Microsoft Bypasses HOSTS File

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

Not a useful thing for MS to do

[mgv]

I would have thought that if you cant subvert the HOSTS file then all you have to do is to intercept any DNS lookup of these MS addresses and you would have the same effect.

If you are trying to stop MS software from talking to home, then just use an external firewall.

Michael

Re:Not a useful thing for MS to do

[Surt]

It turns out to be easier to subvert the hosts file than to intercept DNS lookup. There's a really easy way to replace the hosts file from an activex script. How you would subvert DNS from the same point of attack is unclear.

Re:Not a useful thing for MS to do

[whoever57]

What is there to stop a virus making edits to the dll binary? Changing the strings that presently correspond to the IP addresses of MS domains to some random, invalid address?

Re:Not a useful thing for MS to do

[StarkRG]

Hey... isn't activex a microsoft "technology"? Why not just fix activex?

Re:Not a useful thing for MS to do

[x0n]

>What is there to stop a virus making edits to the dll binary? Changing the strings that presently
>correspond to the IP addresses of MS domains to some random, invalid address?

Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.

Windows File Protection: http://support.microsoft.com/?kbid=222193

- Oisin

Re:Not a useful thing for MS to do

[Nasarius]

Except it's not very effective, is it? Is there anything stopping a system-level process (eg, malware) from grabbing the window handle and sending the appropriate keystrokes to dismiss the prompt? I haven't tested it myself, but I've used that technique successfully for the "unsigned driver" warnings. WFP lets you keep the unsigned driver/DLL with no further warnings if you press two buttons.

Re:Not a useful thing for MS to do

Funny, but if you modify the version in dllcache before you modify the version in system32, the modification takes and the box never comes up.

Re:Not a useful thing for MS to do

[x0n]

incorrect/fud. you modify the version in dllcache, nothing happens; then when you modify the system32 version, it checks the dllcache version, see it's corrupt (signature/checksum failed) and will prompt you for product cd.

Re:Not a useful thing for MS to do

[x0n]

Nothing is 100% foolproof, you know that. It is software-based after all: anything that is protected in software, can be subverted in software. Regardless of sending keystrokes etc for drivers, a properly secured windows box will have group policy set preventing installation of unsigned drivers.

Yes, when one is running as admin, the point is moot.

- Oisin

Re:Not a useful thing for MS to do

[Nasarius]

It is software-based after all: anything that is protected in software, can be subverted in software.

Not so. It is entirely up to the operating system to decide what 'root' (or Administrator) is, and entirely possible to permanently protect certain files. After all, the filesystem can only be accessed through the kernel.

I'm not saying Microsoft necessarily made a bad decision here; I'm just saying that 99% of the time, WPF doesn't do much.

Re:Not a useful thing for MS to do

[timeOday]

These ad-hock hacks, layer upon layer, are exactly what make Windows *MORE* difficult to use than Linux for an expert user.

Re:Not a useful thing for MS to do

[x0n]

Again, this depends on the context. Boot from your own CD (winpe, erd commander, knoppix, etc), you can do what you like: subvert software with software.

- Oisin

Re:Not a useful thing for MS to do

[Nasarius]

That's not subverting the software, though. That's removing the software, which does not and (usually) cannot do.

Re:Not a useful thing for MS to do

[x0n]

...and besides, where are you pulling this 99% from? what are the use cases in which this level of success is applicable? what is "success" in this context? Sounds to me like you're just coughing up random FUD. Please support your claims with evidence.

WPF is primarily about protecting the system against badly written installers that overwrite system DLLs with old versions: also known as DLL-hell. The same issues exist on *nix, different glibs, ncurses, blah blah etc. WPF is only a small cog in security picture.

- Oisin

Re:Not a useful thing for MS to do

[Nasarius]

Sorry, that should be "which malware does not..."

If you want to use "but you can boot from Knoppix/remove the hard drive, then reverse-engineer the executables and replace the code that does the signature checks and ..." as your standard, there's no point to having any security at all.

Re:Not a useful thing for MS to do

[x0n]

Yes, that is the logical conclusion of any "but then you can... and then.. and then..." type dissection of software protection mechanisms (and is why s/w DRM is doomed to fail). We could continue this exchange indefinitely, but where do you draw the line?

- Oisin

Re:Not a useful thing for MS to do

[Nasarius]

You claimed that WFP was useful and "more effective than tripwire". I pointed out that if malware is run at admin-level (which it would need to be to replace system files in the first place), it is utterly trivial to 'disable' WFP. So the only times you'll get a warning from WFP is when it's a benign patch or a particularly stupid virus. It requires no removal of the OS and no rebooting into Knoppix. I don't know why you brought that up.

Re:Not a useful thing for MS to do

[LordOfTheNoobs]

That is not a subversion of the software, as the software is not running. That is subverting the hardware to alter the software.

These seem like rather distinct things to me.

Re:Not a useful thing for MS to do

[slugstone]

And how is it better then tripwire? You say that just because tripwire's data is another location. This data would be in a read only file system. So how is the M$ mechanism better?

Re:Not a useful thing for MS to do

[gflammer]

Signature spam is not cool.

Re:Not a useful thing for MS to do

[Sir+Joltalot]

This is only as good as the signature scheme. If collisions can be easily found for the signatures then it's useless, and sometimes even having a known collision makes it useless: several attacks on MD5-based signature schemes do not require finding a collision, but simply use a widely-known MD5 collision. The KB article doesn't say what signature scheme is used, so it's impossible to know whether or not that's an issue.

The other problem I see is that there appears to be a single point of failure in the catalog of known-good signatures. If you can successfully attack that, you can change any protected file to whatever you like.

So the system is a stumbling block for those wishing to overwrite protected dlls, but if you really want to you can probably get around it.

Re:Not a useful thing for MS to do

[walt-sjc]

The same issues exist on *nix

Actually, they don't. *nix can have DEPENDANCY hell, needing certain versions of libs that are not there, but they don't share the same problem with Windows because the VERSION information is part of the filename. This means that you can have 534 versions of the same library installed and everything is still happy because apps will use whatever ver of the library that they need.

Windows just uses the SAME filenames for diverent versions (anyone remember the fiasco with MFC42.dll of which there were dozens of incompatible versions?

Re:Not a useful thing for MS to do

[Surt]

?

You can turn off signatures you know. As far as I know, my signature is not particularly spam related.

Re:Not a useful thing for MS to do

[Torne]

incorrect/fud. you modify the version in dllcache, nothing happens; then when you modify the system32 version, it checks the dllcache version, see it's corrupt (signature/checksum failed) and will prompt you for product cd.

I haven't tried doing that, but one thing that *definately* works (because it's how I replace uxtheme.dll) is to just delete the version in dllcache, then modify the one in system32. It will ask for the CD to replace it, you hit cancel, and it forgets all about it. The file will get reverted if updated by a service pack/hotfix, but nothing else will touch it.

Re:Not a useful thing for MS to do

[petermgreen]

umm activex isn't a scripting technology its a way to run full native code with basically no restrictions.

but anyway if you have the power to edit the hosts file you probablly have the power to write an exe to the filesystem and mod win.ini to start it. Once you've done that the exe can change the dns settings to point to itself and proxy any requests.

Re:Not a useful thing for MS to do

[x0n]

whether you can find a collision in the hashing algorithm that manages to match your nefarious code changes is irrelevant, since you will not be able to sign the hashcode with MS's private key -- this is the extra step that differentiates it from tripwire.

Is this necessarily a bad thing?

[BluhDeBluh]

It helps prevent Malware. Sure, MS might have a slim advantage, but it also prevents otherwise botted PCs from accessing MS Updates against things like Blaster. I don't see this as being such a big deal.

Re:Is this necessarily a bad thing?

[Morvandium]

I agree. In addition, as much as I may think they should include other sites on that list, those other sites do not play into what MicroSoft sees as the "integrity" of their product. They're not out to make sure that you can get the latest update of Apache or OpenOffice or whatever; they want to make sure that you can update Windows to the latest version (one that might actually stop the malware they're trying to protect from) or get to a place where you can ask MicroSoft a question (which they may or may not answer, and if they do, the answer to which may or may not be helpful), or, heaven forbid, get to a place where you can order a new MicroSoft product (probably because you haven't realized it will have similar flaws to your current and older MS products).

Re:Is this necessarily a bad thing?

[thmnetwork]

I agree totally, only core sites should be listed, those required to fix the malware, but I think what the author's point was, was that you only seee this advantage if you're using MS anti-spyware (which , because of stuff like this, I've always was an ethical contradiction) listing the top 10 (popularity-wise) or so anti-spyware/adware sites would be more useful, since the supposed advantage is to sort of bootstrap the system from a state of mass-infection

like I said, I've always had a problem with the conflict of interest created by a company making money off of a product that essientially just compensates for the failure in one of its other products....

Re:Is this necessarily a bad thing?

[jpatters]

What this is just replacing the hosts file with something more obscure, the malware writers will simply learn how to modify it to do what they want. Meanwhile, you will have a false sense of security.

Re:Is this necessarily a bad thing?

[NutscrapeSucks]

Actually, there's an anti-spyware available from Windows Update called "Malicous Software Removal Tool". I think it only targets the most common and popular types of hacks,

Re:Is this necessarily a bad thing?

[ScrewMaster]

Anyone with an Internet-connected Windows machine that feels any sense of security whatsoever is fooling himself, regardless of how Microsoft subverts the hosts file. Sooner or later, you'll get hit ... either a browser drive-by, a remote exploit, email payload or something you installed on purpose. Just a matter of time. Now, of course Microsoft tells us that Vista will be different. How much so remains to be seen, and only time will tell.

Re:Is this necessarily a bad thing?

[quarkscat]

Absolutely, yes, it is a bad thing.

Microsoft has:
        instituted not only License 6, but also "phone home" validation. At any time, MS may
        decide to shut down any business worldwide that uses their products, at their (or a
        malviolent government's) discretion;

        embraced and extended(tm) LDAP with kerberos authentication that is not industry-
        standard or cross-platform compatible;

        embraced and extended(tm) web browser standards that have made Internet and
        platform security a nightmare;

        implimented a software firewall (XP SP2) that doesn't actually control/restrict all
        incoming and outgoing packets, making the use of a third party (H/W?) firewall
        less redundant and more actually necessary;

        stripped nearly all OS improvements out of their upcoming flagship OS, excepting
        Digital Rights Restrictions -- which may also remotely disable or remove products
        and/or services which they choose to disallow for any reason.

Bypassing DNS and the hosts file on the OS platform is their "camel's nose under the
tent flap" for future modifications to the network stack, all in the name of their brand
of "security", which is (frankly) appalling. Given Microsoft's current product direction,
it is not outside the realm of possibility that the future average computer user's
experience will be some cross between a WebTV and an XBox.

Re:Is this necessarily a bad thing?

[thmnetwork]

what's your point? There's a commercial version, that's what I'm talking about. if they develop anything along those lines it should be free for all windows users without commercial intent beyond value-adding. anything beyond that is a conflict

Re:Is this necessarily a bad thing?

[sheepcentral]

Yes I think them building this in is a good thing, there is an extra (but slim) chance you can get an update even if your computer is being raped by viruses (not viri!!!), it hardly gives them an advantage for example I didn't even know about the hosts file until 5 minutes ago so would it have effected me? No. They should also built in the addresses of certain common anti virus programs and other general anti malware update sites.

Re:Is this necessarily a bad thing?

[houstonbofh]

The problem I have is that it's My PC! It is not Microsoft's (as much as they want to believe it) or Sony's or Star Forces, but Mine. I am sick to death of companies trying to protect me from ME and preventing me from using my devices as I want. Try and put a good Cisco WiFi card in the mini-pci slot of a HP, Compaq, or IBM laptop. "Unauthorized wireless network card detected. System halted..." Try using a car charger for any RAZR phone on a Verizon RAZR phone. "Unauthorized Charger." When you sell me something, IT'S MINE DAMNIT!

Sorry, I just had to vent...

Re:Is this necessarily a bad thing?

[Dare+nMc]

> as the "integrity" of their product.
I would assume that helps with product verification/activation. Without it would be simpler to mimic much of windows update with a localhost sever, and point back to your PC. With this in, you would probably need a second PC, and a external non microsoft based dns server.

I would more quiclkly give msft credit for protecting profit, than protecting from malware.

Re:Is this necessarily a bad thing?

[thmnetwork]

let me guess, you voted for bush right? mind being a little verbose on your point of view? I'll try to respond, but maybe your future replies should include exactly WHAT the counter point is besides "you're wrong, you're so wrong mr. man" It is an advantage to Microsoft Inc, that was my point, if you want to say I was saying something else then go ahead. like I said your response is a little lacking in content for my to refute (again that's a bushism) so I don't know where to go with this

Re:Is this necessarily a bad thing?

[thmnetwork]

which part? again you've fail to mention any sort of point, I'm inclined to believe you don't know what you're talking about...

Re:Is this necessarily a bad thing?

[DrSkwid]

> I didn't even know about the hosts file until 5 minutes ago

and already you feel qualified to comment

Re:Is this necessarily a bad thing?

[Omaze]

I totally empathize and agree with your point of view but, unless you have a plan to turn the entire American legal and political system on its head, you can't do anything to stop it. There hasn't been a single bill passed in the last 30 years which hasn't been resulted in further transfer of power from individuals to corporate interests while masking it behind some clever PR front.

Re:Is this necessarily a bad thing?

[thmnetwork]

I agree totally, it's getting to the point where private ownership amongst normals is more like just leasing the stuff from the company, the next version might require you to replace it if you break it

Re:Is this necessarily a bad thing?

[caffeination]

Yes it is. So far the only thing I've used my hosts file for is to block web ad servers such as googlesyndication.com. I'm guessing that now if I used a Microsoft operating system, I would be unable to block Microsoft adverts. Sound bad yet?

Re:Is this necessarily a bad thing?

[Amiasian]

It would be pretty cool if they built in exemptions for well-known Security Vendors, but suffice it to say, when has MS ever propped their competition?

Re:Is this necessarily a bad thing?

[severeon]

I agree, this could be used for good or evil (lol). If MS is using it to ensure that people are getting to the correct site when they say... try to goto microsoft.com, then it shouldnt be an issue. But this is /. and since MS did something, the whole community is gonna say things to the nature of "I hate bill gates, linux is better than windows!!"

Re:Is this necessarily a bad thing?

[Phillup]

The problem I have is that it's My PC!

No, the problem you have is that you are not running your OS on your PC.

Re:Is this necessarily a bad thing?

[W2k]

Try and put a good Cisco WiFi card in the mini-pci slot of a HP, Compaq, or IBM laptop. "Unauthorized wireless network card detected. System halted..."

What? I have a perfectly good Cisco WiFi card in the mini-PCI slot of my IBM laptop. It has always worked perfectly. Please elaborate.

Re:Is this necessarily a bad thing?

[Hex4def6]

He speaks the truth.

I have some older Thinkpads, and they all give a similar message, although I found a hack on the net that allowed one to bypass this restriction. You still get the message at bootup though, and have to press "ESC" to continue, which is a pain.

Re:Is this necessarily a bad thing?

[cammoblammo]

whole community is gonna say things to the nature of "I hate bill gates, linux is better than windows!!

Yes, because:

1. We do
2. It is.

That is all.

Re:Is this necessarily a bad thing?

[Pecisk]

Hmmmmm. No. Windows as OS is not Yours and never will be, according to EULA. Next thing to steam on?

There are some reaosns why some 5-6% of PC users decide to stick with Linux and BSD.

Re:Is this necessarily a bad thing?

[Escogido]

In a way, it is. This is a part of the price that you pay for these things actually existing, and existing for the prices you have them. When you get sold something it's yours as sold, not as you want it to do. If you don't like it, don't buy it, it's as simple as this.

Please realize that in order for the corporations to meet business targets, it is sometimes needed to cut off competition like that. If you had the right of getting every piece of equipment being compatible with everything else out there, then you might find yourself in a world where aforementioned pieces are delayed or don't exist at all, because selling these (and funding R&D in the first place) wouldn't be financially viable.

So this is a trade-off of sorts: you get a worse-compatibility item for better prices and better availiability. How much would that RAZR cost if you could use any charger you like? And would Verizon even bother?

Now, I'm not defending Microsoft in this particular case, since your post didn't either. I'm just trying to be fair to evil corps (gasp!). After all, there is still free market and if there is enough of likes of you who have a desire of "mine damnits", then there is demand and someone will surely fill the supply.

And if not... well then I guess there's a lot that I'd like myself to use, too, but does not exist/costs too much as well.

Re:Is this necessarily a bad thing?

[ncc74656]

Try and put a good Cisco WiFi card in the mini-pci slot of a HP, Compaq, or IBM laptop. "Unauthorized wireless network card detected. System halted..."

What? I have a perfectly good Cisco WiFi card in the mini-PCI slot of my IBM laptop. It has always worked perfectly. Please elaborate.

I tried swapping out the Broadcom-based WiFi NIC in my HP L2000 with an Atheros-based NIC I bought from an eBay seller. I wanted to get WiFi working under Linux, and neither ndiswrapper nor the native Broadcom driver work worth a damn. I have an Atheros-based CardBus NIC for my old notebook, and madwifi works well with it, so I figured madwifi would work with a MiniPCI NIC in the newer notebook.

With the Atheros NIC installed, the machine wouldn't even POST. With the Broadcom NIC (or no NIC) installed, it fires right up.

Now that I have CardBus working on the L2000, I can use the CardBus NIC in it under Linux and the built-in NIC under Windows, but I'd rather have one NIC that works with both.

Re:Is this necessarily a bad thing?

[Paradise+Pete]

I didn't even know about the hosts file until 5 minutes ago so would it have effected[sic] me? No.

I think he must have had you in mind when the Sony exec said "Most people I think don't even know what a rootkit is, so why should they care about it?"

Re:Is this necessarily a bad thing?

[jrockway]

> Try using a car charger for any RAZR phone on a Verizon RAZR phone. "Unauthorized Charger." When you sell me something, IT'S MINE DAMNIT!

The RAZR just uses mini-USB to charge... so how can it tell that the +5V on the other side is not authorized?

Re:Is this necessarily a bad thing?

[afidel]

Sooner or later, you'll get hit ... either a browser drive-by, a remote exploit, email payload or something you installed on purpose

Well I don't run IE, I have a harware firewall and the windows firewall enabled, don't run Outlook, and don't install "free" software with spyware/adware payloads. For that matter so does the rest of my extended family, including my grandparents, and so I don't have the calls that so many other tech people seem to get from their relatives. It's not THAT hard to avoid this stuff, most people are just ignorant and don't put in the effort to become educated.

Re:Is this necessarily a bad thing?

The parent has a good point.

Someone sees something, doesn't even know its purpose but observes a small effect of it and bam, we have the clever idea of blocking ads with hosts files.

Incompetence at work.

Re:Is this necessarily a bad thing?

[TCM]

A saying comes to mind: "Linux is for people who hate Windows. BSD is for people who love UNIX." :)

Re:Is this necessarily a bad thing?

[ScrewMaster]

Sure. I do the same thing. But like you said, most people (numbering, I might add, in the hundreds of millions worldwide) don't have a clue how to do that. And even if they did, odds are they'll still get hit. After all, no defense is perfect and people still make mistakes, and Windows doesn't do much to cover for them when they do. In any event, I'm not willing to let Microsoft off the hook because their customer base is ignorant of security procedures. That company quite deliberately and with malice aforethought mass-marketed a dangerously insecure product that should never have been connected the Internet to those millions, and then leveraged an illegal monopoly to make sure those same people had few usable alternatives. Microsoft needs to get hit for a billion dollars or so in restitution due Windows users that had their savings accounts raped by some Bulgarian keylogger installed because Microsoft couldn't be bothered with good design. Can't say they didn't have the resources. And if they did get whacked with some truly punitive fines, I bet we'd all be surprised at how fast Windows surpasses the BSDs in terms of security.

Re:Is this necessarily a bad thing?

[dabraun]

I somehow doubt that the mechanism for activating windows is that simple to spoof. It is pretty trivial to devise a public/private key system where no server without the private key can activate your machine.

Re:Is this necessarily a bad thing?

[monkeydo]

Since MS has no control over what names other vendors use for their update servers it would be counter-productive for those names to be treated specially in the DNS client. Should MS create a patch (including full regression testing and everything else) every time Trend|Mcafee|Symantec|FSecure changes the name of their update server?

Re:Is this necessarily a bad thing?

I would voluntarily not put a CISCO anything in my machine. The number 1 software problem where I work is failed CISCO VPN client installs/upgrades. If CISCO cannot write a network driver, then I would never trust a driver+hardware from them.

Re:Is this necessarily a bad thing?

[Hymer]

Just FYI : This is NOT a good place to say that you didn't know about that file... this file has been there for over a decade, together with SERVICES, NETWORKS and the MS specifc LMHOSTS. HOSTS, SERVICES and NETWORKS exist in all TCP/IP implementations (and I've seen quite a lot of them).

--

My first PC used the then brand new MS-DOS 2.11, so now you got a hint how old I am...

Re:Is this necessarily a bad thing?

[MECC]

Perhaps just as interesting is that the more they do this kind of thing, the more dysfunctional windows becomes. Their XP dns client also caches failed lookups, which is not in keeping with either the letter or the spirit of the RFC. At first, this doesn't seem like much. However, if you VPN into a network that makes use of private IP addresses, some lookups will initially fail, and the failed results get cached. The failed lookups take precedence over entries in the hosts file. So, when we had people VPNing in and failing to get to internal web sites, we were confounded by this devient behaviour. In the end a script had to be pushed out to laptops to flush the dns cache, so normal lookups would work again. Had their DNS client implementation just stuck to the specs, everything would have worked normally. This nonsense is as likely to backfire as it is to actually help them.

The moral of the story is that the more they tighten their grasp, the more functionality slips through their fingers.

Re:Is this necessarily a bad thing?

[houstonbofh]

http://www.google.com/search?hl=en&q=razr+%22Unaut horized+charger%22

Magic Pixies?

And to the other poster, since T-Mobile does not have this lock, guess who I want when my contract is up? Guess where my next laptop will come from? Guess who did not sell me a new car stereo, in spite of making a car cd-player that worked well for almost 15 years?

But I think too many people just go to wall mart and buy the cheapest thing that looks pretty. To heck with principled companies, we need more principled consumers!

Re:Is this necessarily a bad thing?

[jrockway]

Yeah, fuck Verizon. I have T-Mobile, and everything on my phone works great. Syncs to my mac, can send mp3 ringtones via bluetooth, pictures come off via bluetooth, internet works via bluetooth, etc. And T-mobile is cheaper!

Re:Is this necessarily a bad thing?

I have had similar issues in the past with different hardware manufacturers.

Odd that this behaviour seems to happen only on NIC cards. Never had a sound card, gfx card, router, etc etc have issues.

Re:Is this necessarily a bad thing?

[FKnight]

Try and put a good Cisco WiFi card in the mini-pci slot of a HP, Compaq, or IBM laptop. "Unauthorized wireless network card detected. System halted..."

That's bullshit. Come up with something else.

Re:Is this necessarily a bad thing?

[Stephen+Samuel]

I bought the OS, too. I may not own the copyright, but I did buy the copy.

Re:Is this necessarily a bad thing?

[MoFoQ]

free market, fine.
but there's a reason why they have "anti-competitive/anti-trust" laws on the books.

not to grill you but Verizon didn't make the phone...motorola did.
And not only that, "NOT buying" would be an option if this "feature" was disclosed before purchase. Not all corporations will disclose such "limitations" as they believe the consumer need not know (if they did, they wouldn't buy it). It's too bad they don't have laws on the books that really grill companies for anti-competitive "features" like "unauthorized accessory" blocks.

then again, I thought lexmark/HP/etc. lost a generic cartridge case, so there's precedence.

anyways....just grinding an axe out of my 2 pennies.

o...as for "funding R&D" and compatibility....well...that's why there's an ISO and other standards organizations. By defining a standard and adhering to it, one can reduce the cost of R&D and getting a particular product compatible with others. Of course, making it compatible and then adding a few minor "fixes" to limit compatibility is VERY anti-innovative and anti-competitive. Even stupid if the device you are making "incompatible" is your own device.

Re:Is this necessarily a bad thing?

embraced and extended(tm) LDAP with kerberos authentication that is not industry-standard or cross-platform compatible

What the hell are you babbling about? Download industry-standard Kerberos software for every platform in existence

If Kerberos isn't "industry-standard" or "cross-platform" enough for you, what is? RADIUS? Don't make me laugh...

So what?

[nametaken]

People should know by now, when you go MS, you don't buy the horse, you buy the farm. You wanna segment and pick and choose on the MS platform? Good luck.

Re:So what?

[Aaden42]

No, no... You just *license* the farm. MS still owns it. For a nominal fee, they'll let you step in the cow pies every second Tuesday.

Re:So what?

You mean lease the farm. Soon to be rent.

Re:So what?

[kfg]

On the way to serfdom via tenant farming.

KFG

Re:So what?

[nametaken]

Haha... point taken!

I've often noticed that products that address issues similar to ones address in MS software find themselves fighting an uphill battle. Take the suggestion in the original post... MS has an immediate competative advantage by leveraging a feature built into the OS that can ONLY benefit other MS products. We've seen the same thing happen in other markets too, of course. Not least of which was with IE.

Re:So what?

[node+3]

Are you sure? I'm not sure there's ever been a Windows PC that hasn't bought the farm. Frequently. Sometimes spectacularly.

Re:So what?

[fimbulvetr]

For a nominal fee, they'll let you step in the cow pies every second Tuesday.

Didn't they recently change that to the second Tuesday of the month?

Re:So what?

[angrykeyboarder]

I agree. It seems like people who love to hate Microsoft have found yet something else to get their panties in a knot over.

I really think it's much ado about nothing.

Not to mention, I just checked "C:\WINDOWS\system32\drivers\etc\hosts" and I don't find anything out of the ordinary in it...

---
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

---

Strange coincidence that I happen to be in Windows (XP Pro) when I came across this article. I'm usually in Linux (Debian Sid).

Ad blocking

[aembleton]

Microsoft could also be using this to prevent users from blocking MSN messenger ad servers.

Re:Ad blocking

[MT628496]

I don't really think so. The types of people who run adblocking software are usually more technically advanced. Chances are that they won't be going to things like msn.com anyway and if they have to go to windows update, they'll be going whether there are ads or not.

Doesn't the adblock firefox extension just not display the images from certain hosts? Programs that block ads by editing the hosts file remove things before they even get to adblock. I suppose that's the real reason that I don't really think so.

Re:Ad blocking

MSN Messenger is an IM program like ICQ, it is not MSN.com. You can't use Firefox Adblock to block it, since it does not run in a browser, it is a standalone app. The only ways I could think of blocking it are by using something like Privoxy, or setting the ad servers to resolve to 127.0.0.1 in your hosts file.

Re:Ad blocking

[justthinkit]

Can anyone think of a way to override the override? I'd install a patch that overrode MS's latest "trust me" hack.

Re:Ad blocking

[forgotten_my_nick]

why not just block them at the router level? or am I missing something obvious?

Re:Ad blocking

Yes. Hexedit the strings to contain two consecutive dots. (Not valid DNS names).

Re:Ad blocking

He really meant "to prevent users from installing some anti-messenger-ad hosts file" i think

Re:Ad blocking

[eklitzke]

This isn't at all about MSN.com, it's about blocking ads in MSN messenger. MSN messenger fetches the ads from a Microsoft server. A common way to block ads is to set your hosts file to resolve the ads to your local host. Of course you can use a program like Filterset.G to block ads in FF, but how would you propose to block Microsoft ads in other programs? See the Wikipedia article for more information: http://en.wikipedia.org/wiki/HOSTS#Ad_filtering

Re:Ad blocking

[dwater]

Wouldn't using GAIM instead work?

Re:Ad blocking

[prichardson]

Well, for me, I don't have a router than can do that. I don't think I should have to have a router that can do that. I shouldn't have to fight with my computer.

Everyday I get happier and happier than I don't have Windows.

Re:Ad blocking

[pembo13]

Trust me, the average Windows user is more than accustom with fighting their computer.

Re:Ad blocking

[alibash]

... or their growing hoard of other "ad supported" software/services, or the rumored "ad supported Windows." Wouldn't it be silly if you disable the ads in your free Windows OS if you could just add a "127.0.0.1 ads.microsoft.com" line to the hosts file? =P

Re:Ad blocking

[devilspgd]

Gaim might be more useful...

http://gaim.sourceforge.net/faq.php#q1

Re:Ad blocking

[devilspgd]

I'm sure Microsoft would never think to check that ads.microsoft.com was reachable, and that ads were being served before allowing an advertising based copy of Windows to run.

Re:Ad blocking

[aembleton]

He really meant "to prevent users from installing some anti-messenger-ad hosts file" i think

That is correct. You can set up your hosts file so that your computer doesn't access ad servers, but instead goes after 127.0.0.1. By doing this, you don't have to suffer from any advertisements in any program that downloads them from an ad server. This covers all Windows programs including FireFox, IE, Opera and MSN.

Permissions?

[tomstdenis]

tom@localhost ~ $ ls -l /etc/hosts
-rw-r--r-- 1 root root 519 Oct 19 12:13 /etc/hosts

....

Why can't windows just make the host files read only.

Re:Permissions?

[mikerm19]

Because that isn't the problem. Windows is plain out ignoring the hosts file on some domains, even if it's read only. It would be the same thing as the Linux version of Firefox ignoring /etc/hosts too, regardless of permissions.

Re:Permissions?

[banaanimies]

If we ban writing to host files, only criminals will write to host files.

Re:Permissions?

[tomstdenis]

Yes, but the motivation to ignore the hosts file is because of viruses that could overwrite it.

So ... if a user level virus couldn't write to the host file ...

Think about it.

Tom

Re:Permissions?

[v1]

Windows security is as effective as a screen door on a submarine.

It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such windows security. A back-and-forth battle like that could easily go on for months if not years. In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows. It's no wonder it's next to impossible to get it to work the way you want it to.

When you are designing security, the sad truth of it is, the user is the enemy. There's no nicer way to look at it. So it takes a great deal of care to design a security system that can withstand the assult of a user while at the same time being functional and serving the user. It's too late for windows to make those design considerations. They have errored on the side of functionality and sacrificed the security of the system. There is no fixing that.

Re:Permissions?

Um, just like *Nix, it is read only for everyone but the administrator. As you can see from your little post, root can still change the file.

The problem lies in that it almost everyone runs Windows as an administrator. I do. Unlike most Linux distros, you don't get prompted for the root password when trying to do something that requires root privledges. In Linux it's also easier to su or sudo to run stuff as root. Where Windows' "Run As" is not intuitive to the end user, well maybe as intuitive as su or sudo from the command line in Linux. But unless you know it's there, which almost every end user does not, you never use it. You also can't run an explorer.exe as a different user to have file managment as an Administrator.

Re:Permissions?

[dioscaido]

Uhm they do. The hosts file has the exact same privileges as what you list (Administrator full access, Read-only for everyone else). The wrinkle in that is that almost everyone runs as Administrator. Very dumb.

Re:Permissions?

[thmnetwork]

well yes but there are a whole host of legit reasons admin's might write to the hosts file, or for apps to do that. The point to MS (at least publicly) is apparently that there are some sites which never should be remapped in HOSTS, and since they can't make exceptions for a million different TLD's, slowing everything down even more, only the "most important ones" get to be made exceptions, and it's just a really weird coincidence that they're all microsoft sites, none fo the competition are given this protection.

Re:Permissions?

[Teancum]

Of course this is also following the assumption that the administrator of the systems you are talking about are also not the users who are on the computer systems.

The whole admin/user philosophy is based on the religion called the "High Priesthood of the Computer Temple", where you have to make special requests to a special unique class of individuals who control computer resources.

As for PC operating systems, in particular Microsoft OS platforms, they were designed for independent system operations where the primary user was considered not only the "user" but also the "administrator". While in practice that may seem silly in a corporate environment (leading to fights between the ancient priests and the jonny come lately PC users), it is a fact of life.

I understand where you are coming from in this post, but it really is the result of the clash of two cultures, and Microsoft pretending that it is supporting one culture when its roots are firmly established in the other. And why security flaws like this abound.

Re:Permissions?

[secolactico]

So ... if a user level virus couldn't write to the host file ...

Which leads us back to the primordial Windows security problem: users running with admin priviledges.

In the example you provided in the previous post, /etc/hosts is writable only by root. If user runs as root all the time, then it's back to square one.

As far as I know Windows host file is only writable by Administrator level (dunno, I don't have a Windows machine with me right now). Is it otherwise?

Re:Permissions?

[NutscrapeSucks]

In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows. It's no wonder it's next to impossible to get it to work the way you want it to.

In Unix, "root process can change the hosts file" would be rejected as NOTABUG, and the user would be told to use better security practices.

In Windows where Microsoft is in the awkward position of trying to protect the system against administrative users. For years they said the same thing, but the cold reality of millions of trojaned systems slapped them in the face and forced them to do the "wrong" thing.

I'm sure they're not stupid, it's an unwinnable game until people use good security practices. But the shortterm cost/benefit is there -- by mucking with the IP stack, they can maybe break some stupid trojans and get a few million people to clean up their systems? It's ugly but maybe it works.

Re:Permissions?

Before you speak, learn what you're talking about. A user level virus can't overwrite or modify the hosts file. The problem is everyone runs Windows as an Administrator, not a user. Even root can change the hosts file on Linux so if a virus ever was written for Linux that overwrote that hosts file and you were running as root, you'd be just as screwed as a Windows user.

Re:Permissions?

[1u3hr]

So ... if a user level virus couldn't write to the host file ...

The next generation will patch dnsapi.dll.

Re:Permissions?

[saleenS281]

funny, I see write access by root there. And last I checked, when malware *owns* windows, it's local root, which means the permissions you speak of would amount to absolutely nothing... And btw, you can make it read only to normal users, but again, this would accomplish nothing.

Re:Permissions?

[Homology]

So ... if a user level virus couldn't write to the host file ...

Think about it.

Dear Tom,
this is Slashdot and the term "think" does not apply.

Re:Permissions?

[SideshowBob]

Modern Unix-like systems (Linux, *BSD, Mac OS X) use a hybrid model, where the user is asked to authenticate before a potentially dangerous action is completed. This is not coincidentally the model MS seems to want to follow for future versions of Windows.

It's been hashed over several times before on /., maybe do a search.

Re:Permissions?

[fermion]

So why does the host file have to live in userland, or why can't the computer prompt for the user to verify identiy when certain dangerous operations are about to occur.

By MS doing this Host file management, they are admitting that most users don't use or know the host files, and the most probable reason for host file change, expecailly as it relates to MS, is an attack.

I should, in my user account have a wide variety of leeway. If I mess up, I or my qualified agent should be able to go to an admin account and troubleshoot. This measn that as long as I am running XP as a user, that should not mess up the admin host file.

When I think about this it seems that this seem like guns for airline pilots. We really don't want guns on board an aircraft. The proper fix is to make the cockpit an extremely secure location so that pilots can do thier job, which is not battle terrorists, but fly the plane. It has been shown that as long as a pilot is in control, and given certain leeway, the pilot has a good chance of halting dangerous activity with minimal danger. But simply securing the cockpit is not sexy enough and does not satisfy the ulterior motvies, so we find this other silly thing that does not help much, but does promote secondary goals.

Re:Permissions?

You also can't run an explorer.exe as a different user to have file managment as an Administrator.

Yes, you can. Before doing so, however, you must log into each user separately and enable the "Launch folder windows in a separate process" option (Tools, Folder Options, View tab). Otherwise, it attempts to reuse the existing process which obviously isn't running as the correct user.

Re:Permissions?

[Foolhardy]

On Windows Server 2003 SP1:

C:\WINNT\system32\drivers\etc\hosts
BUILTIN\Users :R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Normal and power users get read, Administrators and SYSTEM get full control, all inherited from the drivers directory.

You're absolutely right about the root problem as running everything as admin. Almost all the malware that I've seen fails miserably unless run as admin, and that which does run can't infect the entire system. I guess the users that know enough to run as a normal user are the same ones that avoid that crap in the first place.

Re:Permissions?

Every time I've tried this, it doesn't work.

Re:Permissions?

[DrSkwid]

> In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows.

You might want to look into the history of root before deciding that only on Windows was multi-user added on later.

Root is a design fault, it is not even necessary.

Re:Permissions?

[Omaze]

> The problem is everyone runs Windows as an Administrator, not a user.

Only because people always need admin priveleges at the most inopportune times. Sure, you only need to be Admin for 2 seconds, but if you're doing anything technical with the system, you need them every 5-10 minutes. In these situations Run As is at best, cumbersome, and in many cases outright incapable.

If Windows wanted to be truly innovative there would be a way to supply an Admin password, temporarily upgrade privs to Admin, and then have a button available to immediately downgrade.

I'd like the IP on that idea since it'll be central to making a GUI OS both secure and functional.

Re:Permissions?

NTFS, SAM, and HAL were designed from the beginning to have "Better security than UNIX" and, in fact, did very well in implementing security.

Microsoft went out and found the best and brightest programmers they could to create an incredibly robust and reliable base for the operating system to work on. ...question is, why build a titanium-and-concrete foundation, then build a house out of matchsticks on top of it? That's where all the bugs appear. I've yet to see a single patch from MS that corrects an error in the foundation of windows... all the bugs are in the user portion of the OS.

Re:Permissions?

[Schraegstrichpunkt]

I'm sure they're not stupid,

Upon what basis do you rest this assumption?

Re:Permissions?

[Nasarius]

It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such windows security.

Yeah. Off the top of my head, malware could install a TDI or NDIS Intermediate Mode driver, either of which can be used to filter and block packets. There are helpful examples right in the Windows DDK.

Re:Permissions?

[ultranova]

When you are designing security, the sad truth of it is, the user is the enemy.

Hmm... No. This is only true if you're designing DRM. In that, the users of the computer are enemies. In Unix, on the other hand, the user should be protected from possible errors of other users, since Unix was designed to be a multi-user OS and the possibility of someone screwing up badly increase linearly as the number of users goes up.

When you are designing Unix-like environments, the meaning of "security" is "it protects my private area from being messed up by other people" - a bit like the lock on your front door. When you're designing DRM, only then is the meaning of "security" "keep the user in his allowed area" - a bit like the lock on a prison cell door.

So, when you are designing computer security, you are treating users like VIPs that need to be protected and who may be potentially hostile to each other. The purpose of security is to protect them, not against them - unless we're talking about DRM, in which case your statement is correct.

Re:Permissions?

[firewrought]

this is Slashdot and the term "think" does not apply

Mods: this type of humor used to be a little bit funny, but it's gone stale. Let's make slashdot a better place by steering mod points away from formulaic humor and towards posts that are unique or informative.

Re:Permissions?

[masdog]

Microsoft is caught in an awkward position, but it isn't defending the computer from administrative users. Well...not entirely, anyway.

As another poster mentioned, Microsoft did a good job building a solid security foundation for the Windows NT line. They even attempted to implement a unix-style user system where program settings would be stored in each users Application Data file. Unfortunately, some programmers didn't get the memos about that, and either through lazy coding practices or some other reason, decided that all program data should be in an area where only administrators could access it, thus necessitating all users running as administrator to run this software.

Re:Permissions?

[NutscrapeSucks]

I think the line is "They might be dumb, but they ain't stupid". Meaning MS isn't thinking "Doy, wotsa permission?" like some folks seem to be implying.

Re:Permissions?

[jb.hl.com]

I'm sure it's lovely for you to be able to sit and say that Microsoft are complete retards, but truth is that for a company whose No. 1 business is making and selling software (or at the very least licenses to use that software) I'd expect them to have some pretty smart individuals working for them.

Re:Permissions?

[spongman]

C:\>cacls c:\windows\system32\drivers\etc\hosts
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
They do... You're forgetting: most people like to run their malware as root...

Re:Permissions?

[jb.hl.com]

Hmm... No. This is only true if you're designing DRM.

Wrong. If the user is going to do something stupid, which a lot of the time they are, then they are technically the enemy. This whole discussion has nothing to do with DRM and everything to do with stopping a user from doing stupid things to compromise their own security.

Re:Permissions?

[spongman]

this is what they're doing for Vista. With Vista's PAE all users in the 'BUILTIN\Administrators' group (except the real Administrator user) are given a split security token. the user runs as non-privileged most of the time, and doesn't have write access to system directories, HKLM, etc... however, when a process requests elevated permissions (via a key in the its manifest) a dialog is shown to the user requesting confirmation of the elevation.

Re:Permissions?

[seann]

chflags schg file

http://www.osxfaq.com/Tutorials/LearningCenter/Adv ancedUnix/ugp2/page2.ws

How nice that would be.

Re:Permissions?

[Alioth]

In the single user, single tasking non-networked PC world of the 1980s, the idea of the user always being the administrator was fine and not harmless. However, you can't take this model into the networked multi-user world and expect it to work. If Microsoft expects its software to work in the networked world, they must drop their single user single tasking philosophy.

Re:Permissions?

[TheRealMindChild]

You do know that The NT line of Windows IS NOT the same as Win9x, right? Security works fine. It is the design of applications that is flawed.

Re:Permissions?

These applications that are flawed, they'd be the GUI, ActiveX, IE right?

Re:Permissions?

[Tim+C]

The hosts file is read-only to normal users on Windows; only members of the Administrators group have write access. That's pretty-much the same as it is on Linux.

The problem is that the vast majority of (home) Windows users run with an admin account, and so (almost) the entire drive is writable.

Re:Permissions?

Windows security is as effective as a screen door on a submarine.

I'd say it's more like a safe with the combination set to 0-0-0. Modern Windows has an excellent security system, but is configured such that security is almost completely disabled.

Well, then there are the platform apps, such as IE... But those are only really fatal because the OS security is switched off.

Re:Permissions?

[TheRealMindChild]

That is a good example, but I wan't specifically thinking of that setup. The problem is, said ActiveX control, at WORST, will run at the level of the user running it. If said user has the ability to say... install Explorer hooks, well then, I would say that justify my statement.

Re:Permissions?

[Digi-John]

You're a Plan 9 fan, aren't you? :-)

Re:Permissions?

Dear firewrought

you need to realize that (/. being /.) the truly informative posts in a given story are vanishingly small percentage. By all means, do mod up the few lost souls that waste their lifes posting informative things for the thundering herd to blissfully ignore them. But once they are up to +5 what are the rest of us going to do with mod points? (yes, I know -1 Offtopic for this post and its parent is one possible use)

Re:Permissions?

[sqlrob]

SAM was designed from the beginning to be secure? You can get passwords out of older versions pretty quickly. Trying to remember the same of the program, IIRC it was from @stake.

Re:Permissions?

[drsmithy]

Why can't windows just make the host files read only.

It can, and does.

Re:Permissions?

[drsmithy]

Only because people always need admin priveleges at the most inopportune times. Sure, you only need to be Admin for 2 seconds, but if you're doing anything technical with the system, you need them every 5-10 minutes. In these situations Run As is at best, cumbersome, and in many cases outright incapable.

What on Earth are you doing that needs Administrator privileges every "5 - 10 minutes" ?

And if you really *do* need it that often, why aren't you just keeping an Administrator-level cmd or explorer window open from which you can launch things at will ?

If Windows wanted to be truly innovative there would be a way to supply an Admin password, temporarily upgrade privs to Admin, and then have a button available to immediately downgrade.

Which is, uh, basically what Run As does.

I'd like the IP on that idea since it'll be central to making a GUI OS both secure and functional.

Ignoring that there's massive amounts of prior art, it won't have much effect on security, because people would just run as Admin all the time anyway and never hit the button to "downgrade" their rights again.

Re:Permissions?

[drsmithy]

In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows.

False on both counts.

Re:Permissions?

I for one welcome our new formulaic overlords.

Re:Permissions?

[sploxx]

Are you sure that the first versions of UNIX were designed with security in mind? Do you have references that support your claim?

Anyway, I think Windows someday can and will get more secure, it just needs time... The path microsoft seems to go is to shift the problem into hardware by endorsing TCPA. This way, it would also be possible to get rid of a few annoying competitors...

Re:Permissions?

[Herby+Sagues]

As if you couldn't do that in most Unix releases from 1990... SAM is a technology that hasn't aged well, but fifteen years ago when it was released it was pretty decent.

Re:Permissions?

[Herby+Sagues]

It's the ones that require admin privileges to work. If it weren't for those, most users would be running as normal user, and most (but not all) vulnerabilities would be mitigated. I'm amazed when I see stuff like financial management apps that require admin privileges. There's no excuse for that.

Re:Permissions?

[TCM]

There are helpful examples right in the Windows DDK.

I can already see it: Microsoft is removing documentation to protect users.

Re:Permissions?

[sqlrob]

Definitely hasn't aged well. The program I'm thinking of is from 95 or 96, so it lasted less than 5 years.

Re:Permissions?

[Q2Serpent]

The intelligence of the corporation itself, Microsoft, may not necessarilly correlate to the intelligence of the individual employees...

Said another way, a group of smart people doesn't guarantee a company or a product that is safe, secure, or even considered something that intelligent people should have been able to produce.

Re:Permissions?

[Omaze]

Are you trolls still following me?

Don't blame me if all you ever do with your system is play games and browse the web. There's a reason why many of us throw up our hands and give our primary Windows account superuser and Admin privs... and it's because there are too many niches and corners which Run As doesn't cover completely. Go ahead, tell me you've never run into any of them and you'll demonstrate one of two things: either you're a Windows weenie who's spent time/money in MS training and knows how to set everything up perfectly or you're a newb who never needs Admin privs anyway. If you're a Windows weenie, well then, more power to you. It'd be nice if there were an introductory level set of HOWTOs for Windows that'd be anywhere near as comprehensive as tldp.org. If Windows were a command-line centric OS then, yes, we'd all have Admin command prompts open but... hey dumbass... Windows is a GUI OS.

Re:Permissions?

[drsmithy]

Are you trolls still following me?

No. That's just your regularly-scheduled paranoia attack.

There's a reason why many of us throw up our hands and give our primary Windows account superuser and Admin privs... and it's because there are too many niches and corners which Run As doesn't cover completely.

So list a few. If there's that many, coming up with, say, a dozen or so should be a piece of cake. Do try to leave out scenarios that are obviously deliberately manufactured and multiple examples of the same problem with different descriptions.

Go ahead, tell me you've never run into any of them and you'll demonstrate one of two things: either you're a Windows weenie who's spent time/money in MS training and knows how to set everything up perfectly or you're a newb who never needs Admin privs anyway.

I've been running NT from a regular user account since the beginning of 1996 and since then I've bumped into a few things that don't work 100% with Run As. Particularly back in the 1996 - 1999 timeframe. However, I certainly can't remember any time _recently_ I've seen something that doesn't work as expected with Run As.

And I've never had a day of Microsoft training in my life.

If Windows were a command-line centric OS then, yes, we'd all have Admin command prompts open but... hey dumbass... Windows is a GUI OS.

Your ad-hominem (unsurprisingly) hasn't explained what stops you keeping an Administrator level cmd prompt or Explorer window open.

Re:Permissions?

[Omaze]

Okay twat-noggin... Look, there's this thing called "some assembly required", and there's also a matter of $200. When I use Linux, I expect to tweak around with it because it didn't cost $200 and there's an implied "some assembly required". When I use Windows I plunked down $200 for it and it should Just Work. I shouldn't have to dick around with Run As, or worry about drive-by installs that are my fault because I forgot some obscure security setting someplace. That's why I paid $200 for it.

And no, I can't list any of the situations off the top of my head because I don't keep track of them on a notepad. Are you paying me to be a beta tester? Maybe MS should start paying US, the users, to use their POS OS because yes, we are being used as free beta testers and your mentality proves it. There's a reason why many small companies default to giving the users superuser/admin privs... and it's because they're sick and tired of the help desk getting 100 calls/day about "how come I can't do this or that or the other" or "I tried Run As but it still didn't work". Don't try to bullshit me when the clear evidence is in corporate offices across the nation.

I don't know what it is in you that makes you have this seething desire to tear into anything I post but it's getting old... and yes, it may be ad hominem, but you're really coming off as a tweedle dick.

Re:Permissions?

[Z00L00K]

Which leads us to the second problem:

Windows lacks sufficient possibilities to allow a user to execute different applications with diffferent privileges in an easy way. (there are a few third-party tools that can drop your rights).

Some applications need more rights than other. A few varies from time to time what they need. If the web browser were to be executed in a hidden sandbox then it would be a lot easier to catch malicious effects. Every start of the web browser would mean a new sandbox, which will put a definitive end to cross-contamination.

Of course - by using a quarantine folder it should still be possible to download files.

Re:Permissions?

[walt-sjc]

Windows someday can and will get more secure, it just needs time

CAN it be more secure? Will it? How MUCH time?

Hell, even the minor changes in SP2 caused a major uproar. The probelm MS has is that they need to retain compatability for 99.9% of the stuff or users will rebel.

IMHO, MS needs to RADICALlY change how apps install and run, interact with DLL's, how drivers work, etc. in order to get a handle on the problem. This will most likely break EVERYTHING. TCPA is a DRM solution and not a security solution. MS already has the ability to only allow digitally signed apps / drivers to run, but they don't do so for obvious good reasons.

MS needs to change it's mindset. For example: if you want to install an extension in Firefox, it first asks, if it is not signed, it warns, and then finally allows you to manually allow the extension to be installed. Compare this to IE which allows installing of a "helper object" with no user knowledge or intervention at all. Why did they do this in the first place? Why does IE STILL work this way TODAY?

Re:Permissions?

Modded down, yet again, I see!

And, for what? Telling it how it is, vs. the b.s. that was spouted above by the user I was replying to by v1 (525388) on Sunday April 16, @12:27PM (#15138378) here:

http://yro.slashdot.org/comments.pl?sid=183258&cid =15138378

Typical slashdot moderation - if you correct "Pro-Linux/Pro-UNIX" b.s. & technical or historical inaccuracies here, and show it is in favor of Microsoft products, the moderators @ slashdot mod you down for it.

(Who do you people who do the moderating here think you are fooling? The noobs perhaps?? All so they choose Linux or UNIX rather than Windows via your machinations???)

Nope... I don't think it'll work boys!

(@ least not with those noobs with sense enough to see what is out there & used the most machine for machine from home or work laptops/desktops-workstations, thru midranges departmental servers @ work, up thru enterprise class servers @ work, @ the top most levels (& thus, provides them with a greater surface area for employment/survival & that's Windows NT-based OS))

* :)

APK

P.S.=> LOL, the HILARIOUS part here? Is how you modded up the post I was replying to as a 5, Insightful, when it was chockfull of historical inaccuracy AS WELL AS TECHNICAL INACCURACIES! Amazing - Slashdot: The home of the pro-linux/unix moderator, even when the information in modded-up, bootlicking of Unix/Linux posts is PURE F.U.D. and inaccurate... apk

Re:Permissions?

[stinky+wizzleteats]

And btw, you can make it read only to normal users, but again, this would accomplish nothing.

Horse shit.

The idea would be that one would not USE the system as root. You can do that on a *nix box. If you get malwared while logged in as bob, the malware can't get access to the hosts file.

That's the way security is thought of in a system designed with security in mind from the beginning.

Re:Permissions?

Microsoft security is fine. The problem is 3rd parties that make software that can only run in admin mode so users only use the administrator account. ActiveX I belive also uses the users permissions. If you are running under a standard user account it can't do admin stuff, it will behave.

This is a software design issue and is a result of a billion legacy programs and software companies that continue to design software that sticks stuff into admin only areas.

Re:Permissions?

You started out really good! You had a point to be made and did your very best to make it. Replies were reasonably diplomatic although you didn't agree with them which makes /. great.

Of course at that point you slithered down to the dumbass remark -- which was ..ok.. at best. But the twat-noggin bit? Some much for your credibility.

Personally I'd recommend logging off that Administrator account and checking into an anger management program, or at the very least check out "How to win friends and influence people" from your local library (oh yeah, and glance through it.. don't *just* check it out)

Re:Permissions?

[Malc]

You're not very familiar with Windows are you? Security was designed in from the beginning with the current crop of OSes available from Microsoft. The security model is quite powerful and flexible. How the security system is used is a different story. You try running your UNIX systems as root and see how vulnerable it is. Please stop spreading FUD and try to understand what it is you're attempting to discuss as if you were an expert.

Re:Permissions?

Windows security is as effective as a screen door on a submarine.

I take exception to that statement. a Screen door at least restricts the low of water into the submarine because of t he screening material.

windows does nothing to restrict the flow into the machine. in fact it seems that it attracts it and acts more like a sump-pump trying to fill your machine as fast as it can from the cesspool.

poorly written software by wannabe hacks are why windows users can not run as a regular user. EVERY application that requires admin rights is a clear sign it was written by someone that knows nothing about programming at all.

Re:Permissions?

[Mancat]

What you're looking for is "Runas" It's available as both a context menu command (hold shift and right-click on a shortcut, control panel applet, etc.) or a command line utility for use in scripts or shortcuts.

You can create user accounts or groups with finely-tuned capabilities and permissions with gpedit.msc (Group Policy Editor), then run the application with that user's credentials using Runas.

Re:Permissions?

Please stop spreading FUD and try to understand what it is you're attempting to discuss as if you were an expert.

Well, that makes two of us.

Re:Permissions?

[Blakey+Rat]

Ok, enough other people have debunked your other points so I won't go into detail here, but:

1) Unix was not originally designed with security in mind.
2) The Windows NT kernel, used by all current Microsoft OSes, was.

(Not that this implies that NT is currently more secure than Unix, or that Mac OS, another OS that had no conception of security whatsoever until 2001, is less secure than NT.)

But the real problem is that the "SECURITY OMG!" crowd here in Slashdot completely and utterly misses the point. When you say "security" what you mean is two things:

1) The average user/program can't muck around in the system files and break things.
2) A user can't muck around in another user's files and destroy data.

But what you're missing is the most important part of security:

3) A malware program (regardless of how it is installed, whether via trojan horse, social engineering, or a security flaw in some client program) can destroy a user's data.

NO OS has any type of protection against number 3 whatsoever right now, and it's a shame because while the OS might be worth $300 (the cost of an off-the-shelf Windows XP Pro install), the data in the user's directory is, in the vast majority of cases, worth several times that. I can attest that all my financial records are worth a heck of a lot more than my CD of Windows on the shelf.

In addition, the OS is easy to reinstall. If my files are lost, they're gone forever. (Now, I backup, but the computer industry needs to figure out once and for all that 99% of users *do not* back up files and act accordingly.)

What I'd like to see is a CVS-like feature built-into the filesystem so that if some malware *did* delete my files, I could "revert disk to yesterday" or some-such feature and get everything back. THAT would be TRUE SECURITY as far as I'm concerned... and yet where is it? Microsoft doesn't have it, Mac OS doesn't have it, Linux doesn't have it. Who gives a crap about my easily-replaced system files? Give me my data back!

Re:Permissions?

[yfarren]

Too bad you just published it (the IP) in an online Journal. Makes it Prior Art. And (to you) unpatentable. Now, unless somone has already had the Idea and is working on implementing it (in the US, where date of inventionis what is important) or has already filed a provisional patent (in the rest of the world, where date of file is what is key) the idea is unpatetable.

Re:Permissions?

[yfarren]

Of Course, a particular IMPLEMENTATION of the idea, might still be patentable. Like doing it using a particular API....

Re:Permissions?

[JimmytheGeek]

There are some very smart people at Microsoft. They generally will be found in marketing. Also - in large groups everywhere, the group intellegence will not reflect the average of its members.

I found the atmosphere there somewhat reminiscent of "Stepford Wives" (original version - haven't seen the remake). Lot's of people...missing something. Lots of pseudo geeks doing what they read was idiosyncratic geek behavior. Lots of people proclaiming passion for that which absolutely can not sustain passion. Hint: if you can turn on passion on cue, it ain't actually passion. Another hint: "overachiever" is a label that is exclusively for external use - it is damn near an error in grammar to apply it to yourself.

Re:Permissions?

[jb.hl.com]

Back when Win3.1 was released, the Internet was only just beginning to be a factor in peoples' lives, and a computer's administrator also being its primary user could be considered a feature, as people could get things done. As a result, no (or very weak) multi-user support was in consumer Windows lines up til XP, by which time it was too late. Computer worms were a horrible reality, and although permissions were necessary they could not be implemented to the degree they should be for backwards compatibility reasons.

For this reason, MS is in between a rock and a hard place. They either remove all the backwards compatibility and start afresh, meaning that everyone gets pissed off cos app foo and game bar don't work any more, or they keep the backwards compatibility but make everyone run as a user and not an administrator, meaning that either everyone will log in as administrator as a matter of course or that MS has to support lots of pissed off people who can't change their computer's clock. I would love to see someone come up with a solution to this that isn't "switch to Linux/Mac/BSD" because for most people that simply isn't an option.

In case you're wondering what the point is, the smart people at MS, when most people asked what the Internet was would say it was something from a Terminator movie, would probably have said that for ease of use having a single user OS would be perfect (and Mac OS had the same thing IIRC). Now the times have changed and those smart people are having a job and a half trying to undo that mistake.

Re:Permissions?

[DeviceDriver]

>>Windows security is as effective as a screen door on a submarine.

During WWII they did have screen doors for submarines. They kept the bugs out while in port.

Hey, a screen door on a submarine is MORE effective than Microsoft security!

Re:Permissions?

[Allador]

It is read-only by default.

Only users who belong to the Administrators group can modify that file.

Where people get burned is by running as a local admin for their day to day work, which is dangerous and silly.

Re:Permissions?

[Allador]

The hosts file does not live in userland. The hosts file is read-only to everyone who isnt part of the Administrator group.

Re:Permissions?

[scumbaguk]

yep runas has been in windows for 6 years now

It's a Big Deal because...

[TubeSteak]

As mentioned in TFA's thread:

2) As far as I know, their malicious software removal tool didn't exist back when this behavior was created, so what good was keeping access to Microsoft open going to do an infected system? What good does it do to install a patch for a vulnerability that's already been exploited onto the computer of the archetypal "home user"?

MS hardcoded this in with WinXP SP2 & Win2k3 SP1.

Why? Maybe someone will get a comment from MS.

The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.

Re:It's a Big Deal because...

[slashname3]

The point is that mucking around with the inner workings of the OS is BAD

Stated like you control and/or own the OS running on your machine. This is just another example showing how Microsoft feels they should be the ones to control your system. There are many examples of this. Patches for applications that change things in the core operating system are common. Why a patch for office should change things in the OS never made any sense. But then Micrsoft knows best.

Re:It's a Big Deal because...

[Ravatar]

He didn't say anything about the malicious software removal tool. MS created hotfixes for worms like Blaster long before SP2.

Re:It's a Big Deal because...

[idfubar]

Yet *another* reason to stick with Win2k!!!

Re:It's a Big Deal because...

[DextroShadow]

The point is that mucking around with the inner workings of the OS is BAD

You must be new here.

Re:It's a Big Deal because...

I recently had to clean a computer with a certain spyware that hijacked something in windows that prevented it to use its hosts file. I wasnt able to block any bad site :(

Re:It's a Big Deal because...

For what?

So spyware developers know why when they try to redirect whatever.microsoft.com to their own site, they know why it is happening?

This isn't a big deal, even if they were doing it for all of the sites they are already and their ad services because they are not blocking anything from the user. Far from it, they are ensuring their sites have a repeatablely good user experience (retrievable...). If you have a serious need to block Microsoft sites, then you should be using an external firewall and all things considered, with the sites that are listed, I cannot see even a slight reason to block said sites.

In response to your bolded quote, it's pretty simple. They knew they were going to be releasing the tool and built it into their major security update in preparation.

Re:It's a Big Deal because...

It has nothing to do with malware. We put it in as part of a beefing-up of WPA; it prevents counterfeit local WPA servers.

Re:It's a Big Deal because...

[monkeydo]

Because other companies did have AV and anti-spyware tools. No point in disinfecting your computer if it is just going to get infected all over again. That's why we use anti-spyware AND anti-virus AND regular patching.

The fact that MS didn't have their own anti-spyware tool at the time is only relevant if you want to believe that everything MS does is part of a vast monopolistic conspiracy.

Re:It's a Big Deal because...

MS hardcoded this in with WinXP SP2 & Win2k3 SP1.

Why? Maybe someone will get a comment from MS.

The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.

You're a fucking retard. They hardcoded it so that nobody else could override windowsupdate from the hosts file. In other words, if its not hardcoded then their own update service could be re-routed to some malware site. If they hadn't done this, then you'd be pissing and moaning about how stupid they were that they didn't think of this.

On top of this, your comment makes no fucking sense because this isn't a security vulnerability... this is a "Microsoft is using its unfair advantage" complaint pityfully masked as a security issue. This shit is getting old really quick.

Its also totally silly to even mention that at the time of XP SP1 that Microsoft's malware campaign hadn't begun because Microsoft has a history of putting years worth of research into projects prior to their release. The vast majority of projects that exist at MS are never publically exposed until management wants it to be.

After 9 or 10 years of posting here, I think I'm done. The content is just sucking and its just raging with ridiculously one-sided politics with zero editorial skill from the staff. I'm moving to digg... Sorry Taco, I'm just tired of reading bullshit on here.

conspiracy-theorists, start your engines!

[isecore]

Well, lucky I've got that brand new tinfoil-hat!

Re:conspiracy-theorists, start your engines!

[BeanThere]

Ah, so one way to manipulate your critics into suppressing their viewpoint is by blanketly associating it with paranoid nutcases, thereby using 'fear of being labelled' to silence them, I see.

I'm not sure where the "conspiracy theory" here though is because this is established fact.

Potentially unfair...

[Maul]

The main problem is not that you can't block MS addresses, it is that MS is only preventing their addresses from being blocked. Since they are now getting into the security business, this gives them what could be seen as an unfair advantage.

Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back.

Joe User's first attempt would likely be to norton.com, symantec.com (both go to Symantec's main page), or mcafee.com, since these names are pretty much synonymous with antivirus software. However, all of those are blocked and he can't access them.

However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution.

Re:Potentially unfair...

[Limburgher]

Shocked!!! Shocked I say!!! How can you make such slanderous, conspiracy-theory-laden accusations against such a generous, benevolent entity as MicroSoft?
</sarcasm>

I barely managed to type that with my bladder intact.

Re:Potentially unfair...

[pimpimpim]

but couldn't it be a disadvantage as well? The hosts file is pretty easy to clean up, you just need a file editor, but as soon as someone has found out how to change this "hidden setting" pointing to the microsoft servers, it will be pretty hard to repair it again. I think in the end, this non-solution will backfire on microsoft.

Re:Potentially unfair...

[mikesd81]

The trick is to be able to prove this is exactly what they are doing and then the gov't could maybe finally break them apart.

http://www.answers.com/monopoly&r=67 Monopoly defnition:

3.
a. A company or group having exclusive control over a commercial activity.
b. A commodity or service so controlled.

But as an afterthought, I suppose mcaffee and norton could just do the same thing?

Re:Potentially unfair...

[harlows_monkeys]

Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back

This is why antivirus/antispyware software should check for updates by IP address. If it can't find the update servers, only then should it do a DNS lookup, and then it should do it with its own built-in resolver, that starts at the root servers and works its way down.

Re:Potentially unfair...

[ScottCooperDotNet]

Symantec does something similar. If a virus changes security company sites to 127.0.0.1 Symantec will only remove the ones effecting its sites and will leave McAfee and the rest unreachable.

Switch to AVG or Avira.

Re:Potentially unfair...

[mce]

So just who should, according to you, define the list of sites the lookup of which bypasses the hosts file? What if a new company enters the securityware business? How and when does it get in there? Be realistic! Oh I see, the list of exceptions should be modifiable without Mircosoft being involved... Errmmm....

The only thing that one might potentially accuse Microsoft of is not documenting this. To be honest, I couldn't care less...

Re:Potentially unfair...

[cammoblammo]

I think you just want to make yourself sound smart, when in reality you dont know what you are talking about.

And saying 'I work for Microsoft' makes you sound smart? I know the rest of your post doesn't.

Then again, it could explain a bit...

Re:Potentially unfair...

[gkhan1]

While I agree with your general senitiment, atleast Joe can now remove it at all. Had microdoft not hard-coded this he may have been stuck with that damn virus. I don't necessarily think this is all bad.

Re:Potentially unfair...

[Kaemaril]

So just who should, according to you, define the list of sites the lookup of which bypasses the hosts file?

How about ... the user?

Expose this 'feature' in the security centre or whatever Microsoft calls it, put it under user control.

Re:Potentially unfair...

You are over-simplifying drastically. Microsoft are in the business of making operating systems primarily, and when malware controlls the infrastructure for resolving addresses, it becomes very problematic. Microsoft cannot be expected to produce a list of sites that would satisfy many people, let alone all people for this very reason. While some of you expect Mcaffee to be included, what about:-

1) Government Organizations?
2) Miltiary Web Resources
3) Medical and Emergency Related Sites
4) Fortune 500 Websites
5) Alternative operating system vendors?

Which government sites though? What medical sites? What business sites? It's all relative and changes day to day, year to year. You cannot draw a line in shifting sand, and the choice to protect Windows Update access and other Microsoft sites is not a situation of selective non-inclusion, but rather selective inclusion. You have to realize, the mechanism exists for a single reason. That reason is that in the case of malware infection, it is imperitive that the ability to download Windows updates which may remedy or otherwise negate the problem must be protected, more so than any of the above. If there was a large database of sites, rather than a select few hard-coded ones, it would be a fairly easy target for malware to target, manipulate or disable.

That's just the way it is.

-Steve Gray

Re:Potentially unfair...

[ocelotbob]

Again, the problem here isn't about someone who knows what the hosts file is. The problem here is that most people don't even know the hosts file exists; these are the people who would be affected so adversely by such an action by MS.

Re:Potentially unfair...

[sqlrob]

That's a fark cliche, ignore it.

Re:Potentially unfair...

[MobileTatsu-NJG]

" Since they are now getting into the security business, this gives them what could be seen as an unfair advantage. ... However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution."

So... a protection in place that gives this guy an easy out to a site that Microsoft controls is actually evil because it goes there first instead of going to any of Microsoft's competitors.

Well, I have to admit, that's an inexpensive way to get a +5 Insightful.

Re:Potentially unfair...

You don't get it.
If the user can change something, malware can change it as well.
If these overrides are not hardcoded, then they are exactly like the HOSTS file they override.

Re:Potentially unfair...

Indeed. It would be much better if he couldn't get anywhere, and left his zombie to die in shame.

Re:Potentially unfair...

So make it so that changes to the file require physical user intervention, like requiring their password typed into the physical keyboard. There are ways around it without hard coding. A malicious program could just as easily replace whatever file has the hardcoded strings in it.

Re:Potentially unfair...

[Maul]

You have to have already installed a Symantec product to get this functionality, though. It isn't built into the OS.

Re:Potentially unfair...

[Maul]

It isn't a bad idea in theory (unless a virus write can figure out how to change this setting in the OS). but I can see how security companies could say that it is anticompetative unless MS includes all of their sites as well.

I'm not saying they will, but I could see how they could.

Yet Another Band-Aid?

[displaced80]

Hmm. This seems a bit ass-backwards to me.

Rather than having to ignore the HOSTS file because it may be malicious, shouldn't the solution be to prevent HOSTS from getting mangled in the first place?

(oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

Re:Yet Another Band-Aid?

[idesofmarch]

The solution exists. Running as standard user in Windows XP will prevent changes to the hosts file.

Re:Yet Another Band-Aid?

And running as standard user also prevents half the windows software in existance from installing. Fun.

Re:Yet Another Band-Aid?

[moosesocks]

I've always found the /etc/ to be the funniest part of that path.

This is one of the telltale remaints of the BSD-derived TCP/IP stack that NT/XP uses.

Although the stack itself has been heavily modified, using /etc/ as the location for the hosts file still remains, along with other little hints -- ftp.exe is almost identical to the BSD FTP utility. BSD also gets properly credited in the XP copyright notice

Re:Yet Another Band-Aid?

[TubeSteak]

If the malware has enough permission to overwrite your HOSTS file.... what's stopping it from disabling Windows File Protection before unloading dnsapi.dll & patching it?

Admittedly, Windows won't like you even trying to unload the dll, but if you can manage it, it'll be a 1 time reboot. After that, you're home free.

Re:Yet Another Band-Aid?

[v1]

Windows has no effective security model. Users run as admin, so when they run spyware, the spyware runs as admin. Nothing is really protected from an admin, on windows most users basically run as root. So, there's really no way to protect an important part of windows OS except through obscurity. (yes, we all love it, "security through obscurity"!) The hosts file unfortunately is a well known weakness in the OS, so there's no hiding it. And since it's windows, there's no protecting it. So MS has to try something different.

It's sad that they have to try to plug the hole somewhere else, but here the battle is long since lost. At least with this subversion of Hosts, the malware makers (most of them anyway) don't know enough about the internal mechanisms of that feature to disable it as they can with Hosts. Of course given a little time they'll have figured that out too and that battle will also be lost.

Re:Yet Another Band-Aid?

[Wrexen]

So run the installer as admin. There is a "run as" option for a reason (the same reason su exists on *nix)

Whew, that was hard. Can I take a break now?

Re:Yet Another Band-Aid?

[Vasey]

And using the Run-As functionality that has been in place since at least Windows 2000 alleviates that problem entirely. Any more smart arse remarks?

Re:Yet Another Band-Aid?

[tpgp]

This is one of the telltale remaints of the BSD-derived TCP/IP stack that NT/XP uses.

I think they're actually unrelated - and I don't think Microsoft has used a bsd derived TCP/IP stack since NT4.

Although the stack itself has been heavily modified, using /etc/ as the location for the hosts file still remains, along with other little hints -- ftp.exe is almost identical to the BSD FTP utility. BSD also gets properly credited in the XP copyright notice

I'm actually pretty sure its there for the half-assed posix compliance that ealier version of NT had. (do MS even try for this in their NT server products anymore?)

I hardly ever use XP, so I'm not sure if their command line tools are BSD derived or not (they certainly used to be) - but if they are, good - far better to used free quality tools then something MS has written inhouse :-)

Re:Yet Another Band-Aid?

[whoever57]

And using the Run-As functionality that has been in place since at least Windows 2000 alleviates that problem entirely. Any more smart arse remarks?

I've lost count of the number of times that I have tried to run installers under WIndows 2000 using "Run As" and it did not work -- because tasks spawned by the installer don't get the administrator context.

Re:Yet Another Band-Aid?

[Vasey]

Fair enough, that's a problem. Not one I've ever had the misfortunate to run into but I'll take your word for it. You can still login as administrator and run the applications using Run-As, though, I would assume, so it doesn't seem a massive problem to me.

Re:Yet Another Band-Aid?

[sconeu]

Yeah, using Run-As requires me to give out the Admin password to people I don't want to have it.

Would you give out the root password to your Linux box to all your users, just so they can do stuff that shouldn't require root, but does?

Re:Yet Another Band-Aid?

[JacksBrokenCode]

They seem to have fixed that issue in XP.

Re:Yet Another Band-Aid?

Then use the MakeMeAdmin script, which will temporarily elevate the privileges of a normal account.

Re:Yet Another Band-Aid?

[Locutus]

it seems to be pretty easy to root a windows box so i figure most don't bother with the rice-paper gate put up when running as a user.

LoB

Re:Yet Another Band-Aid?

[Nasarius]

I hardly ever use XP, so I'm not sure if their command line tools are BSD derived or not (they certainly used to be) - but if they are, good - far better to used free quality tools then something MS has written inhouse :-)

> strings /cygdrive/C/WINDOWS/system32/ftp.exe | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.

I think you're right about the TCP/IP stack no longer being BSD-based, though.

Re:Yet Another Band-Aid?

[NutscrapeSucks]

I'm sure this has really nothing to do with BSD TCP/IP and everything to do with some programmer thinking "DUH, let's add a etc directory". Since they had to recode the thing, they could have put these files whereever they wanted.

Re:Yet Another Band-Aid?

[Vasey]

I think we're wandering into fairly different territory from the original point here. There's some shitty software out there that requires admin privileges to run, yeah, but that is not the fault of the OS. Blame the developers who code stupid shit like games to require admin. You could make Linux software that does retarded stuff like that too if you really felt the need.

Re:Yet Another Band-Aid?

why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

Drives you mad, eh?

Re:Yet Another Band-Aid?

[pD-brane]

(oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

No no! Don't post the path name here. It's supposed to be a secret. Now black hat hackers get a hand on this and... or... could they? Nevermind, happily Microsoft has thought of a solution, by obscuring the thing that overrules this file. :-)

Re:Yet Another Band-Aid?

[Tim+C]

In related news, the same is true of Linux - ordinary user accounts are prevented from making system-level changes.

That's the whole point.

Now if you'd said that a lot of third-party Windows software doesn't run properly as a limited user account, then you'd have a point. (And even then, there's the "Run as..." service.)

Re:Yet Another Band-Aid?

No, they haven't...

Re:Yet Another Band-Aid?

[Keeper]

I'm actually pretty sure its there for the half-assed posix compliance that ealier version of NT had. (do MS even try for this in their NT server products anymore?)

The posix OS "personality" still exists and they're still shipping SFU, so I would suspect the answer is "yes".

Re:Yet Another Band-Aid?

[Keeper]

It raises the bar. Appending text to a textfile is easy. Disabling file protection and patching a dll while it is being used is hard.

Re:Yet Another Band-Aid?

[Tim+C]

You could make Linux software that does retarded stuff like that too if you really felt the need.

Yes you could, although to be fair the box's admin could just setuid the offending binary (although that's generally seen as a security risk as the impact of any exploit is that much greater).

Re:Yet Another Band-Aid?

[colinrichardday]

Do Linux advocates get to blame those developers for not writing applications for Linux? It may not be the direct fault of Microsoft that developers write such applications, but Microsoft did nurture such a culture.

Re:Yet Another Band-Aid?

[colinrichardday]

What if normal users don't have local admin privileges?

Re:Yet Another Band-Aid?

[drsmithy]

This is one of the telltale remaints of the BSD-derived TCP/IP stack that NT/XP uses.

Even the page you link to disproves this (incorrect as usual when it comes to Slashdot and Windows) meme. NT hasn't used a BSD-derived TCP/IP stack since NT 3.5, and Windows 9x has never used it.

Re:Yet Another Band-Aid?

[Ekhymosis]

If you want to be extra paranoid, then I would suggest using and modifying these templates to suit your needs. http://csrc.nist.gov/itsec/guidance_WinXP.html

It is what I currently use on my laptop and I haven't had any problems since I implemented it over two months ago. Also, if you want to install stuff, there's a sudo program for windows http://home.toadlife.net/winsudo/ that you might want to check out.

Re:Yet Another Band-Aid?

[drsmithy]

Windows has no effective security model.

Windows has an excellent security model. The problem is people circumvent it, largely because incompetent software developers make doing so almost a necessity.

Re:Yet Another Band-Aid?

Now if you'd said that a lot of third-party Windows software doesn't run properly as a limited user account, then you'd have a point.

This is also true. Games with stupid copy protection schemes supposedly need Admin rights to check the CD. The Sims is one of these. My in-laws just installed a piece of DV camera software that feels the need to check for admin rights before doing anything, and won't run without it. Apparently reading video data off a USB device is some kind of priveleged operation.

I know these are badly behaved apps, but they are numerous, and 'Run As' is NOT a solution. If you train users to run apps as administrator every time they run into some app that needs admin rights (even for no valid reason, like the DV app), then you're in no better a position than if the user was running as admin full-time.

Re:Yet Another Band-Aid?

C:\Windows\System32\Drivers\etc\

It is, afaik, because Microsoft ported the std. BSD IP stack to Windows NT's 3.x series OS!

(The original versions, 3.1-3.51, circa 1992-1997 versions iirc on the versions + dates - it's been a LONG time since I used them (well, I actually DO keep a 486 Dx/4 133mhz here running NT 3.51, but not online anymore as far as the internet))

MS modified BSD's IP stack as much as they could for improvement (there are things BSD does IP wise that I do admire & MS could take a page from their playbook on nowadays though imo), but MS also TRIED to keep it as "std." as is possible, vs. the older Berkely IP stack!

For "POSIX compliance", a UNIX std. iirc...

E.G.-> Note the "etc" subdirectory/subfolder?

If you're from the UNIX world, you have seen the foldername/directoryname before without a doubt... for POSIX compliance, possibly.

APK

Re:Yet Another Band-Aid?

[v1]

This is not entirely the developers' faults but they are certainly a major contributing factor. Most windows software cannot be installed unless you are logged in as an admin. A great deal of windows software will not run once installed except when you are logged in as an administrator. This has become an accepted behavior for software under the Windows platform, and as a result, about 95% of windows users log in mainly with an administrative account for every day use. It's a vicious circle... software forces you to be logged in as admin, and therefore lazy/incompetent developers just code sloppy because they (correctly) assume all their users will be logged in as an admin, and this only encourages them to do so.

All MS would have to do is to place a few simple, sensible requirements on software in order to be given license to use that "made for windows xp" etc logo on their box. Requiring the installer to be logged in as admin is understandable, but once installed, most software should be perfectly usable when logged in as a non-administrator. If this were a requirement to obtain license for that logo, it would do a world of good for windows security. This is why I say that windows' security model is flawed. It may have the teoretical capability of working, but the accepted method of implementation, as sanctioned by MS, is fatally flawed. And that is microsoft's own doing.

Re:Yet Another Band-Aid?

[drsmithy]

This is not entirely the developers' faults but they are certainly a major contributing factor.

It is complete the fault of developers. There has not been any justifiable excuse for writing software that doesn't play nice with non-admin accounts since at least 1997.

Most windows software cannot be installed unless you are logged in as an admin. A great deal of windows software will not run once installed except when you are logged in as an administrator.

Both of which are 100% the fault of the person (or people) writing the software (or perhaps the installer). There is no *systemic* reason why installers cannot install software to a user's own disk space, nor why any typical application could require elevated privileges to run.

It's a vicious circle... software forces you to be logged in as admin, and therefore lazy/incompetent developers just code sloppy because they (correctly) assume all their users will be logged in as an admin, and this only encourages them to do so.

There is no blame to be placed anywhere else except in the hands of developers. There is *no need whatsoever* for them to write software that requires administrator privileges. Indeed, developers must specifically do stupid things or make worst-practice assumptions to create a situation where a non-admin account breaks software (eg: trying to open system files read/write, trying to store data in system directories or system Registry areas, etc).

There is nothing in the system or APIs that "encourages" the incorrect use of system areas.

All MS would have to do is to place a few simple, sensible requirements on software in order to be given license to use that "made for windows xp" etc logo on their box. Requiring the installer to be logged in as admin is understandable, but once installed, most software should be perfectly usable when logged in as a non-administrator. If this were a requirement to obtain license for that logo, it would do a world of good for windows security.

It *is* a requirement for the "Made for Windows XP" logo. If you find software bearing the logo that doesn't place nice with a non-Admin account, you should file it as a bug with the developer (and tell Microsoft as well so they can lean on the developer).

This is why I say that windows' security model is flawed. It may have the teoretical capability of working, but the accepted method of implementation, as sanctioned by MS, is fatally flawed. And that is microsoft's own doing.

It is *not* an "accepted method of implementation, as sanctioned by MS", it's ignorant and/or stupid and/or lazy developers writing bad software directly against the best practices Microsoft have been recommending (not to mention simple common sense) for getting close to a decade now.

There is nothing wrong whatsoever with the Windows security *model*. Your complaints are 100% about the *software* written by third parties whom Microsoft has no real control over.

Re:Yet Another Band-Aid?

[stinky+wizzleteats]

oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

Because Microsoft is easy to use and manage - not like that nasty obfuscated *nix stuff. It's no wonder that *nix isn't ready for the desktop.

-Warning - the above comment contains sarcasm.

Re:Yet Another Band-Aid?

[Allador]

No, it does not.

At worst, it requires you to create a separate account for that person which is in the local administrators group. That way its auditable, and you can keep logs of who used their la account when.

Or, if you want people to have non-admin accounts, and still get new software, then you have an IT staff to install them using their admin accounts.

Re:Yet Another Band-Aid?

[sconeu]

You miss the point. I don't mind installing on other people's machines. What I object to is software that, once installed, insists on being admin before it will run.

Cases in point: "The Sims", "Mavis Beacon Teaches Typing".

Why on G-d's Green Earth does a TYPING TUTOR require Admin?

MSN

[Joe+U]

The only thing that troubles me is the inclusion of MSN.com in the list.

The other hosts are used in Microsoft's patch distribution network and honestly is not something the average user would ever need to block. It is, however, something a virus/spyware program would love to block. So, if you want to block those hosts, buy a firewall, they're down to about $20.

As for MSN, my only guess is that they don't want to block updates for MSN messenger.

What we have to remember is that these sites are required to fix a broken system, so I don't view this as just an advantage for MS antispyware.

Re:MSN

[mrraven]

20 dollars, try free, like AVG. AVG is pretty nice it operates in stealth mode so your computers ports are invisible to probes and alerts you when any new program tries tries to phone home. And no I'm not affiliated or invested in AVG in any way I just think it's cool they make a good firewall available for free.
Yes it's propitiatory and closed source but at least free as in beer, shrug.
Anyway I only run Windows in a virtual pc. sandbox so it won't infect my real O.S.

Re:MSN

[Ksigpaul]

I completly agree. This is extra security for the MS update sites that are trusted by internet explorer so they can perform office and windows updates. Granted the MSN inclusion is a little odd. Personally, I believe this is completly justified b/c almost every single windows computer trusts update.microsoft.com, and the like, to perform activex so that the windows updates can occur. How easy would it be for a spyware program to change the ip address and utilize the auto-windows updating mechanism to update their own spyware (not trivial, but we know anything is possible).

Re:MSN

[techno-vampire]

20 dollars, try free, like AVG.

Zone Alarm's the same, if you take the home edition. Haven't tried AVG's firewall. Unlike XP's builtin excuse for a firewall, ZA warns you when unknown (or changed) applications try to phone home and lets you block them. The XP concept is that once a program's installed, it can do what it wants, including phone home. At least that's how it was the last time I checked. Might have been changed in the last few years; I wouldn't know.

Re:MSN

[Locutus]

and therein lies the rub. Microsoft is a marketing company first and foremost, so they organize things nicely to make that venture successful. After all, MSN is a component of MS Windows and it's shipped with MS Windows, but they have the msn.com domain to handle update? WTF... Ahhh, marketing.... By doing it this way, they can/will say that this is about updates when infact, it's about protecting its advertising revenues. Do you think pop-up blocking was/is something they really want to do? Not if you're a marketing company and that is why they've waited so long to do anything about it. IMO.

So, just like all the things which broke 3rd party competitors in every release of an MS DOS, MS Windows, MS Office, MS etc update/patch/fix/... if/when the justice system gets called it, they'll have an excuse, say they are sorry if that's what it takes, and then fix it over a period of months because it's just so hard and difficult to do. All the while, the 3rd party/competitor is left with flooded phone support calls and their customers find that Microsoft graciously provided them with a product that'll fill in...

The writtings been on the wall for over 15 years. If people haven't seen the neon sign and stay with Microsoft it is their choice and all this is SOP. It's not any different from what they've done in the past and it'll happen many many many times again.

LoB

Re:MSN

[ClamIAm]

As for MSN, my only guess is that they don't want to block updates for MSN messenger.

Doesn't IE, by default, redirect unknown hosts to an MSN search? *adjusts tinfoil hat*

Re:MSN

[mrraven]

DOH I ment Zonealarm, sigh... More coffee, must have more coffee...

Re:MSN

Which combined with the behaviour of "Back" when you do that provides my single largest day-in-day out peeve with IE. If I mistype an URL (especially a long one) the odds are pretty good that I'll want to go back and correct it. MS, of course, interprets this as meaning tack on a snotload of half-baked marketing crud to make that as hard as possible.

In Vista, I fully expect all mistyped URLs to redirect you to a random MSN pay per click.

Re:MSN

[pembo13]

Well, why not hardcode this into Internet Explorer instead?

Re:MSN

[ClamIAm]

I don't use IE anymore, but I'm pretty sure you can disable that.

How is this a competitive advantage?

[Jose]

so...how is this a competitive advantage? why can't the competitors just use IP addresses instead of DNS?

Re:How is this a competitive advantage?

[thmnetwork]

you're aware of what DNS does? what if their IP address has to change, do they have to update all their software to point to it? also, what the jist of the thread seems to be is that end-users at home will buy MS anti-spyware rather than trying to figure out why they can't get elsewhere.

Re:How is this a competitive advantage?

[MooUK]

Because using an IP address for the program to access causes problems if your server's IP changes. Simple as that.

Re:How is this a competitive advantage?

[harlows_monkeys]

Because using an IP address for the program to access causes problems if your server's IP changes. Simple as that.

If your antivirus vendor is on such a shoestring budget that they can't afford a stable IP address, or are so slow at getting updates out that when the IP address does change, they can't get their software updated in time, then you need a better antivirus vendor!

Best would be for the AV software to use several methods to find its update servers. Start with a built-in IP address. If that doesn't work (either it can't reach the server, or it doesn't find valid updates there--and updates should be digitally signed, of course), then it should try a DNS lookup, and see if that works. If that doesn't give it a valid update server, then it should do a DNS lookup itself, instead of relying on the system resolver, by going to the root servers and working its way down.

Malware does target antivirus software, so AV software should be written to not trust the system it is on.

Re:How is this a competitive advantage?

[Jose]

at some layer, you always have to trust. To me, DNS does not go low enough. It is waaaaay to easy to spoof.

You need to make it as hard as possible to spoof/break the connection back home for updates. Plus authenticate both sides of the connection. some would say the authentication is good enough..but you need to think defense in depth. Make every step a challenge to break.

the type of software that is of concern right now will be definition require frequent updates to be effective, so, to me, it is a non-issue to require software udpates to change IP addresses.

Re:How is this a competitive advantage?

[MooUK]

The problem with using software updated to change the IP comes if your IP has to change unexpectedly for one reason or another, or if a user is offline between the update being released and the IP changing. In those cases, the IP in the user's installed copy will be wrong.

Re:How is this a competitive advantage?

[Jose]

The problem with using software updated to change the IP comes if your IP has to change unexpectedly for one reason or another

it is unlikely that an IP address would have to change for a corporation, but in the event that it does have to change, that is fine, because as I was alluding to at least, the software *must* have multiple IP addresses to connect to. Each one *must* go to different ISP's, and ideally, geograpically disperse locations. so if one, or even a few IP addresses have to change, that is fine..you still have some locations that will be reachable.

or if a user is offline between the update being released and the IP changing. In those cases, the IP in the user's installed copy will be wrong.

as mentioned above, there *must* be several IP addresses available for automated updates. if a user is offline for an extented period of time (months/years), then that particular user will need to manually go to the vendors website and download an update/patch. but, again, given the type of software we are discussing..if you are months/years out of date....then you are FUBAR for various reasons.

Re:How is this a competitive advantage?

[MooUK]

I'm not denying that there are ways to work around it, but using a domain name and DNS rather than static IPs does also solve many of the problems. Even though it introduces others.

well

they are not doing this on 2k...

ive blocked most of microsoft off at the hosts file.. saves time since i know i dont ever want to go there. even if my browser does.

Re:Well

[TCM]

Upon further thinking, this whole article is flawed and perverted.

"Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file."

I already said why that's stupid anyway.

"All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware."

Well, malware authors are just going to replace the resolver function instead of aiming for the easier target. If they can replace entries in the hosts file, they have sufficient privileges anyway.

"However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

That's really far-fetched. Let me see: Most users use their Windows as root-equivalent because of sucky software and because they don't know any better. Spyware can replace the hosts file to block access to Microsoft's auto-update because users are root. So instead of fixing the fundamental problem, Microsoft does what it does best: kludges, bandaids, bullshit. And now suddenly this is viewed as a "competitive advantage"?! Remember people: don't attribute to malice what can be explained with stupidity.

To me this is only proof again that anything related to Windows is a swamp of bad design, ugly hacks and inconsistencies. I wouldn't construct an evil intent on Microsoft's side here. It's just their usual incompetence.

Re:Well

[TheDarkener]

I don't know if it's been said already, but using the hosts file to reliably "block" anything is a very stupid idea to begin with.

I don't know if it's been said already, but anybody that tries to change the subject from the simple matter of "This functionality is broken, on purpose, with no documentation" is avoiding the issue.

Microsoft INTENTIONALLY altered an otherwise fully functional resolver system and tailored it to meet THEIR needs, at the expense of system and network administrators. I don't give a crap if "it's a dumb idea to use the hosts file", I give a crap if it took me 2 hours to figure something like this out and the end user is pissed because I TOOK SO LONG. I can't tell you how many times I've had this happen to me, not only by things Windows does that is NOT logical but other large software companies as well. No monopolous software company respects the user anymore - they just want to fill their wallets. And it makes me SICK.

legitimate use?

Wouldn't this prevent malware from redirecting legitimate Microsoft update requests to an imposter site?

Re:legitimate use?

[lintux]

At most it makes it slightly harder to do. They have to do some browser/IP stack hijacking instead. With browser hijacking they could then also get rid of the SSL certificate warnings, maybe.

Smart move from M$

[Fantasio]

How long before somebody poisons these adresses in the DNS servers ?

An automatic update of WMP and your PC gets owned, and nothing can be done to prevent it!

Re:Smart move from M$

An automatic update of WMP and your PC gets owned, and nothing can be done to prevent it!

Microsoft added DRM to media player ages ago. Who says Microsoft can't innovate?

Re:Smart move from M$

Well, except that everything that Microsoft puts out is digitally signed and that you have to go out of your way to bypass it.

Re:Smart move from M$

[ScrewMaster]

True ... but how many people go out of their way without a second's thought?

Re:Smart move from M$

[gclef]

Patches from MS are cryptographically signed. You need to do more than just poison teh DNS for these hosts. You need to either steal MS' private signing key or break RSA.

Let me know if you manage the second one.

Re:Smart move from M$

[HermanAB]

You don't need to break RSA - just replace the DLL that handles RSA with one that does nothing. Remember the PC is compromised - so the virus/spyware maker can do that and I think they have done it in the past.

Re:Smart move from M$

[harlows_monkeys]

You don't need to break RSA - just replace the DLL that handles RSA with one that does nothing. Remember the PC is compromised - so the virus/spyware maker can do that and I think they have done it in the past

Uhm...I think you've gotten a bit out of phase here. He was talking about diddling DNS servers or caches, to get it so that uncompromised computers could be infected via fake MS updates. The signature stops this.

Re:Smart move from M$

[toddestan]

You don't need to break RSA - just replace the DLL that handles RSA with one that does nothing. Remember the PC is compromised - so the virus/spyware maker can do that and I think they have done it in the past.

If the PC is already compromised, then why bother with poisoned DNS servers and trying to defeat Microsoft's encryption? Just have the computer go to wherever you want it to and have it download whatever you need.

Would be ok...

[thefogger]

...if Microsoft had documented this behavior. Yet still, I fail to see what the big deal is. So you can't force an IP address to a domain with hosts.txt for some sites that microsoft controls. If you need to do that, for example for some corporate filter or updating solution, you could just modify your own dns server. Home users on the other hand get more reliable access to windows update, which is very important. Otherwise it would be trivial for malware to block the computer from recieving updates, and the automatic updates would silently fail.

Cheers, Fogger

Re:Would be ok...

[techno-vampire]

If you're trying to block those sites for a corporate LAN, just use a non-MS proxy that intercepts DNS and returns localhost for those sites.

Re:Would be ok...

Did you ever write code for windows? Ok, so I can tell you never did.. Imagine writing code for a system that is undocumented. You write it according to the API produced by MS.. I think the main point here is we see this time and time again, MS makes a change and doesn't tell anyone, nor do they have to or want to.

So you're kinda right for home users but I think this is a big deal for the coporate world.. I got a great idea, why not change this for HOME EDITION users only and leave Professional edition alone?? Wow, what a concept, maybe MS should hire me?!?

"If you need to do that, for example for some corporate filter or updating solution, you could just modify your own dns server."

What happens when the hijacking application uses a different DNS server or hardcodes in an IP address?

Re:Would be ok...

[infolation]

You can't force an IP address to a domain with hosts.txt for ANY sites. The hosts file doesn't have a file extension.

Route to null

[PlusFiveTroll]

If the adware can change your hosts file then this is pretty useless anyway. Now all the software has to do is run a script that does the following

nslookup whatever.microsofts.domains
takes the list of return addresses and
route ADD destination MASK mask INVALID INVALID INVALID foreach

and your traffic to MS wont even leave the network card.

Re:Route to null

[thmnetwork]

correct, which means the goal should be to stop them from gaining those priv's, which microsoft has not done anything about really. Maybe vista (haven't "beta tested" aka DLed it) will provide for some "system maintainer" that can't login interactively or over network by default, that's what I end up setting my local security on win2k as anyways...who knows...

Re:Route to null

[Spy+der+Mann]

Um, for us network newbies, what do we replace INVALID with? Mind giving more examples?

Re:Route to null

[thmnetwork]

well I'm not sure what he's getting at, but you could try adding a route to the routing table saying to direct all traffic with the given destination to the local loopback, no CHANGE'ing of the default route is required, more specific routes, like naming the IP outright are preferred: route ADD 207.46.225.221 GATEWAY 127.0.0.1 METRIC 1

Re:Route to null

[HermanAB]

Exactly - if the spyware is that advanced, then it could also subvert the rest of the DNS lookup system. Once the machine security is breached, the rogue program can do anything it wants. "What part of 'arbitrary code' don't you understand?" :(

Re:Route to null

The idea of adding entries to the routing table has already been foreseen by Microsoft.

It examines new rules, and if it finds one of the kind:
"route ADD 207.46.225.221 GATEWAY 127.0.0.1 METRIC 1"
then the rule is declared invalid and ignored.

To prevent people working around this, the Win32::Registry service does an MD5sum on route.exe when the desktop is started. If it's MD5 does not match the result of an untouched file then the file is replaced with a clean copy from /WINDOWS/WIN32/HELPFILES.
Win32API::File::Time has been modified to scan the hosts file and compare the results of local lookups from /hosts with those from a legitimate Microsoft server. Should it's results differ from the expected ones, it will know that in turn, IE has become compromised and also requires to be replaced from the clean backup directory.

That's three levels of protection for the customer.
'Triple ply protection' if you will.

I don't think Linux has technologies like these fully integrated into the operating system. It's going to continue playing catch-up a long time before it can compete with us on deeply embedded security measures like these.

Re:Route to null

[SirTalon42]

What happens if the copy in /WINDOWS/WIN32/HELPFILES is deleted/replaced first? Sounds like a bandaid to me...

Re:Route to null

[MikeBabcock]

... which is why you'd change it to 10.0.0.254 which is an IP of a machine on your LAN with no forwarding allowed.

Malware removal

So do Windows users need to replace the entire TCP stack or just Windows resolver library?

Interference with my sig!

[Teun]

How nasty of MS to interfere with my sig!
Now I'll have to include a disclaimer...

Just another reason to continue using a more robust system :)

Re:Interference with my sig!

[ZeroExistenZ]

Just another reason to continue using a more robust system

I agree. I'm happy its spring now so I can finally post back on slashdot with TCP/IP using pigeons.
(2 pigeons were corrupted by posting this message)

Big deal.

I don't see what the big deal is. Name resolution on a system/application level isn't set in stone. They are completely free to implement a DNS client/name lookup system any way they want to. You are also free to implement your own DNS client. If you don't want to use dnsapi.dll, then don't. If they want to implement a DNS client that skips a local hosts file for some names, then so be it.

Granted, I don't run any Microsoft operating systems anyway.

In fact, you could run your own DNS relay server locally or remotely and block the names from there.

Re:Hm?

[FudRucker]

what a gentle euphemism...

eh..

[joshetc]

Not that I like it much but.. isnt it THEIR OS? Why cant they do whatever they want? Why does it have to support any 3rd party security software? Nintendo didn't get sued for not letting me run linux on my NES. I don't see how this is any different. Granted, if they take it too far they will lose marketshare.

I don't like any of the movements they are making toward being anti-competetive as far as software goes or w/e. The thing is though that if some media player manufacturer wants their player to stand up to WMP then they should make their own damn OS and get the kinda marketshare Windows has.

Just my $.02

Uh, what?!

Anyone can "bypass" the hosts file. Just make your program access hosts by their IP address rather than the DNS.

Re:Uh, what?!

[Scooter]

Couple of reasons:-

Your argument assumes a one to one relationship between hostname and IP address. There just aren't enough addresses in a 4 byte address range (actually a lot less in practice) for every server, and every client to have it's own address. Many web servers host multiple web sites under different hostnames, in different domains, on the same IP address. You need to to use the hostname for these sites as that's how the server determines which of the many sites it hosts to give you.

Take my site - http://www.muttsnutts.com/ It's hosted on my ISP's web server along with hundreds of others. Lookup the address:-

  ANSWER SECTION:
www.muttsnutts.com. 14400 IN A 84.92.1.5

Then try http://84.92.1.5/ - you get the default site.

Second, the reverse may be true - try doing a dig or nslookup of www.google.com - you'll get different addresses every time (or the same ones in a different order):-

  ANSWER SECTION:
www.google.com. 278479 IN CNAME www.l.google.com.
www.l.google.com. 30 IN A 216.239.59.147
www.l.google.com. 30 IN A 216.239.59.99
www.l.google.com. 30 IN A 216.239.59.103
www.l.google.com. 30 IN A 216.239.59.104

  ANSWER SECTION:
www.google.com. 278492 IN CNAME www.l.google.com.
www.l.google.com. 43 IN A 216.239.59.99
www.l.google.com. 43 IN A 216.239.59.103
www.l.google.com. 43 IN A 216.239.59.104
www.l.google.com. 43 IN A 216.239.59.147

Granted, Microsoft could engineer their sites so that the IP address would work, but this places some severe restrictions on their web server farm's scale. As a couple of other posters mentioned - you could block the traffic in the routing table anyway, or just buy an external firewall and block the traffic there.

I don't like the smell of this - especially as they didn't document it. It may seem harmless enough, or even beneficial, but is the first step onto a slippery slope. You probably agree to it in the EULA when you install though.

Re:Uh, what?!

[Kiaser+Wilhelm+II]

There is nothing that says you can't bypass any DNS related API when using the TCP/IP stack.

Many programs already do their own DNS lookups because the behavior of the OS's resolver causes problems for some particular types of programs.

I don't see why this is fishy. If you don't want Microsoft products phoning home, don't install them. You already knew they were going to try to do so. The HOSTS thing is just a way to make sure it is not being blocked by a retarded trojan.

Re:Uh, what?!

[Scooter]

Agreed - and that was my point - there are a 1001 ways to do this, and 1001 other ways apart from editing the hosts file to stop the OS from doing it.

It's the fact they didn't document it that smells. What else haven't they documented?

As I said, you probably agree in some way in the EULA - and I agree you don't have to install these products - although I do use XP. Why? because the pile bad points doesn't outweigh the good ones yet. I play games on my PC. When some other OS allows me to play these games, the pile of good points for XP will be reduced.

Re:Uh, what?!

...you'll get different addresses every time (or the same ones in a different order)
I belive it is called Round-Robin and this has been used for very long time...

Re:Uh, what?!

[Scooter]

Yes - "round robin" is the crudest way of doing it, and is fine if the load on each server is more or less the same. You can also change the order based on other factors such as source IP address, or the load of each server.

Sensationalism

Who cares?

Nothing prevents you from not using the operating system's resolver. Its trivial to implement your OWN DNS client in your programs, bypassing any HOSTS settings and other DNS resolver issues.

I've never seen so many people who were so clueless and misinformed about the technical issues involved here.

Re:Sensationalism

[mtenhagen]

I guess a virus of 2MB will be less succesfull then one of 100KB.

Re:Sensationalism

I have a 7K resolver. The only thing it currently lacks is a good way to find out path to root. Somehow, I think that is trivial on windows.

I couldn't reproduce this on Win2K.

[khasim]

I'm wondering if the behaviour will change if you just go into "services" and disable the DNS client.

I recommend this anyway. In theory it will increase the number of requests your machine does. But in practice it has saved me a lot of "try rebooting" calls.

Anyone out there with XP who can reproduce this?

Re:I couldn't reproduce this on Win2K.

[pla]

Anyone out there with XP who can reproduce this?

Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround - The first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a cacheing DNS proxy on your machine (ie, exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and tell the proxy to use a bogus address for the sites in question, that should successfully block them.

Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).

Re:I couldn't reproduce this on Win2K.

[pla]

So if you ran a cacheing DNS proxy on your machine

Just an update - I just set up exactly such a proxy (DNRD) on my masq'ing gateway, and it works like a charm. So MS hasn't done anything too sophisticated to get around blacklisting them, just enough to count as a nuissance.

Re:I couldn't reproduce this on Win2K.

[NoDramas]

Tried on XP SP2 Canned DNS Client service. Cleared DNS Cache. Fudged host file. They are diverting around the hosts file for www.microsoft.com but not www.hotmail.com. And very strangely, not Google.com!!

Re:I couldn't reproduce this on Win2K.

My fix was taking a hexeditor to dnsapi.dll, finding and replacing [domain].com with [random numbers].com and then saving into the dllcache and then the system32 folders

Re:I couldn't reproduce this on Win2K.

[Elektroschock]

I wonder whether it would be useful to report it to
http://europa.eu.int/comm/competition/publications /competition_policy_and_the_citizen/consumer_liais on/

You know, DG competition is curious to know more about MS anticompetitive pratices.

Re:I couldn't reproduce this on Win2K.

[scumbaguk]

ipconfig /flushdns

doh

Monopolies

[Tony]

A court of law has determined that Microsoft is a monopoly. One of the anti-trust regulations specifies that you cannot use your monopoly power to force your way into another market; that was the heart of the conviction against Microsoft in the Netscape case. Microsoft used their monopoly to oust Netscape as the dominant browser by bundling, which is illegal.

Now they are using that same monopoly power to take over the anti-malware market.

I'm rather ambivilent about this. On one hand, it is just one more case of Microsoft waiting for a market to mature, then forcing their way into it. On the other hand, this market wouldn't exist if it wasn't for their own shoddy products, so it's really Microsoft's reponsibility to fix it. However, malware protection software isn't the correct answer, it's just the most expedient, with a potential for additional profit.

All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered.

Re:Monopolies

[idesofmarch]

This raises something I have sometimes thought about, but did not deliberate enough to think up of an adequate answer.

How did Microsoft financially benefit from Internet Explorer's dominance? IE is and always has been a free product. More relevant to this topic, Windows Defender is free and probably always will be. Sure, other anti-malware software companies may suffer because their products are not so in demand, but so what?

Also, I do not even see this as an entry into another market, more of an effort make the core product better. As an analogy, what if GM suddenly added a device to all their cars that would clean the engine oil on the fly? Engine oil would never need to be changed. Engine oil manufacturers and oil changing stations may get up-in-arms over this, claiming that GM was using its monopoly power (let's assume GM had a dominant position similar to MS) unfairly, but really, it is just a matter of GM making its cars less prone to failure and in need of less maintenance.

Re:Monopolies

[TubeSteak]

Now they are using that same monopoly power to take over the anti-malware market.

No they aren't.

Some genius at MS came up with this brilliant idea before MS had a malware detection tool.

Before WinXP SP2, a subverted HOSTS file could prevent Windows Update from running.

The hardcoded DNS entries were probably some misguided piece of MS's 'ooh look, SP2 is going to have great security' campaign.

So again: MS wasn't/isn't trying to abuse their monopoly. If you (or whoever modded you up) had RTFA, then it'd be apparent that it isn't the case.

Re:Monopolies

[Changa_MC]

IE is and always has been a free product.

Microsoft Internet Explorer is only free if you own Microsoft Windows. Without a Microsoft Windows license, you have no license to run Microsoft Internet Explorer.

Microsoft leveraged Microsoft Windows to dominate the browser market, and then extended the browser in non-standard ways so that users must keep Microsoft Windows in order to keep their familiar browsing experience.

Leveraging one monopoly to strengthen another.

Re:Monopolies

[99BottlesOfBeerInMyF]

How did Microsoft financially benefit from Internet Explorer's dominance?

Lock-in. How many people can't switch their corporate network to Linux because they need IE to access some intranet or partner's Web site or HTML based tools? Not to mention breaking the standard helps stop the Web from democratizing the application space. How much sooner would Web-based applications have taken hold if developers only had to write to modern standards instead of having to be backward compliant with a very outdated and broken version of the spec as well?

IE is and always has been a free product. More relevant to this topic, Windows Defender is free and probably always will be. Sure, other anti-malware software companies may suffer because their products are not so in demand, but so what?

Do the developers who write IE work for free? Obviously not. Where do their paychecks come from? They come from Windows. Everyone who buys Windows is paying for IE, regardless of whether or not the ever use it. Even die-hard Firefox fans pay for IE when they buy Windows. IE isn't free; the price is bundled into the cost of Windows. That is one of the major reasons it is illegal.

The same applies equally for Windows Defender. It isn't free. it is rolled into the cost of Windows. Antitrust law is built on the markets an action affects, not the products themselves. People paid a minimal cost for Netscape. They viewed some ads at one point. They paid for support if they needed it. They agreed to a binding contract that said if they modified the code and distributed it they would give it back to the other users. All of these things are fairly indirect and hard to transform into hard cash numbers. It is hard then, to show how much damage MS did to the market by a given action.

Windows defender is moving into a space where people directly buy the product/service for cash. It is a much more clear cut case for the courts than even IE was. Legally, I don't believe Microsoft can either give away the product (bundling unless they make it for all platforms) or charge for it (the conflict of interest is double dipping and is a form of extorting current customers).

I hope this helps to clarify the issue for you.

Re:Monopolies

You ever look at the default homepage or default search? How many people do you think would visit msn.com if it wasnt for IE? And all those pages have adds. Also, just as important, it generates market exposure.

Re:Monopolies

[dryeo]

How did Microsoft financially benefit from Internet Explorer's dominance? IE is and always has been a free product.

Huh? IE is a $200 product, sure it comes with an OS which I personally don't like.
Lots of the time browsing the web I've come across sites that don't work without IE therefore trying to force me to purchase IE

Re:Monopolies

[TheNetAvenger]

A court of law has determined that Microsoft is a monopoly

Well, kind of... Monopolistic business behavior to protect their OS at least...

So now that we all agree they are a monopoly, NOW we get to debate whether they can protect an OS they made to ensure it can get the correct updates. Is everyone here nuts or high? Remember the WindowsUpdate Worm just a few years ago, and how awful it was and how everyone here was so angry at MS? Now they are taking another step to prevent this type of crap, and you are pissed at them for that too.

Tell me, what should they do to ensure updates are not sent to some website on a offshore island? Just ignore any issues?

Any yet people here are running OSes that have UPDATE mechanisms that work MUCH like the Windows Update by contacting the source/vendor of the OS, and if your OS distributor released an update to ensure malware couldn't screw with your updates, you would applaud them...

How big does the double standard have to get for people here to go, wow, we are not freaking stupid /. nerds, we can think for ourselves?

Oh, and back to the monopoly... Ya, big monopoly, so anyone here posting on OSX or Linux or OpenBSD, you better check your reality, because if they were a 'real' monopoly like Ma Bell, then you are using a non-existent OS...

I don't care if you hate MS or Sun or Apple or love them all, at least think for yourselves and quit following in line like lemmings so you can 'be different'... Geesh...

Re:Monopolies

[toddestan]

How did Microsoft financially benefit from Internet Explorer's dominance? IE is and always has been a free product. More relevant to this topic

Back in the day, Netscape was developing web applications. This was kind of scary for Microsoft, as this shifted the focus away from the operating system and to the browser. Back then, Netscape ran on almost everything (Windows, Mac, Linux, BSD, OS/2, etc), and if in the future the user did all their work under web applicatons, then suddenly the underlying OS would become less important. Why spring for a Windows license to run Netscape when you could download Linux for free?

So Microsoft's response was Internet Explorer. At first it seemed that Microsoft was going with the Netscape route of supporting multiple platforms, but they quickly killed off everything but IE for Windows (Except for the Mac version, which lingered on quite a bit longer before finally getting axed). From there they made their browser not quite standards compliant (but close enough to get people to switch to it), and created ActiveX. They then integrated all of this into Windows and their respective server software. This made it easy for people to create Web applications and content that only worked properly under Internet Explorer for Windows, and many of these ended up being made - particularly for company intranets. At first, this seemed great for companies that basically ran Windows everywhere, but it also locked them into Microsoft's software. This is likely one of the reasons why Windows is still so dominant on the desktop, and is also one of the main reasons why in the bizarro-land of slashdot circa April, 2006, Mac users are so excited about running Windows on their Apple machines.

Of course, the threat of Web applications is coming around again, with open standards like XML threating to make your choice of OS less revelevent, and even your choice of browser unimportant (so long as it supports the open standards). I'm not sure what Microsoft has in store for this round (if anything), as IE7 seems to be too little, too late - and the popularity of Linux and OSX growing.

So in conclusion, Internet Explorer wasn't so much about crushing Netscape Navigator, as it was about crushing Web applications that could run everywhere.

Re:Monopolies

"How big does the double standard have to get for people here to go, wow, we are not freaking stupid /. nerds, we can think for ourselves?"

considering the percentage of people using MS, I think most here are trying to think differently..

I think the main point is not the magical "fixing problems" it's the "my os is phoning home to check up on me"... Maybe tinfoilish but how far off is it? I know since I can't see in the greybox of MS land I can't be too sure to trust them.

"Ya, big monopoly, so anyone here posting on OSX or Linux or OpenBSD, you better check your reality, because if they were a 'real' monopoly like Ma Bell, then you are using a non-existent OS"

You're points aren't very valid if you ask me.. They were found to be a Monopoly by a court.. You're saying even tho they were found to be a monopoly by a court that fact doesn't matter?? You sound like a MS troll to me, worse than any linux troll I know of...

Re:Monopolies

[frostoftheblack]

"All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered." Remember Mission: Impossible II? Make the virus, make the drug, and release them both? Rather than preventing the virus, Microsoft is just making more of the drugs.

Re:Monopolies

[drsmithy]

Microsoft Internet Explorer is only free if you own Microsoft Windows. Without a Microsoft Windows license, you have no license to run Microsoft Internet Explorer.

Unless of course you dig up one of those old copies for Solaris, HPUX or MacOS [X].

Microsoft leveraged Microsoft Windows to dominate the browser market, and then extended the browser in non-standard ways so that users must keep Microsoft Windows in order to keep their familiar browsing experience.

And it's this that makes the fall of Netscape all the more entertaining. Microsoft took Netscape's business plan (leverage the free - or nearly free - browser with proprietry extensions to sell other products) and beat them with it.

Re:Monopolies

[TheNetAvenger]

They were found to be a Monopoly by a court..

Actually, the original ruling was thrown out, and they were NOT deemed a MONOPOLY, but a company that used Monopoly business tatics to try to create a monopoly. (They never said MS or Windows WAS a monopoly, and since Other OSes existed and still do, Windows nor Microsoft is a Monopoly.)

The original ruling tried to say they were, but that was thrown out with not only an overrulling, in appeal, but with VERY harsh words for how the Judge handled the original case. (You know, taking favors from other companies testifying, etc.)

Them BEING a monopoly and being convicted of TRYING to be a Monopoly IS NOT THE SAME THING. If they were a Monopoly, then you have to use Windows, and in this day YOU DO NOT EVER HAVE TO USE ANY MS Technology. Hence NOT A MONOPOLY.

This gets repeated so much here and on the internet, everyone just accepts it as fact. Talk about 'unknowingly' spreading FUD.

Don't trust my words, actually read the rulings yourself, and not from some news source.

And trulying I wasn't trying to troll, but why is it ANYTHING MS does gets slammed, often when it is the same stuff or a level of protection /. would normall be happy about if it were NOT MS.

I was trying to drop a reality check, that is all...

Thanks for the response, take care.

Re:Monopolies

[Kaenneth]

Kind of a damned if you do, damned if you don't situation...

Microsoft is obviously the most likely able to repair and protect Windows itself.

Should you complain that Honda dosn't allow you to buy an unpainted car, and take it to the paint shop of your choice? and they make it so hard to remove the paint they put on it, you can't just wash it off with water, what a pain. Then, when you get the paint off, it RUSTS! what kind of defective crap is that?

The majority of computer users don't know the differance between a hard drive and a modem.

as for the idea of MS being a monopoly, the only sense in which that is true is the same as any other Trademark/Patent/Copyright holder, being granted a monopoly on what they made. As opposed to the monopolies which the anti-extension law was designed for, such as providers of Telephone, Gas, Cable TV, Sewage, Garbage, Water, Electricity... back when Ma Bell forced people to buy telehones at 10x 'retail' price, Edison only allowing his light bulbs, Stoves made by the gas company...

The government keeps extending IP monopolies, by extending Copyright and Patent durations while the pace of development has increased.

In my mind, Micky Mouse, Windows 95, the older Beatles songs, and MPEG compression should all be public domain at this point.

Re:Monopolies

[Changa_MC]

...dig up one of those old copies for Solaris, HPUX or MacOS [X] Keyword there is old. There is no current version of IE available for any platform besides Microsoft Windows.

Sensationalist Junk

[PepeGSay]

If they removed other sites from the host file then there would be an article on Slashdot about how XYZ site can't be blocked in the host file and about how that is some nefarious evil plot by Microsoft. Microsoft did just what they should logically do: Removed their own sites from host lookups.

Re:They control the vertical, and the horizontal

[A10n]

:) yup yup!

The problems with this

[bobbutts]

The real problem with this is that: 1. It wasn't documented, so people had to discover this non-intuitive exception. 2. It defeats the purpose of the hosts file. Had they also included the other AV vendors in the list and made the function public it may have seemed like a practical band aid to the hosts file hijacking problem. Instead they made it M$ only and hid it so it looks slimy. The issue is being addressed is also PEBKAC related.. If Windows users weren't logged in as admin the hosts file would be off limits.

Re:The problems with this

[Spy+der+Mann]

If Windows users weren't logged in as admin the hosts file would be off limits.

Problem is, Even Windows has problems with the limited user accounts. I tried setting up internet connection sharing, and I can't even connect to my ISP using a limited account.

Re:The problems with this

[FKnight]

If Windows users weren't logged in as admin the hosts file would be off limits.

The blame for this lays squarely on the shoulders of software vendors who flat out ignore the reems of documentation and white papers that Microsoft publishes on how to write software for Windows such that it runs properly under a limited access account.

Problem is, Even Windows has problems with the limited user accounts. I tried setting up internet connection sharing, and I can't even connect to my ISP using a limited account.

Then you did something wrong because there are a billion other people who it works fine for.

Hotels on Park Place

[Doc+Ruby]

How come the Department of Justice, supposedly "closely monitoring" Microsoft's monopoly abuse, isn't stopping this? How come Microsoft isn't afraid to pull this Internet bundling stunt, illegally leveraging its monopoly, after the "landmark decision" against them 6 years ago?

Re:Hotels on Park Place

[ScrewMaster]

Because a decision does not guarantee enforcement.

Re:Hotels on Park Place

[BradleyUffner]

Maby because it's not illegal?

Re:Hotels on Park Place

[Shihar]

This isn't something that is going to set off the radar in terms of monopoly practices. This is basically a way to help ensure that their product stays up to date. As anyone who has installed from an unpatched version of windows can attest to, you are racing against the clock to get everything updated and firewalled. A smart user will have their updates and firewall in place before they connect to the Internet, but well, not everyone is a smart user.

Does this give Microsoft an advantage? Eh, maybe, but not by much. Most anti-malware/virus/exc software packages are also fanatical about keeping windows up to date. This helps them almost as much as it helps Microsoft. Finally, this doesn't really do much. If you have something running on your machine that can screw with your HOSTS file, you are already pretty much screwed. This is like welding a little wedge of steel to the door of your Humvee. Yeah, it might on a good day stop a stray non-armor piercing round, but it probably is not going to give an RPG much of a pause or stop a hail of gunfire if it comes at your from the dozens of other unarmored spots.

I wouldn't lose any sleep over this. This is a sensible thing for Microsoft to do that really isn't going to harm anyone. At worst, this will do no harm. At best, it will offer a thin layer of protection against some unsophisticated viruses.

Re:Hotels on Park Place

[mstefan]

How come the Department of Justice, supposedly "closely monitoring" Microsoft's monopoly abuse, isn't stopping this?

Oh good grief. Any moderately competent programmer can do exactly what Microsoft is doing with a few extra lines of code.

People getting worked up about this reminds of those folks who demanded that the government immediately do something about the "dangerous chemical" dihydrogen oxide that's "found in our drinking water".

Before ranting for government intervention, it's always helpful to know what you're actually talking about.

Re:Hotels on Park Place

[ScrewMaster]

Have you watched Penn and Teller's "Bullshit!" series? Dihydrogen oxide was the subject of one episode.

Re:Hotels on Park Place

[Doc+Ruby]

Bundling software to leverage a monopoly to promote other products is not only illegal, it's a violation of Microsoft's early 1990s consent agreement with the DoJ not to do so. Which it violated, as decided in the famous "Microsoft monopoly" decision of hte late 1990s. Bundling services is just as much an abuse as bundling software - don't you agree?

Re:Hotels on Park Place

[Doc+Ruby]

If Microsoft had only a thin layer of protection against some unsophisticated viruses to gain, and possible monopoly violations - and certain bad press - to lose, would the company do it?

Re:Hotels on Park Place

[Doc+Ruby]

If someone other than Microsoft did it, they wouldn't be abusing Microsoft's monopoly. Microsoft is unique, and operates under unique rules - supposedly.

BTW, that H2O story you're repeating is fiction.

Before blabbing about fake "libertarian" myths and corporate worship, you should know what you're talking about. Because I know what I'm talking about, and I know what you're talking about - making one of us.

Re:Hotels on Park Place

Lets PLEASE back up here.

This has nothing to do with libertarianism or "corporate worship".

We're talking about Microsoft NOT using the hosts file! Other companies are NOT being prevented from doing the same. I have, in fact, written Windows programs that bypasses Microsoft's TCP/IP API for doing name lookups because of unique situations I encountered where I wanted to do my own DNS lookups. Microsoft did nothing to prevent me from doing so or made it unnessecarily difficult.

If Microsoft was somehow stopping other programs from writing their own DNS resolver code, then I would understand your point and agree with you. What Microsoft is doing is none of this. Nothing is preventing Norton, MacAfee, etc. from DOING THE SAME EXACT THING MICROSOFT IS DOING. NOTHING!

Microsoft being a government recognized monopoly on operating system software is quite irrelevant in regards to this.

I'm afraid you're making this into some kind of situation that it isn't.

Please stop now. That goes for everyone here who obviously does not understand how ridiculous this story is.

Re:Hotels on Park Place

[Kiaser+Wilhelm+II]

What exactly should Microsoft not include with Windows in order to not make it a monopoly?

Should Microsoft only provide a kernel? Would providing a windowing system somehow deprive an other company of business? What about desktop/file system management? Couldn't some other company design a file manager to tell? Explorer.exe surely is an example of what you are talking about.

What about built in device drivers? Couldn't another company provide device drivers for common PC hardware for a price instead of Microsoft bundling their own?

I think this is a ridiculous argument.

Are you going to argue that if Microsoft secures their OS so that it is no longer a shoddy bug ridden security hole laden product it is anti-competitive because it (somehow, someway) makes their OS more appealing in comparison to Linux/etc. and deprives 3rd party AV and anti-Spyware companies of their revenue that it would be anti-competitive?

Re:Hotels on Park Place

[Doc+Ruby]

You might think it's a ridiculous argument, but the US courts thought it was very serious. Before you go reinventing monopoly law or that huge, complex case, try reading it.

Re:Hotels on Park Place

[MoneyT]

BTW, that H2O story you're repeating is fiction.

It may be fiction on any large scale public attempt to get government interaction, but I can certainly attest from personal experience (given that I was the one doing the speaking, and I have it on video) that it's not too difficult to get people interested in banning and eliminating DHMO from the world. People are more than willing to jump on a bandwagon for "public good" without knowing what they're talking about.

Re:Hotels on Park Place

[DanTheLewis]

All the experts at DoJ in "closely monitoring" are too busy writing briefs on toilet paper justifying the illegal wiretap programs to apply their expertise to MS.

Plus they are trying to get ahead on the Iran invasion.

Hmmm.... a landmark decision 6 years ago, somehow connected to MS's impunity in the software marketplace. Its initials are BvG.

The President of China is visiting Bush this week, and what's the number one topic? Not nuclear proliferation, not human rights abuse. It's rips of Windows XP and the trade deficit.

Re:Hotels on Park Place

If Microsoft had only a thin layer of protection against some unsophisticated viruses to gain, and possible monopoly violations - and certain bad press - to lose, would the company do it?

Throw in a tiny advantage in cross marketing MSN and you've got a deal.

Don't you know they're useless now?

[Opportunist]

Or do you think those Aliens are still working with the same technology they used in the 60s? OF COURSE they perfected the thought control beam, and OF COURSE the primary point of attack was tinfoil hats!

Now they're using a new, secret technology that controls you through your nose. Thankfully, I've designed new noseplugs that you can install in your nostrils, they're even almost invisible and throughly woven with gold and platinum. That makes them a little pricy, but it's the ONLY protection you can have!

Order now!

Re:Don't you know they're useless now?

[mOdQuArK!]

Ahhh, nostril-based mind-control protection with bling. Very classy.

MS products not behaving as expected

[Nikademus]

How is that news anyway :)

Re:MS products not behaving as expected

[jimmypw]

It is because, this time it's intentional.

Re:MS products not behaving as expected

[Nikademus]

How would you know some former times were not intentional?

Integrity

[Tony]

. . . those other sites do not play into what MicroSoft sees as the "integrity" of their product.

Which integrity might that be? The same integrity that allows malware to infect a machine to the point where it can poison the hosts file? The same integrity that spawned the anti-malware business in the first place?

Yeah. Microsoft is big on integrity, both moral and technical.

FUD flying low again

[Opportunist]

"Safeguarding" your hosts file against tampering is pointless. Yes, a few trojans toy with it. The ONLY place that's ever redirected afaik is updates.microsoft.com.

So this is going to be celebrated as the hack against malware that keeps you from updating. Ohhhh great. Ok, next move from the malware writers is simply to keep a thread running that checks if something is coming in from the "unwanted" sites. If so, it's deleted before execution. Problem solved.

There is no techical solution for social problems.

Re:FUD flying low again

[jtdennis]

I've seen various antivirus sites get redirected too.

Re:FUD flying low again

[Opportunist]

Apologies for being unclear: The only MS-Site redirected, since only those would be "protected" this way. Of course AV-Sites get the shaft as well, same with the pages of a few personal firewall solutions and online virusscanner pages.

Re:FUD flying low again

[chis101]

Many other sites besides microsoft update are redirected.

I've had to fix computers who's HOSTS file redirects google, microsoft, ebay, amazon, mcafee, norton, et al, to ad-laden websites that just confuse the user. Some even try to trick you by adding many blank lines to the host file, so at first glance upon opening the host file it looks fine, but if you scroll down several pages you notice that there are dozens of redirected sites.

Safeguarding your host file would be a very important thing to do, whether you think so or not.

Re:FUD flying low again

[Opportunist]

As I've stated above, I was refering to MS-related sites, since they'd be the only ones "guarded" by MS.

And yes, guarding your hosts file is important. IF, and only IF, you do it yourself and don't let some company do it. The reason for this lies in the shape of the threat.

The threat is that an attacker willingly alters your hosts file, trying to redirect you to some site. If you protect your hosts file by some means, you are safe from this. If, on the other hand, MS starts to protect the file, the attackers have to find out new clever ways to achive the same goal, thus making the protection virtually worthless because they attack from a different angle. This means more work for the attacker, so it's done through the hosts file as long as it works. If it doesn't work anymore because MS itself is guarding the hosts file, they have to take the approach that requires more work.

On their side, and on yours to protect yourself again.

So the protection from MS leads to less security, in the end. Currently, the average clued computer user can determine whether his hosts-file was tampered with or not. The question is whether this will be possible with the next attack. The clueless portion of the computer users will never be protected.

Re:FUD flying low again

[Keeper]

That's the most ass-backward dumbass statement I've ever read.

In summary: "Making a system harder to attack makes us more vulnerable to attack."

Using that logic, I would encourage you to place your box on a direct connection to the internet, enabling telnet access via the root account, and allowing the root account to login without a password.

After all, using a password would encourage a hacker to hack telnet which would be harder to observe. And if you didn't have telnet on they'd attack some other part of the system you didn't know about. And if you had a firewall, a hacker would have to get through that first, and you can't even check for that on your computer!

</sarcasm>

Re:FUD flying low again

[Opportunist]

I'd like to ask you to read my statement again, maybe it didn't get the point across well. I did NOT say that you should forgo any security on your system. I said that security by the system instead of by the user is going to be pointless.

A fine example for this would be the "Windows Firewall". I don't know any recent trojan that has no disabling routine for it. Still, it is sold as a security feature to the user and some even rely on it.

Currently, it is possible even without any intimate knowledge of DNS to take a look into your hosts file and find out if an attacker tampered with it. Because it is the simplest way of redirecting a user to a bogus page, this is usually the way it is done by attackers.

If you now close this "security hole", it will not stop the attacker but it will force him to use more sophisticated means to redirect you, which are not so easily detectable by computer illiterates.

A password on your telnet daemon is a proven concept. It's successful in keeping unwanted visitors out. "Securing" the hosts file, on the other hand, will serve no security purpose. All it will do is make it harder to detect if someone decides to send you to some page.

I hope this is easier to understand now.

Re:FUD flying low again

[Keeper]

Raising the bar to 0wn a system is never bad. Ever.

Currently, it is possible even without any intimate knowledge of DNS to take a look into your hosts file and find out if an attacker tampered with it. Because it is the simplest way of redirecting a user to a bogus page, this is usually the way it is done by attackers.

For you maybe. For 90% of the computer using population, it isn't. Tell me, how many people do you think KNOW where to find the host file on Windows, that it exists, or even what it does? Hell, I've been using Windows for over a decade and I didn't know where it lived until I read this article.

The problem with "simple attacks" is that "simple" people can perform them. A hard attack isn't something that can be done by a script kiddie. And that's exactly what this is transformed to -- from something that could be written in one minute via a BATCH FILE to something that probably requires, at minimum, a few months worth of effort.

Raising the security bar to exploit a system is always good. It reduces the percentage of people out there capable of understanding how to take advantage of a weakness.

If you now close this "security hole", it will not stop the attacker but it will force him to use more sophisticated means to redirect you, which are not so easily detectable by computer illiterates.

Yet it would still be rather simple to check for via anti-spyware and AV software (which most users depend on in the first place).

A password on your telnet daemon is a proven concept

So if someone has a new idea we shouldn't try it?

It's successful in keeping unwanted visitors out.

Actually, it isn't. Passwords are transmitted in cleartext (which is why you should always always ALWAYS use ssh).

"Securing" the hosts file, on the other hand, will serve no security purpose

It keeps some types of attacks from removing the ability of the machine to obtain an update that might disable said malware. Sounds like a pretty good security purpose to me.

All it will do is make it harder to detect if someone decides to send you to some page.

Just because you can "inspect" the hosts file does not mean there is not some other change hidden, lurking on your system that you couldn't find. Hell, it is entirely possible to write a file system filter driver that would return different versions of the file to different processes. You ability to inspect and "fix" the host file is useless in that case.

I hope this is easier to understand now.

I understand your perspective. I just don't agree with it.

Too bad

So.. they're bypassing my HOSTS file? Well, they're going to have to get past my linux router's DNS and HOSTS file too..

MicroSoft

How can you read slashdot and not know how to correctly capitalize Microsoft?
How can CmdrTaco let something that obviously incorrect get posted?

Yes but

[backslashdot]

You know, I would bet money that were Apple doing this, people would claim it's just vertical market integration .. why should they make things easy for spyware vendors etc.

Apple won't allow others to create DRM enabled files that play on the iPod. Other mp3 players are prevented from being able to play songs bought on iTunes (unless you go the roundabout, dubiously legal (read the contract), route of ripping to CD and then copying the mp3's on there). This is all considered "fair" and a brilliant example of vertical integration.

It seems to me that as far as people are concerned, anything Microsft does is evil, but if Apple does the exact same thing .. it's considered ethical and benevolent.

Re:Yes but

[FusionDragon2099]

Apple does not hold near-total control over online music or MP3 players. Your point is moot.

Comment removed

[account_deleted]

Comment removed based on user account deletion

WHY?

[dud83]

Do people CAPITALIZE the hosts file? I can't remember it being capitalized on any system that I've used. On WINDOWS it doesn't even matter about capitalization, and on both FreeBSD and Linux it is in all lower caps... WON'T SOMEONE THINK OF THE CHILDREN??!

Re:WHY?

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

Re:WHY?

[Mister+Transistor]

IIRC, it's a hangover from Windows 3.1 or maybe Win95.

Re:how long?

[tigrezno]

well, knowing Microsoft, this have been happening for a long time ;)
and what more to expect?

Sensationalist FUD

[Kiaser+Wilhelm+II]

Bypassing the hosts file is not some super-secret thing only Microsoft can do.

You can EASILY do this in your own programs by implementing your own resolver. Microsoft cannot and does not prevent you from doing this.

Microsoft is merely doing something smart. If other vendors cannot figure out this, its their fault. Microsoft shouldn't be penalized for being smart.

Re:Sensationalist FUD

[runderwo]

You can EASILY do this in your own programs by implementing your own resolver. Microsoft cannot and does not prevent you from doing this.

Yeah, I write a resolver for all of my programs... did you miss the point of a library? Implementing an RFC-correct resolver is NOT "easy" by any means.

It's a feature!

You buy their crap you're chained at the hip anyway.

Furthermore

If you don't have bread, just eat cake.

So whats the big deal

[poind3xt3r]

If you want to bypass the hosts file all you need to do is connect by using the IP address as opposed to the DNS name. Sure it seems a bit more complicated or problematic (incase DNS->IP pointing changes) but Im sure all malware programs would rather specify an IP instead of DNS. I would if I was creating a malware program :-)

Affect not effect

[WilliamSChips]

I didn't even know about the hosts file until 5 minutes ago so would it have effected me?

Even with you knowing about the hosts file, it would never bring you into existence.

Completely irrelevant

[mstefan]

It's trivial to directly perform a DNS query. Any third-party application (including malware) can do exactly the same thing Microsoft is doing, there's no "secret sauce" here that's only available to the coders in Redmond.

Re:Completely irrelevant

[jaseuk]

Most malware adds microsoft update and most common anti-virus and security sites into the hosts file to prevent updates from succeeding. This prevents the malware from being spotted by update virus signatures as they will be eternally frozen at the point the hosts file was messed up.

It's not a bad thing, but I do wonder why they don't just disable hosts file completely unless it's specifically required, particularly for the home editions.

Jason

Why not edit dnsapi.dll?

What would happen if you opened dnsapi.dll in a hex editor and changed the strings? I.E., where it says msdn.com, just change it to wxyz.abc. If the code is actually doing a string comparison (like strncmp()), this should cause it to fail. If this does work, it would be simple to write a patcher that changes all of those strings (both for the good guys and the bad guys).

Re:They control the haiku

[Psykechan]

(And my troll is in Haiku)

Windows xp still better
need to run useful software
Mac and Linux are toys

that is not quite right
both the troll and the haiku
are somewhat lacking

but please understand
Mac and Linux are not toys
just other systems

Windows has problems
while it does have more software
it is insecure

please try something else
you might find that you like it
don't stagnate yourself

if end users switch
developers will follow
more software for all

so please help yourself
and help the rest of the world
try something else

if you don't like them
that is your prerogative
simply don't use them

but I'm warning you
going back is much harder
but it is your choice

other OSes
few viruses and malware
true computing bliss

as for poetry
haiku sylable count is
5-7-5

Re:They control the vertical, and the horizontal

[caffeination]

Yes, Microsoft gives itself way too much control over their customers. But Apple isn't a better choice in this respect.

That's pretty serious!

[Weaselmancer]

People should know by now, when you go MS, you don't buy the horse, you buy the farm.

See? Buy the farm.

Wow!

[DivideByZero]

It seems to me that as far as people are concerned, anything Microsft does is evil, but if Apple does the exact same thing .. it's considered ethical and benevolent.

So, since it seems you don't agree, then you're not a person?

(Hint: Plenty of people have problems with Apple for doing this kind of bullshit. Cory Docorow springs to mind. Spare us the tired 'You MS haters just luuuurve Apple when they do the same thing, hippo-crates' bull, OK?)

The network guru's solution

[puzzled]

ip route [offending block] Null0
router ospf 1
redistribute static subnets route-map MSFT-GO-AWAY-NO

route-map MSFT-GO-AWAY-NO
    mat ip addr prefix-list LOSER-MONOPOLIST

ip prefix-list LOSER-MONOPOLIST permit [offending block]

    From memory, but should work under IOS. You have to be root on my desktop to change /etc/hosts, so I don't think about this stuff all that much.

Lawsuit

[Zorix]

Let's see what companies like Syamntec and McAfee will do now. Can't forget the EU either.

Re:Lawsuit

How exactly is bypassing the HOSTS file something someone can sue over?

People on Slashdot are nuts.

Which is more important?

[suv4x4]

Making it harder for malware to abuse our computers, or make sure that if not everybody can bypass hosts, then none can, so that we're all screwed. Think about it.

Re:Which is more important?

[suv4x4]

"Making it easier to administer your computer"

Be fair to yourself and let me know of a common scenario where a casual user would like to adminster their computer by mapping microsoft domains to a different IP in their hosts file...

And compare this to the number of casual users hijacked by malware.

You can twist it and bend it any way you want, but we gotta put some proper priorities in place when judging those issues and not just try to make everything into a shiny demonstration of our hate towards the evil Microsoft.

Re:Which is more important?

How is Microsoft stopping other products from not obeying the HOSTS file?

Microsoft does something that apparently no one else does that is a security benefit and people cry foul.

I don't get the inanity that exists here.

Goodbye, Microsoft

[Progman3K]

People are tired of being treated as stupid by you Microsoft.
You subvert their trust doing things like that.
On top of it, you do it quietly, hoping no one will catch on.
My computer is supposed to perform MY bidding, Microsoft, not yours.
Goodbye, Microsoft. I can't trust you, and I can't see any difference between you and the bad guys anymore.

Exactly.

[slashkitty]

Sure, you'd have to list a few IP addresses to future proof it, or only use the emergency IPs if the host names don't validate.

Which is more important?

[nagora]

Making it easier to administer your computer, or making sure that Bill Gates' products have an advantage over the ones that only try to compete on quality? Think about it.

TWW

not very effective, indeed!

[hackwrench]

-Considering the most popular non-microsoft patches are to tcpip.sys and uxtheme.dll

Re:not very effective, indeed!

[NaDrew]

tcpip.sys

Thanks for reminding me; I'd forgotten to re-patch tcpip.sys after the last round of Patch Tuesdays. Was wondering why my throughput was so low...

Paraphrase

[hackwrench]

First they came for those who knew about the HOSTS file, but I did not know about the HOSTS file, so I did not speak up.

A plan

[hackwrench]

I'm interested in developing such a plan, but it requires people in numbers. I have seen such a plan in works of fiction. Anyone care to contact me?

Re:They control the haiku

Real haiku is also supposed to be about nature. You can't just arrange a bunch of words in haiku format and call it haiku. You need to have some shit about trees and a sunset.

How would Symantec know ..

[RedLaggedTeut]

How would Symantec know that the user did not edit the host file himself to block updates from other AV vendors, for example because these detect Symantecs AV as a rootkit?

What I really don't like about this

[randombit]

The thing that really makes me want to stay away from Microsoft software (and proprietary software in general, though Microsoft seems particularly prone to it) is exactly this sort of behavior. For a long time I've had the sentiment that Unix was more secureable than Windows (securable, not secure-out-of-the-box, since neither of them is that), precisely because I find it much easier to look at a Unix system (particularly one which I have the full sources to) and understand what it is doing than I do when using a Windows system.

I assume this is actually undocumented behaviour, since I haven't seen anyone claim to have known about it before now, nor can I find any references on MSDN about it. Having unintuitive and undocumented behaviour is exactly the sort of thing that makes it very hard to gain a correct mental model of how a system behaves, and if you don't even understand how the system works I don't see how one can secure or troubleshoot the system in a way that isn't essentially "shotgun debugging".

My $.02

Re:What I really don't like about this

[Ash-Fox]

Apple does this too, better stay away from them too.

There's a quick fix for this...

Might take a little googling, and Im lazy at the moment, but I had the exact same problem. Its a small .com file fix that changes one bit in the IBM BIOS. Run it from a boot floopy and all is well... And once done it didn't display any messages, it just worked as it should.

rest of the FD thread

[Cally]

Here's a threaded view of the Full Disclosure thread, rather than the first follow-up post to Dave Korn's OP, which the story submitter seems to have decided would be a better way... http://archives.neohapsis.com/archives/fulldisclos ure/2006-04/thread.html#268

Re:rest of the FD thread

[whitehatlurker]

Cally;
Thank you for the FD link. That certainly is a more readable listing, and would have been a much better first link.

Just to explain why it was sent in that way, the second link in the preamble goes to a posting not on the FD list - Derek's email only went to bugtraq, and I think it contained some material of interest for the story.

Thanks again.
whl

Not very practical

[EmbeddedJanitor]

just use an external firewall

This is not very practical advice. Most people don't understand any of this stuff and adding a firewall will only have limited effect unless tuned by someone with significant understanding.

Yet again, MS proves themselves to be untrustworthy.

This is normal

[Gerzel]

Microsoft just felt threatened by Google starting to wear the evil dress. So to make up for it MS has shown off some evil it has been keeping on a back burner.

This bit me in the...

[grudgelord]

Some time back I was doing some work for a particularly draconian client who wanted all web traffic restricted to pre-approved sites for all users at his business. I repeatedly suggested that we go with a server based solution but he was convinced that Content Advisor would solve the problem. He failed to realize that CA is a very poor tool for this as it just doesn't work well for several hundred workstations nor does it have a centralized administration point. But he was convinced that he knew more about the topic, "It'll work fine, just go ahead and do it." So...

He wanted anything not explicitly approved by him to be blacklisted and specifically named msn.com and a few other popular office time-waster sites (yahoo, etc.). It was through this process that I discovered that neither content advisor nor manipulation of the hosts file will block msn.com or other Microsoft sites. As MS has never made it public knowledge that you cannot block these sites in this manner I ended up looking rather foolish when I couldn't black-list. I had guessed at that time what was actually happening but I had no proof of documentation on which to fall back.

At least I reduced the list propagation time by setting up the list on one machine and pushing the registry to the remainder but the damn thing never did work right, it was such a hack job and I'm ashamed of it when I look back in retrospect. I wish they'd let me do it right.

If MS had disclosed this change (along with the Content Advisor change) I wouldn't have felt so foolish.

Pah

[James+Youngman]

If you don't like the way that Microsoft software works, use something else already. Sheesh.

Apple seems to do the same with OS X

Oddly enough, I just noticed this today with OS X.

Try creating a host entry over configuration.apple.com on 10.4.6.

Re:Apple seems to do the same with OS X

[user+no.+590291]

I wouldn't be surprised if this is to prevent people from simulating the overpriced .mac service with their own box.

Re:Apple seems to do the same with OS X

[AcornWeb]

I just tried it. You have to run this command after changing your host file:
lookupd -flushcache

and then you can ping configuration.apple.com and have the new IP address reflected. This is on 10.4.6

Re:Apple seems to do the same with OS X

Ahh - Thanks! I thought that MIGHT be the case, but I didn't notice the same behavior with other hostnames. I suspect because they wern't cached yet.

Re:Is this necessarily a bad thing? COULD BE!

[davidsyes]

You know what this brings to mind? My block lists. In firestarter and Konqueror, Mozilla and Opera, I BAN the hell out of doubleshit! I also ban eqn, eqv, ad, point and some 150 or 200 subdomains.

But, it seems, though, double-dick caught on to people banning their asses, so what I have *I* noticed (don't know how long this/the following has been the case) is that our ***ISP's*** are hosting double click. That means that now, if you ban EVERY address spewing doubleshit, you're blocking your own ISP. It's pissing me off that Comcast **seems** to be hosting or handling doubleclick to make SURE something about your/my surfing habits WILL end up in doubledick's database.

This also, I guess could be similar to what ms **might** be doing. Has anyone traced their cookies, the bots, and the 1 pixel code crumbs, broken them open, and found their "home base"? I wouldn't be surprised if nowadays or in the past 6 years that the ms hosts file usage enables them to command your machine to randomly and in small bytes periodically send them some information about your activities, hardware, software, things your machine talks to on your LAN...

This could be the NEXT total information awareness arsenal piece: Wanna surf, doubledick (probably a federalized activity/government-funded entity by now) will get information. All your ISP has to do to assuage any "guilt" they may have is say what yahoo and others say: "WE COLLECT PRIVACY INFORMATION..." and create an umpteen-long document to deter rejection or complaint by MOST users.

I wish I could make heads or tails about what Ethereal finds, though. I wish I could find out enough about connections that try to come to my machine. Etherape helps, too, but I HATE doubledick with a passion. I block them and a slew of others, even though it nearly doubles or triples some page load.

Hmmm, interesting: image word/word image: "suffers"

they dont care

[MERVERNATOR]

I highly doubt they care as much about using this to stop malware as they say,.. but rather use it as a way to control product activations from being redirected.

Not just a monopoly

[KwKSilver]

IIRC, the court's finding was that Microsoft was a predatory monopoly. The lower court's findings of fact were upheld by the appeals panel. Merely being a monopoly is not illegal, if it were, almost all electricity companies would be illegal. Being a predatory monopoly is illegal. Where the appeals court failed was in the remedies.

OTOH, the MS EULAs give MS the right to do whatever they damn well please to your system, your applications and your data. It also states if you wishe to take them to court, you have to do it on their home turf in Washinton State. Good luck, bud.

Re:Potentially unfair... well, then...

[davidsyes]

WHos' gonna step up to write the applet that shows:

- you your host file
- what it is blocking
- the known universe of competitors who are still in business (based on another file)
- how to disable the host file so you can bypass ms' crackware sites
- how to disable it or if you're not admin/local admin, inform your IT department

?

Or, does such a thing exist in some anti-virus software?

It could be that the host file some day will be accessible to a few "ms-anointed" sites that either fit in with ms' view, pay ms the requisite amount, or are homeland security. Wait-- dhls can just go the the ISP and track your hops via some special crumbs, right?

Re:Potentially unfair... CLEARINGHOUSE?

[davidsyes]

Well, let's say the EFF or some authoritative source (please, no ms and TCP crap) maintains a list of new, active, performing A/V vendors. They get rated much like in the BBB lists.

Being on the list would cost or show about or require of the vendor

- say, $50 a year,
- submission limitation of only ONE IP address
- the submitted IP has to resolve to their main site
- the IP cannot be changed for 1 year
- the company has to be registered with its nations IRS and similar equivalents
- the business gets a rating based on a preponderance of veried complaints
- court cases and arbitration and nefarious or questionable marketing, technology, or product behavior gets listed
- anti-competitive conduct or behavior gets noted
- the vendor site has to be signature verified
- the vendor site has to have a basic security of kind

More items? Anyone?

WFP is for stability not security

[toadlife]

WFP was created to solve the problem of third party installers overwriting windows dlls with their own versions. This was a huge problem with Win9x. WFP pretty much solved that issue. WPF can be turned off by an administrative user, so it's not really equippped to deal with the actions of malicious programs.

Sorry to be anal

...but there is no captial "S" in Microsoft.

Re:Sorry to be anal

[pfleming]

...but there is no captial "S" in Microsoft.
or a capital one either.

Re: Wrong Wrong Wrong!

[mpapet]

If only most applications could run properly with user-level permissions.

I admin a tiny number of desktops and not one of them worked with user-level permissions.
-Mysterious errors
-Application functions that simply did not work.

These are *very* generic XPSP2/Win2k desktops with Office 2K/2003.

Initially, I was not deterred. With every hurdle crossed with ugly hacks, there was yet another error with no documented solution.

Someone posted a link to NIST(?) documentation that I eventually used. It's by far the best way to do a job that the OS was never designed to perform.

Mod parent way down

Microsoft Mental Model

[infolation]

You are now your computer's bitch. Deal with it.

Well

[TCM]

I don't know if it's been said already, but using the hosts file to reliably "block" anything is a very stupid idea to begin with.

The hosts file is there to provide name-to-address translation for crucial hosts which might be needed before DNS is available. It has no features like pattern matching or blocking by address range, because that's entirely out of its scope.

Another side effect of abusing the hosts file is ambiguous errors. Because access to ad servers in the hosts file is not "blocked" but rather redirected to 127.0.0.1, you are twisting semantics about why this or that URL doesn't work now.

If you need to block networks/URLs by pattern and for HTTP only, you should use a proxy like squid.

I won't even begin to rant how using the hosts file for more than 1 computer is phenomenally stupid. Seriously, the guy who came up with this abuse should be severely beaten over with a cluestick.

</rant>

Not OK, has great Censorship Potential.

[twitter]

Yet still, I fail to see what the big deal is.

You don't see what the bid deal is about a second M$ imposed DNS system is? If they can bypass your hosts files, they can bypass anything and thereby censor anything they wanted for you.

Let's say M$ decided to censor Slashdot, for example. You type http://slashdot.org/ but get the Microsoft mirror instead, all cleaned up. It might take you a while to catch on. A more diabolical approach would be to make connections to this site or that unreliable. This would transparently censor selected sites and frustrated users would simply abandon them. They could FUD those sites with Astroturf like, "That site sure is slow." etc.

This is the ultimate price of non free software - you never know what it is really doing.

Re:Not OK, has great Censorship Potential.

Let's say M$ decided to censor Slashdot [...] A more diabolical approach [...] They could FUD those sites with Astroturf like, "That site sure is slow." etc.

ROTFLMAO!!!! Hey twitter, maybe they could implement a filter and get rid of the dupes and slashvertisements! Wouldn't that be great?? Maybe even open source it!

BWAHAHAHAHAHAHA!!!!

You installed the malware yourself.

[twitter]

"Safeguarding" your hosts file against tampering is pointless.

No one is defending that excuse.

The greatest potential problem is from M$ themselves. If they have a mechanism that defeats DNS and host files, they can direct your traffic where ever and whenever they want to. Used carefully, this power is undetectable and easily explained by the overall sorry Microsoft browsing experience. M$ can intermittently DoS sites and make life difficult for those they don't like.

Re:You installed the malware yourself.

http://slashdot.org/comments.pl?sid=129735&thresho ld=5&cid=10823036
http://slashdot.org/comments.pl?sid=112229&cid=952 1025&threshold=5
http://slashdot.org/comments.pl?sid=137420&cid=114 89094&threshold=5
http://slashdot.org/comments.pl?sid=155076&cid=130 11391&threshold=5
http://slashdot.org/comments.pl?sid=113493&thresho ld=5&cid=9614809
http://slashdot.org/comments.pl?sid=164775&cid=137 51004
http://slashdot.org/comments.pl?sid=126301&thresho ld=5&cid=10572437
http://slashdot.org/comments.pl?sid=119108&thresho ld=5&cid=10056927
http://slashdot.org/comments.pl?sid=135403&cid=112 99129&threshold=5
http://slashdot.org/comments.pl?sid=136181&thresho ld=5&cid=11374447
http://slashdot.org/comments.pl?sid=134005&thresho ld=5&cid=11203454
http://slashdot.org/comments.pl?sid=159878&thresho ld=0&cid=13384602
http://slashdot.org/comments.pl?sid=166661&cid=138 99128&threshold=2
http://slashdot.org/comments.pl?sid=168164&cid=140 19967
http://slashdot.org/comments.pl?sid=168163&cid=140 20030&threshold=5
http://slashdot.org/comments.pl?sid=172399&thresho ld=1&cid=14355804
http://slashdot.org/comments.pl?sid=172869&cid=143 89115&threshold=5
http://slashdot.org/comments.pl?sid=175800&cid=146 12128&threshold=5
http://slashdot.org/comments.pl?sid=153489&thresho ld=-1&cid=12876883
http://slashdot.org/comments.pl?sid=118246&cid=999 7235&threshold=5
http://slashdot.org/comments.pl?sid=100963&cid=863 3073&threshold=5
http://slashdot.org/comments.pl?sid=182119&cid=150 55046

Worst Possible Behavior

[twitter]

From the Fine Article:

I'm gobsmacked by this: corrupting the resolver is little short of an intentional dns poisoning attack. It's as if internet explorer had special code in it to see if you were doing an internet search for 'microsoft products' and then altered the results to only return favourable reviews that microsoft wanted you to see.

Actually, it's exactly like that. Special cases, which can be added or subtracted on Windoze update, can effectively censor the internet for you. Imagine they intermittently broke connections to sites they did not like. The user would never know, the site would be blamed and abandoned. That nasty and it's exactly what M$ likes to do to their perceived competition.

Re:Worst Possible Behavior

[jfclavette]

What ? And of course, no one in the world would notice and Microsoft would NOT get its ass sued out of the window... Take off that tinfoil hat.

What version of DNS???

[kmeister62]

I wonder what version of DNS code MS uses. I find it rather interesting that the HOSTS file in MS Windows is located in ../etc/ directory.

Re:What version of DNS???

[stuuf]

Mirosoft borrowed a lot of the network code for Windows from BSD. Everybody knows this.

So what?

[Eskarel]

So they set up windows so it always does a DNS lookup on microsoft sites? So bloody what?

They aren't spying on you any more than they already were. They're ensuring that you can always get to their sites for patches and support. They aren't doing it for anyone elses sites because it's not their business to do that.

I just really don't see what the big deal on this is, your average user will never use the hosts file, and you need to get to Microsoft sites to patch and maintain your microsoft system. If you don't want to deal with Microsoft don't use their OS, they're not doing anything particularly wrong here.

Try looking at it in reverse.

[jd]

What it means is that if a rootkit alters the internal IP tables for a Microsoft address, most virus checkers won't pick up on it (the Hosts file will be untouched) and it will be impossible for the user to override the problem in order to get to Microsoft's website to download the necessary patches.

Really?

[BrokenHalo]

...available from Windows Update called "Malicous Software Removal Tool."

Hmmm, let me see... Oh yes, here we go:

"Windows has been found on your hard drive. Click [OK] to remove it."

:-P

WTF

[thepotoo]

The whole point of my using Windows is that I'm running everything as root. Without root, half the games I play don't run (GTA and Quake spring to mind).

If I can't play games, I might as well stop dual-booting and go 100% to Linux.

Heh. I guess this is just more evidance that Windows wasn't built with user sanity in mind.

It still works for localhost, though

[shanman]

I tried a few on the localhost line. DNSAPI seems to honor them.

For example:

127.0.0.1 localhost www.microsoft.com

PING www.microsoft.com resolves to 127.0.0.1 (and succeeds ;)

and http://www.microsoft.com/ fails (resolvs to 127.0.0.1 then redirs to a search)

Move it to it's own line, and the "trigger" kicks in.

I'm running WXP SP2 (w/ all the latest patches)

ANYONE can Do this! The Functions are Documented

[ZOverLord]

Just look Here for more info:

http://msdn.microsoft.com/library/default.asp?url= /library/en-us/dns/dns/dnsquery.asp

Also you can defeat a Host file by simply changing the priority of lookups using the registry, more here:

http://www.dslreports.com/forum/remark,15900699~da ys=9999~start=20#15902844

Let them over-rule the HOST file ...

[ignavus]

They may well over-rule the HOST file ... but *I* administer the firewall, the router and the DNS server.

What's that URL you want to look up?

Where do you want to have that packet sent? Oh, THAT IP, huh? Sure, I will.

Bwahahaha!

Re:They control the haiku

hi-res rolling hills
adorn the windows desktop
red queen on black king

Use Treewalk DNS instead

[Quizo69]

Here' a simple solution to the Microsoft controlled DNS HOSTS file:

http://treewalkdns.com/

Allows you to bypass Windows' own DNS server and gives you the useful feature of making DNS queries much quicker than resolving to your ISP all the time, among other benefits.

Very easy to install for Joe User and just as easy to uninstall.

HTH

absolutely safe band-aid

[jjohn_h]

The privileged Microsoft links that Dave Korn has discovered
are all accessed via go.microsoft.com.

I searched through /windows/system32 and found 3 files that
contain that address:

        browselc.dll
        themeui.dll
        wmvcore.dll

I renamed them after booting into Bart's PE. Actually, I
renamed several instances of them in different locations.

But what, if you want to access MS updates? Don't access them
online, wait for a CD to be released.

Oh, but that is risky in the meantime! No, it is not: just
deactivate ActiveX and jscript and go online as simple user.
No firewall, no real-time anti-virus, nothing.

That's my approach and I have not been bothered by malware
in years. Also consider the bonus: you are out of reach for
web artists! That's happiness, folks.

Spyware using an LSP can circumvent this I'm sure

[bedammit]

Spyware using an LSP can circumvent this I'm sure. see this link on coding an LSP http://www.microsoft.com/msj/0599/LayeredService/L ayeredService.aspx

Uh, what OS can you "own"

[tjstork]

You most certainly can't own Linux. GPL, is, after all General Public LICENSE.

Re:Uh, what OS can you "own"

[Pius+II.]

Simple: don't accept the license.

That's what the GPL says (clause 5): you don't have to accept it. If you don't want to accept it, fine. You still own your copy of Linux, and are free to do with it what you want. As long as you don't violate the copyright, which you don't own. The GPL is a distribution license, not some silly EULA.

Re:Uh, what OS can you "own"

Wrong. You are not "free to do with it what you want"

http://www.gnu.org/licenses/gpl.html

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

Why can't vendors use a fixed IP address?

[Joce640k]

Why use DNS at all? A vendor can easily hardwire a fixed IP address into their programs.

Re:Why can't vendors use a fixed IP address?

[jtn]

IP addresses change; renumbering is a fact of life on the Internet, even if you should have your own portable spaced assigned by your regional IP block authority.

cooool

[suezz]

this is the just an example of what drm and trusted computing that your wonderful senators are pushing for.

this is just the beginning folks - be ready for the rest with vista - drm and trusted computing are so cool - now you will get spam from only companies that pay microsoft more money to send spam.

here is a solution to this problem - buy linux and you will be in control of your own computer.

Re:Is this necessarily a bad thing? COULD BE!

try that post again using real names instead of they cutesy gimmicks and I'll read it again without thinking to myself "Wow, this guy is a real scrotum licking crackbaby."

Slashdot can be so hypocritical

[merlin_jim]

Here Microsoft adds features to one of their products to increase security and the effectiveness of their antispyware products, and we call them evil. THIS IS A GOOD THING. They didn't extend this feature to their direct competitors - big deal? Guess what? That's what competitive marketplaces are all about.

What would you rather they did? I mean they could've not added these features - would that be better? They're NOT going to offer to extend these protections to their competitors - that's less evil to consumers but more evil to shareholders - what could they have done that would be less evil?

Re:Slashdot can be so hypocritical

[Slashcrap]

What would you rather they did? I mean they could've not added these features - would that be better? They're NOT going to offer to extend these protections to their competitors - that's less evil to consumers but more evil to shareholders - what could they have done that would be less evil?

Yeah that's great, with such controversial opinions you must be a really interesting individual etc.etc...

How do you explain them not telling anybody about this wonderful new security feature? You know, the one that modifies how the OS works at a fairly low level?

Read this post from grudgelord for an excellent and completely non-sensational example of how this type of shit can bite people in the ass - http://yro.slashdot.org/comments.pl?sid=183258&cid =15139637

Re:Slashdot can be so hypocritical

How do you explain them not telling anybody about this wonderful new security feature? You know, the one that modifies how the OS works at a fairly low level?

Yes, they kept it a very tight secret, by putting the documentation for this feature where you'd never think to look for it: on msdn.

Re:ANYONE can Do this! The Functions are Documente

[I'm+Don+Giovanni]

And yet another Slashdot anti-MS conspiracy threory bites the dust. LOL
There are two sad things about this.
1. Slashdotters demand that Microsoft document their API, yet are quite ignorant of the vast documentation that already exists.
2. You can be sure that in the future, a slashdotter filled with irrational MS-hatred and his own self-righteousness will cite this bypassing of the HOST file as evidence of Microsoft's evil, totally unaware of his absolute ignorance on the subject (or worse, well-aware that these functions are documented, but ignoring that so as to make is ill-founded point).

if third party software wants to do this

[petermgreen]

it can just get the dns server ips through iphlpapi and talk to them directly.

so no real competitive advantage

not quite.

[petermgreen]

1: The same soname is kept until the library author makes a change that stops older applications from working. So you can (in theory) upgrade the library safely but you still have to be carefull about the possibility of stupid installers downgrading it.

2: library authors do sometimes make breaking changes without changing the soname. When they do so it puts distro makers (especially those that belive in distributed development like debian) in an awkward position. They either have to break compatibility with thier own older binaries or break compatibility with binaries built on other distros.

3: Library authors often make changes without changing the soname that while not effecting specified behavior do fix bugs that some applications may be relying on. Symbol versioning can sometimes solve this issue but only if the library authors know they are breaking undocumented functionality.

So the *nix situation is better than on windows one but still far from perfect.

M$ Modus

[SirLanse]

They have a way to make things work that is undocumented.
This works better than anybody else's methods.
When someone else starts to use it,
M$ changes it.
It is undocumented, so it is ok to chang it, WITHOUT NOTICE.
The other company's stuff crashes.
M$ Profit!!
-- They did this to WordPerfect and Lotus, now only Office survives.

IE was blacksmith response to internal combustion

[JimmytheGeek]

MS and IE was like a blacksmith seeing the writing on the wall and bolting the new paradigm (web apps) onto the old. So now the horse hauls around a dangerous engine in the back of the wagon, doing things the same old way only worse.

The direction things were going - we could have standardized on web apps and thin/lean clients. We'd sacrifice a little usability in the UI for portability. Run a browser, run the app. Anywhere the browser runs, the app does.

Now the browser is encased in the cruft of Windows and the industry and art is held back. It's as bad as when IBM held back magnetic tape because they sold punch card makers.

What about ipsec?

[Kazoo+the+Clown]

If they also bypass ipsec that could mean real trouble. The organization I work for has told the employees not to upgrade to XP SP2 due to software incompatibility issues (I had to anyway, as I'm running SQL Server 2005 & VS 2005 which required SP2, and I'm not sure just what's supposed to be incompatible with what).

If an organization chose to try to use ipsec to distribute blocking filters as part of their security policy and MS bypassed them, I'd think there'd be some issues with that...

Haven't tried it yet, but may get around to it sooner or later...

you do realise

[petermgreen]

that with use of iphlpapi its trivial to bypass the windows dns code (and therefore the hosts file) altogether right?

any anti-malware vendor could do this very easilly (writing a dns client isn't hard if you are a reasonable coder).

Re:ANYONE can Do this! The Functions are Documente

metasploit opcode in 3...2...

many reasons why things suck

This reminds me of the worst website ever...which was trying to make a fool of a random bulletin voting service. This site does nothing but hosts bulletins, but yet you can vote as many times as you like if you remove the unique identifier from the action. here check it out. Worst Website Ever and please click vote like a hundred times it's amusing