HP Shelves Virus Throttler Program
longlanekid writes "Though HP has apparently designed a great program for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows incompatibilities."
This is a product that was intended for use on Windows, they obviously couldn't get it working on Windows. Don't start blaming MS for this one...
:) j/k
That aside, any coincidence that the vice president and chief technology officer of HP is named Tony Redmond?
So it throttles Windows in general, thereby slowing the spread of viruses! I like it!
Take out Windows, and you take out the problem. Go HP!
I'd like to know what the problems are with Windows machines. If your router/gateway/firewall is limiting outgoing connections, your OS should be able to handle it. Even if it does cause problems, how often does the throttle kick in where there isn't a worm/virus present on the host machine? If this false positive rate is low enough then I'd implement it anyways.
...because "we don't own Windows," Redmond says.
It's funny when you read a sentence like
"we don't own Windows," Redmond says. and do a double take, thinking it's coming from Microsoft...
This is a pretty interesting idea, I only wish it worked. Of course, the only thing that DOES work in Windows, is everything that you DON'T want to work, such as...you guessed it...viruses.
It's not compatible with windows, so let's not even try getting MS to make newer versions compatible, or spend resources writing a virtual device driver. They argue that defense is better than treatment, but forget that a 2 pronged attack is better than pure defense. Even the best firewall and antivirus programs can be worked around. What happens when the next virus or worm comes out and antivirus and firewall manufacturers are caught with their pants down again? Do they plan on letting it spread freely until someone makes a removal tool?
If it has these bugs, why not release the program? Then the machines will BSOD and they'll stop spreading viruses. Goal achieved!
I'm afraid that this tool will also affect P2P tools which connect to many hosts every second as well. Novice users will stop using P2P cause they don't understand why it isn't working.
From the article...
Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.
Wait a second. This doesn't really protect internal networks as much as it protects the Internet from your-machine-gone-mad. That is to say, this product's operation assumes your anti-virus security measures have already failed you, and you've got a server making attack attempts outbound on the world at large. This would kick in and shut down that server's attempted attacks.
That'd be a great thing for all of us to be running to be good citizens of the Internet... but who'd buy such a thing? After all, you have to admit that your existing security products may occasionally fail you before you can even start to explain what this thing will do. And, after such a failure, you're already 0wned. So, you really have nothing internal left to protect at that point, and all there is to protect is the outside world. If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?
Pointing to the fact that this would require some changes to Windows is a nice excuse, but anybody can get Microsoft to do anything when they come equipped with a truckload of money. I think the realization is that people would run this if it was free, but no business in their right mind is going to buy it. I think HP realized that, and that's why they spiked this product. HP, after all, is a business and can't afford to spend too much money on a research project that isn't going to lead to a profitable product.
I wonder if there are any academic groups working on similar projects who might be able to finish the work on this one...
In other news a cure for cancer and AIDS is quietly being shelved. The medical wonder has incompatibilities with most HMOs. Maybe I just don't see the point or perhaps the technology really wasn't all that good.
Microsoft introduced similar functionality in Windows XP SP2:
Limited number of simultaneous incomplete outbound TCP connection attempts
Detailed description
The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system's event log.
I can just see me telling my boss...
Me: "I had to shelve the clients project, sorry."
Boss: "Why?!"
Me: "Incompatibilities with Windows."
My arse.
SP2, from what I understand, limits the number of outgoing connections a PC can make. Could it be that HP was just a bit too slow to market on this one? Why pay for a product that does something your OS is about to start doing for free?
Can we settle this once and for all?
Virii is not a word in the English language; or any other language as far as I know.
I recommend correctional facilities for those using the word 'virii'.
For all intensive porpoises your a bunch of rediculous loosers
Though Apple has apparently designed a great OS for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows IT staff job security.
This is what today's Wall Street Journal said:
So how can you get rid of spyware and how can you avoid it in the first place? One nearly surefire cure is to dump your Windows machine and buy an Apple Macintosh.
http://ptech.wsj.com/archive/report-200408.html
The next pasture is always greener
Can anybody find the HP press release that clearly has to be the primary source behind the report? Having nearly every paragraph's main body be a quote attributed to the same source is the tell-tale sign that the report was based on information from a single source...
Some changes to combat DDoS attacks:
- TCP data cannot be sent over raw sockets.
- UDP datagrams with invalid source addresses cannot be sent over raw sockets.
Some changes to combat worms:
- Updated TCP/IP stack to limit the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. This only applies when connecting to unavailable hosts, for example worms like Sasser guessing where to spread to.
true - it protects the internet at large from you. By limiting the number of connection attempts per second.
So, once you're infected, your server fails to spread at a rate of 10,000 connection attempts per second, instead it spreads slowly, maybe 100 attempts per second? Would this actually do anything besides give your sysadmins a few extra seconds to patch your system?
Wouldn't it be better to block the connection attempts instead, like with an outbound firewall? Maybe stop the app that was trying to connect unless authorised by the user (eg a P2P app)?
No.
HP got it to work on Linux and HPUX, but didn't have the source to Windows XP, and so couldn't implement it for windows.
Someone else asks if they've ever heard of firewalls, but this technology is intended to stop worms once they're inside your lan.
This seems like a good idea that they just couldn't get to work. If they're just going to shelve it and not make a penny anyway, how about releasing the source code and see what the community can do with it? HP makes the same amount of money on it either way ($0), but this way they can get open source brownie points and maybe start something that could be useful down the line.
First off, this is not a troll.
In my experience it has always been easier to sell reactive solutions to DDoS, worms, and virii.
Working on OpenVision*SecureMAX and Securify (kerberos) back at OpenVision (bought by veritas, products sold to PlatniumGroup, then who knows where), we had a very very hard time selling our preventative security software (for all the *nix platforms of the time and Windows NT). Everyone wanted virus removal software. Even when Satan was released, people didn't want to have an audit of which machines were vulnerable in the company.
I left the computer security business back in '97. At which point did it become easier to sell preventative measures? Was it just this past year or two with all the outbreaks? Or did veritas make a huge mistake in selling off its acquired security products when it did?
Nope. It means HP feels that since Linux is Free Software (as in speech) and they do own HP-UX, they have every right to go through the Operating System source code, write and compile the tools, utilities, and features they are interested in testing for both Linux and HP-UX, but they are unable to do the same for Windows, because Windows is neither their own product, nor is it an Open Source product that they can do these things with.
The Network stack portion of Windows may be based upon one of the BSD variants, and as a result HP could very possibly test their ideas on all of the BSD variants and see if it works there as well, but there is no assurance that such a change would be possible to roll into Windows as an updated dll for networking, or any other fix.
They are claiming to own HP-UX (and from my perspective they are welcome to keep it!) but they make no claims to owning Linux.
Since they are shelving this idea, I doubt that the patches, or source they wrote for these updates will ever be made available to the Linux community. Then again, perhaps they already have been, and I just don't know it.
-Rusty
You never know...
Did you read the article? They had it working on Linux and HPUX! So it wasn't just intended for Windows.
Next, so what? Whether you can "blame" MS or not has nothing to do with /.worthiness.
My favorite quote was ``"...we don't own Windows'', says Redmond.''
My next favorite:
``Virus Throttling only springs into action after a virus has penetrated an organization's network, which made it "more difficult to sell," he says.''
It's not a hard sell to a company that's just been brought to its knees! I was at [nevermind whom] when one of the major virii hit in 2001 (CodeRed? I forget). The network was literally unavailable for at least a day and a half, and this company's bloodstream was its network. If HP had walked in with Virus Throttler, they could have named about any price.
At least, if it worked with Windows. 8^(
That was the one time it didn't help much to have a non-Win system (we had plenty of Solaris, and some Linux and Mac systems). Because too many of us had the mandated Windows box. Even though everyone in my group was effectively immune, having turned off all the extra crap... But having a Solaris server did help; our group's SA put up a DNS server and a few other things, and we limped along better than most.
It detects /changes/ in the traffic patterns. If your computer sends thousands of packets per second to port 6346, it can probably identify that as your usual traffic. If you suddenly start sending millions of packets to port 25 on various machines, that's out of the ordinary and can be throttled.
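The throttle described above (and the fixed-rate release of queued new destinations quoted from the article earlier in the thread), as an added toy model that is not HP's code and not from this thread: hosts contacted recently form a small working set, repeat connections pass at once, connections to unfamiliar hosts wait in a queue drained at a fixed rate, and a growing backlog doubles as the alarm. All host names, rates and traffic below are constructed for illustration.

```python
from collections import deque

# Toy model of the "virus throttle" idea (constructed; not HP's implementation).
# Normal traffic mostly repeats a few destinations and is rarely delayed; a
# scanner contacts many new hosts per second, so its queue grows without bound,
# which is both the brake on spreading and the signal that something is wrong.

class VirusThrottle:
    def __init__(self, working_set_size=4, new_per_tick=1, alert_backlog=50):
        self.working_set = deque(maxlen=working_set_size)  # LRU of recent hosts
        self.new_per_tick = new_per_tick                   # new hosts admitted per second
        self.alert_backlog = alert_backlog                 # queue length that raises an alert
        self.queue = deque()                               # distinct hosts waiting for admission
        self.alerts = []

    def connect(self, dst):
        """Return 'pass' or 'queued' for one attempted connection to dst."""
        if dst in self.working_set:
            self.working_set.remove(dst)   # refresh its LRU position
            self.working_set.append(dst)
            return "pass"
        if dst not in self.queue:          # one queue slot per distinct host
            self.queue.append(dst)
        return "queued"

    def tick(self, now):
        """Called once per second: admit a few queued hosts, then check the backlog."""
        for _ in range(min(self.new_per_tick, len(self.queue))):
            self.working_set.append(self.queue.popleft())
        if len(self.queue) >= self.alert_backlog:
            self.alerts.append((now, len(self.queue)))
        return len(self.queue)

def run(traffic, **kw):
    """traffic: list of per-second lists of destination hosts (constructed input)."""
    t = VirusThrottle(**kw)
    passed = queued = 0
    for second, dsts in enumerate(traffic):
        for dst in dsts:
            if t.connect(dst) == "pass":
                passed += 1
            else:
                queued += 1
        t.tick(second)
    return {"passed": passed, "queued": queued, "alerts": len(t.alerts)}

# Constructed sample traffic: a user hitting three familiar servers repeatedly,
# versus a scanner sweeping a fresh block of addresses every second.
NORMAL = [["mail.corp", "web.corp", "dns.corp"] * 5 for _ in range(10)]
SCANNER = [[f"10.0.{s}.{i}" for i in range(100)] for s in range(10)]

if __name__ == "__main__":
    print("normal :", run(NORMAL))   # → {'passed': 120, 'queued': 30, 'alerts': 0}
    print("scanner:", run(SCANNER))  # → {'passed': 0, 'queued': 1000, 'alerts': 10}
```

The normal user only pays a one-second delay the first time each server is contacted; the scanner never builds a working set, so every attempt waits and the backlog alerts every second.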
Let's see you reverse engineer Windows to the point where your program can integrate seamlessly and reliably with the OS kernel and the networking stacks without any documentation or help from Microsoft.
You think you're cute, but you're not.
Network Throttling is nothing new, the honeynet project has been doing this for years.http://project.honeynet.org/tools/index.html
Now they are using Inline Snort (Snort + IPtables) to make a signature base firewall. Essential a layer 7 firewall, but with the cool feature to modify packets and not just block them.
Slowing the OS? Sounds like that's already in XP SP2... kidding.
But really, I believe the concept of virus scanners and throttler's such as this are a temporary patch to a problem, not a solution. What if instead of putting on a governor on the IP stack, the OS or a router down the line detects these types of problems. The infected OS is alerted and optionally suspends the attacking process until it is cleared by the user or administrator.
Some ISPs do something similar. One emails the user saying that they may have a virus because of a large number of SMTP connections. I think that's a decent start.
Oz
Damn you for making me defend MS. I can make an OSX box just as insecure as an XP box. It's all about ignorant users and default settings. That's why the market share argument works here. MS's settings, by default, are very weak, at best. If I replace my grandparents' Dell with an iMac and security settings equivalent to XP's defaults, they still would break it.
This *always* happens on slashdot when 'virii' is mentioned. It's worth noting, however, that the protests when encountering the word 'virii' are getting less frequent and not as fast as they used to be. A tell-tale sign that, even here, it's slowly becoming accepted. After all, ever more articles and posts make use of it, outside the pure scriptkiddie/leet speaking populace. Let's face it: it's getting commonly used and well on its way to some day reach dictionary status. But in the meantime, you always will have those that oppose it.
A whole bunch of "It's latin", "no, it's not", "it's slang", "no it's not" posts will pop-up like mushrooms.
While I agree that it's not correct latin, and I understand that some people have difficulties with the 'correctness' of it, it really doesn't matter one bit as to the validity of a word.
1)Language 'lives'; it changes with the passing of time.
2)Slang is not 'inferior' or 'wrong'; they are just words that are used in a subculture.
3)Words of a subculture can and have become 'mainstream'
4)In the past, English (as many other languages) has been 'corrupted' with equally 'wrong' words...yet we use them today as if they always have been correct, mostly not even being aware that once they were considered stupid, wrong, grammatically incorrect, foreign, nonsensical, inferior, ridiculous, the result of laziness, plain misspelled, etc.
Yet they are *all* considered mainstream English now! So, let's face it, there is *no* objective mechanism where you can say; this word has no place in our language or not.
If it's understood and used in this language, then ipso facto, it *IS* part of that language.
Now, anyone understands what is meant by 'virii' and more and more people/posts use the term virii, with purpose, even beyond their 1337 roots.
So it really is silly to fulminate that virii is not a word; it is used as one, it is understood as one, and it even has left its pure sub-culture 1337 roots behind so that now it's actually becoming slowly mainstream. So what, in a year or 5, it may end up in the dictionary, as so many 'non-existent' words before it...and what will be the contra-argument then?
Why, in another 20 years most persons won't even know anymore that it was once considered as 'non-existent' or 'wrong'. They will use it, as we use all those other words that people fulminated against, just as they will with new, totally wrong words that will pop-up. That's what it means when we say a language lives, after all.
A program to slow the spread of viruses and it does not work on Windows. So basically, if you can run this program you will (by nature of not running windows) not contribute to the spread of viruses and worms. BRILLIANT!
That's exactly the difference. It takes an experienced user to make Windows secure. It also takes an experienced user to make a Mac insecure. How many "ignorant users" would buy a Mac, and then spend an hour or so de-activating the firewall, changing the default permissions, and enabling the root account?
This feature is already in XP SP2. Basically, if a program demonstrates worm-like behaviour, windows makes the network connectivity slower. One of the many steps in the right direction (I'm a very happy linux user, but don't want to always blame MS for all evil).
Perhaps HP got it a bit too late, unfortunately, that's how the software market is. Unless HP was sure they have a better product, no point in competing with something the OS offers now.
If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?
The neighborhood would want to pay for that. Really, we're talking about people who already can't figure out how to operate windows update or install firewalls of their own, they certainly aren't going to buy this because they don't care. But, when their ISP gives them a nice shiny CD that just happens to include this, they'll chuck it onto the machine with the rest of the junk ISPs give you. Think AOL, SBC Yahoo's self-install CD, Roadrunner.
Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.
HP could have done it by implementing their own network stack, the way VPN and private firewall software vendors do, but it would be much easier if Microsoft was willing to play along.
But then if Microsoft was willing to work with anyone else on fixing Windows, they'd be better off if they started with the many many features of Windows that actively encourage the spread of viruses instead of messing about with half-measures like this. Instead of crippling the OS so it can't do occasionally useful and sometimes vital operations (as Microsoft themselves are doing in XP SP2, don't forget) they should start by splitting IE into a safe HTML-rendering engine and a web-browser that uses it but takes control of its own security...
If HP or somebody would modify the approach, it would work well in a home router, without having to modify any O.S. outside the router.
The software would need to monitor every IP address on the LAN for viral indications, and then kick into throttle mode only for the indicated IP address.
It wouldn't take too much CPU or memory to monitor 1-10 IP addresses, but it might be prohibitive for 100-1000.
I just have a hard time believing that if it were that easy that HP couldn't figure it out. Companies I've worked for in the past have had to completely re-engineer a Kernel to gain all the functionality required to manipulate all aspects of the IP implementation and the way it interacts with the other layers of the OS to achieve the performance, security, routing, etc. required for the application. This isn't possible without Windows source code, which is not available. I wouldn't think the scenario they describe is out of the realm of reasonability.
Microsoft has helped 3rd party vendors in the past (ex: Diskeeper by Executive Software, installed a modified Windows NT kernel to allow NTFS defragging).
I would say in this case, either Microsoft refused to help HP, or they offered help with conditions that were unacceptable to HP. No doubt the details of which are all under some sort of NDA...
HP owns two class A networks (15.* is old HP's, and 16.* is old DEC's which came with the Compaq merger). If you have that much network of your own, you want to suppress infected machines in order to defend your own network. It's not the Internet they are trying to defend. Other companies with big networks may also have similar problems, so they are the potential customers for this technology.
I suspect that the problem is not that HP can't get something to work on some particular Windows configuration, but that they can't create a commercially viable product that can be deployed to all kinds of corporate Windows desktops without an XP SP2 kind of incompatibility nightmare. Remember that it's the corporates who are holding back on SP2 because of compatibility issues, and no sane company wants to stare into that support black hole with no control over the main engines.
Note also that the article did not say that HP were abandoning the work, it is going back into the labs and they are looking for other ways to use it.