Slashdot Mirror
HP Shelves Virus Throttler Program
longlanekid writes "Though HP has apparently designed a great program for slowing the spread/proliferation of virii and reducing the impact of DoS attacks, it's all being shelved due to Windows incompatibilities."
So it throttles Windows in general, thereby slowing the spread of viruses! I like it!
Take out Windows, and you take out the problem. Go HP!
I'd like to know what the problems are with Windows machines. If you're router/gateway/firewall is limiting outgoing connections, your OS should be able to handle it. Even if it does cause problems, how often does the throttle kick in where there isn't a worm/virus present on the host machine? If this false positive rate is low enough then I'd implement it anyways.
...because "we don't own Windows," Redmond says.
It's not compatible with windows, so let's not even try getting MS to make newer versions compatible, or spend resources writing a virtual device driver. They argue that defense is better than treatment, but forget that a 2 pronged attack is better than pure defense. Even the best firewall and antivirus programs can be worked around. What happens when the next virus or worm comes out and antivirus and firewall manufacturers are caught with their pants down again? Do they plan on letting it spread freely until someone makes a removal tool?
'"we don't own Windows," Redmond says.'
WTF?
If it has these bugs, why not release the program? Then the machines will BSOD and they'll stop spreading viruses. Goal achieved!
I'm afraid that this tool will also affect P2P tools which connect to many hosts every second aswell. Novice users will stop using P2P cause they don't understand why it isn't working.
From the article...
Virus Throttler slows the spread of virus and worm attacks by limiting the network destinations that a virus-infected computer can attempt to connect to each second, according to HP.
Wait a second. This doesn't really protect internal networks as much as it protects the Internet from your-machine-gone-mad. That is to say, this product's operation assumes your anti-virus security measures have already failed you, and you've got a server making attack attempts outbound on the world at large. This would kick in and shut down that server's attempted attacks.
That'd be a great thing for all of us to be running to be good citizens of the Internet... but who'd buy such a thing? Afterall, you have to admit that your existing security products may occasionally fail you before you can even start to explain what this thing will do. And, after such a failure, you're already 0wned. So, you really have nothing internal left to protect at that point, and all there is to protect is the outside world. If your IT house is already on fire, it's sure nice to want to protect the neighborhood, but who's going to pay for that in advance?
Pointing to the fact that this would require some changes to Windows is a nice excuse, but anybody can get Microsoft to do anything when they come equipped with a truckload of money. I think the realization that people would run this if it was free, but no business in their right mind is going to buy it. I think HP realized that, and that's why they spiked this product. HP, afterall, is a business and can't afford to spend too much money on a research project that isn't going to lead to a profitable product.
I wonder if there are any academic groups working on similar projects who might be able to finish the work on this one...
In other news a cure for cancer and AIDS is quietly being shelved. The medical wonder has incompatibilities with most HMOs . Maybe I just don't see the point or perhaps the technology really wasn't all that good.
Microsoft introduced similar functionality in Windows XP SP2:
Limited number of simultaneous incomplete outbound TCP connection attempts
Detailed description
The TCP/IP stack now limits the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. Under normal operation, when applications are connecting to available hosts at valid IP addresses, no connection rate-limiting will occur. When it does occur, a new event, with ID 4226, appears in the system's event log.
get nemulator
I can just see me telling my boss...
Me: "I had to shelve the clients project, sorry."
Boss: "Why?!"
Me: "Incompatabilities with Windows."
My arse.
Can we settle this once and for all?
Virii is not a word in the English language; or any other language as far as I know.
I recommend correctional facilities for those using the word 'virii'.
For all intensive porpoises your a bunch of rediculous loosers
Some changes to combat DDoS attacks:
- TCP data cannot be sent over raw sockets.
- UDP datagrams with invalid source addresses cannot be sent over raw sockets.
Some changes to combat worms:
- Updated TCP/IP stack to limit the number of simultaneous incomplete outbound TCP connection attempts. After the limit has been reached, subsequent connection attempts are put in a queue and will be resolved at a fixed rate. This only applies when connecting to unavailable hosts, for example worms like Sasser guessing where to spread to.
Beware: In C++, your friends can see your privates!
true - it protects the internet at large from you. By limiting the number of connection attempts per second.
So, once you're infected, your server fails to spread at a rate of 10,000 connection attempts per second, instead it spreads slowly, maybe 100 attempts per second? Would this actually do anything besides give your sysadmins a few extra seconds to patch your system?
Wouldn't it be better to block the connection attempts instead, like with an outbound firewall? Maybe stop the app that was trying to connect unless authorised by the user (eg a P2P app)?
Yes, HP's Unix may be closed, but seeing as how HP is developing this, they just might be able to get a hold of the source for their own operating system.
No.
HP got it to work on Linux and HPUX, but didn't have the source to Windows XP, and so couldn't implement it for windows.
Someone else asks if they've ever heard of firewalls, but this technology is intended to stop worms once they're inside your lan.
I'm pretty sure the people who wrote Tiny Personal Firewall didn't have access to the Windows source code.
So enlighten me again - what does this have to do with Windows being a "closed proprietary OS" again?
And BTW, this is something already built into XP, as you can tell from the many comments in this article.
This seems like a good idea that they just couldn't get to work. If they're just going to shelve it and not make a penny anyway, how about releasing the source code and see what the community can do with it? HP makes the same amount of money on it either way ($0), but this way they can get open source brownie points and maybe start something that could be useful down the line.
First off, this is not a troll.
Im my experience it has always been easier to sell reactive solutions to DDoS, worms, and virii.
Working on OpenVision*SecureMAX and Securify(kerberos) back at OpenVision (bought by veritas, products sold to PlatniumGroup, then who knows where), we had a very very hard time selling our prevenative security software (for all the *nix platforms of the time and Windows NT). Everyone wanted virus removal software. Even when Satan was released, people didn't want to have an audit of which machines were vulnerable in the company.
I left the computer security buisness back in '97. At which point did it become easier to sell prevenative measures? Was it just this past year or two with all the outbreaks? Or did veritas make a huge mistake is selling off its aquired security products when it did?