The Cost of Computer Naivete

wiredog writes "What happens when you put an unprotected Windows 98 box on a broadband connection? Two perspectives from two reporters for the Washington Post (frr,yyy): The User's " an odyssey that has taken $800 and roughly 48 man-hours over nearly three weeks" and Digital Doctor's "Her PC was in such bad shape, it required 10 1/2 hours of surgery to restore it to working condition.""

Windows 98? What about XP?

[Brain+Stew]

It is bad enough with 98, but what if the same experiment where conducted with XP, considering all the wild RPC attacks?

Re:Windows 98? What about XP?

[MadRocketScientist]

My recent XP experiment:
I was installing a firewall for a client a couple of months ago after they got a new DSL circuit installed. The connection failed, so I called the provider and was informed that the line was disabled for security violations. Someone had plugged in the WinXP home edition desktop before I got there. Needless to say, it was so laden with trojans we didn't bother trying to clean it, we just went straight to the system restore disk.

This reminds me..

[manavendra]

..of my initial days of tinkering around with RedHat 6.x.

My old office had two RH boxes on a static IP. There was no such thing as an administrator. As a programmer, I was supposed to install all applications, configure them and also *ensure* it was up and running.

Got a call from the ISP two days later. They had shut down the machine because of complaints from other users - apparently some application from these machines were flooding the network (I never did find out what they were doing though). Got the ISP to restart them. Frantic googling and few "security guide" downloads later, I started exploring what was wrong with them (incidentally, I was *still* accessing those machines remotely - my office wouldn't pay for me to go to the site to check the machines). Turned out there were THREE rootkits installed on one of thsoe machines. Found the traces of one of the possible three attackers - was some IP space in netherlands. Later found that that range of IP addresses was actually under contention and was thought to be not allocated and probably belonged to some malicious/rogue ISPs (I haven't understood this part yet).

Not knowing much, I got them to reinstall the OS. Of the three, two rootkits appeared within 2 days. Another re-install, this time with the Linux security guide implementations for securing the box. Things were ok for about 2 weeks or so. I then had yet another attack and someone was using my box as a IRC relay host (or something) and I was still in trouble.

Finally, after some RH updates and more tweaks (and ipchains and iptables install/config), I was able to have reasonably secure machines.

Trial by fire, but I learnt a lot!

*shiver. I hate to think how it would have been, had those been '98 machines

Not uncommon

[lukewarmfusion]

My mother's machine was the same way. Win 98, no windows updates for nearly three years. On a cable broadband connection, no firewall. Anti-virus wasn't updated since 2000.

Between an updated McAfee, Ad-aware, and a few other spyware removal tools - I spent nearly eight hours on getting her machine back to a working condition. Once I was able to back up her data, I formatted and moved her to XP Pro.

She had enough trouble learning XP - I wouldn't dare put Linux in front of her.

Almost 20 viruses.
Over 150 spyware components, files, etc.
Three hours of Windows Updates to download over a broadband connection.

Don't clickety-click on everything on your screen. Some of those links are bad.

Re:To be fair to Microsoft

[dave420]

Yes, and that OS can't do as much as Windows 98 can for that particular user. Let's compare like with like here. I mean, I could say "and I can turn on my Spectrum 128 +2 and it would run fine!" - technically true, but hardly a real comparison.

And this is /., so no-one expects microsoft to be absolved, even if they did nothing wrong ;)

Needs an `OBVIOUS` tag

[Wingchild]

A few years back a buddy of mine came over to my apartment and plugged into my hub. I wasn't using a router at the time, just a hub with a WAN port for broadband. (I know it sounds terrible, but I keep my system configured according to DISA's security guidelines; sometimes I feel like testing it against real-world attacks. Bit of a masochistic streak.) I was running a locked-down Win2k box; he brought an unsecured Win98 system -- with it's C drive shared. To EVERYONE.

Things were going pretty well, and we left the systems on overnight. When we signed back on in the morning, my machine was fine; his machine had been compromised -- in grand style. We found the following:

- two separate users were connected to it.
- Cygwin, which my friend had managed to break and wasn't operational, had been either repaired or reinstalled.
- gcc was added.
- eight (!) separate viruses were on the system; two had been compiled with the local gcc, from the look of it.
- those viruses were being sent out around the net.

The main data on the system was not compromised and while there was a minor virus infection, for the most part things were not touched. I should say, "things were not touched that we could detect" -- they could have taken a full copy of his HD for all I know, not that anything important was on there (it was just a gaming box).

He probably wouldn't have noticed the attack itself except that his processor wasn't all that hot and he was on a 10M/sec network card; between the heavy compiling and the constant sending of virii system performance had dropped noticably.

The fix?

Unplug from the internet, make sure no data on the box is needed, and format it back to the stone age. It isn't like reinstalls take a long time. (Backups are your friends. :) )

Re:To be fair to Microsoft

[callipygian-showsyst]

Actually the ONLY time I was ever 0wn3d--either Windows or other--was with a circa 1996 version of RedHat!

Someone got into my pc using the LPD Root Exploit. Of course, I was stupid enough to put a Linux box on the Internet with no firewall! Still my personal experience from that time was the Linux had a problem!

Something sounds fishy

[darkjedi521]

I've put unpatched '98 installs and unpatched XP installs side by side on my school's network. Guess which one got nailed with viruses?

The XP box, which caught Sasser, and probably a few other nasties, but I didn't bother looking, and just nuked the box.

The purpose of the exercise was to make a CD containing all the updates as of April, 2004 that a clean 98, 2000, or XP install required to be usable.

Neatly illustrated

[maximilln]

I finally decided to install Apache. I had been running an ftpd for a long time to transfer files between home/work/family/friends but so many of them began asking for me to appeal to the least common denominator that I finally did the apt-get install apache. Honestly speaking it was the easiest fileserver I've ever set up. Granted I didn't look into authentication or restricting access yet. I simply wanted to install it and offer files. In terms of basic functionality apache was much easier to achieve liftoff than ftpd or samba.

Here's the rub that fits with this article: Apache was not up and running for more than 2 hours before I had 3 IP addresses, two of them on my own ISPs /24, poking around for overflow vulnerabilities by sending SEARCH and GET requests with more than 8190 bytes.

Why can't these script kiddies be stopped? It is obvious what the intent was.

MS is, alas, targeted Re:To be fair to Microsoft

[swschrad]

and a switch is definitely in order. when you have blight, nematodes, and rot in a soybean field, you have to rotate out of soybeans and plant anything else unrelated for several years to clear the land.

in the MS software monoculture, we are also at that point. pick Mac OS or Linux, but switch. you can't grow anything in that MS patch any more.

if you can't/wont, I have had multiple update choke-n-hangs with norton antivirus in the last year plus. each has finally been resolved by switching that user to Grisoft's AVG program, www.grisoft.com... and using Zone Alarm and Ad-Aware to deal with the other types of threats.

Re:To be fair to Microsoft

[DCheesi]

Err, if you haven't noticed, many of the worst M$ security problems lately have affected only the WinNT codebase, including some that are WinXP-specific. As long as you're only running client apps, Win9x derivatives may actually be safer than the newer ones!

The problem here isn't the OS version, it's that she didn't install the necessary security apps before exposing her computer to a direct internet connection. True, WinXP includes a very basic firewall app, but ZoneAlarm is just as easy to install and probably works better anyway...

This is how I learned about computers

[Gregoyle]

I don't think I'm alone here; problems like this (although not this exact one) were how I learned about computers. It's during these agonizing multi-hour sessions that you really get a glimpse of what goes on behind the curtains.

I learned how to build and modify my own box after many agonizing sessions installing new hardware, much like the doctor in the Post story who couldn't get her printer working for love or money. When you go through all the troubleshooting procedures for figuring out why your new RAM, hard drive, or video card doesn't work you learn very quickly how it all goes together. The second or third time you do it is much easier.

I was never really all that interested in computer security until my first Linux box got rooted. Luckily for me I had it configured for a graphical login where all accounts were listed as icons, or I might never have noticed that there was an extra account. After that I became a computer security nut, getting updates from 5 different sites and configuring multi-tier systems. Being interested in security is also what got me into OpenBSD. The experience I got with OpenBSD was extremely useful for me in getting one of my first IT jobs; I think my broad experience with multiple Unices is what got me that job and allowed me to be successful there.

Troubleshooting problems like these, annoying and frivolous as they may seem at the time, is a great way to become the guy that people go to for their problems. Now whether or not *that's* desireable I'll leave up to you ;-).

Re:To be fair to Microsoft

[jellomizer]

But still back in 1996 Linux was made with high speed networking in mind. Windows 95, 98 were made with mostly dial up networking in mind. Linux in 1996 wasn't even seriously trying to invade desktop or even much of the server market. At this time Linux was just trying to go "Hello!!! We exist and we can do a lot of stuff that you 10k Unixes can do for free." So it was busy porting all the Unix utilities to it. So we had netscape 3.0 which didn't have enough features to support the viruses and spy-ware. While Windows 98 Has the market share Apple was dead, Unix was dead Linux was just a bit player for hackers. So Microsoft worked on putting on features to the product to sell more, and to kill off netscape. Integrated everything, that was the buzzword of the late 90s. No one really (Who had enough say at Microsoft) had foresight of todays problems to make windows 98 still run in 1994. So features were added. And if Linux had the technology at the time there was a good chance that they would do the same as well.

Disagree with your conclusions

[siskbc]

Windows 98 is 6 years old and isn't sold with computers anymore. This test just shows remaining Windows 98 users they should keep up to date or upgrade to XP.

First, no it doesn't - they didn't do the necessary control experiment, which would be leaving an unpatched, no-AV machine with XP hanging around on the broadband network. Do that and your box is fried a lot faster than 98.

...I have some Win 98 boxen around here, as well as some Win XP/2K. I have MANY more problems from the newer boxes, mainly because most of the newer worms are no longer "compatible" with the older machines.

Yes, it's security by obscurity, but that's good in addition to having current antivirus signatures! With the XP/2K machines, we can't patch them fast enough to keep them clean on our notoriously insecure university network. The 98 machines are dedicated to running some specific lab hardware, and are sufficient to the task. They aren't getting replaced, or upgraded. Well, I did upgrade them from 95, but even I'm not that crazy. ;)

same old stuff but more of it.

[twitter]

XP gets wiped out the same way, but the user does not notice it as soon. XP is generally running on better hardware and the "slowness" is not as evident. The software and design is mostly the same, so most of the same hacks apply. Just do an "upgrade" at a fortune 500 company and you will see that the best M$ can deliver for the money and kept up by dedicated professionals is still totally owned. Small offices and home users are just as wiped out.

They also get owned through dial up. Just as fast. Once again, the slowness of the connection itself masks the fact that the thing is broken. It makes the user think that dial up is unusable, when I've shared a dial up connection with my wife under Linux without problems. Dial up users are also targeted by a special class of worms, porn dialers, which can cost the user plenty. I've heard users tell me about their computers dialing on their own in the middle of the night. Nasty.

With all the broken Windoze boxes out there able to launch all manner of attacks, the web is a really ugly place right now.

Oh please

[bigberk]

Shall I list the ways you can remotely root a 5 year old *UNIX (FreeBSD, OpenBSD, Linux, whatever) that hasn't been kept up to date?

• wuftpd
• sunrpc, portmapper
• imapd
• sendmail!!
• bind!!!
• openssh
• openssl
• apache
• php
• samba

I'm sure I forgot a dozen other common packages, but you get the idea. Any outdated, Internet-connected system is a disaster waiting to happen.

Re:Whose fault is it? The ISP.

[Rick+Genter]

I maintain computers for a set of Curves for Women gyms owned by a couple of friends of mine. I run into the spyware/malware problem all the time.

Each gym uses DSL to connect to the internet. While working on one of the computers this weekend, I noticed that McAfee Personal Firewall (I stopped using Norton a while ago) wasn't seeing any inbound events, unlike the other gyms where it sees 10,000 to 20,000 events per week. A little investigation showed that the DSL modem at this site has a built-in DHCP server/router/firewall/NAT function. Seems like the DSL providers are getting a clue and building necessary capabilities into the hardware that the customer has to have just to connect to the Internet.

I just went through this

[Durandal64]

My girlfriend's aunt's computer was acting up, and they asked if I could fix it. They complained about pop-ups mainly. When I sat down at the computer, it was just excruciatingly slow. After I finally got the hardware properties to display, I saw that they were running a 2.6 GHz P4 with 512 MB of RAM and a Radeon 9800 Pro. But spyware alone had brought that computer to its knees. It was a mess.

I installed Ad-Aware and Spybot and let both of them run, and just got rid of everything. I removed a ton of crap with Add/Remove Programs, as well (lots of online casino shit and other useless garbage). I then removed those irritating TVMedia pop-ups by booting into Safe Mode and removing the necessary programs and running Hijack This.

I explained to them that, by running Spybot and Ad-Aware regularly, as well as keeping Windows up to date with Windows Update, they could keep their computer mostly clean. But one point I made very clear to them was never to use Internet Explorer unless absolutely necessary. I downloaded Firefox for them and set it as the default browser. I explained that Internet Explorer was probably the cause of 90% of their problems, because it's possible for websites to install things silently by using it or any number of other undesirable things. So I made it very clear that they should stick with Firefox. I also uninstalled Kazaa and installed Kazaa Lite for the kids.

Now their computer is running as it should. No more pop-ups or any shit like that. It took about 3 hours, but I did a damn fine job with that box, and they were grateful. All throughout that ordeal, I was thinking, "God I'm so glad I'm a Mac user."

Re:Yes but...

[kzinti]

Mum's computer doesn't have enough horsepower to run XP, but it does have enough horsepower to run all the viruses and spyware that she will accumulate? That sounds like false economy to me.

Anyway, I think your Mum's computer will run XP just fine with a few tweaks. Turn off all the visual effects, every one of them. And tell Mum not to turn them on again. Turn off unnecessary services (there are a bunch) and don't tell Mum how to turn them on again. Tweaking the services may take you a few hours (don't let Mum do it - do it for her), but in the end XP will run just fine. There are lots of XP-tuning sites out there that will give you loads of other advice - like turning of fast-user switching if Mum shares her computer - seek out those sites and heed their advice.

I have an old 433MHz PII-Celeron laptop with just 128MB of memory, and it runs XP just fine. It's not the fastest computer in the world, but for things like email, web browsing, and occasional Word processing, it does just fine. And it's far more stable than 98, which would crash daily even with just light usage.

Set Mum up with XP. She'll love it. And maybe she'll even bake you some cookies to munch on while you work.