Slashdot Mirror


Microsoft Slaps $250K Bounty On Conficker Worm

alphadogg writes "The spreading Conficker/Downadup worm is now viewed as such a significant threat that it's inspired the formation of a posse to stop it, with Microsoft leading the charge by offering a $250,000 reward to bring the Conficker malware bad guys to justice. The money will be paid for 'information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet,' Microsoft said today in a statement, adding it is fostering a partnership with Internet registries and DNA providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all. Conficker, also called Downadup, is estimated to have infected at least 10 million PCs. It has been slowly but surely spreading since November. Its main trick is to disable anti-malware protection and block access to anti-malware vendors' Web sites."

258 comments

  1. The new business plan by 140Mandak262Jamuna · · Score: 5, Funny
    1. Write malware for windows

    2. Give it to a bunch of script kiddies anonymously in bulletin boards.

    3. ...

    4. Turn them in to MSFT for the bounty.

    5. Profit

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:The new business plan by Fluffeh · · Score: 1, Funny

      ICanHaSSkript?

      No do homewerks?

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:The new business plan by Locke2005 · · Score: 4, Interesting

      My thoughts exactly. If hackers can now make big bucks by writing worms then framing someone else for turning them loose on the world, doesn't that provide a powerful incentive to write more worms???

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    3. Re:The new business plan by segedunum · · Score: 1, Funny

      Well, if it was good enough for Clint then it's good enough for the rest of us.

    4. Re:The new business plan by John+Hasler · · Score: 4, Insightful

      They also have to successfully pull off the "framing" part. The authorities are not unfamiliar with the idea that their informants may be lying for the reward.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:The new business plan by guyminuslife · · Score: 2, Informative

      Because no one will ever suspect that the guy with the advanced degree, antisocial personality disorder, questionable source of income, and miraculous discovery of "the real hackers," would have had anything to do with it.

      --
      I don't believe in time. It's a grand conspiracy designed to sell watches.
    6. Re:The new business plan by binarylarry · · Score: 4, Funny

      Yes, I highly doubt the Hans Reiser defense is going to work that well here either.

      --
      Mod me down, my New Earth Global Warmingist friends!
    7. Re:The new business plan by shanen · · Score: 1

      Naw, it's just Microsoft's business plan to buy a reputation, cheap.

      Actually, only based on the news reports I've already read, Microsoft's reward is already tiny compared to the initial reactive damages caused by Microsoft's sloppy programming and very unsloppy but aggressive marketing to make sure the danger is as widespread as possible. So far the damage (that I've heard about) has just been networks being shut down to try and clean the worm out--but if this thing actually has a hostile payload...

      Imagine a distributed supercomputer two orders of magnitude larger than Roadrunner. Whoops, no imagination required. We already have it--and no one knows how hostile it is.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    8. Re:The new business plan by kpainter · · Score: 1

      That is why I favor the 'hitman' option rather than the 'bounty' option. That pretty much cancels out #5.

    9. Re:The new business plan by Anonymous Coward · · Score: 2, Funny

      Every day I feel the internet looks more and more like the wild wild west....

      A bunch of so called hackers doing whatever they want, with no law to control them.... and now, bounties....

      Now we just need a blondie to come up and collect fake bounties.

    10. Re:The new business plan by RINGSMUTH · · Score: 2, Informative

      Step 1: Russia hires you to program malware for $50K a year.

      Step 2: Russia lets malware loose.

      Step 3: ...

      Step 4: Russia turns you in for $250K.

      Step 5: Russia = Profit!!!

    11. Re:The new business plan by c6gunner · · Score: 2, Funny

      Imagine a distributed supercomputer two orders of magnitude larger than Roadrunner. Whoops, no imagination required. We already have it--and no one knows how hostile it is.

      OMFG, IS SKEYE NET!!!

    12. Re:The new business plan by Narpak · · Score: 2, Interesting

      I guess that is kinda the idea behind an investigation and a trial. To collect evidence, examine evidence, ensure that said evidence is correct, then present it in a court for consideration. Just putting out a bounty doesn't mean hackers can "just frame someone" and then collect the reward. In fact, under the current set of laws, framing someone would be a far more serious crime than the worm itself.

    13. Re:The new business plan by troll8901 · · Score: 1

      Every day I feel the internet looks more and more like the wild wild west.... A bunch of so called hackers doing whatever they want, with no law to control them.... and now, bounties....

      Dyin's too good for 'em!

      (Cue Wild West background music.)

    14. Re:The new business plan by Airw0lf · · Score: 1

      ICanHaSSkript? No do homewerks?

      No but I'll give you a cheeseburger, ok?

    15. Re:The new business plan by msormune · · Score: 1

      I see. So it's gonna play out like this: Malware creator just calls MSFT and says give me moneys, I know who made the malware. And then MSFT and the police will NOT ask at all, well how do you know this?

      Yeah, that will work...

    16. Re:The new business plan by cepayne · · Score: 1

      It should "in reality" trigger Microsoft to add a new line
      to their business plan:

      FIX the OVERFLOW BUGS in all of their crappy software!

      Apparently it only costs $250,000 to get publicity like this.

    17. Re:The new business plan by YourExperiment · · Score: 1

      How about the Chewbacca defence?

    18. Re:The new business plan by CrossChris · · Score: 1

      I wrote it. Can I have my $250k now please?

    19. Re:The new business plan by Anonymous Coward · · Score: 0

      Hackers do not make worms! You are confusing them with lamers.

  2. 250K is too low by xzvf · · Score: 1

    Pirates of the Indian Ocean were asking for multi-millions. 10 million zombie PC's are worth more than $250K. Dig deeper MS.

    1. Re:250K is too low by Bill+Dimm · · Score: 5, Insightful

      10 million zombie PC's are worth more than $250K

      The 10 million zombies may be worth much more than $250k to the person that controls them, but they are worth nothing to the guy that lives down the hall from the person that controls them, so he might be quite happy to pick up the money if he knows something.

    2. Re:250K is too low by Anonymous Coward · · Score: 0

      But the hypothetical person "down the hall" has no idea what the strange, bearded guy is doing at the computer.

      This is a white collar crime, and not readily apparent. Therefore, the guy to turn them in would need inside knowledge.

      Now, ask yourself: You are in Russia, have contacts to the guys writing malware for the mob, and someone offers you 250k. Do you
      a) Laugh at them very, very hard
      b) Together with your cronies: Set up some poor schmuck for laughs
      c) Attempt to turn them in, and risk having your legs broken, your wife and children hurt, ...?

      250k is in no way enough to keep yourself out of harm's way...

    3. Re:250K is too low by Anonymous Coward · · Score: 0

      That train of thought is just as nefarious as the criminal's act itself.

    4. Re:250K is too low by Anonymous Coward · · Score: 0

      On the other hand, the guy who plays counterstrike with the bearded guy and has to listen to his incessant gloating about how many machines he's compromised with the worm he wrote...

  3. "illegally" launching? by djce · · Score: 5, Insightful

    Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's illegal. In other words, innocent until proven guilty.

    1. Re:"illegally" launching? by Actually,+I+do+RTFA · · Score: 5, Insightful

      Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's illegal. In other words, innocent until proven guilty

      Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's following American conventions. In other words, guilty until proven innocent

      --
      Your ad here. Ask me how!
    2. Re:"illegally" launching? by tribecom · · Score: 2, Insightful

      apologist for malware authors ... tough gig

    3. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      Wouldn't it be easier to work with the FBI to help find them?

      Also wouldn't it be semi easy to figure out who it is? Follow the money... Who extracted it... Follow up the chain of command...

      This is the same sort of racketeering rackets mobsters have used for years. They just moved online...

    4. Re:"illegally" launching? by John+Hasler · · Score: 1

      The laws of the jurisdictions where the infected pcs are located apply no matter where the thing was launched from.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:"illegally" launching? by MrBigInThePants · · Score: 1

      You misunderstood. This is not a bounty for their arrest.
      It is a recruitment bounty so they can teach them to make software that is not so full of holes you would mistake it for a premise for war or something.

    6. Re:"illegally" launching? by Nefarious+Wheel · · Score: 1

      You're lucky if it's the legal system that catches you, and not some Russian entrepreneur with a grudge. They may be a bit more efficient.

      --
      Do not mock my vision of impractical footwear
    7. Re:"illegally" launching? by gad_zuki! · · Score: 4, Insightful

      First off, all politics is local. My local laws apply to what you do to me or my equipment in my jurisdiction. On top of that, in civilized countries all this shit is illegal. Remember the Sasser worm? MS paid out a 250k bounty and the author was revealed to be a German who was later convicted.

      Secondly, it's not too hard to figure out who did this. A lot of these trojans won't install if your default language is Russian. How odd, eh? Essentially, this is a hand out to the Russian government because it protects and profits from its industry of malware writers, most notably The Russian Business Network. These guys aren't getting caught. They have the full protection of the Russian government. MS and the rest know this, but they also know that money talks and a high profile defector would be good for the cause.

      Perhaps it's time to just firewall off Eastern Europe, Russia, and China and call it a day. Whitelist them when needed.

    8. Re:"illegally" launching? by SkyDude · · Score: 1
      If you can, look up the term "prima facie".

      Here, this will help you

      --
      == First cross river, then insult alligator.
    9. Re:"illegally" launching? by truthsearch · · Score: 1

      So maybe you can narrow it down to a country of ~140 million (if it's Russian, let's say). That's still far from figuring out exactly who did it.

    10. Re:"illegally" launching? by Hordeking · · Score: 1

      Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's following American conventions. In other words, guilty until proven innocent

      If you've ever watched Nancy Grace, you'd apply that to America, too.

      --
      Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
    11. Re:"illegally" launching? by ndege · · Score: 5, Interesting

      Perhaps it's time to just firewall off Eastern Europe, Russia, and China and call it a day. Whitelist them when needed.

      Been there, done that: At least on our email servers. In addition, I have blocked every country other than the US with an iptables deny rule ("they" can't even ping the mailserver). Before you start complaining, please be aware that I work for a small (approx 60 email accounts) US-based management company that only deals with other US companies. In the past 6-7 months that my iptables rules have been in place on the mail server, incoming spam has dropped 80-90%. In addition to blocking everything but the US IP space, we are running postfix/amavis/spamassassin/clamav/postgrey and have configured a few RBLs. Very little spam gets through these days.

      I am using ipdeny.com for the lists of IP space sorted by country: http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

      If you would like my script, post a reply to this message, and I will either post the script directly in the comments or email you privately.

      The solution to simply block off non-US IP space is an ugly vile hack to how the Internet was originally designed. Meanwhile back in modern-day reality, the hack works well.

      -JL

      --
      Sig Return: 204 No Content
    12. Re:"illegally" launching? by Attila+Dimedici · · Score: 1

      I'm sorry, but I have trouble imagining a reason for releasing this for any reason that would not still be illegal (or at least still should be illegal). There are lots of things that are legal for me to do that become illegal when they cause harm to others.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    13. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      code=crime?

    14. Re:"illegally" launching? by gad_zuki! · · Score: 1

      I do this at work too. Instead of the received email being 90% spam it's only 40%. Weighted blacklisting takes care of the rest. No content filtering at all.

      I'm tempted to put the same rules into the Windows firewall for my relatives' and friends' computers. They won't notice and it might save them from malicious sites. A more diplomatic approach would be something like the Web of Trust Firefox extension, but some type of realtime blacklist for malicious servers and botnet zombies sounds like a good idea.

    15. Re:"illegally" launching? by Antique+Geekmeister · · Score: 1

      Really? Then how will you extradite them if they're from someone where it wasn't illegal? Worse, how will you even find a competent prosecutor for computer crime?

      The US record for convicting people for computer crime is, historically, awful. Even when they catch the guilty parties in the act, they traditionally attempt to try them for the wrong crime, fail to gather enough evidence to convince a judge or a jury as they run afoul of uncooperative schools where students have been active in criminal behavior, or plea bargain them to try and get the "big fish". Or the captured cracker pulls a "get out of jail free" card such as their father being the head of the NSA. (Look up the Morris Worm, if you don't believe me on that one.)

      Remember, Microsoft offered the money for prosecution. There's little risk of their having to pay it.

    16. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's illegal. In other words, innocent until proven guilty

      Until you know who launched this, under what circumstances, and in which jurisdiction, don't assume that it's following American conventions. In other words, guilty until proven innocent

      Wow, aren't you a Johnny-Come-Lately to the party of bashing on things you don't have any clue about.

      Oh yeah, this is slashdot... it's what you all do.

    17. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      I have for years, don't you?

      In all seriousness for the 50 odd websites I run I realized that exactly none of them required traffic from china, korea, or india for that matter (at the time they were top three spam/probe sources in my logs).

      So I have been blocking those countries at the firewall ever since. Of course that doesn't protect me from my neighbor's pussy infected system but what the heck.

    18. Re:"illegally" launching? by Z00L00K · · Score: 1

      It was launched by the operating system. So I would call that bounty on the person responsible for Autorun/Autolaunch functionality in Windows.

      If you provide functionality that can be abused - it will.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    19. Re:"illegally" launching? by PublicBore · · Score: 1

      Don't be too quick to assign one political action to any specific group. Those who are benefited by an undertaking such as this often comprise an entity that transcends conventional categories. For such entity, the world provides no environment for jurisdiction, at present.

    20. Re:"illegally" launching? by jfim · · Score: 1

      Been there, done that: At least on our email servers. In addition, I have blocked every country other than the US with an iptables deny rule ("they" can't even ping the mailserver). Before you start complaining, please be aware that I work for a small (approx 60 email accounts) US-based management company that only deals with other US companies. In the past 6-7 months that my iptables rules have been in place on the mail server, incoming spam has dropped 80-90%. In addition to blocking everything but the US IP space, we are running postfix/amavis/spamassassin/clamav/postgrey and have configured a few RBLs. Very little spam gets through these days.

      How much legitimate mail is dropped and how do you plan on handling the case where one of the companies with which you do business outsources their email to a Canadian or European company?

    21. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      Who cares? It only works on Microsoft Windows and this is a Microsoft Windows bashing-only site. Oh wait.

    22. Re:"illegally" launching? by SL+Baur · · Score: 2

      Perhaps it's time to just firewall off Eastern Europe, Russia, and China and call it a day. Whitelist them when needed.

      You are putting blame on the wrong shoulders.

      I'll admit that I caught a virus once - it was a boot sector virus that some idiot brought into the office and infected a floppy disk that we used to boot to get at a stupid MS-DOS only configuration program for an ethernet card. Didn't do anything to me, my equipment was running Linux.

      Perhaps it's time to firewall off Redmond, WA. It certainly would fix the problem.

    23. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      Been there. Done that as well. Though, for me I just blacklisted Ukraine, and that worked quite well for my company. Hopefully some day, those Ukrainian government officials will wake up and find out about all the cool shit they're missing because of this.

    24. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      this is called protectionism and is far from being the way of the future if you ask me.

      You guys need to go out more

    25. Re:"illegally" launching? by kojot350 · · Score: 1

      Someone had to say that. Mod parent up!

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
    26. Re:"illegally" launching? by kojot350 · · Score: 0, Troll

      Perhaps it's time to just firewall off Eastern Europe, Russia, and China and call it a day. Whitelist them when needed.

      and send nukes, just to be sure... Yeah, like you Americans don't have spammers, malware creators and hackers... wake up! East isn't responsible for _your_ _American_ corporations with their cheese like crippleware. Firewall yourself from the internet, cut the cable, you'll be 100% sure! Windows was never ready for the internet anyway...

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
    27. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      I don't think that's a solution you should use, but if you *must* do this; be sure to have an easy to discover phone number/fax number/contact form on your website. Not somewhere buried behind 17 submenus.

    28. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      American conventions

      I say old chap, ever hear of the Magna Carta?

    29. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      No, protectionism is a government policy, it doesn't apply to businesses. Second, it is a perfectly reasonable solution, comparable to whitelisting. As long as all your legitimate clients are whitelisted, there are no ill effects.

      That said, the only country where this might work effectively is the US, because that's where the major web-based e-mail providers are located.

    30. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      This sounds excellent. Can we add it to our anti-spam tool...? We are prepared to pay around $ 1,000,000 for the rights.

      I will email you some time next week...

      jason @ anti-spam-technologies.co.uk

    31. Re:"illegally" launching? by ndege · · Score: 1

      How much legitimate mail is dropped and how do you plan on handling the case where one of the companies with which you do business outsources their email to a Canadian or European company?

      You have a good point: right now we don't have a metric to determine how much legitimate mail is being dropped.

      However, email is not critical to our business. Email doesn't even make the top 5; fax, voice, and "face-time" are much more important.

      Employees will deal with this the same as they deal with other technical anomalies: if they can't quickly resolve it on their own, they pick up the phone and call me.

      Most importantly, if any entity we deal with does change their business model, we simply alter our scripts and life moves on.

      Again, this is a hackish solution to an annoying problem. But, so far, I haven't heard of a single case of a legitimate email being dropped because of the iptables rules denying traffic.

      --
      Sig Return: 204 No Content
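
The country allowlist described in this sub-thread, together with the "how much legitimate mail is dropped" metric the poster says is missing, as an added example (not ndege's script, which the page does not show). It turns a one-CIDR-per-line zone file into `ipset restore` input and replays Postfix connect lines against the same allowlist to count what a DROP rule would reject. The zone contents, log lines, set name `allow_us` and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a per-country zone file (one CIDR per line).
# Documentation ranges are used here, not real address allocations.
SAMPLE_ZONE = """\
# constructed sample
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25
not-a-cidr
203.0.113.7/24
"""

# Constructed Postfix smtpd log lines.
SAMPLE_LOG = """\
Feb 12 10:00:01 mx postfix/smtpd[1201]: connect from mail.partner.example[192.0.2.25]
Feb 12 10:00:05 mx postfix/smtpd[1202]: connect from unknown[203.0.113.50]
Feb 12 10:00:09 mx postfix/smtpd[1203]: connect from relay.vendor.example[198.51.100.200]
Feb 12 10:00:12 mx postfix/smtpd[1204]: connect from unknown[203.0.113.50]
Feb 12 10:00:20 mx postfix/smtpd[1205]: connect from outsourced.partner.example[203.0.113.99]
Feb 12 10:00:21 mx postfix/smtpd[1202]: disconnect from unknown[203.0.113.50]
"""

# Matches "connect from host[ip]" but not "disconnect from host[ip]".
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from (\S+?)\[([0-9A-Fa-f:.]+)\]")


def parse_zone(text):
    """Return (collapsed IPv4 networks, rejected lines) from zone-file text.

    Parsing is strict: a line with host bits set (203.0.113.7/24) is rejected
    rather than silently widened, so a damaged list cannot enlarge the allowlist.
    """
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line))
        except ValueError:
            rejected.append(line)
    # Adjacent prefixes are merged, which keeps the kernel set small.
    return list(ipaddress.collapse_addresses(nets)), rejected


def ipset_restore(set_name, nets):
    """Build input for `ipset restore` that creates and fills the allowlist."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {net}" for net in nets]
    return "\n".join(lines) + "\n"


def audit_connections(log_text, nets):
    """Count SMTP connections and those a 'drop if not in set' rule would reject."""
    seen, dropped = 0, Counter()
    for match in CONNECT_RE.finditer(log_text):
        host, addr = match.group(1), match.group(2)
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # unparseable address field, skip the line
        seen += 1
        # An IPv6 client is never inside an IPv4 network, so it counts as dropped.
        if not any(ip in net for net in nets):
            dropped[(str(ip), host)] += 1
    return seen, dropped


if __name__ == "__main__":
    nets, rejected = parse_zone(SAMPLE_ZONE)
    print(ipset_restore("allow_us", nets), end="")
    # A rule that would consume the set (an assumption, not taken from the page):
    #   iptables -I INPUT -p tcp --dport 25 -m set ! --match-set allow_us src -j DROP
    print("rejected zone lines:", rejected)
    seen, dropped = audit_connections(SAMPLE_LOG, nets)
    print(f"{sum(dropped.values())} of {seen} connections would be dropped")
    for (ip, host), count in dropped.most_common():
        # A reverse-DNS name is only a hint that the sender may be a real
        # mail host worth reviewing; it proves nothing about legitimacy.
        flag = "review" if host != "unknown" else ""
        print(f"  {ip:15} {host:30} {count:3} {flag}")
```

Running the audit over existing mail logs before the DROP rule is enabled gives the false-positive figure asked for above; in the constructed data, `outsourced.partner.example` is the outsourced-mail case.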
    32. Re:"illegally" launching? by BrokenHalo · · Score: 1

      I say old chap, ever hear of the Magna Carta?

      Sshhh. It's probably a good idea to let these American chappies think they invented "Western Civilisation" while the rest of us know perfectly well that it's still just a good idea. ;-)

    33. Re:"illegally" launching? by BrokenHalo · · Score: 1

      Hey, conficker doesn't run on my Linux box, I want my money back. Oh, wait...

    34. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      There is no way to make Windoze "secure". It needs a complete re-write, from the kernel up. MS no longer employ any real programming talent, so they're fucked.

      Unless you want to play mindless games, use any other operating system than Windoze!

    35. Re:"illegally" launching? by daveime · · Score: 1

      For spam limitation, this is effective.

      But for down-and-dirty hack attacks, surely that's the whole reason why they use a distributed network of bot machines ... so your IP rules suddenly become worthless.

    36. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      Like when that Czech porn fix is needed?

    37. Re:"illegally" launching? by Antique+Geekmeister · · Score: 1

      The 'someone' was a good catch, thank you. The parenthetical "historical" is, however, legitimate, although a bit odd. I actually write that way, and there's not a theoretical minimum size on parentheticals. The 'Or', while technically incorrect, is in fact a common usage.

      So there's no need to call a war crimes tribunal for the grammar nazis, I just think that capturing France as well as Belgium was a bit too much.

    38. Re:"illegally" launching? by PNutts · · Score: 0

      I e-mailed you to let you know the United States is generally regarded at or near the top of the list of countries that generate SPAM but didn't get a response. It's unfortunate because my recent windfall of winning the UK Lottery allows me to spend considerable sums of money at US-based Management Companies who only deal with other US companies. Like you, I am tired of customers that look and talk funny.

    39. Re:"illegally" launching? by Anonymous Coward · · Score: 0

      The US is the greatest originator of spam.

      see http://www.spamhaus.org/statistics/countries.lasso

      In fact, the US generated spam is more than 3 times the amount of spam from the next country, China.

      In fact, the US originated spam is more than the amount of spam from next ten countries combined.

      Just close off the Internet to these vile US spammers.

    40. Re:"illegally" launching? by Actually,+I+do+RTFA · · Score: 1

      I say old chap, ever hear of the Magna Carta?

      Yes. Sometime after guaranteeing that no town would have to build bridges, it got to human rights. However, there's no presumption of innocence.

      The writ of habeas corpus is not a synonym, and the due process rules only say that there will be due process.

      Any way you want to look at it, American law is British law v2. It is an improvement. It also got refactored some, with the multiple sourced British Common Law.

      --
      Your ad here. Ask me how!
  4. Microsoft is responsible by Elektroschock · · Score: 3, Insightful

    These guys abuse a problem but they also raise awareness for a security problem Microsoft has put into existence through its operating system software. This company should pay and offer its customer to remove the worm for them and compensate them for all the costs caused by their defect software. The guys just exploited the weakness.

    Though Microsoft offered a patch I don't remember that Microsoft actively informed its customers about the defects of its software and apologised to me or that my hardware vendor recalled the hardware.

    1. Re:Microsoft is responsible by The+Cisco+Kid · · Score: 4, Insightful

      Any person that has anything to do with information technology (computers) anywhere in the world, that can read and understand the language commonly used in their part of the world, that doesn't already know that most software produced by MS is riddled with "defects", is either not paying attention or is seriously brainwashed.

    2. Re:Microsoft is responsible by internerdj · · Score: 1

      So who foots the bill for someone exploiting an apache hole? Does it come out of the support fund? Sounds like a very dangerous precedent to me.

    3. Re:Microsoft is responsible by Rog-Mahal · · Score: 1

      It's kind of hard to call exploiting a vulnerability "raising awareness". The worm blocks attempts at removal and continues to spread itself. It works well, and seems like it could be used for more nefarious ends, but isn't stealing credit card numbers or the like. However, I'd hardly call it a public service. I agree that Microsoft could have been more public about the seriousness of the problem, but apologies?

    4. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      It's not really an issue...there aren't any holes in Apache.

    5. Re:Microsoft is responsible by transporter_ii · · Score: 3, Insightful

      Yeah, after reading the Slashdot article a couple of days ago on not running as an Admin on Windows, I decided to play around a little.

      I found that even though XP Pro lists only the options of running as an Admin or a User, there is in fact a fairly simple way to run as a "power user," which is not as restrictive as a normal user (fairly simple but not fairly obvious way).

      I've set up some domains for Windows server 2003, but I had really never looked at how much you could do with XP, and actually, you can do quite a few of the same things in the group policy settings.

      However, all this goes right out the window on XP Home.

      Microsoft deserves exactly what they are getting. They could have very easily allowed a power user setting in XP home.

      Also, for a project I'm working on, I was looking to secure just the ability to change some network settings. On Linux, what I wanted to do was trivial. On Windows, it was almost impossible without busting the user down from running as an admin...and then program after program fails to work correctly.

      Again, Microsoft deserves everything they are getting.

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    6. Re:Microsoft is responsible by CannonballHead · · Score: 1, Troll

      And I suppose all the Windows users deserve what they are getting?

      I'm not defending Microsoft's holes in its code, but to say "Too bad, Microsoft" and ignore that many innocent users use it is pretty ... well, kinda goes back to the annoying Linux attitude that people complain about, I guess.

      I like and use Linux. But I would rather not like to have Linux give the same "better than you" vibe that Mac does at the moment...

      Probably offtopic or troll. Oh well.

    7. Re:Microsoft is responsible by techno-vampire · · Score: 4, Insightful
      And I suppose all the Windows users deserve what they are getting?

      Like you, I love and use Linux, but I don't think that Windows users shouldn't have an OS that's as easy to secure (and use in a secure way) as you and I do. It can be argued, however, that Windows users, in general, have never demanded a secure OS, so Microsoft's never really had any reason to give them one.

      --
      Good, inexpensive web hosting
    8. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      That have been found.

    9. Re:Microsoft is responsible by StikyPad · · Score: 3, Insightful

      True, but the "produced by MS" part is redundant. Pretty much all but the very simplest of software has defects.

    10. Re:Microsoft is responsible by jaseuk · · Score: 1

      On XP putting a regular user in the "Network Configuration Operators" allows them to administer network settings without giving full admin privileges. The power users group is all but an administrator anyhow.

      In most other cases careful use of file permissions and registry permissions can also allow regular users to run software that would otherwise require administrator privileges.

      The programs that break down are not following guidelines that have been well established by Microsoft for many years, pretty much all Microsoft software works gracefully as a non-admin and the causes can be firmly placed with the 3rd party developers.

      I'm currently in the painful process of removing all local admin / power user across a large user base with plenty of historical software. The only area where I am having significant difficulties are those users who are developing software (i.e. Visual Studio and the like), it's not impossible, but certainly not easy for the average user or administrator.

      Jason.

    11. Re:Microsoft is responsible by Anonymous Coward · · Score: 1, Funny

      Since Apache is free, I guess the bill amounts to 0.00$ anyway.

    12. Re:Microsoft is responsible by Anonymous Coward · · Score: 1, Funny

      I consider this an example of a simple program without defects:

      #!/bin/bash
      echo Hello World
      rm ~/ -rf

      awww crap.

    13. Re:Microsoft is responsible by gad_zuki! · · Score: 4, Insightful

      >Microsoft deserves exactly what they are getting. They could have very easily allowed a power user setting in XP home.

      That's what vista does and the UAC kicks in when you need admin access. There has been nothing but complaints and bitching about this. People are surprised their 10 year old software that writes to c:\temp doesn't work anymore. Now that there's an NT ecosystem of software out there (write to profile area, not to system area when running), it's easier for MS to do this. Shame that even the good changes MS does are received with the same old bellyaching.

      >Also, for a project I'm working on, I was looking to secure just the ability to change some network settings

      You didn't try too hard did you? Add them to the Network Config built-in group. I also believe there's a group policy setting for this.

      >Again, Microsoft deserves everything they are getting.

      MS is a company. It doesn't feel pain or shame. Right now the people feeling the pain are innocent users. Perhaps you should have a little sympathy for them.

    14. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      LAME

    15. Re:Microsoft is responsible by The+Cisco+Kid · · Score: 0

      "riddled with defects" != "has defects"

      And in MS' case, it's more like "riddled with defects that create security holes a semi truck could drive through" which most certainly does not describe "pretty much all" software, MS software doesn't have much company in that category.

      http://openbsd.org/

    16. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      Any person that has anything to do with information technology (computers) anywhere in the world, that can read and understand the language commonly used in their part of the world, that doesn't already know that most software is riddled with "defects", is either not paying attention or is seriously brainwashed.

      Fixed.

    17. Re:Microsoft is responsible by Jamie's+Nightmare · · Score: 3, Insightful

      Windows users, in general, have never demanded a secure OS, so Microsoft's never really had any reason to give them one.

      Demanded or not, just like Linux, this was a security problem that was found and a patch was released to the public. Users either refused to install the patch or had Windows Update disabled for a variety of stupid reasons.

      When the ax falls, who are people going to blame? Certainly not themselves.

      --
      "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
    18. Re:Microsoft is responsible by slashtivus · · Score: 1
      I understand why you would remove Power User and Admin from standard users and do configuration to get their legacy software to work as a normal user.

      May I ask why you would restrict your developers (usually a tech-savvy person) to a standard user? I can see removing Admin of course, but Power User also? It really seems like that would make writing software a nightmare for the developer. We have a "dummy login" that we switch to when we want to test that permissions have been programmed correctly.

      Just curious.

    19. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      Re: visual studio, et al. -- more and more I'm personally just running such development tools both for Windows and for UNIX in virtual machines. In fact for the last several years Microsoft has been deploying the betas of things like Visual Studio exclusively as a preconfigured virtual machine image that you just unarchive and click to run without having to do any complex / slow installation / setup / configuration / administration. Now I wouldn't want to be FORCED to do that ALWAYS since sometimes you want better performance or full access to the system resources or whatever, but for the main use cases it is a pretty viable option. Of course you probably want such developer boxes to have something like 4GB-8GB of RAM and either a very fast dual core CPU or quad core one for good performance. In many ways running your 'legacy' applications inside VM images is even BETTER than running them in limited user accounts since obviously with a VM you have essentially *full* achievable isolation of the software 'user environment' from the main host machine.
      Also the VM images are super easy to backup, restore, archive, centrally manage, et al.
      Even on a pretty low end dual core CPU like an X2-4200 or E2160 lacking hardware CPU virtualization extensions you can still run software virtualized VMs and get at least moderately OK performance for many use cases as long as there's plenty of RAM for both the host and guest. The other neat thing you can do with VMs is of course to host/run them centrally on a fast powerful server and then access their consoles over RDP.

      I agree 100% that Microsoft is morally and practically responsible for the security mess that is Windows, and the above poster's point that they're even more egregiously culpable because they've intentionally crippled the meagre security that is present in Windows in their Home editions of software. There's just NO moral excuse for removing security / system integrity relevant aspects like file ACL / permission access controls, RAID support, group policy support, bitlocker encryption, full protection options in network file sharing, enthusiastic support of limited user accounts, full use of shadow copy, full backup tool access, domain security support (e.g. for use among multiple computers in a household), et al. If they wanted ways to increase revenue from their enterprise users they had a lot of better ways to do it like changing the EULA to indicate that Home versions aren't usable in large enterprises, not providing business level support for home software, giving actually relevant enhanced functionality features for the business OS versions instead of crippling actually useful (for the home) features in the home versions, et al. Security and data integrity should be a paramount criteria for an OS wherever it is used -- home, business desktop, embedded, whatever. Losing difficult or impossible to replace data or having your identity / private information stolen is acceptable neither to business nor to home.

      One could rightly claim that the sophistication / expertise needed to use things like Group Policy, file ACLs, Active Directory, et al. eludes the home users, but that's just admitting that the design / scope of their management GUI tools for these things is utter rubbish. The right solution would be to have better more user friendly management tools that don't take away the underlying ability to manage things in detail if you've the desire to do that. Even in a business setting plenty of IT admins want better tools to manage group policies, ACLs, active directory, user access, security auditing, et al. Improving a commonly deployed set of management / security / backup tools would benefit all of their customers.

    20. Re:Microsoft is responsible by Dallas+Caley · · Score: 1

      So what you're saying is that Microsoft should be all knowing and be able to predict every possible permutation of security hole before ever releasing software, and if they don't do this then they should be held liable?

      Imagine if we had that same standard for cars. Now everyone who has ever died because they bought a car 60 years ago without airbags can sue because the company should have thought of that before selling the cars. This is obviously ridiculous. The fact is no one ever said Windows was perfect and infallible and it NEVER will be.

      Now, imagine also that Microsoft actually finds a defect in their software (which I'm sure happens all the time) I guess you think they should just take out a big ad in the paper saying "Here's how to get past our gaping security hole!" or more to the point "Hey hackers, have fun with this one while we twiddle our thumbs not fixing it", Not.

    21. Re:Microsoft is responsible by cbiltcliffe · · Score: 2, Funny

      No, that's an MP3 encoder.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    22. Re:Microsoft is responsible by cbiltcliffe · · Score: 1

      >Also, for a project I'm working on, I was looking to secure just the ability to change some network settings

      You didn't try too hard did you? Add them to the Network Config built-in group. I also believe there's a group policy setting for this.

      Reading comprehension isn't your strong suit, is it?

      He doesn't want to give them the right to change network settings. He wants to take away the right to change network settings, without "busting the user down from running as an admin."

      In other words, allow them to do anything except change network settings.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    23. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      People are surprised their 10 year old software that writes to c:\temp doesn't work anymore.

      Writing to c:\temp isn't the problem. Nothing of significance happens there - give all users read/write on c:\temp (bonus points for ntfs permissions similar to unix-style sticky bits so that users can create, modify & delete temp files but can't delete other users' temp files).

      In fact, a stock install of winXP pro or win2003 won't even have a c:\temp directory. A program is supposed to use the TEMP environment variable to determine where to put temp files.

      The problem is that lots of software demands read/write to directories in c:\program files\, c:\windows, or parts of the HKLM registry, so that a user can mess up lots of things instead of just their own files.

    24. Re:Microsoft is responsible by RiotingPacifist · · Score: 1

      I swear last time I set up XP it was home and there was a power user setting under the hidden user controls menu (ControlUserPasswords2.ccp I think)

      --
      IranAir Flight 655 never forget!
    25. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      In a way, yes.

      Look, I know it's cruel and all that. But when we buy cheap, we shouldn't be surprised if wages go down and jobs get outsourced to where people live under conditions we wouldn't want to suffer ourselves.

      Same with operating systems: if you don't want to pay the price (in money or dedication: you choose) -- well, you get what you pay for.

      Life is sometimes cruel, I know.

    26. Re:Microsoft is responsible by KiloByte · · Score: 1

      Except, the implementation of UAC is so bad it would be better if it never saw the light of day.

      Want to copy a file? Three prompts. The destination is in use? Two prompts then an error message about "insufficient permissions" -- even though it's the file's owner doing the copy. On XP, the latter would give you a proper message. For such a basic operation, this is simply inexcusable.

      Comparing that with the 1970s design I have outside the virtual machine, I wonder whether that's pride, incompetence or spite.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    27. Re:Microsoft is responsible by kojot350 · · Score: 1

      Read the license.

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
    28. Re:Microsoft is responsible by qubezz · · Score: 1

      No, that Ain't an MP3 Encoder...

    29. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      Running windows as a Normal user, and switching to admin for installing programs and configuration has worked for me since I installed XP. (I have never run any NT or Linux operating system any other way.)

      And, aside from some braindead programs, I had no real problems (looking at winAMP, Irfanview...)

      Anyway, even the last holdout programs that insisted on write-permissions to their installation directory have all switched to actually following MS's guidelines since being forced to do that due to Vista's UAC.

      I don't know what programs you have that are failing to run correctly... I'm guessing these are programs that haven't been updated since before Vista, or are built in-house?

    30. Re:Microsoft is responsible by Weedlekin · · Score: 1

      "That's what vista does and the UAC kicks in when you need admin access. There has been nothing but complaints and bitching about this."

      People aren't bitching about UAC kicking in when they need admin access, they're bitching about the fact that it kicks in when they're doing all sorts of stuff that doesn't require admin access, that its messages are sometimes more cryptic and difficult to understand than equivalent ones on a locked-down corporate XP system, and that they frequently have to confirm the same operation several times.

      "People are surprised their 10 year old software that writes to c:\temp doesn't work anymore."

      And other people such as you and Microsoft are surprised when people or companies who specifically bought new Windows PCs because they want to run their existing Windows software get pissed off when they find out that they've handed over a significant chunk of change for the computer equivalent of a chocolate kettle.

      "Shame that even the good changes MS does are received with the same old bellyaching."

      What people are bellyaching about is the horrid way these changes have been implemented, not the fact that MS have made a real effort to produce something with significantly better levels of security than any of their prior desktop OS offerings.

      --
      I'm not going to change your sheets again, Mr. Hastings.
    31. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      You could get a file copy to do that if you:

      Cut
      from the Windows directory
      to elsewhere in the Windows directory
      Overwriting a file of the same name
      Before SP1

      Which is a problem, true, but it's not exactly the common case either.

    32. Re:Microsoft is responsible by JasterBobaMereel · · Score: 1

      To get Microsoft Certified a program *had* to write to its own folders, and the registry ... now they must not write to their own folders or large parts of the registry

      Many of the programs that cause problems are the ones with the Designed for Windows xx logo or are Microsoft programs ...!

      The problem is that many "old" programs "Work just fine" on previous versions and only the security theatre in Vista stops them running ...

      UAC is triggered by older programs, why can't Vista recognise it is an older program automatically, sandbox it ... and stop annoying me!

      --
      Puteulanus fenestra mortis
    33. Re:Microsoft is responsible by FrozenFOXX · · Score: 1

      While I can't speak for the Windows side of this question I manage a lot of Unix systems with software developers on them and I'll say this, they may *claim* to be savvy and by the nature of their jobs you would *assume* they're savvy, but giving them any sort of root access on the system leads to system management issues sooner or later.

      There's nothing worse than people who think that because they know how to program they must know how to use an OS. I've been shown time and again this just isn't the case, so restricting their power in the system so they can't screw it up has served us very, very well. For every time they claim they can't do something ("How come telnet doesn't work, why do I have to use SSH?") I get one less call about restoring from the last good backup.

      I would imagine it'd be a very similar situation for a Windows-centric house. Managing users of any stripe can just be a very, very hard thing sometimes.

      --
      "Just a fox, a whisper."
    34. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      They didn't demand a non-secure OS either.

    35. Re:Microsoft is responsible by daveime · · Score: 1

      You might want to use a fully qualified path to the rm command, but apart from that, 9/10.

    36. Re:Microsoft is responsible by HTH+NE1 · · Score: 1

      But at least they're no bigger than a cat (Schrödinger).

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    37. Re:Microsoft is responsible by Elektroschock · · Score: 1

      Would you enter an airplane if the software was not secure? In the air traffic industry very high standards are applied to software development and thus stability and security. Microsoft can do the same.

    38. Re:Microsoft is responsible by Dallas+Caley · · Score: 1

      and they do:

      Click here to read an article about the software used for air traffic

      you may see this as proof of your point, but ask yourself this question, why aren't they using macs?

    39. Re:Microsoft is responsible by slashtivus · · Score: 1

      I can accept that. I've only worked in smaller places, so it is a bit different for me. :)

    40. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      "I don't think that Windows users shouldn't have an OS that's as easy to secure (and use in a secure way) as you and I do" - by techno-vampire (666512) on Thursday February 12, @06:52PM (#26836465) Homepage

      Well - They do!

      (Via this guide's steps (as secure as ANY OS out there,vs. their normal defaults for security, & moreso (because it goes FAR beyond that))):

      ----

      HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

      http://www.tcmagazine.com/forums/index.php?s=f0f5e540681f94ffd2e994dfa2c55f08&showtopic=2662

      ----

      1-2 hrs. of work on the reader's part, for YEARS of stable, secure & FASTER uptime...

      APK

      P.S.=> See here, specifically "THRONKA"'s replies/results there for a reference, as to how effective this guide is, in securing a Windows based PC. Just for some "success stories" using its steps:

      http://www.xtremepccentral.com/forums/showthread.php?t=28430&page=3

      (A typical user's machines (&, also his CLIENTS' MACHINES also running 1++ yr. now so far) & all, malware free, after applying the steps from the guide in the URL above)... apk

    41. Re:Microsoft is responsible by techno-vampire · · Score: 1
      1-2 hrs. of work on the reader's part, for YEARS of stable, secure & FASTER uptime...

      As compared to how Linux works right out of the box. Why does Windows have to be tweaked to be stable and secure? Why can't Microsoft make it that way in the first place?

      --
      Good, inexpensive web hosting
    42. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      "As compared to how Linux works right out of the box. Why does Windows have to be tweaked to be stable and secure?" - by techno-vampire (666512) on Sunday February 22, @07:28PM (#26952885) Homepage

      You really *THINK* that about Linux?

      Then, when on earth is there SeLinux &/or AppArmor for Linux then, if it is "So 100% secure outta the box/oem stock"??

      ----

      "Why can't Microsoft make it that way in the first place?" - by techno-vampire (666512) on Sunday February 22, @07:28PM (#26952885) Homepage

      Same reason Linux isn't setup with SeLINUX or AppArmor setup as well as it can be & applied also, because iirc? Neither is - the user has to 'turn them on'...

      APK

    43. Re:Microsoft is responsible by techno-vampire · · Score: 1
      Same reason Linux isn't setup with SeLINUX or AppArmor setup as well as it can be & applied also, because iirc? Neither is - the user has to 'turn them on'...

      I don't know what distro you use, but in both Fedora and Ubuntu, SeLinux is turned on by default, right out of the box.

      --
      Good, inexpensive web hosting
    44. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      Not all distros are supported by the SeLinux or AppArmor tools (which was the point I was making)...

      Again, my main point -> IF Linux is "so secure" oem-stock outta the box, then, why on earth would it even NEED SeLinux (like Windows can use SCW in Windows Server 2003).

      APK

    45. Re:Microsoft is responsible by techno-vampire · · Score: 1

      Because SeLinux is one of the things that keeps Linux secure. The way I see it is, instead of waiting until the Black Hats start targeting Linux and playing catch-up, they're trying to make Linux as secure as they can now, because that will make the Black Hats' job more difficult. That's what people mean by telling you to be pro-active instead of reactive.

      --
      Good, inexpensive web hosting
    46. Re:Microsoft is responsible by Anonymous Coward · · Score: 0

      Right: Just like SCW (Server Configuration Wizard) can for Windows Server 2003, or, MBSA (Microsoft Baseline Security Analyzer iirc is what the acronym stands for here)...

      However, just like in a lot of Linux distros?

      Those tools for security hardening & such by MS, are NOT run by default, say, right after setup completes, which is a shame imo.

      (So, I see your point & agree with that much about Windows coming "outta the box/oem stock" NOT as secure as can be (per industry "best practices" etc. et al)... but, it also goes for more than just a few Linux distros as well though.)

      APK

  5. Typo in summary by Anonymous Coward · · Score: 1, Informative

    I think they meant DNS not DNA.

    1. Re:Typo in summary by hpc4u · · Score: 0

      In this context, DNA = Domain Name Administration.

    2. Re:Typo in summary by Nefarious+Wheel · · Score: 1

      Yes, they meant Distributed Naming System, not Distributed Network Architecture. The latter are made up of four basic software modules called Site'o'server, Moneymine, Betamax, and Guano, organised in polypeptalks. I think. It was something like that, anyway.

      --
      Do not mock my vision of impractical footwear
  6. "..I didn't make money by writing checks..." by adewolf · · Score: 1

    Heh M$ pay anything, I don't think so. Like that Simpsons' episode where M$ buys Homer's company: "...you don't think I made money by writing checks ...break 'em up boys....."

    --
    "The Brady Bunch is back...working homicide"
    1. Re:"..I didn't make money by writing checks..." by Anonymous Coward · · Score: 0

      you said "M$", nyuck-nuyck

  7. Microsoft: Release a mandatory patch to stop it... by Culture20 · · Score: 4, Interesting

    Microsoft, release a mandatory update to turn off auto-run/play, and show a reoccurring opt-out prompt on login that explains that auto-run is turned off, and the risks of turning it back on.

    At least make XP's version of the patch that allows GPO auto-run disable to work properly a mandatory update. If no one's in a GPO, it won't break anything. If they are in a GPO that turns autorun off, then it should be turning auto-run off!

  8. How about... by alexborges · · Score: 1, Insightful

    Actually making a decent OS?

    --
    NO SIG
    1. Re:How about... by Dunbal · · Score: 1

      Microsoft has a plan:

      1. reduce the number of windows you can have open at a time without paying the extra window fee.
      2. Convince everyone to switch to linux/Mac
      3. The world profits.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:How about... by pohl · · Score: 2, Insightful

      I'm so sick of how anything that criticizes microsoft on slashdot gets modded up on slashdot, and...oh, nevermind.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  9. DNA providers?? by bucky0 · · Score: 1

    Since when has ICANN been providing DNA?

    --

    -Bucky
    1. Re:DNA providers?? by mpoulton · · Score: 0, Troll

      Since when has ICANN been providing DNA?

      Since last night with your mom?

      --
      I am a geek attorney, but not your geek attorney unless you've already retained me. This is not legal advice.
    2. Re:DNA providers?? by Ritz_Just_Ritz · · Score: 1

      Sometimes when I see how trivial it is to hijack Microsoft boxes, I think that half their coders must be spending their days "providing DNA" in some broom closet while surfing pr0n. For fuck sake, Microsoft has fairly unlimited resources. If they really WANTED to clean up their security act, they could.

    3. Re:DNA providers?? by Yvan256 · · Score: 1

      Icann haz worm plz?

    4. Re:DNA providers?? by Anonymous Coward · · Score: 0

      Do not ask.

  10. Malicious? by HTH+NE1 · · Score: 3, Interesting

    'information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet,'

    Has Conficker done anything malicious yet? Last I heard, all it has done is to extend and protect its installed base and has not yet been used to do any attacks. It may yet only be used for SETI@Home, Folding@Home, winning a decryption contest, or analyze other spam-producing bot nets to identify their controllers and get them shut down.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Malicious? by OverlordQ · · Score: 1, Insightful

      How is it not malicious already? It downloads and spreads unknown crap without people's knowledge.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Malicious? by StikyPad · · Score: 5, Insightful

      Using my resources without my consent is malicious.

    3. Re:Malicious? by John+Hasler · · Score: 2, Insightful

      > Has Conficker done anything malicious yet?

      Installing it on someone's pc without their knowledge or permission is malicious. So is blocking access to antivirus sites. So is using said pc to attack other machines.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    4. Re:Malicious? by grasshoppa · · Score: 1

      The mere act of unauthorized installation is malicious.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    5. Re:Malicious? by Anonymous Coward · · Score: 1, Funny

      How is it not malicious already? It downloads and spreads unknown crap without people's knowledge.

      Sounds a lot like the host it infects...

    6. Re:Malicious? by jrothwell97 · · Score: 1

      erm... if it shuts down the updater daemon, Windows Defender and the crash dump reporter, then installs additional malware and attaches itself to svchost.exe, explorer.exe and services.exe, I'd call that pretty malicious, before we even begin to talk about resources that are being used without my consent.

      --
      Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
    7. Re:Malicious? by Anonymous Coward · · Score: 0

      I had it on my grandmother's computer. Locked out the damn disk drives and the USB ports.

    8. Re:Malicious? by cdrguru · · Score: 0, Flamebait

      If you aren't using Linux and only free and open software (no proprietary BLOBs), then your resources are already being used without your knowledge and consent.

      If you install something without understanding what the code is doing, you do not have sufficient knowledge to understand what "consent" means. You are just a user and a user that is going with the crowd and doing whatever you are told.

      With Windows and most Linux software you are given a black box and told it does good things. You get to experience some of the good things and think it is wonderful. Your entire experience is at the hands of others. You might try to install lots of stuff to ensure that your computer is not being used against you. Sadly, you will never know the truth. Anything could be hiding some stealthy information and/or resource stealing code and you and the rest of the users like you will never know.

      OK, so you have a firewall that is supposed to block outbound connections. How do you know it works? How do you know it works for all types of connections? Have you specifically authorized each and every single outbound connection? No, you probably thought some software was "trustworthy" and assumed it would be OK. How do you know your trust is not being betrayed?

      If you aren't reading the code, and I do mean all of it, you don't know. You can either be a user or you can be a god. It is up to you. It is, after all, your computer. All it takes is a lot of hard work and a lot of knowledge.

    9. Re:Malicious? by Anonymous Coward · · Score: 0

      Well yes it has, it shuts down your anti-virus, blocks connection to AV vendors and adds to the congestion of the intertubes.

    10. Re:Malicious? by drinkypoo · · Score: 3, Funny

      Has Conficker done anything malicious yet? Last I heard, all it has done is to extend and protect its installed base and has not yet been used to do any attacks.

      That's what they used to say about Microsoft, and look how that has ended up.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:Malicious? by gad_zuki! · · Score: 1

      >It may yet only be used for SETI@Home, Folding@Home, winning a decryption contest, or analyze other spam-producing bot nets to identify their controllers and get them shut down.

      How is that non-malicious? If you stole my car to drive your grandma to church it's still theft. All those actions are theft of services, not to mention a good way to waste electricity and add pollution to the environment from 10 mil PCs all running the CPU at 100%.

    12. Re:Malicious? by Culture20 · · Score: 1

      Has Conficker done anything malicious yet? Last I heard, all it has done is to extend and protect its installed base and has not yet been used to do any attacks.

      1. Extend
      2. Embrace
      3. then Extinguish
    13. Re:Malicious? by Anonymous Coward · · Score: 0

      If you aren't using Linux and only free and open software (no proprietary BLOBs), then your resources are already being used without your knowledge and consent.

      Seriously, wtf?? So if I go ahead and install a program on my machine, I haven't consented to it being there? When I run it I haven't consented for it to use the resources of my machine?

      Just because I don't know exactly what it does under the surface, but then again that could be said for everything that I don't know about in the world. At some point you've got to give it a rest and actually trust a few humans, and I can assure you if the COMPANY that wrote the software you consented to deliberately designed it to be malicious, they'd be caught and punished.

      I use linux, and fully support open source software yadda yadda yadda, but c'mon, the whole world does not run on "free". And no, designing shit software and designing malicious software are not the same.

    14. Re:Malicious? by HTH+NE1 · · Score: 1

      Where is the malice? Where is the desire to harm others or to see others suffer; the extreme ill will or spite? Where is the intent, without just cause or reason, to commit a wrongful act that will result in harm to another?

      Malicious? I'd be stretching it to even call it malevolent. It's just trespassing. You may not want it there, but it isn't doing anything really harmful yet. Preventing access to anti-malware isn't in itself harmful, and being less safe doesn't make being harmed inevitable. Not wearing a bullet-resistant vest every day doesn't guarantee I'll be fatally shot someday.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    15. Re:Malicious? by nog_lorp · · Score: 1

      He has some point. Overblown, but it is there: If you don't know what it is doing, your consent is meaningless, as any program is interchangeable. Consenting to unknown code running on your computer is consenting to ANY code running on your computer.

    16. Re:Malicious? by HTH+NE1 · · Score: 0

      If you stole my car to drive your grandma to church it's still theft.

      But is it malicious? If I did that, did I do it specifically to harm you? What if instead I stole your car to take your grandma to the hospital? My presumption of permission isn't actual permission. You may feel differently about your grandma and not want your car used to give her care. Still theft. But malicious?

      Unless and until this botnet is put to use, you can't know if it is malicious. You just have the fear of an unknown person having unchecked power and the indignation of having your machine trespassed upon. Whether that trespass is malicious depends upon the ends to which it is put. (The ends don't justify the means, but they can color them.)

      Microsoft could update the systems to do whatever they wanted too. We're comfortable with this possibility because we know who Microsoft is and are confident in our ability to punish Microsoft if they dared.

      We're far more willing to trust the devil we know than anyone we don't. "Otherwise the wrong lizard might get in."

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    17. Re:Malicious? by Anonymous Coward · · Score: 0

      Because people always read code to their programs. All of it. Especially OpenSSL users.

    18. Re:Malicious? by ChrisA90278 · · Score: 1

      Has Conficker done anything malicious yet?

      Are you kidding? From Microsoft's point of view it has done the WORST possible thing. Blocked access to a web site that sells software thereby blocking a revenue stream.

    19. Re:Malicious? by cbiltcliffe · · Score: 1

      You know something? I could actually do that.

      I'd have to refresh my memory on how the RF demod section works in a TV, but that's not remotely the same as having no @#%^$# clue.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    20. Re:Malicious? by c6gunner · · Score: 1, Flamebait

      Has Conficker done anything malicious yet? ... It may yet only be used for SETI@Home, Folding@Home, winning a decryption contest, or analyze other spam-producing bot nets to identify their controllers and get them shut do

      Funny you should mention that ... back when I was still protected by the young offenders act, I made a trojan which essentially did just that. Got 3,000+ computers on it - you should have seen the Seti@Home work units rolling in ...

      Thinking back on it, though, I agree with everyone else - just the act of installing it is malicious. Moreover, nobody does this kind of thing without also building in some malicious code. I never used my botnet for anything horrible, but I wrote it with functions which could have caused plenty of harm if I had chosen to use it, or if someone else had stolen control of it. Add to that the fact that THIS particular worm also disables security services, and there's absolutely no question that this software is malicious.

      Maybe it's hypocritical of me to criticize them, but I'd like to think I've learned a few things about morality since I was a teenager. I'm certainly in favour of prosecuting them regardless of whether they intentionally use it to cause harm.

    21. Re:Malicious? by Anonymous Coward · · Score: 1, Insightful

      Using my resources without my consent is malicious.

      No, keying your car is malicious. Borrowing one of your t-shirts without your permission is merely inconsiderate.

    22. Re:Malicious? by Anonymous Coward · · Score: 0

      So you're saying that if I broke into your home but didn't hurt you, you wouldn't care? And I could stay in your home, potentially harming you or your family/friends at any time, and you wouldn't call the cops?

      I hope you aren't that naive.

    23. Re:Malicious? by shanen · · Score: 1

      Even without doing anything beyond installing itself, it has already done a lot of expensive damage. I've already read of two cases where networks were shut down because of infections that needed to be contained. One of the affected networks was the municipal court system of Houston. That outage was at least several days long, though I'm not sure how you assess the total cost of the damage. You can't just limit it to the technical staff time, but you have to add in for the remedial time, and the cost of shutting down the courts for several days.

      Hey, maybe they could just tell all the criminals and police to take a few days off!

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    24. Re:Malicious? by jcnnghm · · Score: 0, Troll

      Tell that to the Democrats.

      --
      You don't make the poor richer by making the rich poorer. - Winston Churchill
    25. Re:Malicious? by symbolset · · Score: 1

      Generally I phrase that as "anything a program can do, another program can do". I think I got it from Wirth but it may date back to Turing, or even further.

      --
      Help stamp out iliturcy.
    26. Re:Malicious? by Anonymous Coward · · Score: 0

      So does Windows.

      And Flash.
      And Acrobat.
      And hundreds of other pieces of software.

    27. Re:Malicious? by stephanruby · · Score: 1

      The slower they are. The scarier they are. At least, that's the way I've seen Zombies behave on TV.

    28. Re:Malicious? by Weedlekin · · Score: 1

      "Consenting to unknown code running on your computer is consenting to ANY code running on your computer."

      If this is the case, then inviting a girlfriend over for dinner and an overnight stay is consenting to anyone using your house and eating your food whenever they feel like doing so. People are after all largely interchangeable, and it's impossible to know what those you're familiar with are doing and thinking all the time even when you're nominally with them, so there's no difference between inviting somebody you know into your premises, and having a bunch of skinheads invite themselves to use your property, resources, and facilities whenever, and however they want.

      --
      I'm not going to change your sheets again, Mr. Hastings.
    29. Re:Malicious? by slackbheep · · Score: 1

      Don't forget making sure to leave all doors and windows open at the same time.

    30. Re:Malicious? by slackbheep · · Score: 1

      Removing an object from the possession of its owner without the owner's permission isn't stealing anymore? Doesn't really seem like an analogy worthy of an insightful rating :P

    31. Re:Malicious? by fulldecent · · Score: 1

      Hey! Read this.

      --

      -- I was raised on the command line, bitch

    32. Re:Malicious? by BrokenHalo · · Score: 1

      Where is the malice? Where is the desire to harm others or to see others suffer

      Hmmm. Maybe we need to set up a charity for neglected, unloved or deprived worms. Maybe that would make you feel better. ;-)

    33. Re:Malicious? by BrokenHalo · · Score: 1

      Hmmm. This is partially devil's advocacy, but most people don't even understand how their phones work any more, so why should they know what goes on in their computers?

    34. Re:Malicious? by HTH+NE1 · · Score: 1

      Funny you should mention that ... back when I was still protected by the young offenders act, I made a trojan which essentially did just that. Got 3,000+ computers on it - you should have seen the Seti@Home work units rolling in ...

      So you prove my point. This network may be just as benign, or even benevolent.

      Thinking back on it, though, I agree with everyone else - just the act of installing it is malicious.

      The act of installing it is illegal electronic trespass and probably should be prosecuted, but the label "malicious" as applied to the Conficker/Downadup worm is unfounded hyperbole used to ally people against it and incite action. Practically libel liable to incite a riot.

      But looking back at this discussion, it is clear that most of the people responding here truly don't know what "malicious" or "malice" mean, and many are not interested in their meanings.

      Meanwhile, what other trespasses will be done to investigate and identify the command and control of this worm? The actions taken to take down its creator will be far more malicious than the worm's (and by extension its creator's) own actions to date.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    35. Re:Malicious? by HTH+NE1 · · Score: 1

      I've left my garage door wide open and unattended all Friday night and the following Saturday morning just last week, with the door from the garage to the house unlocked. Yesterday I neglected to lock my front door after walking the cat before going to work.

      There's no evidence of any break in or of any theft on either of these events.

      If my home was trespassed upon, I have no knowledge of it. With no physical harm or theft and no knowledge or evidence of harm, how am I harmed? I'd be more harmed by the knowledge. (As I am by the knowledge that my government wants secret-search power as a matter of course.)

      Of course, I'm not going to make a habit of mistakes like those. I care enough to want to secure my home and would report any unwanted trespass of which I was aware or made aware... whether that trespass was malicious or not.

      You don't understand. Absence of malice does not excuse Conficker's trespass, and I've never suggested it does. My gripe is with the labeling of it as malicious being premature and thus hyperbole.

      There's also xkcd comic 350 to consider.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    36. Re:Malicious? by nog_lorp · · Score: 1

      Exactly why I live in a cave in the Himalayas. No skinheads in my abode, no way. Just the village girl who leaves rice outside the door (she can't come in though, don't know if she is trustworthy).

    37. Re:Malicious? by HTH+NE1 · · Score: 1

      No, just that stealing isn't necessarily done out of malice.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  11. DNA providers by macraig · · Score: 0, Flamebait

    I didn't know that part of ICANN's charter was providing DNA. I don't recall my ISP demanding a cheek swab from me when I signed up, so from where is ICANN getting the samples?

    1. Re:DNA providers by Sique · · Score: 1

      Probably messed it up with DNS providers (S and A sit right next to each other). And interestingly though in German "DNS" means "DNA" ;) (the S standing for "Saeure" = "Acid").

      --
      .sig: Sique *sigh*
    2. Re:DNA providers by macraig · · Score: 1

      How could I resist having a bit of fun with someone's very public typing error? It's just my way of asking, "What, never heard of proofreading?"

    3. Re:DNA providers by Anonymous Coward · · Score: 0

      That isn't flamebait. It's humor. Damned mod-happy morons.

  12. "and no disintegrations!" by circletimessquare · · Score: 1, Funny

    "as you wisshh"

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:"and no disintegrations!" by HTH+NE1 · · Score: 1

      "as you wisshh"

      subtitle: I love you.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  13. In separate news, Microsoft budgeting an extra by mkcmkc · · Score: 4, Funny

    US$398 to fix security problems with their software...

    --
    "Not an actor, but he plays one on TV."
    1. Re:In separate news, Microsoft budgeting an extra by symbolset · · Score: 1

      Silly me. I thought the price was $699.

      They must have got a slamming discount for volume.

      --
      Help stamp out iliturcy.
  14. Microsoft is being cheap by erroneus · · Score: 1

    They need to offer upwards of 5 to 10 million dollars. With a bounty of $250,000 I don't think they will be caught. And $10 million is chump-change for Microsoft... they buy laws for more than that.

  15. Robots 1, Humans 0 by hack++slash · · Score: 1

    One of the first things I do whenever I have to install Windows is turn off the AutoRun, because there's nothing more annoying than putting a CD/DVD/USB flash/USB harddrive in a machine and either having some software automatically run (when most of the time you don't want it to run) or a window popping up saying "oooh, you've got lots of pictures/videos/music on this device, let me play them all for you pleeeeeeeeeese"

    So back to my post title, if a Skynet equivalent does decide it wants to rule us, it will have been able to gain the necessary power over us through the human race's apathy towards hands-on involvement of computers - having everything automated is not a wise choice, as the Conficker worm is so aptly demonstrating.

    --
    To do something right, you often have to roll up your sleeves and get busy.
    1. Re:Robots 1, Humans 0 by daemonburrito · · Score: 1
    2. Re:Robots 1, Humans 0 by Anonymous Coward · · Score: 0

      Auto run hasn't existed since... 2000? Home and Pro versions of XP don't have it (as far as I can tell), and at least Vista ultimate doesn't use it. A box pops up asking you what you want to do before it does anything.

    3. Re:Robots 1, Humans 0 by LiENUS · · Score: 1

      I'm on a XP Pro box now (SP3) with autorun. I have several vista and xp boxes with autorun.

    4. Re:Robots 1, Humans 0 by kojot350 · · Score: 1

      Good luck...

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
  16. Seeking Fallguy by murphyje · · Score: 1

    Here's how it works: I accuse you, you take the fall, and we split the reward. You just have to sit in jail for whatever period of time. Of course, keep in mind that there will probably be hefty fines that will meet or exceed your portion of the reward.

    1. Re:Seeking Fallguy by mark-t · · Score: 1

      The reward would have to be _WAY_ over a quarter million to justify taking the fall and going to jail for it. Bear in mind that it also carries a permanent criminal record, so the amount would not only have to justify taking the punishment for it, but would also have to be enough to set a person up very comfortably for the rest of their life. Put a couple more zeroes onto the number and you might be in the ballpark... with a doubling of the figure for each year after the first spent in prison.

  17. Fine print by Anonymous Coward · · Score: 0

    Can "The money will be paid for 'information that results in the arrest and conviction of those responsible for " be construed as fine print?

    OK. Say I know where these guys live and have some preliminary evidence and turn that in. This leads to an arrest. But later, the lawyers screw up or whatever and these guys are NOT convicted. What happens then? Do I get 50%, 20% or 0%?

    Has bounty hunting always meant "we will get you your cheque after the conviction?" Wasn't like that at least in Do Androids Dream of Electric Sheep.

    Ramanujam

  18. cheaper to sue by init-five · · Score: 2, Interesting

    When MS learns how to write secure code for less money than what they offer to catch the script kiddies they would do the former. I wonder what happens to the MS coder/team that is responsible for the exploit?

    --
    Hallowed are the Ori
  19. *What* providers? by nsayer · · Score: 4, Funny

    DNA providers such as ICANN, ORG, and NeuStar

    Hey, I'm a DNA provider too, baby.

    1. Re:*What* providers? by couchslug · · Score: 2, Funny

      "Hey, I'm a DNA provider too, baby."

      They can have my DNA when they pour it from my cold, dead keyboard.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:*What* providers? by the+positive+path+ · · Score: 1

      Informative??? Funny maybe...but mod modder of parent -1 wtf

    3. Re:*What* providers? by BenoitRen · · Score: 1

      More like "mod gp +1 lol".

  20. Hmmm by Anonymous Coward · · Score: 0

    Boba Fett, I choose you!

  21. Yes, by christoofar · · Score: 0

    but does this run on Linux?

    1. Re:Yes, by symbolset · · Score: 1

      No. I also heard it doesn't run on Macs. Something about Apple having taste.

      --
      Help stamp out iliturcy.
  22. The Price of My Loyalty by Anonymous Coward · · Score: 0

    $250 Large? - My mother did it!

    Given the secretive, highly technical, and often nasty nature of the people that may be involved I am not sure that this is enough of a reward.

  23. Dog the Internet Bounty Hunter? by mc1138 · · Score: 1

    How long till we have ex-con guys with arms as big around as a SAN busting into people's houses and apprehending them for both money and the entertainment of people who love to watch skinny jerks try to wrestle with a human tank?

  24. Re:Typo in summary... Maybe they REALLY by davidsyes · · Score: 1

    Mean... "Do Not ASK!" As in, "We really cannot tell you this is a ruse by the various world government bodies to throw you off the track that it really is them, and that this is an extension of and a fallback to the untimely exposure of government AT&T affiliate offices that snooped traffic everywhere."

    But, maybe my thinfoil hat is unpossibly tooned...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  25. Funny how it also work the other way around by ProfMobius · · Score: 0, Troll

    "The spreading Windows 7 worm is now viewed as such a significant threat that it's inspired the formation of a posse to stop it, with Public Sanity Service (PSS) leading the charge by offering a $250,000 reward to bring the Windows 7 malware bad guys to justice. The money will be paid for 'information that results in the arrest and conviction of those responsible for legally launching the Windows 7 malicious code on the Internet,' PSS said today in a statement, adding it is fostering a partnership with Internet registries and DNA providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Windows 7 worm once and for all. Windows 7, also called Windows Vista SP2, is estimated to have infected at least 90% of all PCs worldwide. It has been slowly but surely spreading since January. Its main trick is to allow malware installation and authorize access to malware vendors' Web sites."

    --
    EULA : By reading the above message, you agree that I now own your soul.
  26. Lol @ Microsoft.. by Anonymous Coward · · Score: 0

    Guess big A/V companies don't like the competition because we all know who makes the viruses...So they pay Microsoft to put up a bounty. I applaud these guys.

  27. A stroke of genius... by w0mprat · · Score: 2, Funny

    I was thinking about this, and thought of a way to counter this threat...

    Patch the vulnerability!

    Who do I see about dropping off my resume?

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:A stroke of genius... by dudpixel · · Score: 0

      Not only that...

      This action from Microsoft takes "Microsoft Anti-Malware" to a whole new level.

      Not only will it protect your pc from malware (yet badly), it will also hunt down the author. Show me a competing anti-malware product that does THAT!

      --
      This seemed like a reasonable sig at the time.
    2. Re:A stroke of genius... by jesstheaussie · · Score: 1
      Actually, Microsoft patched the vulnerability in November 2008. The victims of this worm fall into one of 2 categories:
      • Mostly people who never bought a windows license anyway and avoid Windows Update for that reason
      • Some people who are dumb enough to turn off auto update without taking any steps to mitigate the security risks this brings.

      Personally I think it's perverse that Microsoft feel the need to respond to this security threat that really only impacts people who either use their product in violation of the license or actively disable the security features built into the software.

      This is not to say that other operating systems aren't more secure, Linux certainly is by default, but this particular issue with Windows has been patched and I think we would all be upset if MS started criticising OSS based on bugs that were patched months ago.

    3. Re:A stroke of genius... by Anonymous Coward · · Score: 0

      I was thinking about this, and thought of a way to counter this threat...

      Patch the vulnerability!

      Who do I see about dropping off my resume?

      Don't need your resume any more. Thanks for the solution. Will get the guys in India working on it right away.

    4. Re:A stroke of genius... by symbolset · · Score: 2, Insightful

      Microsoft patched one heinous vector months ago: the broken Server service that allows pathological inputs to execute arbitrary code with System privileges, remotely. They patched it with hasty broken code that will be exploited later this year, but that's a different worm for a different day. They also didn't disable remote logins on this service or do the rational thing and close the port entirely so one exploited PC inside your network is going to spend its whole day cracking passwords. A diligent IT shop might have validated the patch by now. Remember... patches break stuff.

      Still not protected: that laptop that's been sitting in a drawer waiting for the position at that empty desk to be filled. The road warrior whose third party firewall blocks Windows updates.

      Still not fixed: Autorun.

      Blaming the victim isn't going to get you anywhere here. We know better.

      --
      Help stamp out iliturcy.
    5. Re:A stroke of genius... by Moleculo · · Score: 1

      Posting to undo misclicked moderation.

    6. Re:A stroke of genius... by daemonburrito · · Score: 1

      You're absolutely wrong. Why do you people keep trusting Microsoft?

    7. Re:A stroke of genius... by amirulbahr · · Score: 1

      Just follow the trail of chairs.

  28. oops by Anonymous Coward · · Score: 5, Insightful

    The worm authors made just one mistake... they were far too successful. They wanted a botnet. Maybe a few thousand computers. Maybe 10 - 20 thousand.

    Instead, they wrote a fast spreading worm that infected millions of computers.

    What's the difference? The guys who infect 10,000 computers are small fries, and no one is going after them. Infect millions of computers though, and every computer crime agency on the planet will be after you...

    1. Re:oops by ProfMobius · · Score: 1

      Maybe this is why there is not any kind of offensive payload in it yet (beside the propagation part). The guys launched it, and when they saw how well they programmed it, they just went hiding in a hole somewhere.

      --
      EULA : By reading the above message, you agree that I now own your soul.
    2. Re:oops by kojot350 · · Score: 1

      Let's hope this is how things are, but I wouldn't count on it. AFAIK with its cpu-power, they can be using it right now to crack some encryption known as "secure". It doesn't have to be DDNS for starters...

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
  29. Conficker Flavors by pyrrhonist · · Score: 4, Funny
    From the article:

    Symantec, which is contributing its malware-analysis expertise to the group, believes there are two main versions of Conficker, "Flavor A" and "Flavor B,"

    The flavors were determined using LOLCATS. True story.

    --
    Show me on the doll where his noodly appendage touched you.
  30. It's singalong time! by Chris+Tucker · · Score: 1

    Botnets, global botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, true!
    Gateway, Packard Bell, maybe even Asus, too!

    Are boxes, found on botnets.
    All running Windows. FOO!

    --
    Guaranteed! This comment 100% Anthrax free!
  31. Tough room by symbolset · · Score: 3, Informative

    The MS bounty program has been running since 2003. Thus far they have paid out only one award of $250.

    --
    Help stamp out iliturcy.
  32. I GOT HIM! by Kent+Recal · · Score: 2, Funny

    Hey, I GOT HIM. Even made a photo for you.
    Now sack him and send the bounty to my paypal please.

    This is the guy who is currently officially responsible for windows being vulnerable to worm and malware attacks.
    There have been others in the past but your bounty explicitly asks for the person responsible for this current "conficker" worm, so here you go.

    1. Re:I GOT HIM! by shanen · · Score: 1

      Actually, as I thought about it some more, what Microsoft should offer to pay for is a copy of the source code of the worm. That would provide the mechanism to deal with it--possibly. Of course, they couldn't do that in public. They'd motivate multitudes of script kiddies to try and strike it rich with a big payoff for a few hours of coding.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    2. Re:I GOT HIM! by Kent+Recal · · Score: 2, Insightful

      I don't think microsoft has an interest to deal with it in any way. This is a PR-effort to distract from where the blame should really go. Even if they "dealt" with this worm and its attack vectors in some way - the next worm is just around the corner. The security model in windows is just fundamentally broken, thus we'll continue to see worm attacks and pointless bounties.

  33. We'll smoke 'em out by Fastball · · Score: 1

    We'll find the terrorists.

  34. Well maybe by symbolset · · Score: 2, Insightful

    I'm so sick of how anything that criticizes microsoft on slashdot gets modded up on slashdot, and...oh, nevermind.

    Well maybe they should make a decent OS. Or stop partnering with companies for the purpose of killing them for the secondary benefits. Or suing their customers. Or stealing ideas like Stacker. Or paying Gartner to release "studies" that exclaim their new products are taking off like a rocket. Or taking a perfectly good webmail like hotmail and turning it all greasy. Or trying to kill decent software companies like Netscape, Corel and Adobe. Or launching disinformation campaigns like "get the facts" and "Mojave Project". Or generally puking all over everything in IT. Or paying folks like SCO to sue decent folk who are just trying to use decent software. Or... oh screw it. None of that is ever going to happen. Never mind.

    Slashdot is never going to like Microsoft.

    --
    Help stamp out iliturcy.
    1. Re:Well maybe by pohl · · Score: 1

      At the time the post I was responding to was marked "troll". A mod must have come in after me to ruin my joke. Oh well. :-/

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  35. Not likely by symbolset · · Score: 4, Insightful

    This program, which has been in place since 2003, has paid out a grand total of $250. All of it in one whopping check to the college mates of the Sasser programmer. Presumably they split it and bought some beer. The program manager must be quite proud of himself.

    In related news, Microsoft is working with ICANN and others to prevent the registration of the domain this thing calls home to. It probably hasn't even occurred to them that the programmers ran their random name generator out a long way in advance, registered the domain in the name of some perfectly innocent third party long ago and that they're too late because launch day for downadup is tomorrow since they always kick these things off of the eve of a holiday weekend.

    If you admin Windows desktops, I wouldn't invest too much in your plans for this weekend.

    --
    Help stamp out iliturcy.
    1. Re:Not likely by Daltorak · · Score: 1

      It probably hasn't even occurred to them that the programmers ran their random name generator out a long way in advance, registered the domain in the name of some perfectly innocent third party long ago and that they're too late because launch day for downadup is tomorrow since they always kick these things off of the eve of a holiday weekend.

      Microsoft has published a complete list (in CSV form) of all the domain names that Conficker will try to contact through June 30, 2009. That's 249 of them a day, for a total of 113,500 domain names.

      http://blogs.technet.com/msrc/archive/2009/02/12/conficker-domain-information.aspx

      If you admin Windows desktops, I wouldn't invest too much in your plans for this weekend.

      Why? The patch for this vulnerability was released four months ago, and the latest round of Windows Updates (a couple of days ago) include a scan & remove of Conficker.A and Conficker.B. As for the Autorun variant of this attack, Microsoft has published a KB article covering various ways to prevent it. Of course, if you don't have anyone working in your offices over the weekend, nobody's likely to come in and plug in infected USB devices.
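
The per-day domain list mentioned in the comment above lends itself to a simple DNS-log check. The following is an added example, not part of the thread or of Microsoft's publication; the CSV layout, the log format, the host addresses and the `.example` names are constructed assumptions. It flags hosts that queried several listed names for the matching day, since a single hit can be a collision with a legitimate domain.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample of a per-day domain list. The (date,domain) column
# layout is an assumption, not the format of the published file.
SAMPLE_LIST_CSV = """date,domain
2009-02-13,qwmfkdls.example
2009-02-13,zzplrtkq.example
2009-02-13,hbnxoeuy.example
2009-02-14,tjwqmcva.example
"""

# Constructed resolver log: ISO timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """2009-02-13T09:00:01 10.0.0.21 QWMFKDLS.example.
2009-02-13T09:00:02 10.0.0.21 zzplrtkq.example
2009-02-13T09:00:03 10.0.0.21 hbnxoeuy.example.
2009-02-13T09:05:10 10.0.0.21 www.example.org
2009-02-13T10:12:44 10.0.0.34 qwmfkdls.example
2009-02-13T10:12:50 10.0.0.34 qwmfkdls.example
this line is malformed and must be skipped
2009-02-13T21:30:00 10.0.0.55 hbnxoeuy.example
2009-02-13T23:58:07 10.0.0.55 tjwqmcva.example
2009-03-01T08:00:00 10.0.0.77 zzplrtkq.example
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def load_domain_list(csv_text):
    """Return {date: set(domains)} from the per-day list."""
    listed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = date.fromisoformat(row["date"].strip())
        listed[day].add(normalize(row["domain"]))
    return dict(listed)


def parse_log(log_text):
    """Yield (timestamp, client, qname); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], normalize(parts[2])


def find_suspect_hosts(listed, log_text, min_distinct=2, day_slack=1):
    """Map each client to the listed domains it queried.

    A query counts only if the name is listed for the query date, give or
    take day_slack days (an infected host's clock may be off). A host is
    reported once it has queried min_distinct different listed names.
    """
    hits = defaultdict(set)
    for ts, client, qname in parse_log(log_text):
        for offset in range(-day_slack, day_slack + 1):
            day = ts.date() + timedelta(days=offset)
            if qname in listed.get(day, ()):
                hits[client].add(qname)
                break
    return {c: sorted(d) for c, d in sorted(hits.items())
            if len(d) >= min_distinct}


if __name__ == "__main__":
    listed = load_domain_list(SAMPLE_LIST_CSV)
    for host, names in find_suspect_hosts(listed, SAMPLE_DNS_LOG).items():
        print(host, ", ".join(names))
```

Hosts below the threshold are worth a second look rather than an immediate rebuild; calling the function with `min_distinct=1` lists them.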

    2. Re:Not likely by symbolset · · Score: 1

      Microsoft has published a KB article covering various ways to prevent it.

      Of course they skipped the obvious one: Get a Mac. Or at least use some other OS software.

      Of course, if you don't have anyone working in your offices over the weekend, nobody's likely to come in and plug in infected USB devices.

      If you're counting on this, you're not working IT in the Enterprise. Enterprise ops are a 24/7 operation.

      It appears I was wrong though. If activation day was last Friday, we'd have heard by now.

      If you read the domains it's likely you can find activation day by checking already registered domains. Of course, fast flux DNS can defeat the preregistered domains, as can various DNS hijacking techniques. This threat isn't done yet. A botnet might not even be the intended purpose of this threat. It's possible the random domain generator was engineered to put a perfectly legitimate domain offline, and the prevention techniques in place are the expected execution mechanism.

      Why?

      If you want to ask this question I have to ask if you were not better off asking yourself "Why not?". If you spent as much time and effort examining how and why these things happen, how the bad guys operate and where they might go next, than defending this malpractice on /. you might not have this problem.

      Here are some free tips:

      Allow neither open ports nor listening services on end-user desktops - ever. Not ever. Not for any reason. It's deliberate neglect of best practice going back 20 years at least. If I didn't have practical experience as well as theoretical I wouldn't believe this wasn't a mandatory pass interview question for enterprise IT. There is no justification for this practice and there never has been. Anybody who suggests such a thing should be summarily terminated for being an idiot, assuming the idea occurred to him after he got past the interview in the first place.

      Autorun. There hasn't been a less secure idea since Outlook executed attachments in the preview pane. People who don't know why this is a bad idea should be prohibited from practice as IT professionals. If you don't know the methods by which the prevention of autorun by group policy is prevented by accident or by purpose you shouldn't be allowed to edit GPO's, nor to give guidance to people who manage IT at the executive level in the enterprise.

      USB. Its broad utility is its trap. Imagine you have a USB keyboard. If you can configure a PC to boot to USB you can insert a device in the keyboard that includes a USB hub that includes both a keyboard attachment and an SSD that's bootable that chain boots to the HDD. That gives you a workable computer in a VM that looks like it's doing what you tell it to, but that is completely and totally owned by an intruder. Likewise a mouse. There's plenty of room in both a keyboard and a mouse. And then there's all those spare USB ports just waiting to be exploited. It's sad how easy this is. Here... let me send you a sample of our latest Ergonomic Human Interface Device. No, let me just share this Zune app with you. Hey, this iPod Touch video requires a codec. You download it from this website...

      Oh, God. You're hosed.

      I wonder if there's some other system we could use... some system that doesn't have the malware ecosystem that Windows has... Some system which might or might not theoretically be less secure depending on who you ask, but which is known to be less exploited in practice...

      --
      Help stamp out iliturcy.
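The idea in the comment above, finding an activation day by comparing a date-seeded domain list against domains that are already registered, sketched as an added example that is not part of the original thread. The generator is a toy stand-in (not Conficker's algorithm), and the TLD list, dates and sample registrations are constructed.

```python
import hashlib
from datetime import date, timedelta

# Constructed TLD list for the toy generator (assumption, not from the thread).
TLDS = ("com", "net", "org", "info", "biz")


def candidate_domains(day, count=50):
    """Toy date-seeded generator: the same date always yields the same list.

    This is NOT the worm's algorithm; it only models the property a defender
    relies on, namely that the list for any given day can be precomputed.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                      # labels of 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def rank_days(registered, start, days):
    """Score each day in [start, start+days) by how many of its candidate
    domains appear in the observed registered set. Best match first."""
    seen = {d.lower().rstrip(".") for d in registered}  # normalise case / root dot
    scores = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        hits = len(seen.intersection(candidate_domains(day)))
        if hits:
            scores.append((day, hits))
    return sorted(scores, key=lambda s: (-s[1], s[0]))


def constructed_observations(target):
    """Constructed sample: three candidates for `target` that someone has
    registered, mixed with unrelated names as they would be in zone data."""
    picked = candidate_domains(target)[:3]
    return [picked[0].upper(), picked[1] + ".", picked[2],
            "example.com", "slashdot.org"]


if __name__ == "__main__":
    target = date(2009, 2, 20)                          # constructed date
    for day, hits in rank_days(constructed_observations(target),
                               date(2009, 2, 1), 60):
        print(day.isoformat(), hits)
```

A cluster of hits on one day only says that someone registered that day's names; the registrant can just as well be a researcher or registry blocking them in advance, so the registrant data has to be checked before the day is read as an activation date.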
  36. Please mod parent funny by symbolset · · Score: 0

    When MS learns how to write secure code....

    Apparently Microsoft hires the brightest minds on H1B visas from around the world, draining the IQ of the planet on their way to spending $9 Billion a year on research and development. One must presume that they know how and that they don't care.

    --
    Help stamp out iliturcy.
    1. Re:Please mod parent funny by benjymouse · · Score: 1

      Apparently it works. Microsoft's operating systems have fewer vulnerabilities than any of the other mainstream operating systems, OS X and Linux.

      This is not a troll post. I know the general consensus on /. is that Microsoft operating systems and software have more holes than any other. However, IBM (X-Force team) draws regular statistics based on disclosed vulnerabilities.

      http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

      • Linux kernel has roughly 2x the vulnerabilities of Vista,
      • OS X has 3x the vulnerabilities of Vista.
      • Windows XP is not doing too bad either. It still has far fewer vulnerabilities than Linux and OS X.

      Now, in a (probably futile) attempt at preempting some of the popular myths as well:

      1. The IBM research team did count Linux kernel vulnerabilities, i.e. they did not add vulnerabilities from multiple distributions, neither did they count vulnerabilities from distros' bundled software as kernel vulnerabilities.
      2. Microsoft does disclose all of their vulnerabilities when patched. They may keep vulnerabilities secret until then. The delay in disclosure may create a temporary undercounting but as the vulnerability must eventually be patched this will even out over time.
      3. Microsoft does not "slip patches" secretly through. Any Windows admin will tell you that all patches are followed by very detailed information about what is being patched and why.
      4. If undercounting is going on, it is far more likely to be a trait of Linux kernel, as the kernel team's policy is to fix a bug when they see it and not go out of their way to formally "disclose" the bug as an official vulnerability. At least Linus has said as much.
      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    2. Re:Please mod parent funny by kojot350 · · Score: 1

      You mean found and patched vulnerabilities, right? So which system is now more vulnerable? Think...

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
  37. If Symantec is helping by symbolset · · Score: 1

    Then the cure will be worse than the disease.

    --
    Help stamp out iliturcy.
  38. Slowly? by symbolset · · Score: 1

    It has been slowly but surely spreading since November.

    If 4 million installs a month is slow then what is fast? Vista? ORLy?

    --
    Help stamp out iliturcy.
  39. Oo, oo, ooh! by Anonymous Coward · · Score: 1, Funny

    250K ought to be enough for anybody.

    *ducks*

  40. Whack the hackers and cut off countries that don't by tjstork · · Score: 0, Troll

    Blaming an operating system for getting infected by a virus or an attacker of some sort is like blaming the victim for getting mugged when he's not allowed to shoot back.

    It's time to get serious about going after botnets and the control network is the key. Follow that baby back to its origin, and shoot the guy holding the switch. If the network crosses into a country that doesn't allow that sort of thing, cut it off. It's not right to subject plenty of law abiding companies and people to this false ideology of passive defense.

    Passive defense has failed, and it's time to go on offense. The more hackers you have up rotting at the end of a rope at various computer fairs, the less likely people will be willing to attack. Now is not the time to be squeamish about the death penalty. If you can convince yourself a fetus isn't human, convince yourself that criminals aren't either, and kill them.

    --
    This is my sig.
  41. The old business plan by clarkn0va · · Score: 2, Funny

    1. Write an operating system and spend seven minutes making it secure
    2. Sell it to a bunch of VPs, CTOs and OEMs from arm's length.
    3. ...
    4. Offer seven minutes worth of earnings to whoever catches "the bastard" that tried to rain on their parade
    5. Profit!

    --
    I am literally 3000 tokens away from the chaotic crossbow --Stephen
  42. Cheap Pricks by hyades1 · · Score: 1

    Girls who want intelligent babies pay more than that for my sperm. Only the half-wits at Microsoft could imagine that the guilty parties (and the people who know them) carry less than $250,000 in their wallets.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:Cheap Pricks by laejoh · · Score: 1

      They need to do way instain mother> who kill thier babbies, becuse these babby can't frigth back? It was on the news this morning a mother in AR, who had kill her three kids. They are taking the three babby back to New York too a lady to rest. My pary are with the father who lost his chrilden ; i am truley sorry for your lots.

  43. Re:Whack the hackers and cut off countries that do by daemonburrito · · Score: 1
  44. Re:Microsoft: Release a mandatory patch to stop it by Anonymous Coward · · Score: 0

    And get lawsuits from John Scherer the Video Professor whose lessons play on your screen like a VCR?

  45. oops^2 by Anonymous Coward · · Score: 0

    Imagine if the worm's generated botnet become a global A.I.
    "/. archives registered that botnet accessed to autonomous conscience April the 1st, 2009 AD..."

  46. Not what I meant, no by benjymouse · · Score: 1

    That IBM report does not state anything about MS patch time, and it was not what I wrote about.

    The GP was talking about "writing secure code". By that I assume he meant writing it secure in the first place.

    And in that area - contrary to popular myth - Microsoft seems to lead the pack. If you don't consider those who didn't even make the list, like the BSDs.

    Why don't you read the report? There is more in there than mere operating system security, although that is probably the part that will ruffle feathers on /.

    Microsoft comes out as the vendor with most vulnerabilities (across all products) overall. No surprise there, as their product portfolio is quite large. That IBM and Oracle are also on the list is also no surprise. They also have huge software portfolios.

    But Apple makes it to 2nd spot, that was a bit surprising. They produce much fewer software products than the others.

    But perhaps most alarmingly is the fact that several PHP based single-product vendors made it on to the top-10 list by virtue of their single products.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    1. Re:Not what I meant, no by kojot350 · · Score: 0

      I'll give it a try, but I'm really suspicious about "objective" "third-party" analyses, if you know what I mean ;)

      --
      [ $[ $RANDOM % 6 ] == 0 ] && rm -rf / || echo *Click*
  47. i know the guy... by Anonymous Coward · · Score: 0

    ..but i would never turn him in, not even for 100 millions. it's just more fun to watch american war ships unable to navigate because of a little well designed program. developers, developers, developers do the monkey dance. mahahaha!

  48. I'm on it Steve. by xactuary · · Score: 0

    Ballmer found a worm in his tequila bottle and asked me to look into it. No prob Steve. Don't let the chair hit me on the way out!

    --
    Say hello to my little sig.
  49. This plan needs a name. by xactuary · · Score: 0

    "Microsoft Slaps $250K Bounty On Conficker Worm"

    This plan needs a name. How about calling it "The Quicker Picker Upper"?

    --
    Say hello to my little sig.
  50. Re:Whack the hackers and cut off countries that do by slackbheep · · Score: 1

    I support this like I support putting police bullets into gang members. Excellent use of tax dollars, but problematic to ensure power is not abused.

  51. Average skript kiddie by DrYak · · Score: 1

    Yes, indeed. But does the average l33t skr1pt k1dd1e know this ? Very unlikely.

    Most of them will probably think : "OMGLOL PWNIES ! Fast'n'easy bucks FTW ! KTHXBYE !" (or something along these lines)
    and then try to pull a Joe job.

    Net result : even more compromised machines everywhere as script-kiddies try to enact their "perfect plan to quickly earn money".

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  52. Re: Windows Update by transporter_ii · · Score: 1

    Whenever I see updates available on Linux, I know there is probably a fix or an improvement waiting on me.

    For whatever stupid reason, on Windows, I always wonder what the next update is going to take away.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  53. Once Again... by flyneye · · Score: 1

    Once again I tell Slashdotters, turn them over to me. I will make an example of them and post it to youtube for as long as they will carry it.
    I will do things that make the Hellraiser series look like Disney films. You will see up close just how inhumane man can be and all for my own personal entertainment. Well, o.k. I also have a thing for vandals, thieves and pedophiles.
    Send them to me.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  54. Email priority... by Anonymous Coward · · Score: 0

    for his company was listed as #5.

    nice try.

  55. This is how to troll by symbolset · · Score: 3, Funny

    Here we are in the middle of a thread discussing how a recent one of the million pieces of Windows malware has zombied 12 million computers around the world, and you're here to remind us that Windows is more secure because somebody somewhere said so.

    Nice. Thanks.

    --
    Help stamp out iliturcy.
  56. Vulnerabilities != exploits by benjymouse · · Score: 1

    The GP I replied to suggested suing Microsoft because of all of the vulnerabilities.

    I then pointed out that according to a normally respected organization (IBM) who did their homework, other OSes have far more vulnerabilities, alas we could sue Apple 3 times over and, well, Linus? 2 times over.

    But then you jump in and once again equate vulnerabilities with exploits. And on top of that call me a troll?

    Get a clue will you? There is a difference between a vulnerability and an exploit. In case you don't know, the difference is exploits are created by attackers taking advantage of vulnerabilities.

    If you want to sue some company on the basis of something they did or failed to do, you may try to sue on the basis of vulnerabilities.

    Your reference to exploits created by attackers is totally and utterly out of context here.

    Or are you again trying to use the number of exploits that exist for Windows as "proof" of the perceived vulnerability of that OS when we actually have much better real data (vulnerabilities).

    Or is your problem that some other OSes appear to have more vulnerabilities?

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  57. praise by symbolset · · Score: 1

    And on top of that calls me a troll?

    Not quite. I was calling the post a troll. And a good one. If that wasn't your intent, well, I'm sorry - I take back the compliment.

    Thanks for the laugh though. I needed one today.

    --
    Help stamp out iliturcy.
    1. Re:praise by benjymouse · · Score: 1

      It wasn't my intent to troll. The IBM report is an interesting read. Not just about operating system vulnerabilities, but also because it precisely addresses the "economics" of vulnerabilities - why some are exploited and others are not.

      BTW, I noticed that I claimed the GP was talking about suing. I was mistaken (that was another thread) he talked about when Microsoft used some of their bright brains to improve the quality of their code (alluding that it is bad). I stand by my comments about the report, though. The IBM report shows that Microsoft has actually improved *a lot* since the sasser, nimda, code red disasters.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  58. Much improved by symbolset · · Score: 1

    The IBM report shows that Microsoft has actually improved *a lot* since the sasser, nimda, code red disasters.

    You're right of course. It's so much better now. I should have posted my snarky comment in that thread about the twelve million zombied macs and linux machines. Odd... Google isn't being very helpful on this one. Could you help me out with a link to that discussion?

    --
    Help stamp out iliturcy.
    1. Re:Much improved by benjymouse · · Score: 1

      Just read the report, will you? Your question has already been answered pretty convincingly by the IBM researchers.

      Here, I'll give you the link again: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

      And I'll even quote:

      While all of the factors considered by CVSS are important, what CVSS scores fail to capture is the economic opportunity that a vulnerability presents to an attacker. The days of amateurs, college students, or hackers taking joy rides on corporate information systems are largely over. Today's attackers are economically motivated. They are international criminal organizations who make a living stealing financial information and identities. Today's threat is far more sophisticated and far more dangerous than the security threats of yore, but in some ways it is more predictable.

      The result of this new reality is that there have been several vulnerabilities this year that received very high CVSS scores and raised widespread alarm within the security industry. However, they were not widely exploited in the wild. In most cases, these vulnerabilities did not fit well into the current business models of computer criminals

      Vulnerabilities that fit into existing processes and which can leverage existing automation are easy for criminals to monetize. Vulnerabilities that require the development of new processes or software are much less likely to present an attractive opportunity to criminals, particularly if they represent a one-of-a-kind set of circumstances that is unlikely to be repeated in the future. Even when it does make sense for criminals to develop a new attack methodology to exploit a new class of vulnerabilities, widespread attacks will usually take longer to emerge than for vulnerabilities that fit directly into an existing process.

      To put all of these issues into perspective, let's consider them together. Figure 7 plots each issue into one of four quadrants based on the opportunity they present to a criminal and the cost of realizing that opportunity. Only issues that make it to the top right [cheap exploit, many targets] resulted in widespread exploitation. The others did not present enough of a financial opportunity or they were too expensive to monetize.

      Basically both OS X and - especially - Linux fail the "many targets" test for desktop-style drive-by exploits. You could argue that Linux, which is used with Apache on most internet servers, presents a formidable number of targets. Yes, but we haven't seen a "cheap" exploit which were remotely exploitable against any of the OSes in the latter years.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  59. What with the back and forth I've forgotten. by symbolset · · Score: 1

    Yes, but we haven't seen a "cheap" exploit which were remotely exploitable against any of the OSes in the latter years.

    What was the article we're talking about again? Was it a mac worm that's owned 12 million computers? Or was it a worm that uses as one vector a remotely exploitable vulnerability in the Server service on Microsoft Windows computers, including all versions of Microsoft Vista?

    Look, why mac and linux software aren't the malware ecosystem crudfest that Windows is is irrelevant. They're not, and that should be enough for most people.

    And pdfs are so dry. Here: have a video. Not a Ric Roll, I promise.

    --
    Help stamp out iliturcy.
  60. Re:Microsoft: Release a mandatory patch to stop it by Megatog615 · · Score: 1

    But that would require them to admit to a mistake they made.

    Everybody knows that's impossible.