Trustworthy Computing
Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust the unofficial patch for the Windows Metafile Vulnerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more Ethernet frames). Not really a whole lot of choice about this one."
As it says in the article, some people in the corporate world won't do it if the patch didn't come from MS. It's sad, really. If I had an exploitable machine around, I would trust their patch.
Plant a tree in a developing country.
What is the over/under for Microsoft getting a patch out for this?
If there is a time to deviate from their monthly patch cycle, this is it. The patch should have been out days ago, yet we are still waiting.
And Microsoft wonders why no one takes their security promises seriously.
Sometimes, I really start to think that security is so poor in commercial operating systems, because they want to use protection from all these exploits as the bait to get us into the "trusted computing" cage.
Trusted computing is a farce, because the one thing that *isn't* trusted, is the user.
The theory of relativity doesn't work right in Arkansas.
How many late nights, all-nighters, and missed holidays have you experienced, thanks to things like ILOVEYOU and Slammer? How many times have you had to clean up the mess created by Microsoft's shitty, insecure software?
Clearly Microsoft wasn't interested in calling people in over the holidays to whip up a patch for this critical vulnerability-- something that you could go in a couple hours early tomorrow and roll out to the PCs in your organization. They're going to let you suffer. And why should they care? They've already got the money of the company you work for. People are going to return from their holiday vacations tomorrow, load the wrong web page in IE, and get pwned. And you'll be left to clean up the mess. Again. Better pack an extra sandwich with your lunch tomorrow, because you probably won't be getting out at 5.
Windows has produced a datatype that allows people to place executable code into image files? How can they call themselves programmers? Seriously, whoever engineered the WMF format should be ashamed.
99 bottles of beer in 175 characte
Or is the original headline post for this thread written in gibberish enhanced by misappropriation of terms and conflation of concepts? How is trusting the unofficial patch conceptually related to "trustworthy computing", and why should packet spanning make it invulnerable to filtering?
Some drink at the fountain of knowledge. Others just gargle.
No flamebait intended, but that's a typical sensationalist misleading Slashdot headline. No one's advocating "trusted computing" or similar initiatives here; all they're saying is "here's an unofficial fix, and we'd like to recommend it even though it *is* unofficial, considering the seriousness of the vulnerability and also considering it was written by a reputable Windows expert, namely Ilfak Guilfanov (author of IDA Pro)".
And for that matter, there's no mention of "the Snort rules will hog your router's CPU", either - that's total rubbish, probably made up by the article submitter. And it slipped, too, since the Slashdot "editors" never care to actually edit stories before they publish them.
Shame on you, Hemos!
quidquid latine dictum sit altum videtur.
Of course they don't know what a DLL is. Windows has been marketed as a consumer OS; it was designed to be used by people without a clue. By default you can't even see the DLLs. People shouldn't need to have IT qualifications to use a computer; it should be secure enough for them to use it. What you are suggesting (to use a car metaphor and probably get flamed for it) is that people should need to strip and reassemble an engine to get a driver's licence.
..that if we all were running "trustworthy" computers, this problem would be much, much worse than it is now. Imagine that now instead of having a patch that's already been made by someone else while we sit and wait for Microsoft to get off their asses, we now have to wait on Microsoft, who still hasn't shown up.
Instead of having *some* machines patched, we'd have none. This late after the exploit has been released, and a zero-day attack has happened, we'd see no respite.
If you try to argue that Trustworthy computers wouldn't allow this to be exploited, what if the trustworthy component itself was exploited? As the Xbox and soon the Xbox 360 have shown, the more complex the hardware, the more complicated the bugs are. Microsoft's betting that the hardware complexity can outgrow the programmer's abilities to crack it, but if there's any truth in the world, it's that if it can be engineered, it can be destroyed. So imagine if this virus was actually signed by Microsoft through the exploit. How would this look for their company? How can you save face from a disaster like that?
No, trusted computers aren't the answer, just more secure computers, with better code. And the fact of the matter is, the more eyes that are on the code, the better it is, and that's why Open Source will always succeed. No amount of cryptography will help you if there's a hole in your crypto system.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
Think users are bad in the corporate sector? Wait until everyone gets back to the college dorms after winter break with their completely unpatched computers. And all the people who have new computers that they got over the holidays. It wouldn't matter if Microsoft had patched it last week, I guarantee that the student users who need it won't have it.
Speaking as a poor sap who has to fix these computers, I have one thing to say: "Thanks for the easy money". And a heads up to all you dorm technicians, get ready to start burning virus CDs.
Don't open e-mail from senders you don't recognize.
What would this accomplish? Since around 1999 or 2000, the vast majority of viruses and trojans have grabbed all the email addresses in someone's inbox, address book, etc. and sent themselves out using a random return address from this list. There is a good bet that any virus/trojan you get will have a known return address in it; however, it is just as good a bet that it will not be the address of the person infected.
Geeze, here it is 2006 and people still think that the return address in unsigned email means ANYTHING.
And if you are in a corporate setting and the Network Admin hasn't blocked IM, you've already got bigger problems to worry about.
It really seems sad that the norm is to block reasonable communication tools (I use IM almost exclusively for work related communication) simply because corporate America is infatuated with Microsoft despite the massive security headaches they cause.
Off topic, I'm really getting annoyed with Microsoft admins where I work constantly complaining about IE problems. I'm starting to ask these people how many times they had to put their hand on a hot stove when they were children before they decided it was a bad idea. Is pattern recognition a skill that we as a society just no longer have?
Finkployd
I wonder if anyone is going to be able to patch Win98 against this? There are still a lot of machines and this vulnerability could make them essentially useless and force an upgrade. While we would all love for them to upgrade to Linux or OS X it is more likely that they will shell out for WinXP and MS will benefit from a windfall of sales as a result of their inept programming. If someone produced a workable patch this would at least allow people to keep using their computers without pouring more money down the MS bottomless pit.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
In some DRM scenarios, the TPM chip is also used to prove to your software that the OS has not been modified. Unless you have the skills to hack that software, your bought and paid for TPM programs may refuse to work any longer.
;)
A much tougher case would be the "rely on others" programs where you have to prove to an external instance that your system has not been hacked. Take the "death to game cheaters" implementations as an example:
Want to fix your vulnerable Windows with a non-official patch?
World Of Warcraft II won't let you play anymore
I also don't believe this is temporary. Except in the sense that TPM might be (hopefully!) a colossal failure in the market. And considering the current vulnerability, this looks like more than a slight theoretical risk to me.
C - the footgun of programming languages
I work for a very small company, probably typical of thousands of other very small companies. Our company is too small to afford a full-time IT staff; I'm the entire IT department, and it's a very small part of my job. I'm the IT guru because I'm the only one there who knows a DLL from a dungheap.
I have formal training in computers, but so long ago that the field was still called EDP and time-sharing was a big deal. I've spent years learning what I know about Windows and Windows networks, in my spare time. It would take me years more to reach a similar level of expertise with a brand-new OS. And until I reached that level, we'd be more vulnerable than with Windows.
My company has about a dozen computers, including a single domain server with no backup server. We have about $60,000 invested in software (other than OS's) that will only run under Windows. We have no hardware to set up a test server, no money (or time) to spend on unsuccessful experiments.
The only person in our company who has ever used Linux is our 21-year-old secretary. We have one Unix machine, which I despise, because its desktop GUI is primitive and its command interface makes MS-DOS look well-designed and intuitive.
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined. If I hadn't automated them I wouldn't have time to do file backups some weeks. I have no time to spend trying to research the seventeen hundred different distros of Linux available, or whether Wine will support our COM+-dependent network applications--or whether the WMF exploit still applies if we run Windows applications on Linux.
We can't afford to have a regular support contract with a local computer-specialist firm. That's assuming we could even find someone in town we can trust--the overpriced morons who did our last batch of installations gave us a two-NIC server with only one NIC enabled (so no firewall), and set up user workstations with the Administrator password left blank!
I loathe Microsoft, and have since I first saw Windows 3.11. But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story here: researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included)?
I didn't choose Windows; I inherited it and have no resources to replace it. My company didn't really choose Windows; it was forced on us by the marketplace. Be realistic! My wife just bought an Apple, and the first thing she installed on it was the OS-X version of MS Office, necessary for compatibility with her company.
Maybe in another ten years Linux will be enough of a force that applications will be written for cross-compatibility, but little companies like mine can't wait that long. We have to use what we can, right now.
I figure by 2030 or so my 6-digit UID will be something to brag about.
it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames).
You *can* run 2 instances of snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth multi-layered approach? I'm taking the following steps:
1. unregister the ms pic and fax viewer dll
2. make WMF file extension default to an erroneous app like notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimeter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
Horns are really just a broken halo.
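Step 5 in the list above (block WMF files at the perimeter) and the submitter's claim that the exploit spans two or more Ethernet frames both come down to how a filter recognises a WMF. The following Python is an added illustration, not code from the thread or from any of the tools it names: it identifies a Windows Metafile by its header bytes rather than its file name (Windows renders WMF content regardless of extension, so an extension filter alone is weak), and shows why a per-packet check misses a header split across frames unless the stream is reassembled first. The sample file contents are constructed; the exploit's own record contents are not parsed here.

```python
import struct
from typing import Iterable

# Windows Metafile signatures (from the WMF format, not from the thread):
# placeable WMF header key 0x9AC6CDD7, stored little-endian on disk
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
# standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize (always 9),
# mtVersion (0x0100 or 0x0300)
STANDARD_HEADER = struct.Struct("<HHH")
MAX_PREFIX = 22  # placeable header is 22 bytes; enough to decide either way


def is_wmf(data: bytes) -> bool:
    """True if data starts with a standard or placeable WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < STANDARD_HEADER.size:
        return False
    mt_type, header_size, version = STANDARD_HEADER.unpack_from(data)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def blocked_by_extension(filename: str) -> bool:
    """Step 5 as a pure extension filter: catches only honestly named files."""
    return filename.lower().endswith(".wmf")


def blocked_by_content(filename: str, data: bytes) -> bool:
    """Same decision made on content, so a WMF renamed to .jpg is still caught."""
    return blocked_by_extension(filename) or is_wmf(data)


def per_packet_check(chunks: Iterable[bytes]) -> bool:
    """What a non-reassembling filter sees: each fragment judged on its own."""
    return any(is_wmf(chunk) for chunk in chunks)


def scan_stream(chunks: Iterable[bytes]) -> bool:
    """Reassemble the first MAX_PREFIX bytes from packet-sized chunks before
    judging; a header split across two frames is invisible otherwise."""
    prefix = b""
    for chunk in chunks:
        prefix += chunk
        if len(prefix) >= MAX_PREFIX:
            break
    return is_wmf(prefix[:MAX_PREFIX])


# Constructed samples: a minimal standard WMF header (disk metafile, version 3)
# padded with zeros, and the start of a JPEG for comparison.
SAMPLE_WMF = STANDARD_HEADER.pack(2, 9, 0x0300) + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 18

if __name__ == "__main__":
    frames = [SAMPLE_WMF[:3], SAMPLE_WMF[3:]]  # header split across two frames
    print("renamed WMF caught by content:", blocked_by_content("holiday.jpg", SAMPLE_WMF))
    print("per-packet check:", per_packet_check(frames), "reassembled:", scan_stream(frames))
```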
I rarely get to spend more than two or three hours a week on network maintenance, security monitoring, and research combined.
OK, so you're not a full-time IT guy. That's cool. But if you can't manage 12 machines and only $60K worth of vendor lock-in, then you absolutely, positively need some outside help. It's not an issue of whether you can afford it; at this point, I'd say you have to.
But what possible reason do I have for trusting the claims of Red Hat or Debian more? What research I can do is hardly reassuring. Remember Saturday's story [...]?
I did, but I don't think you did, because it was thoroughly debunked within the first 10 replies.
Let me put that another way. The article you're reading right now is full of stories about people going in on the holidays to patch their Windows systems. How many stories did you hear about Unix admins rushing in this weekend? All of last month? All of last year? So far this millennium? The latest unpatch{ed,able} Windows exploit is set to cause more work for the people who have to manage affected systems than the rest of us have had in the last five years.
But you can choose to believe whomever you want. As for me, I'm enjoying my four-day weekend and relaxing by reading about stuff that doesn't affect me. Hope your new year goes this well!
Dewey, what part of this looks like authorities should be involved?
I do not want a patch that is untested and could cause even more hell. You really think they could have created a patch, tested it well enough to be deployed on 200+ million machines connected to Windows Update, and not have any bad effects on other apps?
If you look at the patches released by others, they also say it might break applications, and you might have problems with it, etc. I do not think MS has that option while creating a patch.
Microsoft accepted there was a flaw, posted information about it, and told you about workarounds. If you want to be protected, just turn on DEP on all applications. Want to do it on multiple machines? Use scripts to edit boot.ini and add /NoExecute=OptOut to the options, and kick in a restart. At least that is a better thing to do than trust a random untested patch.
Q: Why do folks still use Windows?
Short answer: It easily runs everything I want it to. The Linux user experience is significantly worse than Windows.
When I had to pick an OS, I did research and picked one that I felt was secure enough for my needs. Windows didn't make my cut.
What are you doing to make Windows insecure? Downloading unmarked executables from newsgroups and executing them? Running Outlook and double-clicking on every attachment you receive? Running without a firewall?
Let me rephrase your quote:
When I had to pick an OS, I did research and picked one that I felt was compatible enough for my needs. Linux didn't make my cut.
The last time I tried Linux (and I have, I really have), it didn't support all my hardware out of the box. Hardware support should simply work instead of having to recompile my kernel 36 times trying to figure out the correct settings (there were none, I had unsupported hardware). How ancient is that? And then I hated the distribution wars - the infighting over which was the "best way" to do something - the way that distro X does things completely differently from distro Y to the extent that they're binary and logically incompatible to the detriment of the user - and you end up hating both distros as neither of them uses a solution that makes sense for the user.
Then there's the sheer hypocrisy of KDE - instead of supporting Microsoft, it's supporting Trolltech, but nobody seems to understand that ought to be just as much of an ethical problem. Trolltech are no better than Microsoft when it comes to trying to leverage a monopoly. The pond may be smaller, but if Linux ever takes off, Trolltech gets a free ride. Except that Linux will never take off while Trolltech are stunting commercial growth and charging $4000 per seat for commercial development licences - Microsoft couldn't have a more unlikely ally in suppressing Linux.
And as far as a free OS, I found FreeBSD to be significantly better than Linux as it's logically organized and the maintainers are mature adults compared to the screaming teenagers of the Linux world.
Although neither Linux nor FreeBSD runs the games or applications that I want to play. If they reliably (and with no messing around) ran the very latest games (e.g. World Of Warcraft), tax and financial software (e.g. Taxcut and MS Money) - with full support for my graphics card, sound card and printer - I'd take another look. I did once manage to get Unreal Tournament 2003 running under Linux (which was the game I was into at the time) with full 3D acceleration, but the sound was delayed about 2 seconds so it was unplayable.
But given that I no longer use my computer for the sole purpose of messing with my computer, I'm sick of that shit not working. 15 years ago it would have been a fun challenge to "stick it to the man" and "rebel" against Microsoft, but I no longer care. I want as little maintainability as possible - I simply want to be able to read email, yell at people on /., play games and do some serious stuff once in a while. So I run Windows XP on my desktop (instead of Linux or FreeBSD, although my other computer is an Apple Powerbook running OS X). I sit behind a hardware firewall, have autoupdates turned on, run a memory-resident virus scanner and antispyware scanner, use Firefox and Thunderbird - and I've never, ever had a security problem.
It doesn't look all that obsolete in Microsoft's documentation. CERT may think the function is obsolete, but that doesn't mean that apps no longer depend on it. Stuff breaks if you go ripping pieces out of an ABI. Somebody's critical business app might even depend on the function.
What you have said should be SOP for any fix on any large network. Even vendors can get it wrong, so testing is always important.
putting the 'B' in LGBTQ+