Microsoft's Vigilante Investigation of Zombies
Morgalyn writes "According to an article at Information Week, Microsoft has decided to fight zombie-launched spam in their own way. In conjunction with the FTC and consumer rights groups, Microsoft set up a clean computer and then infected it. They monitored the 'zombie' over the course of 20 days - 'In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages'. This whole operation has led to the (partial) identification of 13 different spamming groups, some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Microsoft should just have Steve Ballmer fucking kill them.
Not a moment too soon! With Halloween on Monday and everything, this comes at a perfect time to save my brain. I'll still lock my doors though.
Clones are people two.
"Microsoft set up a clean computer and then infected it."
So they switched it on and connected it to the net?
---- There are 10 types of people in the world. Those that understand binary and those that don't
Microsoft set up a clean computer and then infected it.
And of course, by 'infected it' they mean 'installed Windows XP' and left it unpatched and connected to the net for 30 seconds.
How is this fighting this in their own way? Don't lots of other orgs do this same thing...? Don't they also fight spammers in other ways too? And also, if they're doing this in conjunction with a whole bunch of other people... how is this their own way? :P
There are lives at stake here!
I mean come on, if we really want to discourage spam, let's send a real message!!
Come on everybody together now! WE HATE SPAM! Geeze... this is only going to get worse before it gets better... and it's been getting worse for 10 years...
Schrodinger's cat- A cat is put in a sealed box. Attached to which is a radioactive nucleus and a canister of poison gas
Since when is setting up a honeypot considered "Vigilante"?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
I wonder how microsoft infected this computer, my guess is they installed the latest Vista build.
If they are working with the FCC, why would it be considered 'vigilante'?
That's like considering a car company working with a police forensics department to determine why a car did what it did 'vigilante'.
It takes 20 days to collect data which may be used to convict the scumbags, but it takes years for Microsoft to realize there was a problem and do something about it. To be fair, this should be law enforcement, but someone has to file those John Does in a complaint.
"At the same press conference, Dan Salsburg, the assistant director of the FTC's Bureau of Consumer Protection, urged all computer users to do their part to stymie zombies. "The FTC is taking aggressive steps to stop zombies and protect consumers, but consumers also need to insure that zombies aren't on their computers," Salsburg said."
I'm sure they're shuffling paper like they've never quite shuffled before.
I just don't want to see, a couple years from now, Microsoft being awarded patents on the invention of the Honeypot.
A feeling of having made the same mistake before: Deja Foobar
How is this vigilantism? I thought we called it honeypots. Except, perhaps, when Microsoft does it?
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
How come when it's Microsoft doing something it's called vigilante but when it's somebody else doing it, it's called a honeypot? Come on guys? I see this as a positive thing.
The world according to SComps
... to catch a spammer?
At least they're TRYING to do something about the situation they helped create. Let them have their fancy word 'vigilante' and let them continue to pursue these annoying bastards.
You're nothing; like me.
So MS is sending me spam now and can get away with and get positive credit for doing so?
"Brains" scream of death.
Maybe this is part of the upcoming movie Green Arrow Begins.
A feeling of having made the same mistake before: Deja Foobar
Ok, raise your hand, who thinks there's more than 1 infected windows machine on the Redmond campus?
Didn't you notice the original article was written by Zonk (aka li'l Zonky)?
He does this sort of inflammatory crap all the time.
This is a non-story --- clearly Microsoft is doing some PR. Rather than auditing their codebase, using formal methods or other techniques to root out flaws, they've decided to do a feelgood story and feed it to the press.
Useful idiots like li'l Zonky will push it for them.
http://www.thebricktestament.com/the_law/when_to_
So I guess, Microsoft being above the law, it's OK when they do that. The end justifies the means, after all.
I'm an American. I love this country and the freedoms that we used to have.
So they admit to knowingly violating the law 18 Million times!!!!!
It's swell that they forwarded on the 18 million spam emails, instead of just recording them or tracing their sources.
So MS sends 18 million spam messages (presumably to you and I) and that is called research?
Something that intrigues me is: Why hasn't anyone in law enforcement done this? If they already have, why is anyone listening to MS? Why is this news?
If law enforcement agencies are not doing this, I want them fired... well, that might be a knee-jerk reaction, but hellsbells, this is just plain common sense?
Support NYCountryLawyer RIAA vs People
"some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Common. We all know the only way to deal with zombies is massive head trauma.
From article:
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount of data was impossible to analyze, so..."
So, seems 18 million records is too much for poor little SQL Server, hmm? I bet Oracle could help, or maybe MySQL/PostgreSQL.
Why? Because SQL Server 2005 can't store it all?
Oh, please mod the parent down. That's the lamest attempt at a joke I've ever seen.
I've always wanted a reason to say that.
Microsoft has decided to fight zombie-launched spam in their own way.
Boom! Head shot!
some of which reside in the US and may be prosecuted under the CAN-SPAM act.
I'd think there were more serious charges. Did the e-mail have forged headers? Does that make it wire fraud? Is unauthorized use of one's computers not a major crime?
Zombies are entirely different from a company putting you on its mailing list without your consent. These people aren't annoying marketers, they're criminals.
________________________________________________
suwain_2
Okay, aside from issues of "entrapment", why hasn't anyone with any legal authority done this?
It isn't like it would even be difficult to do. You wouldn't even need to setup your own machine. You could find any one of the hundreds of thousands of existing zombies out there just by asking your email admin to get you the IP addresses.
If you do this for a couple dozen boxes (it shouldn't be that difficult to find people who would cooperate) you can get a LOT more info than with just one box.
US 'bot net "admins" should be a dead breed by now. We're talking money. Even if they do nothing to really fix the problem of easily owned machines, they can bust the new "admins" every few months and rake in the money in fines and confiscated property.
... rather than the honeynet project who have better tools, and far more experience at this sort of thing?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
I haven't seen anywhere in the anti-spam laws that says you have a positive duty to stop spam. There doesn't seem to be any criminal culpability for getting a system hacked. The person doing the hacking and spamming is in trouble, but not the person that it happened to.
If I'm incorrect on this, please point out the relevant part of the law.
"and sent 18 million spam messages."
So does this mean Microsoft spent time aiding spammers in their spamming? Can't they get in trouble for that?
On the other hand imagine Paperclip... It looks like you're trying to fight off a zombie attack. Would you like me to (A) Shoot some of them in the head (B) Open the main gates and let some more in?
New meaning to Blue Screen of Death.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
There is no redress for grievances to or for corporations; remedy is legislated, and it is known that the remedy even recently has degraded to CAN SPAM ACT. Before CAN SPAM ACT, all that was necessary is to acknowledge the source of the transmission and send the owner a bill for purchasing the value-added resale of available communication services. It isn't so easy for a man (either male or female); to enumerate the trespass of another in terms of billing to the use of a communications line for said data transfer, as an intended interference to a station, and further as deceptive commercial delivery of speech; the remedy would be limited to only those people acting on behalf or employed by the corporation and not the corporation. Reason being is the truth that flesh and blood, living people, can only challenge same; whereas any redress to a corporation would presume the complaint to be of a fellow corporation. Law of Nations clears up the difference between politic and corporate, and I hope everyone gets their copy certified from Project Gutenberg so they know that there are two nations, one America and the other the United States, there are American states and there are United States states, then there are the corporations chartered by their respective states. A challenge to a corporation could be transgressed by Return Service to a misnomer, or a presumption that the complaint is derived of a person in a contract with collateral to the services rendered, et al; no different than a libel of review. Abatement would clear this up, but a UNITED STATES judge or magistrate would need some coaxing as to why we believe people are more special than some fool stealing your resources for use by a UNITED STATES regulated corporation.
:-)
On a somewhat off-topic note, concerning commercial speech transmitted over FCC regulated communications lines, copper or wireless, a friend and I were discussing the circular reasoning involved with the FEDERAL COMMUNICATIONS COMMISSION for licensing; regarding their license demands that no codified transmission may emit from a FCC-licensed station, yet the study course is more FCC codes (regulations) as opposed to actual electrical theory and law. In other words, a demand to subscribe to a FCC license would itself prohibit use under the FCC license. Could this be a loophole regarding the first amendment, if enough pressure is exerted for the people to make unhindered use of services contracted, to prevent a contract stipulation to coerce agreement by reference or partial inclusion of an unrevealed contract (think FCC)? At the very least, I know that Part 15 of the FCC code is honest about my use of a cable-cutter on copper wire.
Just trying to stimulate.
without prejudice
[Fuck Beta]
o0t!
Or we could, I suppose, get mad at the people who developed SMTP, a system so insecure in and as of itself that anyone can pretend to be anyone else and get away with it.
Of course, that was done in a kinder, gentler time when "spam" was unknown, so I guess they can be forgiven. Then again, much of the Windows code was created long before the terms "DoS" or "buffer overflow attack" came into existence.
Naw. Much easier to hate MS. Somehow, they should have known better...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
...I wondered why my gmail inbox had 18million new spams...
A couple friends and I set up a computer to measure our own security practices for hosting our own website before brining it online and live and then continually tried hacking into it. One night after we had connected it to the Internet while we were attempting access, someone else gained access through a hole we hadn't patched and turned our machine into a zombie. We set up a bunch of monitoring software and watched it. It attempted, or rather participated in, three DDoS attacks on various websites, it was continually resending received SPAM messages, and was accessed an average of about 40 times a second from all over the Internet. We watched it for a few days and then Blew off our install and started over fresh, and by the way we patched the hole before putting it online again. We continued to hack at it for a few weeks and then left it. It was comprimised again about a month later, but was never used as Vigorously as the first time we brought it online. Is there anywhere that you know of that the log files (All backed up on a separte machine) would be sent that could be useful to humanity to stop these folks from spamming? The data and IP's are over a year old at best but it may still be helpfull.
Generation Trance: What generation are you?
How is this fighting this in their own way? Don't lots of other orgs do this same thing...?
Well, it's their own way in that other organizations are not so irresponsible as to allow the machine to send 18 million &#$% spam messages while they ooh and aahh over their creation. Microsoft "embraces and extends" yet again...
From The Fine Article:
"In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages," said Cranton.
That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,00 connection requests were made of the PC, and about 1.8 million messages were sent through it.
How nice: they allowed 18M junk messages to go through, but could be bothered to look at only 10% of the data. Unbelievable.
I want to drag this out as long as possible. Bring me my protractor.
We tried to analyze our monthly router logs with Access this week, and it died at 4 million records... Back to pgsql...
be doing some of this?
Microsoft is going through the courts and the criminal justice system. In neither case is there vigilantism involved, just vigilance.
Time is Nature's way of keeping everything from happening at once... the bitch.
Let's get together and file for patents on the SPAM process. Then we need to file papers on creating an OS that enables the above process. Then we need to patent the process of patenting the above.
Generation Trance: What generation are you?
I highly doubt Microsoft let the spam get out of the honeypot. Most likely they just returned fake responses to the spammer machine and collected the data. There's no need to actually relay the mail, and it's not like spammers audit their proxies to see which are working perfectly.
This has been a huge problem for longer than the past year, what took Microsoft or even the FCC so long to investigate? The investigation wasn't exactly rocket science, they set up a zombie and watched it take connections.
The irony is, Spamming has been a serious center of creativity and innovation. Just the sort of thing Patent Law is there to protect.
A feeling of having made the same mistake before: Deja Foobar
How long do you think it would take for your car to be stolen if you left it parked in the worst area of Tijuana with the windows down and the engine running?
My amazing wife - Artist, Author, Philosopher - Laurie M
Is it just me or does it seem like everyone's trying to jump on the "popular topic" bandwagon? Notice how the first half of the page is full of replies saying Microsoft's actions aren't "vigilante", then the second half is full of replies about why Microsoft should be able to get away with sending 18 million spam emails. It seems interesting to me that if people are posting their own thoughts (and not just copying someone else's thoughts that they liked) that the two different topics aren't more evenly dispersed throughout the page. Maybe it's just me.
There must be something going on, I got 18 million spam emails in something like 20 days!!!
There are 10 kinds of people in the world - those who understand binary and those who don't
*Runs from Microsoft employees, dressed in his zombie suit* EEP!
It's never just a game when you're winning. - George Carlin
That NONE of them read /. :D GO
Maybe it was a Foodian slip? You know how Ballmer is gaining some girth on the outer crust; maybe he was thinking of the Pillsbury doughboy? I feel like eating some sourdough myself... This is that CIA subliminal mind-control being used to by the corporate bakeries... mmmm sourdough.
without prejudice
I'd be amazed if it lasted 30 seconds.
:P.
When you get right down to it, cars are shitty in reliability compared to software. Off the top of my head, here are some major problems my car has, at least when looked at from a software standpoint:
1) My car is very vulnerable to break ins. You can smash a window, jimmy the locks and so on. It's easy, requires no knowledge to do.
2) My car doesn't deal with faulty input. If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that.
3) My car has problems with user error. If I drive it in to a wall on accident, it'll stop functioning. Same if a user of another car makes a mistake and hits it.
Worse yet, the manufacturer will not fix ANY of these faults, even for a price. Even worse they KNEW about ALL of them when they sold the car.
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
Only on Slashdot
subject.
Oh. They setup a computer and watched how it could be exploited and went after the people doing the exploiting. Now that seems like a smart way to handle the problem. If it was my product then I would consider actually closing the holes that allow spammers to exploit Windows to be the best solution. But hell, what do I know?
9/11: Never forget it was a false-flag operation
If you can't beat them, join them. =)
This is another PR stunt. It's the same with their charity foundation. Children would sooner starve in Africa than accept money from MS.
MS admits to sending out 18 million pieces of spam.
prosecute them, law breaking to catch law breakers is the job of the cops.
they admitted it, should be an open and shut case.
a) Why did they allow it to actually send out 18 million friggin spams instead of redirecting those to /dev/null?
b) Did it scare them how easily the system was compromised? Yes, the article says "they infected it". I'm sure they didn't, they put windos on it and let it run for a while.
c) Will the spammers get off easily because of entrapment?
d) Who is putting pressure on M$ to be suddenly so interested in spam after they ignored the problem completely for years? Something big is happening behind the scenes - M$ doesn't usually do things just to look good. There's either money to be made or a monopoly position to defend.
Assorted stuff I do sometimes: Lemuria.org
actually a good idea, create a "test/crash" machine let the bastard spammers get after it, prosecute those bastards after spamming.
kind of like what the police do with jack ass car thieves, have a "dummy car" with a kill switch, thieves break into it, try to drive off, police remotely kill car engine, windows and door lock. Thieves caught red handed........
repeat offenders given 3 strikes, 3rd they're "removed from society" via firing squad shooting with civil war rifles, aiming from the legs up until they are dead.
that's how you remove repeat offenders out of the system for any crime, make the consequences lethal, and make it hurt. If you know that it's it and it won't be painless, you're less likely to offend. Of course then the bastard will just do a "suicide by cops", but i don't see a problem with that, problem of them being removed from society is still solved.
vigilante zombies investigate YOU
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
Costume 1: Guy disguises himself as a zombie and puts on a cardboard monitor. Here instead of "brainssssssss" he should say: "mailssssssssssss"
:)
Costume 2: A fat guy carrying a chair, with a Google T-Shirt (and the handwritten letters above: "I'll F**ing Kill"). Obviously his secondary target would be the guy wearing costume 1.
Now the following may be off-topic, but what the heck, I got started!
Costume 3: Just put on a Bill Gates mask, and wear a Microsoft T-Shirt. And instead of "Trick or treat", you say: "End User License Agreement".
Costume 4: Disguise yourself as a Lawyer and stick the logos of BMG, Sony, Time Warner (did I miss any?) on the back. Instead of "Trick or treat", say "Court or Settlement"
Costume 5: Disguise yourself as Zombie, but instead of wearing the cardboard monitor, just put an AOL sticker on your shirt. You're an official "AOL user". Instead of moaning "brainssss" you'll say: "Me, tooooo!"
Costume 6: Disguise yourself as a monitor, and paint the front in blue.
Costume 7: Paint your face black and buy fake jewelry. Pretend you're the relative of a Nigerian prince who just died.
Ah, Microsoft: for a company returning net profits well north of $30 million per day, you'd think the poor lambs might be able to afford more than a single computer. Perhaps the news that these here "zombies" exist and are used to send this strange stuff called "spam" came as a terrific shock. Agree with another poster: this comes over as a publicity stunt. One wonders if they even paid for the computer.
Perhaps it's time for a name and shame campaign on spam with the big IT companies. How much is each of them spending on combating spam and taking down spammers? I'll bet it's not nearly as much as they'd like us all to think.
Las qué passoun
tournoun pas maï
No one has been doing this already?
Isn't this elementary?
No! It's a *SIG*. Keep the Special Interest Groups away! (Con joke!)
Though the Information Week article didn't mention this, an article at another site makes it clear that Microsoft blocked the outgoing spam messages during their honeypot experiment.
Jesus, learn some grammar and learn to spell before posting would ya?
"...couple friends..." like railway cars?
"...then Blew off..." or perhaps pr0n?
"...was comprimised again..." look up the correct spelling
"... as Vigorously as..." and what's with all these capital letters?
"... files (All backed up..." why the capital letter?
"...on a separte machine..." spelling
"...helpfull...." spelling (hint one L only on the end)
"Hello there! Looks like you're trying to run a party!"
How can this be called 'vigilante'? If I go arrest and beat up the guy that stole my car - then I am a vigilante. If I know who did it and report him, then I am being a good citizen. I despise M$ as much as the next nerd, but this is reaching a bit...
Sig? We don't need no stinking sig....
Well, there's their sourcesafe server for a start - that's riddled with malware.
/* This sig is disabled. Press CTRL-W to enable. Thankyou */
Bad reporting on InfoWeek's part. ZDNet has an article about the same thing, but they include an important piece of information: "Microsoft said it blocked the junk mail before it hit the Internet."
The only thing about "entrapment" that I can see is infecting the computer in the first place.
It comes down to whether the cops/feds took any action on their own to connect that box to that 'bot-net.
Which is why I would prefer the "clean hands" version of simply picking a few dozen boxes that are already infected. This is all about making the case as solid and complete as possible with no way for the "admin" to weasel out on technicalities.
And if any of the cops/feds are interested in a long list of IP addresses that are 99% likely to be zombies, I can provide them. Hundreds of them. With data going back months.
I will give $10,000 to charity if someone creates a game where Steve Ballmer goes on a rampage killing hundreds of spammers with his deadly bloody chair (as the default weapon), and in Quake 3 Arena fashion to also have a key bound to various choice quotes uttered by Mr. Ballmer like "I will fucking bury that guy" and an animation of Mr. Ballmer's model pointing in front of him to go along with those utterances.
(Disclaimer: I won't really donate the money because I'm a poor college student)
"If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that."
First of all
1) Most cars have a rev limiter. If you floor it in neutral, it simply bumps into the limiter
2) On crappy cars and old ones, there is no rev limiter and the valves float and break the engine terribly
Your car will not overheat from this in either case.
You forgot "brining it online." I don't think a computer filled with salt water would be very useful, and I don't understand why it was necessary to brine it online. You'd think it would be easier to brine it at the beach.
Wonder why they don't spend their time and energy fixing the problem in the first place?
If your house is insecure and you keep getting robbed you can do two things.
1) Go after the people who robbed you. -- Great.
2) Secure your house so people can't rob you -- Even better.
They just knocked off a bunch of the dumber spammers. The world is a better place! But... now the surviving ones will realize that maybe it's not such a hot idea to connect directly to their zombies... better to get a zombie to connect to the zombie! Sure, you have to make a few connections to your zombie network to get things moving, but the chances of hitting a honey pot are pretty low, and even if you do, who's got time to investigate a thousand zombie machines to find one actual spammer (who could just say his machine was taken over as well)?
now THAT'S innovation!
if this is supposed to be a new economy, how come they still want my old fashioned money?
If my car had millions of people throwing bricks I'd be amazed if it lasted 30 seconds.
That is a nice analogy, but the problem is that the grand parent still had a point. I have three cars, My shiny Apple sports car, my Linux dune buggy kit car, and my boring gray Windows station waggon. Amazingly enough my Apple sports car and the Linux dune buggy stand up to the millions of bricks that get thrown at them just fine. I mean, in view of the complete absence of broken windows, dents and scratched paint I'd say they hardly know the bricks exist. Now my Windows station waggon on the other hand really took a beating the first time I took it for a spin. In the end I had to fit it with solid steel armor, build up the chassis (due to the weight of the armor) and fit it with bullet proof glass to deal with all those bricks. I even planned to add a turret with a 20mm cannon but the police would not give me a license for it. All in all this indicates to me that the guys at Apple motors and Linux Kit Cars Inc. did something right that the guys at Windows automobile company screwed up wouldn't you agree?
Only to idiots, are orders laws.
-- Henning von Tresckow
But unusual? I kinda doubt it.
Infuriate left and right
A better comparison would be a car that let rain go through.
Anything, car or computer, has to be designed to function under 'normal conditions'.
When you're plugged to the Internet, it is normal to receive packets with arbitrary content from unknown people. Just like rain on a car.
I don't think a computer filled with salt water would be very useful
Depends. If it was previously running WinME, it may be a marked improvement.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I hadn't heard of the Fed's new cyber safety website before this article. It's an interesting attempt for the average user- should be educating to see how it develops over the next few months.
J
We adhese to our words and thoughts they present, respectively. I had a rather lengthy post on common law patents, modded as offtopic, yet I can't seem to look beyond the twenty-four post record limit without donating to Slashdot beyond the occasion. When thinking of letters patent, ponder on self-evident drawing rights by pen to paper, before the abomination Drawing Rights seized by that President RICHARD NIXON of the UNITED STATES. So, briefly I exhibit at DICTIONARY.COM;
pat-ent
Setting a common law patent is easy as placing the claimant postal address face of the each page of a letter, or serial enumeration, to be publicly known as patent; thereby a postal stamp set on the address of the claimant as having paid the postal fee, and thereafter sent to a recipient such for audience, witness, or return to sender (commercial patents are two-way as opposed to non-commercial patents) to preserve a record of a patent; do not conceal the letter patent with an envelope; it needs to be publicly visible; that is why the "To" and "From" needs to be on the face of the actual letter, down the middle and not in the upper-left corner as though a commercial service: This all so the postal service can be witness for an original estate. This precedes all patent offices, even that corporation known as UNITED STATES PATENT AND TRADEMARK OFFICE. How do you suppose you reserve your rights before you surrender the rights to someone else so they can Reserve your Rights on your behalf (office)? Isn't that like burning the unanimous Declaration of Independence so King George couldn't get his greedy hands on that document? In other words, just send a frickin' postcard and it'll be greater evidence that you own your ideas than anyone else. If someone asks you where you got your idea, say to them that a beautiful angel, scantily clad in an everclear lake, reached into her bosom and handed you a Sword (of truth) whence to carry into battle for the King's court; then if they ignore that their idea looks as your idea, and insist that your idea is derived of theirs, you can begin blowing your nose at them and follow the advice of our blessed postal patron Benjamin Franklin to fart proudly in their general direction.
without prejudice
"Then again, much of the Windows code was created long before the terms "DoS" or "buffer overflow attack" came into existence."
Really?
Buffer overflow attacks have been known for well over 20 years, and while DoS is new, the concepts are not new. If you can still get your hands on it, take a look at the source of FWTK, written by Marcus Ranum (http://www.dreamwvr.com/fwtk.org/fwtk/docs/documentation.html) for an example of people have known how to write defensive code for a long time.
Now, I think there is a grain of truth to the idea that MS is most attacked because 90% of the computers run Windows. However, the codebase of Windows XP is from the 21st century, particularly since they've released SP2 in the last year, which contained significant upgrades to all of Windows.
Especially since this was written after the time that MS announced (http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.mspx) they were looking at all their old code to focus on security.
So all things considered, either MS fibbed about reviewing all the code to make it more secure, or they don't know how to do it very well. The idea that attacks on code are something that have only come about since the AOL moved to the internet seems a bit misguided.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
No wonder it's the wild west out there, after years of abuse and billions of spam & scams they finally set up a machine to catch some bad guys.
Good for them, they should keep it up, it's frigging insane the volume of spam and spambot hacking there is out there. It's real simple; start catching prosecuting the bastards, and to the *fullest* extent of the law.
I am somewhat antimicrosoft, but I fail to see why this is called "vigilante". Microsoft is working openly with the FTC. They set up their own computer, it got infected and they are investigating unauthorized connections to it. As a security professional I applaud their efforts. This is no different than anyone of you making a honeypot and checking the damage.
Yay MS! Now, make Stevie B kill them (as other posters suggested:-)
If my car had millions of people throwing bricks, I'd be amazed if it lasted 30 seconds.
:P.
When are people going to stop using analogies which don't work? They rarely work well. This one does not work at all.
If a car gets bricks thrown at it, it will be damaged by each brick until eventually a brick will break through the car.
On the other hand if a single attack comes from the internet to your computer and your computer is vulnerable to that attack, it will be breached on the first attempt. Conversely, you could have all the attacks your connection could handle, but if none of those attacks addresses any vulnerability your computer has, then it won't be penetrated (it might die DoS style though).
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
This is ridiculous and not just because the analogy is ridiculous.
Nobody should expect faultless software. However people should expect a premium product for a premium price and free fixes within the warranty period. Especially given that the fix can be made once and then applied by millions. Also, you are comparing VENDOR FAULT with USER FAULT.
Only on Slashdot
Wake up to yourself. I wouldn't be poking fun at others if I had the screwed up logic that you do.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
that we go out an start shooting spammers? Why that's just...just...
I'll go get my gun. YEEHAW!
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
Because the infected computer usually has to contact the IRC channel and report in that it is infected and available.
There is no equivalent for stealing a car because the car does not call you up and tell you that it is sitting at the corner of Pike and 5th with a broken window and no car alarm.
Which is why the issue of entrapment comes up.
Most drivers are required to take a test to determine their competency. Drivers Ed is available across the US and required for minors in most if not all states.
It would be interesting to see the same for computers. Everyone seems to know that a car needs an oil change every x miles but too few seem to know that you need anti-virus and anti-spyware installed on your computer for safe operation. Perhaps seatbelts would be a better analogy.
While I think it's generally agreed that software could be safer, I think it goes just as well to say that users could be generally more educated. The problem is that software venders advertise their products as being safe all in-one products and come decorated with a "no experience necessary" sticker on the box. I think software venders could do more to educate the masses. Cars come with an owner's manual; computers come with a user agreement.
I want this account deleted.
Every car I have driven since 1985 cuts out the fuel injection system, while in neutral, if the engine exceeds 2000 to 3000 RPMs.
This line of thinking is utterly ridiculous.
Microsoft's "software" receives a finite sequence of bytes, and returns a finite sequence of bytes. That's all.
There's no door to pry open, there's no equivalent to a crowbar, there's no bomb or hand grenade to throw, and it's not Baghdad. The "thugs" are using a legitimate, publicly accessible avenue, they are just sending byte sequences, no different than what your web browser does. Sure, these people are malicious, and are doing something they shouldn't, but don't kid yourself, Microsoft probably doesn't even *try* any more. They all think like you do. "Security is impossible."
Stop trying to apologize for Microsoft's incompetence. The problem is that they can't (or won't) control all the byte sequences that their software allows. They won't hire enough people, they won't do enough work, and they won't reduce the feature set so they can.
Every patch Microsoft issues is not a "fix". It's an admission of failure. Why should an admin have to update something that should've shipped in a working condition? The fact that Microsoft's software could be turned into a zombie so easily is also an admission of failure. Who cares what the zombies do? I'm not interested in studying the criminal mind, I want my computer to work!! How about figuring out how to keep the computer from being zombified.
And no, Linux isn't much better. But at least it's *free*. I don't know what that has to do with Microsoft though. I want software that's 100% secure, not software that's "more secure than Linux".
The sooner companies (and random Slashbots) get it in their head that software should and can be written SECURELY, the better.
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
A delightful analogy but totally and absolutely bogus.
Just activate your cerebrum for a few minutes.
Is it reasonable to expect a car to be resistant to efforts to break into it with a brick? Clearly not, for your typical family vehicle. No reasonable person would think so.
Is it reasonable to expect a computer to be connected to the Internet, and for its user to perform simple tasks such as surfing the net, without being infected? Clearly it is, and any reasonable person who is not an apologist for the pathetically lacking security of MS (and quite a few other) products would think so.
It is just stupid to lay all the blame on the people who do the hacking. Sure they're bozos and criminals. But how in god's name does the world's largest software company, with virtually unlimited resources, get away for so long with producing software so flakey that infection is just a matter of time if you dare to connect your machine to the Internet?
Anyone with knowledge of computer systems outside the MS world should be aware that it is possible to create software that is highly resistant to attack via the network. It's hard - very hard - to make it 100% foolproof, but it's easy - very easy - to do one hell of a lot better than MS has done.
The people at MS are as smart as anyone but the total focus on making things easy over making them safe ties their hands. As a result millions of people have become trained to think that it is actually reasonable to pay hundreds of dollars out on anti-virus and other "security" software
[x] auto-moderate all posts by this user as insightful
i know microsoft = evil, and i'll probably get modded down for saying this... but Microsoft Zombie has got to be in the top 3 products they make.
The answer to your facetious analogy is, of course, that software is not the same as cars.
It's very similar -- I might argue that computer hardware is close to a car -- but it's not quite the same, as free market mechanics demonstrate.
If you provide buggy and unreliable software, people will use other software. People are willing and able to invest in new software, so they do; as a result, there's usually strong pressure on software developers to fix bugs. (When software costs no money but only time, a different dynamic emerges.)
Of course, if you disrupt the free market in some way - for instance if you gain monopoly power - your monopoly power makes it less likely that people can change vendors, and consequently less probable that you'll focus on free-market distinguishing features like customer service, software updates, or bug fixes.
For a practical example, consider Quark & Adobe. QuarkXPress didn't really improve from v4 to v6, during the period when Quark was the de facto choice for software. Once InDesign came onto the scene, real competition emerged again and computer-aided publishing began to improve again.
You can't make a useful assessment of what "should" or "shouldn't" be fixed or implemented. You can, however, look at what does happen. Pragmatically, most insecure software gets fixed because if it doesn't, demand (users) will go elsewhere. The fact that it hasn't happened with Windows says something striking about monopoly power.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
ok, let's think about this for a minute - 18 million email is too difficult to analyze
the folks that supposedly wrote the freaking OPERATING SYSTEM can't even whip up a few scripts to analyze 18 million msgs?
the suits who employ the folks that supposedly wrote the freaking OPERATING SYSTEM can't be BOTHERED to hire a geek (or two) capable of whipping up a few scripts to analyze 18 million msgs?
no WONDER windows security is non-existent...
But that wouldn't occur to them, would it? Wouldn't take too long. Either to write or to run.
Nuff said?
Pssst. Even Microsoft don't use SourceSafe. That's how bad it is.
Because most Windows users run as admin, else they'd bitch that they can't run Sober (well, they wouldn't actually know it is a mass mailing program). If they wanted to run it so bad because it said "hot-teen-sex.exe" and they knew the ropes of running as non-admin, they'd launch it as admin anyway. Or it need not be launched as admin just to run. Thunderbird is capable of sending e-mail. Is Thunderbird a malicious application?
PROBLEM EXISTS BETWEEN KEYBOARD AND CHAIR WHILE HEAD IN ASS (PEBKACWHIA).
Blame the user, not the software.
They decided to use a Mac or boot off of a Linux machine instead! :)
Bet that definitely got some laughs out of their brass -- the thought of infecting a Linux or Mac with spam. LOL
>>Only on Slashdot :P.
>Wake up to yourself. I wouldn't be poking fun at others if I had the screwed up logic that you do.
he has his logic and he wrote what he wrote while he was awake,... and if you had his logic, why would you write anything else,... unless you had different initial assumptions... [and i'm guessin' that's the big difference before and after anything resembling logic]
or am i missing something,... again?
Microsoft set up a "clean" PC, then infected it with malicious code commonly used by attackers to turn a computer into a zombie.
There is a wide interpretation with a lot of questions about this statement. By "clean" machine, I assumed that Microsoft has a current copy of Windows and it is fully patched. So did they manually put a virii on their computer locally or did they infect it remotely through a network using an unclean machine? The second part would mean that a fully patched Windows machine would not protect jack. Notice that they did not go into a lot of detail about that? Hmmmm...
Coderz 4 Life
I'd like to sincerely thank Microsoft for taking the initiative and doing this. It is the responsible thing to do.
But obviously Microsoft is giving these guys the razzberry, and also the blackberry and the olallieberry while they're at it. (The other Washington has the MarionBerry....)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But why Borg vs. Zombies is important is that they have the resources to get a bunch of lawyers to build a sufficiently large lawsuit to hunt down the spammers across jurisdictions, and sue them where it's legally possible.
And because they're MSN, the big ISP, they can make a strong case that zombies are costing them lots of money, and can get the spammers' ISPs to listen to them in ways that smaller non-ISP players usually can't.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Zombie Walks in Seattle - Boingboing seems to be a hotbed of articles on upcoming zombie mob activity and pointers to pictures of the events afterwards:
Vancouver Pictures San Francisco.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
OK, you've got me there :)
Somebody please mod parent up, that made me laugh out loud.
A very bizarre thing for Microsoft to do. They just bought Frontbridge, a spam blocking service. Now, they are going after a major number of spammers to, if I get this straight, stop them, thereby lessening the need (and I mean maybe a .01% lessen) for their brand new service to block spam.
A 9.2 on the 'hey I'm bored lets do something fun' scale but minus several hundred on the 'how will this affect our other businesses' scale.
Why do overlook and oversee mean opposite things?
How many millions sent?
WHERE were the blocklists when this happened?
did the emails arrive or what?
Mario.
No, cruel and unusual would be making the person run Windows ME and Bob.
Fight Spammers!
Go ahead and write a script to reverse DNS and calculate routes for 18 million messages and see if you can complete processing it in a few years.
BTW, Microsoft finally figured out the criminal masterminds behind it included Google, Apple, Linus Torvalds, and Larry Ellison...
The guy I was replying to was saying nobody would stand for a car that does X, why stand for software. My point was that if you want to compare them, then the car sucks. They aren't the same thing.
he has his logic and he wrote what he wrote while he was awake,...
"Wake up to yourself" is a figure of speech. I don't literally mean that he is not awake. I could have said, "wake up and smell the shit you are shoveling". He is not awake to how wrong he is.
and if you had his logic, why would you write anything else,... unless you had different initial assumptions... [and i'm guessin' that's the big difference before and after anything resembling logic]
Logic does not have to be correct. It can be flawed and his is.
or am i missing something,... again?
He is making fun of some of the crazy statements which get written here, yet the particular statement he is poking fun at is based on reasonable logic, which he is debunking with some very flawed logic and ridiculous extension to a silly analogy.
The two do not mesh.
1) My car is very vulnerable to break ins. You can smash a window, jimmy the locks and so on. It's easy, requires no knowledge to do.
Physical security being compared with logical security. If you want a car that can sustain such brute force physical attacks, then you need to spend more money on an armored car or something like a BMW Protection. To do the same for a computer, you should be spending more on physically locking it up securely with good locks.
2) My car doesn't deal with faulty input. If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that.
This is irresponsible USER action, being blamed on the MANUFACTURER. In addition, sanity checking of input in software is of almost negligible cost, yet preventing complete and utter stupidity of a USER causing damage in this case, adds cost of additional physical mechanisms. Costs which the general public should not have to worry about, because it is much cheaper and effective to just educate vehicle owners that they should not redline or rev highly an engine without load.
3) My car has problems with user error. If I drive it in to a wall on accident, it'll stop functioning. Same if a user of another car makes a mistake and hits it.
No reasonable person would claim that user misuse of a car or software should be blamed on the manufacturer. This is a silly comparison. Anything can be misused. It does not mean that the problem is with the product, rather the problem is with the user.
Worse yet, the manufacturer will not fix ANY of these faults, even for a price. Even worse they KNEW about ALL of them when they sold the car.
Okay, so let's see... car makers should somehow provide unbreakable glass and locks, should cover every possible scenario to prevent user (or other person) stupidity causing harm to the car or owner? I suppose this would have to be done at a reasonable price too?
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
As I've already said and now further elaborated on, this is ridiculous. He is comparing car owner complete and utter stupidity, with software users who paid a premium price and expect premium quality and response to stability and security issues which crop up.
One is completely unreasonable ("I drove my car into a wall / Someone threw a brick through my window ... now fix it") versus a reasonable complaint like "I installed Windows XP and within minutes of being on the internet (while waiting for patches to download perhaps), I was infected with a WORM. Ever since vulnerabilities are found in my system every few weeks or so".
Windows is thankfully FINALLY getting better. However in the past, systems could be expected to be vulnerable to MANY different attacks out of the box and users had to be knowledgeable on how to prepare and deal with those problems. Remember, Windows is targeted to be usable by people with a minimum knowledge of these sorts of
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
You obviously never have owned a Toyota.
"If anyone needs me, I'm in the angry dome."
If the computer initiates the connection, it could be seen as entrapment.
So there would still be entrapment if the computer contacted the admin. Just as there would be if the cop was walking up to cars and saying "Hi, I'm available right now".
If people were regularly breaking into my car I would demand things like bullet proof glass so that they would not succeed. If every car in the world was getting broken into that much, I would demand that the makers build it to withstand bricks. Sure I'm mad that the thief breaking in, but I'm also mad at the manufacturer who didn't make the car harder to break into.
If I regularly put my car in neutral and floored it I would demand a rev-limiter. I don't do that often. My PWC (jetski) has a rev limiter because it is common to have the engine wide open with no load - when wave jumping. They could have taught me to let off the throttle when I am in the air, but the problem is common enough that it is worth a real fix.
If I regularly drove my car into walls I would demand a car that doesn't allow that. In fact because accidents happen fairly often car makers build crumple zones, and other such things so that I'm safe in the event of an accident. Microsoft should not have waited for sp2 to make the firewall default - by the time of win98 second edition it was clear this was needed.