DIY Service Pack For Windows 2000/XP/2003

Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO-Images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.


  1. yeah, that's real safe by ILuvRamen · · Score: 3, Insightful
    Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.
    yeah, that's just so terribly safe compared to not having it...except that now there will be like a million fake isos floating around the internet saying they're the latest batch of windows updates and people who are too lazy to make the iso themselves will install the fake, spyware and trojan infested ones.
    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  2. Well Einstein by El Lobo · · Score: 2, Informative
    1) Who says that you must download it from an unpatched PC?

    2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?

    3) What else will we whine about now... the versatility of Macintosh hardware?

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
    1. Re:Well Einstein by joe 155 · · Score: 3, Funny

      "The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?"

      I would say your second guess of 2 is closer than your first of 0... shall we split the difference and agree at 1?

      --
      *''I can't believe it's not a hyperlink.''
    2. Re:Well Einstein by truthsearch · · Score: 2, Interesting

      Home desktops aren't usually behind firewalls. A new PC gets connection attempts from evil scripts and viruses within seconds of plugging it into the internet. Even with a high speed connection it takes quite a long time to download and install all of the Windows updates on a new PC. So the chances of getting infected are quite high.

    3. Re:Well Einstein by Vellmont · · Score: 3, Insightful

      Home desktops aren't usually behind firewalls.

      That may have been true 10 years ago, but these days most home PCs are at least behind a NAT. Unless you've gone out of your way and configured your NAT to forward all ports to your PC (i.e. a DMZ), outside attacks will be quite useless. The only threat in this case is the user downloading a virus from email, or visiting a compromised website. If you run windows update (well, several times) before you do either of those things, there's no danger.

      --
      AccountKiller
    4. Re:Well Einstein by Shakrai · · Score: 2, Informative

      Home desktops aren't usually behind firewalls

      Depends on your service provider. In my experiences most DSL providers use NAT routers -- even for single PC connections. Most cable providers seem to use bridges and your PC gets a globally valid address, which tends to be a problem for a Windows PC.

      Then there's dialup users. But if you have to use dialup to do a complete set of Windows updates on a brand new PC it's an even money bet that you'll die from old age before they finish and in this scenario who cares about being pwned?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    5. Re:Well Einstein by Shakrai · · Score: 3, Interesting

      That may have been true 10 years ago, but these days most home PCs are at least behind a NAT.

      Umm, I'd have to disagree with that statement. Around here the biggest provider of internet connectivity for home users is Roadrunner. They provide you with a cable "modem" that acts as a bridge between their network and your PC. The PC gets a globally valid address.

      In fact the only Roadrunner home users I know (not counting geeks/techies) that have NAT routers are those that have more than one computer. Otherwise it's right into the PC and come and get it boys cuz I'm wide open!

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    6. Re:Well Einstein by Klaidas · · Score: 3, Funny

      Well, the safest thing to do is to simply turn the computer off, remove the CPU, bury it in the yard and lock the rest of the computer in a safe.
      Although, script kiddies might still be trying to infect it...

    7. Re:Well Einstein by IdolizingStewie · · Score: 4, Funny
      Your average interface-jockey can certainly plug the thing into the cable modem, and plug his computers into the lan side.

      I want your users. I lost internet access three times last year because some dumbass down the hall plugged his router in backwards and was trying to NAT the whole damn building.

  3. Re:Does MS offer this by phantomcircuit · · Score: 2, Interesting

    They used to offer a CD that they would MAIL you for free (around 2002) but stopped doing that. (no reason was given for why they stopped).

  4. Corporate Windows Update by mandelbr0t · · Score: 2, Informative

    This sounds like a useful script. I know people who manage Windows Updates for corporate networks, and they've mentioned these sorts of ISOs before. Effectively, it allows an admin. to read the KB articles on microsoft.com and pick-and-choose which updates to make available to the corporate network. There's a lot of updates! A backup ISO of the updates you've chosen to make available allows you to easily rebuild the update server if anything happens to it, and to build update servers for other networks based off work you've already done.

    As to circumventing WGA: it's already been circumvented for XP SP2. You actually have to download and run the WGA executable to destroy a cracked XP SP2 install (Windows Update doesn't push it to you). Vista may be a different story though.

    mandelbr0t

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
    1. Re:Corporate Windows Update by LurkerXXX · · Score: 2, Informative

      I don't know any admin who would use these for a corporate network. ISOs are typically a thing you use when you only have one or a handful of individual machines to update. WSUS makes things easy to customize for what computer receives what individual patches without messing with DIY patch ISOs. WSUS Server chaining, replicas, or offline updates allows you to copy settings to other WSUS servers without worrying about 'backup ISOs' of what you have selected. It does it all for you.

  5. Danger? by dedazo · · Score: 4, Insightful
    Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

    A "danger" that is eliminated with a rinky $25 NAT router.

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    1. Re:Danger? by AliasTheRoot · · Score: 2, Insightful

      Or plug in the Ethernet cable after you have turned on the firewall built into XP - assuming you aren't using a SP2 install where it's enabled by default.

    2. Re:Danger? by LodCrappo · · Score: 4, Informative

      A NAT in front of your windows box does do a lot to prevent trouble while you're patching up a new install. As long as you immediately get up to date (before using the machine for anything else) then I'd think this is fine. The problem is people who rely on a NAT device for some sort of security *in place of* security patching. Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this.

      --
      -Lod
  6. autopatcher has been doing this for a while now by schnikies79 · · Score: 4, Informative

    I keep an up-to-date copy for my dialup friends, which most of them are.

    Autopatcher!

    --
    Gone!
    1. Re:autopatcher has been doing this for a while now by Fëanáro · · Score: 2, Insightful

      autopatcher is a closed source solution which requires you to trust executables from a dubious source. Even if you accept the autopatcher guys as currently trustworthy, they may still sell out or get hacked with much higher probability than microsoft.

  7. nLite by Nasarius · · Score: 4, Informative

    I've been using nLite and RyanVM's update pack to do this for a while now. Great stuff, even works with my Dell OEM version of XP.

    --
    LOAD "SIG",8,1
    1. Re:nLite by Jonah Hex · · Score: 2, Interesting

      Check out Microsoft Forum Network http://www.msfn.org/ for more do-it-yourself guides and forums dedicated to pre-building customized CDs/DVDs.

      Jonah HEX

  8. Trust him? Do you know what Heise is? by Anonymous Coward · · Score: 2, Informative

    Who do you refer to, exactly? Heise? Heise is not a him, it's a big (and trustworthy) publisher of computer magazines in Germany (c't and iX).

  9. nlite by Danathar · · Score: 3, Interesting

    nlite does almost the same thing and is much more flexible and easier to use

    http://www.nliteos.com/

  10. Check out RyanVM too by SteWhite · · Score: 2, Informative

    For anyone interested in this sort of thing, you might also want to check out RyanVM:

    http://www.ryanvm.net/msfn/

    This allows you to produce updated Windows installation CDs, that actually have the service packs and post-service pack hotfixes *already integrated into the installation*. This saves the extra time normally taken to install Windows *then* go apply all the updates.

  11. Re:Or just buy the firewall you should have anyway by mcrbids · · Score: 4, Insightful

    Perhaps the key difference is this:

    I can put an unpatched RedHat Linux system on the public Internet and download patches without worrying about it. In fact, I routinely use such systems AS the router/firewall for other systems!

    If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!

    The fact that you can't even imagine a server without a dedicated firewall in front of it speaks volumes.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  12. What about Microsoft? by febuiles · · Score: 3, Interesting

    I wonder what Microsoft thinks about this, right now I'm downloading updates that I wouldn't be able to get since I don't use a legal version of their software.

    Thank you :D

    1. Re:What about Microsoft? by pandrijeczko · · Score: 2, Insightful
      I guess they think you are a complete and total hypocrite, just like I do.

      If you're not prepared to pay for their software then you shouldn't be using it, simple. And you would probably be admired more if you had the courage and strength of conviction to go spend the time learning to use an alternative OS in order to make a much clearer statement to Microsoft that you're not prepared to pay the money they ask for their products.

      Any fool can download a pirated Windows CD from the Internet, it takes initiative to go learn and legally use an alternative OS.

      --
      Gentoo Linux - another day, another USE flag.
  13. Re:Problem with reg.exe by Jonah Hex · · Score: 2, Insightful

    So what's the point of using a reg.exe from the NT 4.0 resource kit? Rename a self extracting zip to reg.exe?

    In short, don't play with strange links posted by anonymous cowards...

    Jonah HEX

  14. Already been done in a better form by cHiphead · · Score: 5, Informative

    It's called Autopatcher and it's WAYYYY sexier. Lots of installable extras and sexy registry patches to make Windows life easier.

    http://www.autopatcher.com/

    --
    This is my sig. There are many like it, but this one is mine.
    1. Re:Already been done in a better form by MCraigW · · Score: 4, Informative

      I've been using Autopatcher for quite some time now, and I'm quite happy with it. It also has some extra utilities that it will install if you select them, and the ability to make various UI tweaks. I find it is a nice way to install everything on a new PC. I download the latest version, write it to a CD and take it to the new PC. The new PC never has to be connected to the internet to get the latest MS updates.

    2. Re:Already been done in a better form by sbben · · Score: 2, Interesting

      Same with Nlite, located here http://www.nliteos.com/nlite.html/.

      I believe a Vista version was released as well, known as vLite. I have not used either but they look very promising. I have been meaning to try out nLite for the next time I reformat, but maybe I will try one of these alternatives instead. Anyone out there used them all?

    3. Re:Already been done in a better form by NorQue · · Score: 2, Insightful

      If I understood the information on the website correctly autopatcher is just a collection of the latest MS updates from a third party. With the offline update scripts from Heise you're able to create your *own* autopatcher collection from scratch. No middleman involved.

  15. Re:WGA & Patching pirated copies by Deluge · · Score: 2, Insightful

    Yes, there is. Every time MS releases an updated WGA .dll, the pirates release a cracked copy. Shows up all over the place. Download, overwrite the files in WINDOWS/SYSTEM32, and presto, no more nags, and you can use Windows Update manually too.

    I have a feeling it won't be quite so cut and dried with Vista though.

  16. Re:Does MS offer this by plover · · Score: 4, Funny
    This site should be "within the limits" of that TOS simply because they don't provide the software. He just provides a tool which you can use to download it from the official Microsoft site, and the TOS doesn't say anything about how you download them, just where you download them from.

    Autopatcher, on the other hand, provides the actual software, which is explicitly prohibited by the TOS you mentioned. He has this hilarious line in his FAQ:

    Q: Is AutoPatcher legal?
    A: Yes, nwraptor once spoke to a Microsoft employee and apparently they know about us but don't care what we do! Now that's legal advice you can hang your hat on!
    --
    John
  17. Torrents by shmlco · · Score: 2, Interesting

    "Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this."

    Or connect to a torrent server. Watch the number of attacks on your PC's FW skyrocket the instant you run BT and connect to a tracker. Lots of hackers run torrent servers just to mine the connection information and find new, unprotected computers to attack.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
  18. Stop with the "unpatched PCs are insecure" rubbish by pandrijeczko · · Score: 3, Informative
    Anyone with any knowledge of security knows that if you deploy a NAT router/firewall between your unpatched PC and the Internet, whether a simple £50 box in a home environment or behind a DMZ in a corporate environment, then that PC, whether running Windows, Linux or any other OS, is pretty safe as long as you don't run any services out onto the Internet with it and don't do too much else with it. And if you run an Internet connection without one of these in place then more fool you...

    On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that come in from emails, documents & web pages, but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.

    No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...

    --
    Gentoo Linux - another day, another USE flag.
  19. Re:Stop with the "unpatched PCs are insecure" rubb by kosmosik · · Score: 2, Insightful

    > No, I'm no Microsoft fan but let's stick to facts
    > rather than "science fiction" FUD stories...

    These are not SF FUD stories. There are a lot of people who:
    - don't know shit about security
    - don't know shit about patching
    - own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
    - use computer to Just Work With it - as a tool - you know

    And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.

    Recently a friend of mine reinstalled Windows (since it was wrecked to the point of no other option, at least for her) from CDs (sans SP) which came with her laptop. After 1 minute the system was infected and unusable; it hadn't even a slight CHANCE of updating itself.

    MS made some stupid decisions a few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.

    I can surely install an old version of a Linux distribution or OS X and not get infected 10 minutes after connecting to an untrusted network.

  20. Re:Stop with the "unpatched PCs are insecure" rubb by pandrijeczko · · Score: 3, Insightful
    > These are not SF FUD stories. There are a lot of people who:
    > - don't know shit about security
    > - don't know shit about patching
    > - own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?)
    > - use computer to Just Work With it - as a tool - you know

    I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to setup - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.

    And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)

    > And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not something your mom or dad (I assume) can do with their computers.

    I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)

    > MS made some stupid decissions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them use 5 year old computers since they tend to work for them.

    Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.

    > I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.

    It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.

    Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.

    --
    Gentoo Linux - another day, another USE flag.
  21. Re:Stop with the "unpatched PCs are insecure" rubb by pandrijeczko · · Score: 4, Informative
    PCs behind a NAT router should be given "private" IP addresses - either fixed ones or DHCP assigned ones. These private addresses are in the ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.

    Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that, but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.

    The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.

    It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.

    So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.

    --
    Gentoo Linux - another day, another USE flag.
  22. Re:encountered (again) another win box without NAT by KillerBob · · Score: 3, Informative

    With *BSD, it's entirely possible to set up a low-level firewall that offers just as much protection as NAT without actually doing any address translation. It does this by monitoring the traffic at the packet-level, and can be configured to block certain ports, to ignore all unrequested traffic, or any number of QoS-type monitoring/filtering features that are a royal pain in the ass to set up on a NAT box. Really, the biggest advantage of NAT is that the DHCP allows you to have more than one computer on the network. (granted, that's a pretty big advantage).

    There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.

    But you're right... generally, it's easier to go with NAT in the long run.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  23. Security is about "survival of the fittest" by pandrijeczko · · Score: 3, Insightful
    In response to some of the comments in this topic, a lot of the people on here need to be aware of the fact that OS security is a *process*, not a *goal*. Whether you run Windows, Linux, FreeBSD or whatever, it is very dangerous to assume that just because you have the latest updates installed alongside the latest virus checker, that you are "secure" and can just then sit back and relax.

    The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and that the longer it takes them to break into a PC, the more likely they are to just give up and try another one.

    Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.

    Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.

    --
    Gentoo Linux - another day, another USE flag.
  24. Re:Installed patched OS, same as old OS by PAPPP · · Score: 3, Interesting

    One of the best "In Soviet..." jokes I've ever seen, for those not in the know, it refers to some US made technology, most famously pipeline control software, the soviets stole in the early 1980s which was carefully designed to pass QA tests, then go haywire. Suffice to say, the plan worked, and in fact produced the largest non-nuclear explosion seen from space when it took out a large natural gas pipeline in Siberia. A version of the story here.

  25. Re:Does MS offer this by SuneSpeg · · Score: 2, Informative

    It seems like people are totally unaware of the lovely thing from M$ called WSUS (Windows Server Update Services). Which is a local server that works as an update proxy. It saves tons of bandwidth and time!

  26. Re:Or just buy the firewall you should have anyway by KillerBob · · Score: 2, Insightful
    But it's reasonable to expect not to be rooted in the two or three hours it takes to get all the patches you need, if the mean time to failure is three months.

    That's up to you. But please don't take it as an offense if I say that I'd never hire you as a sysadmin.

    Ask yourself this... is the 5 minutes it takes to set up basic firewalling (or even simply shutting down any daemons you're running) worth the extra time you risk if you have to reinstall the computer? Banking on averages is never a good idea, especially not when you're dealing with something mission-critical. Whatever can go wrong will go wrong, at the worst possible moment and all.

    Speaking as somebody who's had computers blow up on him on many an occasion, I'd rather not take any chances I don't have to. Recovering from your own fuckups is expensive and annoying, doubly so when it's avoidable.
    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  27. Re:Stop with the "unpatched PCs are insecure" rubb by evilviper · · Score: 2, Informative
    Consequently, no-one on the Internet can get to a PC in the private address range - not only that, but there are probably thousands of PCs using any one of those private IP addresses at any moment in time.

    People keep repeating it, but it's just not true. It is TRIVIALLY easy to send packets to private addresses behind an open NAT.

    First off, the way in which packets sent to a NAT box disappear is like waving a big red flag that says "NAT". Then all it takes is a little bit of forging of header addresses, and a couple of packets, and you can discover the exact addresses of all the machines on the private net, and send whatever you want to them.

    The two ways I like to explain it (for brevity) are source routed packets, and gateways.

    Sequentially ping the broadcast addresses of the private networks (like 10.255.255.255) setting a source-route of the public IP address of the NAT box. The routers between the two of you will forward the packets to the NAT box. Then, being the good little router it is, it will see the packet is supposed to go to the private network, and forward it there. The ICMP replies will be sent back to you, and you now have a list of (most of) the running systems behind the NAT. Now you can send whatever payload you want, to any one of those privately-addressed machines.

    Another very simple way (which gets around blocked source-routed packets) is to get an address on the same public subnet as your target. Most providers have their public addresses grouped in a /24 subnet, or larger, which gives you at least 253 chances. That should be trivially easy to accomplish, and is left as an exercise for the reader. Once you've done that, all you have to do is set your default gateway as the NAT box's public IP, and you can just directly address all those machines by their private address, directly. No skill needed at all. The NAT box is only too happy to forward your packets, and return the replies.

    Needless to say, there are many, many other ways to trick the NAT into forwarding packets to the privately addressed machines, but they are a bit too involved for a short post on /. Suffice it to say, NAT is common enough that I suspect a very large number of crackers have automatic routines to penetrate them, and your NAT isn't going to even slow them down.

    For about two decades now, it has been trivially easy to set up a machine to do stateful packet filtering, which actually WILL stop penetration attempts. There's no reason NOT to do it. And for any kind of security, that's precisely what you need.

    The warm fuzzy feeling you get with a NAT box, because you're ignorant of how easy they are to bypass, won't stop your computers from being turned into zombies.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
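The two posts above disagree about what a NAT box actually guarantees: comment 21 describes how private addresses are rewritten on the way out and mapped back on the way in, and comment 27 argues that only a stateful filter, not the address rewriting itself, keeps unsolicited or source-routed traffic out. The following toy model is an added example written for this page; it is not code from Heise, from any commenter, or from any real router. All addresses, ports and packets are constructed sample values (TEST-NET ranges for the "public" side), and the packet is a plain dict with just the header fields the model needs. It walks one outbound session through a NAT table and then shows which inbound packets a stateful, anti-spoofing filter on the Internet side accepts or drops.

```python
from ipaddress import ip_address, ip_network

# The RFC 1918 private ranges named in comment 21.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True if addr falls in one of the private ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


def make_packet(src, sport, dst, dport, source_route=None):
    """Constructed toy packet: only the header fields this model looks at."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "source_route": source_route}


class NatRouter:
    """Toy NAT router with a stateful filter on its Internet-facing side.

    Assumed behaviour (a model, not any vendor's implementation): outbound
    packets get the router's public address and a fresh port, replies to a
    recorded session are mapped back, and everything else arriving from the
    WAN is dropped unless an administrator added an explicit port forward.
    """

    def __init__(self, public_ip, lan_net, first_port=40000):
        self.public_ip = public_ip
        self.lan_net = ip_network(lan_net)
        self.next_port = first_port
        # public port -> (private src, private sport, remote dst, remote dport)
        self.sessions = {}
        # public port -> (private host, port); empty unless configured
        self.port_forwards = {}

    def add_port_forward(self, public_port, private_ip, private_port):
        self.port_forwards[public_port] = (private_ip, private_port)

    def from_lan(self, pkt):
        """Translate an outbound packet and remember the session."""
        if ip_address(pkt["src"]) not in self.lan_net:
            return "drop: source not on LAN", None
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        # Reuse the mapping for an existing flow, otherwise allocate a port.
        for port, sess in self.sessions.items():
            if sess == key:
                public_port = port
                break
        else:
            public_port = self.next_port
            self.next_port += 1
            self.sessions[public_port] = key
        return "forward", dict(pkt, src=self.public_ip, sport=public_port)

    def from_wan(self, pkt):
        """Apply the stateful filter to an inbound packet, then un-translate."""
        # Source-routed packets are refused regardless of their addresses.
        if pkt.get("source_route"):
            return "drop: source-routed packet", None
        # Only packets addressed to the router's own public IP are considered;
        # this covers anything aimed straight at a private host via the WAN.
        if pkt["dst"] != self.public_ip:
            return "drop: destination is not the router's public address", None
        # A private source address can never legitimately arrive from the WAN.
        if is_private(pkt["src"]):
            return "drop: private source address on WAN side", None
        # Explicit port forward configured by the administrator.
        if pkt["dport"] in self.port_forwards:
            host, port = self.port_forwards[pkt["dport"]]
            return "forward (port forward)", dict(pkt, dst=host, dport=port)
        # Otherwise only a reply to a recorded session gets through, and only
        # from the remote endpoint that session was opened to.
        sess = self.sessions.get(pkt["dport"])
        if sess is None:
            return "drop: unsolicited inbound", None
        private_ip, private_port, remote_ip, remote_port = sess
        if (pkt["src"], pkt["sport"]) != (remote_ip, remote_port):
            return "drop: reply from wrong remote endpoint", None
        return "forward", dict(pkt, dst=private_ip, dport=private_port)


def demo():
    """Run one session plus several inbound cases; returns the verdicts."""
    router = NatRouter(public_ip="198.51.100.7", lan_net="192.168.1.0/24")
    verdicts = {}
    # 1. A LAN host fetches a page from a constructed external web server.
    v, out = router.from_lan(make_packet("192.168.1.10", 51515, "203.0.113.20", 80))
    verdicts["outbound"] = (v, out["src"], out["sport"])
    # 2. The server's reply hits the public address and is mapped back home.
    v, back = router.from_wan(make_packet("203.0.113.20", 80, "198.51.100.7", out["sport"]))
    verdicts["reply"] = (v, back["dst"], back["dport"])
    # 3. A probe of the public address on a port nobody opened.
    verdicts["scan"] = router.from_wan(make_packet("203.0.113.99", 4444, "198.51.100.7", 445))[0]
    # 4. A packet addressed straight to the private host, arriving on the WAN side.
    verdicts["direct_private"] = router.from_wan(make_packet("203.0.113.99", 4444, "192.168.1.10", 445))[0]
    # 5. The same idea carried in a source route via the router.
    verdicts["source_routed"] = router.from_wan(
        make_packet("203.0.113.99", 4444, "10.255.255.255", 0, source_route=["198.51.100.7"]))[0]
    # 6. A different host trying to ride the open session's public port.
    verdicts["wrong_peer"] = router.from_wan(make_packet("203.0.113.99", 80, "198.51.100.7", out["sport"]))[0]
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The point of the model is the order of checks in `from_wan`: the address rewriting in `from_lan` is what makes the LAN reachable at all, but it is the session table, the "destination must be my public IP" rule and the refusal of source-routed and privately-sourced packets that actually keep the private hosts unreachable, which is the distinction comment 27 draws. Port forwards are off until an administrator calls `add_port_forward`, matching comment 21's description.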