Slashdot Mirror
Virus Costs Dell Millions in Ireland
ruggerbugger writes "Dell's production plant in Limerick, Ireland was [temporarily] shut down due to a funlove virus causing the recall of 12,000 computers... For full story see the Irish Times."
← Back to Stories (view on slashdot.org)
So it's not LCD shortage as my friend was told?
Hei Lars!
Paul
You'd think that if they have a machine that does nothing but control the installation of software to the new units, they would not do much other stuff on there, so I would be really interested in how they managed to get a virus on there. Unless of course they stuff their new PCs with copies of Win2000 that they warezed off the net.
While some people may wish to believe the Chinese government has no plans for e-warfare, it is already happening, and has been for some time, among hackers and their targets. This includes electronic warfare between corporate organizations, and even already among governments (such as the US and Iraq).
;-P
Virii, whether intended to be amusing or destructive, can cost companies or countries millions of dollars when they strike networks. This is an obvious form of electronic "munition", and intentional or not, virii have damaged a number of corporations economically. Most companies have recovered from these virus attacks, but it is clear that virii and other threats are still quite a problem.
It's amusing that this story and the China story came so near each other. Maybe it's the Chinese
o/~ we are pissed, we are pissed, we have to resist... o/~ - ec8or
The y2K issues aren't going to be about a computers internal dates, they will be about all the wierd lamers and fanatics out there that think it's a handy date for them to do their stuff while people are recovering from their hangovers.
:o)
Who knows how many virii there are out there that lie dormant until 1/1/00, who knows how many hackers there are, or indeed even bombs out there with detonators set for 00:01 1/1/2000
I might be paranoid, I might not be, all I know is that humans are a strange breed in general and do some very silly things.
Still, I don't much care, I'll be hungover
How many times has this same sort of thing happened in the past?
I know I've heard of it a few times in the last few years.
But I can't remember who was effected or when.
Anyone have a better memory then me?
-- This post contains %100 recycled electrons Remove spam and eggs to send some mail.
"The FunLove virus infects both desktop computers and computer servers running Windows 95, 98 and Windows NT operating systems." /. about them. Maybe this will mean they push their preinstalled linux boxes a bit harder! :)
Another one in the eye for Billy G! Excellent PR for Microsoft (not!)- this will surely make the financial pages of international media. PHB's don't really understand stuff like "inherently weak security model", they just believe the Redmond spin doctors advice. But £14 Million, now that's something that will get their attention. Hear that mindshare slowly deflating in your bosses brain...
OTOH, it's bad news for Dell - they were doing well, last time I saw an article posted on
Strong data typing is for those with weak minds.
A car thief once told me "There is no such thing as complete security. All your precautions are going to do is stop the incompetant, who aren't a danger anyway, and slow down the professionals, who won't be stopped at any rate." Or maybe it was my dad.
Either way, no amount of virus protection will stop all virii. This should not be seen as a setback for Dell, but be a time for rejoicing. Dell actually admitted that there was a problem, has attempted to correct it, and not tried to hide any of this from the public. All at great cost to themselves.
Many other computer companies would simply hush up a problem of this magnitude, but Dell deserves our praise for coming forward and correcting a problem publicly.
Computers can only simulate determinism. ~Hermetic.
Notice my email address; it's at ireland.com . I can pretty much forget about checking that for the next few hours. Bastards.
On a lighter note, last year I took a train from Dublin to Limerick for a job interview with Dell. The two techies told me I more or less had the job, but the HR guy equivocated. I got another train home, and never heard from them again. Not as much as a PFO (does that term enjoy currency outside Ireland?).
Anyway: I can't condone the use of viruses (or viri, but not virii), but I did laugh. Hard.
Other companies would probably only offer a service pack several month later...
I wonder how long time the virus had gone undetected? They recalled 12,000 units so if anybody knows approximately how many they make per day I guess we could figure it out. My guess would be 4-6 days?
It really leaves you wondering what they were doing. The issue does not, to me, seem to be one of current virus software. No virus software is current: there are always new, undetected viruses out there. Rather the issue seems to be that Dell had failed to isolate their production computers from the network the administrators used for surfing the web and installing unknown games (or whatever) on.
It could be a lot worse. Somebody could have installed a backdoor program and used this to change the configuration of all new Dell PCs such that they fail to work on Jan 1, 2000.
Oh. Maybe they have :-)
Hi!
Can someone from the Emereld Isle tell this yankee what "automatic delivery" is? Here in the states, we have to contact a third party specializing in package delivery, like UPS or FedEx, for large boxes like computers to go anywhere ;)
Eric
The last line in the article. Look at all the companies that installed AV software afterwards. You would think that at least Microsoft would have decent AV stuff running.
Antivirus procedures in most companies is a joke.
I went round upgrading Win95/98/NT for Y2K compliance (another joke) in a very important company in N. Ireland over the summer, and everytime we did a computer we ahd to copy a Word document to the hard drive and fill it in, date, time etc. Then we copied it to a floppy. When we finally got all the disks back there were 4 different boot sector viruses on them, and numerous Macro viruses. All the computers were running virus checkers, so the PHB's all thought they were safe from viruses. The only problem was that the checkers were 4 years out of date.
This virus seems to be a relativly mild and easily controlled virus I was wondering about the possible threat of the recently availible Bubbleboy virus.
Given the ease of its transmission and the number of users who will not upgrade their email it appears the potential for infection is enormouse.
But how big? Will it be big enough to make a dent in internet bandwidth (a la the internet worm). Or will the fact that it is a virus and not a worm prevent such widespread network clogging?
Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
My PC was one of those held up by this problem, and whilst it's irritating not to get my hands on my new kit I think Dell have delt with it very well. I got a very apologetic phonecall and it's only going to be a couple of days late - far better than sending out infected machines.
Somatizer
There once was a man named Dell
Whose computere truly were swell
And he said,
as the computers were recalled
Whoever did this is gonna catch Hell!
then it comes to be that the soothing light at the end of your tunnel is just a freight train coming your way
Maybe next time I am forced by my employer to buy hardware from Dell, I will try to order from Dell there.
Here in the states several machines I ordered were delayed over three weeks.
And everytime *I* called to see when I would be getting them I got a different anwser.
All of which amounted to about the same thing "We couldn't care less."
I've started to notice this is true. That out of alot of other countries I have talked to people from.
Here in the US we seem to get the worst customer service. Do they treat the employees bettter other places, or is it something cultural?
-- This post contains %100 recycled electrons Remove spam and eggs to send some mail.
I live about 20 miles away from the plant, and I hear that in order to get the employees they need, the courts are giving crims the option of punishment by Dell.
Alledgedly... (no wonder I logged out first)
--
I can't stop laughing. Will they send the bill to microsoft ?
Any company pre-installing that looser OS deserves to be mass infected.
-- "Life is easier since I have excluded JonKatz stories from my homepage"
When I bought my current laptop I ordered it by credit card and had it the next day.
I ordered an Inspiron 7500 with the new cool 1400x1050 15" LCD 11 days ago over the Internet, and it took them from that Tuesday until the following Monday to debit my credit card.
While I was trying to use their order tracking page, it threw up Visual Basic (hmmm) exceptions, variously Out Of Memory and some other ones I forget, returned to the browser in HTML by their server. I called and waited out the queue for 6 minutes, only to be told by the customer service muppet that the problem must be at my end, ''because no-one else has reported any problems''.
They are quoting delivery expected on 13 Decemeber, but I find it hard to have much faith. The worst thing is Dell running TV ads in the UK at the moment where the sleek, rich Michael Dell oozes on about how customer service is so important to him.
In short, bad vibes, frustration, and poor service, and that's before they even debited my card!
The deal was this: we took shipment of a whole bunch of Dell PCs with their supposedly useful auto-install Win95 thingy on, so you could turn them on, agree to the license and it would install Win95 from a CD image on the hard disc. Only, because of the massive amounts of custom hardware on the mobo, it didn't work, and in quite a major way. The machines firstly died during initial installation, requiring a reboot. They then just about made it to the Win95 desktop, but didn't autodetect any hardware, so you had to restart the machines again, which crashed them. Rebooting into safe mode, shutting down, and restarting finally persuaded them to autodetect the onboard hardware, and then a final reboot bought them up in a 'useable' state.
I repeat, these machines were *straight* out of the box, with no weird setups or anything. My feeling is that if Dell quality control is lax enough to let this kind of thing slip through, I'm not at all surprised a virus made it onto their machines...
-- I reserve the right to be completely wrong --
It's this kind of financial and PR poke in the eye that makes a company like Dell seriously question their reliance on Microsoft. This will become even more clear the first time the headline reads "Lax Windows security Costs Dell millions".
---
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Can Linux catch a virus? Well, send a loaded email to my ISP. They happen to run Linux, use Pine for email, and under user accounts. There you have three reasons why the system files will not be corrupted.
Now I hear people say virus can infect anything regardless of what operating system I have, no matter how secure I think I am. Well, I haven't learned how to do scripting in Pine and I can see non text funny stuff from spammers and friends like a trojan. Things between the mailers like pagers, routers, copper wire, and your modem, etc., just really are not designed to host a virus. But when you run it on a Windows system that takes security as a joke, be prepared.
Or is the great Penguin too thin skinned?
Amazing how a bash-M$ post, with IMHO had little to do with increasing the quality of the thread got a "2", while a "hey, wait a minute" one gets a "0 - Flamebait" rating.
People: If we don't consider this an open community instead of an "Anti-Microsoft House of Worship", we all may as well go home. Squelching debate like this makes us no just like M$, less 1 Trillion Bucks.
46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
I have drawn this abuse to Rob's attention, hopefully he will take appropriate action.
--
I wonder what kind of OS Windows would be? Certainly not "basic." Yi!
bradley
I guess that's the luck of the irish right there. (sorry.. had to be said)
---
-
ping -f 255.255.255.255 # if only
Frightening as it may seem to you, most people have moved beyond the 1970's computing paradigms. As (I should really say if) Linux becomes more popular, the viruses will proliferate. Unless you can convince people to get all nostalgic and embrace the TTY non-GUI.
/etc/passwd, and why they can't run that administration tool. The multi-user aspect just doesn't make sense to the average Joe User, esp. if it's a machine on their desktop. I've encountered this before: "Multi-user? Who else is using my computer??!?"
It's not about the GUI, it's about the security permissions. You can run any damn window manager/GUI you want, but if you routinely login as root, you're an idiot who deserves whatever happens. If you're not root, you shouldn't have permission to access any files you don't need, and then only with the minimal permissions you need. That, in fact, is pretty much the point of a multi-user system.
Of course, it's awfully difficult to explain to a windoze luser why they can't delete the system files, and why they're not allowed to edit
Any operating system is vulnerable to a virus. Period. Linux has very few viruses. There are none that I know of that can hose your system unless you're running as root (idiot). While I concede it may be possible to integrate a root security breach into a virus, so that it could do what it damn well pleased, I don't think any like this exist yet. And even so, once the security hole would be patched (quickly), that virus would no longer proliferate well.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
It doesn't seem that Dell is at fault here. If they applied a virus pattern file update last Thursday (Nov-11) and detected the virus, it makes complete sense. The virus was added to Network Associates' (McAfee's) list on Nov-9. Which means that two days after the virus was identified by the anti-virus community (and probably the very next pattern file update), Dell found it in their systems. Per the page at NAI, the virus is detected by the pattern file due out today.
This doesn't seem to be something we can blame Dell for.
Hello little man. I will destroy you!
There once was a rich man named Dell
Whose computers all truly were swell
But he said, quite appalled,
as the 'putes were recalled
The prankster is gonna catch Hell!
Scans even better now...
--
This is my cubicle. There are many like it, but this one is mine.
This is my cubicle. There are many like it, but this one is mine.
I think the moderation is fair, although he makes a good argument. Flamebait means that we'd just be discussing off-topic details back and forth. It would be an argument for argument's sake, and happen everytime such a topic is raised. It's too controversial, hot, hung up in definitions and perspectives, too black and white. Remember, a 0 doesn't necessarily mean the post was _bad_..
Myself, I find it silly to discuss wether Linux is virusproof or not, in the manner it is usually done on public boards. Nothing is by definition. But that doesn't mean Linux isn't *MUCH* more secure than any MS Windows version regarding viruses. There are lots of obvious reasons for this, including extreme hate for Windows from potential virus-writers. Linux is also a bit more vulnerable to _effective_ viruses than Windows, due to lack of anti-virus software. But as long as no viruses are detected, noones complaining. In their post, however, some Linux-fans are indeed too confident in their favourite OS.
About the perl script, a good idea, but not all Linux machines got perl. A meta-shell script may be better, but the real problem lie in how to spread this thing. First generation offspring would infect the very few who downloaded it from your site. That's fine, a good virus will spread anyways, possibly destroying the host after a long incubation time. But Linux lacks efficient ways for distributing the offspring viruses, without resorting to security holes. I really doubt you could make a really effective virus. The diversity of Linux and unix is just too great, and responsible users don't/shouldn't run as root very much.
- Steeltoe
http://www.debunkingskeptics.com/
Yes, they are, but who cares? Educating people is far more effective:
On most maschines, we have a more or less up to date virus checker running. When installs a virus on his PC and complains about it, by policy, we reinstall the machine from scratch and delete all infected files. The user gets the standard lecture on how to treat data from foreign sources and to read warnings on the screen with graphic analogies (Would you eat a cookie with green and black patches offered to you on a subway by a hobo? So why are you opening everything spammer send you?).
With lot of begging and cajoling, we may save a few crucial files. Usually less than ten.
Most user get, after the first or second time, really careful, and the number of virus infections have been rapidely decreasing around here since we started this policy.
Terror and pain are real good teachers sometimes.
The last machine we got from them (Dell UK) took over a month to arrive. After hassling them repeatedly and being promised dates and it not happening we spoke to someone else there who said that the order hadn't ever been placed and she would do it then and be with us in a couple of days. still no joy.
Had this often. machines not turning up, engineers not turning up. Engineers being inept. And the best one was a dvd player that lost all region coding when it was reinstalled and had to be replaced by Dell.
nice machines though
From the Otto is a Rat Bastard Department:
...
:-)
Found this interesting tidbit yesterday. The plural form of virus is "viruses". viri is the nominative plural form of the Latin vir, which means man. See: http://doriath.perl.com/misc/virus.html
Okay, firstly, that URL is wrong. It should be http://language.perl.com/misc/virus.html
Secondly, while I think Tom Christensen is a genius, I must say that in this case, he's just being annoying.
Thirdly, anyone who corrects my speech in front of me generally loses a tooth. I don't stand for that crap from grown adults.
Language is a flexible, growing, evolving entity. It's not static. It's not about "correctness". It's about communicating your thoughts from one person to another. If I say the word "virii" and the other person understands me, then to hell with the OED.
Frankly, I find that people who care about the correctness of a certain word (I find "ain't" to be a damn useful word), *generally* don't have the intelligence to understand much of anything else anyway. Especially those bastards that try to correct your pronounciation of a word. Oooh, those guys piss me off.
FWIW, Dell should do what everyone else does. Create a base install, virus scan the hell out of it, then ghost the sucker onto every machine needed. If they're actually installing software in the normal fashion, I'd be awfully surprised.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
But the first post, which essentially said, "HAHAHA Bill Gates, windows sux!!!", got marked up as Insightfuk, which would suggest that it was a topic of interest worth discussing. Then, Sanity posts a well thought out counter argument and gets moderated down, presumably because he wasn't pro-Linux enough. If the moderator disagreed with him, he could have posted a useful response to his argument, rather than just knocking him down a point!
Dana
Well done! Does anybody happen to have the exact formula for a properly scanning limerick? It would be nice to know the accepted rule rather constantly trying to match again the Man from Nantucket. :-)
I don't think it's a surprise that they deal better with a real emergency than normal ordering/support. Day to day stuff is always harder to raise enthusiam (and standards) for. Not an excuse for poor general service I admit, but not unexpected.
Actually, _both_ are correct.
Only, viruses is more commonly used in the States while virii is more common in Europe.
I use Virii personally. I despise using the 'es' suffix on a word that ends with s. Icky.
~FnkyAlien
but the post that started this thread was implying that Linux was immune to viri,
No, unless I am reading a different post than you. He suggested Dell should push Linux boxes harder. I supose you could interpret what the first poster said might suggest that Linux was a an alternative, but he did not state any facts about Linux dealing with viruses.
like linux.
Would n't that saved them a lot?
There once was a fellow on /.
Whose system was stable and crasched not
'til he made a reboot
and logged in as root
now his system is known as a crash-bot
All opinions are my own - until criticized
... we despise Michael Dell and his whole company. As popular as George Bush III is to a liberal.
Around my way, the names "Compaq" and "Dell" are never spoken unless followed by the phrases: "sucks", "really sucks" and the all time favorite, "really sucks big donkey balls."
Even though we cannot "blame" Dell for the recall (under my breath: "suckass r&d, suckass tech..."), you folks seem so surprise. Dell does not make anything. Micron makes their own memory and a couple years ago came out with their own chipset. IBM can make everything they want.
Dell is no better than your local mom & pop computer shop. They put together parts to make computers and that is it. The only Dell labeled product is on the faceplate of the case.
Now do we see the importance of the Dell/IBM partnership. Dell had to merge not only to succeed but just to survive.
In defense for Dell, they do have the option of shipping their servers with RH Linux install. This is definitely something I cannot get Micron to do
ChozSun [e-mail]
ChozSun
ChozSun.com
I am /. newbie. I see the term "FUD" all over the place. Could you please tell me what it means? Thanks.
It's not an academic definition, but I've always based limericks on five lines of anapests (unstressessed, unstressed, stressed); three, three, two, two, three. The first foot can be iambic without causing offense (as in the now-legendary man from nantucket, who also has an unstressed syllable appended).
So your limerick (in morse) goes
dit dit dah dit dit dah dit dit dah
dit dit dah dit dit dah dit dit dah
dit dit dah dit dit dah
dit dit dah dit dit dah
dit dit dah dit dit dah dit dit dah
That's something I'd never have typed in using Windows; the old highlight/middle click makes things a lot easier.
Of course, this is a rigid definition, unstressed syllables can be added or removed more or less at will an still maintain an aesthetic aspect. IMHO.
Perhaps this is why smarter people often have poor handwriting (doctors for example) and often bad spelling. This could be related to a smarter persons enhanced ability to decode information, which would make following a strict form of handwriting or spelling less useful to them because they will still be able to retrieve the information either way, and its quicker to write sloppy =] I think perhaps if I ever visit my old highschool I will adress this point to my old english teachers.
You are correct that it is no mean trick to write a program that can damage the system it runs on, largely irrespective of what kind of system we're talking about. And so long as you can hoodwink some unwitting user into executing that program on their system, that program can, of course, cause damages commensurate with the privileges and capabilities of that user.
What you've failed to consider is how the dramatic cultural differences between Unix and the much-maligned consumerist toys serve to affect the issue to our benefit and their detriment.
Probably the most important of these cultural differences is that Unix has historically been a source-only world. Programs are distributed in the form of source code, code which shall be configured, built, and ultimately installed on the target machine. Programs solely accessible in machine language form fall immediately under a taint of mistrust.
Think back to the last time you read a notice from someone whom you've never heard of before that was asking you to go fetch some random binary program from some random place on the net and then to run that program under full sysadmin privileges? I can already see the incredulous Unix sysadmin reading that and bursting out in uncontrollable guffaws. Because the de facto standard for program interchange in Unix is as source code, a Unix programmer will be far less likely to fall for your ploy than would your average Prisoner of Bill, who has been lulled into gullibility by a binary-only culture.
But for the sake of the argument, let's say that you've found a way to effect this trick. Suppose you're an employee of some reasonably respected company that happens to produce a binary-only distribution of their commercial software, and you decide to sneak something wicked into the binary image. You manage to replace the standard, clean copy on your company's ftp or http server, or even floppies or CDs, with your own naughty version. People are accustomed to downloading from your company, or using your company's floppies, so they do as they've always done, run the installation as the superuser, and you thereby have your way with their system.
If this scenario were to play out, just how dangerous--how destructive--could it really prove? Whom could you harm, and who would be immune to your ploy? The answer is that you could only hurt those folks running the exact platform for which your binary had been compiled, and everybody is unassailable. By platform, I mean the whole feature vector that includes processor chip (eg Sparc vs Intel), operating system (e.g. SGI vs BSD), shared libraries (e.g. libc vs glibc), and site-specific configuration (e.g. shadowed vs non-shadowed password files.
Let's not get too full of ourselves and pretend that the Unix culture's predilection for source-only program distribution derives only, or even mainly, from altruism. We have no choice in this matter. Consumer-targetted systems from Microsoft or Apple are two instances are a static monoculture, as vulnerable to mayhap as a field of cloned sweet corn. It only takes one genetically engineered virus to bring down the whole field. Unix is different.
In his acclaimed essay, In The Beginning , Neal Stephenson writes:
There is no one thing called Unix. Instead, Unix comprises a diverse set of subtly (and often not so subtly) variant platforms. A nefarious binary laced with exquisitely designed evil bullets hidden inside it can hurt only a few of us. When Apple and Microsoft laugh at our diversity, be sure to remind them that is it their lack of the same that contributes to their incredible vulnerability--and to our strength. Hybrid vigor ultimately wins out over a monoculture, for the latter is too in-bred and fragile to prove long viable.
Let me now return to your particular suggestion, that of a malignant Perl program activated by a Makefile rule at installation time. Because you're talking source code, and because Perl tries rather hard to attain a high level cross-platform intercompatibility, this form of subterfuge would appear exempt from the inherent protections stemming from diversity in variant Unix platforms. So, could your trick be done? How much of a problem could this really be? What might happen?
The answer is that of course, it could be done. And in point of fact, a demonstration model is already available, courtesy of Abigail. Guess what? There's no reason to run around like a chicken with its head cut off: the sky isn't falling. This sort of approach stands little chance of making a big splash, because you aren't going to insinuate it into a place that can affect a lot of people. Sure, you might catch a few folks, but just how long to you think this kind of thing will go unnoticed? Remember, it's in source code. That means anybody who wonders what happened can just look at it. There's a very low barrier to entry. And even if the naughtiness removes itself from your copy once its dirty deeds are done, that naughtiness is still sitting there in plain view for easy inspection back wherever you got your copy from.
Is there a way around this? Well, yes, if you're as clever as Ken Thompson. Fortunately, you aren't, and neither are the crackers. If they were, they'd doubtless receive more Turing Awards for their vaunted efforts. :-)
The only way you're going to get good propagation is if your nastiness into a copy that a lot of people will download and install. There's a very fine reason why so many archives contain a checksum of the image. It's to help with this problem. Security of course depends on several matters, including the strength of the algorithm and the integrity of the authenticating agent. But better that than nothing.
Let's talk about propagation some more. I assume that the goal is to have a notable impact, which means you need to spread your bad code as widely as possible. A hacked up install script, even if all goes to your liking, just doesn't have a very high rate of reproduction. First of all, how often do how many people install this software? Secondly, how do you plan to trick them into doing so? It's not really much of a challenge to get one person to this, especially if they trust. If that's your goal, maybe you'll succeed. But the risk of being traced and apprehended is high.
So how come this stuff can spread like wildfire amongst the OS-challenged? Can't whatever mechanism that's used there be used to get at the rest of us, too?
Over the last few years, a frighteningly frequent conduit of contagion for viral infection on toy systems has been the implicit, automatic execution of code with little or not manual intervention on the part of the box's owner. DOWN THIS PATH LIES MADNESS!. That this can ever, ever happen is as a plain a symptom of complete and total cretinization in the toybox world as you are ever going to see. It's stupid, it's crazy, and it's dangerous. Any programmer who even suggests it needs to go back to flipping hamburgers. Any user who asks for this feature needs to be quietly taken into the back room by the doleful men in long trenchcoats, where he will be told in no uncertain terms that his request is not only in the best interest of no one but criminals, but that he also now has a permanent record even for asking about it.
No, I don't care that a customer asked for it. Customers are idiots, just like any other user. So what if they pay you? They're still idiots, and it's your professional responsibility to act responsibly, to refuse to go along with their madnesses. The customer is not always right. In fact, they're very often wrong. A physician or a lawyer doesn't do whatever the customer requests, and neither do you. They, meaning the customers or users, simply don't have the background and training; they don't have the experience of seeing why automatic execution from untrustable source is the work of the Devil.
It's not as though we in Unix have never seen this issue before. In fact, we've seen it time and time again. And guess what? We recognized the problem and we addressed it. And we don't cater to that kind of lunacy anymore.
Here are a few concrete examples.
Remember when vi would--or at least, could--automatically execute macro commands embedded in a file in a specific way? That was a dubious feature called modelines. On my OpenBSD systems, if I type :set modeline, the program comes back and says set: the modeline option may never be turned on.
Another example of learning from our mistakes is the issue of shell archives. Instead of automatically running the sharfile through /bin/sh, there are specially made unshar programs that will do the common things, safely, and nothing else.
When CGI was first getting big, owners of toy systems would blindly install compilers and interpreters in such a way that these would easily execute arbitrary content coming in off the wire. Despite my pleas, both Netscape and Microsoft were actually advocating this! After a year of warning admins not to do this, and sending mail to the companies who were saying to just go ahead, nothing changed. So I released latro. Then and only then did various companies retract their suggestions, even though they'd been aware of the nature of the problem for a long, long time. Sure, you could be equally stupid on Unix, but for some reason, we weren't. History counts.
Implicit execution of untrusted material is simply stupid beyond words. And for some reason, the toybox people keep falling for the same chump moves, from MIME attachments to word processor and spreadsheet macros to embedded active scripting controls. I don't know quite why they just keep doing this crap. My hunch, and it's only a hunch, is that this is happening because Microsoft and their moronic minions simply cannot for the all the tea in China ever manage to think outside of their quaint but completely fictional little single-user universe. Maybe they don't hire people who come from a background in multiuser and/or networked computing systems. Maybe they don't hire people with real experience at all, just script-kiddies trying to make a buck legitimately but with no true understanding. Maybe the software makers simply can't say no to a customer request, no matter how suicidal they know that request to be. I don't know.
Whatever the cause, decades of history are completely and repeatedly ignored. They keep making the same mistakes, and they don't fix the underlying causes. Sure, there are things that are hard. Denial of service attacks are hard. People who know exactly all the ramifications of IP who go sending maliciously hand-crafted packets aren't much fun either.
But these highly technical ploys aren't why most folks on their toyboxes are being screwed up, down, left, right, and sideways. They're being screwed because of very simple matters. They don't have the notion of a protected execution mode. They don't have file permissions or memory protections. They automatically execute content willy-nilly, often with complete access to the whole machine. They expect a program to show up in binary not source form. They don't compare robust checksums from a strongly authenticated sources. They live in an infinitely vulnerable monoculture. They expect things to just magically happen for them without a thought or a care, and guess what? Their wishes are duly granted, much to their eventual dismay.
It is possible that mass-market factors may someday end up plaguing Unix systems in ways not so far removed from the stupidities that the toy boxes are riddled with. We just have to tell them no, and to condemn in the strongest and loudest possible terms any backsliding into insecurities that if we ever had, long ago banished. Looking at the Winix phenomenon, in which a dozen different vendors put together and ship their own Linux operating systems, all specifically constructed to be user-obsequious and Unix-hostile all in order to appease the lowered expectations of a hundred million Windows idiots, who, despite their numbers, really can still be wrong. The stupidity of the masses must never be underestimated.
PS: Congratulations for reading this far. :-)
Too many companies opt for the "Nothing can go wrong ... go wrong ... go" model of how to handle a problem.
Dell does an up-front attack on the problem first, PR later. This way, the world see's that they *HAD* a problem, but it's fixed now.
I find a "fix first, spin later" approach to increase my faith in a computer company.
There once was an old man named keith
Who'd circumsize boys with his teeth
it wasn't for leisure #(say it "leh-zhur")
or sexual pleasure
'Twas just for the cheese underneath
THATS WHY YOU USE THE LINUX OS!! MUCH MUCH MORE RELIABLE THAN CRAPY BUGGY WINDOWS.
There once was a virus called Funlove,
That fitted the code like a glove,
But when it found Limerick,
12,000 PC's got the Dick,
And poor Mr Dell went as white as a Dove.
;-)
Maybe it'd be a better idea to have a virus that goes off on 1.1.2000 and 1.1.1900 Just in case.
-Denor
The first erratum is that when I said " everybody is unassailable", I of course meant that "everybody else is unassailable".
The other is that immediately prior to the sentence beginning "Consumer-targetted systems", you should insert this:
Somehow this slipped by in the posted copy, and it's an important point.Finally, I fixed the latro links at the bottom, so you'll be able to see the real program. And yes, it works. Like nmap and other, um, security tools, this should of course only be used to verify the security of those systems that you yourself directly administer and have responsibility for. Not that it's apt to be sufficiently well logged to know what's really going on. It seems that POSTs never get their content logged. Play nice, and don't pick on the WinVictims. :-)
I dualboot LinuxPPC (not terribly often, but I insist on being able to do it). This means that there are some Linux software packages that I can't, actually run, because anything that's binary-only or depends on PC hardware is something I can't run. For instance, anything that expects a parallel port is likewise something I can't use.
Contrariwise, if someone makes a Linux binary that is a x86 virus, I can't run it either (nor would I want to). There's a level of inconvenience that is also protection. Add to this the fact that I like to not run a desktop such as KDE or Gnome, and mostly hack around with console apps and play with Window Maker when I _do_ boot into Linux, and it becomes extremely awkward for someone to make a generic Linux virus that can function under those conditions. I end up making a relentlessly nonstandard environment for myself, simply because Linux does _not_ deliver a very well realised and completed user environment, and because it encourages my active involvement in the building of this user environment.
This diversity is a strength, not a weakness: it makes it appallingly difficult for a commercial vendor to target the average Linux system (they will have to pick RH or something and support only that), but it also makes it appallingly difficult for a virus writer to target the average Linux system (again, they will have to pick the RH or something and 'support' only that...)
The most significant effects of this are as follows:
- Commercial 'Winux' offerings will overwhelmingly focus their efforts into a single dist, probably Red Hat, possibly Caldera or Corel or something. Divergent dists and installations will not be supported- with varying degrees of haughtiness.
- Because Linux is in fact poorly suited to being turned into a Windows clone (much of the advantages are wasted), a very _large_ percentage of the userbase will refuse to be homogenized, _much_ larger than the comparable percentage of Windows or Mac users running substantially unusual configurations. This will continue, emphasised by the ability to distribute and publicise novel experiments in interface and user environment.
- Because of this, Linux will continue to seemingly be penalized in comparison with, for instance, Windows, as a developer's platform and commercial target platform- the commercial Linux distributions will infight and intentionally foster conflicts with each other, and too many users will drastically alter their user environments to make distribution of generic Linux software easy. Some vendors will define really limited targets, others will attempt to issue zillions of patches and diffs to cover the widest area possible. These approaches will coexist.
- At this time, at least _some_ people will have the presence of mind to suggest the obvious: there is choice, change to a different sort of Linux that is not vulnerable. No single Linux distributor will have the leverage to be able to significantly eliminate other dists (though certain ones may be able to get very large percentages of marketshare simply through commercial distribution networks and the ability to make the Linux versions of 'AOL disks' and proliferate them)
So, the 'Linux virus' _will_ exist, but it's important to understand the context they will exist in. They will be targeting the passive consumers and the largest commercial vendors- anytime you have a single voice outshouting the chorus, you'll have the Linux virus targetted to that particular distribution, perhaps motivated by anger at some business decisions the company makes that violate unwritten or written rules, perhaps simply taking advantage of sloppiness.When Linux virii _do_ become a significant force, the commercial Linux distributions will be the ones taking the hit, and such attacks will be specific to individual releases of commercial distributions.
You DONT put production systems on corporate network. Production networks are always standalone. You dont let anyone near the production system. You use only factory sealed media to update the production system. If you are on a windows box you run virus checking before each production run. You make a few boxes, send them to QA and run the virus software again. This is not a windows problem. This is a operations problem. Either they put the production machine on the net, or the security of the production area was compromised.