Slashdot Mirror


DIY Service Pack For Windows 2000/XP/2003

Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

197 comments

  1. yeah, that's real safe by ILuvRamen · · Score: 3, Insightful
    Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.
    Yeah, that's just so terribly safe compared to not having it... except that now there will be like a million fake ISOs floating around the internet saying they're the latest batch of Windows updates, and people who are too lazy to make the ISO themselves will install the fake, spyware- and trojan-infested ones.
    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    1. Re:yeah, that's real safe by emor8t · · Score: 1

      Well, that's their problem now, isn't it? You can only help the unknowledgeable learn if they are willing; otherwise, they are just stupid.

    2. Re:yeah, that's real safe by Anonymous Coward · · Score: 0

      Na, WGA or DRM or TCPA or whatever ensures the validity of the iso...
      I'm just joking but they could use plain ol' hashes...

  2. WGA & Patching pirated copies by loimprevisto · · Score: 0, Troll

    Is this a way around WGA? If so Microsoft will find a way to kill it...

    --
    Much Madness is divinest Sense --
    To a discerning Eye --
    Much Sense -- the starkest Madness
    1. Re:WGA & Patching pirated copies by Anonymous Coward · · Score: 0

      Http://www.autopatcher.com
      This has been around for a while, and WGA is an option!

    2. Re:WGA & Patching pirated copies by Deluge · · Score: 2, Insightful

      Yes, there is. Every time MS releases an updated WGA .dll, the pirates release a cracked copy. Shows up all over the place. Download, overwrite the files in WINDOWS/SYSTEM32, and presto, no more nags, and you can use Windows Update manually too.

      I have a feeling it won't be quite so cut and dried with Vista though.

    3. Re:WGA & Patching pirated copies by Sneakernets · · Score: 1

      I have a feeling it won't be quite so cut and dried with Vista though.

      Why? Never underestimate the power of piracy. Remember how "secure" WinXP was supposed to be? In a few weeks, a WPA killer was already making the rounds. WGA killers ABOUND.
      Piracy has been around forever and always will. A huge company in Redmond won't be changing that.

      --
      "No freeman shall ever be debarred the use of arms." -- Thomas Jefferson
  3. Well Einstein by El+Lobo · · Score: 2, Informative
    1) Who says that you must download it from an unpatched PC?

    2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?

    3) What else will we whine about now... the versatility of Macintosh hardware?

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:Well Einstein by joe+155 · · Score: 3, Funny

      "The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?"

      I would say your second guess of 2 is closer than your first of 0... shall we split the difference and agree at 1?

      --
      *''I can't believe it's not a hyperlink.''
    2. Re:Well Einstein by truthsearch · · Score: 2, Interesting

      Home desktops aren't usually behind firewalls. A new PC gets connection attempts from evil scripts and viruses within seconds of plugging it into the internet. Even with a high speed connection it takes quite a long time to download and install all of the Windows updates on a new PC. So the chances of getting infected are quite high.

    3. Re:Well Einstein by falcon5768 · · Score: 1

      Even with a firewall they are. Case in point: I hooked up my father-in-law's brand new out-of-the-box HP to get updates. Within 3 minutes it was hit and infected before I could even get everything configured. Thankfully I had AV running on it by that time, but it blew me away how fast it got infected.

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    4. Re:Well Einstein by Anonymous Coward · · Score: 0

      That's 0.2 for americans

    5. Re:Well Einstein by Vellmont · · Score: 3, Insightful


      Home desktops aren't usually behind firewalls.

      That may have been true 10 years ago, but these days most home PCs are at least behind a NAT. Unless you've gone out of your way and configured your NAT to forward all ports to your PC (i.e. a DMZ), outside attacks will be quite useless. The only threat in this case is the user downloading a virus from email, or visiting a compromised website. If you run windows update (well, several times) before you do either of those things, there's no danger.

      --
      AccountKiller
    6. Re:Well Einstein by Shakrai · · Score: 2, Informative

      Home desktops aren't usually behind firewalls

      Depends on your service provider. In my experience most DSL providers use NAT routers -- even for single PC connections. Most cable providers seem to use bridges and your PC gets a globally valid address, which tends to be a problem for a Windows PC.

      Then there are dialup users. But if you have to use dialup to do a complete set of Windows updates on a brand new PC, it's an even-money bet that you'll die from old age before they finish, and in this scenario who cares about being pwned?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    7. Re:Well Einstein by Anonymous Coward · · Score: 0

      Oh look, you got modded flamebait. I guess they don't like that possibility (0.2) xD

    8. Re:Well Einstein by Shakrai · · Score: 3, Interesting

      That may have been true 10 years ago, but these days most home PCs are at least behind a NAT.

      Umm, I'd have to disagree with that statement. Around here the biggest provider of internet connectivity for home users is Roadrunner. They provide you with a cable "modem" that acts as a bridge between their network and your PC. The PC gets a globally valid address.

      In fact the only Roadrunner home users I know (not counting geeks/techies) that have NAT routers are those that have more than one computer. Otherwise it's right into the PC and come and get it boys cuz I'm wide open!

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    9. Re:Well Einstein by Klaidas · · Score: 3, Funny

      Well, the safest thing to do is to simply turn the computer off, remove the CPU, dig it in the yard and lock the rest of the computer in a safe.
      Although, script kiddies might still be trying to infect it...

    10. Re:Well Einstein by truthsearch · · Score: 1

      Most home PCs are behind NATs? Personal ones? I find it impossible to imagine that most non-technical people are asking for routers/gateways when they purchase their PCs. Especially when they're only purchasing one PC and therefore don't require a NAT. Do you have any evidence?

    11. Re:Well Einstein by Vellmont · · Score: 1

      but they're in the minority now.
      They provide you with a cable "modem" that acts as a bridge between their network and your PC. The PC gets a globally valid address.

      That's true, but there's a large percentage of people with more than one computer/game console/etc in their household, and Roadrunner only provides one IP address unless you want to pay big money for business class service. Those people will buy a cheap NAT router at Best Buy and plug it in so they can get more than one computer connected to the internet.

      Also, DSL modems these days almost universally provide a NAT inside them. All this adds up to most people being behind a NAT. Obviously there's still people NOT behind a NAT, but the numbers are shrinking every day.

      --
      AccountKiller
    12. Re:Well Einstein by slashbob22 · · Score: 1

      I would say your second guess of 2 is closer than your first of 0... shall we split the difference and agree at 1?

      bool hack_probability=1;

      I guess there is good reason to be careful.
      --
      Proof by very large bribes. QED.
    13. Re:Well Einstein by Vellmont · · Score: 1


      I find it impossible to imagine that most non-technical people are asking for routers/gateways when they purchase their PCs.

      Most of them don't know what the hell it is, they just want something that'll allow them to connect multiple computers on the same internet connection.

      Do you have any evidence?

      Just my own experience. It really doesn't take much of any technical experience to set up a NAT. Your average interface-jockey can certainly plug the thing into the cable modem, and plug his computers into the LAN side.

      --
      AccountKiller
    14. Re:Well Einstein by shmlco · · Score: 1

      Jumping in, the Qwest DSL modem (Cisco) we received for home use was preconfigured to automatically put us on an internal NAT w/DHCP running.

      So yes, evidence exists.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    15. Re:Well Einstein by Shakrai · · Score: 1

      That's true, but there's a large percentage of people with more than one computer/game console/etc in their household, and roadrunner only provides one IP address unless you want to pay big money for business class service. Those people will buy a cheap NAT router at best-buy and plug it in so they can get more than one computer connected to the internet.

      I don't disagree with you on that. I just disagree with your original statement of "most" home PCs being behind a NAT. Being the only techie at my company I've often been asked to help people with PC issues. Besides one person who had bought a combined router/ap for her laptop, I honestly can't name a single one of them that didn't just have Roadrunner plugged right into the PC.

      Also, DSL modems these days almost universally provide a NAT inside them. All this adds up to most people being behind a NAT. Obviously there's still people NOT behind a NAT, but the numbers are shrinking every day.

      I made that observation too. That's another reason that I steer people towards DSL over cable. Plus the fact that Verizon offers 768k service for $14.95/mo vs $34.95-$44.95 for Roadrunner. 768/128 service may not impress most people on /. but it's more than enough for Grandma to send pictures to her kids and do online banking.

      In any case, you must be working with a different area or group of people than I am, because in my experience the overwhelming majority of people are not behind NAT until I put them there.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    16. Re:Well Einstein by drinkypoo · · Score: 1
      The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?

      I've personally seen a Windows 2000 system get railroaded because it got bad DNS from a malicious DHCP server in the real world. Visit windows update, ends up feeding you a bogus IP, redirects you to someplace that owns you.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:Well Einstein by Anonymous Coward · · Score: 0

      I've personally seen a Windows 2000 system get railroaded because it got bad DNS from a malicious DHCP server in the real world. Visit windows update, ends up feeding you a bogus IP, redirects you to someplace that owns you.

      Just curious - does this work via an Internet Explorer vulnerability? Presumably the actual Windows Update packages are digitally signed to prevent this type of attack... but an IE vulnerability could be used to bypass that.
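The point raised above about signed update packages is the check an offline installer should actually make before running anything it downloaded. The following PowerShell script is an added example, not part of this thread or of heise's Offline Update or AutoPatcher scripts; it assumes the downloaded packages sit under a placeholder directory C:\OfflineUpdate\packages and refuses the batch if any package lacks a valid Authenticode signature from Microsoft.

```powershell
# Added example (not from the thread or from any of the tools discussed):
# verify every downloaded update package before an offline installer runs it.
# A bogus DNS answer or a tampered ISO can deliver a package with the right
# file name, but it cannot produce a valid Microsoft Authenticode signature.
# Assumes a placeholder package directory; adjust $PackageDir to suit.

param(
    [string]$PackageDir = 'C:\OfflineUpdate\packages'
)

# Package types an update ISO typically carries; all support Authenticode.
$extensions = '*.exe', '*.msu', '*.msi', '*.cab'

$results = Get-ChildItem -Path $PackageDir -Recurse -Include $extensions |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) {
            $sig.SignerCertificate.Subject
        } else {
            '<unsigned>'
        }

        # Status 'Valid' means the file hash matches the signature and the
        # signing certificate chains to a root trusted on this machine.
        # Checking the subject as well stops a validly signed package from
        # some other publisher (e.g. a repackaged "patch") from slipping in.
        $ok = ($sig.Status -eq 'Valid') -and
              ($subject -match 'O=Microsoft Corporation')

        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status
            Signer = $subject
            Ok     = $ok
        }
    }

$results | Format-Table File, Status, Signer, Ok -AutoSize

$bad = @($results | Where-Object { -not $_.Ok })
if ($bad.Count -gt 0) {
    $list = ($bad | ForEach-Object { "  {0} [{1}]" -f $_.File, $_.Status }) -join "`n"
    Write-Error ("Refusing to install: {0} package(s) failed the signature check:`n{1}" -f $bad.Count, $list)
    exit 1
}

Write-Host 'All packages carry a valid Microsoft Authenticode signature.'
exit 0
```

Run it from the installer script and only proceed on exit code 0; a non-zero exit lists each rejected file with the reason (NotSigned, HashMismatch, NotTrusted, or a non-Microsoft signer).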

    18. Re:Well Einstein by IdolizingStewie · · Score: 4, Funny
      Your average interface-jockey can certainly plug the thing into the cable modem, and plug his computers into the lan side.

      I want your users. I lost internet access three times last year because some dumbass down the hall plugged his router in backwards and was trying to NAT the whole damn building.

    19. Re:Well Einstein by Vellmont · · Score: 1


      I want your users. I lost internet access three times last year because some dumbass down the hall plugged his router in backwards and was trying to NAT the whole damn building.

      Heh. Well I didn't say they understood what's going on at all. In their own home they can only screw up their own crap (and when it doesn't work, they plug it in the other way). In a public LAN they're dangerous as hell.

      I had a similar problem a few years ago when some damn fool misconfigured his router with the same IP address as the NAT. It took me half an hour to figure out what he'd done (and confirming it via looking through the ARP cache). Another time a different guy set up his router to advertise DHCP for the whole network, routing everything through his router. A third example was a business on a totally separate network many miles away. He had the same DSL provider as me and misconfigured his subnet mask (and I believe the DSL modem at that point was bridged). The end effect was that stuff going across his network across town wound up on my network, even though my network wasn't the destination (taking up a LOT of bandwidth). I never really did fully understand that one (though I really don't understand how DSL bridges work either).

      --
      AccountKiller
    20. Re:Well Einstein by Anonymous Coward · · Score: 0

      I'm using a supplied 2wire DSL modem that has NAT and wireless built in. These seem very common around this location since I can see 4 or 5 identical routers when I scan for wifi networks within range.

    21. Re:Well Einstein by that+this+is+not+und · · Score: 1

      My home network is behind TWO NAT layers. The DSL modem my ISP provided is a NAT router, but the DHCP server in it is hard-coded to only serve out one IP. The cheap-n-dirty solution was to connect a second NAT router to it as the only 'workstation' and translate everything a second time, using IT as a second DHCP server (except half my machines instead have static IPs and just use the router as a gateway statically.)

    22. Re:Well Einstein by that+this+is+not+und · · Score: 1

      You're sharing a subnet with any random fool who your landlord decides to let in the building??

      And I thought it was bad allowing my wife to tumble around the 'net on her Windoze box, downloading any junk she felt like... ("ooooh, this will make starting up pogo.com games go faster....")

    23. Re:Well Einstein by that+this+is+not+und · · Score: 1

      When you power up the cpu-less motherboard, a resourceful hacker might still figure out a way to get some form of malware running on the 8042 processor that the PS/2 keyboard plugs into...

    24. Re:Well Einstein by Aczlan · · Score: 1

      He must have had a nonworking firewall or another infected computer behind the firewall.

      --
      "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote
    25. Re:Well Einstein by Firehed · · Score: 1

      Depends on your OS too. If it's a new PC, it has XP SP2 installed. Which has a firewall that's enabled by default.

      I don't know if it's any good or not, but my understanding is that it should keep you covered at least until you get all your patches. Chances are that if you're confident enough with computers to have reformatted the thing for whatever reason, you have more than one in active use and thus a hardware firewall via your router.

      Not to mention anyone with a wireless connection will have a wireless router. Considering that laptops are outselling desktops now, I'd say that's a fair chunk of people.

      --
      How are sites slashdotted when nobody reads TFAs?
    26. Re:Well Einstein by fred133 · · Score: 1

      Where have you been for the last 7 years, in an Egyptian tomb?
      I don't know anyone who isn't at least behind a router of some brand.
      I run a linux box in front of all windoz boxes.
      Are you stoned or stupid, or did you just bring your brand new PC home from beeestBuy?
      I realize that the built-in firewall on a fresh install is totally worthless against the "kiddies",
      but a standard install on a router gives you at least 20 minutes against them.
      Autopatcher, though I personally haven't tried/used it, sounds solid to me.
      I install XP/a, SP1, then SP2 all from CD, then go for updates. Yea, it's not fast, but I can pick and choose the updates that go into the machine that I'm building. Custom, not product!
      Remember, it's windoz, NUKE and PAVE!!! Nothing like fresh asphalt!

    27. Re:Well Einstein by Anonymous Coward · · Score: 0

      My home lan sits behind a NAT. The Windows machines are all updated and locked down and not run in admin mode, so I'd think they're probably fairly safe to use.

      But either way, I would just download this stuff on my Mac and burn it right there. Safer. Done.

      I mean, who the heck would infect a Windows download with a virus or trojan for a Mac? It defies comprehen@#$*(F^^ +++NO CARRIER

    28. Re:Well Einstein by wizzahd · · Score: 1
      2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?
      I think you meant 0.002 percent. What, do you work for Verizon?
    29. Re:Well Einstein by falcon5768 · · Score: 1

      Nope, it was configured and running, and the only other systems behind it were 3 Macs and a PS2. Simply put, by using Microsoft's own software update site, it was hit with a virus. And it's not unheard of; even our work firewall, which doesn't let through anything remotely related to .exe, .zip or outside searches, still has managed to let through viruses disguised as things that are OK. Some can be traced to outside sources (people who have access abusing it, CDs and other media from home), but at least 1-2 times a month we get something that sneaks right through a configured firewall. It's always contained and disinfected before it does any amount of damage, but we can show through logs that it was infected from outside the network, despite it not being supposed to be.

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    30. Re:Well Einstein by skinfitz · · Score: 1

      Even with a high speed connection it takes quite a long time to download and install all of the Windows updates on a new PC. So the chances of getting infected are quite high.

      Would that be a new PC running the current version of Windows, namely XP Service Pack 2 where the firewall is installed by default?

      How is that going to get infected please?

    31. Re:Well Einstein by Anonymous Coward · · Score: 0

      > but these days most home PCs are at least behind a NAT

      whoop-de-fucking-do. and what exactly do you expect NAT to do for security?

    32. Re:Well Einstein by foreverdisillusioned · · Score: 1

      I thought the idea was somewhat far-fetched, too... that is, until I was infected by Blaster within minutes of my first boot, before I had a chance to download the service packs or a firewall (my router was acting up, so I was directly plugged into the cable modem.) So yeah, it happens, and I don't think I'm the only one it's happened to, either...

    33. Re:Well Einstein by strick1226 · · Score: 1
      Although, script kiddies might still be trying to infect it...


      Or crypt kiddies, perhaps...

    34. Re:Well Einstein by RareButSeriousSideEf · · Score: 1

      "2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?"

      Last time I let an unpatched, freshly-built W2K Pro SP4 instance connect to the net sans firewall, it was pwned and conducting outgoing portscans within 10 minutes.

      The blackhats have enough strategies for surmounting firewalls that I'm not comfortable counting on one as my only prophylactic - especially on networks where I don't manage the wall myself. Seems akin to the rhythm method IMO.

      I really try not to be anybody's fanboy, but after trying this Offline Update thingamabob, I'm afraid I have a stomach full of Kool-Aid. All hail heise Security! Join the family, meet a bunch of people who *really, really* love you, and finally attain the everlasting peace you've been seeking your whole life!

  4. Does MS offer this by MECC · · Score: 1

    Does MS offer a cd with patches? Even for download (or would that violate DRM/DMCA/DigitalDarkAges laws/technologies)?

    I know Apple offers their patches as download, complete with SHA1 sig.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Does MS offer this by phantomcircuit · · Score: 2, Interesting

      They used to offer a CD that they would MAIL you for free (around 2002) but stopped doing that. (no reason was given for why they stopped).

    2. Re:Does MS offer this by El+Lobo · · Score: 1

      MS goes even further. They will SEND you a CD completely without cost (excepting shipping cost) for any security fixes in any Windows system or MS product. They have been doing so since 1987 (with floppies, of course) until today.

      --
      It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    3. Re:Does MS offer this by nine-times · · Score: 1

      I can't tell... are you trying to be funny? Completely without cost (except for the costs) and better than near-instantaneous downloads, they'll probably get a CD to you within a couple months!

    4. Re:Does MS offer this by olyar · · Score: 1

      I know that you can go here and download Service Pack 2. There's lots of other individual patches that can be downloaded there as well...

      From what I can tell, the value add of this site (and the autopatcher site) is that they download the patches for you all at once, and that they package some sort of script that figures out what needs to be applied.

      However, according to the Terms of Use on the Microsoft site:

      The Software is made available for download solely for use by end users according to the License Agreement. Any reproduction or redistribution of the Software not in accordance with the License Agreement is expressly prohibited by law, and may result in severe civil and criminal penalties. Violators will be prosecuted to the maximum extent possible.
      So they may be outside the lines...
      --
      Custom, hands-free Linux installs. Instalinux
    5. Re:Does MS offer this by plover · · Score: 4, Funny
      This site should be "within the limits" of that TOS simply because they don't provide the software. He just provides a tool which you can use to download it from the official Microsoft site, and the TOS doesn't say anything about how you download them, just where you download them from.

      Autopatcher, on the other hand, provides the actual software, which is explicitly prohibited by the TOS you mentioned. He has this hilarious line in his FAQ:

      Q: Is AutoPatcher legal?
      A: Yes, nwraptor once spoke to a Microsoft employee and apparently they know about us but don't care what we do! Now that's legal advice you can hang your hat on!
      --
      John
    6. Re:Does MS offer this by LurkerXXX · · Score: 1

      Er, they have Windows XP SP2 available. That came out well after 2002 IIRC.

      I didn't look around more for other newer patches, but they might be doing that as well.

    7. Re:Does MS offer this by SEMW · · Score: 1

      I can't tell... are you trying to be funny? Completely without cost (except for the costs) and better than near-instantaneous downloads, they'll probably get a CD to you within a couple months!

      I know you're a troll, but I'll bite. Yes, certainly "completely without cost". That's what "free" means, you know. I also have a SP2 CD that MS shipped for free. I think the main point was to get SP2 out to those who are stuck with dial-up or -- God forbid -- not connected to the internet. As for shipping time, it arrived quicker than Ubuntu Linux (but admittedly, being a security & stability update, wasn't as fun to play around with :) ).

      --
      What's purple and commutes? An Abelian grape.
    8. Re:Does MS offer this by nine-times · · Score: 1

      Not exactly a troll. But sarcastic, yes. "Free" would mean completely without cost, and therefore something is not "completely without cost" if you're paying shipping/handling costs. Second, shipping CDs is fine and dandy, but in this day and age, it's not so clearly "better" than a convenient high-speed download.

    9. Re:Does MS offer this by SEMW · · Score: 1

      "Free" would mean completely without cost, and therefore something is not "completely without cost" if you're paying shipping/handling costs.

      I didn't pay shipping and handling costs. At the time, I didn't have a credit or debit card and thus had no means with which to pay shipping and handling costs even if I had wished to out of the goodness of my heart. I did not, in fact, pay any costs. Nor did anyone. I think they've started charging for shipping now, but they certainly didn't when they released SP2.

      Second, shipping CDs is fine and dandy, but in this day and age, it's not so clearly "better" than a convenient high-speed download.

      Uhh... Huh? They do offer a high-speed download. They do for all their updates. They've always done so. It's called Windowsupdate. The point was that if you can't download, for whatever reason, you can order a CD as an alternative. And yes, obviously you can download updates as self-contained packages, and burn them to CD to be installed; it's called a 'network installation' (e.g. SP2 can be downloaded here). You can even 'slipstream' updates into a custom installation CD (instructions here) if you want.
      --
      What's purple and commutes? An Abelian grape.
    10. Re:Does MS offer this by SuneSpeg · · Score: 2, Informative

      It seems like people are totally unaware of the lovely thing from M$ called WSUS (Windows Server Update Services). Which is a local server that works as an update proxy. It saves tons of bandwidth and time!

    11. Re:Does MS offer this by snarkth · · Score: 1

      Yet they are still around...

        Hey, third party distribution of microsoft patches saves microsoft bandwidth costs. Likely a significant amount. Beancounters take note...

        snarkth

    12. Re:Does MS offer this by plover · · Score: 1
      Personally, I can't imagine how much bandwidth costs Microsoft. Distributing service packs, updates, hosting time servers, all that has to cost a fortune. Of course, they have a large fortune, so it's obviously worth it.

      I don't really have a problem with sites like AutoPatcher, because I don't care that much about Microsoft's TOS on that page. I just thought his belief that it was all on the up-and-up was hilarious. But imagine the sh!t that would hit the fan if he distributed a virus-infected patch. Lawyers, feds, trials, it would break his piggy bank forever. At least he's not charging money for the service, he's just begging for bandwidth.

      As for people who use AutoPatcher, can you "swear" that you trust him? Imagine what would happen if he deliberately wrote a password-sniffing Trojan and included it in one of the autopatch images? Microsoft may be the Evil Empire, but you know they have too much to lose by inserting identity-thieving code. This guy is small, and he could decide "hey, the Mob is offering me three million bucks to put out this zombie-creating patch, I think I'll take the money and head to the Cayman Islands!"

      --
      John
  5. Corporate Windows Update by mandelbr0t · · Score: 2, Informative

    This sounds like a useful script. I know people who manage Windows Updates for corporate networks, and they've mentioned these sorts of ISOs before. Effectively, it allows an admin to read the KB articles on microsoft.com and pick and choose which updates to make available to the corporate network. There are a lot of updates! A backup ISO of the updates you've chosen to make available allows you to easily rebuild the update server if anything happens to it, and to build update servers for other networks based off work you've already done.

    As to circumventing WGA: it's already been circumvented for XP SP2. You actually have to download and run the WGA executable to destroy a cracked XP SP2 install (Windows Update doesn't push it to you). Vista may be a different story though.

    mandelbr0t

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
    1. Re:Corporate Windows Update by node159 · · Score: 1

      AutoPatcher anyone http://www.autopatcher.com/? First thing to run on any new install after the drivers are done.

      Comes with all the latest 'Critical' as well as recommended patches, along with a bunch of other commonly wanted items (Java, TweakUi, PowerToys, Flash/Shockwave, etc) as well as a heap of tweaks out of the box!

      No, honestly, it's all sweet goodness, and will save you a lot of time and reboots.

      --
      GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
    2. Re:Corporate Windows Update by LurkerXXX · · Score: 2, Informative

      I don't know any admin who would use these for a corporate network. ISOs are typically a thing you use when you only have one or a handful of individual machines to update. WSUS makes things easy to customize for what computer receives what individual patches without messing with DIY patch ISOs. WSUS Server chaining, replicas, or offline updates allows you to copy settings to other WSUS servers without worrying about 'backup ISOs' of what you have selected. It does it all for you.

    3. Re:Corporate Windows Update by ACMENEWSLLC · · Score: 1

      >>...as to circumventing WGA: it's already been circumvented for XP SP2. You actually have to download and run the WGA executable to destroy a cracked XP SP2 install (Windows Update doesn't push it to you). Vista may be a different story though

      That's a bit misleading. Automatic Updates will push WGA to you. Media Player 11 was released to customers, and it has WGA built into the patch. So if you have your computer set up to automatically download patches and apply them and you apply Media Player 11, then you have WGA now.

      They did that a few weeks back.

  6. Danger? by dedazo · · Score: 4, Insightful
    Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

    A "danger" that is eliminated with a rinky $25 NAT router.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    1. Re:Danger? by Captain+Splendid · · Score: 1

      Thank you. Or you could just slap a decent firewall on there from a USB key before you hook it up to the net. It's what I do when a client gets a new rig they want me to set up.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:Danger? by AliasTheRoot · · Score: 2, Insightful

      Or plug in the Ethernet cable after you have turned on the firewall built into XP - assuming you aren't using a SP2 install where it's enabled by default.

    3. Re:Danger? by LodCrappo · · Score: 4, Informative

      A NAT in front of your windows box does do a lot to prevent trouble while you're patching up a new install. As long as you immediately get up to date (before using the machine for anything else) then I'd think this is fine. The problem is people who rely on a NAT device for some sort of security *in place of* security patching. Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this.

      --
      -Lod
    4. Re:Danger? by Anonymous Coward · · Score: 0

      What danger? I had an unpatched XP box directly connected to a broadband modem for over a year and it never had a lick of trouble.

      Maybe these people who claim that it is unsafe can't resist teh pr0n and teh war3z for more than ten minutes, and that's why there is a perceived danger.

    5. Re:Danger? by toadlife · · Score: 1

      It's sad that it took this many posts for someone to finally post this.

      Anyone who is savvy enough to download this patch thingy should (hopefully?) be savvy enough to just turn the dang firewall on before plugging in the Ethernet cable.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  7. autopatcher has been doing this for a while now by schnikies79 · · Score: 4, Informative

    i keep a up-to-date copy for my dialup friends, which most are.

    Autopatcher!

    --
    Gone!
    1. Re:autopatcher has been doing this for a while now by EvilRyry · · Score: 1

      I've been using autopatcher as well. I install it on my desktop with Wine, then upload it to my Samba server. I have a line in my logon.bat for the Windows machines to add Autopatcher as a weekly job, and I keep autopatcher up to date.

      What does all this add up to?

      Ghetto rigged WSUS for Linux servers to Windows clients.

    2. Re:autopatcher has been doing this for a while now by Fëanáro · · Score: 2, Insightful

      autopatcher is a closed source solution which requires you to trust executables from a dubious source. Even if you accept the autopatcher guys as currently trustworthy, they may still sell out or get hacked with much higher probability than Microsoft.

  8. Or just buy the firewall you should have anyway by Tim+C · · Score: 1

    Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

    Or you could just buy the firewall you really should have anyway and be done with it. Seriously, I can't imagine anyone would try to argue that it's acceptable to put a server out on the net without a firewall in front of it, so why should a desktop PC be any different? That way you get to protect your unpatched Linux box too.

    1. Re:Or just buy the firewall you should have anyway by mcrbids · · Score: 4, Insightful

      Perhaps the key difference is this:

      I can put an unpatched RedHat Linux system on the public Internet and download patches without worrying about it. In fact, I routinely use such systems AS the router/firewall for other systems!

      If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!

      The fact that you can't even imagine a server without a dedicated firewall in front of it speaks volumes.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    2. Re:Or just buy the firewall you should have anyway by AliasTheRoot · · Score: 1

      Good luck to you and your unpatched Redhat, it doesn't have the volume of attacks a Windows box has - but don't assume it won't get rooted - it will.

      It has always been good practice to have a firewall, or at least a NAT router in front of any server, be it Redhat / Windows / BSD / OSX / Solaris whatever. Thats only one piece of the puzzle of course, but a very important one.

      However, for your average desktop machine there has to be a balance between security and usability, a balance that the built-in firewall, some free AV and Windows Defender pretty much meets; the current trend towards non-privileged user accounts in mainstream OSes like Vista / OSX cements that.

    3. Re:Or just buy the firewall you should have anyway by mcrbids · · Score: 1

      Good luck to you and your unpatched Redhat, it doesn't have the volume of attacks a Windows box has - but don't assume it won't get rooted - it will.

      As I recall, it takes an average of about 3 months for an unpatched RedHat box to get rooted, if left up in its default config and unpatched. Can't find a link - but there was a honeypot project on this a while back. And somehow, I doubt that even at 28.8 Kbps, it would take 3 months to complete an update.

      However, patch the system, and apply reasonable "best practices" - such as NOT having the password of "god" for the root account - and you should expect a clean system.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    4. Re:Or just buy the firewall you should have anyway by Anonymous Coward · · Score: 0

      such as NOT having the password of "god" for the root account - and you should expect a clean system.

      Damn... How did you guess that... now I have to change the password of 127.7.22.11 again.

    5. Re:Or just buy the firewall you should have anyway by shmlco · · Score: 1

      such as NOT having the password of "god" for the root account

      Is it time for the obligatory 1-2-3-4-5 luggage joke?

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    6. Re:Or just buy the firewall you should have anyway by Anonymous Coward · · Score: 0
      If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!

      The fact that you can't even imagine a server without a dedicated firewall in front of it speaks volumes.


      Myself, I have run web servers (IIS, Apache, Abyss) on Windows (NT4, 2K, 2K3) Server directly on the net with no firewall for years. Never had a problem. It's all in who administrates the system and how. The benefits are many. Those who can't figure that out are missing out. I have also run Apache webservers on FreeBSD and QNX directly on the net with no problems. Regular log analysis and security audits have shown all of these platforms to be equally secure when administered correctly.

      Incompetence can lead to all kinds of inaccurate conclusions. Each platform has its benefits and each requires its own specific administrative expertise for stable, reliable and secure operation.

      That is the truth of it.
    7. Re:Or just buy the firewall you should have anyway by pandrijeczko · · Score: 1
      If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!

      As a Linux user myself (Gentoo), I must say that you started to sound like you knew what you were talking about - until you made the above comment...

      The whole point of a "$25 router" is that it separates valid Internet IP addresses from the reserved addresses normally used on a private LAN. When you take one of those things out of the box and switch it on with its default config, there is absolutely *NO WAY* anyone on the Internet can connect into *ANY* PC on your private LAN, whether or not those PCs run Linux or Windows. Where damage *CAN* occur is when you connect out from the private LAN to the Internet to a web or mail server and allow something in as a result. Yes, that's generally something attached to an email or script that can damage a Windows PC - but you're treading on *VERY DANGEROUS* ground if you believe that you do not need one of these boxes to protect a Linux PC.

      Yep, if you're ultra-confident with Linux and know *EXACTLY* which services to leave turned off and how to securely configure the services that you leave on, then you'll probably be okay - but the first lesson anyone learns about security is that you take a *LAYERED APPROACH* to it and deploy any security measures first that are "cheap and easy" (like one of these boxes), and then harden your PCs subsequently.

      Believe me, I know. Five years ago, I opened up a Linux server to the Internet (behind a NAT router) and stupidly left an FTP server running on it. Within days, someone had buffer overflowed the FTP daemon, stuck an eggdrop script on my server and had it attacking IRC users on another ISP - I only found out because my ISP kicked me off my service and wouldn't let me on again until I'd proven in pages and pages of logs that I wasn't launching those attacks.

      Please don't get complacent about security - take my advice.

      --
      Gentoo Linux - another day, another USE flag.
    8. Re:Or just buy the firewall you should have anyway by gad_zuki! · · Score: 1

      >or you wouldn't need that stupid $25 router in the first place!

      Or you know, the windows firewall that came with your xp system. Enable it. Block printer and file sharing ports on the local lan (MS default). Now download your updates.

    9. Re:Or just buy the firewall you should have anyway by Tim+C · · Score: 1

      I can put an unpatched RedHat Linux system on the public Internet and download patches without worrying about it.

      Friend of mine did that until he realised that it'd been rooted a few weeks ago. Fortunately he didn't lose anything important, but it cost him an evening to work out what had happened then reformat and reinstall.

      Don't assume that Linux is impervious to attack, as it most certainly isn't.

      The fact that you can't even imagine a server without a dedicated firewall in front of it speaks volumes.

      Yes - it says that I work at a company with a dedicated systems department who are paid (in part) not to leave things to chance. It says that I work with clients who mandate multiple firewalls on their networks, with fully separated subnets and as little as possible in the DMZ. It says that I'm willing to spend less than I spend on a night out to be that much more confident that my PC is safe from unwanted attack.

    10. Re:Or just buy the firewall you should have anyway by Anonymous Coward · · Score: 0

      a lot of those '$25 routers' run linux ....

      do you need another router to protect your router? when does it stop?

    11. Re:Or just buy the firewall you should have anyway by pandrijeczko · · Score: 1
      a lot of those '$25 routers' run linux ....

      Agreed - but they're running an embedded Linux meaning that they don't have much in the way of command shells, you can't drop trojan horse or bad scripts on them...

      --
      Gentoo Linux - another day, another USE flag.
    12. Re:Or just buy the firewall you should have anyway by KillerBob · · Score: 1

      3 months average doesn't mean that it'll definitely happen in 3 months. It could never happen, it could happen in 5 minutes. You are taking a gamble every time you go online if you aren't behind some kind of firewall.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    13. Re:Or just buy the firewall you should have anyway by Anonymous Coward · · Score: 0

      If you're running Fedora, though, it will take about that over dialup. Mainly since as soon as you finish downloading one file (say, OOo) it's already been updated and needs to be downloaded again.

    14. Re:Or just buy the firewall you should have anyway by dhasenan · · Score: 1

      But it's reasonable to expect not to be rooted in the two or three hours it takes to get all the patches you need, if the mean time to failure is three months.

    15. Re:Or just buy the firewall you should have anyway by Anonymous Coward · · Score: 0

      My Debian Linux box isn't always patched but I've been running it for years (literally) without getting rooted.. and yes, I'd know. As long as there aren't any severe bugs in the TCP/IP stack or the firewall code itself, it's secure (which can be said about any "hardware" firewall since they would be vulnerable to similar attacks). However, allowing unfettered access to any services without keeping it patched would be stupid. I've had to clean up boxes that have been rooted (and yes, they were behind an ICSA certified firewall).

    16. Re:Or just buy the firewall you should have anyway by KillerBob · · Score: 2, Insightful
      But it's reasonable to expect not to be rooted in the two or three hours it takes to get all the patches you need, if the mean time to failure is three months.


      That's up to you. But please don't take it as an offense if I say that I'd never hire you as a sysadmin.

      Ask yourself this... is the 5 minutes it takes to set up basic firewalling (or even simply shutting down any daemons you're running) worth the extra time you risk if you have to reinstall the computer? Banking on averages is never a good idea, especially not when you're dealing with something mission-critical. Whatever can go wrong will go wrong, at the worst possible moment and all.

      Speaking as somebody who's had computers blow up on him on many an occasion, I'd rather not take any chances I don't have to. Recovering from your own fuckups is expensive and annoying, doubly so when it's avoidable.
      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    17. Re:Or just buy the firewall you should have anyway by tehcyder · · Score: 1
      That's up to you. But please don't take it as an offense if I say that I'd never hire you as a sysadmin.

      [...] Speaking as somebody who's had computers blow up on him on many an occasion

      You're a fine one to talk, at least he'll just get some viruses rather than actual physical destruction of his machine.
      --
      To have a right to do a thing is not at all the same as to be right in doing it
    18. Re:Or just buy the firewall you should have anyway by Anonymous Coward · · Score: 0

      ... That won't work! If you have XP SP2 you are OK. SP1 or plain XP, if you're patching up from there, the firewall is actually turned on WAY after the network card, and people can and have been rooted in that length of time it takes the firewall to kick on.

  9. Vital... by VidEdit · · Score: 0, Flamebait

    Given that an XP SP1 install can become compromised within seconds of becoming connected with the internet, this is the kind of service MS **should offer**.

    I own an XP SP1 copy of VPC, but hooking up to MS via an internet connection to download the updates through SP1 seems incredibly stupid :-)

    --
    1. Re:Vital... by SEMW · · Score: 1

      MS sent out SP2 CDs when it came out to anyone who asked, completely free of charge. They still do it now; you just have to pay shipping. Not to mention MS have *always* offered tools to let you slipstream updates into a custom installation CD.

      --
      What's purple and commutes? An Abelian grape.
    2. Re:Vital... by lagfest · · Score: 1

      Unfortunately, these tools aren't exactly automated.

      /please tell me I'm wrong.

    3. Re:Vital... by SEMW · · Score: 1

      Well, it's not completely automated, no. It does involve typing a few commands into a command prompt (six in total); but that shouldn't really be a problem for most of the people on Slashdot. Full instructions here (it looks like quite a long page, but the bottom 2/3 is just screenshot-by-screenshot guide on how to burn a bootable CD in 3 different CD burning programs, so it's not as long as it looks).

      --
      What's purple and commutes? An Abelian grape.
    4. Re:Vital... by lagfest · · Score: 1

      Yeah okay, but that's for one update. There's between 2^5 and 2^6 updates out for windows xp since sp2, so that gets boring really fast.

    5. Re:Vital... by Anonymous Coward · · Score: 0

      Good lord...my parent post isn't brilliant but SAF isn't flamebait any more than the thread is. Not insightful or as good as my usual posts but flamebait. I'm disappointed...

  10. Problem with reg.exe by Anonymous Coward · · Score: 0

    You must download ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/reg_x86.exe before using it if it can't find it. Rename it to reg.exe and put it in client/bin

    1. Re:Problem with reg.exe by Jonah+Hex · · Score: 2, Insightful

      So what's the point of using a reg.exe from the NT 4.0 resource kit? Rename a self extracting zip to reg.exe?

      In short, don't play with strange links posted by anonymous cowards...

      Jonah HEX

    2. Re:Problem with reg.exe by Anonymous Coward · · Score: 0

      Are you stupid? Extract the zip and put it into the client/bin directory in the zip. In fact, the zip file tells you to do it if you're running Win2k.

    3. Re:Problem with reg.exe by os2fan · · Score: 1
      REG.EXE is supplied in the Win2k support tools (on the Win2k cd-rom), or in the base install of Windows XP and later.

      The reg_x86.exe is actually a WinZip file (it can be opened in any zip utility); the relevant file contains reg.exe, along with a readme file (suggesting the file goes to c:\reskitnt). I have been including reg.exe in the various update files etc.

      --
      OS/2 - because choice is a terrible thing to waste.
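      The two posts above disagree on whether to touch a renamed executable from an unverified link; the safe middle ground is to look inside a self-extracting archive without ever running its stub. The script below is an added example (not from the thread, Heise or Microsoft): it checks for the MZ header, locates the ZIP end-of-central-directory record and lists or extracts members with Python's zipfile module, which tolerates data prepended to an archive. The sample "executable" is constructed in memory (a fake MZ stub plus a real ZIP), standing in for reg_x86.exe; the expected member names are an assumption.

```python
"""Inspect a self-extracting .exe (MZ stub + appended ZIP) without executing it.
Added example, not part of the original thread.  The sample SFX is constructed
here; it is not the real reg_x86.exe."""
import io
import zipfile

MZ_MAGIC = b"MZ"
EOCD_MAGIC = b"PK\x05\x06"          # ZIP end-of-central-directory signature


def build_sample_sfx() -> bytes:
    """Constructed stand-in for reg_x86.exe: 256-byte fake MZ stub + ZIP."""
    stub = MZ_MAGIC + b"\x90" * 254                     # not a real PE, just a prefix
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reg.exe", b"MZ" + b"\x00" * 100)   # constructed payload (102 bytes)
        zf.writestr("readme.txt", b"Copy reg.exe to c:\\reskitnt\r\n")
    return stub + buf.getvalue()


def is_mz_executable(data: bytes) -> bool:
    """True if the blob starts with the DOS/PE 'MZ' magic."""
    return data[:2] == MZ_MAGIC


def has_embedded_zip(data: bytes) -> bool:
    """True if a ZIP end-of-central-directory record exists in the blob."""
    return data.rfind(EOCD_MAGIC) != -1


def list_sfx_members(data: bytes):
    """(name, uncompressed size) for every member; zipfile corrects the
    header offsets for the prepended stub, so nothing is executed."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.file_size) for i in zf.infolist()]


def extract_member(data: bytes, name: str) -> bytes:
    """Pull a single member out of the archive, stub untouched."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def audit_sfx(data: bytes, expected=frozenset({"reg.exe", "readme.txt"})) -> dict:
    """Summarise the blob before deciding whether to trust it.
    'expected' is an assumed member list for the resource-kit package."""
    members = list_sfx_members(data) if has_embedded_zip(data) else []
    names = {name for name, _ in members}
    return {
        "mz_header": is_mz_executable(data),
        "has_zip": bool(members),
        "members": members,
        "missing": sorted(expected - names),      # index said it should be there
        "unexpected": sorted(names - expected),   # anything extra deserves a look
    }


if __name__ == "__main__":
    blob = build_sample_sfx()
    print(audit_sfx(blob))
```

      Run it against a downloaded file by replacing `build_sample_sfx()` with the file's bytes; an "unexpected" entry, a missing EOCD record, or a member size that does not match what the vendor documents is reason to stop before anyone double-clicks it.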
  11. Great idea but... by rsmoody · · Score: 1

    Hasn't this one already been done with AutoPatcher? I am still gonna play with this and see how it compares. AutoPatcher works fairly well, usually there are only a few items left to download after starting with a fresh install of SP2. For one, something like this that automates downloading the patches to be installed on multiple computers really helps out with the time it takes to patch a system. One download vs the 7 I will be doing here in a little bit is nice. Also along these lines is Update Accelerator for IPcop. Basically, it's a web cache for Windows Updates. You download the updates once, it stores them on the IPcop system and they are delivered from IPcop in the future, makes things take a lot less time and it's free (minus some old hardware and time).

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  12. Anyone taking numbers? by Rob+T+Firefly · · Score: 0, Flamebait

    This is a wonderfully useful idea, and I wonder how soon it'll be before the takedown notice from Microsoft.

    1. Re:Anyone taking numbers? by Anonymous Coward · · Score: 0

      Hopefully soon. If someone doesn't have broadband to download a ISO of a Linux distro or their updates to cause more holes, then screw them. If they can't get dialup where they fucking live either fucking move, fucking live with it, or go fucking kill themselves if they fucking can't live without it.

  13. nLite by Nasarius · · Score: 4, Informative

    I've been using nLite and RyanVM's update pack to do this for a while now. Great stuff, even works with my Dell OEM version of XP.

    --
    LOAD "SIG",8,1
    1. Re:nLite by Jonah+Hex · · Score: 2, Interesting

      Check out Microsoft Forum Network http://www.msfn.org/ for more do-it-yourself guides and forums dedicated to pre-building customized CDs/DVDs.

      Jonah HEX

    2. Re:nlite by OAB_X · · Score: 1

      Well ...... its not the same. nLite requires windows to be re-installed to do that patching (via the RyanVM patch), this is designed to be a patch utility that does not require re-installing windows.

      Assuming it works of course, nLite does indeed work, this box is running via an nLite made windowz disk. (with RyanVM updates and driverpacks drivers slipstreamed)

    3. Re:nLite by ET_Fleshy · · Score: 1

      Dell OEM eh, can I interest you in an addon or two that will automatically and legally activate your version of XP for you... forever! Just a quick google search or two for some vlk keys and you're golden ;). Or... maybe you already have some, who knows? Enjoy!

    4. Re:nLite by Nasarius · · Score: 1

      For whatever reason, I've never had to activate my copy of XP from Dell, or even enter the CD key printed on the side of my PC case. It Just Works, and I don't question a good thing.

      --
      LOAD "SIG",8,1
    5. Re:nLite by ET_Fleshy · · Score: 1

      Are you using a restore CD or something? If you want to know why most of the OEMs don't have to activate, just meander over to the link I posted above and there is a link towards the top that will describe how it all works. Cheers!

    6. Re:nlite by Danathar · · Score: 1

      Hence my word "Almost"

    7. Re:nlite by Kangie · · Score: 0

      Actually, from what I gather the utility is made for boxen that are not patched (probably older CDs used to install windows), while nLite will slipstream patches, saving time for multiple reinstalls (CDs are slooow), with the added bonus that you can make an unattended install.

  14. Good for Builds ? by Anonymous Coward · · Score: 0

    Will be definitely giving this a go; we run a build system at work, and image new machines.

    It's an effort to keep making new images every time a patch is released, and WSUS takes a while to kick in.

    Currently we are using vbscript from www.wsus.info forums to speed up the process, but its not instant, and still means plugging in the PC to a network, where someone could potentially also have an infected laptop connected. This sounds like a good alternative, assuming it works.

  15. Trust him? Do you know what Heise is? by Anonymous Coward · · Score: 2, Informative

    Who do you refer to, exactly? Heise? Heise is not a him, it's a big (and trustworthy) publisher of computer magazines in Germany (c't and iX).

  16. Not much danger with 2003 SP1 by Anonymous Coward · · Score: 0

    2003 post SP1 blocks the inbound network connection until the first instance of windows updates completes, plus the fact that the exploitable services are all locked down in a default 2003 install. Not to mention most people are behind NAT routers like forever.

    Say what you want about the usefulness of the mentioned tool, but the "unpatched windows on the internet" knock is so old and busted it has cobwebs.

  17. nlite by Danathar · · Score: 3, Interesting

    nlite does almost the same thing and is much more flexible and easier to use

    http://www.nliteos.com/

  18. Check out RyanVM too by SteWhite · · Score: 2, Informative

    For anyone interested in this sort of thing, you might also want to check out RyanVM:

    http://www.ryanvm.net/msfn/

    This allows you to produce updated Windows installation CDs, that actually have the service packs and post-service pack hotfixes *already integrated into the installation*. This saves the extra time normally taken to install Windows *then* go apply all the updates.

  19. Is this the kind of stupid comment that gets... by Assmasher · · Score: 1

    ...a Windows zealot slagged for saying "How are you supposed to know how to configure support in *nix if you can't get on the internet to do it?" Seriously...

    "Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates." - Who the heck said you should connect the unpatched machine to the 'net to grab this stuff? FFS, I bet ol' Karsten would go to town on the Windows zealot for playing stupid. ;)

    --
    Loading...
    1. Re:Is this the kind of stupid comment that gets... by Jerf · · Score: 1
      Who the heck said you should connect the unpatched machine to the 'net to grab this stuff?
      Actually, that is a good question. Who did say that?

      Could it be... you?

      (Clearly the point is that you use a patched machine to make the CD, then feed the CD to an unpatched machine, resulting in 0 unpatched machines on the raw internet.)
  20. Good idea for some applications... by catdevnull · · Score: 1

    This is a useful tool for my particular environment where we use RapiDeploy to re-image boxes. The image gets a little stale and we have to go through a quarantine network before our Cisco Clean Access authenticates us--we're essentially in a leper colony while we're trying to catch up on patches. It's a bit of a catch 22.

    Having the patches on hand would really help when we don't have a little router on hand on field calls.

    --

    I might know what I'm talkin' about, but then again, this is Slashdot...
  21. Not a clever move for MS... by Anonymous Coward · · Score: 0

    I think MS is aware. And going after Heise wouldn't be a clever move at all, as they are the most influential computer magazine publishers in the German-speaking area. Two words: Baaaaaad press.

    1. Re:Not a clever move for MS... by RobertLTux · · Score: 1

      this would be about as bad as going to Oktoberfest, getting BLASTED and then going down the Autobahn with the pedal to the metal and playing chicken with a semi (or an M1-A1) driving a RABBIT

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  22. Slipstreaming by any other name by GungaDan · · Score: 1

    is still just slipstreaming - you don't need any special downloaded software for this.

    --
    Eloi are stupid, throw morlocks at them!
  23. AutoPatcher: Offline Windows Updates by Anonymous Coward · · Score: 0

    http://www.autopatcher.com/ This site has been offering offline Windows updates for some time. Lots of translations as well. Worth a look.

  24. Yes but... by kosmosik · · Score: 1, Informative

    Yes but no Polish (or any other than few) language version is supported. So it is useless for me.

    It just shows how retarded update management is in Windows. It is like 10 years behind Linux and 5 behind OSX. And Vista is no different either.

    1. Re:Yes but... by nekokoneko · · Score: 1

      So you're saying they forgot Poland?

  25. Wish they would do this for Linux Distros by Rashkae · · Score: 1

    I wish the big Linux distros would start doing this. Being unable (or unwilling) to patch a linux box without a broadband connections is one of my biggest pet peeves with the current crop of distros.

    1. Re:Wish they would do this for Linux Distros by Anonymous Coward · · Score: 0

      Fedora, at least, has community-submitted "Respin" discs that include updates (http://torrent.fedoraunity.org/torrents). I seem to remember hearing about an APT-based tool for doing something similar on Debian-esque systems too.

    2. Re:Wish they would do this for Linux Distros by Anonymous Coward · · Score: 0

      I wish the big Linux distros would start doing this.

      Agreed.

      My personal opinion is that some distributions are just no good without broadband. Take Debian - it's totally wonderful with a fast internet connection. The distribution is never static: all the software is being continuously improved, and you can stay up to date easily. If you can download things quickly.

      But I never understood this before I had a fast connection. Then, the distribution was just inconvenient. It came on many CDs, the programs you wanted were never on the CD in the machine, and if you wanted anything that wasn't on CD, you'd be forced to download tons of packages in order to satisfy dependencies. A world of pain. It drove me away to a distribution with a less effective package manager.

      Now I prefer the Internet-based approach, and I'm Debian all the way. I install from a 40Mb boot disk or debootstrap. It's like Windows Update, but applied to all applications as well as the core OS. We've got something here that the proprietary software world will never be able to do, and it's brilliant.

    3. Re:Wish they would do this for Linux Distros by drinkypoo · · Score: 1

      If you use synaptic (for debian and friends) it will create a download script which is just a file with a bunch of "wget url" lines in it, where url is a full URL to a .deb package.

      Personally I save this file to my USB key which has a windows wget.exe on it, and name the file whatever.cmd. Then I just put the usb key in my windows machine, double-click the file, and bingo! It downloads the packages. If I save the selection file as well, then I can copy the files to the distfiles location, load the selection file, and then install precisely the packages I needed. The same script will of course work on linux or OSX with wget installed (or you could alias wget to curl, then source the script instead of running it.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Wish they would do this for Linux Distros by Raideen · · Score: 1

      I suppose that you could walk around with a copy of the files in /var/cache/apt/archives on your Debian distro. You could also keep a mirror archive if you want absolutely everything. Either way, it's basically all in one place. Also under Debian, if there are enough patches to warrant a "service pack," a release update is created. If by "big," you mean Red Hat, SuSE, Ubuntu, or other commercially supported distro, well you can do similar things with Ubuntu and there's probably already a script that does it for the RPM based distros as well. I've never carried around every Windows patch anyway. I usually keep the patches for the latest big vulnerability that's being exploited by a worm at the time (which usually means that their Internet connection is getting sapped anyway) just so that I don't have to download it repeatedly.

    5. Re:Wish they would do this for Linux Distros by petermgreen · · Score: 1

      just how up to date do you feel you need to be?

      debian do a "point release" every so often which includes security updates among other things and when they do so they build both new full CD/DVD images and a set of update CDs (they don't seem to yet do update DVDs but i've just suggested it ;) ).

      If you really want the latest updates you can always take a copy of the relevant directories on security.debian.org and burn it to a CD/DVD.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
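      Both of the posts above (carrying /var/cache/apt/archives around, or burning a copy of the security.debian.org directories) leave one step implicit: the hand-carried .deb files should be checked against the SHA256 and Size fields of the archive's Packages index before anything is installed, since a CD or USB key is as easy to tamper with as a fake ISO. The script below is an added example (not from the thread or from Debian's own tooling). The Packages stanzas and the .deb files are constructed inline so it runs offline; it assumes the Release file that signs the Packages index has already been verified with gpg, which is not shown.

```python
"""Verify a hand-carried apt cache against a Packages index (SHA256 + Size).
Added example, not part of the original thread.  Sample .debs and index are
constructed below; Release-file signature checking is assumed done elsewhere."""
import hashlib
import os
import tempfile


def parse_packages(text: str) -> dict:
    """Parse blank-line-separated control stanzas into {basename: fields}.
    Continuation lines (leading whitespace) are folded into the last field."""
    stanzas, cur, last = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            if "Filename" in cur:
                stanzas[os.path.basename(cur["Filename"])] = cur
            cur, last = {}, None
            continue
        if line[0] in " \t" and last:
            cur[last] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        cur[last] = value.strip()
    if "Filename" in cur:                      # stanza without trailing blank line
        stanzas[os.path.basename(cur["Filename"])] = cur
    return stanzas


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_cache(cache_dir: str, packages_text: str) -> dict:
    """Return {filename: 'ok' | 'size-mismatch' | 'hash-mismatch' | 'not-in-index'}
    for every .deb in cache_dir.  Size is checked first because it is cheap;
    a file the index does not vouch for is never 'ok'."""
    index = parse_packages(packages_text)
    result = {}
    for name in sorted(os.listdir(cache_dir)):
        if not name.endswith(".deb"):
            continue
        path = os.path.join(cache_dir, name)
        entry = index.get(name)
        if entry is None:
            result[name] = "not-in-index"
        elif os.path.getsize(path) != int(entry["Size"]):
            result[name] = "size-mismatch"
        elif sha256_file(path) != entry["SHA256"].lower():
            result[name] = "hash-mismatch"
        else:
            result[name] = "ok"
    return result


def build_demo_cache():
    """Constructed sample: three .debs, an index vouching for two, and one
    of those two altered after the index was written (same size, new hash)."""
    d = tempfile.mkdtemp(prefix="aptcache-")
    good, tampered = b"!<arch>\ngood package body\n", b"!<arch>\noriginal body\n"
    for name, body in (("good.deb", good), ("tampered.deb", tampered),
                       ("stray.deb", b"!<arch>\n")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    index = ""
    for name, body in (("good.deb", good), ("tampered.deb", tampered)):
        index += (f"Package: {name[:-4]}\nVersion: 1.0\n"
                  f"Filename: pool/main/{name[0]}/{name}\n"
                  f"Size: {len(body)}\nSHA256: {hashlib.sha256(body).hexdigest()}\n\n")
    with open(os.path.join(d, "tampered.deb"), "wb") as f:
        f.write(b"!<arch>\nmodified body\n")   # same length, different content
    return d, index


def demo() -> dict:
    cache_dir, index = build_demo_cache()
    return verify_cache(cache_dir, index)


if __name__ == "__main__":
    print(demo())
```

      Point `verify_cache` at the copied archives directory and the Packages file taken from the same mirror snapshot, and install only the entries reported as `ok`; a stray file that the index does not list is exactly the kind of thing a "helpful" extra on a burned CD would be.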
  26. There's always SUS by Anonymous Coward · · Score: 0

    When you can't be bothered to slipstream all the updates you need, SUS in a VM on a USB drive works fairly well for updating unconnected machines.

  27. What about Microsoft? by febuiles · · Score: 3, Interesting

    I wonder what Microsoft thinks about this, right now I'm downloading updates that I wouldn't be able to get since I don't use a legal version of their software.

    Thank you :D

    1. Re:What about Microsoft? by pandrijeczko · · Score: 2, Insightful
      I guess they think you are a complete and total hypocrite, just like I do.

      If you're not prepared to pay for their software then you shouldn't be using it, simple. And you would probably be admired more if you had the courage and strength of conviction to go spend the time learning to use an alternative OS in order to make a much clearer statement to Microsoft that you're not prepared to pay the money they ask for their products.

      Any fool can download a pirated Windows CD from the Internet, it takes initiative to go learn and legally use an alternative OS.

      --
      Gentoo Linux - another day, another USE flag.
    2. Re:What about Microsoft? by febuiles · · Score: 1

      Pretty harsh words you've got there.

      I should start by clarifying to you that I've been a Linux user since 2000 according to http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=295182 . Maybe I should also tell you that I'm a supporter and programmer for some FOSS, maybe you'll even find that the software you're using has one or two lines I've written. That should qualify me as having "the initiative to go learn and legally use an alternative OS", don't you think?

      Sadly enough, I live in a third world country, where deals between universities and big software companies like MS and IBM force us to use their software. I don't feel like starting to justify myself for using pirated versions of their OS, I know it's wrong, but hey, I am not, as a student, ready to start paying 6 times my salary so these deals can go on and on, it's a dirty way to do business and I won't be part of it.

      But aaanyway, who am I to judge the actions of a big American company? After all, they're Microsoft, I should be ashamed of my acts...shouldn't I?

      Have a nice day.

      PS1: I don't feel like a hypocrite, I see myself as a dirty pirate, with eye-patch and a parrot on the shoulder.
      PS2: Neither do I look for admiration in the web, precisely on Slashdot, e-peen size doesn't matter I've heard.

    3. Re:What about Microsoft? by pandrijeczko · · Score: 1
      PS2: Neither do I look for admiration in the web, precisely on Slashdot, e-peen size doesn't matter I've heard.

      But you've just contradicted yourself - you say you don't look for admiration on the web but in your initial comment you bragged about having the ability to update your illegal copy of Windows, like it is something to be proud of?

      Sorry, but simply living in a Third World country does not justify piracy - it's the same the world over, if you don't like the price of something then DON'T buy it or use it, it's that simple; if lots of people do that, then MS has to listen and drop their prices.

      I'm mostly a Linux user myself and even in the UK where I am, I personally do not believe MS products are worth the money based on the level of control they take of your PCs - so I just don't use the stuff, beyond what is supplied to me by my work and the single OEM copy of XP I have on one of my machines.

      There is no such thing as being "forced" to use anything - very few people require the in-depth functionality of MS Office, for example, and for 90% of people, OpenOffice does more than what they need. The same is true for most other FOSS software, the real reason is that most people are just too damned lazy to have the strength of their convictions and do something about it.

      --
      Gentoo Linux - another day, another USE flag.
    4. Re:What about Microsoft? by Anonymous+Cowled · · Score: 1
      I wonder what Microsoft thinks about this, right now I'm downloading updates that I wouldn't be able to get since I don't use a legal version of their software.

      That's plain retarded.

      You are able to download security updates from windows update even with a pirated copy and always have been. Hell - you could even use the Devil's own serial key to download security updates, as long as you use automatic updates. WGA just prevents pirated copies going to Windows Update manually and downloading non-security related updates (IE7 or WMP upgrades for example).

      This tool is useful for users who want to slipstream these hotfixes into their install disks. If you don't want to slipstream / don't know how - use autopatcher or a similar product. This isn't rocket science.
    5. Re:What about Microsoft? by febuiles · · Score: 1

      But you've just contradicted yourself - you say you don't look for admiration on the web but in your initial comment you bragged about having the ability to update your illegal copy of Windows, like it is something to be proud of?

      I'm sorry if you misread my original comment, I was NOT trying to brag about getting free updates, I'm actually curious to see what they think about these people offering these downloads this way.

      I know that living in a third world country doesn't justify piracy, nothing does, but I still do it and believe it or not, you can be forced to use MS software when you have to develop .NET applications with old IIS and MS SQL Server; you don't have too many choices :D

      Anyway, I don't think this is the place to discuss this.

    6. Re:What about Microsoft? by febuiles · · Score: 1

      You've had to download the genuine advantage software and do all the process for stuff like MSI updates, you _need_ an original version for this.

    7. Re:What about Microsoft? by Anonymous+Cowled · · Score: 1

      Again, I would have to disagree with you:

      Download "Windows Genuine Advantage Validation Tool" and install this. If you have a pirated copy of XP, it will tell you that your serial is not valid, give you a link to a website where you can buy a legit copy and block you from accessing Windows update manually. From then on - you can set automatic updates to do whatever you want (although as you have a pirated copy - it would be worthwhile setting it to "download, but do not install"). Update will tell you when you have *security* updates available, but won't install them until you have reviewed them. It will be worth your while *NOT* installing KB905474 - the "Windows Genuine Advantage Notification Tool". This is the piece of software which reminds you - I think every hour, but I don't know, as I have a genuine copy of XP (as my secondary OS, linux is my primary) - that you do not have a valid copy of XP... but even this is very easy to bypass if you realise how it works and what it does.

      Also - there are very easy ways around WPA (for gaining access to IE7 and Media Player updates).

  28. be good to do this for Office too by Anonymous Coward · · Score: 0


    an unpatched Office installation is also a risk as it contains all the GDI flaws that are remotely exploitable, be cool if the author could do this for the office variants floating round as well eg. o97,o2k,oXP,o2k3,o2k7

    i know o2k3 needs over 50mb of updates even if its a brand new install and email is just as important as web, install a fresh o2k or oxp (which both need over 150mb of updates) and you can be 0wned by the first email you receive regardless of how up to date your OS is

    all in all its a good idea, so many people are still on dialup (i know us geeks are on uber broadband but a lot of people ain't) where downloading 270mb SP2 is pretty much out of the question never mind the 100mb of updates on top of that, i would guess winxp + o2k would need 500mb of updates before being safe(as it gets)

  29. Already been done in a better form by cHiphead · · Score: 5, Informative

    It's called Autopatcher and it's WAYYYY sexier. Lots of installable extras and sexy registry patches to make windows life easier.

    http://www.autopatcher.com/

    --

    This is my sig. There are many like it, but this one is mine.
    1. Re:Already been done in a better form by MCraigW · · Score: 4, Informative

      I've been using Autopatcher for quite some time now, and I'm quite happy with it. It also has some extra utilities that it will install if you select them, and the ability to make various UI tweaks. I find it is a nice way to install everything on a new PC. I download the latest version, write it to a CD and take it to the new PC. The new PC never has to be connected to the internet to get the latest MS updates.

    2. Re:Already been done in a better form by sbben · · Score: 2, Interesting

      Same with Nlite, located here http://www.nliteos.com/nlite.html/.

      I believe a vista version was released as well, known as vlite. I have not used either but they look very promising, I have been meaning to try out nlite for the next time I reformat but maybe I will try one of these alternatives instead. Any one out there used them all?

    3. Re:Already been done in a better form by NorQue · · Score: 2, Insightful

      If I understood the information on the website correctly autopatcher is just a collection of the latest MS updates from a third party. With the offline update scripts from Heise you're able to create your *own* autopatcher collection from scratch. No middleman involved.

    4. Re:Already been done in a better form by therufus · · Score: 1, Interesting

      And while you're into Nlite, make sure you download the RyanVM update pack. It has all the Windows updates up to a few months ago.

      After integrating RyanVM, last check there are only 6 updates to do.

      Check out Ryan's files here

      --
      You moved your mouse. Please restart Windows for changes to take effect.
    5. Re:Already been done in a better form by cHiphead · · Score: 1

      Which just means you're duplicating the effort already put forth by the Autopatcher team? I can understand from an auditable trail/security pov, but so far I have experienced no issues with their patch tool.

      Cheers.

      --

      This is my sig. There are many like it, but this one is mine.
    6. Re:Already been done in a better form by NorQue · · Score: 1

      If you're trusting the Autopatcher people, fine. It's just that you can get the same result more securely with just a little bit more effort from that open-source heise script.

    7. Re:Already been done in a better form by cHiphead · · Score: 1

      Seriously take a look at what Autopatcher includes, it's a lot more than just the integrated patches from MS. Although it's nothing you couldn't take care of with a few hours of scripting on your own, Heise or not, and a Group Policy to push it to domain computers, but it's very convenient for lazy..XXXX... busy folks like me. ;)

      Cheers.

      --

      This is my sig. There are many like it, but this one is mine.
  30. All hail Autopatcher... by Anonymous Coward · · Score: 0

    ...and its glorious new regime!

    Sincerely,
    Little Girl

  31. Re:Trojan Horsey anyone?! by Anonymous Coward · · Score: 0

    The source code is available (it is just a series of scripts). Unless you meant it is not LICENSED under an Open Source "compatible" license, in which case you may be correct. I couldn't find any evidence of any license, though. And they say it is based off of another project which I didn't bother researching.

  32. Torrents by shmlco · · Score: 2, Interesting

    "Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this."

    Or connect to a torrent server. Watch the number of attacks on your PC's FW skyrocket the instant you run BT and connect to a tracker. Lots of hackers run torrent servers just to mine the connection information and find new, unprotected computers to attack.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  33. Stop with the "unpatched PCs are insecure" rubbish by pandrijeczko · · Score: 3, Informative
    Anyone with any knowledge of security knows that if you deploy a NAT router/firewall between your unpatched PC and the Internet, whether a simple £50 box in a home environment or behind a DMZ in a corporate environment, then that PC, whether running Windows, Linux or any other OS, is pretty safe as long as you don't run any services out onto the Internet with it and don't do too much else with it. And if you run an Internet connection without one of these in place then more fool you...

    On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that come in from emails, documents & web pages but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.

    No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...

    --
    Gentoo Linux - another day, another USE flag.
  34. Does it *really* matter? by myz24 · · Score: 1

    They say one of the benefits of doing this is updating older systems because of the worms spreading the internet. Does anyone who is working with a windows system and needing to install updates (and one who knows how) even directly connect any computer to the internet? In this day and age, I'd bet that nearly everyone is behind a firewall already.

  35. Re:Trojan Horsey?! Neigh! by greg1104 · · Score: 1

    In the rush to be first post, you seem to have missed that all the source code to the tools (and even gpl.txt) are included in their zip file. You need to trust AutoIt to build some of them. I see a few binaries that don't have source included, but they're generic ones like mkisofs.exe and wget.exe that could easily be replaced with trusted versions.

  36. Re:Stop with the "unpatched PCs are insecure" rubb by Anonymous Coward · · Score: 0

    I don't understand this NAT router/firewall business. Either the unpatched PC can receive packets from the Internet or it cannot. If it *can*, then it can be rooted just like it would without a router/firewall. If it *cannot*, then this means that you cannot browse the web with it (can't receive the packets that servers send you in response to http requests).

  37. Re:Stop with the "unpatched PCs are insecure" by Anonymous Coward · · Score: 0

    have you nmap'd a windows install lately Einstein?

    135/tcp open msrpc
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    1025/tcp open NFS-or-IIS
    5000/tcp open UPnP
    5101/tcp open admdog

  38. Danger! Danger! by madsheep · · Score: 1

    Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.
    Right. That's of course if you don't have one of the following:

    1) 3rd party firewall on the box
    2) the OS's firewall (who says you're installing without an SP?)
    3) a hardware firewall
    4) a home router/switch that does NAT for you (and of course a home network that's not 0wn3d)
    5) IPsec policy on the box preventing connections to the ports
    6) File & Print sharing + naughty services turned off.. (anyone out there??)


    Yea so those are all pretty good... #6 not being foolproof but definitely highly recommended regardless. These CDs might be a good [neat] idea. Then again why not just set up your own WUS box and get your patches from your local LAN while not routing out. That way you can save time, touches, and bandwidth!! wowzers.
  39. Re:Stop with the "unpatched PCs are insecure" rubb by kosmosik · · Score: 2, Insightful

    > No, I'm no Microsoft fan but let's stick to facts
    > rather than "science fiction" FUD stories...

    These are not SF FUD stories. There are a lot of people who:
    - don't know shit about security
    - don't know shit about patching
    - own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
    - use computer to Just Work With it - as a tool - you know

    And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.

    Recently a friend of mine reinstalled Windows (since it was wrecked to the point of no other option, at least for her) from CDs (sans SP) which came with her laptop. After 1 minute the system was infected and unusable; it hadn't even a slight CHANCE of updating itself.

    MS made some stupid decisions a few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.

    I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.

  40. encountered (again) another win box without NAT/FW by Anonymous Coward · · Score: 0

    Today at work a customer showed me the IP the PC had gotten from the DHCP. It was public. I had to tell the person to look for the word NAT in the Router. Had to write it down for her, and tell her to call if she doesn't find it.

    So call fud as much as you want, reality is clueless users.

    m10

  41. Great by Anonymous Coward · · Score: 0

    This may be great in the future to archive all updates before MS stops supporting XP. We probably might need to reinstall XP with all patches in the distant future to run an old program and retrieve old data in some odd proprietary (hmmm, office) format.

  42. Re:Stop with the "unpatched PCs are insecure" rubb by pandrijeczko · · Score: 3, Insightful
    > These are not SF FUD stories. There are a lot of people who:
    > - don't know shit about security
    > - don't know shit about patching
    > - own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
    > - use computer to Just Work With it - as a tool - you know

    I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to setup - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.

    And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)

    > And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.

    I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)

    > MS made some stupid decissions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.

    Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.

    > I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.

    It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.

    Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.

    --
    Gentoo Linux - another day, another USE flag.
  43. Re:encountered (again) another win box without NAT by pandrijeczko · · Score: 1
    Today at work a customer showed me the IP the PC had gotten from the DHCP. It was public. I had to tell the person to look for the word NAT in the Router. Had to write it down for her, and tell her to call if she doesn't find it.

    But if it was a public (=valid) IP address then it probably just wouldn't work, or not make a great deal of difference, depending on what the NAT router did. If the NAT router treated it like a private IP address and put the WAN (Internet) IP in the header in its place, then I don't see there would be any difference in functionality; if it left the public IP in place, then it just wouldn't work because a router somewhere along the way would just route it to the *real* network where that public IP actually is.

    Someone correct me if I'm wrong, BTW. I'm a LAN and OS man, not a Cisco or router guru.

    --
    Gentoo Linux - another day, another USE flag.
  44. Re:Stop with the "unpatched PCs are insecure" by pandrijeczko · · Score: 1
    No. But have you nmap'd a Windows install lately from the Internet side of a NAT router, Hawking?

    I'm afraid you'd need to have mapped those ports through to the private network on the router first before you saw anything - and in my post I did quite clearly state usage of a NAT router...

    --
    Gentoo Linux - another day, another USE flag.
  45. Re:Stop with the "unpatched PCs are insecure" rubb by Anonymous Coward · · Score: 0

    Why not just use the built-in port-based filtering that Windows XP provides since before SP1? (Quoting from memory): in network connections, right-click the network -> properties -> advanced -> tcp/ip filtering -> Allow Only -> leave blank. And there you go, no inbound traffic until you patch.

  46. Re:Trojan Horsey anyone?! by Anonymous Coward · · Score: 0

    Why not? You entrust your firewall and antivirus to closed source, so what's the problem. It's a case of establishing the credibility of the distributor. In this case they are reputable...

  47. Installed patched OS, same as old OS by AHuxley · · Score: 1

    In Capitalist West you burn cd for unsafe consumer operating system.
    In Soviet Union unsafe CIA operating system burns you.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Installed patched OS, same as old OS by PAPPP · · Score: 3, Interesting

      One of the best "In Soviet..." jokes I've ever seen, for those not in the know, it refers to some US made technology, most famously pipeline control software, the soviets stole in the early 1980s which was carefully designed to pass QA tests, then go haywire. Suffice to say, the plan worked, and in fact produced the largest non-nuclear explosion seen from space when it took out a large natural gas pipeline in Siberia. A version of the story here.

    2. Re:Installed patched OS, same as old OS by jumpfroggy · · Score: 1

      Wow, that was an awesome read! It's like something out of a combination Tom Clancy + 1000 Joke book adventure, but worth the read. Sheds a little light on the zaniness that was the Cold War.

  48. Re:Stop with the "unpatched PCs are insecure" rubb by pandrijeczko · · Score: 4, Informative
    PCs behind a NAT router should be given "private" IP addresses - either fixed ones or DHCP assigned ones. These private addresses are in the ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.

    Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.

    The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.

    It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.

    So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.

    --
    Gentoo Linux - another day, another USE flag.
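    The translation described in this comment (and the "either it can receive packets or it cannot" objection a few comments up) can be made concrete with a small simulation. The following is an added example, not code from the thread or from the Heise scripts: a toy stateful NAT router that rewrites outbound source addresses to its WAN address, records the mapping, lets back in only replies that match a recorded mapping, and drops everything else unless an explicit port forward has been configured. The `NatRouter` class, the `Packet` type and all addresses (203.0.113.5 as the WAN side, 192.168.1.x inside, 192.0.2.80 and 198.51.100.7 as remote hosts) are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The RFC 1918 private ranges named in the comment above.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the private ranges (never routed on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NatRouter:
    """Hypothetical stateful NAT for illustration (not a real router implementation).

    Outbound: private source (ip, port) -> (wan_ip, wan_port), mapping recorded.
    Inbound: delivered only if (wan_port, remote ip, remote port) matches a
    recorded mapping, or if wan_port has a manually configured forward.
    """

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        # wan_port -> (private_ip, private_port, remote_ip, remote_port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        # reverse lookup so one inside connection keeps one WAN port
        self.reverse: Dict[Tuple[str, int, str, int], int] = {}
        # manual port forwards: wan_port -> (private_ip, private_port); empty by default
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, wan_port: int, private_ip: str, private_port: int) -> None:
        """Explicitly expose an inside service; this is the step that is off by default."""
        self.forwards[wan_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to the WAN address and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            wan_port = self.next_port
            self.next_port += 1
            self.table[wan_port] = key
            self.reverse[key] = wan_port
        return Packet(self.wan_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if the router drops it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            priv_ip, priv_port, remote_ip, remote_port = entry
            # Only the host we talked to may answer on this mapping.
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            return Packet(pkt.src_ip, pkt.src_port, fwd[0], fwd[1], pkt.payload)
        return None  # unsolicited: the inside PC never sees it


def demo() -> Dict[str, Optional[Packet]]:
    """Run the scenarios from the thread on constructed sample traffic."""
    nat = NatRouter("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "192.0.2.80", 80, "GET /update"))
    reply = nat.inbound(Packet("192.0.2.80", 80, "203.0.113.5", out.src_port, "200 OK"))
    # A scan of the WAN address for 445/tcp: no mapping, no forward, dropped.
    scan = nat.inbound(Packet("198.51.100.7", 4444, "203.0.113.5", 445, "probe"))
    # A third party guessing the live WAN port is still refused (wrong remote endpoint).
    spoof = nat.inbound(Packet("198.51.100.7", 4444, "203.0.113.5", out.src_port, "probe"))
    nat.add_port_forward(2222, "192.168.1.20", 22)
    forwarded = nat.inbound(Packet("198.51.100.7", 5555, "203.0.113.5", 2222, "SSH-2.0"))
    return {"out": out, "reply": reply, "scan": scan, "spoof": spoof, "forwarded": forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10s} {'DROPPED' if pkt is None else pkt}")
```

    The reply to the PC's own request is delivered because it matches the recorded mapping; the probe to 445/tcp and the probe to the live WAN port from a different host are both dropped, which is why the nmap scan posted earlier shows those ports from the LAN side but not from the Internet side of the router. Only the explicitly added forward exposes an inside host, matching the comment's point that forwarding is a manual, off-by-default configuration.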
  49. Re:Stop with the "unpatched PCs are insecure" rubb by pandrijeczko · · Score: 1
    I've never used that mechanism in XP so I don't know whether or not it would restrict outgoing connections also? After all, you will need to connect to a web server somewhere to download the updates...

    Besides, this is about adding a good *additional* layer of security in a NAT router. Without one, your PC owns the Internet IP address meaning that it's directly exposed to the Internet - with a NAT router, the router has that IP address meaning that your PC only gets stuff that the router allows through.

    --
    Gentoo Linux - another day, another USE flag.
  50. Dangerous to put an unpatched machine on the net? by NerveGas · · Score: 1


        Well, it can be, but doesn't have to. Behind a decently-configured firewall, the machine can download patches without any connections from the outside getting through. YOU might ruin things by initiating connections to non-trusted sources, but that's your fault, not the OS. Of course, the security of other machines on the same network is important, but it's easy enough to maintain a separate, firewalled network for "fresh" machines, or any sort of machine you're not sure of.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  51. Alternate Windows Update method by fostware · · Score: 1

    I prefer UpdateHF.vbs

    Once you've installed Installer 3.1 and BITS2, it downloads and installs all the updates from the Windows update site

    http://www.wsus.info/forums/index.php?showtopic=6831

    --
    "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  52. Re:encountered (again) another win box without NAT by KillerBob · · Score: 3, Informative

    With *BSD, it's entirely possible to set up a low-level firewall that offers just as much protection as NAT without actually doing any address translation. It does this by monitoring the traffic at the packet-level, and can be configured to block certain ports, to ignore all unrequested traffic, or any number of QoS-type monitoring/filtering features that are a royal pain in the ass to set up on a NAT box. Really, the biggest advantage of NAT is that the DHCP allows you to have more than one computer on the network. (granted, that's a pretty big advantage).

    There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.

    But you're right... generally, it's easier to go with NAT in the long run.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  53. Security is about "survival of the fittest" by pandrijeczko · · Score: 3, Insightful
    In response to some of the comments in this topic, a lot of the people on here need to be aware of the fact that OS security is a *process*, not a *goal*. Whether you run Windows, Linux, FreeBSD or whatever, it is very dangerous to assume that just because you have the latest updates installed alongside the latest virus checker, that you are "secure" and can just then sit back and relax.

    The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and that the longer it takes them to break into a PC, the more likely they are to just give up and try another one.

    Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.

    Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.

    --
    Gentoo Linux - another day, another USE flag.
  54. Re:encountered (again) another win box without NAT by pandrijeczko · · Score: 1
    I'm not a *BSD user but is this any different to what the Linux kernel does with iptables & netfilter?

    I am genuinely interested because I've deployed Linux boxes (successfully) as firewalls in a few SOHO environments - but if BSD does an even better job of it then I'll definitely need to go take a look at it.

    --
    Gentoo Linux - another day, another USE flag.
  55. Re:Stop with the "unpatched PCs are insecure" rubb by donatzsky · · Score: 1

    While you're absolutely right that an unpatched PC should be behind a firewall/NAT, the trouble of course is that quite often this is not "possible".

    Case in point: A few months ago my mother got a shiny new ADSL connection. Since it's a triple-play (net, tv and phone over ADSL) offering it comes with a ok router; nothing spectacular, but I've seen worse, and thus I thought everything was fine (not!). A week or so later her connection basically went down (you'd have to be lucky to get on-line), also IE windows began popping up (pushing some scum-ware called SystemDoctor2006) this despite the fact that she's using Firefox. Yes, she had a virus, and it had gotten in from the internet without the need for IE.
    It turned out that the router was set up to put the PC in the DMZ (probably to save the ISP from support calls asking why Bit Torrent isn't working properly), thus exposing it to $Deity knows what. The moral therefore being that routers may NOT be set up properly for security, thus exposing the PC even when you think it's secure.

    The ISP, by the way, is Neuf (http://www.neuf.fr), so if you know someone that uses them be nice and check their router configuration.

    (If it seemed a bit confused: It's 01.00 here, I'm Danish, have a slight cold, am tired and about to go to bed. YAY!)

  56. autopatcher + nlite by Anonymous Coward · · Score: 0

    Can you use autopatcher + nLite in tandem? I want to use nLite to customize my windows cd by installing all the applications I use automatically. I want to use autopatcher to apply the updates. How do I do this, what I just said?

    1. Re:autopatcher + nlite by Anonymous+Cowled · · Score: 1
      Can you use autopatcher + nLite in tandem? I want to use nLite to customize my windows cd by installing all the applications I use automatically. I want to use autopatcher to apply the updates. How do I do this, what I just said?

      You can, but you have to install autopatcher first (I would imagine on the build that you're going to create the "nLitened" install disk), then navigate to the program directory and manually copy the hotfixes (which are in individual folders for each hotfix...) to a suitable single directory location. It will be much easier with this script, though - as they will already be in one location.

      You can also add whatever application you want to the $OEM$ folder and create a batch to run them on first boot, but you'll most likely have to remove some of the components from the original cd if you want to put a few things on there (languages and keyboard layouts are best - you'll get about 80 MB). You can of course use one of the presets, but I wouldn't recommend this. I used the "safe" preset once, added my drivers and hotfixes and it removed my IDE drivers - so even though it installed from cd, when I booted into Windows (I only have SCSI and SATA HDs), I had no CD/DVD drives!!!
  57. Another by Shawn is an Asshole · · Score: 1

    Here is another script for slipstreaming updates into an ISO:

    http://smithii.com/slipstream_xpsp2

    I use it for my unattended share. Works great.

    --
    "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
  58. Re:Stop with the "unpatched PCs are insecure" rubb by RobertLTux · · Score: 1

    NAT/firewall is like a one-way mirror: on the one side it's transparent, on the other side it's a mirror.

    If you try to shoot a target on the other side you don't know:
    1. who is on the other side
    2. how many whos are on the other side
    3. what configuration the whos are in (any cops/feds/military dudes wearing what)
    4. where which who is

    Plus, if the "mirror" is any good it's also tempered/bulletproof, so you would need armour-piercing bullets.

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
  59. Double Standard by Anonymous Coward · · Score: 0

    When someone points out Vista's slipstreaming feature, it's reported as a virus/trojan writer's dream.

    When someone points out someone's project that essentially does the same thing (burn an ISO with preinstalled SPs etc.) while "sticking it to the man" in a small way, it's reported as a neat project.

  60. Mod parent up by VGPowerlord · · Score: 1

    The only special software I needed was to rip the floppy boot image from the original Windows CD so I could boot from the CD.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  61. Concept is great, execution is poor. ERRORs by Kazoo the Clown · · Score: 1

    I just tried it, selected Windows 2K English, per selected platform. It instantly pops up a CMD window with a wget error:

    Starting download (v. 3.02)
    Copying Microsoft registry console tool...
    Downloading Microsoft ifmember tool...
    Can't timestamp and not clobber old files at the same time.
    Usage: wget [OPTION]... [URL]...

    ERROR: Download failure.

    Press any key to continue . . .

    Looking at the components it's not clear if there's an erroneous parameter passed to wget or something, as several things are less than obvious: what the error means, exactly what wget command it's trying to run, etc. No log file in sight... Not looking good...

  62. Re:encountered (again) another win box without NAT by KillerBob · · Score: 1

    BSD has the ability to firewall just like Linux with iptables/netfilter. What I'm talking about is a different ability, though. You can set it up at the hardware bridge mode, to set up an invisible firewall. One of the great features is in forcing everybody on the net to use your proxy server... you can tell it that if outbound traffic on port 80 doesn't originate from 192.168.1.5, for example, then it gets redirected to 192.168.1.5:8080. It's a great way to stealthily force your entire network to use a proxy without having to manually configure it in every computer.

    I *think* that's the real reason that the system was developed. But it also makes a great way to set up firewalling: all inbound traffic on all ports can be ignored, redirected to your DMZ host, or treated however you want. It's also able to do it transparently, so you could simply drop an appropriately configured NetBSD box between your existing gateway and the world. Not a lot of point in doing it that way, though. As I said, the real advantage is in being able to quietly force traffic to go through proxies of your choice.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  63. no room for discs.... by asmjunky · · Score: 1

    that's all fine and dandy, but we may have to wait for these

  64. use your Mac to download the updates by swell · · Score: 1

    Then reboot in Windows to install them.

    Someday there will be threats to the Mac OS, so you can download the Mac updates from the Windows half of your Mac...

    --
    ...omphaloskepsis often...
  65. Re:Stop with the "unpatched PCs are insecure" rubb by Eskarel · · Score: 1

    Actually I connected a freshly reinstalled XP box up to the internet (my disk is really old so it's pre-SP1 and I didn't have a copy of SP2 lying around), without installing the firewall and AV software before I connected to the internet (I was tired and stupid at the time). On 8/1 ADSL my PC was pwned to the point that I couldn't download any files (including spyware scanners) that weren't corrupted before I could finish getting the windows updates. This was through a NAT router with no open ports. Without at least SP2 preinstalled NAT won't save you. A virus scanner and a reasonable software firewall plus NAT will, but not just NAT, and I'm far from ignorant about computers.

  66. NT4 Revised Service Pack 6A by os2fan · · Score: 1

    I made a service pack 7 for Windows NT some while ago, but it is still in late alpha. When this installs, it does so as "Revised service pack 6A". Still, I use one further patch file to deliver updates, like the 2k3 NTLOADER / NTDETECT.COM, sol.exe and cmd.exe from Windows 2000, and a few other "fixes".

    There are, none the same, a number of useful projects to slipstream fixes etc. into both OS/2 and Windows.

    One might, for OS/2, try UPDCD, and compare this with the various Windows versions: NLITE, HFSLIP, and USP5 for Win2k. The UPDCD, NLITE and HFSLIP projects are multi-version, while USP5 is for 2000 only.

    Windows 3.1 did not check any files, and one has always been able to update the stuff. I managed to add all of the fixes to PC-DOS 6.31, once one gets a hold of compress.exe v 1.0.

    --
    OS/2 - because choice is a terrible thing to waste.
  67. Re:Stop with the "unpatched PCs are insecure" rubb by evilviper · · Score: 2, Informative
    Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.

    People keep repeating it, but it's just not true. It is TRIVIALLY easy to send packets to private addresses behind an open NAT.

    First off, the way in which packets sent to a NAT box disappear is like waving a big red flag that says "NAT". Then all it takes is a little bit of forging of header addresses, and a couple of packets, and you can discover the exact addresses of all the machines on the private net, and send whatever you want to them.

    The two ways I like to explain it (for brevity) are source-routed packets, and gateways.

    Sequentially ping the broadcast addresses of the private networks (like 10.255.255.255) setting a source-route of the public IP address of the NAT box. The routers between the two of you will forward the packets to the NAT box. Then, being the good little router it is, it will see the packet is supposed to go to the private network, and forward it there. The ICMP replies will be sent back to you, and you now have a list of (most of) the running systems behind the NAT. Now you can send whatever payload you want, to any one of those privately-addressed machines.

    Another very simple way (which gets around blocked source-routed packets) is to get an address on the same public subnet as your target. Most providers have their public addresses grouped in a /24 subnet, or larger, which gives you at least 253 chances. That should be trivially easy to accomplish, and is left as an exercise for the reader. Once you've done that, all you have to do is set your default gateway as the NAT box's public IP, and you can just directly address all those machines by their private address, directly. No skill needed at all. The NAT box is only too happy to forward your packets, and return the replies.

    Needless to say, there are many, many other ways to trick the NAT into forwarding packets to the privately addressed machines, but they are a bit too involved for a short post on /. Suffice it to say, NAT is common enough that I suspect a very large number of crackers have automatic routines to penetrate them, and your NAT isn't going to even slow them down.

    For about two decades now, it has been trivially easy to set up a machine to do stateful packet filtering, which actually WILL stop penetration attempts. There's no reason NOT to do it. And for any kind of security, that's precisely what you need.

    The warm fuzzy feeling you get with a NAT box, because you're ignorant of how easy they are to bypass, won't stop your computers from being turned into zombies.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
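    The distinction this post draws between a bare NAT box (a router that forwards whatever is routed to the inside) and a stateful packet filter (which admits inbound packets only when they belong to a connection the inside opened), together with the transparent tcp/80 redirect to a proxy that KillerBob describes in comment 62, as an added Python model. This is constructed example code, not code from the thread, from Offline Update, or from any real firewall; the `Gateway`, `Packet`, `demo` names, the 192.168.1.0/24 LAN, the 192.168.1.5 proxy and the documentation-range outside addresses are all assumptions made for the example.

```python
"""Toy model of the NAT-vs-stateful-filter argument from the thread.

Constructed example, not code from the thread, the Offline Update project or any
real firewall. It models a gateway with three switchable behaviours:
  * plain NAT: anything that arrives routed to a private address is forwarded;
  * stateful filtering: inbound packets are accepted only when they match a
    connection that the inside initiated;
  * transparent redirect: outbound tcp/80 not from the proxy is rewritten to
    proxy:8080 (the bridge-proxy trick from comment 62).
All addresses are private or documentation ranges chosen for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRIVATE = ip_network("192.168.1.0/24")   # the LAN behind the gateway (assumed)
PROXY = ip_address("192.168.1.5")        # the transparent proxy host (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    source_routed: bool = False   # carries an IP source-route option


@dataclass
class Gateway:
    stateful: bool                 # True = stateful filter, False = bare NAT
    accept_source_route: bool = False
    redirect_http: bool = False
    # connection table: flows the inside opened, keyed (src, sport, dst, dport)
    conntrack: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Packet:
        """Handle a packet leaving the LAN; returns the packet as forwarded."""
        if ip_address(pkt.src) not in PRIVATE:
            raise ValueError("outbound() expects a packet from the private side")
        if (self.redirect_http and pkt.proto == "tcp" and pkt.dport == 80
                and ip_address(pkt.src) != PROXY):
            # Rewritten toward the proxy; it never leaves the LAN, so no state.
            return Packet(pkt.src, pkt.sport, str(PROXY), 8080, pkt.proto)
        # Remember the flow so that replies can be matched on the way back.
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> tuple[str, str]:
        """Handle a packet arriving from outside; returns (verdict, reason)."""
        if ip_address(pkt.dst) not in PRIVATE:
            return ("drop", "not addressed to the private network")
        if pkt.source_routed and not self.accept_source_route:
            return ("drop", "source-routed packet rejected")
        if not self.stateful:
            # The behaviour the thread warns about: a NAT box is a router,
            # and a router forwards what it is asked to forward.
            return ("accept", "bare NAT forwards anything routed to the inside")
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.conntrack:
            return ("accept", "reply to a connection opened from inside")
        return ("drop", "unsolicited inbound, no matching state")


def demo() -> dict[str, str]:
    """Run the thread's scenarios and return outcomes keyed by scenario name."""
    unsolicited = Packet("203.0.113.9", 4444, "192.168.1.10", 445)
    outcomes = {}
    bare = Gateway(stateful=False)
    outcomes["bare_nat_unsolicited"] = bare.inbound(unsolicited)[0]
    fw = Gateway(stateful=True)
    outcomes["stateful_unsolicited"] = fw.inbound(unsolicited)[0]
    # The inside opens a connection; only the matching reply is let back in.
    fw.outbound(Packet("192.168.1.10", 50000, "198.51.100.7", 80))
    outcomes["stateful_reply"] = fw.inbound(
        Packet("198.51.100.7", 80, "192.168.1.10", 50000))[0]
    # A source-routed packet aimed at the LAN broadcast address is dropped
    # by default, before any state lookup.
    outcomes["source_routed"] = fw.inbound(
        Packet("203.0.113.9", 1, "192.168.1.255", 0, "icmp", source_routed=True))[0]
    # Transparent proxy: outbound HTTP is rewritten unless it already comes
    # from the proxy itself (which would otherwise loop).
    px = Gateway(stateful=True, redirect_http=True)
    fwd = px.outbound(Packet("192.168.1.20", 51000, "198.51.100.7", 80))
    outcomes["http_redirected"] = f"{fwd.dst}:{fwd.dport}"
    fwd = px.outbound(Packet(str(PROXY), 51001, "198.51.100.7", 80))
    outcomes["proxy_direct"] = f"{fwd.dst}:{fwd.dport}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

    The point of the model is the `inbound` method: with `stateful=False` the only question a NAT box asks is "is this routed to the inside?", which is exactly why the source-routing and same-subnet gateway tricks in the post work against it, whereas the stateful branch consults the connection table the inside populated and drops everything else. Real firewalls also expire entries and track TCP state transitions, which the model leaves out.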
  68. re: by sammcj2000 · · Score: 0

    TWO WORDS: auto patcher

    http://www.autopatcher.com/

  69. WSUS but who the hell knows how to use it? by Anonymous Coward · · Score: 0

    Us dudes in the little shops who have real responsibilities get stuck doing the Windows crap thing. How the hell does a normal person implement it? Is this like Active Directory, not possible for mortals. I've never seen a tutorial and bill of materials to implement WSUS.

    BTW we run mostly PhotoShop, I don't know why the owner just doesn't pitch the PCs.

  70. Do these qualify as SP2 versions for Boot Camp? by bjb · · Score: 1

    One of the things that has been putting me off from trying Boot Camp is that I have to re-purchase Windows XP to get it with SP2 on the disc (the machine I used this copy on has been decommissioned for now and I haven't built a replacement). I'm wondering if doing this would produce a disc that would work with Boot Camp or Parallels?

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
  71. XP SP3 / Vista SP1 by cafucu · · Score: 1

    XP service pack 3 and Vista SP1 Beta can be downloaded here then installed offline. Remember to choose the "alternate install" ISO.

    --
    :%s:work:/.:g