Internet Security Warnings

Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this weeks patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

It hate to say it...

[confusion]

But it's been a while since we've had a good/effective worm.

Jerry
http://www.cyvin.org/

Re:It hate to say it...

[ciroknight]

Eh, just wait for Vista.

Oh, but of course that's a troll, so I've gotta say something constructive.. Microsoft's been doing a lot better with security now that everyone on earth is making a buck off of "securing" Windows. As more and more security-related technologies such as antivirus, firewall and antispyware make their way into Windows, however, lots of these companies will die or be bought by MS, and they'll be held a lot more responsible for security, and thus, when Vista rolls around, security is likely to be absymal again. Maybe it'll be just what's needed for a huge evacuation from the MS dependency...

Here's for hoping..

Re:It hate to say it...

[confusion]

It means that I'm not looking forward to another worm, but I'm realizing that the circumstances are right for one to happen.

That's what I meant.

Jerry
http://www.cyvin.org/

Re:It hate to say it...

[ciroknight]

No drugs here, but then again, my argument does make sense; Security left in the hands of Microsoft is security that should be questioned.

I mean just look at the terrificly terrible job they've done with the Xbox, or the bang up job they've done to date with patching well known security issues in Windows. Their attempts at security seem half-assed at best, as most of the more critical bugs are found by companies outside of Microsoft, and as Microsoft acquires more of these companies, I doubt if their advisories will ever make it out the front door.

Thus, I believe when Vista comes out, there will be a million new exploits, just as were delivered with Windows XP when it came out. And as most of these exploits will be retroactive (as the NT platform is known for carrying bugs for years without them being detectable), WinXP and 2000 will be at risk as well. It's only an opinion, but it's a well thought out one. At this point it's all speculation.

Re:It hate to say it...

[tomhudson]

Maybe it'll be just what's needed for a huge evacuation from the MS dependency...

My "threat meter" isn't even plugged in - but then again, I'm not running Windows.

What are the chances of Microsoft making a secure anti-virus or a secure anything? Remember their last "security push?" 1 month of "emphasis on security" isn't a magic wand to fix 20 years of code; nor will it change the underlying corporate culture. It was all for the media. And they ate it up, being too lazy (or too addicted to free meals - see the story on groklaw about that) to bother telling the truth. http://www.groklaw.net/article.php?story=200508121 9304040 or, for those too lazy to click, Microsoft is offering free pizza:

Speaking of FUD, I have a copy of the email Microsoft sent out to journalists inviting them to lunch.

Here's a snip:

Why spend 10 bucks on a burger at Moscone when you can have a slice on Microsoft? Come join the Microsoft Embedded group at Moscone Pizza (across the street from the Moscone Center) on Tuesday, August 9 from 1pm - 4pm for lunch and discussion on the Windows Embedded operating systems. Product managers Mike Hall and Dan Javnozon will be available to provide demos of Windows Embedded developer tools and answer questions about Microsoft's strengths in the embedded space.

For instance, did you know... .

- Microsoft embraces shared source, and makes more than 2.5 million lines of source code broadly available to customers, partners, developers, governments, academicians and other interested individuals. In fact, more than 275,000 developers have downloaded Windows CE Shared Source

- Microsoft offers a shared success model that translates to low up-front investments for device makers, in addition to faster time-to-market. The Windowsembedded motto? "We don't make money until you do."

- Windows Embedded designs, on average, get to market 43% faster, on average, than embedded Linux designs - 14.3 months with embedded Linux vs.. 8.1 months with embedded Windows; 14.2 engineers with embedded Linux vs.. 7.9 engineers with embedded Windows (Embedded Market Forecasters, November 2003)

- Windows Embedded designs, on average, cost 75% less to bring to market than embedded Linux designs. (Embedded Market Forecasters, November 2003)

I'll be in touch to gauge your interest in setting up a one-on-one briefing with Mike or Dan during the lunch.

A little nauseating, don't you think (love the carrot -- a one-on-one -- which is hard for journalists to turn down), to set up camp across the street and trash talk Linux at LinuxWorld?

Burns also mentions that the Microsoft Linux Lab session was well attended. I believe that falls into the category of keep your friends close, but your enemies closer. If I had been there, I'd have attended that session too, even though I would prefer that Microsoft never be given a platform at any FOSS conference, personally. Shared source is not Open Source even, and it for sure isn't Free Software, and don't ever kid yourself about it. It's Brand X, and there is no reason to settle for so little.

Anyone guillible enough to believe there really is such a thing as a free lunch deserves what they get.

Re:It hate to say it...

[Neoncow]

It hate to say it...

I didn't even notice it until the second AC. =)

Re:It hate to say it...

[advocate_one]

the final two paragraphs you quoted are not from the email, but are PJ's comments on the matter... please give proper attribution NEXT TIME... for our regular readers, here's the link to the proper article he quoted from...

Re:It hate to say it...

[Afrosheen]

Well, the first few sentences exposed the BS factor. Read carefully:

  Why spend 10 bucks on a burger at Moscone when you can have a slice on Microsoft?

What's the big deal here? Next sentence down...

  Come join the Microsoft Embedded group at Moscone Pizza...

Ok..so they ask why spend $10 on a burger at Moscone PIZZA. Well, the answer should be obvious. Nobody in their right mind would buy a burger at a good pizza joint, it just defeats the purpose. Unless you're the kind of genius that walks into China Wok and demands the 1971 vintage Cabernet Sauvignon to go with the grilled halibut. In which case...someone probably saw another person that thinks like you at the Microsoft CE-ME-NT hoedown at Moscone Pizza.

Re:It hate to say it...

[Effugas]

Thank XP SP2.

I'm serious, look at it for a sec:

"There should be a firewall on every desktop" done
"Patches should just show up one day, stupid users shouldn't have to think to install them" done
"Damn compiler shouldn't allow buffer overflows" done (to the degree to which it's possible)

All these exploits are against a five year old OS. XP's moved on.

Re:It hate to say it...

[barnaclebarnes]

I wonder if they were giving away free beer as well?

Re:It hate to say it...

[wfberg]

But it's been a while since we've had a good/effective worm.

In the virus top-10 7 out of 10 spots are variants of the (self-updating, turning your machine into a spam-zombie) MyTob worm, accounting for 39% of infections (excluding any that the virusscanner can't pick up because MyTob will stop it from updating itself). That's fairly effective. MyTob accepts commands from a channel on IRC (of course) and usually makes your zombie machine send out a lot of spam.

Re:It hate to say it...

[RAMMS+EIN]

So you don't believe they're making a great effort rewriting parts of the system for Longhorn^WVista, in order to make it more secure. If not that, then what is taking them so long? Certainly not all the great new features, because most of these are not going to make it into the first release.

Re:It hate to say it...

[David+Horn]

The security fixes were automatically installed on my computer two days ago - there would be very few worms or viruses if people installed security updates.

Re:It hate to say it...

[Antique+Geekmeister]

They're busily encumbering the core software with patents, creating tons of demoware, tightly weaving MS Office and Internet Explorer even more tightly into the operating system, and trying to address a few core performance issues that have finally started to get people not to buy Windows, such as the complete joke of a DLL management system and the instability of that Windows Registry. They're also re-discovering that fixing one broken piece in one lower layer tool, such as the file system security flaws, breaks a lot of bad code further up the chain, such as the MS Office "undo" capability.

Re:It hate to say it...

[inode_buddha]

Seconded.

Re:It hate to say it...

[aaronl]

That makes it even worse. As they have demonstrated, they do not write secure code. If they rewrite large parts of the system for Longhorn, it will just mean that they duplicate all the old bugs and add a lot of new ones. There will be a crazy patch-fest for the first year the OS is out, and nobody will be able to touch the platform because of it.

As it is, everything they've announced about Longhorn has made people cringe. OK, they're updating the GUI... who cares? They're adding yet *another* set of new APIs, making the platform further complicated to develop for. They're adding absolutely silly amounts of DRM, which their customers just don't want. And they're rewriting parts of the system that are finally stable and tested.

Re:It hate to say it...

[Ucklak]

It's Microsoft logic.

Burgers are $10 at a pizza joint
Pencils are guaranteed to not work underwater
Windows TCO is far less than Linux's TCO
Our platform is secure

Re:It hate to say it...

[glesga_kiss]

I mean just look at the terrificly terrible job they've done with the Xbox

Terrible? Every single exploit requires physical access to the box and the creation of false data on the filesystem. It's a pretty good system actually, no one has broken it yet. I can't think of any OS that is secure if you have access to the box and can hook up hacked hardware (e.g. USB card readers). All bets are off under those circumstances.

Re:It hate to say it...

[tomhudson]

... that would have gotten all the "free as in beer" types :-)

How does this affect my PowerBook?

Oh, I guess it doesn't, ror.

Re:How does this affect my PowerBook?

[buro9]

Erm, it DOES affect your powerbook.

IIRC we're all plugged into the same internet. A potentially mid to high level set of Windows exploits raises the *Internet* Storm Center's alert level to yellow.

This should tell you something. Ideally it should tell you that when X million Windows boxes are exploited, that there will be a noticeable degradation of quality or service on the internet. That the resultant poor quality traffic and noise created by a large scale (poorly written) worm will degrade the connection your PowerBook is enjoying.

Don't ever forget that we're all in the same boat, and it does little good to sit at the stern and laugh at the suckers at the bow as they dip gently under the water for the Nth time.

Damn, I posted, and I had mod points to burn too.

Re:How does this affect my PowerBook?

[A+beautiful+mind]

Totally agreed. This is why i flame my isp with all the front i've got. According to that recent zombie report they are the fourth most zombie infested isp in the world (not in sheer numbers but in the ratio of infected / non-infected). They still don't give a shit about it. I would consider it necessary to perform some anti-infected machine checks on the network and disconnect those with infections so that MY service/connection would improve. I'm not worried about viruses on my linux box, but when i see 1500-2000 bots pounding my webserver from MY OWN home ISP alone (note, i got my dedi at a different company) then i'm starting to get pissed.

They can't even say that they couldn't invest in some simple antivirus-on-network thing because they had tens of millions of euro profit on 600k users last year and this one is projected to be even better.

I realise, that it's not my isp's fault alone, but they significantly contribute. Users cannot be fixed, they are just stupid en-masse. Windows doesn't have a huge tendency to improve either. The ISP owns their own network which happens to be part of the internet, so they should at least take some responsibility for that small part they have actually control over.

Re:How does this affect my PowerBook?

[RAMMS+EIN]

So you want your ISP to cut off paying customers, because said customers have infected computers? And your ISP has one of the highest infected/clean ratios in the world? So you want them to cut off a large part of their customer base? Forget it.

Also, how are they going to do it? Inspect their traffic and see who's spreading viruses? Do you have any idea of how much overhead per packet that's going to cause them? Do you have any idea how troublesome it is for an ISP to inspect your traffic (they could be held liable for what they let through)? Do you _really_ want your ISP to wiretap you?

I think you'd be much better off switching ISPs. You say your current ISPs state bothers you? Then it must be worth something to you to have a better ISP, right? Surely there must be another ISP in your region, even if it's more expensive.

Re:How does this affect my PowerBook?

[A+beautiful+mind]

Surely there must be another ISP in your region, even if it's more expensive.

No there isn't. Also, if BT managed to do it (which is a huge monopoly) then my isp could do it too.

Re:How does this affect my PowerBook?

[Antique+Geekmeister]

It's affect on Apple and Linux users is secondary, but real. When your ISP helpdesk is hammered because the Windows machines are running slow and they're used as zombie spam units, for rent to spammers anywhere, your email will be clogged by it on your ISP's servers. Your prices go up because they have to support 4 times as many helpdesk people, and your password becomes more likely to be stolen from an FTP session through an unsecured router because the security people who should have secured the router have all been tied up cleaning up after the latest Windows worm.

Couple in the basic lack of security of core services such as DNS and routers and many ISP firewalls, and you have a serious disaster just waiting to take your ISP down for days at a time.

Re:How does this affect my PowerBook?

[RAMMS+EIN]

``So you want your ISP to cut off paying customers, because said customers have infected computers?

Stated more effectively, "because the infected computers send pornographic advertisements to schools and libraries throughout our community and beyond."''

Unless the law indicates otherwise, it's not the ISP's business what its customers use their connections for.

``And your ISP has one of the highest infected/clean ratios in the world

Again, more effectively, "this danger to our community needs to be resolved before more adolescents are prematurely exposed to sex and sexual predators."''

I don't believe there is such a thing as "prematurely exposed to sex", so your rhetoric is wasted on me. However, spam is, indeed, annoying, regardless of what is being advertised. I still don't think you could hold the ISP liable for what its customers are doing. I even question if you could hold the customers liable; after all, they are probably sending out spam unknowingly and unwillingly.

``A Beautiful Mind's ISP is clearly in Denial and needs to be given a choice: lose money by cutting off systems that are sending pr0n-spam and viruses, or lose money in civil litigation and government regulation.''

As you suggest, you should take this up with the local authorities. Failing that, you could sue the ISP. If the court agrees with you, you will have set a precedent, and other ISPs can be judged more easily, based on that. At least, that's how I think Common Law works.

``Forget it.

This is the worst thing that people like A Beautiful Mind can do''

I didn't mean that as in "don't do anything about it", but much rather as in "it's unrealistic that the ISP will change its ways". See my earlier post for the reasons.

Another color-code system?

[green+pizza]

Seems to me these color coded systems do more to confuse than they do good. Should I relax if we're at green? Should I be paranoid if we're at Red? Should I even care since I run UN*X rather than Windows? Every day there are at least a few new sploits. Every few weeks there's a sploit that affects me as a sysadmin and requires my attention to preserve the security of my servers and internet-attached LAN. Given this I still don't understand the value in these color coded alert systems. Yellow? What does that mean? Wake up an extra hour early to read the logs? The terrorists can attack just as easily if we're at green than if we are at red. I'm uncertain of the value in the announcements at the airport every 15 minutes to remind me that we're at yellow or orange.

Re:Another color-code system?

[confusion]

To the security departments of companies the elevated levels mean that we have something new to pay attention to that we haven't been looking for before. Certainly being green doesn't mean that we can let our guards down.

Applying these alert levels doesn't make any sense at the individual level, for the exact reason you gave.

Jerry
http://www.cyvin.org/

Re:Another color-code system?

[TapeCutter]

"I'm uncertain of the value in the announcements at the airport every 15 minutes to remind me that we're at yellow or orange."

I've never been to the US, do they really do that in the airports or are you just pulling my chain?

Re:Another color-code system?

[Medieval_Thinker]

Perhaps I could recommend yet another terror alert system that seems to work pretty well.

Re:Another color-code system?

[toddbu]

The current threat level is brown - meaning that I don't give a shit. Just patch your systems when the patches are available and you should be good to go. Your users are a much bigger threat than the new exploits based on vulnerabilities that have already been patched.

Re:Another color-code system?

[Ingolfke]

Seems to me these color coded systems do more to confuse than they do good.

I totally agree w/ you. We need more clear statements about what the problem is and what we should do about it... like this.

Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon.

LOLOMGWTFBBQ? At least with the colors you can say, oh well red is bad, and green is good... and so that's that. When AlertCons are X-Forced w/ 3 points of Increased Vigilence and 1 point of Vitality, whose to know what could happen or what arcane anti-sploit knowledge you should call upon.

Re:Another color-code system?

[saskboy]

At least they didn't raise it to threat Level Fuschia, the level at which the gayness of Linus converts even the most hardened heterosexual to the likes of *nix programmer.

I'm sorry, after seeing the lunacy of coloured threat levels hyped for decades, and the /. phenomenon of claming linux users are homosexuals, it only made sense that I combine the two into a semi-constructive joke to link the two cliches.

Re:Another color-code system?

[lgw]

I don't think the alert level has been below yellow since the system was invented, and I've never heard such a thing. There are occasionally announcements saying somehting to the effect of "we're being particularly vigilant right now", but I'm not sure that's tied to anything.

You do get searching of vehicles at the airport entrance when the threat level is orange, however, or at least of vehicles with ferners in 'em.

None of these color codes is intended to be useful to the common man - they're indicators for security professionals, in whatever field is relevent. The media can't go 3 days without a "crisis" however, so they're good for a scare on a slow news week. I'm not sure why people still pay attention to media hysteria, but apparantly it still gets ratings.

Re:Another color-code system?

[briancurtin]

threatcon? infocon? alertcon? "hey bob are you going to be at the meetingcon about threatcon at infocon in room z-force? theres an x-force alertcon for the internetcon."

Re:Another color-code system?

[Ugly+American]

The alert level is currently yellow for the general population and has been for months now. The orange alert level was confined to certain areas like mass transit, and was also recently lowered to yellow.

Re:Another color-code system?

[RAMMS+EIN]

Why are you even trying to attach any meaning to the color codes at all? Isn't it obvious that the only thing the system is good for is drawing attention to the threat, so that the people who supposedly work on your security can be employed?

Re:Another color-code system?

[Minwee]

That means that it's a good time to play a red or blue card with at least three points of Concern or a Toughness special ability. With the right card in tyour hand you could win the round quickly.

Re:Another color-code system?

[asdfghjklqwertyuiop]

Should I even care since I run UN*X rather than Windows?

Yes. Windows users and non-windows users alike need to care because unfortunatley, we're all connected to the same network. Non-windows users just need to be ready for the bugus requests to their servers for attempted infection, increase of worm emails or spam, maybe a DOS here or there... all a result of these new zombified windows machines being on the internet.

Re:Another color-code system?

[houghi]

I'm uncertain of the value in the announcements at the airport every 15 minutes to remind me that we're at yellow or orange.

This is so everybody will undertstand that there is a war going on, even when the situition is green and that all the eyescanning and fingerprinting of all people around the world is a Good Thing© for the public of the USofA.

Re:Another color-code system?

[Anonymous+Brave+Guy]

It doesn't matter! Just equip the Patch of Unyielding +5, and you get immunity to worms as a special ability. :-)

Re:Another color-code system?

[jswalter9]

*nix programmers are gay? No wonder I got fired...

Windows Update

[quasi_steller]

I set my Windows update to manually update (too paranoid?) but anymore it might just be better to set it to update automatically so I don't have to keep checking on security vulnerabilities. I don't run Windows enough for it to be a big problem, but still.

Re:Windows Update

[Slayk]

http://www.microsoft.com/technet/security/bulletin /notify.mspx

I used to subscribe to the mailinglist back when I actually used windows, as I wasn't too keen on stuff getting automagically installed.

IIRC it was what kept me safe during Blaster while the campus network went to crap. :-)

Re:Windows Update

[Fizzl]

I also had the automatic updates set to wait for my approval. For a long time. Then I finally realized that in the years approving the updates, I haven't rejected a single one. I can't remember even researching most of the updates to see if there's something I don't want. To the extent that I didn't even bother reading the descriptions because they always were pretty useless.

Now I just have it on full auto. What the heck. If they fuck up, I think I'll be reading about it on slashdot within few minutes and some comment will have link to instructions on how to undo the evil one.

Re:Windows Update

[rekenner]

I finally thought of a way to get in contact with you.

Email, TSL, everything has been blocked from school and, of course, I lack net still. /. is a good site, though, apparently.

However, I have a reaaaaaally sneaky idea as to how to try something... I think, if I can get an FTP client that can either be run off a USB disk or an installation can just be copied from computer to computer, I can at least throw stuff onto my space on TVH. I know kriatyrr had a bunch of that sort of thing ... So ask spoon to ask her for me, please?

After that, I might want to try some magic with a certain variety of Live CD ... Ubuntu (Yay for grabbing about 3 live/install sets when I met spoon awhile back). Spoon and Kria have used it, and you're the resident linux guru. So... yeah. I'll need some support through this. My ingenuity and googling can only go so far. (especially with the swaths of things blocked on Google from here.)

And now, you hopefully see this.

Windows Threat Assessment

[joelparker]

It would be cool to have a little app that reports the current Windows threat level.

The app could download data automatically using IE and ActiveX, format the data using an Excel Macro, then email results to me using Outlook.

Because I care about security.

Re:Windows Threat Assessment

[Dynamoo]

Actually.. there is a Windows-based tool that sits in the taskbar called ISCAlert which you can download from LaBrea Technologies. No security vulnerabilities in that tool that I know of!

Re:Windows Threat Assessment

Maybe clippy can get in on the action.

"Hi, it looks like you're fucked!"

Re:Windows Threat Assessment

[Diag]

It would be cool to have a little app that reports the current Windows threat level.

The ISC "threat level" is available in a text feed, so this wouldn't be hard to do.

Re:Windows Threat Assessment

[mousse-man]

Do you mean something like that just replacing the department of homeland security with Billy's building in Redmond?

Color for security level is great

[Unsus]

On related news, the US puts it's security level color at pink. Again, on related news, Bobby's mom chooses to wear an orange shirt. No need to actually read the security threat -- we have colors for that.

Re:Color for security level is great

[Anonymous+Brave+Guy]

Finally, a system GWB might understand!

Plug and Play vulnerabilities already known

[Parallax+Blue]

Correct me if I'm wrong but haven't there already been warnings about Plug and Play prior to this? I know at least one security website that had warnings about Plug and Play a long time ago, along with a handy utility to disable it. See below.

http://grc.com/UnPnP/UnPnP.htm

You'll notice this was circa December 2001, fully 4 years before these new exploits.

Re:Plug and Play vulnerabilities already known

[insecuritiez]

That link refers to UPnP, Universal Plug and Play, a networking based technology for device discovery and configuration. The vulnerability concerning the ISC is a PnP vulnerability. Plug and Play is used for internal device discovery and configuration. The two are totally different. Microsoft, in a fit of brilliance though that exposing the internal PnP via RPC to the rest of the world was a good idea. As it turns out there is an unchecked buffer than with Windows 2000 machines in accessible via a NULL Session. In XP and 2003 the buffer requires a valid account or even and admin account to expose. The threat of a Windows 2000 based worm in the next few days is very real. All of you with XP and 2003 aren't in immediate worm danger.

Re:Plug and Play vulnerabilities already known

[homesteader]

This is not an old exploit. It's quite fresh . . .

August 9th Release, which is 4 days ago. Exploits were reported in the wild on Friday, 3 days after the release. There's also a remote exploit in the Spooler service, which is of course enabled by default on all Win2k/XP/2k3 machines. I approved this patch on Friday, hopefully Monday won't bring scores of hosed machines.

Microsoft Security Bulletin MS05-039 (899588)
http://go.microsoft.com/fwlink/?LinkId=48900/

Re:Plug and Play vulnerabilities already known

[baadger]

Media whore or not his Shields Up test is the best firewall test on the net i've found that you can use without registration. It let's me choose what ports to test etc and has information on all the port numbers in reach.

Care to make an alternative recommendation?

Alert level to Yellow

[rossdee]

"Are you sure, sir? It means changing the bulb...

Re:Alert level to Yellow

[Fjornir]

Cat: Forget red - let's go all the way up to brown alert!
Kryten: There's no such thing as a brown alert sir.
Cat: You won't be saying that in a minute! And don't say I didn't alert you!

Re:Alert level to Yellow

[rob_squared]

For all those confused by this quote, it is on topic, and comes from the British Comedy show Red Dwarf. http://www.reddwarf.co.uk/

Re:Alert level to Yellow

[duguk]

Damn series 7 and 8... the original quote was soooo much better ;)

Good on ya for rememberin it tho :D

Dug

Netcraft Confirms It.

[bmo]

Windows is dying.

Well, it's deathly ill, mostly. The average Windows end user is in a never ending battle against the baddies. They buy their systems at the Best Buy, bring them home, run for a couple of months, and then complain that they can't login.

Then they call me, or someone like me. With disdain, I inform them that I'm wicked busy but I'll do it "this time".

When I get my grubby hands on their machines, they're fubar. It's not for lack of trying either, because there are multiple Virus, Trojan, and Firewall apps, all fighting over the same machine, including the odd fake anti-trojanwares. You know the one's I'm talking about. We've all seen them. "Click here for a FREE security scan!" and then the machine gets YET another bit of evil.

I simply don't know what to do anymore. I clean them up, set up security, knowing - just KNOWING that it's all in vain. Just yesterday, I got an "e-postcard" in the mail, and it was just an overt attempt at infection. There wasn't anything that would trip an AV or firewall in the mail, just an obfuscated link that actually pointed at a crypically named .exe. I know far too many people who are e-card addicts, and I am SURE they would have clicked.

Toast. Totally goddamn toast. The fact that Windows programs have their execute bit as part of the filename is probably the worst thing ever to happen to an OS. One click, and yet another "svchost.exe" process. No lube, no kiss, no reach-around, just total PC anal rape.

And without a total redesign of Windows or dumping the platform for Apple or Linux, Joe and Josephine User are SOL. Vista is going to be more of the same, as it's going to be simply XP SP3 with more chrome.

Ah well.

If anyone knows anything about a0190313376667.gif.exe, mail me at my alias AT Entropy dawt TMOK dawt com. There's hardly anything on the 'net about it except some German blogs.

--
BMO

Re:Netcraft Confirms It.

[chris_mahan]

With a couple of people, I'v just put the knoppix cd and said "use that for a while"

The others, I tell then it's $1,000. So far, no taker... And guess what, people don't call me much anymore... :)

Re:Netcraft Confirms It.

[SnprBoB86]

I've actually found that post-SP2 the number of people calling me with issues has substantially dropped.

Although. it might have something to do with my new payment policy: $40/hr or sexual favors of equal or greater value.

Re:Netcraft Confirms It.

[sound+vision]

Windows will never die, not unless something major happens like Microsoft shuts down... not likely.

It's just that people don't care enough, or don't know enough. "Here's a Mandrake install disc, have fun." Maybe they'll mess with it for a few minutes, but then the killer question comes: "How do I put my kids' <i>Game X</i> on it?" or "How do I use my camera?" I've tried to convert several people to Linux, and there's <i>always</i> a killer question. Some site needs Active X, or some shit company doesn't make Linux drivers for their hardware. If nothing else, "This doesn't look like Excel. How do I put Windows back on?"

I'm sure you've all read those jokes in the respectable upstanding citizen! magazines like Reader's Digest, about how computers are unreliable. Everyone I talk to has this conception that computers are inherently unreliable machines that will always break. But when they say computers, they really mean Windows. They don't know the difference between a monitor and a modem, they just want to push the little blue button and have their email pop up... viruses and all.

In summary, Windows will be the #1 OS until a significant proportion of Wal Mart computers come with an alternative OS (not likely unless MS looses their grip) or people get smarter (not likely period).

Re:Netcraft Confirms It.

[bmo]

I think you misunderstand....

I am _not_ a professional admin who has a network of machines to maintain or easy access to the machines I fix or the authority to command people to do as I want. I'm "the guy that fixes stuff" for his friends/enemies.

Go 'round every couple of months requesting that everyone send me their machines for updating the OS? Are you out of your mind? Ghost? Are you out of your mind? These are all individual machines, not something cookie-cutter that I could administer in a sane way.

Yes, I would love to standardize all these machines with the same Windows distribution. I would love to partition the drives so that the OS resides on a separate partition from the user data, and yet another partition for the extra installed programs. That would be sane. But that would mean I would have to furnish boxed copies of XP at the retail price myself, to be sold to the "customers" so I can do it up right.

"But I have Windows! Why do I have to buy another?"

Things were so much simpler when PCs came with full OS licenses and a full set of disks. Now, the only choice is to either manually disinfect for HOURS without disturbing too much of the installation, or format and use the "recovery" cd, and the user is fucked for whatever was on the machine if it was never backed up.

It's fucking maddening is what it is.

The day that Microsoft stopped the likes of Dell and HP from furnishing OEM CDs spelled doom for the customer who wanted to have a multiple partition setup. Now if you want that, you need a purchase a full Windows kit that costs 200 bux for XP Home.

--
BMO

Re:Netcraft Confirms It.

[krappie]

Your comment is pretty much completely true.

Except the "Windows is dying" part. I dont know what planet you're on. That must just be wishful thinking.

Re:Netcraft Confirms It.

[GroundWire]

Generally speaking, not getting media is a choice you make when ordering the machine (at least in the case of Dell). I know some companies don't offer you the choice, and maybe that's one of the OTHER reasons to never buy from Dell as a "Home" customer..

Sometimes it doesn't even save you money on your machine, but we all know it increases their margins a little bit - which adds up.

I do happen to do professional tech work, and since I also run into the "what package of documentation and CDs?" problem - I just keep copies of the OEM CDs, as well as the retail versions.. Everytime I see a new slipstreamed version come through, it gets imaged..

That way - I can use my loaner media, and their CD key (which is supposed to be attached to the machine).. There is nothing illegal about doing that, since they obviously have a license to be running it.

- Joel

Re:Netcraft Confirms It.

[Emporerx]

Hi,

If I'm not mistaken, that particular executable file is probably one of many created by a program called WinPup(WinPup32?). When I used windows I noticed spikes in CPU usage at about five second intervals. I called up the mighty(HA) task manager and took a look at the processes. Randomly named .exe's popped up every five seconds.

Do a google on WinPup. It will involve(if I remember correctly) deleting the winpup file from /system32 and editing the registry. Best in safe mode if I'm right. This can be tricky because the registry entry also changes names with the random executables so you must be fast(even in safe mode). It is a bitch. Probably one of the harder ones I had to remove.

I hope this helps you bmo. Let us know.

As for the new security threats.. Bah. I run linux, very happily, now.

Re:Netcraft Confirms It.

[NanoGator]

" Everyone I talk to has this conception that computers are inherently unreliable machines that will always break. But when they say computers, they really mean Windows."

That conception existed well before Windows. Take a machine that requires proper hardware setup, build it upon a computing paradigm that is entirely too literal, and throw less than human-friendly software on it, and you'll get generalizations that computers are unreliable.

Don't get me wrong, Windows is a major contributer to this line of thinking, but no other OS is exempt from this feeling. Heck, I've known Mac users that felt they needed to reboot their machines because things went weird. It's amazing to me that these machines are actually mass-market items.

Re:Netcraft Confirms It.

[SolidGround]

I think you just have the wrong approach. If you don't reeducate the people who's computer you're trying to salvage then you're only punishing yourself since 99% of the time they themselves caused the infections and as soon as you turn your back they'll reinstall that cute "dancing pigs" screensaver that comes with 10 trojans.

It's easy to blame Windows/Microsoft/whoever but if you're honest you know that most of what's there is there because of their doing.

Get them a software firewall, or if you can convince them of the value, a home broadband router will go a long way.
Then sit them down and teach them how to install programs using alternate credentials so they can run under a LUA all the time. That takes care of most of it.
Then convince them not to blindly click or answer 'Yes' to everything that comes their way (by far the hardest).

I only had a few who didn't want to take the trouble and for those I simply told them they were on their own from then on. Everyone else has been clean ever since saving me countless hours regardless of whether they went with Firefox or preferred to stick to IE.

I haven't gotten to the point where they'll all update Windows or some other program when I mail them saying they need to but even so they manage to stay safe still.

Re:Netcraft Confirms It.

[pmdata]

Great post. Part of the problem is just like you say, Windows is dead and should be retired as soon as possible. The other issue is that we are a reactionary society, only "fixing" the problems that become too out of control or after a monsterous disaster. This easily applies to information security Couple that with the fact that everything today has to be easy and intantaneous, and you've got real problems.

Re:Netcraft Confirms It.

[AvitarX]

My girlfriends laptop (Powerbook) gets real slow sometimes, and quiting all running applications takes a while, and doesn'y fixe it, rebooting it does. I have noticed it at work too.

This is after a fe days of running.

Also, FWIW I have more random app crashes on my OSX machines (at work, G5 Towers) than on the Win2K machines that are hardware from the late 90's (though the machine itslef rarely locks up in OSX). OS9 is the worse, locking up on a whim.

On the Macs we print, use Quark, and CS

On the PCs we use those and Office.

Re:Netcraft Confirms It.

[bmo]

The other thing about SP2 is that it overwrites a bunch of virus-contaminated junk. That's the first thing to do if you've got someone's SP1 machine after you've reduced the infection to a low roar.

That's my experience, anyway.

SP2 has the firewall turned on by default. That is a Good Thing.

Another thing I do for the people I fix for is write a "Letter To The Victim", a prescription of sorts, describing dos and don'ts. It's mostly common sense stuff, like keeping virus software up to date (NAV from 1998?! Eh?!) and how to surf the net and read mail without getting socially engineered.

No, I don't make a bunch of money doing this, nor do I get many sexual favors.

I'm also an "intellectual whore". It could be worse. I could be a "cuddle bitch". Google if you don't get it. :-P

--
BMO

Re:Netcraft Confirms It.

[MsSmartyPants]

I can so relate to this. I go through the same shit. Fortunately, a few of "my" end-users are such total newbs that since all they use their machines for is email and a little known-safe-site visiting, I can just essentially disable *everything* risky. When they tell me something doesn't work, (e.g. an ActiveX widget or Flash) I just tell them that's because they don't need to go there! As for the other folks, after a few instances of total system hosing, and subsequent clean installs where their data was clobbered, they have learned to *back up their stuff* now. Not a perfect system, but it at least it doesn't take so much time. I miss Win 98. I could really lock it down. "'Twas a simpler, more natural time..."

Re:Netcraft Confirms It.

[Proudrooster]

BMO - two words, DEEP FREEZE. This is what I use to protect the school and public library computers from the users. It works great, just reboot for a clean machine.

Re:Netcraft Confirms It.

[paj1234]

Mozilla Mail (part of Mozilla Internet Suite) helps by not not allowing the user to run an executable attachment from within Mozilla Mail. The user has to save the attachment out of Mozilla Mail and then run it by double-clicking on its icon in Windows Explorer before they can infect their machine. See my article, "Avoiding Windows email viruses with Mozilla Mail" for details:

http://www.pjls16812.pwp.blueyonder.co.uk/mozilla/ index.html

IMHO Mozilla Mail has an excellent design that other Windows based emailers would do well to follow. Regarding executable file names, I was surprised to find that NTFS does actually have an execute bit. It's just that it doesn't seem to ever get used, because the file name extension gets in the way! Kind of sad really.

Phil

Re:Netcraft Confirms It.

[4of12]

The day that Microsoft stopped the likes of Dell and HP from furnishing OEM CDs spelled doom for the customer

But there's a good reason for the OEMs to go along with this particular "anti-piracy" tactic from Microsoft.

Computers users without patient knowledgeable tech support friends resort to curing spyware/adware/malware infestations by throwing away the old computer and buying a new one.

Que?

[Luigi30]

In other news, the US Government raises its alert level to the cover of Moving Pictures.

*Obligitory offtopic*

[ciroknight]

Seeing as more and more work is being put towards computers (scripts) reading those captchas, I wonder why they don't start making them questions. Like those logic questions you see on IQ tests online or something. As artificial intellegence still sucks at these kinds of questions, there'd be no quick way for it to answer short of asking a human for the answer...

Re:*Obligitory offtopic*

[Tango42]

You would have to have a small set of questions and use them all repeatedly - once you'd programmed your bot to know the answers it would be fine. There are effectively unlimited captchas (26^6=plenty big enough for me).

Re:*Obligitory offtopic*

[BrokenHalo]

As artificial intellegence still sucks at these kinds of questions...

That's probably because nobody has yet come up with a convincing artificial stupidity.

:-D

One Word:

[Waffle+Iron]

ConSchmon

Yellow is pretty rare..

[Dynamoo]

A Yellow alert at the ISC is pretty rare, and it has been several months at least since the last one. Generally even a worm outbreak such as Blaster only elevates the threat level to Yellow. Orange is even rarer.. I think that maybe has happened just a couple of times with Code Red and Slammer. There has never been a Red alert level.

In other words.. the alert level tends to stay stubbornly at green unless there is a real issue - the ISC is usually extremely conservative about threat assessments. If they've raised the alert level as a precaution then it's definitely time to take notice.

As for me.. I check the ISC at least once every day to see what emergent threat are out there. There are also a number of tools you can use such as a small Windows app that can help to inform you when the threat level changes.

It's worth having these tools - when Sasser came out I'm pretty sure they saved my backside.. because in that case the short amount of time between the vulnerability being announced and the worm coming out was so short that many organisations hadn't even started patching. Thanks to the ISC we managed to get almost everything secured in a day, so when the inevitable rogue laptop user physically brought a worm infected machine into the office, then we managed to contain the outbreak effectively.

Re:Yellow is pretty rare..

[buffy]

Someone needs to ask Tom Liston about the color Orange. :|

And Dynamoo, you're spot on. The Handlers do not arbitrarily upgrade to yellow on a whim.

-buf

Re:Yellow is pretty rare..

There has never been a Red alert level.

Red alert sould be used at each Windows release.

Re:Yellow is pretty rare..

[lamj]

One happy customer :-)

You are correct. We want the infocon to stay at green most of the time and only raise it when necessary. Think about this, if we keep it at yellow all the time, it would eventually lower people's perception of the current threat. Trust me, we do try very hard to only raise it when necessary and appropriately.

Disclaimer: I am one of the ISC guys.

Re:Yellow is pretty rare..

[PakProtector]

There has never been a Red alert level.

Oh, just wait. We've got till December.

/me eagerly awaits the coming of the Cursed Wave.

Re:Yellow is pretty rare..

[hey!]

Disclaimer: I am one of the ISC guys.

So, you're job is to hold up the radio tower when the big one hits?

Ahhh i love color codes...

[Lisandro]

Kinda reminds me of Robin Williams referring to the vage announcements of the US Homeland Security Department:

    Tom Ridge ever so often goes: "Today's a blue day. No, orange--RED!!!".

Re:Ahhh i love color codes...

[Ingolfke]

NetCraft has announced what we all knew a long time ago... Robin Williams is not funny. Maybe at one time he was, but that time is long past. Please Mr. Williams, follow in the footsteps of Jerry Lewis and self-impose an exile on yourself.

How long?

[ErichTheWebGuy]

How long until that "uber-virus/trojan/worm" comes out that deletes the hard disk contents of millions of PCs? On one hand, that would be a great day, because then people would truly pay attention to security and Microsoft would get the attention it deserves.

On the other hand, it would be bad for obvious reasons. But, IMO, it's only a matter of time. What color will the Infocon be then?

Re:How long?

[pintomp3]

considering dead machines don't make good zombie armies or spam relays, i would say it won't happen.

Re:How long?

[ScytheBlade1]

What we need to happen is have something like blaster come along, that spreads for three days and THEN formats the hard drive.

Good spam relay? Zombie? No, but it just might get some people to clue in and patch/etc.

Re:How long?

[NanoGator]

"What we need to happen is have something like blaster come along, that spreads for three days and THEN formats the hard drive."

It's already come and gone. It was called the Chernobyl virus. It was a subtle little app that would attach itself to.. oh.. EVERYTHING. Then, on the anniversary of Chernobyl, it'd blow away your fat table, effectively and instantaneously killing your computer. Kinda neat, though frustrating. It nuked an impressive number of computers.

Frankly, this didn't work for a simple reason: Shit happens, life goes on. Computer dies? No prob, put it back together and start again. Make backups. It doesn't take a virus for this to happen. Dead hard drive, lightning strike, idiot using your computer, whatever.

I think it's hard for a Slashdotters to understand that to a LOT of people, computers aren't a prized possession that must be preserved at all costs.

Re:How long?

[lachlan76]

I thought Chernobyl wiped your BIOS, rendering your motherboard useless?

Re:How long?

[NanoGator]

hmm. From what I've read, it's a little bit of both. Embarrasingly, I was hit by it. Bios was fine, hard drive wasn't. However, a quick little Google search says the Bios was hit, too.

Hooray, we're both right.

Re: How long?

[Black+Parrot]

> On one hand, that would be a great day, because then people would truly pay attention to security and Microsoft would get the attention it deserves.

Has it ever made a difference in the past?

Re:How long?

[Antique+Geekmeister]

How soon they forget. The Morris Worm, in 1988, didn't deliberately format your hard drive, but it spread slowly and insidiously and pervasively enough that you had to go back to complete backups from at least 4 days previously to make sure you had it completely clear on your re-installed system, and the patches to block it had to be downloaded slowly and carefully because of the overwhelmed patch servers. By the standards of the day, the thing was an insatiable monster and was slapping down core DNS, SMTP, and other network servers so hard that entire buildings and companies were offline for days while their sys-admins labored round the clock to re-install them. And he didn't even write it to do damage, he wrote it to demonstrate security vulnerabilities and mail the successful entries back to him. And of course, Mr. Morris never spent a day in jail. (It must be awfully nice to have a father who's head of the NSA to help you avoid jailtime.) He's never even publicly apologized that I can find anywhere: instead, he's a professor at MIT (http://pdos.csail.mit.edu/~rtm/). We've got him teaching a whole new generation of MIT students just how to break other people's toys with their brilliant ideas, then run away from responsibility for it.

Re:How long?

[ghislain_leblanc]

I don't think it could create a real outbreak. The problem is, like for DNA viruses, if the thing kills you immediatly, it won't ge very far! But something like the flu, propagates really quickly.

Of course, AIDS kills and is still an epidemic in some countrys; but it kills slowly. So for this kind of virus to propagate on a large scale, it would have to wait a while before doing any real damage, like was the case for Chernobyl. The problem then is: how can it stay dormant for so long without being detected?

I don't think this sort of thing would happen.

here's an idea

[rebug]

We need a universal peril indication color. All these organizations need to coordinate and come up with a single color for the day.

Fuscia means we should all stay in bed today.

I'm no grammar Nazi, but

[grcumb]

"Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

What. The. Fuck.

Alert Level Red?

[g-san]

So if the internet should come crashing down, as in the infocon red situation, what is the use of a little hyperlinked gif to their website, a gDesklet , or a systray icon?

Is the cure worse than the sickness?

[mov_eax_eax]

several postings with the exploit were made public, two days after read this the automatic update of windows pop-ups, and a week after this, the issue hits the homepage of slashdot. the hackers have already won the arms race. i.e. gif.
Updating frequently broken software is nowhere near of true security.

Re:The waiting game?

[jericho4.0]

Some of you people might be, but I'm just waiting for my gentoo box to compile.

color threat codes..

[timmarhy]

are just something for management to mentally masturbate over, they are meaningless. so what if we were are WankerCon green, if your getting DDOS'd to death why will you care? what has it done for you?

American paranoia at its best

[HishamMuhammad]

Isn't "color-coded threat levels" an excessively paranoid way to describe what we've always known as outdated, buggy software? This kind of representation paints a very fake picture -- as if those "threats" are a given and that all we can do is "try to protect ourselves", when in fact what we're dealing with is simply the result of flawed operating system design. These threats are only symptoms, not the root of the problem. I wonder who benefits from making people focus on the former instead of the latter.

Re:American paranoia at its best

[lgw]

Well, until that shining day when people can write millions of lines of code with no bugs, we have to deal with the reality of an installed base. Only very small systems are bug free. Don't mistake the lack of popularity of some OS with it having no bugs - attackers focus on the mainstream.

Re:American paranoia at its best

[NetCow]

And what do you propose - not bothering even about raising awareness about the symptom, since raising awareness about the cause has been going on for years with less than stellar result?
ISC is at least doing *something*.

Once more, in English?

[poptones]

...Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

WTF is this supposed to mean? Is there anyone in the office who took a grammar course in the last two decades who could translate this?

Re:Once more, in English?

[Animats]

Symantec copied the DOD definition of "force protection condition (formerly called THREATCON, now called FPCON) and hacked it into their ThreatCon definitions. It's not really relevant, but it sounds official and impressive.

Sounds like techno-babble from a SF B-movie...

[gtwreck]

No offense to the submitter of course, but the combination of all of those crazy named watchdog groups sounds like either something out of a comic book, Star Trek, or B movie.

Where's Will Wheaton when you need him?

Re:Sounds like techno-babble from a SF B-movie...

[cnettel]

Last I heard he was reversing the polarity of his Internet conncetion to fight these worms. They'll go back out on the net instead of invading his computer.

defcon level 0

[pair-a-noyd]

on all of my Linux boxes..
Thanks Linus!!

Re:The waiting game?

[jerw134]

The patches for Windows are already out: click

Infocon goes to yellow...

[zymurgy_cat]

...and colorblind admins go on without a care in the world....

Re:Infocon goes to yellow...

[rathehun]

Actually they don't.

In addition to the graphic, we offer two text feeds: * http://isc.sans.org/infocon.txt: The infocon color. Just one word in plain text * http://isc.sans.org/daily_alert.php: The daily alert. Infocon and handlers diary headline as minmal HTML feed for inclusion in web sites

R.

Re:And it doesn't help that many legit Windows use

[jerw134]

Critical updates can still be obtained without passing WGA.

Hmm..

[deep44]

Maybe Microsoft should create their own virus, exploiting this most recent flaw, that would automatically patch any computer it infects!

On second thought.. Windows users would probably detect the 30MB worm before it could "infect" their computer, and reboot.

Naming?

[zaguar]

Threatcon

Surely they think of better names for something unoriginal and overused like ($Buzzword)con? How about...

NinjaHackRating

***Evil Laugh***

All Hands To Battlestations...

[CoyoteGuy]

Data: Captain.. Sensors are picking up localized pockets of Upnp activity in subspace transmissions.

Picard: Geordi, can we triangulate the originating source?

Geordi: Yes sir, it's coming from a planetary system 15 light years from our present location. Long range sensors indicate it is...

Picard: Yes, I know... Microsoft...

Picard: All hands, yellow alert. Data, set a course for the source of the transmissions. All hands, to battlestations. Worf, put us to red alert upon enterting the system. We don't want another Code Red Incident. And send out a subspace communication to the Federation, all ships, all systems.. We have engaged Microsoft..

Worf: Yes Captain.

Picard: Data, we did test our monthly Microsoft patches on the first Tuesday of the month, correct.

Data: Negative Captain. Unfortunately, there were exploits in the wild which take advantage of the weaknesses in the Upnp service installed on the ship's computer, and the Federation threat level was raised, so we did not test them.

Picard: Damn Microsoft. Alright, let's be careful. We don't know yet what we're dealing with. Maximum Warp! Engage!

Re:All Hands To Battlestations...

[Krojack]

Ever thought about writing for Star Trek? :p

funny stuff.. mod +2

Hey Guys..

[CoyoteGuy]

I think the threat level was raised to blue...

But what does this mean?

STOP: 0x0000000A (00000595 00000002 00000000 8010da41)
IRQL_NOT_LESS_OR_EQUAL

Re:Hey Guys..

[scibbers]

for me it meant that my ram was toast.... other than that I dunno.

Re:Hey Guys..

[dtfinch]

On Linux, it can get even more vague:
kernel: Uhhuh. NMI received for unknown reason 21 on CPU 0.
kernel: Dazed and confused, but trying to continue
kernel: Do you have a strange power saving mode enabled?

These just start showing up in the log, sometimes hours before the system dies. Most of the time, it has nothing to do with power saving, but has long been considered a sign of failing ram.

Re:Hey Guys..

[FrostedChaos]

That's not vague to me. It's very specific.

It makes a lot more sense than the strange assertion that seems to be involved with the IRQ_NOT_LESS_OR_EQUAL message.

C.

Re:Hey Guys..

[cnettel]

Maybe that's because you know more about Linux than Windows internals? A call from the wrong IRQL is quite specific. If you make a crash dump you can pinpoint the stack when it happened and a whole lot of things with free (as in beer, if you already have a Windows license...) tools, provided by MS.

Nooooooo!

[lewp]

Yellow?! What are we going to do now?!

*Jumps out the nearest window*

Re:This just in...

[bmo]

Windows bigots are fond of pointing at Linux and Apple as each having 5 percent of the market, and therefore are "loser OSes that can't do anything".

So ok, let's use that number, just for shits and giggles. If popularity of OS == abundance of malware, let's do some math.

Depending on who you ask, there are between 60 and 70 THOUSAND Windows viruses, trojans, etc.

I'll use the low number, just so nobody can accuse me of bias.

5 percent of 60,000 is 3,000.

Where are the THREE THOUSAND viruses that should be out there for Linux or Macintosh? Last I looked, there were 7 for Linux, and NONE of them were active.

So it's more complicated than just popularity. There are other factors, and I'll let you guess as to what they are.

--
BMO

Re:And it doesn't help that many legit Windows use

[JFitzsimmons]

It Just Works(tm) for me... =/

Buzzwords

[gverdouw]

Wow, that summary is chock full of wierd names, AlertCon ThreatCon etc.

youd think they could come up with some less... tacky names

Mostly Business as usual...

[Fallen+Andy]

I guess someone over at ISC had to blow the dust off the colo(u)r sensor (grins), but seriously, not much on the radar to panic anyone right now. Still, if you aren't awake you really ought to add ISC to your
morning newspaper (wakeup + gallon of coffee) along with some others, so for the sake of people who don't grok the need to be aware (but: go read doug adams and don't panic as well!):

Here goes: (sometimes costs me an hour in the morning, but it's worth the effort...).

http://www.dshield.org/ http://secunia.com/ http://vitalsecurity.org/ http://www.f-secure.com/weblog/ - gossip and just
plain fun (cough) dilbert (cough).
(many others, but i'm tooo lazy on a sunday morning to write em...).

Oh, and be sure to replace the windows task manager with the wonderful (process explorer)
over at the always splendid Mark Russinovich's sysinternals.com (it'll save you when your friends machine gets pwn3d). (hint: it shows tcp/ip connections so you can see if ET is phoning home).

Finally, no list would be complete without a pointer to "comp.risks" (google groups ok?). Laugh. It helps...

cheers all,
Andy.

Go to Jail, Go directly to Jail...

[BrianMarshall]

... Do not pass you lawer, You won't be needing your passport.

It seems that the majority of people in the US and Canada believe that people who advocate terrorism should be jailed.

If they wanted to, that law and your post would be all that it would take.

It's getting scary out there.

Why do I love Windows98 SE...

[fprog]

Affected Products:
Microsoft Windows NT 4.0 up to and including SP6a
Microsoft Windows 2000 up to and including SP4
Microsoft Windows XP up to and including SP2
Microsoft Windows Server 2003 up to and including SP1

It's nice to be a Microsoft "reject"...
at least when worms come out I don't give a damn.

Just don't use Internet Explorer and have a good Firewall...

The only problem with Windows 98 SE, is that most newer machine cannot install it properly, since drivers do not exists!!! arggggg.

Which means.... hmmm
maybe I should update my Dell Laptop. =(

Anyone knows where to find Windows 98 drivers for Dell laptops ?! [Hint: Dell Tech Support are clueless]

Also, it's funny that all those fine .NET companies,
which insist on using ASP.NET, C#, ISS crapt will get infected again, again and again...
why nobody learn... just use LAPP!!!
(Linux, Apache, PostgreSQL, Perl/PHP)

Re:Why do I love Windows98 SE...

[krewemaynard]

Anyone knows where to find Windows 98 drivers for Dell laptops ?! [Hint: Dell Tech Support are clueless]

Sure...install Ubuntu. :) I've re-installed 2 PCs lately (both Dells). Ubuntu picked up all the hardware and installed the proper drivers flawlessly. Why anyone would want to stick with 98 is beyond me...just because most viruses target NT-based PCs now doesn't mean there's not enough crap floating around out there that will turn your PC into a wh0r3b0x in no time. One of the Dells I re-installed actually was running 98, and it was eaten up with crapware--it would crash if you looked at it funny. Not worth it, IMHO.

Re:Why do I love Windows98 SE...

[SilverspurG]

Why anyone would want to stick with 98 is beyond me

Because 98SE can be made into a surprisingly thin and fast OS. There were problems that were inherent in the industry back in '98-'02: problems with vid card drivers, and DX, and the competing 3D implementations (nV vs. ATI). Once all of this sorted itself out 98SE has become, in my opinion, the nicest Microsoft OS for a single user home computer.

There are problems when newer programs expect the system to have user privelege separation but this is usually fixed by restarting the program or, at worst, a reboot.

I'm a self-admitted Linux zealot but I still keep a 98SE install on my drives. I haven't booted to update it in four or five months but, as of the last update, it was pretty stable, ran as fast as Win2k/XP, worked with MSO2k+updates, and didn't force all of MSs neat new (useless) featureware onto my desktop.

it was eaten up with crapware

I bet I can break Debian by doing what crapware does--overloading processes and mangling libraries. Admittedly, on Debian you have to do it technically and on 98SE it's readily available on the web as a one-click install. That's really not the OSs fault. Putting a 98SE box behind a Linux router with any competent implementation of iptables rules makes a 98SE box a very nice home cruiser. All the convenience of Windows behind all the security of Linux.

Too many comic book / bad movie buzzwords....

[shri]

I'm sorry, but if I have to take stuff seriously, can someone put it in plan simple english without these threatening big brother buzzwords?

"Internet Storm Center"
"turn the Infocon to yellow"
"Internet Threat Level meters"
"Symantec ThreatCon"
"DeepSight Threat Management System"
"Internet Security Systems X-Force"
"AlertCon"

Sounds like a bad CIA / X-Men / Matrix rip off movie.

Re:Too many comic book / bad movie buzzwords....

[typical]

Yeah, that's the taste I got too. Seriously, either (a) the security information industry is still too immature to have competed fluff out and too many of the people there have watched too many bad tech movies or (b) the marketers involved are right and their *customers* are just plain stupid.

Re:This just in...

[timmarhy]

people who blab that shit generally have no real technical insight into why these worms become such a problem. thats why the fall back on "windows is more popular, therefore it has more attackers" what they view fails to take into account is there are millions of linux boxes installed on fat pipes doing unoffical mail servers and website, they DO MAKE A BIG TARGET. as an attacker why would i care about infecting someones cable internet with a shitty 25kb/sec upstream, when i can infect a linux box with 100mbit upstream? and i simply don't buy these market share figures, they are all bogus. how do they manage to take into account for boxes built and installed by admins themselfs? those figures of 5% only take into account PURCHASED systems. so as you can see, the idea that windows has a much larger virus potential is bullshit.

That's not what "disclaimer" means

[JoeBuck]

When you disclaim something, you remove your own responsibility for it. For example, if I saw something about the law and then say "Disclaimer: I am not a lawyer", I am using the word correctly: I'm disclaiming any responsibility towards people foolish enough to follow my advice, as well as warning them why they shouldn't take it too seriously. Your "disclaimer" is really a "claimer": you are saying that you speak from an insider position and know what you are talking about. So don't misuse the word "disclaimer" in such circumstances. Unless, that is, you mean to say that though you are one of the ISC guys, you are just giving your unofficial opinion, other ISC guys disagree, etc. But it doesn't read that way.

Re:That's not what "disclaimer" means

[syntaxglitch]

I think the implication was that he could be biased about the validity of the way things are handled. There's a difference between "Hey, the way this group does things is a great idea!" and "Hey, the way this group does things is a great idea and by the way I'm a member of the group." So what he would actually be disclaiming is the position of an unbiased observer.

Windows, the final news item to make you smile

[matt+me]

I just read the rest of this morning's news on /. half an hour ago, and just popped back to read this article. Seems a good order, reminds me of how TV news works. They show the day's 'real' news - war, disasters, etc and then at the end, just before the weather they have something silly to cheer you up, usually animal related - an otter that can surf, monkeys at zoos having triplets, etc

Here on /. we have the day's real news of interest, software patents, privacy, Google joining Apple, and then at the end when we think all is bleak for free software, there's a short story on Windows to make you laugh. Look, it's insecure! All their sensitive data's being emailed around. Ha ha.

ConCon

[mnemonic_]

InfoCon, ThreatCon, AlertCon... maybe someone could create a meta-Con of sorts, one that averages all the other *Con values. It could be called ConCon.

Re:This just in...

[deep44]

Modding me down and calling me a troll/flamebait will only prove Slashdot's unfair bias.

Damnit! We fell right into his trap..

Re: 40 mothers agree: Cleaning Windows is a PITA

[homesteader]

More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:

Tools required:

Process Explorer(procexp) from http://www.sysinternals.com/
autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
Any good virus scanner(McAfee's Enterprise scanner is decent. Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will be generally be faster and simpler.
Ad-Aware from http://www.lavasoft.de/
LSPFix from http://www.cexx.org/lspfix.htm/
Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
Experience enough to know valid windows processes and files.

Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.

Boot to safe mode

Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.

Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.

Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.

If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items

Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.

So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199

Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)

Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .

Now for the real manual part . . .

Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.

Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis

Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.

Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.

In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .d

Sensationalism...

[Synli]

> Windows Plug and Play vulnerability's The author probably intentionally didn't say it applies Windows 2000 only. XP and others are secure. Win2k are now an *obsolete* system. It's like someone wrote about vulnerabilities in Windows 3.11. It's obsolete. Period.

Re:Sensationalism...

[minus9]

Yes, thank god no companies will still be using Windows 2000. Luckily they all scrap their entire infrastructure and upgrade as soon as a new version of windows comes out. OMG man we gotta update the PDC to XP the new themes are so cool.

Re:Sensationalism...

[Synli]

> to XP the new themes are so cool.

LOL. Grow up dude. XP has a much better kernel than Win2k. Win2k3 kernel is even better. Vista will have a better kernel than XP as well. THAT is the main reason to upgrade.

Re:Sensationalism...

[minus9]

"LOL. Grow up dude. XP has a much better kernel than Win2k. Win2k3 kernel is even better."

Whoa dude, 2k3 is like awesome to the max. Like totally radical.

Re:Sensationalism...

[Synli]

> Whoa dude, 2k3 is like awesome to the max. Like totally radical.

You really make the impression that you really know what you're talking about.

Re:Sensationalism...

[omega9]

And you're really doing a really incredible job of really showing you have a fucking real clue yourself.

Really.

Re:Sensationalism...

[Synli]

If they don't have money, then they have 3 options: 1) Keep using an obsolete OS (not advisable). 2) End 3) Switch to a free OS (BSD, Linux).

Re:Sensationalism...

[Synli]

Who cares? It's your problem if you use a obsolete OS. If you don't have money to upgrade to a non-obsolete OS, use Linux or BSD. You could've as well stayed with Windows 3.11.

Re:ConCon, vraiment...

[olden]

LOL... :-)
Ok, now I feel sorry for the 99+% non-French-speaking people out there, so I'll try and explain briefly why some of us can't help but laugh at all those TropCon names.
"con" used to be slang for vagina and has evolved to roughly mean "f*ing dumb".
How adequate sometimes...

Fantasic green zebras

[Bobsledboy]

Remember everybody... CONSTANT VIGILANCE!

Please don't hurt me ;)

Yellow Alert?

[Elshar]

Doesn't every ISP already have the typical windows ports blocked already?

I mean, in every one of my routers I block 135-139,445 TCP/UDP. (Yes, I know, there's one or two that aren't windows specific, but its easier on the FW rules considering its exceedingly rare for any legitimate traffic to go over the 'net on 'em)

Maybe the yellow alert is warrented, but imo its jumping the gun. And to those network admins who haven't gotten the hint yet and blocked those ports, DO IT NOW! Thanks. Oh, and while we're at it, make some decent anti-spoofing filters too, huh? Only things that should be leaving your network are *your* ips, and conversely the only things entering should *not* be yours. Lets all work together to make a better 'net huh? :)

Re:Yellow Alert?

[Antique+Geekmeister]

It doesn't block the email worms and backdoors. Holes in IIS can't be firewall blocked because it's port 80. Holes in SMTP servers can't be blocked, unless you want to get into the religious wars of stopping your users from running mail servers at home. The biggest assist in blocking the *invasion* of netcrawling attacks is using NAT, which keeps your internal machines on a 192.168 or other similarly unrouted subnet, and fakes a single external IP address. This allows *NO* incoming traffic unless you specifically allow it, and that goes to only a single machine. I very highly recommend this approach: AOL's practice of using a NAT'ed 10.* network is one of the main reasons their subscribers don't become awash in various remote exploits and worms.

Re:Yellow Alert?

[Elshar]

I actually do the same for my network. There are a few customers who pay for their own public ip/blocks, but the vast majority are on the 192.168/16 or 10/8 ip blocks (I use the 172.16/12 block for other things). Also, just using squid and setting it up as a transparent proxy then telling it to reject certain size httpd requests and such can really cut down on the availability of port 80 exploits. For port 25.. That really shouldn't be allowed incoming/outgoing except to the ISP's servers.

SMTP is probably where the majority of the issues actually stem from. Admins seem to not know or be apathetic towards properly setting them up. Just doing something as simple as pushing stuff through clamav and/or using some simple filters will catch the majority of the cruft that seems to like to infect windows boxes.. Its really kind of sad when you think about it.

Re:Yellow Alert?

[Antique+Geekmeister]

We're often blocked as a matter of policy from fixing open port 25. Too many VP's and paperwork pushers have a laptop installed by a relative with some strange mailer setup to accomplish some insane purpose that no right-thinking admin would configure, but they sign departmental checks. so you have to leave the firewall rules to permit their silliness.

Re: 40 mothers agree: Cleaning Windows is a PITA

[TCM]

Fucking hell! Is your second name Sisyphus? Plus you're doing half-assed stuff like sorting by file date and automatically overlooking old files?

Save yourself some of your lifespan dude and do what's the only right thing to do to a compromised machine: reinstall from fresh media.

Re: 40 mothers agree: Cleaning Windows is a PITA

[sapgau]

Great tips, thanks!

I will have my CD ready for my next family reunion. :-/

Sometimes...

[RAMMS+EIN]

Sometimes I almost wished Microsoft's own Internet imitation hadn't died. Then, we would have the true Internet, with the academic publications, some grassroots stuff, and the users of alternative operating systems. And the Microsoft network with all the Windows users, entertainment, flashing adverts, worms, pr0n, and everything.

Of course, people would probably build bridges between the two networks, and the bridges could probably be exploited by worms...but the vulnerabilities would probably be on the Microsoft side for the most part, meaning that worms could travel from the Internet to the Microsoft network, but hardly the other way around.

Ah, how pleasant dreams can be...

Re:Sometimes...

[jafac]

um, yeah. You do know, that had the internet bifurcated to commercial|academic model, the anti-government rebels who now control this country would have shut down funding for the academic Internet;

- because it competed with the commercial internet, and deprived private unregulated unsubsidized commercial internet companies (like PacBell or ComCast) a chance to compete on an open playing field without a government subsidized competitor.

- because it gave tenured liberal professors a channel to broadcast their evil communist takeover plans to their lackeys across the world.

- because it's too expensive and cuts into the funding for "more legitimate" government tasks, like payoffs to oil companies, or the development and construction of the next generation of weapons systems to stay ahead of all those axis-of-evil folks out there.

EULA

[Skiron]

The thing that really galls me on MS with these issues is the fact that it's THEIR problem, and they issue a security update to patch a product a user BOUGHT under good faith. Then you have to sign your life away/agree to various thing MS can do to your machine to apply it - as if it's YOUR fault and not MS's onus.

Re:Who cares?

[guardian653dave]

Oh boy, your new here aren't ya? You don't make fun of Apple users on slashdot--they'll disown you.

One less

[anticypher]

It means there is one less windoze machine infecting our internet. I consider this a good thing.

The only thing better would be to change the security switch on that machine from [I]nsecure to [O]versecure, which will change your machines threat level from blue (panic) to black(get a life). Typically the security switch is found on the back of the computer. Flip it. Go outside, enjoy the day.

the AC
Going to follow my own advice now

Installed programs partition...

[varebel]

I would love to partition the drives so that the OS resides on a separate partition from the user data, and yet another partition for the extra installed programs. That would be sane.

Serious question...

I fully agree with you on breaking out data to it's own parition. I do that...well, did that myself back when I ran Windows. However, what benefit is it to dedicat a partition for installed programs when "installing" a Windows program generally entails files being copies to system areas and/or registry keys being created by the installer? Even if the programs partition survived, you'd still have to re-run all the installers so that the necessary registry keys are created, etc...

Re:Installed programs partition...

[corsec67]

That is exactly the point: you can nuke the program partition, and reinstall everything, and your data will still be there on your data/home partition.

I do that in linux, and I have been able to move from red hat to suse to gentoo, all without erasing a single file from my /home partition.

Re:Installed programs partition...

[bmo]

You know, I've been running Linux for so long, I forgot about the registry keys when I made my post.

One of the major reasons to do a clean-up instead of a format is all those user-installed programs, some of which the user doesn't have or can't find the original media.

That brings me to my other gripe. The Registry is the biggest POS single-point-of-failure going on a Windows system.

Meh.

Here's my question to you, though:

"I fully agree with you on breaking out data to it's own parition. I do that...well, did that myself back when I ran Windows."

But not anymore? Why? It's _so_ much easier to blow away the OS and upgrade if it resides in its own partition. Upgrading over an old Linux install works only half the time. I know, I've tried.

--
BMO

Re:Installed programs partition...

[varebel]

But not anymore? Why? It's _so_ much easier to blow away the OS and upgrade if it resides in its own partition. Upgrading over an old Linux install works only half the time. I know, I've tried.

To clarify... I still do break /home out to it's own parition. When I said that "I used to", I meant that, now, it's not such a big deal as it's more consistent with the design of the OS to do so. Where-as, with Windows, if you do anything out of "the norm", you are constantly reminded of your non-conformance by having to enter alternative install paths and file save paths.

Not to sell a used car at a funeral, but...

[Kamiza+Ikioi]

Not to sell a used car at a funeral, but... when these worms hit is the best time to push linux, especially to companies who see significant downtime and lost sales. Something along the lines of, "You know, if you were running (Insert *nix and/or BSD distro here), you'd still be in business. Right now, your business is doing as much sales as a liquor store being robbed, because being 'robbed' is exactly what's happening. If Windows is the liquor store, (distro) is the well guarded bank. 'Robberies' can still happen, but they are extremely more rare and the 'crooks' will be caught sooner."

Something is happening now

[h3rmanni]

We just found a new worm using the 5-day old PnP exploit. Film at 11, more at http://www.f-secure.com/weblog/.

Re:This just in...

[tirnacopu]

Little as I may know about the "black hat" community - at least this thing seems logical: the main target for virus / SPAM spreaders is "shitty 25kb/s upstream" users. They never check their boxes, are used to having poor connectivity, are also very hard to track, cannot be charged under any law and yet can spew out 100-1000 messages per day. Imagine having a list of some hundreds of such machines. You'd be unstoppable :)

What they left out ...

[ShakiirNvar]

In fact, more than 275,000 developers have downloaded Windows CE Shared Source in an attempt to locate all the bugs in the software. This is another attempt by us to increase the security in our software thereby convincing our customers to stay with Microsoft.

Re:What they left out ...

[tomhudson]

So that's 275,000 developers who cannot now work on either open source or proprietary programs w/o having the people they work with wonder if they've been contaminated by the viral nature of Microsofts' "shared source" program.

Cute. Real cute.

Re:What they left out ...

[ShakiirNvar]

hehehe, sorry I have a rotten sense of humour :)

Is there a MicrosoftCon?

[Edzor]

oh wait thats windows XP!

ba-dum-tish!

Internet Threat Level?

[vigilology]

Or Microsoft Windows Threat Level?

MS05-039 worm in the wild right now - apparently.

[caluml]

Apparently there is a MS05-039 worm in the wild and running now.

*nix users - prepare for the net to slow down.

Re: 40 mothers agree: Cleaning Windows is a PITA

[RAMMS+EIN]

I think your postly neatly points out why *nix is a better choice for novices. I, for one, can't remember the last time I had to do that much to fix somebody's non-Windows system.

Re: 40 mothers agree: Cleaning Windows is a PITA

[GNUALMAFUERTE]

I have a better way>

% fdisk /dev/hda
% mke2fs /dev/hda1 && mount /dev/hda1 /mnt
% mkswap /dev/hda2 && swapon /dev/hda2
% mkdir /cdrom && mount /dev/cdrom /cdrom
% installpkg -root /mnt /cdrom/slackware/*/*.tgz
% liloconfig
% reboot

And it'll work forever.

Twice a year, you download the new version and do something like>

% mount /dev/cdrom /cdrom
% cd /cdrom/slackware
% upgradepkg --install-new */*.tgz

Now, tell me again how is windows easier than GNU?

Must read carefully

[HangingChad]

as a part of global DeepSight Threat Management System...

Did anyone besides me originally read that as the global DeepShit Threat Management System?

I think I like it better that way.

Re:This just in...

[sedyn]

I don't think the amount of virii/spyware/annoyances is proportional to the user base in terms of a linear relationship.

That being said about the minor attackware, there should be about the same number of major attacks against everything else.

I say this because:
a) FOSS software such as the Linux kernel may not have the same number of people looking for vulernabilites in a negative context. But those who do have the advantage of being able to see the source code to find them. Therefore it should be simplier to do so.
b) Major vulnerabilites aren't found by people who want to scam you into revenue. I'd say the type of people that try to find a major exploits are the ones who either want a big challenge or to burn a lot of people. Maybe both. And even at our current point, targeting linux/BSD/OSX/etc. people should be enough damage for anyone interested.

And for the minor stuff I do think there is a culture around the OSes. I doubt it is as easy to trick the typical BSD user into doing something stupid as it is to trick the average Windows user. If Linux or any similar OS came into wide spread use, I think that things like scripts, and abuse to sudoing users would become more problematic.

There is at least one worm active out there.

[Alejo]

Look for pnpsrv.exe in windows/system32 and /run.

A large client was affected last night because of it. And they patched almost all servers this week, but how can you keep patching up with thousands of workstations, including home users accessing through vpn?

Tightening more is not an easy option as people want to do all what Microsoft promises them. When security teams (or just plain support) insist on patching they are labeled as annoying dorks, and when a worm/virus hits because of lame users not patching... just plain dorks!

Sometimes I wish I liked painting instead of computers.

Re:There is at least one worm active out there.

[Alejo]

More info from my friend Emi:

More info about the worm: Looks like its Zotob.A., and weblog. Here are some comments.

Re:This just in...

[bmo]

No, I didn't factor in Metcalf's Law.

That's because I was arguing a totally different point that Windows bigots argue, that since Windows is more popular, that it gets a proportional amount of viruses.

Nothing more, nothing less.

Sure, you can use Metcalf's law. But then, where are the 186 viruses even using your formula?

We're talking about code that replicates itself, not rootkits.

No, rootkits don't count as they require hand-crafted attacks at single machines; not automated attacks, as in viruses and worms. There are only so many hours in the day for the black-hat hacker/script kiddie, and that's the biggest limiting factor right there.

The fact is that automatic replication of code (viruses, trojans, and worms) requires more than a little bit of work from the user recieving such code. Indeed, email viruses are nonexistent on *nix (OS/X included) because propagation requires that the user save the file, chmod the execute bit to 1, and then run the file.

On top of that, the little bundle of evil must also be binary compatible with the system that it discovers - in the *nix world, that's definitely not a given.

That's a pretty big hurdle for automatic propagation.

Compare and contrast that to what happens in the Windows world, where automatic execution of code is _built into the OS_ and rather than depend on the user to set an execute bit, executability is dependent on the three letter "file extension", as in my example of the "e-card" obfuscated URL plainly showed.

Click - *boom*

I think it's reasonable to use Metcalf's law to demonstrate virus propagation across a network populated with Windows machines as the machines really do have random connections between each other and that the barriers to propagation within the machines themselves are pretty low to begin with.

--
BMO

How truly wonderful it would be

[heinousjay]

Ah, yes, if only the elites ran the world...

Re:Upgrade spiral

[Synli]

Hmm, what was it that made you upgrade from MS-DOS?

Re: 40 mothers agree: Cleaning Windows is a PITA

[http]

You cannot clean a compromised system with tools running within that system, even in Safe Mode. That's like asking your mayor if s/he's been bribed or not and expecting an honest answer just because the question has been posed during a public council meeting. Wipe, and install from scratch. I would count those ~2 hours as lost in the sense that the system may not have been fixed; you'd probably have been better off watching a funny movie with kith and kin.
Try googling rootkit. *nix has been around ~35 years, and not with a perfect security record. *nix admins hae been dealing with breaches for a long time. While the *nix mindset has come up with clever tricks to detect rootkits I have yet to hear anyone sucessfully defend cleaning any system from within itself. The problem with this approach has nothing to do with *nix and applies across multiple platforms. Because the system is compromised, you can't trust ANYTHING the system tells you about itself, or any tools that use the system to gather information about the system.
I'm hard pressed to imagine an operating system where this would not be the case, but perhaps others would enlighten me.

It's not just MS, it's the users we need to get at

[Anonymous+Brave+Guy]

Security left in the hands of Microsoft is security that should be questioned.

Security left in the hands of anyone is security that should be questioned. If the Internet-using population as a whole isn't educated in at least basic security practices -- even if it's only a one-minute checklist of things they should do and how often, and a thirty-second warning about how bad things can get if they don't pay attention -- then nothing any vendor does will matter. It doesn't make a difference if you're Microsoft, or Apple, or $LINUX_DISTRO_VENDOR.

To their credit, all recent versions of Microsoft operating systems have had an automatic updates facility built in. If users either configure this to download and install automatically, or do it manually but regularly if they're more cautious, then most users are protected reasonably quickly against most things. That's a big step forward from where we were a few years ago. With WinXP SP2, Microsoft have started making security big and obvious to the kind of user that previously didn't do this stuff, which helps a bit more.

I'm all for criticising security and encouraging anyone producing systems software to give it the emphasis it deserves, but let's be fair. Microsoft are the leader of the pack in terms of promoting downloadable, automatic updates, and whatever Slashbots might like to think, measured objectively Microsoft also patch the vast majority of reported exploits very fast. Within hours of a major worm breaking out, there's usually a patch available on Windows Update, and it's prominently advertised all over the Microsoft home page.

Remember, the exploits we're talking about here are for vulnerabilities Microsoft just released patches for. But that doesn't help if users don't understand that they need to install these patches or bad stuff will happen. The vast majority of Windows security breaches occur on unpatched systems, when a suitable patch was available at the time of the breach.

Almost any generic criticism that is made of MS security is also applicable to major OSS platforms/applications and to commercial competitors like Apple, so banging that drum every time the subject comes up doesn't really help anyone. If you want to make a noise, please go and find a friend or family member who doesn't use a personal firewall and anti-virus software. Then take a moment to educate them about why they should, and show them what they need to do. If we all did this instead of bitching about how Microsoft "don't write secure code" -- who does, exactly? -- that would help everyone a lot more.

Never buy from a used car salesman

[Anonymous+Brave+Guy]

The thing is, the whole claim that OSS has inherently better security has been exposed as hype for a long time now.

Some OSS projects have excellent security, because the project leaders place sufficient emphasis on it, and the coders code with that emphasis in mind.

Other OSS projects do not have good security, sometimes not even as good as Microsoft and co.

Consider this: I have downloaded patches for more security flaws in Firefox than for IE in recent weeks. Moreover, the IE patches were offered to me via automatic updates within minutes of being available on Windows Update, while the Firefox patches did not show up as automatic updates for several days after they were available from the project web site in some cases. They even had a whole version missed out of the automatic updates, because somehow a release was made that contained serious bugs of its own, and had to be withdrawn.

This is not intended to be a slam against Firefox; it's great software and the project seems to be run well, the vast majority of the time. Rather, this is intended to demonstrate that nothing's perfect. Trying to convert people from Windows to OSS alternatives, based on security fears, at a time when a worm is circulating, Microsoft has made a patch available, but people haven't bothered installing that patch yet, really is being a used car salesman in the most derogatory sense of the term.

Re:Never buy from a used car salesman

[Kamiza+Ikioi]

I wasn't pushing OSS in my post, I was pushing Linux and BSD. BSD blows Windows security out of the water, and I've never even seen a virus (or spyware) on my home Linux box. The entire Linux security setup (ground-up, not top-down like MS's "we'll pasty some security here and there") is what first and foremost puts MS at a great disadvantage even before the talk about exploits. That they are OSS is inconsequential to the fact that it is 100% true that all of the giant worms affect MS, not *nix (unless you count peripheral damage.)

So, for Firefox, I wouldn't suggest ditching IE for Firefox, but ditching the MS operating system for a *nix alternative. Very big difference there. I've never had a problem with very fast patching for Linux. Microsoft doesn't even come close on patch release times. As for automatic updates, that's what cron is for. (Also, I'm referring to business users, not home users.)

Windows Updates do mess up sometimes

[Anonymous+Brave+Guy]

Then I finally realized that in the years approving the updates, I haven't rejected a single one.

We've rejected two in the past year, both of which fixed a weakness in a protocol by effectively disabling all use of it -- and with it, most of the interconnection between Windows and UNIX boxes in our office that relied on SAMBA. :-(

Here's my assessment

[Anonymous+Brave+Guy]

Here are my conclusions about the current Windows threat level:

Today, 173 users of Slashdot will post comments about how Windows security sucks, they've had enough, and they'll be switching their entire corporate network to Linux on Monday. None of them will.

Threat assessment: hollow.

Re: 40 mothers agree: Cleaning Windows is a PITA

[homesteader]

I fully agree. My home network is made up of 3 OS X machines and one windows box for when necessary. With OS X, I could actually agree that the best fix for a compromised machine(were it to happen) would be a reinstall, since there's nothing user specific in the System directory anyway.

Re: 40 mothers agree: Cleaning Windows is a PITA

[nmos]

Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious.

Good summary. I'd add that some mallware fakes the date and sets it's files to hidden so looking for hidden files can be a good clue when you run into something really persistant.

Re: 40 mothers agree: Cleaning Windows is a PITA

[nmos]

Save yourself some of your lifespan dude and do what's the only right thing to do to a compromised machine: reinstall from fresh media.

The problem with that is that many users don't have backups and may not even have all of their CDs etc. Plus even if they have everything you still have to spend an hour or two with Windows Update so you probably arn't really saving any time.

Peculiar Syntax

[Halfbaked+Plan]

The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon.

That's sure a big block of horrendous writing there.

Editors?

Re:This just in...

[bmo]

"but Linux and Unix service exploits are certainly automatable and common. Apache, Sendmail, BIND, inetd, and the list goes on and on."

Mein gott. Fine, whatever. Dude, on end user/client machines, NONE of that belongs.

"You're complaining about obsfucated URL's, for God's sake."

WHY ON GOD'S GREEN EARTH ARE YOU ALLOWED TO RUN REMOTE CODE FROM A URL AT ALL? EH?

This is an engineering flaw specific to windows! I can't do it from within a *nix system NO MATTER HOW HARD I TRY.

"http://www.spirit.com/Network/net0401.html" The Lion worm uses a bug in BIND Woop De Do. That's a nameserver exploit. How many end user systems you know of that run BIND?

The thing is, I can take this Linux machine I am using, throw out the router and connect bare-assed to the 'net. If I'm not offering any services like BIND, FTP, or any other service, good luck getting in.

"Because the exploit is fully contained in the message it is possible for a not vulnerable mail tranport agent to forward the infected message to other systems." Sounds like an email virus to me. It doesn't even require you to save a file and set a bit. Thanks for playing the game, but it's clear that you don't fully understand the rules.

You don't know the difference between an MTA and MUA. Nutjob. I'll give you a clue: an MTA sits on the server, which in my case happens to be mail.east.cox.net, which ain't my fucking worry. An MUA is Thunderbird or Outlook Express or something similar, like elm. This is where mail viruses propagate, not at the MTA level.

If anyone is ignorant, it's you.

"Yay! Grandma gets to attempt to COMPILE"

It's not 1994 anymore. Who needs to compile?

Game over. You lost. -- BMO

Re:You, my friend . . .

[Fizzl]

How exactly am I going to get hosed by it?
I don't care if that game/video editing machine is down for a day or two. All my data is on my server anyway. The hours wasted on researching each and every MS update would greatly outweight the inconvenience of repairing the machine once every infinite years. Infinite because the update hasn't hosed the machine thus far. I'll post an update when I get hit by it for the first time.

PS. What's the point of using quotation marks if you are not going to quote anyone?

Go get a cup of coffee wanker. ;)
(Ha! Now you can't mod me flame bait because I used a smilie to counter the personal insult at the end of the post!)

Re:This just in...

[bmo]

Oh, I forgot...

Yeah, you can run remote code on a *nix box. You have to be running Windows processes in Wine or actually run Windows in a virtual machine like Win4Lin.

In other words, totally remove the advantages of running a secure system by running Windows.

--
BMO

Nice try

[Anonymous+Brave+Guy]

The neat thing about OSS is if you don't like the way a OSS Project handles security you can always help them do it better.

Well, one neat thing about OSS is that you can write things like the above, and then pretend it's someone else's fault if your project's security is crap. It's the ultimate blame transferral technique.

The reason you may download more patches for some OSS software has nothing to do with how many bugs may be in the software. It only shows that OSS is willing to say out loud when they fuck up and patch the holes as soon as humanly possible.

Sure. It's well known that when Microsoft or Apple sit on a serious flaw for more then a few days, there are no professional organisations who specialise in attacking their software and finding the bugs. Moreover, while those organisations don't exist, if they did they certainly wouldn't release the information publicly if they thought the commercial groups were taking too long over fixing it.

BartPE

[liquid_rince]

Don't like safe mode, then try BartPE. It's basically a live windows CD, quite customisable. http://www.nu2.nu/pebuilder/

Re:ConCon, vraiment...

[chawly]

Oui, c'est con ça. Surtout si l'on se rappel l'existence du mot "conne". Il va falloir soigner cette explication.

Re: 40 mothers agree: Cleaning Windows is a PITA

[zenray]

>Boot to safe mode
Not good enough. Remenber the old rule for virus cleanup - first boot from known clean media. There exists thing that run in memory that will not reviel themselves to any tool - they are very well hidden. A total format and install is the only sure way to clean a very FUBARed system. Not even then if the BIOS has been hacked. I have also physically moved a FUBAR drive to an known clean system as the slave or ide1 master. Let nothing execute from this drive. Now do a cleanup job on it. File dates from the past are not a reliable check. They can be reset to anything a hacker wants.