought up in the anti-trust case and was an issue that the judges ruled on. They blamed it on unsupported APIs and stuff like that, but it is an issue that has happened.
As far as Microsoft being a cost of doing business, I would agree. I don't however see the connection between using Linux instead of Microsoft at work and then "never being able to play games" if you want to use Linux at home. Various games play on Linux natively and do it well. You act as if they don't.
One thing to note is that when someone does something bad, or not looked upon with good intentions, that reputation will stick with them for a while. People remember who was accused of raping a young girl even after they found out it was made up to get attention. People remember those in their neighborhood that register as sexual offenders, ex-cons, thieves or any other thing that makes them look bad. Microsoft didn't do anything as bad as that in my opinion, but the stigma is there because they have done shady things in the past. That is why that "little tidbit of 'expert' opinion pops up EVERYWHERE".
Microsoft has a long walk in front of it if they ever expect the majority of users that remember these practices to have the same types of opinions you have about them. For most, the trust that is inherent when buying something is lost when reflecting on business practices of old, and it will take some time and maybe a special effort to make up for it. I for one was using a product that Microsoft broke for 6 months and magically fixed with another update, but after I had to shell out over 10 thousand dollars to get the competing product from them so our work could go on. I am one of those (because of this) that remember Microsoft for the bad they have done instead of the good they have potential for doing. I view everything they do as a scam to screw someone else out of competing with them. Their Get the Facts circus road show, whatever it is, skips over the positive stuff about Linux (that rebuts some of their statements) that is listed in the same paid reports/studies they have posted at their website and cite during the show. It is a great example of creative marketing at its best. You should read them sometime. Pay specific attention to all the appendices and footnotes (that add more information about the claims made earlier in the reports); they may be placed there as facts or maybe to avoid lawsuits?
>My pet peeve, for example, is the Finder: it's 2004, why can't they make Finder windows update immediately when a new file is created, and why can't icons stay in the same place when files are modified?! I mean, if Windows has been able to do it for 10 years, it shouldn't be that hard!
As to the former, Panther seems to have fixed that, with views usually updating when files are created elsewhere. (Jaguar and prior did have issues with this.) As to the latter, I wouldn't know, given that I use Column View exclusively...
>hmm... I should have realized it would have the BSD firewall. I wonder why there's no GUI for it?
Under Panther (and I think Jaguar as well), there is.
System Preferences App > Sharing Panel > Firewall Tab
And what makes you think that joe user will do anything other than login as root.
As for User consent, most of the windows viruses out there at the moment require the user to run the
The biggest vulnerability in computers is the users. Just you see how secure your beloved OS (pick any OS here, not just Linux) is once you unleash the great general public on it.
No matter how well you idiot proof something, you can always find a better idiot.
And what makes you think that joe user will do anything other than login as root.
joe doesn't do that on a Mac, and should be steered away from it on linux (usually is during the install). yes, there will always be stupid people who do stupid things, but that is not the system's fault. plus, i believe that such users will inspire *nix developers to design better systems. the market (think business/corporate ppl) is becoming so frustrated with OS vulnerabilities that it will soon be demanding better systems, and the open, competitive nature of Linux lends itself to such development.
As for User consent, most of the windows viruses out there at the moment require the user to run the .exe ... "ooh a new task bar that stores my credit card info for me and its free?" ...click click.
that's always an issue, but the biggest problem is that windows user accounts generally allow people to install such crapware. linux and windows make installing programs a more restricted process. in a corporate environment, it can be locked down better as well.
No matter how well you idiot proof something, you can always find a better idiot.
agreed. however, that doesn't mean it's not possible to prevent a lot of problems and avoid others altogether by switching to a better designed system.
I saw it on Slashdot, it must be true!
No, it's not fixed in Panther - if it were, I wouldn't have a problem, since Panther is the only version of Mac OS I've ever used (for more than a few minutes).
If you don't believe me, here's a way to reproduce the problem: open the Terminal, cd to the Desktop, and type "touch foo" - the icon doesn't show up until you task-switch to the Finder (i.e. click on the desktop). The problem doesn't only apply with the Terminal either; it happens when you create the file with other programs too. (This is in 10.3.4, by the way.)
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
They are a utility, and a natural monopoly (since it makes little sense to have multiple sets of power lines in the same neighbourhood).
This is why I believe utilities serve society best when they are either crown owned (like BC Hydro) or user cooperatives (like Laurens Electric Cooperative).
I've done that. The immediate shrieking from my userbase for blocking .dll's and .exe's and .bat's they were shipping to each other was quite serious, and took backup from the company management to enforce, including a day's samples of the virus traffic, showing how much of our total email traffic it was.
Fast forward six months, to the day I had to block .zip files for precisely the same reasons. My butt was scheduled for a serious ass-paddling by a bunch of department heads, who got handed an even worse breakdown of exactly how much .zip traffic was coming in, 99.9% of it viral traffic.
People are still complaining bitterly about that one, and being forced to educate their correspondents in how to rename files to "*.zi" to get it past the filter safely.
I think you also over estimate the market when you suggest "business/corporate ppl [are]
Big business has a huge amount invested in their IT Infrastructure and so any change is going to cost a large sum of money, and if they make the wrong choice, someone loses their job. The old case of "no one got fired for buying IBM" is becoming true for microsoft. It may not be the best choice, but it's unlikely to get you fired.
very true, I'm not convinced that linux is that system yet, it solves many issues but then causes others. There is a lot to be said to the microsoft approach of treating your users as if they don't understand, and don't care. And then providing good documentation for those that seek it out.
my experience of linux is that documentation is either information overload, or nothing useful, and not much in between
I think we need a paradigm shift in computing with relation to security, comparable to that between command line and gui [ yes yes, I know real men use command lines, but most users aren't real men]. Unfortunately I don't know what that shift is, otherwise I'd be potentially very rich, but I don't think it's any of the current unix offspring.
If your mail server is running a Linux OS, or if you have the ability to deploy client side rules across your network, I can hook you up. I do this server side, but you could also do it client side. Blocking all .zip files is guaranteed to make you an unpopular guy. I'm guessing your primary reason for blocking them is the Netsky, Bagel, and Mydoom virii. Even if you run antivirus software on your mail server (which hopefully you are) these buggers get new strains out before the AV vendors can get dats/sigs out. After two zero day infections (the first mydoom and netsky.p are the two I got burned on) I said fsck this and put together a system of blocking all .zip attachments below a certain size.
.zips as a means of infection had a payload of 60 KB. So I picked a comfortable size and instructed our help desk that any tickets involving lost email with zip attachments should be sent my way. I did that 3 or 4 months ago and haven't heard a complaint yet.
Think about it, a legitimate zip file is going to be either one big ass file or several small files. To the best of my knowledge, the largest mass mailing virus/worm (the definition gets fuzzy here) that used
If you have a linux mail server in your environment, I can post the script I run if you want, just lemme know. Sorry for the long post, but I was in the same situation you're in not too long ago and I know it sucks ass. Since I put that script on our external servers, that plus blocking the usual suspect attachment types has made it so that email-borne virii are an afterthought. We still update the AV signatures on our mail servers as well, but the content filters are what really pull the weight. Lemme know if you (or anyone else) want me to post that script. I wrote it for use on a postfix server, but it could probably be adapted for something else.
Yes, my only tool is a hammer. And you're starting to look like a nail.
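A filter of the kind the two posts above describe (dropping .exe/.dll/.bat attachments outright, and rejecting zip archives under a size threshold), written here as an added example in Python rather than the poster's postfix or procmail script. The threshold, the addresses, the file names and the sample attachments are constructed for illustration. It goes one step beyond the posts in that it recognises archives by their leading bytes rather than by extension, so the "*.zi" rename mentioned earlier in the thread is still classified as a zip:

```python
"""Mail attachment filter modelled on the thread's two rules: reject executable
attachment types, and reject zip archives below a size threshold (the "small
payload" test). Constructed example; not the poster's postfix script.
Archives are identified by magic bytes, so a renamed "foo.zi" is still caught."""
import email
from email import policy
from email.message import EmailMessage

# Assumed threshold: the thread cites roughly 60 KB worm payloads, so leave a margin.
SMALL_ZIP_LIMIT = 100 * 1024
# ZIP local-file-header and empty-archive (end-of-central-directory) signatures.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")
# Attachment types the thread says were blocked outright.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".bat")


def classify_attachment(filename, payload):
    """Return 'allow' / 'allow:large-zip' or 'reject:<reason>' for one attachment."""
    name = (filename or "").lower()
    if name.endswith(BLOCKED_EXTENSIONS):
        return "reject:executable"
    if payload[:4] in ZIP_MAGIC:
        # Content check rather than extension check: covers the ".zi" rename trick.
        if len(payload) < SMALL_ZIP_LIMIT:
            return "reject:small-zip"
        return "allow:large-zip"
    return "allow"


def filter_message(raw_bytes):
    """Parse a raw message; return ('accept'|'reject', [(filename, reason), ...])."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    rejections = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() != "attachment":
            continue  # inline body parts are not subject to the attachment rules
        payload = part.get_payload(decode=True) or b""
        verdict = classify_attachment(part.get_filename(), payload)
        if verdict.startswith("reject"):
            rejections.append((part.get_filename(), verdict))
    return ("reject" if rejections else "accept", rejections)


def build_message(attachments):
    """Construct a sample message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # constructed addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed sample attachments (harmless bytes, not real malware): a tiny renamed
# zip, a large zip, something with an executable extension, and a plain text file.
SMALL_RENAMED_ZIP = ("invoice.zi", ZIP_MAGIC[0] + b"\x00" * 2000)
LARGE_ZIP = ("photos.zip", ZIP_MAGIC[0] + b"\x00" * (200 * 1024))
EXECUTABLE = ("setup.exe", b"MZ" + b"\x00" * 64)
TEXT_FILE = ("notes.txt", b"meeting notes\n")

if __name__ == "__main__":
    for sample in (SMALL_RENAMED_ZIP, LARGE_ZIP, EXECUTABLE, TEXT_FILE):
        print(sample[0], filter_message(build_message([sample])))
```

In a real deployment the `reject` verdict would be turned into a bounce or quarantine by the MTA hook; the size threshold is the part to tune locally, since it trades a small number of legitimate tiny archives for the zero-day window the posts describe.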
Thank you for the offer, I'm set. Procmail is your friend for this, and there are plenty of published tools for doing this as procmail or Perl script. The "small payload" test is usually valid, but I'm waiting for some smart ass to start using bulky attachments to help worm-transmit a DOS against mail servers by bogging them down with many thousands of 1 Megabyte attachments.
OK no prob. Someone could get around the small payload test pretty easily, you're right, but if they did then the worm would spread that much slower. Since the kiddies are looking for the maximum number of zombieboxen in the minimum amount of time, I'm thinking it will be a while before they try that. And if they do, AV dats should be available before it spreads too far. Cheers!
You got the first part right, Sparky!
The ONLY Mac virus I've ever encountered in my 15+ years as a Mac user was found on a used Color Classic I bought five or so years ago from a now defunct Computer Renaissance shop over in Porter Square, Cambridge.
A quick application of Disinfectant destroyed the virus.
As long as the suckers continue to use Windows, and are too stupid to protect their machines, they'll be the target, not me.
Guaranteed! This comment 100% Anthrax free!
Yeah, that makes a lot more sense. Should tip off senders if they've been zombied too. "huh 300 people said I sent them b1gg3r_p3n1s.exe, what the heck is going on here"
Well hopefully at least.
Mycroft
https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea
Yeah, I know. This is one case (truly critical messages) where dialogs should be designed to slow down a user and require them to read the message to figure out which button to click. And no default button for the enter key, unless there is a guaranteed safe button.
Unfortunately I don't know what that shift is, otherwise I'd be potentially very rich, but I don't think it's any of the current unix offspring.
my theory is that the nature of the "current unix offspring" is such that it lends itself towards meeting needs and demands placed upon it by users, developers, et al. there is a world of potential in these systems. it doesn't hurt, either, that as of right now they're also more stable and secure, regardless of their market share. the more developers rise to the challenge and demands of (mostly) the business world, the more market share you'll see going to not necessarily superior systems (even tho i think they are), but systems better suited for whatever the company needs.
i remain unconvinced that joe uses a mac, my suspicion, (based on personal observation) is that mac users are neither average nor ordinary.
you're right..."joe" uses windows by and large. i'm not saying joe DOES use mac, i'm saying he'd be BETTER OFF if he used mac (not 'yelling' here, i just like emphasis ;). once the basic interface differences are overcome, it's a very easy, very stable system that is MUCH less likely to give him problems.
my $0.02 ;)
Somebody can ride off my comment and get a 4 but I get "off topic"... wow, slashdot is stupid.
Here's an idea. Tell me what you think:
:)
You know the way some viruses appeared in the wake of Blaster, that actually uninstalled Blaster so they can take control? Well, what I say is, why not make counter-viruses like these, that do only this nice part (skipping the take-control one). If somebody's computer has a security hole that can be used for infection, then it can be used for disinfection as well.
A sort of "Protect yourself, or we'll do it for you..."