File and Printer Sharing Insecure in XP SP2
ProKras writes "German magazine PC-Welt has discovered a major security flaw in Windows XP SP2 when installing over SP1. The article says that 'with a certain configuration, your file and printer sharing data are visible worldwide, despite an activated Firewall.' The magazine claims they were 'able to discover private documents on easily accessible computers on the Internet' and that the configuration is fairly common."
...wait, no I'm not.
Wow... MS now ADVERTISING XP as a secure computing system with SP2. Now you're fscked for sure!
I still can't believe Parkay's not butter.
Finally, we have enough info to get Samba working...
It's a feature! Now you can share all your documents with the world! Think of it as having a server hooked to the internet! Don't have to buy expensive server software or set up very hard to figure out Apache web servers...just install SP2 and you're "online" in more ways than one!
Worry about your ISP not liking you operating a server? They (and you) don't even have to know!
It's a feature!
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Humiliation...
What he can't kill, he has sex on. Trent.
It seems that Slashdot is desperate to publish any story that is negative about SP2, despite coming from a dubious source with little to no detail on this "flaw". I have to say that it really seems to me that MS got it right this time.
Security over features and security over performance... isn't this exactly what we have been asking for? I mean, do you really care that the guy down the hall is running Powerpoint 9% slower?
Cause all I care about is that he is not hammering my webserver with the latest virus.
Microsoft needs to get their act together, because the fact that a machine could be "0wned" while installing a system upgrade is just poor design. They don't care about anyone except the size of their wallets, and quite frankly it's disgusting how insecure Windows really is.
This signature was left intentionally blank.
SP2 breaks lots of things, but the one argument for installing it was security. Now that's not a good argument, I can simply say no to breaking a bunch of applications and crippling my system, but I can cite the same "security reasons" any lame sysadmin may cite. Less admin on my laptops. Yay!
These posts express my own personal views, not those of my employer
And people who complain how much of a pain Samba can be to set up can now realize at least we're not sharing with the whole world.
Not to be a dick, but Microsoft, wtf?
The Slashdot summary is a little mis-worded such that it'll cause some unneeded alarm.
If you configure File/Print sharing in the "wrong" way as the article talks about, it'll expose those services to the whole 'net even through the Windows Firewall. If there's firewall security installed anywhere else on the way to the Internet, such as at the edge router where firewalls really belong, Windows XP isn't so dumb as to pierce that level of security. Even a simple NAT is enough to be an effective blocker.
In other words... we're running into "That's not a bug, that's a feature!" territory. If you ask Windows to share your files and printers across an IP-based network, you should be sure that the network is separated by a real firewall from the rest of the Internet. Fail to do that, and you might as well expect this is going to happen.
I think by now we get the picture... don't install SP2!
"You talkin' shit?" -- krapper
I suppose there were a few people out there that were expecting it to be secure...what with MS spending over a year...(maybe longer?) in making SP2 while the world was screaming at it to fix its security holes.
And THIS is their response to that. This isn't funny, this isn't a "ha, told you so" kind of thing. This is something that pisses people off. People get fired for this kind of fuck up.
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
Oh, so you can see docs and printers of a XP box? What good news sherlock, that's really a feature, not a "security bug". And I still wonder how on earth that "insecurity" didn't happen in my box when I upgraded from SP1 to SP2.
But since a well-known and famous page like pcwelt.de (or something like that) says it, we must put it in the slashdot's front page without even checking if it's true!!
Just like the "XP SP2 Can Slow Down Business Apps" (read http://it.slashdot.org/comments.pl?sid=122264&cid=10284438 or http://it.slashdot.org/comments.pl?sid=122264&cid=10283379) and dozens of other news by MrTaco, etc.
It doesn't seem to matter all this can be pure FUD. It's Windows!!!!1
I can't tell slashdot editors what they have to put in their own page, but I'm not visiting slashdot anymore if this FUD continues. Sure windows sucks - what about putting news about how much it sucks instead of all this senseless FUD?
Although this article is very important, what's more important is a new exploit that seems to be taking out WindowsXP machines these days. It involves DCOM server {00020906-0000-0000-C000-000000000046} and you can read what little is known about this problem at http://www.tek-tips.com/viewthread.cfm?qid=893026.
I started getting the strange DCOM entries on my Windows 2003 machine right after removing my router from the picture. Without Microsoft's firewall (or other software firewall of your choice) enabled, Windows 2003 machines eventually reboot due to a bugcheck. Windows XP machines probably slow right down to a crawl before needing a good reset.
ROFLMFAO!!!!!!!!
(pronounced ROFF-ull-muh-fow)
This service pack has been a complete failure. This is no longer about performance issues or installation issues.
This is a serious bug, and proof of what poor work Microsoft has done with the Service Pack.
I just remember how Microsoft executives stated (can't find the link, but read it here on slashdot) a bug was never discovered that they didn't know about beforehand, and wanna laugh.
Let's hope this gets some media attention and people start migrating to other OS's. I'm sure the boys at Redmond would do a better job if they thought their product is under serious threat, because this so far is a joke.
Even when I do everything right--I'm wrong!
With a certain configuration, ssh is accessible from outside, even with a firewall. If the configuration includes passwordless root, well then, a slashdot summary "ssh allows remote root access despite firewall" would be a tad overzealous, right? Unless the certain configuration is ever the default, this is just users not understanding what they are doing and mis-setting things. Not a MS problem, it's giving users a choice. It's just a very bad choice to make, but no different than, say, root telnet over wireless internet or something.
SAILING MISHAP
This site is getting worse by the day. I mean, come on.
Please PLEASE if you have friends, family, or loved ones that are not behind a NAT router/box, please install one for them.
Not just for flaws like this, but for windows problems in general and basically so you don't have to worry about the win32 machines BEHIND the nat before you worry about the nat box itself.
Hint: ICS doesn't count as NAT IMHO.
Chris
Most of these security issues are solved by simply having an inexpensive netgear or linksys router and up to date virus software. They are cheap and easy enough to use that they should be considered standard equipment on any home PC connecting to the internet.
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
will REALLY be glad about that 250M download now.
I think I'll stick with slackware.
GETPKG - Package Management for Slackware
Are they talking about sharing files and printers *across* a firewall? If you purposely make holes in your firewall to let others on the other side to access your files and printers, wouldn't you expect everyone on the other side to have access, unless you had some sort of special authentication process or IP based rule to only allow some access?
If I'm understanding it correctly, using the "Subnet" scope for your dialup connections actually allows access from the entire Internet. The article seems to argue that this "bug" is due to Windows ignoring certain settings when it deals with dialup connections. It doesn't say if the firewall code is flawed (and thus not properly calculating the "subnet" scope), or if there is some other DUN code which is overriding the firewall settings.
Backups are for wimps. Real men put their data on a WinXP internal share and have the rest of the world mirror it.
I work at an OEM making bespoke Video Editing systems under XP. We are installing XP SP2 on all of our machines currently - these are machines that need VERY high performance in terms of both IO and actual OS-level resources.
Service Pack 2 has a couple of irritations, and does seem to make things a tad slower on a couple of configurations, but this is just pure BS - I have not seen a single instance where it has enabled File & Print Sharing as default on a Dial-up connection - or even where it has had those ports unblocked in the (rudimentary) firewall as default.
Every one of our machines is different, I have NEVER encountered this problem on any of them.
If you're stupid enough to tick a box in the Network Connections settings and you have no idea what it does, then you deserve to be 0wned!
Hmmm... I installed SP2 and could no longer access my printer/scanner and therefore no longer print my files, but, anyone on the internet could see them! Removed it and there they were again. I must have done something wrong I guess.
...and send them goat.cx?
Stop the world; I need to get off.
http://shit.slashdot.org/article.pl?sid=04/09/18/2143242&tid=128&tid=201&tid=1
occultae nullus est respectus musicae - originally a Greek proverb
water is wet and the sky is blue.
both here and in the world.
The reason that this was done likely is because SP2 enables the firewall by default. So you don't want people calling asking why their file shares and printer shares don't work.
In addition to that, if it is a local network like that, they have a router in the first place, they are safe.
In addition to that... remember in windows XP unless you CREATE a share it is not going to be there (even though the file and printer sharing may be turned on).
In addition to THAT... winXP by default has guest turned off, so you would have to be an authenticated user to get access.
Someone is trying to be sensationalist and not thinking about things.
RoundTop
My roomie (who I hate) has a printer he was hiding that he's now all of a sudden sharing. 3 words: All. Black. Printjobs. I repeated those, uh, words, about a hundred times. Hilarity did -not- ensue. (Well, it did for me).
The fix is broken on computers that have already been compromised. Which is probably a fair number of them. This bothers me.
Think about it, for a moment. The firewall is blocking internally-generated connections. Which is fair enough. (Though silently dropping would likely have been safer.) However, to lock the machine up, the TCP stack has got to be taking the error as cause to retransmit the packet.
Why am I so certain that this is what's happening? Because Windows has had some degree of preemption for a while. It's not great, but it works. Sort-of. Lock-ups should be next to impossible on a totally pre-emptive OS, as the locked-up program would simply be interrupted. It'd slow the machine down, slightly, but it wouldn't be fatal.
What we're getting here, though, looks like something fouling up big-time in a non-blockable part of Windows. Odds are pretty good that it's the network code. My suspicion is that the TCP stack and firewall are in an unbreakable infinite loop, with the error generated by the firewall causing the TCP code to resend the packet, ad infinitum.
A lot of people have argued that Microsoft isn't to blame for other people's crappy code. Which is fair enough. But they are very much to blame for their own crappy code. If you're going to have non-blockable code (a VERY bad idea!) then you've got to be damn sure that there are no scenarios in which that code will put itself into a spin-dry cycle.
It seems as though Microsoft merely added firewall code, with absolutely no thought as to the possible impact it could have on the rest of Windows.
Further, if my suspicion is correct (and I'm pretty confident it is), then it should be possible to crash any Windows box remotely. Simply generate a packet that Windows cannot reply to. By forcing the TCP stack and the firewall to fight it out, you'd paralyze the machine.
The correct way to handle this kind of situation is to recognise when a connection is administratively prohibited or impossible, and to not keep retrying. You'd then escape out of the non-blockable code, and pre-emption would allow you to continue as normal.
If you want slightly "smarter" behaviour, then if a process repeatedly keeps retrying a connection or activity that is prohibited, every time it gets woken back up, it should drop in priority, be slept a reasonably long time (in the hope the problem can be cleared by then) or get kicked off the system. ("Three strikes and you're out." logic.)
It should absolutely not be possible for any user process, no matter how badly written, to create a situation in which an uninterruptable infinite loop can develop. Either there needs to be some mechanism to interrupt any loop that might be infinite, OR there needs to be a mechanism for recognising when a loop is running unacceptably long.
It's no use Microsoft whining that customers should clean their computers first. That would be like McAfee arguing that you should clean your computer of viruses before running their software. And how are you supposed to do that, if you've no software installed for detecting and/or cleaning the damn things in the first place?
The only way you can know (for certain) that there's nothing trying to access an unauthorised port is by blocking the ports and seeing what happens when you try to use the computer as normal. And the only way you can then do anything about it is if the computer can cope with that situation in a controlled manner.
bw
Get them a mac.
Windows is the only OS in the world where an external NAT device is a "necessity".
to the expression "Butthole Surfers"
I just can't wait to see the **AA go up against M$ over this.
Does this mean that they won't use Microsoft DRM anymore?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
the beta-tester !! You, the customer. They love to save money by outsourcing. It's the in thing , you know ? Well, you do now.
since it's common(enabled by default) for Win2k to share all hard-disc partitions as C$, D$, E$... (you can't see them, but they exist), or is this only a XP specific _problem_ with SP2?
( I didn't read the whole article yet, I wait for localized _native_ german version....................)
Maybe if you posted as a registered user and not a cowardly AC, you might get modded differently. Oh yeah, why don't you use your "secure" web browser to find out the worldwide dollar figure for all the Windows vulnerabilities. And here's one to add to your list:
Which operating system permitted a virus to destroy the data and BIOSes of over one million computers?
Pain is merely failure leaving the body
But why?
You are not the customer.
75 people in Dept A had no reboot today from their Windows XP.
In a small town in France, Jean-Louis had a baguette for lunch along with some delicious red wine from the local winery.
On Slashdot, an Anonymous Coward dared not post under a real name because he was too ashamed of his own rant.
Infuriate left and right
In the pursuit of building a secure OS Microsoft just can not stay ahead of the curve (shameful)...
If this was the mid 1960's I could see Ralph Nader on TV saying "Windows is unsafe at any speed"...
MS has been so busy smearing Linux they forgot item 2 of their Security Vision!
Or more probably they consciously decided that FUD was of utmost importance.
MS is just digging their own grave with their ulterior motives.
I do a fair share of programming so I can understand some glitches here and there but this one is an enormously major fuckup.
Don't they friggin test their software? What the hell?
This could easily have been prevented if they had just 1 halfway knowledgeable employee trying to break their own security before release!
Now that every(only XP users) PC has a firewall(unless they turned it off), they won't have to spend so much time on making their apps secure!
It's just gunna get worse.
To make laws that man cannot, and will not obey, serves to bring all law into contempt. --E.C. Stanton
Why is this deemed worthy of a slashdot thread? I mean, it's not like security flaws haven't been discovered in Windows before...
That is only true if you have broadband. To get a dedicated (though still software) router that supports dialup is several hundred dollars, and those routers only support dialup as a fallback mode, which means using them in dialup mode for a long time will reduce their lifespan as the serial port hardware wasn't intended for constant use.
This security discovery shows the advantage of "many eyeballs" in software publishing. Modern software, especially a behemoth like XP/SP2, enables so many potential states that it cannot be deterministically tested in a useable time. The difference between an "Alpha" and a "Beta" test is not some measure of software stability, but rather the decoupling of the design/development team from the testers, which enables a different path through its features. Public betas, released into the uncontrolled "wild", harness the power of massive simultaneous testing, much of which might be redundant, but some of which can be novel, achieving rare states quickly. Including public tests before release uses that power to improve the software before it's released. While excluding the public until the release means only that some public "testers" might not report discovered flaws, keeping them for exploitation, while the rest of the public depends on the integrity of the release.
Microsoft has taken advantage of the revolution, started by Netscape with its "0.9xb" releases, in "public sourcing" the testing of betas. They combine promotion and time to market, without the time and money expense of a completely tested release. It's time Microsoft copied the really powerful benefit of testing, before they officially release essential software like SP2. Sure, their developer network tests betas of SP2, but that's a restricted, though large community, suffering not so much from small size as from oversimplicity. Nothing can compare with "the wild" for returning surprising results. The issue these days is how to incorporate the wild in the plan.
--
make install -not war
Microsoft goes on a bit about how much better their commercial software is because they have commercial code reviewers to catch this kind of thing, i.e. people who have a job to do and are getting paid to do it must be doing a better job than the great unwashed masses.
Microsoft tells us they do these kinds of things better, but the reality of the situation is that fixing security issues requires a group of people who know what they're doing, and honestly, I don't think Microsoft has a whole lot of those people.
--- It is not the things we do which we regret the most, but the things which we don't do.
User is actually providing informative information and not just "insightful" or "funny" witticisms.
you can't see them, but they exist
:)
Sure you can see them.
# smbclient -I [IP Address] -L //random_name
Password: [Enter]
It will list the computer's name as:
Domain=[COMPUTERNAME] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
Then use:
# smbclient -I [IP] -L //COMPUTERNAME -U Administrator
Password: [Enter]
And it'll list all the shares including IPC$, C$, D$, etc.
Now just mount whatever you want. Or connect to a printer and use 'print <filename>' to print a file from your local drive on their printer. Use 'queue' to make sure it printed. It may be off or out of paper or whatever. Happy hunting.
Congratulations, your 'boring MS security hype' skill has just increased 1 point. Tune in to Secunia for more senseless hype that countless SANS students use to powerlevel their GIAC papers. Good day.
That is what you advocate. Macs also have IP file and print sharing. If they are using them for Windows for a home network, they would also want to use them for the Macs. Guess what? That's a potential security hole. If you open a port for legit use there exists the possibility that it can be used illegitimately as well. This goes double for something like this which isn't a hack, just insufficient security permissions.
If you think Macs or Linux are immune to stupid users, think again. The good thing about NAT is it provides a no-effort security layer to help with user stupidity.
Add to this that, by default, Windows XP prevents the use of accounts for remote file sharing if the account has no password, so in the case that the user has not put a password on their account no amount of guessing will allow someone into their file system.
And the amount paid should reflect the potential severity of the bug.
As the past shows, the severity of a MS bug is directly proportional to the news coverage it gets. You reporting a bug directly to MS and then waiting for them to fix the problem would never be considered a major bug. Of course it would lead to everyone being exposed, unprotected, and ignorant UNTIL that bug is fixed.
Except you forgot about the people who "delete" their administrator account.
They don't see it at login, it has no password, and other people (and viruses) can and do access your system (C$ anyone?) remotely
On campus right now we have one worm which has infected about 10% of the resnet computers and spreads through open windows file shares
Now go back in your box.
This is not a flaw. This is a security setting. If you do not bother to look at your firewall settings and exceptions then you are incredibly and emphatically mentally challenged. Please disconnect your PC and send it to me or donate it to poor third world children.
This is, of course, presuming that you have the password to the administrator account. Simply knowing the admin shares (which is what the hidden shares of C$ and so on - in Windows $ suffixed shares are "hidden", though the hiding is from an aesthetic perspective rather than any sort of security through obscurity) is useless otherwise.
ROFLMFAO!!!!!!!! (pronounced ROFF-ull-muh-fow)
Get it straight, idiot. It's spelled ROTFLMAO and pronounced Rot-fluh-may-oh. Everybody knows that.
This has been this way for a long time. Comcast cable even blocked the ports used for MS's file/printer sharing.... When my friend first got comcast cable internet he was able to see hundreds of people's shared folders through explorer.
Also... what the hell good is a shared folder if your firewall will block it? I would have assumed anyway that it would allow the file and printer sharing to go through.
Misleading statement. Windows XP does not allow accounts with no password to be used with File and Printer Sharing.
That's not true. I've done it without having to do anything special.
Store your files! Print stuff! For only $4.89 a month! Connect now! \\xxx.xxx.xxx.xxx\ Please, don't copy my pr0n
These computing resources were being placed in the public domain. It's like finding a laser printer lying on the sidewalk and printing something on it.
By leveraging innovative technologies, content providers streamline compelling enterprise solutions.
The legacy firewall configuration, in Control Panel -> Windows Firewall -> Advanced -> Settings..., is extremely confusing and dangerous. The settings from SP1 get carried over to SP2, but only inside the Advanced area.
Unlike the SP2 firewall, changing a legacy firewall setting in the Advanced area requires a reboot, and it doesn't tell you that. Generally, I've seen that the legacy firewall settings poke a much bigger hole in the firewall than the new SP2 exceptions. It's great that the SP2 exceptions are stricter, but Microsoft really should have disabled all of the legacy SP1 firewall settings, with an option to ask you which ones to enable.
Yes, I'm in the Raymond camp, but I think this is a case where breaking compatibility is prudent, especially considering the goals of SP2.
Alternatively, http://www.malfunction.org/fulifier/nph-fulify.cgi?URL=http%3A%2F%2Fit.slashdot.org%2Farticle.pl%3Fsid%3D04%2F09%2F18%2F2143242%26tid%3D128%26tid%3D201%26tid%3D1
That is presuming there is an administrator password, and the guest account is disabled. It seems XP also just authenticates you as a guest if you press enter for the Administrator password.
And let's put one thing to rest - there is no such thing as a "hardware firewall" - a dedicated firewall is a piece of hardware, which runs firewall software.
Author, Shell Scripting : Expert Re
That's why I close all my letters I print on other people's computers with:
Hugs and Kisses, Bill Gates
"There is more worth loving than we have strength to love." - Brian Jay Stanley
with all these insecurities in sp2, why the fvck is it still being pushed?
-Tim Louden
Why is everybody acting surprised about this now? This only compounds what most of us already know about XP... it is NOT secure. This is not really a new issue, file and printer sharing always extends to the NIC's interface and if a host is connected directly to a cable/dsl modem without a firewall of some sort and they are dumb enough to turn on sharing or they're infected with something like nimda it's going to drop their info right out there for the world to see. I've seen everything from corporate bank account info to some really nice pictures of people's girlfriends that have been grabbed using this method. It's not that hard to fix though. For one, make sure you're using passworded shares (or at least passwords on the user accounts,) then get a router with a firewall or just install a firewall on your box. For god's sake, people use protection for everything from sex to driving. Those that don't, well it isn't pretty. If more ppl (yeah I know it's cliche) "practice safe hex" they wouldn't have to worry. The ones that don't... that's their mistake, MS can't babysit everybody. Caveat Emptor.
As a side note about the account passwords:
I work tech for one of the big 3 manufacturers and I'd like to let everyone know that ALL of our systems go out without an admin pw, most OEM systems do. It's not because it's too hard to implement, it's just b/c our bosses don't understand or care. Remember, this is not the technology revolution it once was, now the whole thing is run by a bunch of marketing droids that aren't techno-savvy. I think it's high time people stopped complaining and started learning to use this wonderful technology a little better. After all, it's OUR internet... it's gonna be what we make of it.
ThisIDalreadyInUse
People really shouldn't rely on the built-in WinXP firewall for protection.
It might be alright for compartmentalization--keeping boxes on a LAN safe from each other. But I sure wouldn't want to put a machine on the internet with just the WinXP firewall between it and the Big Network.
Sygate is easy to use, informative, and more secure than the built-in firewall. Hardware firewalls/routers/NAT-gizmos are cheap and for the most part will keep Joe Sixpack safe* while letting him do what he wants to do with no fuss.
Ideally each machine on a lan has its own software firewall, and then the lan has its own gateway/firewall--either a NAT-in-a-box or a Linux machine. Even in that situation I wouldn't trust Microsoft for the software firewall, mainly because it'll probably get in the way and I can't fine-tune it.
But anyone who puts a WinXP machine on the net with nothing but the built-in firewall is asking for trouble.
*wlan security aside, but that's a whole separate issue--and another argument for software firewalls on every machine.
Funny thing about that administrator password. As I pointed out in my post later in the comments: I work for one of the BIG OEM companies and I can say with all certainty... we don't put Administrator passwords on the computers when they ship. Furthermore, we WILL NOT assist in adding/removing/modifying any settings of the sort for less than $2.95 per minute. It's not covered in our scope of support. I guess our bosses figure if you're going to use the technology you should at least know something about it. Oh, don't forget the fact that the suits that run the place don't even know how the stuff works. When our tech call center came down with blaster I was recruited to assist with the removal. With the current admin being clueless, guess who had to plan the whole thing out. The first thing I did was scan for systems that had the symptoms (this was before we knew what it was) and I was amused to find out just how insecure our network is. Do you know what kind of information we collect and warehouse every day? Scary. BTW, after helping disinfect about 500 systems and saving the company millions of bucks, they were nice enough to label me a security risk and put me on a watch list. Just goes to show, the companies that make the stuff don't know anything about it.
ThisIDalreadyInUse
Well, well, it seems that it's not ONLY posts that are Linux-negative that get modded down. The M$ofties appear to give as good as they get.
And that's saying a lot.
Pain is merely failure leaving the body
Once again, I've exposed the true colors of the Micro$ofties. Wassamatter, Bill-lickers? Don't dish it if you can't take it.
Pain is merely failure leaving the body
(For the slow, that was intended to be tongue-in-cheek. Mostly.)
Is it any wonder that when I got a free XP Service Pack 2 cd from school this is what became of it? Before After
Well, there is a flaw in file/print services, in as much as they should be off by default, but THIS is a flaw in the firewall. If the new firewall software can't distinguish between interfaces, it needs to be backed out and replaced with the old software until it can.
...you hate SP2. You hate Windows XP.
Do we need an SP2 article every single day? More Linux news, please!
IIRC, 98 had a window that would warn you when you were sharing files over an internet connection. It used something to the extent of check network security that was in the dial-up properties. Was this small little feature not carried over to XP?
http://dont.spam.me.anymore.com
Sounds like a Troll journalist. Much like the ones at the NY Times.
Apple Airport base station supports dial-up for much less than that, and is beautiful too. I wish it supported ADSL with an internal modem too!
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Sadly, though, consumer routers aren't really up to the job. Plug in any Netgear router and try to run bit-torrent or gnutella and watch it lock up inside of 15 minutes..... unless you can afford a Cisco - and no, linksys routers are not as good - you're stuffed.. or dependent on a modem.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
My bike came with a clear notice to buy and wear a helmet. It even has one on the frame. Every shop you go to will tell you to buy a helmet. It's not a secret that bikes need extra stuff.
When Windows comes with a notice "don't connect this to the internet without a security staff of 100 protecting it", or even just "windows is not designed for normal users to connect to the internet, please ensure that a qualified security professional has secured it before connecting", then we should stop bitching about insecure defaults. Until that time, every criticism is needed.
Even OpenBSD, not renowned for its insecurity, comes with clear instructions for hardening the box after install which are pointed out to the user first time you log in. If you follow them then you will end up with a system which is carefully firewalled as well as minimal services.
Correct way: Service activation at some point forces you to decide where that service is available. In OpenBSD, this is the point where you set the firewall rules (as following the install instructions, or when adjusting for your new service). In Windows, this could be a dialogue to the user as they start the new service, but it has to be somewhere.
Gary Fisher Tassajara hardtail with basic Hayes disk brakes in case you are wondering.. Great. really great.. The brakes also come with instructions to use a helmet; first time you brake too hard you may find out why...
Second this. Seriously, people complain about MS running FUD campaigns. Know what? Their complaints are legitimate. That's why a lot of people in the know don't like Microsoft much.
The solution is to continue to provide better information than Microsoft does, not to do the same damn thing about some stupid Microsoft service pack (which, FWIW, I'd say is the most security-oriented and Slashdotter-happiness-inducing patch Microsoft has come out with in years, beating many Linux distributions to noexec stack protection). FUD bites people on their own asses.
The Slashdot furor over SP2 is absolutely *absurd*. Security? Consider the fact that 95/98 allowed a remote user to extract and print out users' share passwords remotely from anywhere on the Internet in a few seconds using a Wargames-style algorithm (linear time in length of password), just with a few lines of C code added to smbclient. Consider the fact that Windows NT 4, by default, came with a default account (Administrator) with no password, with all drives shared to that account in "hidden" shares that were only hidden because of a client convention not to display shares, and automatically re-enabled said administrative shares at reboot if a user tried disabling them. File sharing problems? Man, nothing Microsoft can *possibly* do will ever come close to the security blunders of their past. Microsoft is getting better. They've got a long way to go -- they don't have a native sandboxing mechanism (a la chroot jails), they have problems with their GUI-oriented API (see "Shatter" style attacks), they have charming comments in the MSDN API documentation like (extracted from memory from one particularly egregious CAPI call) "This parameter should never be used due to security problems. Some developers may wish to use this parameter to provide compatibility with Microsoft cryptographic service providers."
Microsoft, you want real credibility, the ability to sell coders that you've got some real things going over Linux? Do the following:
* Provide sandboxing functionality. You just purchased Virtual PC, yes, but I'm talking about OS-level sandboxing, not the slow and less functional hardware-level sandboxing. Let me run IIS in an isolated sandbox, where nothing gets out. Enforce this with the OS, not with application conventions.
* You provide the overwhelmingly dominant compiler for your platform. Yes, .NET is useful, but implement things like inferred static types with ranges used to help detect buffer overruns. Lots of code (most code being run out there) is in C or C++ and will be for a long time to come. I know you hire a ton of people to MS Research from Carnegie Mellon each year, and I know that there are a ton of good language design people at Carnegie Mellon. Use said people.
* Do not run your RPC/filesharing/printsharing system by default. It's been the source of God knows how many security problems. Yes, I'm sure that you have lots of long-time Microsofties that are thrilled with it. This isn't 1985 any more, and machines are on networks and often poorly administered. A vanilla box shouldn't have a single packet passing up past the level of the TCP stack. There should be no listening ports in a default Windows install. That means that (a) you don't have to worry about pissing off sysadmins after you blame *them* for not firewalling your broken software that runs out of box and (b) you don't have to worry nearly as much about disastrous, media-worthy waves of worms.
* Start an application-level security certification program for certain basic characteristics -- like being able to install and run an application without having administrative rights.
* You *still* don't use key or cert caching with your SMB/CIFS system. This should be a default. When I connect to a server with openssh on my Linux box, that server's key gets *cached*, and if a man-in-the-middle attack is later attempted, I get a warning that the key has changed and that a man-in-the-middle
May we never see th
If only senator Orrin Hatch's 'fry the computer' antipiracy law had made it through. This would end up in a nice huge smouldering pile of smoking computers.
http://it.slashdot.org/article.pl?sid=03/06/20/0046237&tid=103&tid=185
The default configuration does have an exception for File and Printer Sharing. However, the exception only covers the user's private home network; the internet will not have access to F&P Sharing
No, the default configuration is to open to the world. I've tried to find this magical way of making it close them by default (since the MS weenies on slashdot keep insisting that it exists), for example installing completely standalone, but the default is always set to all when you check the firewall.
Plus, as the article makes clear, 'Local Subnet Only' is broken and doesn't work unless you enable ICS, which opens the firewall to all again.
Damn not awake yet, that reads funny. The last line does not mean that ICS opens the firewall (although I wouldn't put it past MS).
...how can we better integrate it into our product line?
...and spool the results to a directory instead of printing them. Every so often, review the .ps files with a suitable viewer to pick out the good ones, and run stats on all of them.
You could also have SaMBa mimic XP SP2 and run a similar collector in honor of the man who brought us costless (for the sender) paper spam: William Henry "Trey" Gates III and his performing SP2.
"news for nerds" not news for kids or grannies. Even mentioning MS is counter productive. Enough! No more damned articles about XP or MS, etc.
If this is indeed a security flaw, why hasn't http://www.securityfocus.com/ listed it?
Imagine having the printer print out that it requires repairing and to ring a number which you have to pay $1 a second (or whatever).
Hiyall,
... What's the use of having SP2 sharing your resources and not even prompting before doing so? And where is the long-ago-discussed outbound access which is half of the functionality of any decent SW firewall?
It's funny to read the comments from all you people saying: "but you should have another firewall around the internal network anyway"! I say ho-ho-ho. If you ever studied the basics of security or even worked long enough in the business, you'd know for sure that security is always built on several layers.
That's also the purpose of a software firewall - to be another layer of security inside many other layers. Usually you also have hashed passwords, firewalled networks, encrypted filesystems, virus protection, so forth and so on
Wake up, guys. Have a look at the following article and decide by yourself if SP2 can be relied upon or not:
http://www.pcmag.com/article2/0,1759,163927
http://common.ziffdavisinternet.com/util_get_i
Yes, it is true that there are many security problems with Windows in general. Windows XP, especially the Professional Edition, is a very powerful and configurable Operating System. Therein lies the problem. Windows XP Pro is pre-installed for nearly all business users. At home, more and more people who consider themselves "professional" because of their ability to edit baby pictures with Photoshop, use XP Pro. This is mainly an ego trip. Seeing that "Pro" insignia at boot-up is rather flattering for the average user, who in reality, is a fuckin' techno-idiot. The general insecurity on the net at this moment in time is caused by uneducated, incompetent users.
This is not just a Windows-specific phenomenon. Linux is also an extremely powerful OS that, when in the hands of idiots or uneducated average users if you prefer, causes as many security problems on the web. How many are now running Linspire as root? How many even have a clue as to what IPTables do?
Most of the security problems that now plague the anarchy often known as the WWW community may be corrected with simple configuration adjustments, and that applies to XP as well as Linux. Often, patches issued by Microsoft simply readjust configurations, something that any averted user would have been able to do if competence were not an issue. Same with Linux. The other code-based problems that affect security come also in the form of patches or replacements. How many average (business or otherwise) users really bother?
So the problem my friends is not in "the stars," be they from Redmond or Finland. The problem is in the friggin' stupid heads of non-thinking, uneducated, semi-literate, nose-picking, "DuH"-enouncing end users.
I think you'll find that actually you have to edit the registry, or change the local user security policy. Neither of which a standard moron knows how to do.
Believe me, it took me about an hour to figure out why I couldn't access my WinXP machine from Win98 - all because I can't be bothered to enter passwords on my machine...
The guest account is disabled by default.
why would you want your firewall to interfere with what you wanted to serve?
Um, because that's what a firewall is for? That's ALL a firewall of this kind is for.
If you don't have any listening ports open, you don't need a firewall. The only point to an IP level firewall is to block access to ports that you would otherwise have open. Putting an IP level firewall on the computer itself is only necessary if you can't control access to listening ports in the services that are opening the ports.
Microsoft's file and print services and all other Lan Manager / Windows Networking services are a hard case, because they run multiple services over a few common ports. You really have to firewall ALL Windows Networking services, and opening the firewall to any of them renders them all open to attack.
So... if the firewall is to be meaningful, it has to disable access to all the Windows Networking ports by default. It can't go around making exceptions when you turn on this or that service.
What Microsoft REALLY needs to do if they want to use a firewall this way is to implement a firewall at the Windows Networking layer itself, and have *that* firewall block or allow access to specific named pipes. Without that, well, there's just so much a firewall can do and the only secure option is to completely block access until it's explicitly turned on, on a per-interface basis.
Summary:
1. This is a flaw in the design of the XPSP2 firewall, compared to the previous one.
2. An IP-level firewall is not an adequate solution to Microsoft Networking security issues in the first place.
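The per-interface, default-deny evaluation argued for in the comment above, as an added example that is not part of the original thread and does not reproduce the SP2 firewall's actual logic. The `Interface` and `Rule` model, the interface names and the addresses are constructed for illustration; the port list is the standard File and Printer Sharing set.

```python
import ipaddress
from dataclasses import dataclass

# Ports opened together by one "File and Printer Sharing" exception.
FILE_PRINT_PORTS = frozenset({("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)})

@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network  # subnet configured on this interface
    trusted: bool                   # True only for the private home LAN

@dataclass(frozen=True)
class Rule:
    ports: frozenset
    scope: str             # "all" or "subnet"
    interfaces: frozenset  # names of the interfaces the exception is bound to

def allowed(rules, iface, src, proto, port):
    """Default deny: accept only if a rule bound to the arrival interface matches."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        if (proto, port) not in rule.ports or iface.name not in rule.interfaces:
            continue
        if rule.scope == "all" or (rule.scope == "subnet" and src in iface.network):
            return True
    return False

def audit(rules, interfaces):
    """List every exception that is reachable through an untrusted interface."""
    return [(i.name, r.scope) for r in rules for i in interfaces
            if i.name in r.interfaces and not i.trusted]

# Constructed sample hosts: a home LAN plus a direct ISP link in a large subnet.
LAN = Interface("lan", ipaddress.ip_network("192.168.0.0/24"), trusted=True)
WAN = Interface("wan", ipaddress.ip_network("10.0.0.0/8"), trusted=False)

# One exception applied to every interface vs. the same exception bound to the LAN.
GLOBAL_RULES = [Rule(FILE_PRINT_PORTS, "subnet", frozenset({"lan", "wan"}))]
PER_IFACE_RULES = [Rule(FILE_PRINT_PORTS, "subnet", frozenset({"lan"}))]

if __name__ == "__main__":
    for label, rules in (("global", GLOBAL_RULES), ("per-interface", PER_IFACE_RULES)):
        print(label, "tcp/445 from 10.9.8.7 via wan:", allowed(rules, WAN, "10.9.8.7", "tcp", 445))
        print(label, "audit:", audit(rules, [LAN, WAN]))
```

With the exception applied to every interface, "local subnet" on the ISP-facing link means every other host in that provider subnet; binding the exception to the LAN interface removes that exposure without touching the scope setting.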
I used to get a 10.x.x.x address via DHCP from my ISP. However, my IP address appeared as a routable one when looking from the Internet. In other words, my 10.x.x.x address was mapped to a "real" address and I was able to run servers etc. They scrapped that and now I get a 80.x.x.x address via DHCP.
I'm sorry if I haven't offended anyone
It's funny how whenever I use Windows Update to update my office PCs, Microsoft tells me how urgent it is to install SP2. Yet, all I hear is how much of a mistake it is to install. Normally, there are some added features touted or some new functionality previously not present. I have heard nothing about the new features, except from Microsoft. I won't be installing SP2 anytime soon!
My Windows 98 configuration of ZoneAlarm prompts me when any program wants to communicate with the network: do I want to allow it or not?
I can't comment with authority on ZoneAlarm with Windows XP with or without Service Pack 2, but the latest version ZoneAlarm is claimed to work in place of Microsoft's firewall (older versions are no go), and presumably doesn't suffer the same loophole as is alleged of Microsoft's (I'm looking out for corroboration of the story; maybe after the weekend). In fact, I haven't managed to get the network card on this thing to work at /all/ since I installed ZoneAlarm; that's secure! - but it could be coincidence.
I searched this whole thread looking for some solid advice as to how to properly configure the firewall under SP2, but to no avail. Nothing but bitching and ragging on M$. How about some solid advice on the specific ways to optimize the firewall and get around the real or imagined problem!
I seem to remember this "feature" being the case in SP0/SP1...I've never had their built-in firewall block off sharing. I thought it was deliberate on MS's part to give the user a puny firewall that wouldn't interfere with Microsoft's file sharing.
Then again, I also have my hosts on internal IP's on an otherwise unroutable P behind a linux proxy/firewall, so maybe MS's firewall software operates differently because I have a 192.168 addr..?
The MS FW was one of the first things I recognized as flawed when I got an XP laptop -- first thing I tried was an nmap against my host-- and bleh...none of the standard MS ports were hidden. Went to a 3rd party fw product after that...
I'm surprised this hasn't come out before now. It's not like it is a new bug, IME...
-l
That, however, doesn't change the fact that you can hardly be blamed for using resources someone else has made available. Open port is an invitation. If the inviter wanted to limit his invitation to a certain group of people, he should have used a password. Otherwise, people have no way of knowing that this invitation didn't include them.
I'd love to hear someone try this line of bull in front of a judge in a sentencing hearing. Just bring your toothbrush, LOL. The old, "they should protect their money better if they don't want to be robbed," or the "she shouldn't have walked in a dark alley and dressed like a slut if she didn't want to get raped" defense.
Good luck with that.
Slashdot "libertarians": Small government for me, big government for those I disagree with. -1, I disagree with you
Compartmentalization in general makes a lot of sense.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.